MA10126
Introduction | Logging in | Directories | Files | Text Editors | Miscellany | File access | Links
7. File access control
In the section on
directories, we saw that the absolute pathname for the home directory of user
mapabc can be abbreviated to ~mapabc. We also saw in the exercise that we could change up
one level into the parent directory above your own home directory, and list all
the other home directories of maths undergraduates. The more imaginative of you
may then have tried to change into someone else’s home directory by typing
cd ~mapxyz
and inspecting his/her
files. And been surprised to find that you could do this. In fact, on a Unix
network, any user can go into any directory, unless the file/directory
permissions have been set to prevent this! This page tells you how to change
the protection on files.
File security distinguishes between three categories of user: the owner of the file, the group, and all other users.
Protection levels can be set separately for each category.
The protection level is determined by whether three types of operation are permitted: reading, writing and executing.
When you list your files using ls with the -l option, the listing tells you the permissions which have been set. For example,
-rwxr-x--- 1 mapabc map 12357 Aug 12 14:03 cv
tells you that the file cv
was last modified after lunch on the 12th August, is 12357
characters in size, and belongs to user mapabc, who is a member of the map
group. The first ten-character string tells you the file permissions:
Thus, the file cv can
be read, written to and executed by mapabc, can be read and executed (but not
modified) by other map group members, and cannot be accessed in any way by
users outside the group. This is the default set of permissions given when a
file is created.
The default permissions setting for a file you create is -rw-r--r--,
and for a directory it is drwxr-xr-x. This means that everyone can read your files!
To change the permissions on
a file, you use the command chmod. There are several formats to this, but the simplest
is as follows. A set of file permissions can be specified by a three-digit
integer between 000 and 777. The three digits specify the access level for the
owner, the group and all other users respectively. To calculate an access
level, proceed as follows:
The permission set rwxr-x--- would thus be represented by the access code 750. To assign this code
to the file cv, type the command:
chmod 750 cv
To prevent anyone other than
yourself having access to the file diary, type
chmod 700 diary
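The conversion between the ten-character string shown by ls -l and the three-digit code given to chmod, as an added example that is not part of the original page. It uses the standard weights (read = 4, write = 2, execute = 1, summed per category), and the function names are hypothetical. The second function lists everything under a directory that the group or other users can still access.

```shell
#!/bin/sh
# Added example, not from the original page; function names are hypothetical.

# One rwx triplet (e.g. "r-x") to its digit: read=4, write=2, execute=1.
triplet_digit() {
    d=0
    case $1 in r??) d=$((d + 4)) ;; esac
    case $1 in ?w?) d=$((d + 2)) ;; esac
    case $1 in ??x) d=$((d + 1)) ;; esac
    echo "$d"
}

# Ten-character "ls -l" string (e.g. "-rwxr-x---") to the three-digit chmod code.
# Only plain r, w, x and - are accepted; anything else is rejected.
perm_to_octal() {
    s=$1
    [ "${#s}" -eq 10 ] || { echo "expected 10 characters: $s" >&2; return 1; }
    rest=${s#?}              # drop the leading file-type character
    owner=${rest%??????}     # characters 1-3
    other=${rest#??????}     # characters 7-9
    group=${rest#???}; group=${group%???}   # characters 4-6
    for t in "$owner" "$group" "$other"; do
        case $t in
            [r-][w-][x-]) ;;
            *) echo "unsupported permission string: $s" >&2; return 1 ;;
        esac
    done
    echo "$(triplet_digit "$owner")$(triplet_digit "$group")$(triplet_digit "$other")"
}

# Print "CODE PATH" for everything under directory $1 that the group or other
# users can access in any way (second or third digit is not 0).
list_exposed() {
    find "$1" ! -type l | while IFS= read -r f; do
        # cut keeps the first ten characters; some systems append "." or "+"
        code=$(perm_to_octal "$(ls -ld "$f" | cut -c1-10)") || continue
        case $code in
            ?00) ;;
            *) echo "$code $f" ;;
        esac
    done
}

perm_to_octal "-rwxr-x---"   # prints 750, the code for the cv listing above
```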
Remember that whatever file
permissions you set, any user can at least enter your root directory and list
the files and directories there – so be discreet in choosing names! You can set
directory permissions in the same way as for files, to prevent intruders from
going any further down the file structure. Thus, to set permissions for all
files in the directory named personal,
and in its subdirectories, use the recursion option, -R:
chmod -R 700 personal
Exercise: Use the pico editor to produce a file named obey containing the following text:
whoami
date
pwd
ls -tal
and any other Unix commands you can remember. Save the file. Try to run this file by typing
its name. It doesn’t work, because it is a text file which by default is not
executable. Change this by using the chmod command to alter the file permissions to make it
executable by the owner, i.e. to have the setting -rwxr--r--. Now run the file, with
output going to a file named obey.out. Look at the output file
using pico. Try doing that in Windows!!!
There is more about file permissions in the
BUCS Unix documentation. You can find a link to this in the Links page, together
with other useful links to online Unix resources. There is much, much more to
Unix, but if you can remember all that has been covered in these pages, you are
already Unix-literate.
I would be keen to hear if
you have found these webpages useful. Please email any comments to m.b.reed@bath.ac.uk.