Permissions

All UNIX files (executable and otherwise ) have an associated set of owner permission bits that are used by the operating system to determine access. The permission bits are grouped into three sets of three bits each. Each bit within a set determines if a file can be read, written to, or executed. The three sets correspond to three classes of users: the file owner , those in the file owner's group and all other users. We can think of the nine permission bits as representing a three-digit octal number, as shown in Figure 2.3. This permission set would indicate that the file owner has read, write, and execute permission; group members have read and write permission; and all others have execute-only permission. The permissions for a file are part of the information stored by the operating system in an I-list (with one unique entry per file). When a file is accessed, its attributes are stored in a system inode table.

Figure 2.3. File permissions as octal values.

At a system level, the permissions of a file are modified using the chmod command. The permissions of a file can be listed with the ls command using the -l (long format) flag. For example, in the ls command output shown in Figure 2.4, the file owner ( root ) of the file ( vi ) has permission to read ( r ), write ( w ), and execute ( x ) the file. Members of the file owner's group can read and execute the file, as can users classified as other. In Linux, the group name for a file is shown by default when issuing the ls -l command. In some forms of UNIX (such as true-blue BSD), the -g flag must be added to the command (i.e., ls -lg ) to obtain the group name.

Figure 2.4. File permissions displayed by ls .

The interpretation of the permission bits for directories is slightly different than for files. When the file is a directory, setting the read bit indicates the directory can be read or displayed. Setting the write bit indicates files or links can be added or removed from the directory, and setting execute permission indicates traversal permission is granted. If traversal permission is not set, the directory name can only be used as part of a path name but cannot be examined directly.

EXERCISE

Is the owner of a file also a member of the class "other"? If the file protections on a file are set so that only those in the class "other" have read/write/execute access, does the owner still have access to the file? Is this reasonable? Why?

When generating files in UNIX, such as by I/O redirection or compiling a source program into an executable, the operating system will assign permissions to the file. The default permissions assigned to the file are determined by a bitwise operation on two three-digit octal mask values. These mask values are the creation mask and the umask . Unless otherwise specified (such as when creating or opening a file within a program), the creation mask used by the system is 777 for executable and directory files and 666 for text files. The default umask value is set by the system administrator and is most commonly 022. If you want to change the value of umask and would like the value available to all your processes, insert the command umask nnn (where nnn is the new value for umask) in your startup .login (or .profile ) file.

At a system level the current umask value may be displayed/modified by using the umask command. An example using the umask command is shown in Figure 2.5 (notice that leading 0s are displayed on some systems).

Figure 2.5 Using the umask command.

linux$ umask 22 linux$ umask 011 linux$ umask 11

When a new file is created, the system will exclusive OR ( XOR ) the creation mask for the file with the current umask value. The exclusive OR operation acts the same as a subtract (without any borrow ) of the umask value from the creation mask. The net result determines the permissions for the new file. For example, generating a text file called foo using command-line I/O redirection, as shown in Figure 2.6.

Figure 2.6 Generating a plain text file using I/O redirection.

linux$ cat > foo hello foo ^d

This will set the permissions for the text file foo to 644 (666 minus 022). This is verified by the output of the ls command using the l option, as shown in Figure 2.7.

Figure 2.7 The default permissions of a plain text file.

linux$ ls -l foo -rw-r--r-- 1 gray faculty 10 Jan 1 14:58 foo

If we generate a directory (or executable file such as a.out using the C/C++ compiler), the default permissions, using the 022 umask, will be 755 (777 minus 022). See Figure 2.8.

Figure 2.8 The default permission of a directory entry.

linux$ mkdir bar linux$ ls -ld bar drwxr-xr-x 2 gray faculty 4096 Jan 1 15:00 bar

The use of system calls chmod , stat (file status information), and umask that allow a process access to this information is presented in Section 2.7.

Категории