December 12th, 2001, 10:21 PM
*nix Commands: 102 - Part 2: Tha Perms
*nix Commands: Tha' Perms
Ok. For this section we are going to cover an introduction to files and navigation. As a reminder who think I should add something more, please send it to me as a PM. There are many tutorials envisioned for the *nix commands and everything shall be done step-by-step rather than to throw everything out at once.
Let's begin with the concept of permissions. As many of you know and realize *nix is an excellent server based OS and was developed as such right from the beginning. As such, users had to be kept from getting into each other's files and stuff. File names and directory names can be up to 256 characters in length. Any combination of numbers and letters are allowed but it is recommended not to use special characters as they have meaning to the OS. Some special characters like . are used to hide files or identify system files. These can be seen through the usage of ls -a. If you think someone has been into your *nix box, always check for these kinds of hidden files or directories.
I created a dumdumfile for this section. (Editor's Note:you'll see me reference these a lot. I might actually post some labs for the tutorials, perhaps here or on my website when I update it this month (yes, I will update it!)). The example I will use is from my RH box:
-rw-rw-r-- 1 mittens mittens 0 Dec 13 10:46 dumdumfile
This is further divided down into the following areas:
- = column 0 represents whether this is a file, directory or link; - means file, d means directory, l means link
rw-rw-r-- = is divided into 3 sections: columns 1-3 (rw-) represents permissions for owner/user, columns 4-6 (rw-) represents permissions for group and columns 7-9 represents permissions for everyone else or other.
1 = number of absolute links to the location. Files have 1 while directories have at least 2, one for the directory and one for it's parent directory
mittens = name of the owner/user of the file/directory
mittens = name of the group that has permission to the file
0 = size of the file/directory in bytes
Dec 13 10:46 = date of creation/modification/access
dumdumfile = name of file or directory
Now what is important to us is really the permissions for owner, group and others (everyone else). You'll notice that they are in groups of three. Permissions are assigned by a combination of r (read), w (write) and x (execute). To assign or alter permissions you would use:
chmod permissions <file/directory name>: prounounced as ch-mod and basically, to my understanding, means change mode. The permissions can either be added in the octal (numeric) method or the character (alphabetical) method. Now, the combination of permissions has an affect as to how one can use the file or directory.
r only = allows you to read the files contents
rw = allows you to read and modify the files contents
rx = allows you to read and execute (assuming its a program or a script)
r only = allows you to see what is in the directory (files and subdirectories) using ls
rx = allows you to get a long listing (ls -l) of the directory as well as navigate into it
wx = allows you to create and delete directory contents
x = allows you to move into a directory
Remember that directory permissions affect the contents of the directory while file permissions affect the contents of the file. You'll notice that both are very similar in their concept. That is because *nix views everything that is on it -- you as a user, the files, the directories, the components, etc. -- as a series of files. Everything to *nix kernel and OS is a file.
Now that said, if I wanted to change the permissions of my dumdumfile to ensure that no one but me has access I can use either method:
chmod u+rwx,go-rwx dumdumfile
This would result as such:
-rwx------ 1 mittens mittens 0 Dec 13 10:46 dumdumfile
This would be the character method. The character method identifies the various permissions by their starting letter -- r, w and/or x -- and the users/groups by the starting letter: u = user/owner, g = users group, o = others/everyone else. By simply adding a permission or subtracting a permission you can alter the permissions. You need not add or subtract them all at once. I may decide that others should be allowed to read the file:
chmod o+r dumdumfile
results in perms as:
-rw----r-- 1 mittens mittens 0 Dec 13 10:46 dumdumfile
Simple. Easy enough. But what about octal method? Well, much like any computer system, *nix likes it's binary. You can find my tutorial on Binary here: http://www.antionline.com/showthread...hreadid=124423 . Remember that there are only 3 permissions. Which results in the following:
rwx **decimal **perm
So if I wanted to alter my permissions on my dumdumfile (say its a script and I want my group and others to be able to use it but not modify it) I would then try:
chmod 755 dumdumfile
results in perms as:
-rwxrw-rw- 1 mittens mittens 0 Dec 13 10:46 dumdumfile
Now, with the octal method this is an all or nothing. You cannot assign individual permissions but have to assign all the permissions needed. Sort of an all or nothing kind of deal. Play with some dumdum files and directories experimenting with the permissions to see more as to how they work. Ah but we need to know how to create those dumdum files and directories now, don't we?
Well for that we have two commands we can use:
touch <filename>: Touch creates an empty file.
file <filename/directory name>: tells you what kind of "file" something is. i.e., is it an ascii file, executable, script, directory, etc.
I had to edit this after reading some of the comments thus far. It had occurred to me to put this in but when a tutorial gets long I sometimes forget. By default, when a file is first created or a directory created they each have permissions of 666 and 777 respectively. Files do not have execute enabled by default because not all files will be scripts or programs. Directories, however, do need to be navigated into.
Now, if I wanted to ensure a secure system where users weren't getting into each other's stuff, I'd have to go and manually change everything, right? Well, nope.
umask value: refers to user mask. And basically removes the permissions you do not want to apply. The most common permission that we don't want to have is write of course, especially for our group and everyone else. So if I want to make sure that when I create files that permission is removed I would type umask 022. This will remove only the write permission every time I create a file or directory. Note that this applies only to new files. Existing files permissions will not be changed. (Note: there is no DOS command to match this one)
mkdir -p <directory(ies)>: to create a single directory use, mkdir directory name. To create a directory with subdirectories use the option -p. As an example I could create mkdir -p dir1/dir2/dir3 dir4. (note the space in between dir3 and dir4) This would result in two directories being created in my present location and dir1 would have a subdirectory of dir2 with a subdirectory of dir3.
I'm going to finish this off with the navigation command, cd. Much like it's DOS child, cd allows you to "change directory". Typing cd by itself results in being taken back to the home directory of the user you are logged in as. You can cd to the parent directory by typing cd ... Note the spaces. Unlike DOS, *nix is not forgiving with this command if you forget the spaces.
*nix CommandDOS Command
chmodattrib (this is the closest that exists)
mkdirno true equivilant other than multiple mds
touchno equivilant in DOS; in Windows you can create empty files by right-clicking on the desktop
ls -adir /ah
My next tutorial will probably cover commands that allow us to copy files, remove files and move/rename files. In addition, I will cover the differences between absolute addressing and relative addressing in*nix. As you may have noticed, their ain't no drive letters! Eeep!
December 12th, 2001, 10:29 PM
Good tutorial, It certainly refreshed my memory!
I usually do file permissions and file manipulation from inside X, well, KDE really, so it's just a case of clicking a box, but thanks for refreshing my memory on the command-line way of doing things, its always useful if the machine refuses to boot up for some reason!
December 12th, 2001, 10:55 PM
Some remark while playing with CHMOD:
Beware 666 and 777. Biblical implications aside, either of these settings will allow everyone to read and write to a file or directory. Such settings as these could allow tampering with sensitive files, so in general, it's not a good idea to allow these settings. (See: RedHat Linux 6.1 Reference Guide )
(Just some remark cause you were speaking about Dumdum files.)
December 12th, 2001, 11:20 PM
yes victorkaum thats right...better yet look out for the deadly umask command (esp 666) as it sets your default permissions for file viewing
December 12th, 2001, 11:32 PM
Indeed: didn't thought about that one
December 13th, 2001, 03:07 AM
I suggested Ms Mittens mention this for the Linux users. She asked me to say something about it, so I just copied the man file that came with my Mandrake distro. This way I won't forget an important option. This only works on Linux (so far as I know) because it sets bits specific to the ext2 or ext3 file system. This is great for modifying files that you don't want deleted on accident (by intruders) or overwritten with bogus information. An example would be system log files. (as well as system commands) Two important options are:
+a for append only mode and
+i for immutable (can't be deleted or modified)
chattr - change file attributes on a Linux second extended
chattr [ -RV ] [ -v version ] [ mode ] files...
chattr changes the file attributes on a Linux second
extended file system.
The format of a symbolic mode is +-=[ASacdisu].
The operator `+' causes the selected attributes to be
added to the existing attributes of the files; `-' causes
them to be removed; and `=' causes them to be the only
attributes that the files have.
The letters `ASacdijsu' select the new attributes for the
files: don't update atime (A), synchronous updates (S),
append only (a), compressed (c), no dump (d), immutable
(i), data journalling (j), secure deletion (s), and
-R Recursively change attributes of directories and
their contents. Symbolic links encountered during
recursive directory traversals are ignored.
-V Be verbose with chattr's output and print the pro*
Set the file's version/generation number.
When a file with the 'A' attribute set is modified, its
atime record is not modified. This avoids a certain
amount of disk I/O for laptop systems.
A file with the `a' attribute set can only be open in
append mode for writing. Only the superuser can set or
clear this attribute.
A file with the `c' attribute set is automatically com*
pressed on the disk by the kernel. A read from this file
returns uncompressed data. A write to this file compresses
data before storing them on the disk.
A file with the `d' attribute set is not candidate for
backup when the dump(8) program is run.
A file with the `i' attribute cannot be modified: it can*
not be deleted or renamed, no link can be created to this
file and no data can be written to the file. Only the
superuser can set or clear this attribute.
A file with the `j' attribute has all of its data written
to the ext3 journal before being written to the file
itself, if the filesystem is mounted with the
"data=ordered" or "data=writeback" options. When the
filesystem is mounted with the "data=journalled" option
all file data is already journalled and this attribute has
When a file with the `s' attribute set is deleted, its
blocks are zeroed and written back to the disk.
When a file with the `S' attribute set is modified, the
changes are written synchronously on the disk; this is
equivalent to the `sync' mount option applied to a subset
of the files.
When a file with the `u' attribute set is deleted, its
contents are saved. This allows the user to ask for its
chattr was written by Remy Card <Remy.Card@linux.org>.
BUGS AND LIMITATIONS
As of Linux 2.2, the `c', 's', and `u' attribute are not
honored by the kernel filesystem code. These attributes
will be implemented in a future ext2 fs version.
The `j' option is only useful if the filesystem is mounted
chattr is part of the e2fsprogs package and is available
Warfare is the Way of deception.
-Sun Tzu \"The Art of War\"
December 13th, 2001, 04:28 AM
Not entirely true. You can achieve the same thing in DOS by using:
touch***************************no equivilant in DOS; in Windows you can create empty files by right-clicking on the desktop
echo "" > filename.
Also, it might be worth mentioning that chmod +s filename will force a script to execute as its owner. This is useful for creating scripts for applications that don't need root permissions, but will be run by the init process as root.
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
\"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?\" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
December 13th, 2001, 04:36 AM
thanks for the tut toots. (no offense for all those femiNazis out here.)