File System Permissions
File System Permissions
File System Permissions
4 Determining file and directory access File System Permissions Determining file and directory access All files and directories have a user identifier (UID) and group identifier (GID) number associated with them. The kernel uses these numbers to identify ownership of files rather than the user or group name familiar to the user. The ls -n command displays the numeric UID and the GID. Note that the -a (all) option may be included to see the .profile file that normally is hidden. Two other useful commands when working with UIDs and GIDs are the id and group commands. The id command displays numeric and alphabetic UIDs and GIDs for the student's effective user identifier (EUID). The groups command displays all the groups the student is a member of. Process for Determining Permissions Every system process is initiated by the operating system. Every system also has a UID and GID, depending on who initiated the process. When a process or user attempts to read, write to, or execute a file, the UID and GID of the process are compared. First compared to the UID of the file or directory and then to the GID. If neither matches, the other category of permissions is used. When a match is made, the permissions specified on the file or directory for that category of user as a user, group, or other, are applied. To determine whether the user should be permitted to perform the action, the user ID and group ID of a file or directory are compared to the allowable access list for the file or directory. The flowchart below illustrates the logic applied to determine whether a system process is allowed to access a file or directory. This flowchart is applied to a user attempting to perform an action such as viewing (cat) a file.
Default Permissions When a user accesses the system, files and directories are protected by default permissions. These default permissions are put in place automatically when a file or directory is created. The default permissions for a new file are read/write for the user or owner who created the file, and read for group and other. For directories, the default permissions are read/write/execute for the user and read/execute for group and other. Figure shows the default permission for a new file created with
the touch command and a new directory created with the mkdir command. The default size for a new directory is 512 bytes. A new empty file is 0 bytes.
Explain in detail, the default directory access permissions? With the use of appropriate illustrations, explain the process of determining permissions when a use executes a command such as cat.
************************************************************************************ Changing Permissions from the Command Line Ownership and groups When a file or directory is created, the owner or user is automatically assigned. In Linux, only the superuser or root can change ownership. In Linux, using the chown (change owner) command transfers ownership from one user to another. In Solaris both the current file owner and root can use the chown command. When the ownership is changed for a file, the user is no longer the owner. The user may or may not be able to access the file even though it is in the user's directory. Because the user is no longer the owner, group or other permissions will determine the access. The following shows the syntax for the chown command for a file and then for a directory: chown new_owner filename or chown -R new_owner directoryname Like the chmod command, the -R option recursively changes ownership on directories and all files. This is a quick way to change ownership on all files in a directory at once. More on Groups A user can belong to two types of groups: Primary group are where each user must belong to a primary group. A user's primary group is determined by the system administrator at the time the user account is created, and it is stored in the /etc/password file. See Chapter 2, "Accessing a System and UNIX Graphical Interfaces". The primary group is the group the operating system assigns to files and directories created by the user. The chgrp command, to be mentioned later, is used to change primary group ownership of a file. Secondary group or groups are where each user also can belong to between 8 and 16 secondary groups. The number of these secondary groups depends on the version of UNIX. These groups are stored in the /etc/groups file.
When a user logs on, that user obtains a primary group from the /etc/passwd file. Next, the /etc/groups file is scanned looking for the login name and any additional groups that the user belongs to. This enables a user to belong to several groups at the same time for file and directory access purposes.
Figure shows how group membership is assigned when user2 logs on. In this example, the /etc/passwd file is read to determine the primary group or staff. The /etc/groups file is read to determine that the user is also a member of the managers (mgrs) and the accounting (acctg) secondary groups. As a result, user2 will have permissions to any files and directories assigned to any of the three groups, primary or secondary. Tip: If a user copies a file to the student's home directory, that user is still the owner. The student cannot use the chown command to make the student the owner. Only the owner can give up ownership. In most cases, there will be read permissions on the file allowing the student to make a copy. When the file is copied, the student becomes the owner of that copied file. Some systems might be set up to prevent the use of the chown command for security reasons. When this is the case, the student should contact the system administrator. UNIX HISTORY NOTE Current group functionality came from BSD UNIX and was implemented in SVR4. When a user logged on prior to SVR4, that user could belong to only one group at a time, the primary group, by default. A user would use the newgroup command to switch to another group temporarily. A user could switch to only another group in which they were a member. Today, the newgroup command is used to temporarily change primary group membership to another group. The user must be a member of that group, in order to run programs or create files with other than the primary group membership. Tip: To determine the user's primary and secondary groups, use the id -a command or the groups command. The id command is covered later in the chapter. Changing Group Ownership When a file or directory is created, the user's primary group automatically is assigned. In Linux, only the superuser (root) can change group ownership using the chgrp (change group) command to transfer group ownership from one group to another. In Solaris both the current file owner and root can use the chgrp command. The format for the chgrp command is shown here: chgrp new_group filename or chgrp -R new_group directoryname Like the chmod command, the -R option recursively changes group ownership on directories and all files. This is a quick way to change the group ownership on all files in a directory at once.