Files, Filesystems, & Permissions The original goal of UNIX was to develop a workable filesystem that was tightly integrated with a simple operating system. For this reason, the concept of the file is central to the way UNIX works. Over and above the typical uses of files that everyone is familiar with, UNIX uses files to control access and privileges, communication between programs, and even hardware devices. For example, to record data on a magnetic tape a program simply "writes" the data and a few control codes to a special file. UNIX itself takes care of the nasty work. The ability to perform complex tasks by simply reading or writing to a file is the primary reason all true programmers love UNIX. The UNIX filesystem is a conglomeration of all the disks in a system as well as any file devices such as floppy disks and CD-ROMs. Like other modern operating systems, the UNIX filesystem is structured like a tree, with the "root" directory represented by a /. Hard disk partitions and file devices are referenced by subdirectories of /. For example, /floppy would probably represent a floppy disk. Of course, it doesn't have to be named /floppy - you could mount the floppy disk in a directory named /buddy if you like. Unlike some operating systems, each physical disk drive in the system doesn't get its own "root" like the letter descriptors (C:\, D:\, and so on) in most other operating systems. All of the disk drives get slotted into the main directory tree. Say for example that a system is being used as a database server and contains two physical disks. One disk is used solely for the database, and the other disk contains the operating system and other files. The disk that contains only the database files would appear in the directory tree as something like /db while the system disk would appear normally. A user on the system would have no idea that their database files were located on a completely different disk - it just looks like a subdirectory of the system disk. This demonstrates an interesting feature of the UNIX filesystem - the difference between a subdirectory and an entirely different disk is transparent, and unless you're the system administrator you really don't have any reason to care. This makes life easy for system administrators on systems that grow and shrink in their storage requirements. If you suddenly need more storage space on some part of the system (/home is a favorite, since that's where user accounts are located), you can just slide a new disk into the system and map the disk to appear as that subdirectory. The users will never notice a difference in the way they access their files, which will keep them from calling you at all hours of the night asking questions. All security on a UNIX system is based on controlling who can access which file, and how they can access it. By using the -l option with the ls command, you can display all of the information you need to figure out permissions for a file or directory. By typing ls -l you should get an extended file listing that looks something like
-rw-r--r-- 1 lamonml ncc 4914 Sep 15 13:08 BinaryTreeInsert.java While the fields containing the file name, size, and modification date are interesting, what we're really interested in are the permissions field (1st field) and the ownership fields (3rd and 4th fields). The ownership fields list the user who "owns" the file (usually the user who created the file) and the group that the file belongs to. Most larger systems divide users into groups for the purposes of file access - a favorite on university systems is to give each academic department its own group. For example, everyone in the computer science department would be a member of the cs group, and everyone in the physics department would be in the phys group. In a business situation, the groups might be sales and admin. By doing this, users in related groups can give other members of their group access to files without opening them up to the entire system. For example, several physics professors may teach the same course, and use the same test. Rather than continuously copying files back and forth, they would create one copy of the test and have the file belong to the physics group. This way all of the physics professors can access it, but a user that doesn't belong to the physics group (such as a student) would not be able to access it. A user may belong to more than one group - a graduate teaching assistant in the physics department might belong to both the phys and grad groups. A file may only belong to one group, however. If a user has a file that they wish to transfer ownership of from one group to another, they can do so using the chgrp command. To change the group ownership of a file named newton.cpp to the phys group, a member of the phys group would type: chgrp phys newton.cpp Note that a user can only change the group ownership of a file to a group that they belong to. A user who doesn't belong to the phys group cannot change group ownership of a file to the phys group. In addition, a user can only change the group ownership of a file that they own. Of course, none of these restrictions apply to the root account. The system administrator may change the group ownership of any file. In addition, the system administrator may change the user who owns a file by using the chown command. This command may only be run as root - for security reasons normal users are not allowed to change the ownership of files. If the system administrator wants to change the owner of a file named newton.cpp to the user hooke and the group phys, he would type chown hooke:phys newton.cpp If you only want to change the owner and leave the group ownership unchanged, the colon and group name may be omitted so the command would look like chown hooke newton.cpp When a new file is created, it belongs to the primary group of the user who created it. A user's primary group is set when the user's account is created, but may be changed by the system administrator. By default most versions of Solaris put user accounts in a group named staff; under Linux each user is given their own group that has the same name as their username. See Chapter 6 for more information about managing groups. The permission field consists of 10 characters. The first character classifies the file by type - in our example listing, this field is either a hyphen or the letter d. A hyphen indicates a "normal" file, and a d indicates that the file is actually a directory. For the most part, the hyphen and the d are all you should see in your directory listings. On occasion you'll run across other types of files - they're described in Chapter 4 of this guide. The remaining 9 fields are divided into three sets of three permissions each. The three sets are (in order from left to right) user, group, and world. The three permissions are read, write, and execute (represented by r, w, and x). By selecting only certain permissions from certain sets, you can create any combination of permissions that you need. For example if you want all permissions to a file, you want your group to be able to read and write to the file, but you only want to give read access to everyone else you would set your permissions so the permission field looks like -rwxrw-r--. Notice that the first character is a hyphen since it's a regular file. The next three characters are the owner's permissions - we've set those to rwx so the owner has all permissions. The next three characters are rw- which gives the file's group read and write but not execute permissions. The last three characters are r-- which gives everyone on the system read permissions, but nothing more. For the most part, the meanings of the permissions are pretty straightforward. For a regular file the read permission allows a user to view the contents of a file, the write permission allows them to change the contents of the file, and the execute permission allows them to execute the file as a process if it contains a program or a script. The permissions have a slightly different meaning if they apply to a directory, but the different meanings make sense if you think about it. The read permission allows a user to list the files in the directory, the write permission lets them add or remove files from the directory, and the execute permissions lets them make the directory their current directory by using the cd command. Unfortunately, changing the permissions for a file or directory isn't so straightforward. The permissions for a file or a directory are stored in a binary format that makes life easy for system programmers, but difficult for system administrators to explain to their users. If you don't understand the basics behind how binary works, may God have mercy on your soul at this point. I'm going to assume you can do basic binary to decimal conversion, but that's about it. If you honestly have no idea how binary works and don't care to know, just tape a copy of the below chart in your cubicle and use it to cheat. Each set of three permissions is stored in three bits (bet you never would've guessed that). The bit in the one's place represents the executable permission, the bit in the two's place represents the write permission, and the bit in the four's place represents the read permission. UNIX is all about doing a minimal amount of typing, so rather than typing out three sets of three bits each in binary on the command line, you only have to type three decimal numbers - the first decimal number for the user permissions, the second decimal number for the group permissions, and the last decimal number for the world permissions. The chart below shows the relationship between the decimal number, the binary bits, and the permission set.
As the chart shows much better than I can explain, there's a direct correspondence between bits with a value of 1 and a permission being turned on. The first step to setting the permissions for a file or directory is to pick the three decimal numbers that represent the permissions you want to set for user, group, and world. For example, most HTML files on a web server are set so the owner has read and write access, while the group and world have only read access. If you performed an ls -l on the file, the permission field would look like -rw-r--r--. By looking at the chart, you can see that the decimal number 6 corresponds to the user permissions of rw- and the decimal number 4 corresponds to the group and world permissions of r--. With this information, we know that decimal representation of this file's permissions is 644. To set the permissions for a file or directory, the chmod command is given the decimal file permissions and the name of the file or directory to change permissions for. As an example, typing chmod 644 index.html would change the file permissions for index.html to be user readable and writeable, and group and world readable. Only a file's owner may change its permissions, except for the root user who has the authority to change the permissions for any file on the system. |
Generously hosted by: