Main index

Introducing UNIX and Linux

Files

Overview
The UNIX directory hierarchy
Filesystems
Manipulating files
      Creating directories
      Creating files
      links
      'Dot' files
Protecting files
      Groups
      File access control
      Changing privileges
File contents
      Text files
      Comparing files
      Filtering files
      Non-text files
Printing files
File archives and file compression
Other relevant commands
Summary
Exercises

File access control

UNIX has a flexible method of protecting files to deal with the situations we described earlier. First of all, each file on the machine divides the users of the machine into three categories:

  • the file's owner (normally the user who created the file)
  • a group of users
  • other users.

For each of these categories of user, that user may be either given or denied the following access privileges:

  • read
  • write
  • execute.

If a file has read permission, it can be examined at a terminal, printed (if it is a text file), viewed by an editor, and so on. If it has write permission, the contents of the file can be changed (for example, by an editor), and the file can be overwritten or deleted. If it has execute permission, and is a binary program or a shell script, that program can be run (but copied only if it also has read permission). An example is given later on in this chapter.

Access control is determined as follows. The system first of all checks to see whether the user is the owner of a file, and if so the owner permissions are used. Otherwise, it checks to see if the user is a member of the group allocated to that file, and if so checks group file permissions. If the user is neither the file owner nor in the file's group, they come under the heading of other users. The group to which a file has been allocated must be a valid group the system administrator has already set up, as discussed above. The owner of a file can change the group to which the file has been allocated.

Access privileges for directories have a different meaning than for ordinary files. If a directory has write permission, files in that directory may be created or deleted. If it has read permission, it is possible to see the files that are contained in that directory (using ls, say); if it has execute permission it is possible to cd to it. A directory with execute but not read permission is useful if you wish to allow someone else to run one of your commands located in that directory, but do not wish them to see what other files you have.

To find out the access privileges for a file, use ls. As an example, consider user chris who has 6 files in the home directory (including two subdirectories). By typing ls -l ('long') (on some systems you need ls -lg) the following output might be seen:

total 561
-rw-r--r--   1   chris  ugrads      122 Dec 21 18:40 myfile
drwxr-xr-x   2   chris  general     512 Dec 22 14:55 dir1
drwx------   2   chris  general     512 Dec 22 14:55 dir2
-rw-r-----   1   chris  proj       9912 Nov 22 17:55 prog.c
-r-x------   2   chris  general     147 Dec 22 17:56 foo
-r-x------   2   chris  general     147 Dec 22 17:56 bar

In fact, ls -l will display most information you are likely to need about files for routine work. The general format for the output is:

-rw-r--r--   1   chris  ugrads      122 Dec 21 18:40 myfile
^^^^^^^^^^   ^   ^^^^^  ^^^^^^^^^  ^^^^ ^^^^^^^^^^^^ ^^^^
access     links owner   group     size  last change name

The access privileges are presented as a string of 10 characters. The first character is usually either a d or a -, indicating that the file is a directory or an ordinary file respectively. There are other possible values, which we discuss later. Characters 2-4, 5-7 and 8-10 describe the access privileges for the owner, the group and for others respectively. Each of these 3-character substrings denotes whether read, write and execute privileges have been allowed or denied.

For read privilege, the first character will be r, otherwise -; for write privilege the second will be w, otherwise -. Lastly, for execute privilege, the third will be x, otherwise -.

For example, file myfile above can be read by anybody, but only Chris can write to it (that is, change the contents of the file in any way). File prog.c can only be written to by Chris, but users who are members of the group proj can also read it. File foo can be read by Chris, and also executed, but no-one else can access it at all. Nor can Chris write to it - this is not necessarily a mistake, it is often useful to deny yourself write access to a file to prevent yourself accidentally deleting the file if it contains important data.

If a directory does not have write permission, then files in that directory cannot be deleted, nor can new ones be created. However, files within that directory that do have write permission can have their contents changed.

The other information that ls -l provides is as follows. The number of links to a file is printed, followed by the owner of the file and the group the file is currently assigned to. Then comes the size of the file in bytes and the date and time the file last had any of its contents changed. At the end of the line comes the name of the file.

Copyright © 2002 Mike Joy, Stephen Jarvis and Michael Luck