The Unix file security system can prevent unauthorised users from reading or altering files.
Every file and directory has specific permissions associated with it, giving different categories of user certain permissions to look at or change a file, and to run executable files.
NOTE Executable files are files containing commands that can themselves be executed as if the file itself were a command.
The file permissions can be displayed using the command:
% ls -l [filename]
For example, to display the permissions on the file lookup.icn, type the command:
% ls -l lookup.icn
-rw-r--r-- 1 lnp5jb 777 Dec 18 lookup.icn
The first set of characters in the output from the command (-rw-r--r--) gives the permissions. The username in the middle of the line (lnp5jb) is the owner of the file. This is the user who created the file. The following fields tell you the number of characters in the file, the date it was created and the name of the file.
Note that the first character specifies the file type. This is normally one of the following:
- indicates a file
d indicates a directory
The following nine characters represent permissions for different classes of users. Users on a Unix system are assigned to a group or groups, which might correspond to a particular department, or research group in the real world. Members of a particular group can be allowed access to files belonging to other members of the group.
The second, third and fourth characters in the permissions string represent permissions that apply to the owner of the file. The next three characters apply to members of the owner's group. The last three apply to all other users. The file in this example therefore has rw- for the owner, r-- for the group and r-- for others.
The three characters corresponding to each class of user each represent a different type of permission. The first character represents 'read' permission. This means that a user has permission to open a file and view the contents. If there is an r in this position then that class of users has read permission. In this example all users have read permission. In this, and in every case, a horizontal bar character (-) means that permission is denied.
The second position represents 'write' permission (the right to make changes to a file). In the example, only the owner has write permission. Normally, you will not want others to be allowed to make changes to your files, so write permission is only allowed to the owner.
The third position represents 'execute permission'. This means permission to 'execute', or run, a file that works like a command. In this example no-one has execute permission for the file lookup.icn (it is an Icon program, and it would have to be compiled before it could be executed, so execute permission would be useless). To summarise the above, this is how the permissions string is divided up:
-          rw-      r--      r--
type of    owner    group    others
file
Here is another example, this time an executable file:
-rwxr-x--x 1 lnp5jb 562 Jan 10 hello
This tells us that hello is a file; the owner is lnp5jb, the owner has read, write and execute permission; the group has read and execute permission; others just have execute permission.
PRACTICE
What are the default permissions for your files and directories? Are they all the same?
When you copy a file what file permissions does the new file have?
The command chmod is used to change the permissions on a file. The format of this command is:
% chmod mode filename
For example, to add read permission for the group to the file file1, give the command:
% chmod g+r file1
In the command:
% chmod mode filename
the mode consists of three elements:
who
operator
permissions
The following options are possible:
u user (owner)
g group
o other
a all
- remove permission
+ add permission
= assign permission
r read
w write
x execute
For example:
chmod o-rw file1.f
removes read and write permissions from others.
chmod u+x test
adds execute permission to the owner.
Read, write and execute permissions are set for directories as well as files. Read permission means that the user may see the contents of a directory (e.g. use ls on that directory). Write permission means that a user may create files in the directory. Execute permission means that the user may enter the directory (i.e. make it their current directory).
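As an added example (not part of the original handout), the following shell script applies the symbolic chmod modes described above to scratch files and a scratch directory, then reads the resulting permission string back from ls -l so the effect of each mode can be seen. The starting modes and scratch names are made up; it assumes a writable temporary directory.

```shell
#!/bin/sh
# Added example, not from the original handout: exercise chmod's symbolic
# modes (who + operator + permissions) and show the resulting ls -l string.

# Print only the 10-character type+permissions field of ls -l for one path.
# cut -c1-10 drops trailing markers some systems append (e.g. '+' for ACLs).
perms_of() {
    ls -ld "$1" | cut -c1-10
}

# Create a scratch file, set a known starting mode with '=', apply the mode
# under test, and print the permissions afterwards.
# Usage: perms_after START_MODE TEST_MODE   (e.g. perms_after u=rw,g=,o= g+r)
perms_after() {
    f=$(mktemp)               # scratch file (constructed, removed below)
    chmod "$1" "$f"           # known starting point, e.g. u=rw,g=,o=
    chmod "$2" "$f"           # the mode under test, e.g. g+r
    perms_of "$f"
    rm -f "$f"
}

# Same for a directory: identical string layout, first character is 'd'.
dir_perms_after() {
    d=$(mktemp -d)            # scratch directory (constructed, removed below)
    chmod "$1" "$d"
    chmod "$2" "$d"
    perms_of "$d"
    rmdir "$d"
}

# Walk through the modes from the text, starting from the lookup.icn-style
# file (-rw-r--r--) and the hello-style file (-rwxr-x--x).
echo "g+r  on -rw-------: $(perms_after 'u=rw,g=,o='     g+r)"   # -rw-r-----
echo "o-rw on -rw-r--rw-: $(perms_after 'u=rw,g=r,o=rw'  o-rw)"  # -rw-r-----
echo "u+x  on -rw-r--r--: $(perms_after 'u=rw,g=r,o=r'   u+x)"   # -rwxr--r--
echo "a-x  on -rwxr-x--x: $(perms_after 'u=rwx,g=rx,o=x' a-x)"   # -rw-r-----
echo "g=r  on -rwxr-xr-x: $(perms_after 'u=rwx,g=rx,o=rx' g=r)"  # -rwxr--r-x
echo "o-x  on drwxr-xr-x: $(dir_perms_after 'u=rwx,g=rx,o=rx' o-x)" # drwxr-xr--
```

Note that '=' replaces the whole set for that class (g=r removes the group's x), whereas '+' and '-' only add or take away the letters given.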
1. Try to move to the home directory of someone else in your group. There are several ways to do this, and you may find that you are not permitted to enter certain directories. See what files they have, and what the file permissions are. (Remember that you can protect your own files from prying eyes, or from interference.)
2. Try to copy a file from another user's directory to your own.
3. Set permissions on all of your files and directories to those that you want. You may want to give read permission on some of your files and directories to members of your group.