Friday, September 4, 2009

  • เป็นบทควาทที่ดีมากๆ เลย
  • คนเขียนเค้าเขียนได้ละเอียดมากๆ ครับ
  • แค่เก็บบันทึกไว้ update สมองตัวเองแค่นั้น
From http://ardchoille42.blogspot.com/2009/08/linux-file-permissions.html

By Nana Langstedt

Permissions and ownership - why?
If you can't access some of the files on your very own Linux system, it's usually because of misconfigured file access permissions. If you are the only user on your Linux box, you may be wondering what's the point of having all these permissions (or lack thereof) that restrict your access to your very own penguin OS. However, before pulling your hair off, you must keep in mind Linux is designed to be a multi-user environment. In an environment with more than one user, it is crucial to have a secure system for deciding which files are yours and who can fiddle with them.

Even if you're the only user on an ordinary desktop system, file permissions help keep your important files safe, both from outsiders and your own mistakes.

Understanding file ownership
Every file on your Linux system, including directories, is owned by a specific user and group. Therefore, file permissions are defined separately for users, groups, and others.

User: The username of the person who owns the file. By default, the user who creates the file will become its owner.

Group: The usergroup that owns the file. All users who belong into the group that owns the file will have the same access permissions to the file. This is useful if, for example, you have a project that requires a bunch of different users to be able to access certain files, while others can't. In that case, you'll add all the users into the same group, make sure the required files are owned by that group, and set the file's group permissions accordingly.

Other: A user who isn't the owner of the file and doesn't belong in the same group the file does. In other words, if you set a permission for the "other" category, it will affect everyone else by default. For this reason, people often talk about setting the "world" permission bit when they mean setting the permissions for "other."

Understanding file permissions
There are three types of access permissions on Linux: read, write, and execute. These permissions are defined separately for the file's owner, group and all other users.

Read permission. On a regular file, the read permission bit means the file can be opened and read. On a directory, the read permission means you can list the contents of the directory.

Write permission. On a regular file, this means you can modify the file, aka write new data to the file. In the case of a directory, the write permission means you can add, remove, and rename files in the directory. This means that if a file has the write permission bit, you are allowed to modify the file's contents, but you're allowed to rename or delete the file only if the permissions of the file's directory allow you to do so.

Execute permission. In the case of a regular file, this means you can execute the file as a program or a shell script. On a directory, the execute permission (also called the "search bit") allows you to access files in the directory and enter it, with the cd command, for example. However, note that although the execute bit lets you enter the directory, you're not allowed to list its contents, unless you also have the read permissions to that directory.

How to view file permissions
You can view the access permissions of a file by doing the long directory listing with the ls -l command. This is what a long directory listing might look like:

me@puter: /home/writers$ ls -l
total 17
drwxr-xr-x 3 nana writers 80 2005-09-20 21:37 dir
-rw-r----- 1 nana writers 8187 2005-09-19 13:35 file
-rwxr-xr-x 1 nana writers 10348 2005-07-17 20:31 otherfile

What does the output of ls -l mean? The very first column, the one that looks like a bunch of mumbo jumbo, shows the file type and permissions. The second column shows the number of links (directory entries that refer to the file), the third one shows the owner of the file, and the fourth one shows the group the file belongs to. The other columns show the file's size in bytes, date and time of last modification, and the filename.

The first column, the one that shows the file's permissions and looks like mumbo jumbo, is organized into four separate groups, although it certainly doesn't look very organized.

The first group consists of only one character, and it shows the file's type. For example, d means a directory and - means a normal file, so if you take a look at our example output, you'll notice dir is a directory, while file and otherfile are regular files.

The first character can be any of these:
  • d = directory
  • - = regular file
  • l = symbolic link
  • s = Unix domain socket
  • p = named pipe
  • c = character device file
  • b = block device file
The next nine characters show the file's permissions, divided into three groups, each consisting of three characters. The first group of three characters shows the read, write, and execute permissions for user, the owner of the file. The next group shows the read, write, and execute permissions for the group of the file. Similarly, the last group of three characters shows the permissions for other, everyone else. In each group, the first character means the read permission, the second one write permission, and the third one execute permission.

The characters are pretty easy to remember.
  • r = read permission
  • w = write permission
  • x = execute permission
  • - = no permission
What does this mean in practice? Let's have an example. Remember the imaginary directory listing we did at the beginning? The output looked like this:

drwxr-xr-x 3 nana writers 80 2005-09-20 21:37 dir
-rw-r----- 1 nana writers 8187 2005-09-19 13:35 file
-rwxr-xr-x 1 nana writers 10348 2005-07-17 20:31 otherfile

As we already noticed, dir is a directory, because the first column begins with a d. The owner of this directory is user nana and the group owner is writers. The first three characters, rwx, indicate the directory's owner, nana in this case, has full access to the directory. The user nana is able to access, view, and modify the files in that directory. The next three characters, r-x, indicate that all users belonging to group writers have read and execute permissions to the directory. They can change into the directory, execute files, and view its contents. However, because they don't have write permissions, they can't make any changes to the directory content. Finally, the last three characters, r-x, indicate that all the users who are not nana or don't belong into group writers, have read and execute permissions in the directory.

How about file? Because the first column begins with a -, the file is a regular file, owned by user nana and group writers, just like the directory in our example. The first three characters, rw-, indicate the owner has read and write access to the file. According to the next three characters, r--, the users belonging to group writers can view the file but not modify or execute it. The final three characters, ---, indicate no one else has any access to the file.

Similarly, you can see otherfile is a regular file and its owner has full access to it, while everyone else can read and execute the file but not modify it.

How to set file permissions - symbolic mode
You can set file permissions with the chmod command. Both the root user and the file's owner can set file permissions. chmod has two modes, symbolic and numeric.

The symbolic mode is pretty easy to remember. First, you decide if you set permissions for the user (u), the group (g), others (o), or all of the three (a). Then, you either add a permission (+), remove it (-), or wipe out the previous permissions and add a new one (=). Next, you decide if you set the read permission (r), write permission (w), or execute permission (x). Last, you'll tell chmod which file's permissions you want to change.

Let's have a couple of examples. Suppose we have a regular file called testfile, and the file has full access permissions for all the groups (long directory listing would show -rwxrwxrwx as the file's permissions).

Wipe out all the permissions but add read permission for everybody:
$ chmod a=r testfile
After the command, the file's permissions would be -r--r--r--

Add execute permissions for group:
$ chmod g+x testfile
Now, the file's permissions would be -r--r-xr--

Add both write and execute permissions for the file's owner. Note how you can set more than one permission at the same time:
$ chmod u+wx testfile
After this, the file permissions will be -rwxr-xr--

Remove the execute permission from both the file's owner and group. Note, again, how you can set them both at once:
$ chmod ug-x testfile
Now, the permissions are -rw-r--r--

As a summary, have a look at this quick reference for setting file permissions in symbolic mode:
  • Which user?
  • u means user/owner
  • g means group
  • o means other
  • a means all
  • What to do?
  • + means add this permission
  • - means remove this permission
  • = means set exactly this permission
  • Which permissions?
  • r means read
  • w means write
  • x means execute
How to set file permissions - numeric mode
The other mode in which chmod can be used is the numeric mode. In the numeric mode, the file permissions aren't represented by characters. Instead, they are represented by a three-digit octal number.
  • 4 means read (r)
  • 2 means write (w)
  • 1 means execute (x)
  • 0 means no permission (-)
To get the permission bits you want, you add up the numbers accordingly. For example, the rwx permissions would be 4+2+1=7, rx would be 4+1=5, and rw would be 4+2=6. Because you set separate permissions for the owner, group, and others, you'll need a three-digit number representing the permissions of all these groups.

Let's have an example:
$ chmod 755 testfile
This would change the testfile's permissions to -rwxr-xr-x. The owner would have full read, write, and execute permissions (7=4+2+1), the group would have read and execute permissions (5=4+1), and the world would have the read and execute permissions as well.

Let's have another example:
$ chmod 640 testfile
In this case, testfile's permissions would be -rw-r-----. The owner would have read and write permissions (6=4+2), the group would have read permissions only (4), and the others wouldn't have any access permissions (0).

The numeric mode may not be as straightforward as the symbolic mode, but with the numeric mode, you can more quickly and efficiently set the file permissions. This quick reference for setting file permissions in numeric mode might help:
  • Which number?
  • 0 means --- or no permissions
  • 1 means --x or execute permission
  • 2 means -w- or write permission
  • 3 means -wx or write and execute permission
  • 4 means r-- or read permission
  • 5 means r-x or read and execute permission
  • 6 means rw- or read and write permission
  • 7 means rwx or read, write and execute permission


File Permissions And Directories by Ian MacGregor

Recursive chmod
One very important item needs to be addressed when working with file permissions. I've seen it many times. A new Linux user will download a theme and find all graphic files have the execute bit set. In an attempt to remove them the user will use a recursive chmod command, find that access is now denied to the affected directories and wonder what happened.

When using chmod recursively to change permissions care must be taken to avoid removing the execute bit on directories because doing so will lock all users out of the affected directories.


Here is an example:
[testdir @ 13:50:42]$ ls
[testdir @ 13:50:44]$ mkdir -p test1/subtest1 test1/subtest2
[testdir @ 13:51:48]$ ls
test1
[testdir @ 13:52:16]$ ls -la test1
total 16
drwxr-xr-x 4 testuser testuser 4096 2009-08-25 13:51 .
drwxr-xr-x 4 testuser testuser 4096 2009-08-25 13:51 ..
drwxr-xr-x 2 testuser testuser 4096 2009-08-25 13:51 subtest1
drwxr-xr-x 2 testuser testuser 4096 2009-08-25 13:51 subtest2
[testdir @ 13:52:24]$ chmod -R a-x test1
chmod: cannot access `test1/subtest1': Permission denied
chmod: cannot access `test1/subtest2': Permission denied
[testdir @ 13:52:35]$ ls -la test1
ls: cannot access test1/subtest1: Permission denied
ls: cannot access test1/subtest2: Permission denied
ls: cannot access test1/..: Permission denied
ls: cannot access test1/.: Permission denied
total 0
d????????? ? ? ? ? ? .
d????????? ? ? ? ? ? ..
d????????? ? ? ? ? ? subtest1
d????????? ? ? ? ? ? subtest2
[testdir @ 13:52:49]$ cd test1
bash: cd: test1: Permission denied
[testdir @ 13:53:23]$ chmod -R a+x test1
[testdir @ 13:53:33]$ ls -la test1
total 16
drwxr-xr-x 4 testuser testuser 4096 2009-08-25 13:51 .
drwxr-xr-x 4 testuser testuser 4096 2009-08-25 13:51 ..
drwxr-xr-x 2 testuser testuser 4096 2009-08-25 13:51 subtest1
drwxr-xr-x 2 testuser testuser 4096 2009-08-25 13:51 subtest2
[testdir @ 13:53:39]$


A better method of recursively removing the execute bit from files is to pipe the find command to the xargs comand like this:

find . -type f | xargs chmod a-x

The "f" in the above command tells find to look for files of type "f", or "regular file". A "d" would be used to look for directories so using an "f" in the command above will avoid changing permissions of directories. For more information about the find command, please see man find.

Here is a demonstration:
[testdir @ 14:36:58]$ mkdir -p testdir1/subdir1 testdir1/subdir2
[testdir @ 14:37:39]$ touch testdir1/subdir1/newfile1 testdir1/subdir1/newfile2
[testdir @ 14:39:00]$ chmod -R a+x testdir1/
[testdir @ 14:39:12]$ ls -la testdir1/subdir1
total 8
drwxr-xr-x 2 testuser testuser 4096 2009-08-25 14:39 .
drwxr-xr-x 4 testuser testuser 4096 2009-08-25 14:37 ..
-rwxr-xr-x 1 testuser testuser 0 2009-08-25 14:39 newfile1
-rwxr-xr-x 1 testuser testuser 0 2009-08-25 14:39 newfile2
[testdir @ 14:39:28]$ find . -type f | xargs chmod a-x
[testdir @ 14:39:52]$ ls -la testdir1/subdir1
total 8
drwxr-xr-x 2 testuser testuser 4096 2009-08-25 14:39 .
drwxr-xr-x 4 testuser testuser 4096 2009-08-25 14:37 ..
-rw-r--r-- 1 testuser testuser 0 2009-08-25 14:39 newfile1
-rw-r--r-- 1 testuser testuser 0 2009-08-25 14:39 newfile2
[testdir @ 14:39:56]$ cd testdir1/subdir1
[subdir1 @ 14:40:12]$ pwd
/home/testuser/testdir/testdir1/subdir1
[subdir1 @ 14:40:15]$

No comments:

Post a Comment