Библиотека сайта rus-linux.net
Linux System Administrator's Survival Guide lsg17.htm
System Names and Access Permissions
Instead of referring to your Linux system as "it" or "that thing," you can give it a name that it recognizes to some extent. This name is especially important when you deal with e-mail or networks where others must have some method of identifying your machine from all the others on the network. This chapter starts by looking at how to give your machine a name and what rules you must follow to ensure other machines can work with your newly named machine.
The rest of this chapter looks at access permissions, a confusing subject for many system administrators. The permission block is often completely misunderstood, and the permissions attached to files and directories are often set incorrectly, preventing access to users who need it or worse, allowing wide-open access to sensitive information. After explaining how permissions work, this chapter explains how to change and set permissions and ownerships.
Setting a System Name
Because Linux is designed with networking in mind, it enables you to identify each machine with a unique name. You can name your system anything you want. In some cases, the setup or installation script that installed Linux for you may have asked you for a system name. You can keep the name you entered then or enter a new one.
The name that identifies your Linux system is called a hostname. This name, as mentioned, facilitates networking and associated services like e-mail. It also lets you give your system a bit of a personality. You can display the current Linux system hostname with the hostname command:
$ hostname artemis
This code shows that the system's hostname is artemis. If you have no system hostname defined, Linux defaults to either no name or a system default name. The name information is read from the Linux system startup files.
If your system isn't networked, you can call your system anything you like, but remember that you have to live with it! To set your system name, run the hostname command with the -S option as shown in this example:
hostname -S superduck
This sample code sets your system hostname to superduck. This name is tagged onto all your e-mail and some system utilities when generating output. Some versions of Linux limit the hostname to a number of characters (usually 14 characters), but try any name you want. If Linux doesn't allow it, you should get an error message or see a truncated version of the name.
Creating Network System Names
If you are running on a network, the hostname is important. On a network, each machine must have a unique name, or the network can't identify which of the duplicate names the network information is for. If you are creating a local area network that is not connected to the Internet or has no formal network name, you can pick any network name you want. Your machine name and network name combined form the full machine name. For example, the command
hostname -S superduck.quackers
is composed of a machine name of superduck and a network name of quackers. As long as all the other machines on the network have the same network name, your machines can communicate properly. Your machine is uniquely identified by the combination of machine and network name.
If your system can access the Internet, your network probably has been assigned a network name by the Internet Network Information Center (NIC), which assigns network names, called domains, in accordance with strict naming conventions. Each domain has a unique name portion and an extension that identifies the type of organization to which the network belongs. For example, the company Quacks-R-Us may have a domain name quacks.com. The seven different extensions in use are as follows:
|.arpa||A governmental network identifier|
|.net||An Internet-administered (usually) network|
|.org||Anything that isn't in one of the other categories|
These identifiers are usually used only for networks based in the U.S. Other countries have unique identifiers based on the country's name. For example, if Quacks-R-Us were based in the United Kingdom, the domain name could be quacks.uk. Each country has a two-letter designation that identifies it to the Internet. (Some companies have a U.S.-style extension even though they are outside U.S. borders. These companies usually have been registered by a U.S. company or have been on the Internet a long time.)
The combination of domain name and extension, as assigned by the NIC, is unique to each network. When combined with a hostname on the network, the result is a unique name for your machine. For example, if your local network has the domain name of quack.com and you want to name your machine superduck, you set the name of your machine with this command, which combines the machine and network names:
hostname -S superduck.quack.com
The chapters in Part IV, "Networking," discuss machine names and network names in more detail. You may also want to check with a good TCP/IP book for more information. The author's Teach Yourself TCP/IP in 14 Days from Sams is a good place to start.
Storing the Hostname
Linux stores the hostname in the file /etc/hosts. If you have just installed Linux and haven't configured a machine name, the /etc/hosts file contains a bunch of comment lines and one line of code:
<NOTE>Some Linux versions store the hostname in the /etc/rc or /etc/rc.local files or in the directory /etc/rc.d, although this convention is absent from most versions of Linux.<NOTE>
The /etc/hosts file consists of two columns, one for the IP address and the second for machine names. The four numbers (written in a format called dotted-quad as there are four groups of numbers with periods between them) are the IP address. IP stands for Internet Protocol and is an essential component of the TCP/IP network protocols used on the Internet and most local area networks involving UNIX. The IP address for machines connected to the Internet is assigned by the Network Information Center, just as the domain name is. (The IP address and domain name also are mapped to each other so the network can use numbers instead of names, a much more efficient system.) If you are not connected to the Internet, your IP address can be anything as long as each set of numbers is in the range 0 to 255.
The IP address is composed of the network identifier and the machine identifier. The four parts of the IP address are split over these two identifiers in special ways. If you are connecting to an existing TCP/IP network, your network administrator will give you the IP address you should use. The IP address 127.0.0.1 is a special address known as the loopback address. This address lets TCP/IP on your machine form a connection to itself. Every machine has a loopback driver, which is identified by the entry 127.0.0.1 in the /etc/hosts file and the name localhost.
If you have identified your machine by a hostname already, that name is in the /etc/hosts file. For example, the stand-alone machine called superduck from earlier in this section is given on the same line as the localhost entry:
127.0.0.1 superduck localhost
This line tells the system that the localhost is called superduck and to use that name as the system identifier.
This naming process gets a little more complicated when you are on a network, as each machine on the network has an IP address that is unique. If your network is not connected to the Internet, you can make up any IP address for your network. If you are on the Internet, your network IP address is assigned, and the network administrator can give you your machine's IP address or you can choose an unused address.
Suppose you are connecting to the Internet and your IP address is 188.8.131.52 and your domain name is quacks.com. Your /etc/hosts file looks like the following:
127.0.0.1 localhost 184.108.40.206 superduck.quacks.com
The name superduck may appear on the localhost line as well, although it doesn't have to. The /etc/hosts file may have other lines when you are connected to a large network that you move around in frequently. At least these two lines should appear when you are connected to a network, though.
Using File and Directory Permissions
Linux handles access to all files and directories on the filesystem through the permission block. The permission block is part of the i-node table's entries for each file and directory. You can display the permission block for a file or directory by doing a long directory listing.
The first column of the long directory listing is the permission block. It is always composed of 10 characters. Each file and directory, regardless of its type, on a Linux system has a permission block associated with it. The permission block is made up of two different types of information. The first character is a file type indicator, and the next nine characters are the access permissions themselves. The following sections look at these two types of information in a little more detail.
Understanding File Types
Linux uses the first character in the permission block to indicate the type of entry the i-node table contains. Because Linux doesn't differentiate between files and directories in the i-node table, this character is the only way for the operating system to know whether the entry refers to a regular file or a directory. Directories are not physical entities on a Linux system; they are instead an organizational scheme used to make the user's life easier. The i-node table entries for a file and directory look very similar.
Linux supports a number of valid file types, each of which has a single character value that is used in the first character of the permission block. The most common file type characters that Linux uses are the following:
|b||block mode device|
|c||character mode device|
Some versions of Linux and UNIX support other file types(such as s for special), but these types are seldom encountered and are of no real interest as far as permissions are concerned.
Most files on the Linux system are ordinary files. An ordinary file can be data, an application, a text file, or any file that contains information (whether directly readable by the user or not). The ordinary files are indicated by a hyphen in the file type block. Any file users create is an ordinary file.
Chapter 6, "Devices and Device Drivers," looked at the difference between block and character mode devices, which are indicated by a b or c file type. These files are composed of instructions that let Linux talk to peripherals. Most device file types are stored in the directory /dev by convention, although they can exist anywhere in the filesystem. When Linux encounters a file with either of these two file types, it knows how to read the file for input and output control.
The directory file type indicates that the entry in the i-node table refers to a directory and not a file. All directories on the system are really empty files as far as Linux is concerned, but they can be logically assembled into the usual directory structure based on the i-node table entries.
Links are sometimes identified in the file type character as an l, although not all operating system versions support this character. If your version of Linux doesn't use the l file type to indicate a link, you will have to rely on the second column of output from a long directory listing that shows the number of links the entry has.
Understanding Access Permissions
All UNIX systems (including Linux) control access to files and directories using permissions that are read from the permission block. Access to a file or directory can be one of three possible values. These values are given by a single character as shown in the following list:
If you have read access to a file, you can display the contents of the file (using any utility like cat or more) or read the file into an application (such as a word processor or a database). If you have write permission to a file, you can modify the contents and save the changes over the old file. If you have execute permission, you can execute the file, assuming it is a binary file or shell script. If the file is ASCII and you execute it, nothing much will happen except a few error messages.
These three permission values are combined into a three-character block in the order given above (in other words, rwx for read, write, and execute). If a permission is not accessible, a hyphen is used in that permission's place to show that it is absent. In other words, the permission block r-x indicates that the file has read and execute permission, but not write permission. Similarly, the permission block --- indicates that the file has no access permissions and cannot be read, written to, or executed.
These permissions are used for directories, too, although their meanings are slightly different. Read permission for a directory means you can display the contents of the directory listing (using ls, for example). Write permission for a directory means you can add files to the directory. Execute permission means you can change into that directory (using cd). The permission block r-x on a directory, for example, means you can display the directory's contents and change into that directory, but you can't add a new file to the directory.
These three permissions are set for each of three different levels of access. There is a permission block for the owner of the file (called the user), another for anyone in the owner's group (called the group), and another for everyone else on the system (called other or world). The three-character blocks for read-write-execute permission are combined for the three groups (user, group, and other) to produce the nine-character permission block you see in the long directory listing.
means that the user (owner of the file) has read and write permission, the group (second block of three characters) has read permission only, and everyone else on the system (other) has only read permission also. In the following example, the permission block
means that the owner can read, write, and execute the file. Anyone in the same group as the owner can read and execute the file. Finally, anyone else on the system can read the file but can't make changes or execute it.
The same approach applies for directories. For example, if a directory has the following permission block
the owner of the directory can change into the directory, add files, and display the contents of the directory. Everyone else on the system (in the owner's group and everyone else) can display the contents of the directory (with an ls command, for example) and change into the directory (using cd), but they can't add files to the directory.
Using Default Permissions
When you save a file or create a new directory, it is assigned a default set of permissions. These permissions are set for each user according their file creation mask, called the umask (user's permission mask) by UNIX. Every user on the system has a umask setting, either one that's set for them in their startup files (.profile, .cshrc, and so on) or the system's default umask setting.
You can display the current value of your umask setting by entering the umask command at any shell prompt:
$ umask 022
The three-number block returned by the umask command is the current umask setting. (Some systems return a four-number block, the first number of which is always zero. In this case, only the last three numbers are of any importance for the umask.) The three numbers are octal representations of the read-write-execute permissions you see in a file's permission block. The numbers have the following meaning:
|0||read and write (and execute for directories)|
|1||read and write (not execute for directories)|
|2||read (and execute for directories)|
|4||write (and execute for directories)|
Using this list, you can see that the umask setting of 022 means that the user has read and write permission for his own files (0), the group has read permission (the first 2), and everyone else on the system has read permission(the second 2). Whenever a user creates a file with this umask setting, the permission block will look like the following:
As mentioned earlier, Linux uses a system default umask setting when a user logs in unless the user's setting is explicitly changed, either on the command line or in one of the startup files. If you want to change the umask value, use the umask command with the three-digit permission setting you want. For example, the command
sets the permissions to give the owner read and write permission and to withold permissions from everyone else on the system. This umask value can be very useful for restricting access to files.
If you want to temporarily change your umask setting, enter the umask command and the new setting at the shell prompt. The new values will be in effect until you change them again. If you want to permanently change your umask setting, add a line like the preceding one to your shell's startup file (.profile, .cshrc, and so on).
You may want to change the permissions attached to a file or directory. You change permissions with the chmod command, which can operate in either symbolic or absolute mode. Symbolic mode is the easiest mode to learn and use, but absolute mode offers better control.
Using chmod in symbolic mode requires that you follow a strict syntax. Once you understand that syntax, the command is easy to use. Symbolic mode lets you instantly understand the changes that you are making to permissions. The general syntax of the chmod in symbolic mode is
chmod who-change-perms files
where who indicates who you want the changes to apply to. Valid values are u for user, g for group, and o for other, in any combination and order. The change indicates whether you want to take away permissions (-), add them (+), or explicitly set them (=). You can use only one symbol in each chmod command. The perms indicate whether you want to change read (r), write (w), or execute (x) permission. These three components (who, change, and perms) of the command are run together without a space. A few examples may help make this concept a little clearer. The command
chmod u+rwx bigfile
alters the permissions on bigfile to add read, write, and execute for the user. If any of these three permissions already existed on bigfile, they are left alone, but they are added if they didn't exist before the command. The permissions for the group and other users are not affected, as this command deals specifically with the user's permissions. On the other hand, the command
chmod go-x bigfile
takes away execute permission for the group and other, without changing the group's and other's read or write permissions (they stay the way they were) or the user's permissions (as a u was not included in the command). You can use wildcards in the chmod command, as well, so the command
chmod uo+w chapter*
adds write permission for the user and other for any file starting with chapter.
If you don't specify whether the command applies to user, group, or other, all three are affected, so the command
changes the permissions for user, group, and other to read, write, and execute.
You also can use the symbolic mode of chmod to set permissions explicitly. As you have seen, if you do not specify a parameter on the command line, it is not changed. In other words, if you issue the command
chmod u+r bigfile
only the read permission for the user is changed, and the write and execute permissions are left as they were.
You can do the same sort of command to set permissions for directories, remembering what they mean in the context of changing into, adding to, and listing directories. For example, the command
chmod go+rx mydir
allows users in group and other to list mydir's contents and change into mydir, but they cannot add files to this directory.
Sometimes you want to explicitly set the permissions to some value, for which you can use the equal sign. For example, the command
chmod u=rx bigfile
turns on read and execute permission for the user, but turns off write permission (whether it was on or off before the command, it will be off after). However, the group and other permission blocks are left unaffected. If you want to make changes to all three blocks (user, group, and other) at the same time, you must use chmod's absolute mode.
The chmod command's absolute mode uses numbers to specify permissions. There are three numbers, one for the user, one for the group, and one for the other permissions. All three must be specified on the command line. Each number is the sum of values that represent read, write, and execute permissions. The following list shows the values:
You can see that the numbers are in three columns. From left to right, they represent user, group, and other permissions. To use these numbers, add together the values of one (execute), two (write), and four (read) to form the combination you need. For example, if you want to set read and execute permissions, the number you specify is five. Setting all the permissions gives you seven, and a value of zero signifies no permissions. You then use these numbers on the chmod command line. For example, the command
chmod 644 bigfile
sets user permissions to read and write (six), group permissions to read (four), and other permissions to read (four). Permissions that aren't set are replaced with blanks, resulting in following file permission block:
You may recognize this block as the default permission block for users with a umask of 022. This example points out the fact that the umask and chmod absolute numbering schemes are not the same.
Absolute mode is useful for setting the entire permission block in one shot. Although the addition process may seem awkward at first, it becomes quite easy after a while. A couple of settings are used frequently. The 644 setting shown previously produces the usual permissions for files, and the command
chmod 755 mydir
sets mydir to allow only the owner to add files and let everyone list the contents and change into the directory. You can use wildcards with this mode of chmod to make blanket changes.
Which mode of chmod you use at any time depends on the type of permission change you want to make. If you just want to change a single permission (such as adding execute permission for yourself or read-write permission for the group), the symbolic format is easy. For setting complete permission block details, the absolute mode is fastest.
Changing the Owner and Group
Every file and directory on a Linux system has an owner and a group, both of which can be seen in the long directory listing. The owner of the file is usually the username of the person who created the file, and the group of the file is the group the person was in when the file was created. You may want to change the owner and group when sharing files or moving them to another user. To do this, use the chown and chgrp commands.
To change the owner of a file or directory, use the chown command with the name of the new owner. For example, the command
chown bill datafile
changes the owner of datafile to bill. When the command is issued, it checks to make sure that the specified owner is valid (by searching /etc/passwd) and that you own the file. Only the file owner or the superuser can change file ownerships. You can use wildcards to change many files or directories at once. For example, the command
chown yvonne chapter*
changes the owner of all files starting with chapter to yvonne.
To change the group owner of a file or directory, use the chgrp command (not to be confused with newgrp, which changes your current group). For example, the command
chgrp accounts bigfile
changes the group to accounts. Again, Linux checks that the group name exists in /etc/group and that the person changing the group is in the group that currently owns the file. As with chown, you can use wildcards to change many files and directories at once.
If you know the UID or GID of the user or group, you can use it on the command line instead of the name. Linux searches the /etc/passwd and /etc/group files to make sure the UID or GID is valid, and you must have permission to change the owner for this procedure to work.
<NOTE>Use caution when changing ownerships. It's easy to change an owner or a group, and then realize you have locked yourself out of the file!<NOTE>
This chapter explained how to give your system a name and assign access permissions. Naming a system is very important when you are connected to a network, but it is more of a personality issue when you are running a stand-alone system. Still, it is nice to refer to your machine as more than thing or the default darkstar name.
File permissions are one of the most misunderstood and misused concepts of UNIX, yet they are surprisingly easy to manage. Using the commands explained in this chapter should make it easy for you to alter file permissions and ownership to suit your needs.