|Introduction to Basic Unix System Administration|
Access to the Unix system, to files and directories
Every file and every directory has three types of access: read, write and execute. Each of these is granted separately to three classes of users: user, group and other. The first class is the owner of the file. The second class is the group that owns the file: every member of that group gets the group rights. The third class is everybody else (not the owner and not a member of the file's group). The classes are consulted in that order, and only the first one that applies to you counts: if you own a file, the group and other bits are never consulted for you at all.
With the -l option (long listing) of ls, you can find out the access rights for any given file or directory:
tille:~>ls -l verlanglijst
-rw-rw-r--  1 tille  tille  200 Apr 13 10:23 verlanglijst
The file verlanglijst is owned by user tille, whose group is also called tille (giving each user a private group of his own is common on some newer Unix systems). The file is readable and writable by the user tille and by any other user who is a member of group tille, and every other user can read it. The first character of the mode field is not a permission but the file type: - for a regular file, d for a directory, l for a symbolic link.
The types of access have a value:
read access: value 4
write access: value 2
execute access: value 1
The chmod command (change mode) uses these values: the rights given to each class are added up, which gives three octal digits between 0 and 7, written in the order user, group, other. In the above example the file verlanglijst has mode 664: rw- is 4+2 = 6 for the owner, rw- is 6 for the group, and r-- is 4 for everybody else.
full access to everybody:
chmod 777 filename
share a file with users in your group (everybody else can still read and execute it):
chmod 775 filename
share a directory with other users in your group without giving them the opportunity to rename, remove or add files (the write bit on a directory controls its entries, not the contents of the files in it):
chmod 755 dirname
protect files from other users:
chmod 700 file
prevent yourself from accidentally removing, renaming or creating files in a directory:
chmod 500 dirname
make a private file that only you can edit:
chmod 600 file
protect a file from accidental editing:
chmod 400 file
let users of your group edit a file while keeping it inaccessible to any other user:
chmod 660 file
This is a simplified explanation of chmod. In the manual you will see that a mode actually has four octal digits: the leading digit holds the setuid bit (4), the setgid bit (2) and the sticky bit (1), which ls -l shows as an s or t in the corresponding execute position. A leading digit of 0 is normally omitted, which is why the examples above have only three digits.
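The octal arithmetic above, as an added example that is not part of the original tutorial: a small POSIX sh script that converts the mode field shown by ls -l back into the number you would pass to chmod. It goes a little beyond the text by handling the fourth digit (setuid, setgid and sticky, which ls -l shows as s or t in the execute positions), then applies the modes from the list above to throw-away files in a temporary directory and demonstrates the owner-first rule with a file of mode 077. The function names are my own; everything else is standard ls, chmod, mktemp and cut.

```shell
#!/bin/sh
# Added example (not from the original tutorial): working with the octal
# modes described above. mode_to_octal turns the mode field of ls -l into
# the number you would give to chmod, including the fourth (leading) digit
# for setuid, setgid and sticky. The demo functions only create files in a
# temporary directory; nothing else on the system is touched.

# Convert "rw-rw-r--" or "-rwsr-xr-x" (with file-type character) to octal.
# Prints e.g. 664 or 4755; returns 1 on malformed input.
mode_to_octal() {
    m=$1
    case ${#m} in
        10) m=${m#?} ;;      # drop the file-type character (-, d, l, ...)
        9)  ;;
        *)  printf 'mode_to_octal: expected 9 or 10 characters, got "%s"\n' "$1" >&2
            return 1 ;;
    esac
    special=0              # setuid=4, setgid=2, sticky=1
    out=""
    pos=1
    for who in u g o; do
        val=0
        r=$(printf '%s' "$m" | cut -c"$pos")
        w=$(printf '%s' "$m" | cut -c"$((pos + 1))")
        x=$(printf '%s' "$m" | cut -c"$((pos + 2))")
        case $r in r) val=$((val + 4)) ;; esac
        case $w in w) val=$((val + 2)) ;; esac
        case $x in x|s|t) val=$((val + 1)) ;; esac   # lower case: execute bit also set
        case $who$x in                               # s/S and t/T live in the fourth digit
            us|uS) special=$((special + 4)) ;;
            gs|gS) special=$((special + 2)) ;;
            ot|oT) special=$((special + 1)) ;;
        esac
        out="$out$val"
        pos=$((pos + 3))
    done
    if [ "$special" -ne 0 ]; then
        printf '%s%s\n' "$special" "$out"
    else
        printf '%s\n' "$out"
    fi
}

# Apply the modes from the list above (plus a few with the special bits) to
# empty files and show what ls -l prints next to what mode_to_octal computes.
demo_modes() {
    dir=$(mktemp -d) || return 1
    for mode in 777 775 755 700 500 600 400 660 664 4755 4644 2750 1777; do
        f="$dir/m$mode"
        : > "$f"
        chmod "$mode" "$f"
        field=$(ls -ld "$f" | cut -c1-10)     # 11th char may be + or . (ACL, SELinux)
        printf '%-5s %s -> %s\n' "$mode" "$field" "$(mode_to_octal "$field")"
    done
    rm -rf "$dir"
}

# The classes are checked owner, then group, then other, and only the first
# matching class counts: a file you own with mode 077 is unreadable to you
# even though everybody else may read it. root bypasses mode bits entirely.
demo_owner_trap() {
    f=$(mktemp) || return 1
    chmod 077 "$f"
    if [ -r "$f" ]; then
        echo "077: owner can read; you are probably root, who bypasses mode bits"
    else
        echo "077: owner cannot read this file, although 'other' may"
    fi
    rm -f "$f"
}

demo_modes
demo_owner_trap
```

Run it with sh as an ordinary user. If demo_owner_trap reports that the owner can read the 077 file, you are running as root, for whom the mode bits are not consulted at all, so root is never a good account for testing permissions.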
Some Unix systems provide extra permission facilities that go beyond the standard Unix file permissions. Examples are filesystem-specific attributes (e.g. on Linux ext2 filesystems a file can be marked append-only, compressed, immutable or undeletable) and Access Control Lists (e.g. on Solaris). Be aware that an ACL can grant rights that the mode field of ls -l does not show; many implementations mark such files with a + after the mode field. Type man chattr (and man lsattr to see the attributes) or consult your vendor's system-specific documentation.
Changing the user or group ownership of a file is done with the GNU chown command (change owner). Although both types of ownership are changed with the same command, they are independent of each other: the user who owns a file need not be a member of the group that owns it. For the permission check the owner simply uses the user bits, and anyone who is neither the owner nor a member of the file's group falls under "other" and, if the other bits allow it, can still change the file. Note that on Linux and most other Unix systems an ordinary user cannot give a file away: only root may change the user ownership, and an ordinary user may change the group ownership only of files he owns, and only to a group he belongs to (check your groups with id).
User and group ownership can be changed in one command:
chown newuser:newgroup file
See man chown for more.
When you know the password of another user's account, you can present yourself to the system as that user, with that user's permissions, using the su command (switch user). E.g. the intranet website of your company is managed by a special user called "www". In order to change the site, use
su - www
You will be prompted for the password of user "www". After authentication you are working on the system with the permissions of user "www"; the - argument also gives you a login shell with that user's environment instead of your own. Check with the id -a command:
[tille@rincewind tille]$ su - www
Password:
[www@rincewind www]$ id -a
uid=501(www) gid=501(www) groups=501(www)
So every file is owned by somebody, and so is every process. Unless the permission bits say otherwise, only the owner can modify a file or signal a process. Clearly somebody must be able to step around this: who cleans up the mess, who modifies the system files and services? On a Unix system that somebody is the "superuser" or "root", for whom the file permission checks do not apply.
The root account should always be protected with a password, and the root user is in no way obliged to share it with the other users. This prevents people from reading each other's mail and from harassing other people, and generally prevents a great deal of accidents.
The root user (system administrator) should only use root status when necessary, and with full attention. Root status gives full control over the system, so you should be careful when "being" root. Should you need to become root, always log in as a normal user and then use the su - (switch user) command, which switches to root when no user name is given. When connecting to a system over the network, use ssh (see above: connecting to a system) if you want to connect directly using the root account, so that the root password is not sent over the wire in clear text; better still, log in as a normal user and only then su - to root.
In this document, we'll assume that you don't know the password for the root account. Almost any command discussed in this document can be executed without superuser status.