GNU and Unix systems are set up to allow many people to use the same computer,
while keeping certain files private or keeping certain people from modifying
certain files. You can verify this for yourself. Log in as yourself, i.e. NOT
as root.
whoami
This verifies that you are not root. Then enter the following command:
rm /etc/resolv.conf
You should be told Permission denied. /etc/resolv.conf is
an essential system configuration file; you aren't allowed to change or remove
it unless you're root. This keeps you from accidentally messing up the system,
and if the computer is a public one (such as at an office or school), it keeps
users from messing up the system on purpose.
Now type ls -l /etc/resolv.conf.
This will give you output that looks something like this:
-rw-r-r- 1 root root 119 Feb 23 1997 /etc/resolv.conf
The -l option to ls requests all that additional information.
The info on the right is easy: The size of the file is 119 bytes; the
date the file was last changed is February 23, 1997; and the file's name is
/etc/resolv.conf. On the left side of the screen, things are a little
more complicated.
First, the brief, technical explanation: The -rw-r-r- is the
mode of the file, the 1 is the number of hard links to this
file (or the number of files in a directory), and the two roots are
the user and group owning the file, respectively.
Every file has two owners: a user and a group. The above case is a little confusing
because there's a group called root in addition to the root
user. Groups are just collections of users who are collectively permitted access
to some part of the system. A good example is a games group. Just to
be mean, you might create a group called games on your
computer and then set up your system so that only people in a games
group are allowed to play games.
Here's a more practical example. Consider a case in which you're setting up
a computer for a school. You might want certain files to be accessible only
to teachers, not students, so you put all the teachers in a single group. Then
you can tell the system that certain files belong to members of the group teachers,
and that no one else can access those files.
Let's explore groups on the system. First, you can use the groups command
at the shell prompt. This will show you a list of the groups to which you belong.
Here's an example:
It's likely that you're a member of only one group, which is identical to your
username. However, root can add you to other groups. The above example shows
a person that is a member of five groups.
less /etc/group
This file lists the groups that exist on your system. Notice the root
group (the only member of this group is the root user), and the group that corresponds
to your username. There are also groups like dialout (users who are
allowed to dial out on the modem) and floppy (users who can use the
floppy drive). However, your system is probably not configured to make use of
these groups. It's likely that only root can use the floppy or the modem right
now. For details about this file, try reading man group.
ls -l /home
This command shows you that every user's directory is owned by that user and
that user's personal group.
Tip: If you just installed Debian, you may be the only
user. You can use the adduser command to add more users to the
system.
In addition to being owned by one user and one group, every file and directory
also has a mode, which determines who's allowed to read, write, and execute
the file (and run it, if it's a program). There are a few other things also
determined by the mode, but they're advanced topics so we'll skip them for now.
The mode looks like this in the ls output: -rw-r-r-.
For now, we'll consider nine of these parts: those that control read,
write, and execute permissions for the user owning
the file, the group owning the file, and others (everyone
on the system, sometimes called world).
In the mode line, the first ``element'' gives the file type. The -
in this case means it's a regular file. If it was d, we'd be looking
at a directory. There are also other possibilities too complex to go into here;
for details, see section 13.2.2 on page .
The remaining nine elements are used to display the file's mode. The basic 9
bits (read, write, and execute for user, group, and other) are displayed as
three blocks of rwx.
So if all permissions are turned on and this is a regular file, the mode will
look like this: -rwxrwxrwx. If it was a directory with all permissions
turned off for others and full permissions for user and group, it would be drwxrwx--.
Table 7.1:
Permissions in Linux
Code
Name
Allows for Files
Allows for Directories
r
read
Examine contents of file
List contents of directory
w
write
Modify file
Add or remove files in directory
x
execute
Run as a command
Access files in directory
Table 7.1 describes the meaning of the read, write,
and execute permissions for both files and directories.
Directory modes can be a little confusing, so here are some examples of the
effects of various combinations:
r-
The user, group, or other with these permissions may list the contents of the
directory, but can do nothing else. The files in the directory can't be read,
changed, deleted, or manipulated in any way. The only permitted action is reading
the directory itself, that is, seeing what files it contains.
rw-
Write permissionhas no effect in the absence of execute permission, so this
mode behaves just like the above mode.
r-x
This mode permits the files in a directory to be listed and permits access to
those files. However, files can't be created or deleted. Access means
that you can view, change, or execute the files as permitted by the files' own
permissions.
-x
Files in this directory can be accessed, but the contents of the directory can't
be listed, so you have to know what filename you're looking for in advance (unless
you're exceptionally good at guessing). Files can't be created or deleted.
rwx
You can do anything you want with the files in this directory, as long as it's
permitted by the permissions on the files themselves.
Directory write permission determines whether you can delete files in a directory.
A read-only file can be deleted if you have permission to write to the directory
containing it. You can't delete a file from a read-only directory even if you're
allowed to make changes to the file.
This also means that if you own a directory you can always delete files from
it, even if those files belong to root.
Directory execute permission determines whether you have access to files -
and thus whether file permissions come into play. If you have execute
permissions to a directory, file permissions for that directory become relevant.
Otherwise, file permissions just don't matter; you can't access the files anyway.
This section goes through a short example session to demonstrate how permissions
are used. To change permissions, we'll use the chmod command.
cd; touch myfile
There are a couple of new tricks here. First, you can use ; to put
two commands on one line. You can type the above as:
$ cd
$ touch myfile
or as:
$ cd; touch myfile
Either way the same thing will end up happening.
Recall that cd by itself returns you to your home directory. touch
is normally used to change the modification time of the file to the current
time. But it has another interesting feature: If the file doesn't exist, touch
creates the file. So you're using it to create a file to practice with. Use
ls -l to confirm that the file has been created and notice the permissions
mode:
$ ls -l
-rw-r-r- 1 user user 0 Nov 18 22:04 myfile
Obviously the time and user/group names will be different when you try it. The
size of the file is 0, because touch creates an empty file. -rw-r-r-
is the default permissions mode on Debian.
chmod u+x myfile
This command means to add (+) execute (x) permissions for
the user (u) who owns the file. Use ls -l to see the effects.
chmod go-r myfile
Here you've subtracted (-) read permission (r) from the group
(g) owning the file and from everyone else (others, o). Again,
use ls -l to verify the effects.
chmod ugo=rx myfile
Here you've set (=) user, group, and other permissions to read and
execute. This sets permissions to exactly what you've specified and
unsets any other permissions. So all rx should be set, and all w
should be unset. Now, no one can write to the file.
chmod a-x myfile
a is a shortcut for ugo, or ``all.'' So all the x
permissions should now be unset.
rm myfile
With this command, you're removing the file, but without write permissions.
rm will ask if you're sure by displaying the following message:
rm: remove `myfile', overriding mode 0444?
You should respond by typing y and pressing Enter. This is
a feature of rm, not a fact of permissions. Permission to delete a
file comes from the directory permissions, and you have write permission in
the directory. However, rm tries to be helpful, figuring that if you
didn't want to change the file (and thus remove write permission), you don't
want to delete it either, so it asks you.
What was that 0444 business in the question from rm? The permissions
mode is a twelve-digit binary number, like this: 000100100100. 0444
is this binary number represented as an octal (base 8) number, which is the
conventional way to write a mode. So you can type chmod 444 myfile
instead of chmod ugo=r myfile.