Linux is a multi-user operating system. This means it can have multiple users simultaneously logged in and working. You have already seen that the system enforces some kind of security arrangement by requiring users to login and supply passwords. This allows the system (via the user's uid) individually to identify what each user does during a login session. In particular, this identification extends to marking as owned by the user all the files that the user creates during the login session. When you are the owner of any files, the system gives you permission to exercise control over them, so that you can specify what access other users have to them.
In the case of files and directories, each one has a set of permission flags associated with it, which can be seen by using the -l switch to the ls command:
$ $ ls -l text total 2 -rw-r--r- -2 pc book 22 Apr 20 20:37 motd -rw-r--r- -2 pc book 796 Apr 20 20:37 passwd
This switch tells ls to produce a long listing of the files in the given directories, including quite a lot of extra information. The first piece of information in the output gives the total number of disk data blocks (here two, at typically one kilo-byte each) occupied by all of the files in the directory. The rest of the output listing is produced with one line per file. The very first character on each line says what kind of file it is. In the example, the hyphen (-) is used to indicate that these are ordinary files. Other characters in this position are possible, the most common being the letter d, which says that this line describes a directory. The rest of the first block of characters on each line are the file's permission flags (I'll come back to these in a moment). After the permission flags is a number which says how many directory links there are to the associated inode. The next field gives the login name of the file's owner. This is followed by the name (or sometimes the gid) of the set of users who share group access to this file. Next comes a number which gives the size of the file in bytes. After that comes the date and time (or, if it was a while ago, the date and year) that the file content was last modified. And, lastly, the name of the file itself.
Incidentally, if you want to find out the extra details for a directory rather than for the files contained within the directory, you can do so with the -d switch to ls as follows:
$ ls -ld text drwxr-x--x 2 pc book 1024 Apr 20 20:35 text
The file access permission arrangements for an ordinary file are based around reading the file's contents, writing new data to the file and being able to execute the file as a command. For a directory, the equivalent permissions are for reading the names of files contained in the directory, writing information to the directory to add or delete inode links and being able to search the directory (i.e. to use the directory in a pathname so as to access a file or subdirectory it contains). For each file (and directory), there are four different classes of user and each class has its own set of access permissions to read, write or execute (search) the file. The four classes of user are:
This is the class of system privileged users. They all have access to a root login account.
This is the user who actually owns the file.
This is the name (or gid) of the class of users who will share group access to the file.
This is the set of all the users who don't fall into any of the other three classes.
In the case of the root users, they have complete read, write and search permissions to all files and directories, automatically, so there is no need to specify any permissions for them explicitly. The other three user classes can have the various permissions granted or withdrawn on an individual file and directory basis. For these three classes, therefore, each file and directory in the entire directory hierarchy has associated with its mode a set of nine permission bits giving the read, write and execute (search) permissions for each of the owner, group and world user classes. A few examples should make this clearer:
-rw-r--r-- 2 pc book 796 Apr 20 20:37 passwd
This line, taken from the previous example, shows that the file passwd is owned by the user pc and belongs to the user group book. The first character on the line (-) shows this to be an ordinary file. The next three characters show the read, write and execute (rwx) permissions for the owner. In the example the characters (rw-) show that user PC has read and write permissions granted but not execute permission. The next three characters are the permissions for the file's group (r--). Here the group can read the file but not write to it or execute it. The last three characters in the block (r--) are for the world user class (r--), who can also read the file but not write or execute it.
drwxr-x--x 2 pc book 1024 Apr 20 20:35 text
This second example shows the permission flags for the directory text. The first character on the line (d) shows that it is a directory. The next three characters (rwx) show that the file owner has read, write and search permission. The file's group permissions (r-x) allow read and search access to the group but will not allow group members to add or delete files in the directory. The world permission bits only allow search access to the directory, not read or write access. This stops the world user class from using ls to see what is in the directory (no read permission) but does allow them to access files they already know to be in the directory. The following example shows that a member of the world user class can see the contents of a readable file in a directory, without read permission on the directory itself:
$ cd /home/pc $ ls -l text ls: text: Permission denied $ cat text/motd motd contents in here.
One extra privilege granted to the owner of a file, whatever its permission bits show, is the ability to change the permission bits to another value. This is done with the command chmod. The general format of chmod is:
chmod mode files.
where mode specifies the new permission bits and files is the list of files whose permissions will be changed. The mode parameter can be specified in either of two different ways - a symbolic representation or a bit pattern given as an octal number. The octal bit pattern is probably the simplest to understand as it just involves writing three octal digits. Each octal digit is just a three-bit bit pattern which specifies the rwx permissions for one of the three user classes: owner, group or world.
Suppose you wanted to change the permissions of the text directory from the values in the previous example to the new values rwxrwxr-x, so that the owner and group classes can read, write and search the directory and the world class can read and search it, but not write to it. The first job is to convert the required permission string (rwxrwxr-x) into a binary bit pattern. This is done by writing a one-bit where a permission is to be granted and a zero-bit otherwise. This gives the nine-bit binary string 111111101 in this example. All that remains now is to split this bit pattern into groups of three bits which can then be converted directly to octal digits. This gives 111 111 101, which in octal becomes 775.
The command required to perform the change would, therefore, be:
$ cbmod 775 text $ ls -l drwxr-x--x 2 pc book 1024 Apr 20 20:35 backup drwxrwxr-x 2 pc book 1024 Apr 20 20:35 text
Notice that the permissions of the text directory have been updated as required, while leaving backup unchanged.