About files and directories

Access control for files and directories

Because the UnixWare system is a multiuser system, it is important that strict control is placed on file access. For example, as a user you cannot change files that belong to someone else without their authorization. Controlling access to files is achieved by use of permissions.

Every file has three sets of permissions that control who can read it, write it (that is, change it), and execute it. You can change the permissions on your own files to make them more or less accessible to other users on the system.
The permissions field for a file is made up of nine character positions following the file type indicator. They are divided into three sets of three permissions each; a set for the owner of the file, a set for the group of users to which the file belongs, and a set for everyone else on the system. These are respectively known as ``owner'', ``group'' and ``other''.

Note that the superuser (root) can always read or write every file on the system. This is a special privilege that is not available to any other user.

Each set of permissions can include none, one, or more than one of the following privileges:

Read

If you have read permission, you can look at the contents of a file. For a directory, this means you can see a list of the files it holds. Read permission is represented by an ``r'' in the first of the three character positions for each of the three sets of permissions, as follows:

-r--r-----   1 johnd   unixdoc    10586 Feb 25 12:26 1.start

The ``r'' in the first character position of owner's set and the group set means that the owner and members of the owner's group can read the file; nobody else is permitted to do so.

Write

If you have write permission on a file, you can alter its contents. For a directory, this means you can create files and subdirectories within that directory. It also means you can remove files from that directory even if you do not have write permission on the files.

--w--w--w-   1 johnd   unixdoc     8660 Feb 25 13:08 2.start

The ``w'' in the owner's set, the group set and the other users' set means that all classes of user can alter this file.

You cannot remove a file unless you have write permission on the directory it is stored in. If you try to remove a file from a directory for which you do not have write permission, you will see an error message like the following:

$ rm freds.file
rm: fred/freds.file not removed.
Permission denied

Execute

For a file, this means that if the file is a program, you can execute it. Execute permission on a directory means you can change to it.

---x--x--x   1 johnd   unixdoc      Feb 25 13:08 2.start

In all cases, a hyphen in any of the permissions fields indicates that the permission is not set.

More uncommonly, you may encounter other permissions in a long listing, for example ``s'' or ``t''. For details, see ls(1).

To see the permissions on the current directory, use the ls -d (directory) command, as follows:

   $ ls -d
   drwxrwxrwx  21 johnd   techpubs    1552 Dec 07 15:40 .

Changing file permissions

To change the permissions on a file, use the chmod(1) (change mode) command, which has two formats, ``symbolic'' and ``absolute'', as follows:

chmod who operator permission filename
chmod mode filename

Using the first, symbolic, format, the who field is one or more of the following characters:

a: all users; change all three sets of permissions at once
u: user; change the user, or owner, permissions
g: group; change the group members' permissions
o: others; change the other users' permissions

The operator field is one of the following symbols:

+: add a new permission
-: remove a new permission
=: set permissions while clearing (removing) all other permissions

The following sample usages of chmod show a number of symbolic permissions being set:

$ chmod g+w memo: adds write permission for group members on the file memo.
$ chmod o-wx memo: removes write and execute permission for others (users other than the owner or those in the file's group).
$ chmod o= memo: clears (removes) all permissions for other (setting a NULL permission clears any existing value).
$ chmod u=rx memo: sets read and execute for user, clearing (removing) write permission (which is not specified in the ``='' command.)
$ chmod a+w memo: adds write permission to the existing permissions for all categories of user.

You can also change permissions using their absolute numeric values, by giving a three-digit octal number to specify the permissions. This method is harder to use but less verbose.

Using octal numbers to set permissions

Permissions Octal number

--- 0

--x 1

-w- 2

-wx 3

r-- 4

r-x 5

rw- 6

rwx 7

Permission to execute a file is represented by a value of 1. Permission to write a file is represented by a value of 2. Permission to read a file is represented by a value of 4. These values are added together to produce the combinations in the table above.

Permissions	Octal number
---	0
--x	1
-w-	2
-wx	3
r--	4
r-x	5
rw-	6
rwx	7

Three octal numbers (numbers in the range 0 to 7) are used to represent the owner, group and other permissions respectively. Thus, by adding the permissions for a given category of user, you produce a digit; and by specifying three digits (one for each set of users) you can specify all the permissions on a file, as follows:

   $ l myfile
   -rw-r--r--   1 johnd techpubs    5061 Feb 10 15:01 myfile
   $ chmod 640 myfile
   $ l myfile
   -rw-r-----   1 johnd techpubs    5061 Feb 10 15:01 myfile

myfile originally possessed permissions 644. The ``6'' gives read and write permissions (2 plus 4) to users in the specified group, while the ``4'' gives read permissions only. ``0'' gives no permissions at all. The effect of executing chmod 640 on this file was to deny all permissions to users of group ``other''.

Setting the default permissions for a new file

When new files are created, their initial permissions are determined by their file creation mask. The umask(1) command is executed whenever you log in, and it automatically sets the mask to restrict the permissions placed on any files that you create. You can change the permissions placed on new files by running umask again; the new permissions override the old ones.

To change the permissions applied to a newly created file, specify the permissions you want to have removed from the new file. In this way, specifying a file creation mask of o=rwx causes read, write and execute permission to be denied to other users.

   $ touch test
   $ l test
   -rw-rw-r--   1 charles techpubs       0 Feb 22 09:29 test
   $ umask u=,g=w,o=rwx
   $ touch test.2
   $ l test.2
   -rw-r-----   1 charles techpubs       0 Feb 22 09:30 test.2

The touch(1) command creates an empty file, in this case called test.

In the command lines above, the umask command specifies that write permission is to be removed from members of the file's group, and that read, write, and execute permissions are to be removed from other users. No change is made to the permissions available to the file's owner.

NOTE: Where the = operator is used in umask, it has the opposite effect to the = in chmod. With chmod, it sets any specified permissions, and unsets the rest, whereas with umask, it unsets the specified permissions while setting all the others.

Note that you cannot normally create an executable file using umask; you can only change a file's permissions to make it executable. For example, if your umask is umask u=,g=,o=rwx this gives your default file permissions of 660 (rw-rw----), not 770 (rwxrwx---), even though execute permissions for user and group have not been removed. The only exceptions to this rule are when creating a directory or compiling a program to create an executable binary (in which case the executable bits are set in accordance with your umask).

You can set umask using octal permissions. To set the umask, work out what permissions you want to give newly created files in octal, then subtract them from 777. (Remember, the permissions specified in your umask are removed from the file, not added.) Accordingly, umask 022 removes write permission from the group and other user classes: a file created with an initial mode of 777 becomes 755 and a file created with 666 becomes 644.

Giving a file to someone else

To give a file to someone else, change the ownership of the file with the chown(1) (change owner) command, as follows:

chown new_owner filename

The new_owner argument is the login name of the new owner.

For example, the following command line assigns ownership of 01.intro to the user charles:

   $ chown charles 01.intro

You must be the current owner of a file to change its ownership; that is, you cannot give the file to someone else unless it is yours to give. When you create a file, you automatically become its owner.

Depending on the permissions on a file, if you give away ownership you may give away your right to access the file afterwards.

Finding out your group

In order to find out the groups of which you are a member, use the id(1M) command, as follows:

   $ id
   uid=13052(johnd) gid=1014(techpubs)

The command displays your numeric user identification (UID) and your group identification (GID). Your login and group names are given in parentheses.

Changing the group of a file

To change the group of a file, use the chgrp(1) (change group) command, as follows:

chgrp new_group filename

For example, to change the group of a file called using_unix to techpubs, use the following command:

   $ chgrp techpubs using_unix

Files and users on the system are identified as members of a group by their group name. Groups, together with group permissions, allow people who need to use the same files to share those files without sharing them with all users. When you create a file, it is automatically given the same group as your own. You must be the owner of a file to change its group.