NEXT UP previous
Next: Processes

Security

Linux is a multi-user operating system. This means it can have multiple users simultaneously logged in and working. You have already seen that the system enforces some kind of security arrangement by requiring users to login and supply passwords. This allows the system (via the user's uid) individually to identify what each user does during a login session. In particular, this identification extends to marking as owned by the user all the files that the user creates during the login session. When you are the owner of any files, the system gives you permission to exercise control over them, so that you can specify what access other users have to them.

In the case of files and directories, each one has a set of permission flags associated with it, which can be seen by using the -l switch to the ls command:

	$
	$ ls -l text 
	total 2
	-rw-r--r-   -2 pc	book          22 Apr 20 20:37 motd
	-rw-r--r-   -2 pc	book         796 Apr 20 20:37 passwd 

This switch tells ls to produce a long listing of the files in the given directories, including quite a lot of extra information. The first piece of information in the output gives the total number of disk data blocks (here two, at typically one kilo-byte each) occupied by all of the files in the directory. The rest of the output listing is produced with one line per file. The very first character on each line says what kind of file it is. In the example, the hyphen (-) is used to indicate that these are ordinary files. Other characters in this position are possible, the most common being the letter d, which says that this line describes a directory. The rest of the first block of characters on each line are the file's permission flags (I'll come back to these in a moment). After the permission flags is a number which says how many directory links there are to the associated inode. The next field gives the login name of the file's owner. This is followed by the name (or sometimes the gid) of the set of users who share group access to this file. Next comes a number which gives the size of the file in bytes. After that comes the date and time (or, if it was a while ago, the date and year) that the file content was last modified. And, lastly, the name of the file itself.

Incidentally, if you want to find out the extra details for a directory rather than for the files contained within the directory, you can do so with the -d switch to ls as follows:

	$ ls -ld text
	drwxr-x--x	2 pc	book	1024 Apr 20 20:35 text

The file access permission arrangements for an ordinary file are based around reading the file's contents, writing new data to the file and being able to execute the file as a command. For a directory, the equivalent permissions are for reading the names of files contained in the directory, writing information to the directory to add or delete inode links and being able to search the directory (i.e. to use the directory in a pathname so as to access a file or subdirectory it contains). For each file (and directory), there are four different classes of user and each class has its own set of access permissions to read, write or execute (search) the file. The four classes of user are:

In the case of the root users, they have complete read, write and search permissions to all files and directories, automatically, so there is no need to specify any permissions for them explicitly. The other three user classes can have the various permissions granted or withdrawn on an individual file and directory basis. For these three classes, therefore, each file and directory in the entire directory hierarchy has associated with its mode a set of nine permission bits giving the read, write and execute (search) permissions for each of the owner, group and world user classes. A few examples should make this clearer:

	-rw-r--r--	2 pc	book	796 Apr 20 20:37 passwd

This line, taken from the previous example, shows that the file passwd is owned by the user pc and belongs to the user group book. The first character on the line (-) shows this to be an ordinary file. The next three characters show the read, write and execute (rwx) permissions for the owner. In the example the characters (rw-) show that user PC has read and write permissions granted but not execute permission. The next three characters are the permissions for the file's group (r--). Here the group can read the file but not write to it or execute it. The last three characters in the block (r--) are for the world user class (r--), who can also read the file but not write or execute it.

	drwxr-x--x	2 pc	book	1024 Apr 20 20:35 text

This second example shows the permission flags for the directory text. The first character on the line (d) shows that it is a directory. The next three characters (rwx) show that the file owner has read, write and search permission. The file's group permissions (r-x) allow read and search access to the group but will not allow group members to add or delete files in the directory. The world permission bits only allow search access to the directory, not read or write access. This stops the world user class from using ls to see what is in the directory (no read permission) but does allow them to access files they already know to be in the directory. The following example shows that a member of the world user class can see the contents of a readable file in a directory, without read permission on the directory itself:

	$ cd /home/pc
	$ ls -l text
	ls: text: Permission denied
	$ cat text/motd
	motd contents in here.

One extra privilege granted to the owner of a file, whatever its permission bits show, is the ability to change the permission bits to another value. This is done with the command chmod. The general format of chmod is:

	chmod mode files.

where mode specifies the new permission bits and files is the list of files whose permissions will be changed. The mode parameter can be specified in either of two different ways - a symbolic representation or a bit pattern given as an octal number. The octal bit pattern is probably the simplest to understand as it just involves writing three octal digits. Each octal digit is just a three-bit bit pattern which specifies the rwx permissions for one of the three user classes: owner, group or world.

Suppose you wanted to change the permissions of the text directory from the values in the previous example to the new values rwxrwxr-x, so that the owner and group classes can read, write and search the directory and the world class can read and search it, but not write to it. The first job is to convert the required permission string (rwxrwxr-x) into a binary bit pattern. This is done by writing a one-bit where a permission is to be granted and a zero-bit otherwise. This gives the nine-bit binary string 111111101 in this example. All that remains now is to split this bit pattern into groups of three bits which can then be converted directly to octal digits. This gives 111 111 101, which in octal becomes 775.

The command required to perform the change would, therefore, be:

	$ cbmod 775	text
	$ ls -l
	drwxr-x--x	 2 pc	book	1024 Apr 20 20:35 backup
	drwxrwxr-x	 2 pc	book	1024 Apr 20 20:35 text

Notice that the permissions of the text directory have been updated as required, while leaving backup unchanged.


NEXT UP previous
Next: Processes