Every user in a Unix system is assigned a user name and an integer user id number.
Users in Unix systems can also belong to groups, which are sets of users.
To create a group in a Unix system, use the groupadd command in a terminal. The command
sudo groupadd test
creates a new group named test. To add users to a group, use the usermod command with the -a option to add and -G option to specify a group. For example,
sudo usermod -a -G test joe
adds the user joe to the test group.
One important bit of metadata stored in every file in a Unix system is the identity of the user who owns the file. This is stored as the integer user id of the user who created the file. Also, all files also have a group ownership which lists the group id of the group that owns the file.
User ids are set automatically when a user creates a file or directory.
This user id can be changed by using the chown command. For example, the command
sudo chown root myfile.txt
changes the owner of the myfile.txt to the root user. You can also use the chown command to set the group ownership on a file:
sudo chown root:test myfile.txt
An important piece of metadata that Unix file systems store in the inodes associated with files are the file's permission bits. The purpose of this data is to indicate who has permission to perform common actions on the file, including reading the file and writing the file. Also, since just about everything is in Unix is a file, these permissions also affect the behavior of application executables, directories, and other objects on a Unix system.
Each of the permissions listed in the permission bits is in the form of a simple yes/no switch. The operating system uses a single bit to represent each distinct permission, with a value of 0 indicating that the permission is denied and a value of 1 indicating that the permission is granted. Permissions are also organized into three sets, called triads. The first triad, owner, applies to the owner of the file in question. The second triad, group, applies to users who belong to a particular group of users. The third triad, other, applies to all users who don't fall into one of the first two groups.
Each of the triads contains three distinct permissions: read, write, and execute. The read permission gives permission to open the file for reading. The write permission grants permission to open the file for writing. The execute permission has different meanings in different situations. The most common use for the execute permission applies to program executable files and scripts, and grants permission to run the program or script. The execute permission also applies to directories. If a user does not have execute permission for a particular directory, that user will not be able to enter the directory via the cd terminal command, and they will not be able to access any files or directories stored inside the directory.
In addition to the bits mentioned above, files also have three additional bits that can be set, the setuid bit, the setgid bit, and the sticky bit. Once again, these bits have slightly different interpretations for different kinds of files.
When applied to an executable file, the setuid bit will cause the program to run with the privileges of the owner of the file instead of the privileges of the user who is executing the file. The most common use case is when the root user owns an executable, and the executable has the execute bit set to 1 in the other triad. In this scenario, any user can run the program, and the program will have root as its effective user when the program runs, giving the program all of the access privileges of the root user.
Similarly, having the setgid bit set on an executable causes the program to run with its group set to the group that owns the file, rather than the group that the user who launched the program belongs to.
The setgid bit has a different interpretation when applied to a directory. A directory with the setgid bit set will cause any files and directories created in that directory to inherit the group of the directory.
The sticky bit is somewhat more obscure. Setting the sticky bit on a directory restricts the directory so only the file's owner, the directory's owner, or root user can rename or delete any file in that directory.
The ls command can be used to list information about files in a directory. Using the -l switch displays extended information about each file listed.
drwxr-xr-x 2 joe joe 4096 Feb 26 13:11 Desktop drwxr-xr-x 16 joe joe 4096 Jan 18 12:23 Documents drwxr-xr-x 4 joe joe 4096 Mar 1 09:05 Downloads -rw-rw-r-- 1 joe joe 31681 Feb 6 20:26 notes.txt
Setting permission bits
The various permission bits can be set by using the chmod command in a terminal. The chmod command can work with either numeric codes or alphabetic codes.
The numeric codes encode all of the permission bits into four base 8 digits. The four digits refer to the special bits, the owner triad, the group triad, and the other triad in that order. Base 8 is appropriate, because numbers in base 8 have three bits, corresponding to the three bits in each set.
Here are some examples:
chmod 0777 myfile.txt
The base 8 digit 7 has all three bits set to 1. In this example the read, write, and exectute permissions would be turned on for each of the triads, with none of the special bits set to 1.
chmod 0660 myfile.txt
This example grants read and write permissions for the owner and the group, and no permissions for others.
chmod 0755 myscript.sh
This example grants read, write, and execute permissions to the script's owner, while granting only read and execute permissions to the group and others.
The alphabetic form is use to flip individual permissions on or off. Here are some examples
chmod g+w myscript.sh
flips the write permission bit on in the group triad for the script.
chmod oga+x myscript.sh
flips the execute permission on for the owner, group, and others (all). The command
chmod +x myscript.sh
has the same effect.
chmod a-x myscript.sh
removes the execute permission for the other triad.
When an application program creates a file with the open() system call and specifies the O_CREAT flag, the program should provide a third parameter to open() that specifies the file permissions for the newly created file:
open("output.txt",O_CREAT | O_WRONLY,0660);
will grant read and write permissions to owner and group, and no permissions to other.
These permissions can be further limited by the application's umask. The umask is a set of bits that specify permissions to be explictly denied in all cases when an application creates a file. The umask is set via a call to the umask() system call:
umask(0033);
sets a umask value that will deny write and execute privileges to group and other for any files created by the application. This restriction applies even if the program tries to grant these privileges in the open() call.