Managing Permissions

Under Linux (and UNIX), everything in the file system, including directories and devices, is a file. And every file on your system has an accompanying set of permissions based on ownership. These permissions form the basis for security under Linux, and designate each file's read, write, and execute permission for you, members of your group, and all others on the system.

You can examine the default permissions for a file you create by using the umask command (which prints the mask that is subtracted from the defaults of 666 for files and 777 for directories), or as a practical example, by using the touch command and then the ls command's long-format listing, like this:

$ touch file

$ ls -l file

-rw-rw-r-- 1 andrew andrew 0 2007-10-23 18:50 file

In this example, the touch command is used to quickly create a file. The ls command then reports on the file, displaying the following information from left to right (the first field is the -rw-rw-r-- shown previously):

The first character of the field is the type of file created — A dash (-) designates a plain file, d designates a directory, c designates a character device (such as /dev/ttyS0), b is used for a block device (such as /dev/hda), and l designates a symbolic link.

Permissions — Read, write, and execute permissions for the owner, group, and all others on the system. (You learn more about these permissions later in this section.)

Number of links to the file — The number of names (directory entries) that refer to this file. A hard link, created with the ln command, is an additional name for the same underlying file (the same inode), not a copy: the data exists once, and changing permissions or ownership through any of the names changes it for all of them, while removing one name leaves the data reachable through the others. A count of 1 for a plain file means no other name exists. Linux does not permit hard links to directories (the kernel refuses them even for root), so directories are linked with symbolic links (ln -s) instead; a directory's own count is 2 plus the number of its subdirectories, because of its "." entry and each subdirectory's ".." entry.

The owner — The account that created or owns the file; you can change this designation by using the chown command.

The group — The group of users allowed to access the file; you can change this designation by using the chgrp command.

File size and modification date — The last two elements indicate the size of the file in bytes and the date and time the file's contents were last modified. (ls -l shows the modification time, not the creation time.)

Assigning Permissions

Under Linux, permissions are grouped by owner, group, and others, with read, write, and execute permission assigned to each, like so:

Owner Group Others

rwx   rwx   rwx

Permissions can be indicated by mnemonic or octal characters. You can use the following mnemonic characters:

r indicates permission for an owner, member of the owner's group, or others to open and read the file.

w indicates permission for an owner, member of the owner's group, or others to open and write to the file.

x indicates permission for an owner, member of the owner's group, or others to execute the file. On a directory, x instead grants permission to search it, that is, to reach entries inside it by name (to cd into it or open a file under it); listing the names in a directory requires r, not x.

In the previous example for the file named file, the owner, andrew, has read and write permission, as does any member of the group named andrew. All other users may only read the file. Also note that default permissions for files created by the root operator will differ! This happens because of umask settings assigned by the shell.

Many users prefer to represent permissions with numeric codes, based on octal (base 8) values. Here's what these values mean:

4 indicates read permission.

2 indicates write permission.

1 indicates execute permission.

In octal notation, the previous example file has a permission setting of 664 (read + write or 4 + 2, read + write or 4 + 2, read-only or 4). Although you can use either form of permissions notation, octal is easy to use quickly after you visualize and understand how permissions are numbered.
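As an added example (this script is not from the book), the following POSIX shell functions translate the symbolic field printed by ls -l into the octal form discussed above and compute the default mode a new file or directory receives under a given umask. The function names perm_to_octal, default_mode, perms_of and demo are chosen here and are not standard commands; the demo creates its own scratch directory and assumes a writable temporary directory.

```shell
#!/bin/sh
# Added example: symbolic <-> octal permissions and the effect of umask.
# Names below are this example's own, not standard utilities.

# perm_to_octal rw-rw-r--  -> 664
# Takes the nine permission characters (columns 2-10 of ls -l output).
# A setuid/setgid/sticky marker (s or t) in an execute column is counted
# here only as the plain execute bit; the special bits themselves are ignored.
perm_to_octal() {
    p=$1
    result=
    for start in 1 4 7; do
        triplet=$(printf '%s' "$p" | cut -c"$start-$((start + 2))")
        digit=0
        case $triplet in r??) digit=$((digit + 4)) ;; esac
        case $triplet in ?w?) digit=$((digit + 2)) ;; esac
        case $triplet in ??[xst]) digit=$((digit + 1)) ;; esac
        result="$result$digit"
    done
    printf '%s\n' "$result"
}

# default_mode BASE UMASK -> mode a new object receives, e.g. default_mode 666 002 -> 664
# The kernel ANDs the requested mode (666 for files created by touch,
# 777 for directories created by mkdir) with the complement of the umask.
default_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# perms_of PATH -> octal mode derived from ls -ld (portable across ls variants).
perms_of() {
    perm_to_octal "$(ls -ld "$1" | cut -c2-10)"
}

# demo: under umask 027 a new file and directory end up as 640 and 750,
# not the 664 and 775 shown in the book (whose shell used umask 002).
demo() {
    dir=$(mktemp -d)
    ( umask 027; touch "$dir/file"; mkdir "$dir/sub" )   # subshell: umask change stays local
    printf 'file %s (computed %s)\n' "$(perms_of "$dir/file")" "$(default_mode 666 027)"
    printf 'dir  %s (computed %s)\n' "$(perms_of "$dir/sub")" "$(default_mode 777 027)"
    rm -rf "$dir"
}
```

Run demo to see the two numbers agree; default_mode is why the book's root-created files differ: root's shell typically sets umask 022, giving 644 and 755.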

NOTE

In Linux, you can create groups to assign a number of users access to common directories and files based on permissions. You might assign everyone in accounting to a group named accounting, for example, and allow that group access to accounts payable files while disallowing access by other departments. Defined groups are maintained by the root operator, but you can use the newgrp command to temporarily join other groups to access files (as long as the root operator has added you to the other groups). You can also allow or deny access to your files by other groups by modifying the group permissions of your files.

Directory Permissions

Directories are also files under Linux. For example, again use the ls command to show permissions like this:

$ mkdir foo

$ ls -ld foo

drwxrwxr-x 2 andrew andrew 4096 2007-10-23 19:06 foo

In this example, the mkdir command is used to create a directory. The ls command and its -ld option is used to show the permissions and other information about the directory itself (not its contents). Here you can see that the directory has permission values of 775 (read+write+execute or 4+2+1, read+write+execute or 4+2+1, and read+execute or 4+1).

On a directory the three bits mean something slightly different from what they mean on a plain file. Read permission lets a user list the names in the directory. Execute (search) permission lets a user reach entries by name: cd into the directory, open a file under it, or stat it. Write permission lets a user create, rename, and delete entries in the directory, regardless of the permissions on those entries themselves. So here the owner and group members can list the directory, reach its contents, and add or remove files; all other users can list and reach the contents but cannot change them.

Note that a directory with execute but no read permission is searchable but not listable: anyone who knows or guesses a name inside it can still open that entry, so withholding r hides names but is not an access control on its own. Conversely, a directory with read but no execute permission lets a user see the names but not open, stat, or cd into anything beneath it.
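As an added example (not from the book), the following POSIX shell function makes the read-versus-execute distinction on directories concrete. The name probe_dir is chosen here and is not a standard command. It creates a scratch directory holding one file, applies the requested mode to the directory, and reports whether listing the directory (which needs r) and opening the file inside it by name (which needs x) succeed for the current user. It assumes a writable temporary directory and a non-root user; root bypasses these checks, so the probe reports skipped in that case.

```shell
#!/bin/sh
# Added example: what r and x each grant on a directory.
# probe_dir is this example's own name, not a standard utility.

probe_dir() {
    # $1: octal mode to put on the scratch directory, e.g. 500, 400, 100, 000
    if [ "$(id -u)" -eq 0 ]; then
        # root is exempt from read/write/search checks, so the probe proves nothing
        printf 'skipped\n'
        return 0
    fi
    dir=$(mktemp -d)
    printf 'secret\n' > "$dir/note"
    chmod "$1" "$dir"
    # Listing reads the directory entries: requires r on the directory.
    if ls "$dir" >/dev/null 2>&1; then list=ok; else list=denied; fi
    # Opening a path beneath it looks the name up: requires x on the directory.
    if cat "$dir/note" >/dev/null 2>&1; then open=ok; else open=denied; fi
    chmod 700 "$dir"          # restore access so the cleanup can remove it
    rm -rf "$dir"
    printf 'list=%s open=%s\n' "$list" "$open"
}

# For a non-root user:
#   probe_dir 500 -> list=ok open=ok          (r lists names, x lets you reach them)
#   probe_dir 400 -> list=ok open=denied      (names visible, nothing reachable)
#   probe_dir 100 -> list=denied open=ok      (nothing listable, a known name still opens)
#   probe_dir 000 -> list=denied open=denied
```

The 100 case is the one worth remembering when reviewing a system: a directory that ls refuses to show is not protecting the files inside it if their names can be guessed.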

You should also notice that the ls command's output shows a leading d in the permissions field. This letter specifies that this file is a directory; plain files have a dash (-) in its place. Other files, such as those specifying a block or character device, have a different letter.

For example, if you examine the device file for a Linux serial port, you will see the following:

$ ls -l /dev/ttyS0

crw-rw---- 1 root uucp 4, 64 2007-10-23 18:11 /dev/ttyS0

Here, /dev/ttyS0 is a character device (a serial communications port, designated by the leading c) owned by root and available to anyone in the uucp group (many current distributions use the group dialout for this instead). The device has permissions of 660 (read + write, read + write, no permission). Note also that for a device file ls -l prints the major and minor device numbers (4, 64) where the size in bytes would otherwise appear.
