 |  |
50.11. Juggling Permissions
Like any security feature, Unix permissions occasionally get in your way. When you want to let people use your apartment, you have to make sure you can get them a key; and when you want to let someone into your files, you have to make sure they have read and write access.
In the ideal world, each file would have a list of users who can access it, and the file's owner could just add or delete users from that list at will. Some secure versions of Unix are configured this way, but standard Unix systems don't provide that degree of control. Instead, we have to know how to juggle Unix file permissions to achieve our ends.
For example, suppose I have a file called ch01 that I want edited by another user, joe. I tell him that the file is /books/ptools/ch01, but he reports to me that he can't access it.
joe % cd /books/ptools joe % more ch01 ch01: Permission denied
The reason joe can't read the file is that it is set to be readable only by me. joe can check the permissions on the file using the -l option to the ls command:
joe % ls -l ch01 -rw------- 1 lmui 13727 Sep 21 07:43 ch01
joe asks me (lmui) to give him read and write permission on the file. Only the file owner and root can change permission for a file. Now, what's the best way to give joe access to ch01?
The fastest and most sure-fire way to give another user permission is to extend read and write permission to everyone:
lmui % chmod 666 ch01 lmui % ls -l ch01 -rw-rw-rw- 1 lmui 13727 Sep 21 07:43 ch01
But this is sort of like leaving your front door wide open so your cat can get in and out. It's far better to extend read and write access to a common group instead of to the entire world. I try to give joe access to the file by giving group read and write access:
lmui % chmod 660 ch01 lmui % ls -l ch01 -rw-rw---- 1 lmui 13727 Sep 21 07:43 ch01
But joe reports that it still doesn't work:
joe % more ch01 ch01: Permission denied
What happened? Well, I gave read and write permission to the file's group, but joe doesn't belong to that group. You can find out the group a file belongs to using the -lg option to ls. (This is the default on many systems when you type ls -l. Other systems are different. For instance, the GNU ls command ignores -g and has a -G option for when you don't want to see the group name.)
joe % ls -lg ch01 -rw-rw---- 1 lmui power 13727 Sep 21 07:43 ch01
You can use the groups command (Section 49.6) to find out what groups a user belongs to:
% groups joe joe : authors ora % groups lmui lmui : authors power wheel ora
The ch01 file belongs to group power. joe isn't a member of this group, but both lmui and joe are in the authors group. To give joe access to the file ch01, therefore, I need to put the file in group authors. To do that, I use the chgrp (Section 1.17) command:
lmui % chgrp authors ch01 lmui % ls -lg ch01 -rw-rw---- 1 lmui authors 13727 Sep 21 07:43 ch01
Now joe can read and write the file. (On some systems, he may need to run newgrp (Section 49.4) first.)
-- LM
|  | |
| 50.10. A Directory That People Can Access but Can't List |  | 50.12. File Verification with md5sum |
Copyright © 2003 O'Reilly & Associates. All rights reserved.