Linux Permissions

From RCSWiki

This page provides a somewhat detailed introduction to managing Linux permissions on RCS clusters. For more details, you can consult the manual pages for chown or chmod using the commands man chown and man chmod. Running these at the command line on ARC lets you view the Linux manual pages for the commands related to Linux permissions. A detailed explanation of Linux permissions and file system interfaces can also be found in Chapter 4 of Advanced Programming in the UNIX Environment.

Understanding ls Output

When we examine a group allocation directory with ls -l, we will get a lot of details that we may not usually pay attention to for files in our home directory.

$ cd /work/somepi_lab
$ ls -lh
total 2.4G
-rw-rw-r-- 1  username1 somepi_lab 2.4G Feb  3 10:13  A.csv
drwxr-x--- 2  username1 somepi_lab 4096 Feb  3 10:16  username1_files
drwxr-x--- 12 username2 username2  4096 Feb  9 1:13   user2
drwxr-S--- 3  username2 somepi_lab 2.4G Feb  9 1:16   user2_shared

Understanding this output and the implications for group sharing requires some careful discussion of ideas from Linux permissions. There are three parts to permissions for every directory and regular file: user, group, and mode. The first piece of information printed on each line is the mode and looks like -rw-rw-r--. It is exactly 10 characters long and they are all important to permissions. The second piece of information is the number of links and we won't need it for our discussion. The third piece of information is called the user (or owner) of the file. The fourth piece of information is called the group of the file. The fifth, sixth, and seventh pieces of information are the size, file status change date, and the file or directory name.

Permission Types in the Mode String

We will begin by explaining the user and group and then we will use these to explain how to make sense of the mode string. The user of the file or directory is the username of a user who owns the file or directory. This user can change permissions on the file or directory (and usually has the most privileges for reading and writing). The group of the file or directory is a name for a collection of users that (often) have special privileges for accessing the file or directory (but typically less than the owner). If a particular user is trying to access the file, the system will ask what their relationship is to the file. If they are the owner then they have user permissions. If they are not the owner but belong to the file's group then they have group permissions. If they are not the owner, and do not belong to the file's group, then their relationship to the file is other.

Interpreting the Mode String

We are now able to talk about what the mode tells us. The mode can be read as consisting of 4 parts:

-rw-rw-r--
drwxr-x---
(file type)(user permissions)(group permissions)(other permissions)
(    -    )(       rw-      )(        rw-      )(      r--        )
(    d    )(       rwx      )(        r-x      )(      ---        )

The file type of a file is - if it is a regular file, d if it is a directory, and l if it is a symbolic link to another file or directory.

Each class of permissions consists of three characters for three types of permission: (r)ead, (w)rite, and e(x)ecute. For regular files, read permission generally allows users to access the data in the file, write permission allows users to change the contents of the file, and execute permission allows users to run it as a program. For directories, the combination of read and execute permission allows users to look in the directory, while the combination of write and execute allows adding or removing files and directories inside it. Broadly speaking, execute is required to do anything with a directory.

If the permissions string contains a - where "r", "w", or "x" would be, then the respective users do not have that permission. If the letter itself appears, then they do have that permission. There are two more important options called set-user-id and set-group-id. In the user and group permissions respectively they are indicated by s or S in the execute character: s is used if execute is also set and S if it is not. These enable special behaviours and should not appear on most files. However, setting the set-group-id bit on a directory causes its group to be inherited by files created under it. Consequently, you are likely to see this in at least some parts of your group allocation directory.

In our example above, the first record is a file: its owner can read or write it but not execute it, anyone belonging to the group of the file can read or write it but not execute it, and anyone else can read it but not write or execute it. The second record is a directory: the owner can read, write, or execute it, members of the group can read or execute it, and no one else can do anything with it.
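The two rules above (how the 10-character mode string splits into its fields, and how a user is placed into the user, group, or other class) are small enough to write down as shell functions. The following is an added example and not part of the RCSWiki page; the usernames and group names it is called with are constructed from the listing in the text.

```shell
# Added example (not from the RCSWiki page): decode an ls -l mode string and work
# out which permission triple applies to a given user, following the rule in the
# text: owner -> user bits, member of the file's group -> group bits, else other.
# All usernames and group names used with these functions are constructed.

# decode_mode MODE -> "type=... user=rwx group=r-S other=--- [setuid=...] [setgid=...]"
decode_mode() {
  mode="$1"
  if [ "${#mode}" -ne 10 ]; then
    echo "decode_mode: expected a 10-character mode string, got '$mode'" >&2
    return 1
  fi
  # Split the string into its four fields (POSIX tools only).
  ftype=$(printf '%s' "$mode" | cut -c1)
  user=$(printf '%s' "$mode" | cut -c2-4)
  group=$(printf '%s' "$mode" | cut -c5-7)
  other=$(printf '%s' "$mode" | cut -c8-10)
  case "$ftype" in
    -) kind="regular file" ;;
    d) kind="directory" ;;
    l) kind="symbolic link" ;;
    *) kind="other" ;;
  esac
  printf 'type=%s user=%s group=%s other=%s' "$kind" "$user" "$group" "$other"
  # s/S in the execute slot: set-user-id (user triple) or set-group-id (group triple);
  # lowercase means execute is also set, uppercase means it is not.
  case "$user" in
    ??s) printf ' setuid=yes(exec)' ;;
    ??S) printf ' setuid=yes(noexec)' ;;
  esac
  case "$group" in
    ??s) printf ' setgid=yes(exec)' ;;
    ??S) printf ' setgid=yes(noexec)' ;;
  esac
  printf '\n'
}

# effective_perms MODE OWNER FILEGROUP USER "GROUP1 GROUP2 ..." -> the rwx triple
# that applies to USER. The owner check comes first: an owner who is also in the
# file's group still gets only the user bits. s/S is reported as x or -.
effective_perms() {
  mode="$1"; owner="$2"; fgroup="$3"; who="$4"; memberships="$5"
  if [ "$who" = "$owner" ]; then
    triple=$(printf '%s' "$mode" | cut -c2-4)
  else
    triple=$(printf '%s' "$mode" | cut -c8-10)   # default: other
    for g in $memberships; do
      if [ "$g" = "$fgroup" ]; then
        triple=$(printf '%s' "$mode" | cut -c5-7)
        break
      fi
    done
  fi
  printf '%s\n' "$triple" | tr 'sS' 'x-'
}

# Usage, with the records from the listing above:
#   decode_mode 'drwxr-S---'
#   effective_perms 'drwxr-S---' username2 somepi_lab username1 'somepi_lab username1'
```

The second function is the check to run when a colleague reports they "cannot see" a file: pass in the mode, owner and group from ls -l and the groups the colleague belongs to (as printed by the groups command), and the returned triple is what the system will actually enforce for them.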

Examples of Linux Permissions

Returning to our original example,

-rw-rw-r-- 1 username1 somepi_lab 2.4G Feb  3 10:13 A.csv

The regular file A.csv is owned by username1 and has the group somepi_lab. The user username1 is the owner of the file and can change its permissions; they can also read and write the file. Likewise, any member of somepi_lab can read and write the file. Finally, anyone on ARC at all can read the file if they know where it is and what it is called.

drwxr-x--- 2  username1 somepi_lab 4096 Feb  3 10:16  username1_files

The directory username1_files is owned by username1 and has the group somepi_lab. The user username1 is the owner of the directory and can change its permissions; they can also inspect the contents of the directory and create and delete files in it. Any member of somepi_lab can inspect the contents of the directory but not create or delete files or directories in it. However, note that the set-group-id bit is not set, so the group will not automatically be inherited by new files. No one else can look in the directory or create or delete files or directories in it.

drwxr-x--- 12 username2 username2  4096 Feb  9 1:13   user2

The directory user2 is owned by username2 and has the group username2 (a group exclusive to username2). The user username2 is the owner of the directory and can change its permissions; they can also inspect the contents of the directory and create and delete files in it. Any member of the group username2 can inspect the contents of the directory but not create or delete files or directories in it. No member of somepi_lab would be part of this group, so the group permissions are ultimately immaterial. No one else can look in the directory or create or delete files or directories in it. In effect, this is a private directory for the user username2.

drwxr-S--- 3  username2 somepi_lab 2.4G Feb  9 1:16   user2_shared

The directory, user2_shared, is owned by username2 and has a group somepi_lab. The user with username, username2, is the owner of the directory and can change its permissions, they can also inspect the contents of the directory and create and delete files in it. Any member of somepi_lab can inspect the immediate contents of the directory but not create or delete files or directories in it. They also won't be able to inspect the contents of directories beneath it. However, the set-group-id bit is set, so the group of somepi_lab will inherit for files created in the directory. No one else can look in the directory or create or delete files or directories in it.

Finally, to modify this directory so that it was completely open to the group, username2 could run a change mode command (chmod):

[username2@arc somepi_lab]$ chmod g+wx user2_shared
[username2@arc somepi_lab]$ ls -l
...
drwxrws--- 3  username2 somepi_lab 2.4G Feb  9 1:16   user2_shared

where the command says to add write and execute permissions to the group permissions. chmod -R causes the mode to be changed recursively on the directory and on every file and directory anywhere under it.
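The user2_shared change can be rehearsed in a scratch directory before touching the real allocation. The script below is an added example, not part of the RCSWiki page: it recreates the drwxr-S--- starting state, applies the same chmod g+wx, reads the mode back from ls -ld, and then creates a file inside to confirm that the set-group-id bit makes the file take the directory's group. The scratch path is an assumption; the directory is created with whatever group the machine running the script gives it, so the inheritance check only shows a visible difference when that group is not your primary group (as with somepi_lab on ARC).

```shell
# Added example (not from the RCSWiki page): rebuild the user2_shared case in a
# scratch directory, apply the page's chmod g+wx, and verify the result with ls -ld.

# mode_of PATH -> the 10-character mode string from ls -ld (drops any trailing
# "+" or "." that ACL- or SELinux-aware ls may append).
mode_of() { ls -ld "$1" | cut -c1-10; }

# group_of PATH -> the group column of ls -ld.
group_of() { ls -ld "$1" | awk '{print $4}'; }

# make_group_shared DIR: start from drwxr-S--- (owner rwx; group read plus
# set-group-id but no execute; nothing for others), then open it to the group
# exactly as in the listing above, and print the resulting mode.
make_group_shared() {
  dir="$1"
  mkdir -p "$dir"
  chmod u=rwx,g=r,o= "$dir"   # owner rwx, group r--, others ---
  chmod g+s "$dir"            # set-group-id without group execute: the "S"
  chmod g+wx "$dir"           # the command from the page
  mode_of "$dir"              # expected: drwxrws---
}

# inherits_group DIR: create a file inside DIR and succeed only if the file's
# group equals the directory's group (set-group-id inheritance).
inherits_group() {
  dir="$1"
  : > "$dir/newfile"
  [ "$(group_of "$dir/newfile")" = "$(group_of "$dir")" ]
}

# Usage (constructed scratch path):
#   scratch=$(mktemp -d)
#   make_group_shared "$scratch/user2_shared"
#   inherits_group "$scratch/user2_shared" && echo "group inherited"
#   rm -rf "$scratch"
```

Because chmod g+wx only touches the group bits, the owner and other fields are left as they were; the other field stays ---, so opening the directory to the group does not expose it to every user on the cluster.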

To change a file or directory's ownership, the owner can use the chown command to change the owner and/or group:

[username2@arc somepi_lab]$ chown -R username2:somepi_lab user2
[username2@arc somepi_lab]$ ls -l
...
drwxr-x--- 12 username2 somepi_lab  4096 Feb  9 1:13   user2
...