The manual Page
last update: 19/02/2003

Unix rights

Introduction

Notion of user

Any entity (a person or a program) that interacts with a Unix system is identified on the machine as a user. A user is recognized by a unique name and a unique numeric ID (the UID); the mapping between names and numbers is held in the file /etc/passwd. Note that the kernel only ever checks the numeric ID: two names that share one UID are, as far as rights are concerned, the same user.

Not all Unix users have the same rights on the machine (they cannot all do the same things), for reasons of sound administration and security. Typically, to limit the damage an attacker arriving from the Internet can do, the account that runs the web server has no login shell and cannot execute local commands. Indeed, some users cannot log on to the machine and obtain a shell (command interpreter) at all; this is the case of the user bin, for instance. It does not mean that such a user can do nothing (it would be useless otherwise): it can read and write files on the machine through a program the super user (see below) has started on its behalf. This mechanism is usually used for daemons: the super user starts the daemon and, so that a compromised daemon cannot do anything else on the machine, the daemon is made to run as an unprivileged account such as bin, nobody or an account created just for it.

On all Unix systems there is a super user, usually called "root". This user can do absolutely anything on the system, including acting in place of any other user. On production servers (web servers, for instance), only one person should know the root password. What makes root special is not its name but its user ID: the super user is the user whose UID is 0.

Notion of group

A Unix user has a name but also belongs to one or several groups (a primary group recorded in /etc/passwd, plus any supplementary groups listed in /etc/group). A group is a "container" of users: groups are used to gather users that must have common rights. For instance, all users of the group ftp might be users that can access the server only with FTP.

Notion of ownership

Any file on a Unix system has an owner. Initially, the owner is the user that creates the file, but ownership can be transferred to another user. Nobody but the owner and the super user (root) can set the rights and the ownership of a file. Beware! Who may give a file away depends on the system: on traditional System V Unix, an ordinary user x could give one of his files to the ordinary user y (root being the only one able to take ownership of a file), but on Linux, and by default on the BSDs, only root can change a file's owner at all. An ordinary user can only change the group of his own files, and only to a group he belongs to.

A Unix file also belongs to a group. This is what gives the notion of group its full meaning: it is then possible to define the actions the members of a group can perform on a file. The group is often the primary group of the owner, but this configuration is not mandatory; it depends on what people want to do. For instance, we can imagine a case of delegation of administration: the super user is the owner of a given configuration file, but he also allows users from the admin group to change this file. The configuration file then has root as its owner and belongs to the group admin.

Please remember that Unix directories are also files. Rights on directories (and on the device nodes of /dev, etc.) are therefore stored and changed the same way as on ordinary files, even though their meaning on a directory is slightly different (see below).

Notion of rights

Any Unix file has a set of rights. Rights simply tell which actions which users can perform on the file.

Working

The different rights

Rights on a Unix file concern 3 possible "actions": reading (r), writing (w) and executing (x) the file. On a directory the same flags have a different meaning: r allows listing the names of its entries, w allows creating, renaming and deleting entries in it (whatever the rights on the entries themselves), and x allows entering the directory, i.e. accessing an entry by name. r, w and x are sometimes called flags. These 3 flags are set separately for the file's owner, its group and the other users (those who are neither the owner nor members of the group). Only one of the three sets applies to a given user: the owner's set if he owns the file, otherwise the group's set if he belongs to the file's group, otherwise the others' set; the sets are not combined, so an owner with --- cannot read a file that is r-- for everybody else.

Being allowed to write to a file does not mean one can change its rights: only root and the owner can set them without any special restriction.

Representation of rights

The 3 basic rights for these 3 entities are generally represented as follows: we write side by side the r, w and x rights respectively for the owner (u), the group (g) and the other users (o). The letters u, g and o are also used by Unix commands to set rights and ownership on a file. When a given right is set for an entity, we write the flag (r, w or x); when it is unset, we simply write a '-'. Example:

rwxr-xr--

means that the owner can read, write and execute the file, that the members of the file's group can only read and execute it, and finally that the other users can only read it.

Another way of representing rights is numeric (octal): each set of basic rights (r, w and x) is read as a binary word of 3 bits, the r flag being worth 4, w worth 2 and x worth 1:

  r w x
  4 2 1

Hence rwx is equivalent to 7 (4+2+1), r-x to 5 (4+1) and r-- to 4. The complete set of rights rwxr-xr-- is therefore equivalent to 754. This notation is what one passes to the chmod command (see below) to set a file's rights directly.
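The conversion between the two notations, as an added example that is not part of the original page: two POSIX shell functions that turn a 9-character rights string into its three octal digits and back. The function names sym_to_octal and octal_to_sym are this example's own; the setuid, setgid and sticky letters (s, S, t, T) that ls may also print are outside the scope of this page and are deliberately rejected.

```shell
#!/bin/sh
# Added example, not from the original page: convert between the symbolic
# notation (rwxr-xr--) and the octal notation (754) described above, using
# only POSIX shell features so it runs under sh, dash or bash.

# sym_to_octal RIGHTS
#   RIGHTS is the 9-character string as printed by ls -l (without the
#   leading file-type character). Each triplet is read as a 3-bit word:
#   r = 4, w = 2, x = 1. Prints three octal digits.
sym_to_octal() {
    rights=$1
    # Only the basic flags covered on this page are accepted; the setuid,
    # setgid and sticky letters (s, S, t, T) are rejected on purpose.
    case $rights in
        [rwx-][rwx-][rwx-][rwx-][rwx-][rwx-][rwx-][rwx-][rwx-]) ;;
        *) echo "sym_to_octal: expected 9 characters from r, w, x, -" >&2; return 1 ;;
    esac
    out=""
    rest=$rights
    while [ -n "$rest" ]; do
        triplet=${rest%"${rest#???}"}    # first three characters
        rest=${rest#???}                  # drop them
        v=0
        case $triplet in r??) v=$((v + 4)) ;; esac
        case $triplet in ?w?) v=$((v + 2)) ;; esac
        case $triplet in ??x) v=$((v + 1)) ;; esac
        out="$out$v"
    done
    printf '%s\n' "$out"
}

# octal_to_sym MODE
#   MODE is three octal digits (owner, group, others). Prints the
#   9-character symbolic string.
octal_to_sym() {
    mode=$1
    case $mode in
        [0-7][0-7][0-7]) ;;
        *) echo "octal_to_sym: expected three octal digits" >&2; return 1 ;;
    esac
    out=""
    rest=$mode
    while [ -n "$rest" ]; do
        d=${rest%"${rest#?}"}             # first digit
        rest=${rest#?}
        # Test each bit of the 3-bit word.
        if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $((d & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    done
    printf '%s\n' "$out"
}

# Usage: the page's own examples.
sym_to_octal rwxr-xr--     # 754
octal_to_sym 555           # r-xr-xr-x
```

Both functions validate their input and return 1 on anything they do not understand, so they can be used safely in a script that reads rights out of ls -l output.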

Use

To check the rights set on a file, just type ls -l name_of_the_file:

# ls -l foo
-rwxr-xr--    1 user     group     12345 Nov 15 09:19 foo

This means that the file foo (size 12345 bytes) belongs to the user called "user" and to the group "group", and that the rights rwxr-xr-- are set on it. Notice that the first column has 10 characters. The first one is not a right: it is reserved to say what kind of file this is (- for an ordinary file, d for a directory, l for a symbolic link, c or b for a device). Modern versions of ls may append an 11th character (+ or .) when the file also carries an access control list or a security label; those mechanisms are beyond this page.

We set rights with the chmod command and ownership with chown.

It is very easy to change the owner and the group:

chown new_user:new_group name_of_the_file

It is also very simple to set rights with the numeric notation we have just seen. For instance, to set the rights r-xr-xr-x (i.e. 555), we just do:

chmod 555 name_of_the_file
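A runnable walk-through of this section and of the directory semantics described under "The different rights", added here as an example (it is not code from the original page): it creates a throw-away directory, applies modes with chmod, reads them back from the first column of ls -ld, then shows that x alone on a directory lets one open a file inside it by name without listing the directory, while r alone lets one list the names without reaching anything inside. It finally tries to give a file to root with chown, which an ordinary user cannot do on Linux. The function names and the temporary path are this example's own. Root bypasses the rights checks entirely, so the denials only appear when the script is run as an ordinary user.

```shell
#!/bin/sh
# Added example, not from the original page: set rights with chmod, read them
# back from the first column of ls -ld, and show what r and x mean on a
# directory. Everything happens in a throw-away directory created under
# ${TMPDIR:-/tmp}.

# mode_of PATH: the 10-character type+rights column of ls -ld.
# cut -c1-10 deliberately drops the 11th character ("." or "+") that modern
# ls prints when a file carries a security label or an ACL.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# set_and_check PATH MODE: apply an octal mode with chmod and print the
# 9 rights characters ls reports afterwards (file-type character stripped),
# so the caller can confirm the change took effect.
set_and_check() {
    chmod "$2" "$1" && mode_of "$1" | cut -c2-10
}

# can_list DIR: "yes" if the names inside DIR can be listed (needs r on DIR).
can_list() {
    if ls "$1" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# can_open FILE: "yes" if FILE can be opened by name (needs x on every
# directory in its path, and r on the file itself).
can_open() {
    if cat "$1" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# can_give_away FILE: "yes" if the caller may hand FILE to uid 0 with chown.
# On Linux (and by default on the BSDs) this is refused for anyone but root.
can_give_away() {
    if chown 0 "$1" 2>/dev/null; then echo yes; else echo no; fi
}

# setup_fixture: create <tmp>/dir/secret.txt and print the <tmp> path.
setup_fixture() {
    work=$(mktemp -d "${TMPDIR:-/tmp}/rights.XXXXXX") || return 1
    mkdir "$work/dir" && printf 'hello\n' > "$work/dir/secret.txt" && printf '%s\n' "$work"
}

# cleanup_fixture TMP: restore full rights on the directory so it can be
# emptied, then remove everything.
cleanup_fixture() {
    chmod 700 "$1/dir" 2>/dev/null
    rm -rf "$1"
}

# demo: walk through the page's examples and print the outcome of each step.
demo() {
    work=$(setup_fixture) || return 1
    d=$work/dir; f=$d/secret.txt

    printf 'chmod 754 -> %s\n' "$(set_and_check "$f" 754)"   # rwxr-xr--
    printf 'chmod 555 -> %s\n' "$(set_and_check "$f" 555)"   # r-xr-xr-x

    # x without r: the directory can be traversed but not listed.
    chmod 100 "$d"
    printf 'dir --x------: list=%s open=%s\n' "$(can_list "$d")" "$(can_open "$f")"

    # r without x: names can be listed but nothing inside can be reached.
    chmod 400 "$d"
    printf 'dir r--------: list=%s open=%s\n' "$(can_list "$d")" "$(can_open "$f")"

    chmod 700 "$d"
    printf 'give file to root: %s\n' "$(can_give_away "$f")"
    cleanup_fixture "$work"
}

# Root bypasses these checks entirely, so run the demo as an ordinary user.
demo
```

Reading the mode back after every chmod is a habit worth keeping in deployment scripts: a chmod that silently did nothing (wrong path, a file you do not own) is exactly the kind of mistake that leaves a configuration file world-readable.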

For further details on how to use chown and chmod, please refer to the manual pages or to the corresponding pages of this web site.

References

  • Unix manual pages (section 1): man chmod and man chown
  • chown --help
  • chmod --help




Copyright © 2000-2002 themanualpage.org - This site is subject to the terms of the GNU GPL and FDL licences.