January 26, 2004

CLI magic: mother, may I?

Author: Joe Barr

There are few things as confusing, frustrating, and aggravating for those who come to Linux from Windows as the whole notion of permissions. Based on my own personal experience, I would say as much as 25% of the problems I've had using Linux over the years have been permissions related. It's a subject your mother didn't teach you, and you didn't learn on the playgrounds. That's why we're going to get down and dirty with the CLI today: to learn about permissions on Linux, right here, right now.

Reading, writing, and execution

Permissions are flags which control who can do what with a file. Which file? Any file on your system. For each file, there are three separate flags which indicate whether or not you can read a file, write a file, or execute a file. Just because you can do one, doesn't mean you can do the other two.

Permissions are necessary for security. Because Linux is truly a multiuser system, it needs to protect each user's data from all the other users.

Now, if you've digested that, allow me to complicate things just a bit. Permissions are not the same for everybody. They vary depending not only on your user ID, but on what groups you belong to, or don't belong to, as the case may be.
This is a big part of what differentiates Linux from that toy OS from the monopoly in Redmond, so pay close attention.

When you installed Linux, you were asked to choose a unique user name and a password. Behind the scenes, you were also made part of different groups of users. Most groups are based on functionality. There are groups that use USB, or the modem, or the printer, or mail, or disk access, or news. The list goes on.

While other users on a system may belong to all or some of the same groups you do, they don't need to have access to your personal data. By default, they do not. Not unless you say it's ok by explicitly giving them permission.

Linux sees you as the owner of the data in your home directory. It also sees you as the owning group for those files. That's right. In that case, you are not just the owner but the group. Linux tracks both (owner and group) for every file on the system.

Sometimes you are seen as the owner (if you created the file). Other times you might just be a member of the owning group. Other times you might not be either one. Permissions are set for each contingency.

Earlier I told you that there are three separate flags which control whether or not you can read, or write, or execute a specific file. That's true, but it's not complete. Actually, there are three sets of those three flags.

One set controls what the file owner can do, the next controls what a member of the owning group can do, and the third controls what "the world" can do. In this case, "the world" means everyone else: anyone who is neither the owner nor a member of the file's owning group.

But how does it keep track?

If you enter "ls -l" from the command line, you'll get a full listing of the contents of the current directory. All but the "invisible" files, but we'll worry about them another day.

One directory entry might look like this:

4 -rw-rw-r-- 1 warthawg warthawg 1163 Jan 23 09:25 story.txt

Ignore the four at the left side. Ignore the first "-" in the string ("-rw-rw-r--") that comes next. It's the nine characters following that "-" that we're interested in. Nine. That's three times three. Let's see, three types of permissions (read, write, execute) for three different user categories (owner, group member, world). By golly, it all adds up.

The first three characters ("rw-") reveal that I, as the owner of the file, have (r)ead and (w)rite permissions, but that I do not have e(x)ecute rights.

The next three characters show the group rights, and in this case they are identical to the first three. That makes sense because my user ID is used for both the owner and the group. What about the rest of the world? The last three characters in the nine character string reveal that the world can (r)ead the file, but not write or execute it.

Change is good

What if I didn't want the world to be able to read the file? No problem. I could just change it using the wonderful chmod command. In fact, there are several ways I could change it using the same command.

The first way depends on me remembering that 6 is equal to "rw-" and that 0 is equal to "---". Remembering those two things, I could enter the following command:

chmod 660 story.txt

The first 6 sets the owner rights, the second 6 the group rights, and the 0 the world rights. Before the command, the rights were "rw-rw-r--". Afterward, the file rights are "rw-rw----". Nothing changed except the fact that the rest of the world can no longer read the file.
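To see the change above happen rather than just read about it, here is an added example (mine, not part of Joe Barr's article) that creates a scratch file, gives it the article's starting rights, runs the same chmod 660, and reads the mode string back out of "ls -l". It assumes a POSIX shell with ls, awk, cut, chmod, mktemp and rm available, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article. Applies the article's
# "chmod 660" to a scratch file and reads the result back out of "ls -l".
# Assumes a POSIX shell with ls, awk, cut, chmod, mktemp and rm available.

# Print the ten-character mode field of one file, e.g. -rw-rw-r--.
# cut trims the "+" or "." that ls appends when ACLs or security labels exist.
mode_of() {
    ls -l "$1" | awk '{ print $1 }' | cut -c1-10
}

# Start from the article's rights (rw-rw-r--), drop the world's read bit
# with the numeric form, and return "<before> <after>".
demo_chmod_660() {
    tmp=$(mktemp) || return 1
    chmod 664 "$tmp"            # rw-rw-r-- : the article's starting point
    before=$(mode_of "$tmp")
    chmod 660 "$tmp"            # owner 6=rw-, group 6=rw-, world 0=---
    after=$(mode_of "$tmp")
    rm -f "$tmp"
    echo "$before $after"
}

# The same change in chmod's symbolic form: "o-r" removes read from
# others (o) without touching the owner (u) or group (g) bits at all.
demo_chmod_symbolic() {
    tmp=$(mktemp) || return 1
    chmod 664 "$tmp"
    chmod o-r "$tmp"
    after=$(mode_of "$tmp")
    rm -f "$tmp"
    echo "$after"
}

# Run stand-alone: prints "-rw-rw-r-- -rw-rw----" and then "-rw-rw----".
demo_chmod_660
demo_chmod_symbolic
```

One thing the example shows that the article's listing hides: plain "ls -l" puts the mode string in the first column. The "4" at the far left of the article's entry is the block count that the -s option adds, so if your listing has it, the mode string is the second field, not the first.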

Here is a handy list to keep around. SCO has not yet claimed it is their property, so copy it down quickly before they get a court order to make us remove it.

chmod value    Read    Write    Execute
     7          Y        Y         Y
     6          Y        Y         N
     5          Y        N         Y
     4          Y        N         N
     3          N        Y         Y
     2          N        Y         N
     1          N        N         Y
     0          N        N         N

Don't need no steenkin list

If you're clever, you don't need to remember that list. You just need to be able to do a little octal math, just like Linux. Think of the three binary bits that make up one octal digit: b1 b2 b3. The leftmost bit (b1) has a value of 4. The one in the middle (b2) has a value of 2. The one on the right (b3) has a value of 1.

Now think of those same three bits as the three flags I talked about way up there at the beginning: one for read, one for write, and one for execute. Because that is what they are. Bits can be in one of two states, on or off. If the bit on the left is on, the read flag is on. If the bit in the middle is on, the same goes for the write flag. And so on for the execute flag, represented by the bit on the right.

Isn't it remarkable that adding the values of the bits which are on (1 instead of 0) gives us the number on the left hand side of the list above? Talk about your synchronicity.
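The octal math above, carried out in plain POSIX shell so you can check the list (or throw it away) yourself. This is an added example of mine, not code from the article; the function names are my own, and it assumes only a POSIX sh with printf and cut.

```shell
#!/bin/sh
# Added example, not from the original article. The octal arithmetic the
# article describes, written in POSIX shell: each rwx triplet is one octal
# digit, r=4, w=2, x=1, and the digit is the sum of the bits that are on.

# One rwx triplet -> one octal digit, e.g. "rw-" -> 6, "---" -> 0.
triplet_to_digit() {
    d=0
    case "$1" in r??) d=$((d + 4)) ;; esac   # read bit on, worth 4
    case "$1" in ?w?) d=$((d + 2)) ;; esac   # write bit on, worth 2
    case "$1" in ??x) d=$((d + 1)) ;; esac   # execute bit on, worth 1
    echo "$d"
}

# One octal digit -> rwx triplet, e.g. 5 -> "r-x". Bitwise AND picks each
# flag back out of the digit.
digit_to_triplet() {
    r='-'; w='-'; x='-'
    if [ $(( $1 & 4 )) -ne 0 ]; then r='r'; fi
    if [ $(( $1 & 2 )) -ne 0 ]; then w='w'; fi
    if [ $(( $1 & 1 )) -ne 0 ]; then x='x'; fi
    echo "$r$w$x"
}

# Nine-character ls -l string -> three-digit chmod value, e.g.
# "rw-rw-r--" -> 664. A leading file-type character (the "-" the article
# says to ignore, or "d" for a directory) is dropped if present.
perms_to_chmod() {
    p=$1
    if [ ${#p} -eq 10 ]; then p=${p#?}; fi
    u=$(triplet_to_digit "$(printf '%s' "$p" | cut -c1-3)")
    g=$(triplet_to_digit "$(printf '%s' "$p" | cut -c4-6)")
    o=$(triplet_to_digit "$(printf '%s' "$p" | cut -c7-9)")
    echo "$u$g$o"
}

# Three-digit chmod value -> nine-character string, e.g. 660 -> "rw-rw----".
chmod_to_perms() {
    v=$1
    u=$(digit_to_triplet "$(printf '%s' "$v" | cut -c1)")
    g=$(digit_to_triplet "$(printf '%s' "$v" | cut -c2)")
    o=$(digit_to_triplet "$(printf '%s' "$v" | cut -c3)")
    echo "$u$g$o"
}

# Run stand-alone: the article's before and after, in both directions.
perms_to_chmod "-rw-rw-r--"   # 664
chmod_to_perms 660            # rw-rw----
```

Feed perms_to_chmod the first column of any "ls -l" line and you get the number to hand to chmod; feed chmod_to_perms a number and you get the string you will see afterward. The one thing this toy skips is the optional fourth (leading) digit for setuid, setgid and sticky bits, which is among the "other ways" the man page covers.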

As always, do a man chmod on your own and learn more about it as you have time. There are still other ways to set permissions than what we've gone over here.

Now, the next time you can't execute a binary file or a script that you've received in the mail, you'll know what to do. That's right. Don't ask your mother. Give yourself permission.