As we said, most of the time you can get by with the default security the system gives you. But there are always exceptions, particularly for system administrators. To take a simple example, suppose you are creating a directory under /home for a new user. You have to create everything as root, but when you’re done you have to change the ownership to the user; otherwise, that user won’t be able to use the files! (Fortunately, if you use the adduser command discussed in Section 5.7.5 in Chapter 5, it takes care of ownership for you.)
Similarly, certain utilities such as UUCP and News have their own users. No one ever logs in as UUCP or News, but those users and groups must exist so that the utilities can do their job without running as root. In general, the last step when installing software is to change the owner, group, and permissions as the documentation tells you to do.
The chown command changes the owner of a file, and the chgrp command changes the group. On Linux, only root can use chown to change the owner of a file; the owner of a file can use chgrp to change its group, but only to another group he belongs to.
So after installing some software named sampsoft, you might change both the owner and the group to bin by executing:
# chown bin sampsoft
# chgrp bin sampsoft
You could also do this in one step by giving chown both names, separated by a colon (GNU chown still accepts the older dot notation, bin.bin, but the colon form is the documented one and cannot be misread when a user or group name contains a dot):
# chown bin:bin sampsoft
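The "hand the tree over and check it" step that the install advice above calls for, written out as an added example (it is not code from Running Linux). It assumes GNU find and chown on Linux and uses numeric ids so that no account named bin has to exist; the demo tree is constructed in a temporary directory. Because the owner of a file may always chown it to the owner it already has, the function works unprivileged on your own files and as root on anyone's.

```shell
#!/bin/sh
# Added example (not from Running Linux): after installing a tree, hand it
# to its intended owner and group, then confirm nothing was missed.
# Assumes GNU find/chown (Linux). Numeric ids are used so the example does
# not depend on a particular account existing on the machine.

# audit_tree DIR UID GID: print the number of regular files under DIR whose
# owner or group differs from the expected ids. Use as a post-install check.
audit_tree() {
    find "$1" -type f \( ! -uid "$2" -o ! -gid "$3" \) | wc -l | tr -d ' '
}

# claim_tree DIR UID GID: recursively set owner and group in one step using
# the "uid:gid" colon syntax, then print the audit count (0 means success).
claim_tree() {
    chown -R "$2:$3" "$1" || return 1
    audit_tree "$1" "$2" "$3"
}

# make_demo_tree: build a constructed stand-in for a freshly installed
# "sampsoft" in a scratch directory and print its path.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir "$d/bin" "$d/lib"
    printf 'echo hi\n' > "$d/bin/sampsoft"
    printf 'data\n'    > "$d/lib/sampsoft.dat"
    printf '%s\n' "$d"
}
```

Run claim_tree on the tree with the ids you intend, then keep audit_tree around: rerunning it after an upgrade is a cheap way to catch files that a package or a careless sudo session left owned by root.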
The syntax for changing permissions is more complicated. The permissions can also be called the file’s “mode,” and the command that changes permissions is chmod. Let’s start our exploration of this command through a simple example; say you’ve written a neat program in Perl or Tcl named header, and you want to be able to execute it. You would type the following command:
$ chmod +x header
The plus sign means “add a permission,” and the x indicates which permission to add.
If you want to remove execute permission, use a minus sign in place of a plus:
$ chmod -x header
This command assigns permissions to all levels (user, group, and other), subject to your umask, which we come to at the end of this section. Let’s say that you are secretly into software hoarding and don’t want anybody to use the command but yourself. (No, that’s too cruel; let’s say instead that you think the script is buggy and want to protect other people from hurting themselves until you’ve exercised it.) You can assign execute permission just to yourself through the command:
$ chmod u+x header
Whatever goes before the plus sign is the level of permission, and whatever goes after is the type of permission. User permission (for yourself) is u, group permission is g, and other is o. So, to assign permission to both yourself and the file’s group, enter:
$ chmod ug+x header
You can also assign multiple types of permissions:
$ chmod ug+rwx header
There are a few more shortcuts you can learn from the chmod manual page in order to impress someone looking over your shoulder, but they don’t offer any functionality beyond what we’ve shown you.
As arcane as the syntax of the mode argument may seem, there’s another syntax that is even more complicated. We have to describe it though, for several reasons. First of all, there are several situations that cannot be covered by the syntax, called symbolic mode, that we’ve just shown. Second, people often use the other syntax, called absolute mode, in their documentation. Third, there are times you may actually find the absolute mode more convenient.
To understand absolute mode, you have to think in terms of bits and octal notation. Don’t worry, it’s not too hard. A typical mode contains three octal digits, corresponding to the three levels of permission (user, group, and other). These levels are illustrated in Figure 4-3. Within each level, there are three bits corresponding to read, write, and execute permission. (A fourth, leading digit exists for the setuid, setgid, and sticky bits; we leave it aside here.)
Let’s say you want to give yourself read permission and no permission to anybody else. You want to specify just the bit represented by the number 400. So the chmod command would be:
$ chmod 400 header
To give read permission to everybody, choose the correct bit from each level: 400 for yourself, 40 for your group, and 4 for other. The full command is:
$ chmod 444 header
This is like using a mode +r, except that it simultaneously removes any write or execute permission. (To be precise, it’s just like a mode of =r, which we didn’t mention earlier. The equal sign means “assign these rights and no others.”)
To give read and execute permission to everybody, you have to add up the read and execute bits in each level: 400 plus 100 is 500 for yourself, for instance. So the corresponding command is:
$ chmod 555 header
which is the same as =rx. To give someone full access, you would specify that digit as a 7: the sum of 4, 2, and 1.
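To see the two notations side by side, here is an added example (not code from Running Linux) that applies the symbolic and absolute modes from the last two sections to a scratch file and reads each result back with stat. It assumes GNU stat on Linux; the scratch file and the fixed umask 022 are choices made here so that the results are the same on every machine.

```shell
#!/bin/sh
# Added example (not from Running Linux): apply symbolic and absolute modes
# to a scratch file and read the resulting octal mode back after each step.
# Assumes GNU stat (Linux).

# mode_of FILE: print the permission bits as three octal digits (e.g. 644).
mode_of() { stat -c '%a' "$1"; }

# set_and_show FILE MODE: run chmod MODE on FILE and print the new octal
# mode. MODE may be either notation: "u+x", "=rx", "555", ...
set_and_show() {
    chmod "$2" "$1" && mode_of "$1"
}

# walk FILE: the sequence from the text, printing the modes space-separated.
# It runs under umask 022 in a subshell, because symbolic modes with no
# u/g/o prefix ("+x", "=rx", "-x") leave the classes masked by the umask
# untouched; absolute modes like 400 ignore the umask entirely.
walk() {
    (
        umask 022
        f=$1
        set_and_show "$f" 400     # owner read only            -> 400
        set_and_show "$f" 444     # read for everybody, no more -> 444
        set_and_show "$f" u+x     # add execute for the owner   -> 544
        set_and_show "$f" =rx     # exactly read+execute for all -> 555
        set_and_show "$f" ug+rwx  # full access for owner+group -> 775
        set_and_show "$f" -x      # drop execute for everyone   -> 664
    ) | paste -sd ' ' -
}
```

The last two steps are the ones worth remembering when you audit a system: ug+rwx silently left "other" with read access, and -x took execute away without touching the write bit that ug+rwx had given the group. When you need a file to end up in a known state, an absolute mode (or =) is safer than accumulated + and - edits.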
One final trick: how to set the default mode that is assigned to each file you create (with a text editor, the > redirection operator, and so on). You do so by executing a umask command, or putting one in your shell’s start-up file. This file could be called .bashrc, .cshrc, or something else depending on the shell you use (we’ll discuss startup files in the next section).
The umask command takes an argument that looks like an absolute mode for chmod, but the meaning is inverted: each bit set in the mask is a permission that newly created files will not get. To work one out, decide the access you want to grant for user, group, and other, and subtract each digit from 7. That gives you a three-digit mask.
For instance, say you want yourself to have all permissions (7), your group to have read and execute permissions (5), and others to have no permissions (0). Subtract each bit from 7 and you get 0 for yourself, 2 for your group, and 7 for other. So the command to put in your start-up file is:
umask 027
A strange technique, but it works. Keep in mind that the mask can only take bits away, never add them: a file created by an editor or by > is requested with mode 666, so under umask 027 it ends up 640, and a directory (requested as 777) ends up 750. A new file is therefore never executable by default, whatever the mask; you still need chmod for that. The chmod command also consults the mask when you give it a symbolic mode without a u, g, or o prefix: under umask 027, chmod +x header gives execute permission to you and your group but not to others, because the mask denies others any access. Use a+x when you really mean everybody.
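The effect of a umask on new files and directories, and its interaction with a bare +x, shown as an added example (not code from Running Linux). It assumes GNU stat on Linux and creates everything inside a scratch directory; the files are made with > rather than with mktemp, because mktemp always creates files as 600 regardless of the umask.

```shell
#!/bin/sh
# Added example (not from Running Linux): what a umask does to files and
# directories created under it, and how chmod "+x" (no u/g/o prefix)
# respects it while "a+x" does not. Assumes GNU stat (Linux).

# mode_of PATH: print the permission bits as three octal digits.
mode_of() { stat -c '%a' "$1"; }

# creation_modes MASK: create a file (as ">" or an editor would) and a
# directory under MASK and print "<file mode> <dir mode>". Files are
# requested as 666 and directories as 777; the mask clears bits from
# those requests, which is why a new file never comes out executable.
creation_modes() {
    (
        umask "$1"
        d=$(mktemp -d)        # scratch dir; mkdir -p below inherits the mask
        : > "$d/f"            # same path an editor or ">" takes
        mkdir "$d/sub"
        printf '%s %s\n' "$(mode_of "$d/f")" "$(mode_of "$d/sub")"
        rm -rf "$d"
    )
}

# plus_x_under_mask MASK: on a file created under MASK, run "chmod +x" and
# then "chmod a+x", printing the mode after each. The first leaves the
# classes masked out by MASK untouched; the second ignores the mask.
plus_x_under_mask() {
    (
        umask "$1"
        d=$(mktemp -d)
        : > "$d/f"
        chmod +x "$d/f";  a=$(mode_of "$d/f")
        chmod a+x "$d/f"; b=$(mode_of "$d/f")
        printf '%s %s\n' "$a" "$b"
        rm -rf "$d"
    )
}
```

A umask of 027 is a reasonable default for a multi-user host: group members can read what you create, nobody else can. For anything that holds secrets (keys, tokens, shell history) most people go one step further and run with 077, which the example shows yielding 600 for files and 700 for directories.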