How-to on unix permissions
You can tell who owns files/directories by:
telnet to the server (in Windows, click Start menu -> Run -> "telnet physics").
Note that telnet sends your username and password across the network in clear text; if the server accepts ssh, use that instead.
login with your unix username and password
cd /home3/sambapublic
ls -al
(you can also change to subdirectories. Upper/lower case matters, and you must put quotes around directory names that contain spaces, e.g.: cd "Department Directory")
drwxr-x---  16 dkirk    staff    512 Nov  5 13:28 .
drwxr-xr-x  96 root     system  2048 Oct 25 15:15 ..
drwxrwxr-x   2 davis    staff    512 Nov  8 11:21 Alumni
drwxrwxr--   2 schiff   staff    512 Oct 27 16:21 Assessment
drwxr-xr-x   6 schiff   staff    512 Jul 21 13:13 Chair
drwxrwxr-x   3 davis    staff    512 Nov  8 11:14 Department Directory
drwxrwxr-x   2 dkirk    staff    512 Nov  8 11:13 Faculty Service
drwxrwxr-x   3 dkirk    staff    512 Sep 16  1998 Inquiries
drwxr-xr-x  21 dkirk    staff   1024 Oct 12 10:09 Local Software Installs
drwxr-xr-x   2 johnston staff    512 Nov  5 13:58 Machine Shop
drwxrwxr-x   8 davis    staff   1024 Nov  5 13:27 Office Forms
drwxr-xr-x   2 davis    staff    512 Oct 27 16:00 Office Procedures
drwxrwxr-x   6 dkirk    staff    512 Nov  5 13:27 Pictures
drwxr-xr-x   7 davis    staff    512 Oct 22 10:31 Search
drwxrwx---   5 dkirk    staff   1536 Nov  8 09:29 Temporary
drwxrwxr-x   3 dkirk    staff    512 Nov  5 12:16 Wiring Inventory

Reading one line of that listing (spaces added inside the first field here for clarity; ls prints its ten characters together):

d rwx rwx r-x   3 dkirk staff    512 Nov  5 12:16 Wiring Inventory
| |   |   |       |     |
| |   |   |       |     +-- group
| |   |   |       +-- owner
| |   |   +-- "world" permissions (everyone else who has an account)
| |   +-- group permissions
| +-- owner permissions
+-- "d" if it's a directory
The "r" is for read, the "w" for write and the "x" for execute (on a directory, "x" is what lets you enter it).
If a file/directory is rwx, it's readable and changeable (and executable, or enterable if it's a directory).
If it's r-x, it's readable, but not changeable.
The web server that serves our web pages runs as an account that, for your files, counts as "world", so a file must be readable by the last of the 3 groups for visitors to see it.
Directories must have at least r and x for others to be able to go into them (x) and list them (r).
So... now you may understand a little of how it works... but how do you change it?
Concepts of file permissions
Because there are multiple users on a
UNIX system, in order to protect individual users' files from tampering
by other users, UNIX provides a mechanism known as file permissions. This
mechanism allows files and directories to be "owned" by a particular
user. As an example, because Larry created the files in his home directory,
Larry owns those files, and has access to them.
UNIX also allows files to be shared between users and groups of users.
If Larry so desired, he could cut off access to his files, such that no
other user could access them. However, on most
systems the default is to allow other users to read your files, but
not modify or delete them in any way.
As explained above, every file is owned by a particular user.
However, files are also owned by a particular group, which is a system-defined
group of users. Every user is placed into at least one
group when that user is created. However, the system administrator
may also grant the user access to more than one group.
Groups are usually defined by the type of users which
access the machine. For example, on a university UNIX system, users may
be placed into the groups student, staff, faculty or
guest. There are also a few system-defined groups (such as bin and
admin) which are used by the system itself to control access to resources---very
rarely do actual users belong to these
system groups.
Permissions fall into three main divisions: read, write, and execute.
These permissions may be granted to three classes of users: the owner of
the file, the group to which the file belongs, and to all
users, regardless of group.
Read permission allows a user to read the contents of the file, or in
the case of directories, to list the contents of the directory (using ls).
Write permission allows the user to write to
and modify the file. For directories, write permission allows the user
to create, rename or delete entries within that directory (whether you can
delete a file is decided by the directory's write bit, not the file's own
permissions). Finally, execute
permission allows the user to run the file as a program or
shell script (if the file happens to be a program or shell script,
that is). For directories, execute permission (also called "search" permission)
allows the user to cd into the directory or open a file inside it by name;
without it, even a world-readable file inside cannot be reached.
Interpreting file permissions
Let's look at an example to demonstrate file permissions. Using the ls command with the -l option will display a "long" listing of the file, including file permissions.
/home/larry/foo# ls -l stuff
-rw-r--r-- 1 larry users 505 Mar 13 19:05 stuff
/home/larry/foo#
The first field printed in the listing represents the file permissions.
The third field is the owner of the file (larry), and the fourth field
is the group to which the file belongs (users). Obviously, the last
field is the name of the file (stuff), and we'll cover the other fields
later.
This file is owned by larry, and belongs to the group users. Let's look
at the file permissions. The string -rw-r--r-- lists, in order, the permissions
granted to the file's owner, the file's group,
and everybody else.
The first character of the permissions string ("-") represents the
type of file. A "-" just means that this is a regular file (as opposed
to a directory, shown as "d", or a device file). The next three letters ("rw-")
represent the permissions granted to the file's owner, larry. The "r"
stands for "read" and the "w" stands for "write". Thus, larry has
read and write permission to the file stuff.
As we mentioned, besides read and write permission, there is also "execute"
permission, represented by an "x". However, there is a "-" here in
place of the "x", so Larry doesn't have execute
permission on this file. This is fine; the file stuff isn't a program
of any kind. Of course, because Larry owns the file, he may grant himself
execute permission for the file if he so desires. This will be
covered shortly.
The next three characters, r--, represent the group's permissions on
the file. The group which owns this file is users. Because only an "r"
appears here, any user who belongs to the group
users may read this file, but not write to it.
The last three characters, also r--, represent the permissions granted
to every other user on the system (other than the owner of the file and
those in the group users). Again, because only an "r"
is present, other users may read the file, but not write to it or execute
it.
Here are some other examples of permission strings.
-rwxr-xr-x
The owner of the file may read, write, and
execute the file. Users in the file's group, and all other users, may read
and execute the file.
-rw-------
The owner of the file may read and write the
file. No other user can access the file.
-rwxrwxrwx
All users may read, write, and execute the
file.
Dependencies
It is important to note that the permissions
granted to a file also depend on the permissions of the directory in which
the file is located. For example, even if a file is set to -rwxrwxrwx,
other
users cannot access the file unless they have execute (search) access
to the directory in which the file is located (and read access to it if they
want to list the file's name). For example, if Larry wanted
to restrict access to all of his files, he could simply set
the permissions on his home directory /home/larry to drwx------. In
this way, no other user has access to his directory, or to any files and
directories within it, whatever their individual permissions say. Larry doesn't need to worry about
the individual permissions on each of his files.
In other words, to access a file at all, you must have execute access to all directories along the file's pathname, and read (or execute) access to the file itself.
Note also that the system checks exactly one of the three classes for a given user: the owner's permissions if you own the file, otherwise the group's if you are a member of the file's group, otherwise everybody else's. The classes are not combined, so a file set to ----rw-rw- cannot be read by its own owner until the owner changes its permissions.
Usually, users on a UNIX system are very open with their files. The
usual set of permissions given to files is -rw-r--r--, which will allow
other users to read the file, but not change it in any way.
The usual set of permissions given to directories is drwxr-xr-x, which
will allow other users to look through your directories, but not create
or delete files within them.
However, many users wish to keep other users out of their files. Setting
the permissions of a file to -rw------- will not allow any other user to
access the file. Likewise, setting the permissions of
a directory to drwx------ will keep other users out of the directory
in question. (The superuser, root, is not subject to any of these checks.)
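As an added example (not part of the original how-to), here is a small Python model of the rules in this section and in "Interpreting file permissions" above: it parses ls -l mode strings, picks the single permission class that applies to a user, and walks a path applying the rule that every directory on the way needs execute permission. The tree is constructed from the listing at the top of the page (the modes, owners and groups of /home3, /home3/sambapublic, Alumni and Temporary are the ones shown there); the mode of "/", the file roster.txt, the user "web" and the group memberships are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Model of UNIX permission checks (added example, not from the original page).

parse_mode() turns an ls -l mode string into per-class permission sets,
class_for() picks the one class the system checks for a given user, and
can_access() applies the rule from the text: execute (search) permission on
every directory along the path, then the requested permission on the entry."""


def parse_mode(mode_string):
    """'drwxr-x---' -> ('d', {'u': {'r','w','x'}, 'g': {'r','x'}, 'o': set()}).
    's'/'t' in an x position mean setuid/setgid/sticky plus execute;
    upper-case 'S'/'T' mean the special bit without execute."""
    if len(mode_string) != 10:
        raise ValueError("expected a 10-character mode string: %r" % mode_string)
    type_char, bits = mode_string[0], mode_string[1:]
    perms = {}
    for cls, chunk in zip("ugo", (bits[0:3], bits[3:6], bits[6:9])):
        granted = set()
        for want, got in zip("rwx", chunk):
            if got == want or (want == "x" and got in "st"):
                granted.add(want)
            elif not (got == "-" or (want == "x" and got in "ST")):
                raise ValueError("bad character %r in %r" % (got, mode_string))
        perms[cls] = granted
    return type_char, perms


def to_octal(mode_string):
    """'-rw-r--r--' -> 0o644 (special bits are not included)."""
    _, perms = parse_mode(mode_string)
    value = 0
    for cls in "ugo":
        digit = sum(bit for letter, bit in (("r", 4), ("w", 2), ("x", 1))
                    if letter in perms[cls])
        value = (value << 3) | digit
    return value


def class_for(user, user_groups, owner, group):
    """The kernel checks exactly one class: owner if you own the entry, else
    group if you belong to its group, else other. The classes are not unioned,
    so '----rwxrwx' is unreadable by its own owner."""
    if user == owner:
        return "u"
    if group in user_groups:
        return "g"
    return "o"


def entry(mode_string, owner, group):
    type_char, perms = parse_mode(mode_string)
    return {"type": type_char, "perms": perms, "owner": owner, "group": group}


def allowed(ent, user, user_groups, letter):
    """Does `user` have permission `letter` ('r', 'w' or 'x') on one entry?"""
    if user == "root":
        # root bypasses read/write/search checks; executing a regular file
        # still requires at least one x bit to be set.
        if letter == "x" and ent["type"] == "-":
            return any("x" in p for p in ent["perms"].values())
        return True
    cls = class_for(user, user_groups, ent["owner"], ent["group"])
    return letter in ent["perms"][cls]


def can_access(tree, path, user, user_groups, letter):
    """Walk `path` through `tree` (a dict of absolute path -> entry).
    Returns (True, 'ok') or (False, reason)."""
    parts = [p for p in path.split("/") if p]
    ancestors = ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]
    for d in ancestors:
        if not allowed(tree[d], user, user_groups, "x"):
            return False, "no search (x) permission on %s" % d
    target = tree["/" + "/".join(parts)]
    if not allowed(target, user, user_groups, letter):
        return False, "no %s permission on %s" % (letter, path)
    return True, "ok"


# Constructed from the listing at the top of the page: /home3 ('..' there),
# /home3/sambapublic ('.') and two of its subdirectories keep the modes,
# owners and groups shown. '/' and roster.txt are assumptions.
TREE = {
    "/": entry("drwxr-xr-x", "root", "system"),
    "/home3": entry("drwxr-xr-x", "root", "system"),
    "/home3/sambapublic": entry("drwxr-x---", "dkirk", "staff"),
    "/home3/sambapublic/Alumni": entry("drwxrwxr-x", "davis", "staff"),
    "/home3/sambapublic/Alumni/roster.txt": entry("-rw-rw-r--", "davis", "staff"),
    "/home3/sambapublic/Temporary": entry("drwxrwx---", "dkirk", "staff"),
}

if __name__ == "__main__":
    roster = "/home3/sambapublic/Alumni/roster.txt"
    # davis (owner, member of staff) can read the file...
    print("davis:", can_access(TREE, roster, "davis", {"staff"}, "r"))
    # ...but a web server running as an account outside staff cannot, because
    # /home3/sambapublic grants the "world" class nothing, not even x.
    print("web:  ", can_access(TREE, roster, "web", {"www"}, "r"))
```

Run against the page's own listing, the model shows why the "Dependencies" rule matters: an account outside the staff group (such as the one a web server runs as) cannot read anything under /home3/sambapublic, however permissive the subdirectories and files are, because /home3/sambapublic itself is drwxr-x--- and gives "world" no search permission.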
Changing permissions
The command chmod is used to set the permissions on a file. Only the owner of a file (or root) may change the permissions on that file.
The syntax of chmod is:
chmod {a,u,g,o}{+,-,=}{r,w,x} <filenames separated by spaces>
Briefly, you supply one or more of all, user (the owner), group, or other. Then
you specify whether you are adding rights (+), taking them away (-), or
setting them to exactly what follows (=). Finally, you specify one or more of read, write, and
execute. Several such clauses can be joined with commas, e.g. chmod u+rwx,go-rwx stuff.
Some examples of legal commands are:
chmod a+r stuff
Gives all users read access to the file.
chmod +r stuff
Same as above---if none of a, u, g, or o is
specified, a is assumed.
chmod og-x stuff
Remove execute permission from users other
than the owner.
chmod u+rwx stuff
Allow the owner of the file to read, write,
and execute the file.
chmod o-rwx stuff
Remove read, write, and execute permission
from users other than the owner and users in the file's group.
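An added example (not code from the page or from any chmod implementation): a Python interpreter for the symbolic syntax above, including = and comma-separated clauses, with a cross-check against the system's chmod on a temporary file. It follows the page's simplification that a bare +r means a+r; real chmod additionally leaves bits that are set in your umask untouched in that case, and setuid/setgid/sticky bits are not modelled.

```python
#!/usr/bin/env python3
"""Interpreter for chmod's symbolic mode syntax (added example, not from the
page or from any chmod implementation). A bare "+r" is treated as "a+r", as
the page says; real chmod additionally leaves bits that are set in your umask
alone in that case. Setuid/setgid/sticky are not modelled."""
import os
import re
import subprocess
import tempfile

CLASS_MASK = {"u": 0o700, "g": 0o070, "o": 0o007, "a": 0o777}   # who
LETTER_MASK = {"r": 0o444, "w": 0o222, "x": 0o111}              # what
CLAUSE = re.compile(r"^([ugoa]*)([+=-])([rwx]*)$")


def apply_symbolic(mode, spec):
    """Return the mode chmod would leave, starting from `mode` (e.g. 0o644).
    `spec` may hold several comma-separated clauses: "u+rwx,go-rwx"."""
    for clause in spec.split(","):
        m = CLAUSE.match(clause)
        if not m:
            raise ValueError("bad chmod clause: %r" % clause)
        who, op, letters = m.groups()
        who_mask = 0
        for c in who or "a":            # no class given: "a" is assumed
            who_mask |= CLASS_MASK[c]
        bits = 0
        for letter in letters:
            bits |= LETTER_MASK[letter]
        selected = who_mask & bits      # only the named classes' bits
        if op == "+":
            mode |= selected
        elif op == "-":
            mode &= ~selected
        else:  # '=': the named classes get exactly these bits, nothing else
            mode = (mode & ~who_mask) | selected
    return mode & 0o777


def mode_string(mode):
    """0o750 -> 'rwxr-x---', the nine characters ls -l prints after the type."""
    out = []
    for shift in (6, 3, 0):
        digit = (mode >> shift) & 7
        out.append(("r" if digit & 4 else "-") +
                   ("w" if digit & 2 else "-") +
                   ("x" if digit & 1 else "-"))
    return "".join(out)


def verify_against_system(spec, start):
    """Cross-check the model against the real chmod(1) on a temporary file.
    Returns (model_result, actual_result); they should be equal."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, start)
        subprocess.run(["chmod", spec, path], check=True)
        actual = os.stat(path).st_mode & 0o777
    finally:
        os.unlink(path)
    return apply_symbolic(start, spec), actual


if __name__ == "__main__":
    # The page's examples (plus one with '='), applied to a file that
    # starts out as -rw-r--r--.
    for spec in ("a+r", "+r", "og-x", "u+rwx", "o-rwx", "go-rwx", "u=rw,go="):
        print("%-10s -> %s" % (spec, mode_string(apply_symbolic(0o644, spec))))
```

The `=` form is the one to reach for when you want a known end state rather than a delta: chmod u=rw,go= stuff yields -rw------- whatever the file had before, whereas a chain of + and - clauses depends on the starting mode.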
Your own "public" writable area?
If you'd like to make a temporary area you can access from other accounts
logged into samba,
make a new directory in your home directory, like "public",
then from unix change the permissions to rwxrwxrwx with the command
chmod a+rwx public
Be aware that anyone with an account can then delete or overwrite anything in it. Setting the sticky bit as well (chmod a+rwx,+t public, which ls shows as rwxrwxrwt, the same mode /tmp uses) still lets anyone create files there but lets only a file's owner delete or rename it.
Then you can map the directory with the Windows "Map Network Drive" dialog to \\physics\<username> under any account.
By default, new files under unix are rw-r--r-- and new directories are rwxr-xr-x (readable and changeable
by you, readable and not changeable by anyone else); the exact defaults depend on your umask.
If you want other files unreadable and unwritable by others, you can
use chmod -R go-rwx <filenames>
(or you can use * in place of filenames to do everything in the current directory; note that * does not match names beginning with a dot).
But be careful, because if you have a web page under public_html, you
may lock the web server out of it: it needs x on public_html and on every directory below it, and r on each file it serves.
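An added example (not from the page) that puts the two warnings above into code: it creates a shared directory the safe way, with the sticky bit, and then audits a tree for world-writable entries that anyone could tamper with and for public_html content the web server, checked as a member of "world", cannot read or enter. The demo tree, its file names and the modes used are constructed for illustration.

```python
#!/usr/bin/env python3
"""Shared writable area and two audits (added example, not from the page).
make_shared_dir() creates a world-writable directory with the sticky bit,
world_writable() finds entries anyone could tamper with, and
web_unreachable() finds public_html content the web server (checked in the
"other" class, as the page describes) cannot read or enter. The demo tree
and its names are constructed for illustration."""
import os
import shutil
import stat
import tempfile


def make_shared_dir(path):
    """Mode 1777 = rwxrwxrwt: anyone may create files, but the sticky bit
    lets only a file's owner (or root) delete or rename them, which plain
    chmod a+rwx does not guarantee. Returns the ls-style mode string."""
    os.makedirs(path, exist_ok=True)
    os.chmod(path, 0o1777)
    return stat.filemode(os.stat(path).st_mode)


def world_writable(root):
    """Entries under root that the "other" class may modify, except sticky
    directories (intended shared areas). Symlinks are skipped because their
    own mode bits are not consulted."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            m = os.lstat(p).st_mode
            if stat.S_ISLNK(m):
                continue
            sticky_dir = stat.S_ISDIR(m) and m & stat.S_ISVTX
            if m & stat.S_IWOTH and not sticky_dir:
                hits.append(p)
    return sorted(hits)


def web_unreachable(public_html):
    """(path, reason) for every directory lacking o+x and file lacking o+r,
    public_html itself included: a missing x on a directory hides everything
    below it, however permissive the files are."""
    problems = []

    def check(p):
        m = os.stat(p).st_mode
        if stat.S_ISDIR(m):
            if not m & stat.S_IXOTH:
                problems.append((p, "directory not searchable by others (needs o+x)"))
        elif not m & stat.S_IROTH:
            problems.append((p, "file not readable by others (needs o+r)"))

    check(public_html)
    for dirpath, dirnames, filenames in os.walk(public_html):
        for name in dirnames + filenames:
            check(os.path.join(dirpath, name))
    return sorted(problems)


def demo():
    """Build a constructed tree in a temp dir, run both audits, return the
    results with paths relative to the temp root, then clean up."""
    root = tempfile.mkdtemp()

    def mk(rel, mode, is_dir=False):
        p = os.path.join(root, rel)
        if is_dir:
            os.makedirs(p)
        else:
            open(p, "w").close()
        os.chmod(p, mode)                 # exact mode, regardless of umask

    try:
        shared = make_shared_dir(os.path.join(root, "public"))
        mk("loose.txt", 0o666)                          # anyone can overwrite
        mk("public_html", 0o755, is_dir=True)
        mk("public_html/index.html", 0o644)             # fine
        mk("public_html/notes.txt", 0o600)              # web server can't read
        mk("public_html/private", 0o700, is_dir=True)   # web server can't enter
        html = os.path.join(root, "public_html")
        return {
            "shared_mode": shared,
            "world_writable": [os.path.relpath(p, root) for p in world_writable(root)],
            "web_unreachable": [(os.path.relpath(p, root), why)
                                for p, why in web_unreachable(html)],
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running web_unreachable() against your real ~/public_html after a chmod -R go-rwx is the quick way to see exactly which directories and files the web server lost access to, before a visitor reports it.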