MA10126

Essential Unix

 

Introduction | Logging in | Directories | Files | Text Editors | Miscellany | File access | Links

 

7. File access control

 

In the section on directories, we saw that the absolute pathname for the home directory of user mapabc can be abbreviated to ~mapabc. We also saw in the exercise that we could change up one level into the parent directory above your own home directory, and list all the other home directories of maths undergraduates. The more imaginative of you may then have tried to change into someone else’s home directory by typing

cd ~mapxyz

and inspecting his or her files, and been surprised to find that you could do this. In fact, on a Unix network, any user can go into any directory, unless the file/directory permissions have been set to prevent this! This page tells you how to change the protection on files.

 

File security distinguishes between three categories of user:

Protection levels can be set separately for each category.

 

The protection level is determined by whether three types of operation are permitted:

 

When you list your files using ls with the -l option, the listing tells you the permissions which have been set. For example,

-rwxr-x---  1  mapabc  map  12357   Aug 12   14:03  cv

tells you that the file cv was last modified after lunch on the 12th August, is 12357 characters in size, and belongs to user mapabc, who is a member of the map group. The first ten-character string tells you the file permissions:

Thus, the file cv can be read, written to and executed by mapabc, can be read and executed (but not modified) by other map group members, and cannot be accessed in any way by users outside the group. This is the default set of permissions given when a file is created.

 

The default permissions setting for a file you create is -rw-r--r--, and for a directory it is drwxr-xr-x.  This means that everyone can read your files!

 

To change the permissions on a file, you use the command chmod. There are several formats to this, but the simplest is as follows. A set of file permissions can be specified by a three-digit integer between 000 and 777. The three digits specify the access level for the owner, the group and all other users respectively. To calculate an access level, proceed as follows:

The permission set rwxr-x--- would thus be represented by the access code 750. To assign this code to the file cv, type the command:

chmod 750 cv
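
The calculation described above, as an added example that is not part of the original page: each category's digit is the sum of the standard weights r=4, w=2, x=1. The function names perm_to_octal, mode_of and demo are made up for this illustration, and the files are created in a scratch directory.

```shell
#!/bin/sh
# Added example. Weights per category: r=4, w=2, x=1; one digit each for
# owner, group and others, in that order.

# Convert nine permission characters (e.g. rwxr-x---) to a chmod code.
perm_to_octal() {
    perms=$1
    [ "${#perms}" -eq 9 ] || { echo "need 9 characters" >&2; return 1; }
    code=""
    while [ -n "$perms" ]; do
        rest=${perms#???}            # everything after the first triplet
        triplet=${perms%"$rest"}     # the first triplet itself
        perms=$rest
        case $triplet in
            [r-][w-][x-]) ;;         # plain read/write/execute flags only
            *) echo "unsupported triplet '$triplet'" >&2; return 1 ;;
        esac
        digit=0
        case $triplet in r??) digit=$((digit + 4)) ;; esac
        case $triplet in ?w?) digit=$((digit + 2)) ;; esac
        case $triplet in ??x) digit=$((digit + 1)) ;; esac
        code=$code$digit
    done
    echo "$code"
}

# Read a file's permissions from `ls -ld` and report them as a code.
mode_of() {
    listing=$(ls -ld "$1") || return 1
    field=${listing%% *}             # first column, e.g. -rwxr-x---
    field=${field#?}                 # drop the file-type character
    perm_to_octal "$(printf '%.9s' "$field")"   # ignore any trailing . or +
}

# Demonstration on constructed files in a scratch directory.
demo() {
    dir=$(mktemp -d) || return 1
    touch "$dir/cv" "$dir/diary"
    chmod 750 "$dir/cv"
    chmod 700 "$dir/diary"
    for f in cv diary; do
        echo "$f: $(ls -ld "$dir/$f" | cut -c1-10) -> $(mode_of "$dir/$f")"
    done
    rm -rf "$dir"
}
demo
```

Permission strings that carry special flags (for example an s or t in place of x) are rejected rather than converted.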

 

To prevent anyone other than yourself having access to the file diary, type

chmod 700 diary

 

Remember that whatever file permissions you set, any user can at least enter your root directory and list the files and directories there – so be discreet in choosing names! You can set directory permissions in the same way as for files, to prevent intruders from going any further down the file structure. Thus, to set permissions for all files in the directory named personal, and in its subdirectories, use the recursion option:

chmod -R 700 personal

 

Exercise:

 

Use the pico editor to produce a file named obey containing the following text:

whoami

date

pwd

ls -tal

and any other Unix commands you can remember. Save the file.

 

Try to run this file by typing its name. It doesn’t work, because it is a text file which by default is not executable. Change this by using the chmod command to alter the file permissions to make it executable by the owner, i.e. to have the setting

-rwxr--r--.

 

Now run the file, with output going to a file named obey.out.

Look at the output file using pico.

 

Try doing that in Windows!!!

 

 

 

 There is more about file permissions in the BUCS Unix documentation. You can find a link to this in the Links page, together with other useful links to online Unix resources. There is much, much more to Unix, but if you can remember all that has been covered in these pages, you are already Unix-literate.

 

I would be keen to hear if you have found these webpages useful. Please email any comments to m.b.reed@bath.ac.uk. 

 
