Octal value    Binary equivalent
0              000
1              001
2              010
3              011
4              100
5              101
6              110
7              111
To turn the mode bits 110111101001 into an octal representation, first separate them into chunks of three bits: 110, 111, 101, and 001. The first group, representing the special permissions, is 110. This can be thought of as 4 + 2 + 0 = 6. The second group, representing user permissions, is 111, or 4 + 2 + 1 = 7. The third group, representing group permissions, is 101, or 4 + 0 + 1 = 5. The last group, representing other permissions, is 001, or 0 + 0 + 1 = 1. The mode string for this example can then be written as the octal 6751.
This is the form used to display the file mode in the output from the stat command. Here, the octal access mode for the mount command is 4755:

# stat /bin/mount
  File: "/bin/mount"
  Size: 69100        Blocks: 144        IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 14671934    Links: 1
Access: (4755/-rwsr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2009-08-07 15:40:29.000000000 -0500
Modify: 2009-06-01 06:17:46.000000000 -0500
Change: 2009-06-29 14:37:58.000000000 -0500

The special permissions are represented in this example by octal 4, or binary 100, indicating that the SUID permission is set (the s in -rws). The user permission is octal 7, or binary 111, indicating read, write, and execute for the file's owner (in this case, root). Both the group and other permissions are set to octal 5, or binary 101, indicating read and execute, but not write. That last point matters for a setuid-root program such as mount: because it runs with root privileges no matter who invokes it, a write bit for group or other on a file with this mode would let an ordinary user replace code that executes as root.
The mode string

As mentioned earlier, the user, group, and other permissions are often spelled out in symbolic mode descriptions such as rwxr-xr-x. This notation is found in the output of the ls -l and stat commands. As you can see in the access mode for mount, this scheme is modified slightly in the presence of special permissions. Instead of adding three more characters to the left of rwxr-xr-x, the SUID permission is indicated in the string by changing the user execute position from x to s. SGID permission is handled the same way in the group execute position. The sticky permission is indicated by replacing the x in the other execute position with t, or with T when other has no execute permission. For example, an executable program with mode 6755 would have the following equivalent symbolic mode:

rwsr-sr-x

A directory with mode 1774 would have this equivalent string:

rwxrwxr-T

While this layering of special permissions may appear to obscure the underlying execute permissions, it makes sense. The special permissions are relatively rare in the filesystem, so depicting three extra characters would waste space on your terminal or terminal window. The case of the letter carries the execute bit. When the corresponding execute bit is set, the setuid and setgid bits are represented with s; when it is not set, they are represented with S. Similarly, the sticky bit is represented with either t or T. A capital S on an executable is worth a second look: the special bit is set but nobody can execute through it, which usually means a mode was set without the intended x rather than a deliberate configuration.
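The translation the two examples above walk through by hand, as an added shell example that is not part of the book: one function turns the octal mode that stat prints into the nine-character string ls -l shows, applying the s/S and t/T rules exactly as described, and a second function goes the other way. It is plain POSIX sh, touches no files, and the modes it loops over at the end are the ones discussed on this page.

```shell
#!/bin/sh
# Added example (not from the book): convert between the octal mode printed by
# stat -c %a and the symbolic string printed by ls -l, including the special bits.
# Pure POSIX sh; no filesystem access.

# mode_to_symbolic 4755  ->  rwsr-xr-x
mode_to_symbolic() {
    m=$1
    while [ ${#m} -lt 4 ]; do m="0$m"; done          # 755 -> 0755
    sp=$(printf '%s' "$m" | cut -c1)                  # special digit: 4=SUID 2=SGID 1=sticky
    out=''
    i=2
    for who in u g o; do
        d=$(printf '%s' "$m" | cut -c"$i")
        case $who in
            u) sbit=$((sp & 4)); low=s; up=S ;;
            g) sbit=$((sp & 2)); low=s; up=S ;;
            o) sbit=$((sp & 1)); low=t; up=T ;;
        esac
        if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        # The execute column carries the special bit: lowercase when x is set,
        # uppercase when the special bit is set but x is not.
        if [ $((d & 1)) -ne 0 ]; then
            if [ "$sbit" -ne 0 ]; then out="${out}${low}"; else out="${out}x"; fi
        else
            if [ "$sbit" -ne 0 ]; then out="${out}${up}"; else out="${out}-"; fi
        fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# symbolic_to_mode rwsr-xr-x  ->  4755  (always four digits; a leading 0 means no special bits)
symbolic_to_mode() {
    s=$1
    case ${#s} in
        10) s=$(printf '%s' "$s" | cut -c2-10) ;;     # tolerate the ls file-type column
        9) ;;
        *) echo "symbolic_to_mode: expected 9 or 10 characters" >&2; return 1 ;;
    esac
    sp=0 out='' i=1
    for who in u g o; do
        d=0
        r=$(printf '%s' "$s" | cut -c"$i")
        w=$(printf '%s' "$s" | cut -c"$((i + 1))")
        x=$(printf '%s' "$s" | cut -c"$((i + 2))")
        if [ "$r" = r ]; then d=$((d + 4)); fi
        if [ "$w" = w ]; then d=$((d + 2)); fi
        case $x in x|s|t) d=$((d + 1)) ;; esac        # lowercase letter: x is set
        case $who$x in                                  # either case: the special bit is set
            u[sS]) sp=$((sp + 4)) ;;
            g[sS]) sp=$((sp + 2)) ;;
            o[tT]) sp=$((sp + 1)) ;;
        esac
        out="$out$d"
        i=$((i + 3))
    done
    printf '%s%s\n' "$sp" "$out"
}

# Round trip over the modes discussed in the text.
for m in 4755 6755 1774 0644 4644 1777; do
    sym=$(mode_to_symbolic "$m")
    printf '%s  %s  %s\n' "$m" "$sym" "$(symbolic_to_mode "$sym")"
done
```

Run it with sh and compare the third column with the first; 4644 is the case that trips people up, because the S shows a setuid bit on a file its owner cannot execute.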
Setting Access Modes

New files are created with a default access mode that sets their initial permission levels. Regardless of your default umask, access modes on existing files can be changed at will.

New files

When new files are created, the protection bits are set according to the user's default setting. That default is established using the umask command, probably in a startup script. This command accepts a single argument, an octal string whose three low-order digits mask the user, group, and other permission bits for newly created files and directories. Without a value, umask reports the current value:

$ umask
0022

When provided with an integer, umask sets the value for the current shell:

$ umask 2
$ umask
0002

A umask of 22 can be rewritten as 022, or as 000010010 in binary. The umask is a per-process attribute inherited across fork and exec, so a value set in a login script applies to that shell and to the programs started from it; a daemon or cron job inherits whatever its own parent had set, not what your profile says.
The process of creating the initial mode for newly created files begins with a raw initial mode string, as defined in Table 7-4.

Table 7-4. Initial access modes

Form        For files      For directories
Symbolic    rw-rw-rw-      rwxrwxrwx
Binary      110110110      111111111
Octal       666            777
The special bits are always turned off and are not masked by the umask. When a file is created, the umask is removed from 666; for directories, it is removed from 777. This calculation yields the effective protection mode for the file or directory. Strictly, the kernel computes mode & ~umask, a bitwise operation that clears every bit set in the mask. That gives the same answer as subtraction only while every bit in the mask is also set in the base mode, which holds for the usual masks (002, 022, 027, 077) but not in general: a umask of 033 applied to a new file yields 644, not the 633 that subtraction would suggest, because 666 has no execute bit to clear. For example, a umask of 22 (022) is applied to a new file, masking the write permission for group and other user classes:

  110110110
- 000010010
-----------
  110100100

This is the same as mode 644, or rw-r--r--.

Using the same mask on a directory yields a similar result:

  111111111
- 000010010
-----------
  111101101

This is the same as mode 755, or rwxr-xr-x, which is appropriate for directories. A umask of 002 or 022 is typical, although if you wish to ensure maximum privacy, a umask of 077 blocks all access except for the owner (and the superuser, whom mode bits never restrict). To set a custom umask, enter the umask command in a startup script, such as ~/.bash_profile. Here's an example of the umask in action:

$ umask 27
$ touch afile
$ mkdir adir
$ ls -ld adir afile
drwxr-x---   2 jdean   jdean   1024 Jan  2 20:31 adir
-rw-r-----   1 jdean   jdean      0 Jan  2 20:31 afile

In this case, the umask of 27 makes the file afile read-only to members of the group and disallows access to the file to all others.
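The umask calculation above, as an added shell example that is not from the book: apply_umask does the bitwise computation the kernel performs, subtract_umask does the digit subtraction the text uses as a shortcut so the two can be compared, and observed_modes creates a real file and directory under a given umask in a temporary directory and reads their modes back with stat. It assumes GNU coreutils (stat -c, mktemp) on Linux; the masks in the loop are the ones discussed on this page plus 033, where the two methods disagree.

```shell
#!/bin/sh
# Added example (not from the book): the mode a new file or directory receives
# under a umask, computed as the kernel does it (base & ~mask) and confirmed by
# creating real entries. Assumes GNU coreutils on Linux.

# apply_umask BASE MASK  ->  three-digit mode, e.g. apply_umask 666 033 -> 644
apply_umask() {
    base=$1 mask=$2 out=''
    i=1
    while [ "$i" -le 3 ]; do
        b=$(printf '%s' "$base" | cut -c"$i")
        m=$(printf '%s' "$mask" | cut -c"$i")
        out="$out$(( b & ~m & 7 ))"          # clear each masked bit within one octal digit
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# subtract_umask BASE MASK  ->  what octal subtraction gives (the book's shortcut)
subtract_umask() {
    printf '%o\n' "$(( 0$1 - 0$2 ))"         # a leading 0 makes the shell read the digits as octal
}

# observed_modes MASK  ->  "<file mode> <directory mode>" as the kernel really assigned them
observed_modes() {
    d=$(mktemp -d) || return 1
    (                                        # subshell: the umask change dies with it
        umask "$1"
        touch "$d/f"
        mkdir "$d/d"
        printf '%s %s\n' "$(stat -c %a "$d/f")" "$(stat -c %a "$d/d")"
    )
    rm -rf "$d"
}

# The common masks behave like subtraction; 033 is where the bitwise rule shows.
for mask in 022 002 027 077 033; do
    printf 'umask %s: file %s dir %s (subtraction would give file %s)\n' \
        "$mask" "$(apply_umask 666 "$mask")" "$(apply_umask 777 "$mask")" \
        "$(subtract_umask 666 "$mask")"
done
```

observed_modes 033 is the line to watch: stat reports 644 for the file, matching apply_umask rather than the 633 that subtraction predicts.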
As you can see in the output of the previous example, ls adds an extra letter at the beginning of the mode string for the adir directory. This symbol indicates the type of file being listed and is not part of the access mode. The letter d indicates a directory, a - indicates a regular file, the letter l indicates a symbolic link, a b indicates a block device (such as a disk), and a c indicates a character device (such as a terminal).
Changing access modes

Access modes can be changed with the chmod command, which accepts either octal or symbolic access mode specifications. Octal bits, as shown in the previous section, are specified explicitly and replace the whole mode. However, some people prefer to use symbolic forms because they usually modify an existing mode instead of completely replacing it. Symbolic mode specifications have three parts, made up of individual characters, as shown in Table 7-5.
Table 7-5. Symbolic modes for the chmod command

Category       Mode   Description
User class     u      User
               g      Group
               o      Other
               a      All classes
Operation      -      Take away permission
               +      Add permission
               =      Set permission exactly
Permissions    r      Read permission
               w      Write permission
               x      Execute permission
               X      Execute permission for directories, and for files that already have execute permission for some class, but not for plain files
               s      SUID or SGID permission
               t      Sticky bit
The individual user class characters and permissions characters may be grouped to form compound expressions, such as ug for user and group combined or rw for read and write. Here are some examples of symbolic mode specifications:

u+x Add execute permission for the user.
go-w Remove write permission from group and other cla.s.ses.
o+t Set the sticky bit.
a=rw Set read and write, but not execute, permissions for everyone.
a+X Give everyone execute permission for directories and for those files with any existing execute permission.
The chmod command is used to modify the mode.
Setting Up a Workgroup Directory

The steps you may use to create a useful workgroup directory for a small team of people are briefly described here. The goals of the directory are as follows:

The workgroup is to be called sales and has members jdoe, bsmith, and jbrown.
The directory is /home/sales.
Only the creators of files in /home/sales should be able to delete them.
Members shouldn't worry about file ownership, and all group members require full access to files.
Nonmembers should have no access to any of the files.
The following steps will satisfy the goals:

1. Create the new group:
   # groupadd sales
2. Add the existing users to the group:
   # usermod -a -G sales jdoe
   # usermod -a -G sales bsmith
   # usermod -a -G sales jbrown
3. Create a directory for the group:
   # mkdir /home/sales
4. Set the ownership of the new directory:
   # chgrp sales /home/sales
5. Protect the directory from others:
   # chmod 770 /home/sales
6. Set the SGID bit to ensure that the sales group will own all new files. Also set the sticky bit to protect files from deletion by nonowners:
   # chmod g+s,o+t /home/sales
7. Test it:
   # su - jdoe
   $ cd /home/sales
   $ touch afile
   $ ls -l afile
   -rw-rw-r--   1 jdoe    sales    0 Jan  3 02:44 afile
   $ exit
   # su - bsmith
   $ cd /home/sales
   $ rm afile
   rm: cannot unlink 'afile': Operation not permitted

After the ls command, we see that the group ownership is correctly set to sales. After the rm command, we see that bsmith cannot delete afile, which was created by jdoe. We also note that although afile has mode 664, the directory containing it has mode 770, preventing other users from reading the file. Two details are worth checking when you do this for real. The group write bit on afile comes from jdoe's umask of 002; a member working with umask 022 would create files the rest of the team can read but not edit, which defeats the fourth goal. And the sticky bit only prevents unlinking and renaming, so any member can still overwrite the contents of another member's group-writable file. Users added with usermod -a -G must also log in again before the new group membership takes effect.
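A check for the directory the steps above produce, as an added shell example that is not from the book: audit_shared_dir verifies that a directory is owned by the expected group, has the SGID and sticky bits set, gives the group full access and gives others none, printing each failing property and returning nonzero so it can run from a hardening script or cron. It assumes GNU coreutils stat on Linux; the directory and group are arguments, and the trial run at the end builds a throwaway directory rather than touching /home/sales.

```shell
#!/bin/sh
# Added example (not from the book): audit a workgroup directory for the
# properties set up in steps 4 to 6 above. Assumes GNU coreutils stat on Linux.

has_bits() {                          # true when every bit of $2 is set in $1 (both numbers)
    [ $(( ($1 & $2) == $2 )) -eq 1 ]
}

# audit_shared_dir DIR GROUP  ->  exit status 0 when all checks pass
audit_shared_dir() {
    dir=$1 want_group=$2 failed=0
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory"
        return 1
    fi
    mode=$(stat -c %a "$dir")         # e.g. 3770; no leading digit when no special bits are set
    group=$(stat -c %G "$dir")
    m=$((0$mode))                     # a leading 0 makes the shell read the digits as octal
    if [ "$group" != "$want_group" ]; then
        echo "$dir: group is $group, expected $want_group"; failed=1
    fi
    if ! has_bits "$m" 02000; then
        echo "$dir: SGID not set; new files will not inherit group $want_group"; failed=1
    fi
    if ! has_bits "$m" 01000; then
        echo "$dir: sticky bit not set; members can delete each other's files"; failed=1
    fi
    if ! has_bits "$m" 070; then
        echo "$dir: group lacks full rwx access (mode $mode)"; failed=1
    fi
    if [ $((m & 07)) -ne 0 ]; then
        echo "$dir: others have access (mode $mode)"; failed=1
    fi
    return $failed
}

# Trial run on a temporary directory owned by the caller's own primary group.
trial_run() {
    d=$(mktemp -d) || return 1
    g=$(id -gn)
    chgrp "$g" "$d"
    chmod 3770 "$d"
    audit_shared_dir "$d" "$g" && echo "$d: 3770 passes"
    chmod 2770 "$d"                   # drop the sticky bit: should now be reported
    audit_shared_dir "$d" "$g" || echo "$d: 2770 fails as expected"
    rm -rf "$d"
}

if [ "${1:-}" = trial ]; then trial_run; fi
```

Run it as `sh audit.sh trial` for the self-test, or call audit_shared_dir /home/sales sales directly once the directory exists.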
On the ExamFor the exam, you should be prepared to answer questions on file and directory permissions in both symbolic and numeric (octal) forms. You should also be able to translate between the two forms given an example.
Name

chmod

Syntax

chmod [options] symbolic_mode[,symbolic_mode]... files
chmod [options] octal_mode files
chmod [options] --reference=rfile files

Description

Modify the access mode on files. In the first form, use one or more comma-separated symbolic_mode specifications to modify files. In the second form, use an octal_mode to modify files. In the third form, use the mode of rfile as a template to be applied to files.
Frequently used options -c Like verbose mode, but report only changes.
-R Use recursive mode, descending through directory hierarchies under files and making modifications throughout.
-v Use verbose behavior, reporting actions for all files.
Example 1

Set the mode for a file to rw-r--r--, using an octal specification:

$ chmod 644 afile
$ ls -l afile
-rw-r--r--   1 jdean   jdean   0 Jan  2 20:31 afile

Example 2

Set the same permission using a symbolic specification, using the verbose option:

$ chmod -v u=rw,go=r afile
mode of afile retained as 0644 (rw-r--r--)

Example 3

Recursively remove all permissions for other on a directory:

$ chmod -R -v o-rwx adir
mode of adir retained as 0770 (rwxrwx---)
mode of adir/file1 changed to 0660 (rw-rw----)
mode of adir/file2 changed to 0660 (rw-rw----)
mode of adir/file3 changed to 0660 (rw-rw----)
mode of adir/file4 changed to 0660 (rw-rw----)
mode of adir/dir1 changed to 0770 (rwxrwx---)
mode of adir/dir1/file6 changed to 0660 (rw-rw----)
mode of adir/dir1/file5 changed to 0660 (rw-rw----)
mode of adir/dir2 changed to 0770 (rwxrwx---)

Example 4

Set the sticky bit on a directory:

$ chmod -v +t adir
mode of adir changed to 1770 (rwxrwx--T)

Modification of ownership parameters may become necessary when moving files, setting up workgroups, or working in a user's directory as root. This is accomplished using the chown command, which can change user and group ownership, and the chgrp command for modifying group ownership.
Name

chown

Syntax

chown [options] user-owner files
chown [options] user-owner. files
chown [options] user-owner.group-owner files
chown [options] .group-owner files
chown [options] --reference=rfile files

Description

Used to change the owner and/or group of files to user-owner and/or group-owner. In the first form, user-owner is made the owner of files and the group is not affected. In the second form (note the trailing dot on user-owner), user-owner is made the owner of files, and the group of the files is changed to user-owner's default group. In the third form, both user-owner and group-owner are assigned to files. In the fourth form, only the group-owner is assigned to files, and the user is not affected. In the fifth form, the owner and group of rfile is used as a template and applied to files. Only the superuser may change file ownership, so that a user cannot give files away to another account; an unprivileged user may change the group of a file only if they own the file and belong to the target group-owner.
Note

Note that historically BSD systems have used the user.group syntax, but SysV-based systems have used user:group (: instead of .). Older versions of GNU chown accepted only the BSD syntax, but recent versions support both. Prefer the colon form in scripts: a user name that itself contains a dot is ambiguous under the dot syntax.
Frequently used options -c Like verbose mode, but report only changes.
-R Use recursive mode, descending through directory hierarchies under files and making modifications throughout.
-v Use verbose behavior, reporting actions for all files.
Example 1

As root, set the user owner of a file:

# chown -v jdoe afile
owner of afile changed to jdoe

Example 2

As root, set the user and group owner of a file:

# chown -v jdoe.sales afile
owner of afile changed to jdoe.sales
Name

chgrp

Syntax

chgrp [options] group-owner files
chgrp [options] --reference=rfile files

Description

Change the group owner of files to group-owner. In the first form, set the group-owner of files. In the second form, the group of rfile is used as a template and applied to files. Options and usage are the same as that of chown.
Example 1

Recursively change the group owner of the entire sales directory:

# chgrp -Rv sales sales
changed group of 'sales' to sales
changed group of 'sales/file1' to sales
changed group of 'sales/file2' to sales
...
Objective 6: Create and Change Hard and Symbolic Links

Often it is useful to have access to a file in multiple locations in a filesystem. To avoid creating multiple copies of the file, use a link. Links don't take up very much space, as they only add a bit of metadata to the filesystem, so they're much more efficient than using separate copies.
There are two types of links used on Linux:

Symbolic links

A symbolic link is simply a pointer to another filename. When Linux opens a symbolic link, it reads the pointer and then finds the intended file that contains the actual data. Symbolic links can point to other filesystems, both local and remote, and they can point to directories. The ls -l command clearly lists them as links by displaying a special l (a lowercase L) in column one, and they have no file protections of their own (the actual file's permissions are used instead). The lrwxrwxrwx that ls shows for a link is therefore not a weakness in itself; what matters is who can write to the directory that holds the link, because that is what allows the link to be removed and repointed. A symbolic link can point to a filename that does not actually exist. Such a symbolic link is said to be broken or stale.
Hard links

A hard link is not really a link at all; it is simply another directory entry for an existing file. The two directory entries have different names but point to the same inode and thus to the same actual data, ownership, permissions, and so on. In fact, when you delete a file, you are only removing a directory entry (in other words, one hard link to the file). As long as any directory entries remain, the file's inode is not actually deleted. A file is not deleted until its link count drops to zero (and the file is no longer open for reading or writing). Hard links have two important limitations. First, because all of the links to a file point to the same inode, any hard links must by definition reside on the same filesystem. Second, hard links cannot point to directories. However, hard links take no disk space beyond an additional directory entry. The shared inode also has a security consequence: removing or replacing the name you know about does not remove the data, since any other hard link still reaches the original inode with its original owner and mode. For this reason current Linux kernels, when the fs.protected_hardlinks sysctl is enabled, refuse to let a user create a hard link to a file they do not own unless they already have read and write access to it.
Why Links?
To see an example of the use of links in practice, consider the directories in /etc/rc.d on a typical RPM-based system:

drwxr-xr-x   2 root   root   1024 Dec 15 23:05 init.d
-rwxr-xr-x   1 root   root   2722 Apr 15  1999 rc
-rwxr-xr-x   1 root   root    693 Aug 17  1998 rc.local
-rwxr-xr-x   1 root   root   9822 Apr 13  1999 rc.sysinit
drwxr-xr-x   2 root   root   1024 Dec  2 09:41 rc0.d
drwxr-xr-x   2 root   root   1024 Dec  2 09:41 rc1.d
drwxr-xr-x   2 root   root   1024 Dec 24 15:15 rc2.d
drwxr-xr-x   2 root   root   1024 Dec 24 15:15 rc3.d
drwxr-xr-x   2 root   root   1024 Dec 24 15:16 rc4.d
drwxr-xr-x   2 root   root   1024 Dec 24 15:16 rc5.d
drwxr-xr-x   2 root   root   1024 Dec 14 23:37 rc6.d

Inside init.d are scripts to start and stop many of the services on your system, such as httpd, crond, and syslogd. Some of these files are to be executed with a start argument, while others are run with a stop argument, depending on the runlevel of your system. To determine just which files are run and what argument they receive, a scheme of additional directories has been devised. These directories are named rc0.d through rc6.d, one for each runlevel (see Chapter 4 for a complete description of this scheme). Each of the runlevel-specific directories contains several links, each with a name that helps determine the configuration of services on your system.
For example, rc3.d contains the following links, among many others:

S30syslog -> ../init.d/syslog
S40crond -> ../init.d/crond
S85httpd -> ../init.d/httpd

All of these links point back to the scripts in init.d, as indicated by the arrows (->) after the script name. If these links were copies of the scripts, editing would be required for all of the runlevel-specific versions of the same script just to make a single change. Instead, links allow us to:

Make changes to the original file once. References to the links will yield the updated contents as long as the filename doesn't change.
Avoid wasting disk space by having multiple copies of the same file in different places for "convenience."
As another example, consider the directory for the kernel source, /lib/modules/kernel_version/build:

build -> /usr/src/linux-2.4.18

Makefiles and other automated tools for building third-party kernel modules can refer to /lib/modules/`uname -r`/build, but in reality they reference /usr/src/linux-2.4.18. If a new kernel is added, say, version 2.4.20, its source would be placed into an appropriately named directory and the build link in the new modules directory would be set, as follows:

build -> /usr/src/linux-2.4.20

Now the appropriate directory can be selected simply by changing the link. No files need to be moved or deleted. Once created, links are normal directory entries, which may be copied, renamed, deleted, and backed up.

Symbolic and hard links are created with the ln command.
Name

ln

Syntax

ln [options] file link
ln [options] files directory

Description

Create links between files. In the first form, a new link is created to point to file, which must already exist for a hard link (ln -s will happily create a symbolic link to a name that does not exist yet, producing a dangling link). In the second form, links are created in directory for all files specified.

Hard links are created unless the -s option is specified.
Frequently used options -f Overwrite (force) existing links or existing files in the destination directory directory.
-i Prompt interactively before overwriting destination files.
-s Create a symbolic link rather than a hard link.
Example 1

On this system the Bourne shell, sh, is a symbolic link to bash (Debian-derived distributions point /bin/sh at dash instead, so check rather than assume):

$ ls -l /bin/bash /bin/sh
-rwxr-xr-x   1 root   root   626028 Feb 11 07:34 /bin/bash
lrwxrwxrwx   1 root   root        4 Feb 23 10:24 /bin/sh -> bash

Example 2

Create a file named myfile, a symbolic link to that file named myslink, and a hard link to that file named myhlink, and then examine them:

$ touch myfile
$ ln -s myfile myslink
$ ln myfile myhlink
$ ls -l my*
-rw-r--r--   2 jdoe   jdoe   0 Jan  3 13:21 myfile
-rw-r--r--   2 jdoe   jdoe   0 Jan  3 13:21 myhlink
lrwxrwxrwx   1 jdoe   jdoe   6 Jan  3 13:21 myslink -> myfile

Using the stat command on my* demonstrates that myfile and myhlink both ultimately reference the same inode (the inode numbers are the same) and indicates the number of hard links to the file:

# stat my*
  File: "myfile"
  Size: 0           Blocks: 0          IO Block: 4096   Regular File
Device: 3a05h/14853d    Inode: 1212467    Links: 2
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2009-03-15 21:36:33.000000000 -0600
Modify: 2009-03-15 21:36:33.000000000 -0600
Change: 2009-03-15 21:36:33.000000000 -0600
  File: "myhlink"
  Size: 0           Blocks: 0          IO Block: 4096   Regular File
Device: 3a05h/14853d    Inode: 1212467    Links: 2
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2009-03-15 21:36:33.000000000 -0600
Modify: 2009-03-15 21:36:33.000000000 -0600
Change: 2009-03-15 21:36:33.000000000 -0600
  File: "myslink" -> "myfile"
  Size: 6           Blocks: 0          IO Block: 4096   Symbolic Link
Device: 3a05h/14853d    Inode: 1213365    Links: 1
Access: (0777/lrwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2009-03-15 21:36:33.000000000 -0600
Modify: 2009-03-15 21:36:33.000000000 -0600
Change: 2009-03-15 21:36:33.000000000 -0600

Note that the symbolic link has an inode of its own, which can also be displayed using the -i option to ls:

# ls -li my*
1212467 -rw-r--r--   2 root   root   0 Mar 15 21:36 myfile
1212467 -rw-r--r--   2 root   root   0 Mar 15 21:36 myhlink
1213365 lrwxrwxrwx   1 root   root   6 Mar 15 21:36 myslink -> myfile

Here you can see that the directory entries for myfile and myhlink both point to inode 1212467, while the directory entry for myslink points to inode 1213365. That inode contains the symbolic link to myfile; its size of 6 bytes is simply the length of the target name.
As another example, consider the two filesystems in Figure 7-3. The root partition on /dev/sda1 holds a file intended as an example bash startup file, located in /etc/bashrc_user. On the same filesystem, the root user has elected to use /etc/bashrc_user. Not wanting to maintain both files individually, root has created a hard link, /root/.bashrc, to the example file.

Both of the directory entries, /etc/bashrc_user and /root/.bashrc, point to the same text data in the same file, described by the same inode, on /dev/sda1. User jdoe has also elected to link to the example file. However, since his home directory is located in /home on /dev/sda9, jdoe cannot use a hard link to the file on /dev/sda1. Instead, he created a symbolic link, /home/jdoe/.bashrc, which points to a small file on /dev/sda9. This contains the pointer to directory entry /etc/bashrc_user, which finally points at the text. The result for root and jdoe is identical, though the two styles of links implement the reference in completely different ways.
Preserving links

Programs such as tar and cp contain options that control whether symbolic links are followed during operation. In the case of a tar backup, this may be important if you have multiple links to large files, because following every link would put many redundant copies of the same data in the archive. GNU tar archives symbolic links as links unless told to dereference them with -h, and records additional hard links to a file it has already stored as link entries rather than as second copies.
When a symbolic link is encountered with cp, the contents of the file to which the link points are copied, unless the -d option is specified. This "no dereference" option causes cp to copy the links themselves instead. For example, consider a directory dir1 containing a symbolic link, which is recursively copied to other directories with and without the -d option:

# ls -l dir1
total 13
lrwxrwxrwx   1 root   root      19 Jan  4 02:43 file1 -> /file1
-rw-r--r--   1 root   root   10240 Dec 12 17:12 file2
# cp -r dir1 dir2
# ls -l dir2
total 3117
-rw-r--r--   1 root   root   3164160 Jan  4 02:43 file1
-rw-r--r--   1 root   root     10240 Jan  4 02:43 file2
# cp -rd dir1 dir3
# ls -l dir3
total 13
lrwxrwxrwx   1 root   root      19 Jan  4 02:43 file1 -> /file1
-rw-r--r--   1 root   root   10240 Jan  4 02:43 file2

Directory dir2 has a copy of the entire file1, which is large, probably wasting disk space. Directory dir3, created with cp -rd, is the same as dir1 (including the symbolic link) and takes very little space. This example reflects the cp of its day: in current GNU coreutils, cp -r and cp -R are equivalent and by default copy symbolic links as links (the -P behaviour) rather than following them, so the dir2 result above now requires -L. A script that depends on either behaviour should ask for it explicitly with -L (follow) or -P (do not follow) instead of relying on the default.
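The inode and link-count observations from the ln examples and the cp -d behaviour just shown, as one added shell example that is not from the book: link_kind classifies a path as a plain file, a hard-linked file, a live symbolic link or a dangling one using the same stat fields printed above, same_inode and link_count expose the numbers directly, and copy_tree copies a directory with the symlink policy named explicitly (-L or -P) because, as noted, the default of cp -r has changed between coreutils releases. It assumes GNU coreutils (stat -c, readlink, cp -R with -L/-P) on Linux; the demo builds its sample tree in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the book): classify links the way stat/ls -li show them,
# and copy a tree with an explicit symlink policy. Assumes GNU coreutils on Linux.

link_kind() {                     # prints: regular | hardlinked | symlink | dangling | missing
    if [ -L "$1" ]; then
        if [ -e "$1" ]; then echo symlink; else echo dangling; fi   # -e follows the link
    elif [ -e "$1" ]; then
        if [ "$(stat -c %h "$1")" -gt 1 ]; then echo hardlinked; else echo regular; fi
    else
        echo missing
    fi
}

link_count() { stat -c %h "$1"; }                 # the "Links:" field from stat

same_inode() {                                     # true when both names are entries for one inode
    [ "$(stat -c '%d:%i' "$1")" = "$(stat -c '%d:%i' "$2")" ]
}

copy_tree() {                                      # copy_tree SRC DST follow|preserve
    case $3 in
        follow)   cp -RL "$1" "$2" ;;              # replace each symlink by a copy of its target
        preserve) cp -RP "$1" "$2" ;;              # copy symlinks as symlinks (what -d does for links)
        *) echo "usage: copy_tree SRC DST follow|preserve" >&2; return 2 ;;
    esac
}

demo() {
    top=$(mktemp -d) || return 1
    (
        cd "$top" || exit 1
        printf 'example bash startup file\n' > bashrc_user   # constructed sample data
        ln bashrc_user root_bashrc            # hard link: same inode, link count becomes 2
        ln -s bashrc_user jdoe_bashrc         # symlink: its own inode holding the target name
        ln -s no_such_file broken             # dangling symlink
        mkdir dir1
        ln -s ../bashrc_user dir1/file1
        printf 'x\n' > dir1/file2
        copy_tree dir1 dir2 follow
        copy_tree dir1 dir3 preserve
        for p in bashrc_user root_bashrc jdoe_bashrc broken dir2/file1 dir3/file1; do
            printf '%-12s %-10s links=%s\n' "$p" "$(link_kind "$p")" "$(link_count "$p")"
        done
        rm bashrc_user                        # the data survives: root_bashrc still names the inode
        printf 'after rm: root_bashrc=%s jdoe_bashrc=%s\n' \
            "$(link_kind root_bashrc)" "$(link_kind jdoe_bashrc)"
    )
    rm -rf "$top"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run `sh links.sh demo`: dir2/file1 comes out as a regular copy and dir3/file1 as a symlink, and after the original is removed the hard link is reported as a regular file with a link count of 1 while the symbolic link has become dangling.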