|
Chapter 22 File Security, Ownership, and Sharing |
|
22.15 Juggling Permissions
Like any security feature, UNIX permissions occasionally get in your way. When you want to let people use your apartment, you have to make sure you can get them a key; and when you want to let someone into your files, you have to make sure they have read and write access.
In the ideal world, each file would have a list of users who can access it, and the file's owner could just add or delete users from that list at will. Some secure versions of UNIX are configured this way, but standard UNIX systems don't provide that degree of control. Instead, we have to know how to juggle UNIX file permissions to achieve our ends.
For example, suppose I have a file called ch01 that I want edited by another user, val . I tell her that the file is /books/ptools/ch01 , but she reports to me that she can't access it.
val %cd /books/ptoolsval %more ch01ch01: Permission denied
The reason val can't read the file is that it is set to be readable only by me. val can check the permissions on the file using the -l option to the ls command:
val %ls -l ch01-rw------- 1 lmui 13727 Sep 21 07:43 ch01
val asks me ( lmui ) to give her read and write permission on the file. Only the file owner and root can change permission for a file. Now, what's the best way to give val access to ch01 ?
The fastest and most sure-fire way to give another user permission is to extend read and write permission to everyone:
lmui %chmod 666 ch01lmui %ls -l ch01-rw-rw-rw- 1 lmui 13727 Sep 21 07:43 ch01
But this is sort of like leaving your front door wide open so your cat can get in and out. It's far better to extend read and write access to a common group instead of to the entire world. I try to give val access to the file by giving group read and write access:
lmui %chmod 660 ch01lmui %ls -l ch01-rw-rw---- 1 lmui 13727 Sep 21 07:43 ch01
But val reports that it still doesn't work:
val %more ch01ch01: Permission denied
What happened?
Well, I gave read and write permission to the
file's group, but
val
doesn't belong to that group.
You can find out the group a file
belongs to using the
-lg
option to
ls
(this is the default on System V when you type
ls -l
):
val %ls -lg ch01-rw-rw---- 1 lmui power 13727 Sep 21 07:43 ch01
|
groups
|
You can use the groups command (the GNU version is on the CD-ROM) to find out what groups a user belongs to: |
|---|
%groups valval : authors ora %groups lmuilmui : authors power wheel ora
The ch01 file belongs to group power . val isn't a member of this group, but both lmui and val are in the authors group. To give val access to the file ch01 , therefore, I need to put the file in group authors . To do that, I use the chgrp ( 1.23 ) command:
lmui %chgrp authors ch01lmui %ls -lg ch01-rw-rw---- 1 lmui authors 13727 Sep 21 07:43 ch01
Now val can read and write the file. (On System V systems, she may need to run newgrp ( 22.13 ) first.)
-
|
|
|
|
| 22.14 Add Users to a Group to Deny Permission |
|
22.16 Copying Permissions with cpmod |
