
Linux Permissions Process: System Names and Access Permissions

Instead of referring to your Linux system as "it"
or "that thing," you can give it a name that it
recognizes to some extent. This name is
especially important when you deal with e-mail
or networks where others must have some
method of identifying your machine from all the
others on the network. This chapter starts by
looking at how to give your machine a name
and what rules you must follow to ensure other
machines can work with your newly named
machine.
The rest of this chapter looks at access
permissions, a confusing subject for many
system administrators. The permission block is
often completely misunderstood, and the
permissions attached to files and directories are
often set incorrectly, preventing access to users
who need it or worse, allowing wide-open
access to sensitive information. After explaining
how permissions work, this chapter explains
how to change and set permissions and
ownerships.
Setting a System Name
Because Linux is designed with networking in
mind, it enables you to identify each machine
with a unique name. You can name your system
anything you want. In some cases, the setup or
installation script that installed Linux for you
may have asked you for a system name. You
can keep the name you entered then or enter a
new one.
The name that identifies your Linux system is
called a hostname. This name, as mentioned,
facilitates networking and associated services
like e-mail. It also lets you give your system a
bit of a personality. You can display the current
Linux system hostname with the hostname
command:
$ hostname
artemis
This code shows that the system's hostname is
artemis. If you have no system hostname
defined, Linux defaults to either no name or a
system default name. The name information is
read from the Linux system startup files.
If your system isn't networked, you can call
your system anything you like, but remember
that you have to live with it! To set your system
name, run the hostname command with the -S
option as shown in this example:
hostname -S superduck
This sample code sets your system hostname to
superduck. This name is tagged onto all your e-mail and some system utilities when generating
output. Some versions of Linux limit the
hostname to a number of characters (usually 14
characters), but try any name you want. If Linux
doesn't allow it, you should get an error
message or see a truncated version of the
name.
Creating Network System Names
If you are running on a network, the hostname
is important. On a network, each machine must
have a unique name, or the network can't
identify which of the duplicate names the
network information is for. If you are creating a
local area network that is not connected to the
Internet or has no formal network name, you
can pick any network name you want. Your
machine name and network name combined
form the full machine name. For example, the
command
hostname -S superduck.quackers
is composed of a machine name of superduck
and a network name of quackers. As long as all
the other machines on the network have the
same network name, your machines can
communicate properly. Your machine is uniquely
identified by the combination of machine and
network name.
If your system can access the Internet, your
network probably has been assigned a network
name by the Internet Network Information
Center (NIC), which assigns network names,
called domains, in accordance with strict
naming conventions. Each domain has a unique
name portion and an extension that identifies
the type of organization to which the network
belongs. For example, the company Quacks-R-Us may have a domain name quacks.com. The
seven different extensions in use are as follows:
.arpa A governmental network identifier
.com Commercial company
.edu Educational institution
.gov Governmental body
.mil Military
.net An Internet-administered (usually) network
.org Anything that isn't in one of the other
categories
These identifiers are usually used only for
networks based in the U.S. Other countries
have unique identifiers based on the country's
name. For example, if Quacks-R-Us were based
in the United Kingdom, the domain name could
be quacks.uk. Each country has a two-letter
designation that identifies it to the Internet.
(Some companies have a U.S.-style extension
even though they are outside U.S. borders.
These companies usually have been registered
by a U.S. company or have been on the Internet
a long time.)
The combination of domain name and
extension, as assigned by the NIC, is unique to
each network. When combined with a hostname
on the network, the result is a unique name for
your machine. For example, if your local
network has the domain name of quack.com
and you want to name your machine
superduck, you set the name of your machine
with this command, which combines the
machine and network names:
hostname -S superduck.quack.com
The chapters in Part IV, "Networking," discuss
machine names and network names in more
detail. You may also want to check with a good
TCP/IP book for more information. The author's
Teach Yourself TCP/IP in 14 Days from Sams is a
good place to start.
Storing the Hostname
Linux stores the hostname in the file /etc/hosts.
If you have just installed Linux and haven't
configured a machine name, the /etc/hosts file
contains a bunch of comment lines and one line
of code:
127.0.0.1 localhost
Some Linux versions store the hostname in
the /etc/rc or /etc/rc.local files or in the directory
/etc/rc.d, although this convention is absent
from most versions of Linux.
The /etc/hosts file consists of two columns, one
for the IP address and the second for machine
names. The four numbers (written in a format
called dotted-quad as there are four groups of
numbers with periods between them) are the IP
address. IP stands for Internet Protocol and is
an essential component of the TCP/IP network
protocols used on the Internet and most local
area networks involving UNIX. The IP address
for machines connected to the Internet is
assigned by the Network Information Center,
just as the domain name is. (The IP address and
domain name also are mapped to each other so
the network can use numbers instead of names,
a much more efficient system.) If you are not
connected to the Internet, your IP address can
be anything as long as each set of numbers is
in the range 0 to 255.
The IP address is composed of the network
identifier and the machine identifier. The four
parts of the IP address are split over these two
identifiers in special ways. If you are connecting
to an existing TCP/IP network, your network
administrator will give you the IP address you
should use. The IP address 127.0.0.1 is a
special address known as the loopback address.
This address lets TCP/IP on your machine form a
connection to itself. Every machine has a
loopback driver, which is identified by the entry
127.0.0.1 in the /etc/hosts file and the name
localhost.
If you have identified your machine by a
hostname already, that name is in the
/etc/hosts file. For example, the stand-alone
machine called superduck from earlier in this
section is given on the same line as the
localhost entry:
127.0.0.1 superduck localhost
This line tells the system that the localhost is
called superduck and to use that name as the
system identifier.
This naming process gets a little more
complicated when you are on a network, as
each machine on the network has an IP address
that is unique. If your network is not connected
to the Internet, you can make up any IP address
for your network. If you are on the Internet,
your network IP address is assigned, and the
network administrator can give you your
machine's IP address or you can choose an
unused address.
Suppose you are connecting to the Internet and
your IP address is 47.123.23.37 and your
domain name is quacks.com. Your /etc/hosts file
looks like the following:
127.0.0.1 localhost
47.123.23.37 superduck.quacks.com
The name superduck may appear on the
localhost line as well, although it doesn't have
to. The /etc/hosts file may have other lines
when you are connected to a large network that
you move around in frequently. At least these
two lines should appear when you are
connected to a network, though.
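As an added example (not part of the chapter, and not a tool shipped with any Linux distribution), the following shell functions check the two things this section relies on: that a name is a legal hostname (the RFC 1123 rules: labels of letters, digits and hyphens, no label starting or ending with a hyphen, at most 63 characters per label and 253 overall, which are stricter than the 14-character limit some versions enforce), and that an /etc/hosts file gives each network name a single address. The /etc/hosts contents are constructed for the example and passed in as text, so nothing touches the real file.

```sh
#!/bin/sh
# Added example (not from the chapter): checks on host names and on an
# /etc/hosts-style file. Both file contents below are constructed for the
# example; the functions take the file text as an argument rather than
# reading the real /etc/hosts.

SAMPLE_HOSTS='# constructed sample /etc/hosts
127.0.0.1     localhost superduck
47.123.23.37  superduck.quacks.com superduck
47.123.23.38  mallard.quacks.com'

# Constructed sample with a real problem: two machines claim mallard.quacks.com.
BAD_HOSTS='127.0.0.1     localhost
47.123.23.38  mallard.quacks.com
47.123.23.39  mallard.quacks.com   # copied from another machine by mistake'

# valid_hostname NAME: succeeds if NAME follows the RFC 1123 host-name rules:
# labels of letters, digits and hyphens, 1-63 characters each, no label
# starting or ending with a hyphen, whole name at most 253 characters.
valid_hostname() {
  name=$1
  [ ${#name} -ge 1 ] && [ ${#name} -le 253 ] || return 1
  case $name in *[!A-Za-z0-9.-]*) return 1 ;; esac
  old_ifs=$IFS
  IFS=.
  set -- $name                 # split into labels (no glob characters survive the check above)
  IFS=$old_ifs
  for label in "$@"; do
    [ ${#label} -ge 1 ] && [ ${#label} -le 63 ] || return 1
    case $label in -*|*-) return 1 ;; esac
  done
  return 0
}

# host_part FQDN, domain_part FQDN: the machine name and the network name
# that a full name such as "superduck.quackers" is composed of.
host_part()   { printf '%s\n' "${1%%.*}"; }
domain_part() { case $1 in *.*) printf '%s\n' "${1#*.}" ;; *) printf '\n' ;; esac; }

# hosts_lookup FILETEXT NAME: prints the address of the first line whose
# name list contains NAME (first match wins); fails if NAME is not listed.
hosts_lookup() {
  printf '%s\n' "$1" | awk -v want="$2" '
    /^[ \t]*(#|$)/ { next }                  # blank lines and whole-line comments
    { sub(/#.*/, "")                         # trailing comment
      for (i = 2; i <= NF; i++)
        if ($i == want) { print $1; found = 1; exit } }
    END { exit found ? 0 : 1 }'
}

# hosts_duplicates FILETEXT: prints, one per line, every name listed under
# two or more different non-loopback addresses. Aliases on the 127.0.0.1
# line are ignored because the chapter allows the hostname there as well.
hosts_duplicates() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*(#|$)/ { next }
    $1 ~ /^127\./ { next }
    { sub(/#.*/, "")
      for (i = 2; i <= NF; i++) {
        if (($i in seen) && seen[$i] != $1) dup[$i] = 1
        seen[$i] = $1 } }
    END { for (n in dup) print n }' | sort
}

# Demonstration on the constructed samples.
valid_hostname superduck.quacks.com && echo "superduck.quacks.com: valid name"
valid_hostname super_duck || echo "super_duck: not a valid name (underscore)"
echo "machine: $(host_part superduck.quackers), network: $(domain_part superduck.quackers)"
echo "superduck.quacks.com -> $(hosts_lookup "$SAMPLE_HOSTS" superduck.quacks.com)"
echo "duplicates in the bad file: $(hosts_duplicates "$BAD_HOSTS")"
```

The duplicate check matters more than it looks: when two machines on one network claim the same name, the rest of the network cannot tell which one a message is meant for, which is exactly the failure the section warns about.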
Using File and Directory Permissions
Linux handles access to all files and directories
on the filesystem through the permission block.
The permission block is part of the i-node
table's entries for each file and directory. You
can display the permission block for a file or
directory by doing a long directory listing.
The first column of the long directory listing is
the permission block. It is always composed of
10 characters. Each file and directory,
regardless of its type, on a Linux system has a
permission block associated with it. The
permission block is made up of two different
types of information. The first character is a file
type indicator, and the next nine characters are
the access permissions themselves. The
following sections look at these two types of
information in a little more detail.
Understanding File Types
Linux uses the first character in the permission
block to indicate the type of entry the i-node
table contains. Because Linux doesn't
differentiate between files and directories in the
i-node table, this character is the only way for
the operating system to know whether the
entry refers to a regular file or a directory.
Directories are not physical entities on a Linux
system; they are instead an organizational
scheme used to make the user's life easier. The
i-node table entries for a file and directory look
very similar.
Linux supports a number of valid file types,
each of which has a single character value that
is used in the first character of the permission
block. The most common file type characters
that Linux uses are the following:
- ordinary file
b block mode device
c character mode device
d directory
l link
Some versions of Linux and UNIX support other
file types (such as s for special), but these types
are seldom encountered and are of no real
interest as far as permissions are concerned.
Most files on the Linux system are ordinary
files. An ordinary file can be data, an
application, a text file, or any file that contains
information (whether directly readable by the
user or not). The ordinary files are indicated by
a hyphen in the file type block. Any file users
create is an ordinary file.
Chapter 6, "Devices and Device Drivers," looked
at the difference between block and character
mode devices, which are indicated by a b or c
file type. These files are composed of
instructions that let Linux talk to peripherals.
Most device file types are stored in the
directory /dev by convention, although they can
exist anywhere in the filesystem. When Linux
encounters a file with either of these two file
types, it knows how to read the file for input
and output control.
The directory file type indicates that the entry
in the i-node table refers to a directory and not
a file. All directories on the system are really
empty files as far as Linux is concerned, but
they can be logically assembled into the usual
directory structure based on the i-node table
entries.
Links are sometimes identified in the file type
character as an l, although not all operating
system versions support this character. If your
version of Linux doesn't use the l file type to
indicate a link, you will have to rely on the
second column of output from a long directory
listing that shows the number of links the entry
has.
Understanding Access Permissions
All UNIX systems (including Linux) control
access to files and directories using permissions
that are read from the permission block. Access
to a file or directory can be one of three
possible values. These values are given by a
single character as shown in the following list:
r read
w write
x execute
If you have read access to a file, you can
display the contents of the file (using any utility
like cat or more) or read the file into an
application (such as a word processor or a
database). If you have write permission to a file,
you can modify the contents and save the
changes over the old file. If you have execute
permission, you can execute the file, assuming
it is a binary file or shell script. If the file is ASCII
and you execute it, nothing much will happen
except a few error messages.

These three permission values are combined
into a three-character block in the order given
above (in other words, rwx for read, write, and
execute). If a permission is not accessible, a
hyphen is used in that permission's place to
show that it is absent. In other words, the
permission block r-x indicates that the file has
read and execute permission, but not write
permission. Similarly, the permission block ---
indicates that the file has no access
permissions and cannot be read, written to, or
executed.
These permissions are used for directories, too,
although their meanings are slightly different.
Read permission for a directory means you can
display the contents of the directory listing
(using ls, for example). Write permission for a
directory means you can add files to the
directory. Execute permission means you can
change into that directory (using cd). The
permission block r-x on a directory, for example,
means you can display the directory's contents
and change into that directory, but you can't
add a new file to the directory.
These three permissions are set for each of
three different levels of access. There is a
permission block for the owner of the file (called
the user), another for anyone in the owner's
group (called the group), and another for
everyone else on the system (called other or
world). The three-character blocks for read-write-execute permission are combined for the
three groups (user, group, and other) to
produce the nine-character permission block
you see in the long directory listing.
Once you get used to thinking in terms of user,
group, and other, you can easily read the file
permissions blocks. For example, the file
permission block
rw-r--r--
means that the user (owner of the file) has read
and write permission, the group (second block
of three characters) has read permission only,
and everyone else on the system (other) has
only read permission also. In the following
example, the permission block
rwxr-xr--
means that the owner can read, write, and
execute the file. Anyone in the same group as
the owner can read and execute the file. Finally,
anyone else on the system can read the file but
can't make changes or execute it.
The same approach applies for directories. For
example, if a directory has the following
permission block
rwxr-xr-x
the owner of the directory can change into the
directory, add files, and display the contents of
the directory. Everyone else on the system (in
the owner's group and everyone else) can
display the contents of the directory (with an ls
command, for example) and change into the
directory (using cd), but they can't add files to
the directory.
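The following shell functions, added here as an example and not taken from the chapter, translate a permission block such as rw-r--r-- into its three classes and into the number that chmod's absolute mode (covered later in this chapter) uses, and back again. Any character other than a hyphen is treated as a granted permission; the setuid, setgid and sticky variants that some listings show are not handled because the chapter does not cover them.

```sh
#!/bin/sh
# Added example (not from the chapter): reading and writing the
# nine-character permission block in the shell.

# perm_to_octal BLOCK: "rw-r--r--" or "-rw-r--r--" (with the file-type
# character in front) -> "644", the number chmod's absolute mode uses.
perm_to_octal() {
  block=$1
  [ ${#block} -eq 10 ] && block=${block#?}     # drop the file-type character
  [ ${#block} -eq 9 ] || return 1
  out=''
  while [ -n "$block" ]; do                    # one three-character class at a time
    digit=0
    for weight in 4 2 1; do                    # read, write, execute
      ch=${block%"${block#?}"}                 # first remaining character
      block=${block#?}
      [ "$ch" != - ] && digit=$((digit + weight))
    done
    out="$out$digit"
  done
  printf '%s\n' "$out"
}

# octal_to_perm NUMBER: "644" (or "0644") -> "rw-r--r--".
octal_to_perm() {
  n=$1
  [ ${#n} -eq 4 ] && n=${n#?}                  # ignore a leading zero
  [ ${#n} -eq 3 ] || return 1
  out=''
  while [ -n "$n" ]; do
    d=${n%"${n#?}"}
    n=${n#?}
    case $d in [0-7]) ;; *) return 1 ;; esac
    [ $((d & 4)) -ne 0 ] && out="${out}r" || out="${out}-"
    [ $((d & 2)) -ne 0 ] && out="${out}w" || out="${out}-"
    [ $((d & 1)) -ne 0 ] && out="${out}x" || out="${out}-"
  done
  printf '%s\n' "$out"
}

# describe_perms BLOCK: one line per class, e.g. "group: read execute".
describe_perms() {
  block=$1
  [ ${#block} -eq 10 ] && block=${block#?}
  [ ${#block} -eq 9 ] || return 1
  for who in user group other; do
    words=''
    for name in read write execute; do
      ch=${block%"${block#?}"}
      block=${block#?}
      [ "$ch" != - ] && words="${words:+$words }$name"
    done
    printf '%s: %s\n' "$who" "${words:-none}"
  done
}

# file_type BLOCK: meaning of the first character of a ten-character block,
# using the file types the chapter lists.
file_type() {
  case $1 in
    -*) echo "ordinary file" ;;
    b*) echo "block mode device" ;;
    c*) echo "character mode device" ;;
    d*) echo "directory" ;;
    l*) echo "link" ;;
    *)  echo "other" ;;
  esac
}

# Demonstration on blocks the chapter discusses.
for block in -rw-r--r-- drwxr-xr-x -rwxr-xr--; do
  echo "$block -> $(perm_to_octal "$block") ($(file_type "$block"))"
  describe_perms "$block"
done
echo "644 -> $(octal_to_perm 644)"
```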

Using Default Permissions
When you save a file or create a new directory,
it is assigned a default set of permissions.
These permissions are set for each user
according to their file creation mask, called the
umask (user's permission mask) by UNIX. Every
user on the system has a umask setting, either
one that's set for them in their startup files
(.profile, .cshrc, and so on) or the system's
default umask setting.
You can display the current value of your umask
setting by entering the umask command at any
shell prompt:
$ umask
022
The three-number block returned by the umask
command is the current umask setting. (Some
systems return a four-number block, the first
number of which is always zero. In this case,
only the last three numbers are of any
importance for the umask.) The three numbers
are octal representations of the read-write-execute permissions you see in a file's
permission block. The numbers have the
following meaning:
0 read and write (and execute for directories)
1 read and write (not execute for directories)
2 read (and execute for directories)
3 read
4 write (and execute for directories)
5 write
6 execute
7 no permissions
Using this list, you can see that the umask
setting of 022 means that the user has read
and write permission for his own files (0), the
group has read permission (the first 2), and
everyone else on the system has read
permission (the second 2). Whenever a user
creates a file with this umask setting, the
permission block will look like the following:
rw-r--r--
As mentioned earlier, Linux uses a system
default umask setting when a user logs in
unless the user's setting is explicitly changed,
either on the command line or in one of the
startup files. If you want to change the umask
value, use the umask command with the three-digit permission setting you want. For example,
the command
umask 077
sets the permissions to give the owner read and
write permission and to withhold permissions
from everyone else on the system. This umask
value can be very useful for restricting access
to files.
If you want to temporarily change your umask
setting, enter the umask command and the new
setting at the shell prompt. The new values will
be in effect until you change them again. If you
want to permanently change your umask
setting, add a line like the preceding one to
your shell's startup file (.profile, .cshrc, and so
on).
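Added example, not from the chapter: the arithmetic behind the umask table above, worked out in shell. A new file starts from read and write for everyone (666 in chmod's absolute numbering, which the chapter introduces later) and a new directory from 777, and each umask digit removes bits from the corresponding class. The umask_warn function is the check a practitioner would want: it flags a mask that leaves new files writable by the group or by everyone else, the wide-open situation the chapter opens by warning about.

```sh
#!/bin/sh
# Added example (not from the chapter): what a umask does to new files and
# directories. The numbers printed are chmod absolute-mode numbers, which
# (as the chapter notes) are a different scheme from the umask digits.

# umask_digit D: the permissions left by a single umask digit, in the words
# the chapter's table uses.
umask_digit() {
  d=$1
  case $d in [0-7]) ;; *) return 1 ;; esac
  words=''
  [ $((4 & ~d)) -ne 0 ] && words=read
  [ $((2 & ~d)) -ne 0 ] && words="${words:+$words and }write"
  [ $((1 & ~d)) -ne 0 ] && words="${words:+$words }(execute for directories)"
  printf '%s\n' "${words:-no permissions}"
}

# umask_result MASK: prints "FILE DIR", the modes a new file and a new
# directory receive under MASK (three or four digits).
umask_result() {
  m=$1
  [ ${#m} -eq 4 ] && m=${m#?}                  # ignore the leading zero
  [ ${#m} -eq 3 ] || return 1
  file=''
  dir=''
  while [ -n "$m" ]; do
    d=${m%"${m#?}"}
    m=${m#?}
    case $d in [0-7]) ;; *) return 1 ;; esac
    file="$file$((6 & ~d))"                    # files are never created executable
    dir="$dir$((7 & ~d))"
  done
  printf '%s %s\n' "$file" "$dir"
}

# umask_warn MASK: returns 0 and prints a warning if MASK leaves new files
# writable by the group or by everyone else; returns 1 if the mask is
# fine and 2 if it is not a valid mask.
umask_warn() {
  mask=$1
  result=$(umask_result "$mask") || return 2
  file=${result%% *}
  g=${file#?}; g=${g%?}
  o=${file#??}
  warn=''
  [ $((g & 2)) -ne 0 ] && warn="group-writable"
  [ $((o & 2)) -ne 0 ] && warn="${warn:+$warn and }world-writable"
  [ -n "$warn" ] || return 1
  printf 'umask %s leaves new files %s\n' "$mask" "$warn"
}

# Demonstration with the masks the chapter uses.
for mask in 022 077 002 000; do
  set -- $(umask_result "$mask")
  echo "umask $mask: new files get $1, new directories get $2"
  umask_warn "$mask" || echo "umask $mask: new files are not group- or world-writable"
done
echo "digit 2 means: $(umask_digit 2)"
```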
Changing Permissions
You may want to change the permissions
attached to a file or directory. You change
permissions with the chmod command, which
can operate in either symbolic or absolute
mode. Symbolic mode is the easiest mode to
learn and use, but absolute mode offers better
control.
Using chmod in symbolic mode requires that
you follow a strict syntax. Once you understand
that syntax, the command is easy to use.
Symbolic mode lets you instantly understand
the changes that you are making to
permissions. The general syntax of the chmod
in symbolic mode is
chmod who-change-perms files
where who indicates who you want the changes
to apply to. Valid values are u for user, g for
group, and o for other, in any combination and
order. The change indicates whether you want
to take away permissions (-), add them (+), or
explicitly set them (=). You can use only one
symbol in each chmod command. The perms
indicate whether you want to change read (r),
write (w), or execute (x) permission. These
three components (who, change, and perms) of
the command are run together without a space.
A few examples may help make this concept a
little clearer. The command
chmod u+rwx bigfile
alters the permissions on bigfile to add read,
write, and execute for the user. If any of these
three permissions already existed on bigfile,
they are left alone, but they are added if they
didn't exist before the command. The
permissions for the group and other users are
not affected, as this command deals specifically
with the user's permissions. On the other hand,
the command
chmod go-x bigfile
takes away execute permission for the group
and other, without changing the group's and
other's read or write permissions (they stay the
way they were) or the user's permissions (as a
u was not included in the command). You can
use wildcards in the chmod command, as well,
so the command
chmod uo+w chapter*
adds write permission for the user and other for
any file starting with chapter.
If you don't specify whether the command
applies to user, group, or other, all three are
affected, so the command
chmod +rwx
changes the permissions for user, group, and
other to read, write, and execute.

You also can use the symbolic mode of chmod
to set permissions explicitly. As you have seen,
if you do not specify a parameter on the
command line, it is not changed. In other words,
if you issue the command
chmod u+r bigfile
only the read permission for the user is
changed, and the write and execute
permissions are left as they were.
You can do the same sort of command to set
permissions for directories, remembering what
they mean in the context of changing into,
adding to, and listing directories. For example,
the command
chmod go+rx mydir
allows users in group and other to list mydir's
contents and change into mydir, but they
cannot add files to this directory.
Sometimes you want to explicitly set the
permissions to some value, for which you can
use the equal sign. For example, the command
chmod u=rx bigfile
turns on read and execute permission for the
user, but turns off write permission (whether it
was on or off before the command, it will be off
after). However, the group and other permission
blocks are left unaffected. If you want to make
changes to all three blocks (user, group, and
other) at the same time, you must use chmod's
absolute mode.
The chmod command's absolute mode uses
numbers to specify permissions. There are three
numbers, one for the user, one for the group,
and one for the other permissions. All three
must be specified on the command line. Each
number is the sum of values that represent
read, write, and execute permissions. The
following list shows the values:
000 no permissions
001 other, execute
002 other, write
004 other, read
010 group, execute
020 group, write
040 group, read
100 user, execute
200 user, write
400 user, read
You can see that the numbers are in three
columns. From left to right, they represent user,
group, and other permissions. To use these
numbers, add together the values of one
(execute), two (write), and four (read) to form
the combination you need. For example, if you
want to set read and execute permissions, the
number you specify is five. Setting all the
permissions gives you seven, and a value of
zero signifies no permissions. You then use
these numbers on the chmod command line.
For example, the command
chmod 644 bigfile
sets user permissions to read and write (six),
group permissions to read (four), and other
permissions to read (four). Permissions that
aren't set are replaced with blanks, resulting in
following file permission block:
rw-r--r--
You may recognize this block as the default
permission block for users with a umask of 022.
This example points out the fact that the umask
and chmod absolute numbering schemes are
not the same.
Absolute mode is useful for setting the entire
permission block in one shot. Although the
addition process may seem awkward at first, it
becomes quite easy after a while. A couple of
settings are used frequently. The 644 setting
shown previously produces the usual
permissions for files, and the command
chmod 755 mydir
sets mydir to allow only the owner to add files
and let everyone list the contents and change
into the directory. You can use wildcards with
this mode of chmod to make blanket changes.
Which mode of chmod you use at any time
depends on the type of permission change you
want to make. If you just want to change a
single permission (such as adding execute
permission for yourself or read-write permission
for the group), the symbolic format is easy. For
setting complete permission block details, the
absolute mode is fastest.
Changing the Owner and Group
Every file and directory on a Linux system has
an owner and a group, both of which can be
seen in the long directory listing. The owner of
the file is usually the username of the person
who created the file, and the group of the file is
the group the person was in when the file was
created. You may want to change the owner
and group when sharing files or moving them to
another user. To do this, use the chown and
chgrp commands.
To change the owner of a file or directory, use
the chown command with the name of the new
owner. For example, the command
chown bill datafile
changes the owner of datafile to bill. When the
command is issued, it checks to make sure that
the specified owner is valid (by searching
/etc/passwd) and that you own the file. Only the
file owner or the superuser can change file
ownerships. You can use wildcards to change
many files or directories at once. For example,
the command
chown yvonne chapter*
changes the owner of all files starting with
chapter to yvonne.

To change the group owner of a file or directory,
use the chgrp command (not to be confused
with newgrp, which changes your current
group). For example, the command
chgrp accounts bigfile
changes the group to accounts. Again, Linux
checks that the group name exists in /etc/group
and that the person changing the group is in
the group that currently owns the file. As with
chown, you can use wildcards to change many
files and directories at once.
If you know the UID or GID of the user or group,
you can use it on the command line instead of
the name. Linux searches the /etc/passwd
and /etc/group files to make sure the UID or GID
is valid, and you must have permission to
change the owner for this procedure to work.
Use caution when changing ownerships. It's
easy to change an owner or a group, and then
realize you have locked yourself out of the file!
Summary
This chapter explained how to give your system
a name and assign access permissions. Naming
a system is very important when you are
connected to a network, but it is more of a
personality issue when you are running a stand-alone system. Still, it is nice to refer to your
machine as more than thing or the default
darkstar name.
File permissions are one of the most
misunderstood and misused concepts of UNIX,
yet they are surprisingly easy to manage. Using
the commands explained in this chapter should
make it easy for you to alter file permissions
and ownership to suit your needs.
