Library of the rus-linux.net site
7. Sharing Files
Groups, file ownership, and access permissions are Linux features that enable users to share files with one another. But even if you don't plan on sharing files with other users on your system, familiarity with these concepts will help you understand how file access and security work in Linux.
7.1 Groups and How to Work in Them: How users can work together in groups.
7.2 File Ownership: Who owns a file?
7.3 Controlling Access to Files: Who has permission to access a file?
7.1 Groups and How to Work in Them
A group is a set of users, created to share files and to facilitate collaboration. Each member of a group can work with the group's files and make new files that belong to the group. The system administrator can add new groups and give users membership to the different groups, according to the users' organizational needs. For example, a system used by the crew of a ship might have groups such as galley, deck, bridge, and crew; the user captain might be a member of all the groups, but user steward might be a member of only the galley and crew groups.
On a Linux system, you're always a member of at least one group: your login group. You are the only member of this group, and its group name is the same as your username.
Let's look at how to manage your group memberships.
7.1.1 Listing the Groups a User Belongs To: Listing the groups a user is a member of.
7.1.2 Listing the Members of a Group: Listing the members of a group.
7.1.1 Listing the Groups a User Belongs To
To list a user's group memberships, use the groups tool. Give a username as an argument, and groups outputs a line containing that username followed by all of the groups the user is a member of. With no arguments, groups lists your own username and group memberships.
- To list your group memberships, type:

    $ groups RET
    steward galley crew
    $

In this example, three groups are output: steward (the user's login group), galley, and crew.
- To list the group memberships of user blackbeard, type:

    $ groups blackbeard RET
    blackbeard : blackbeard
    $

In this example, the command outputs the given username, blackbeard, followed by the name of one group, blackbeard, indicating that user blackbeard belongs to only one group: his login group.
7.1.2 Listing the Members of a Group
Debian: `members'
To list the members of a particular group, use the members tool, giving the name of the particular group as an argument.
- To output a list of the members of the galley group, type:

    $ members galley RET
    captain steward pete
    $

In this example, three usernames are output, indicating that these three users are the members of the galley group.
7.2 File Ownership
Every file belongs to both a user and a group--usually to the user who created it and to the group the user was working in at the time (which is almost always the user's login group). File ownership determines the type of access users have to particular files (see section Controlling Access to Files).
7.2.1 Determining the Ownership of a File: Who owns a file?
7.2.2 Changing the Ownership of a File: Changing file ownership.
7.2.1 Determining the Ownership of a File
To find out which user and group own a particular file, use ls with the `-l' option to list the file's attributes (see section Listing File Attributes). The name of the user who owns the file appears in the third column of the output, and the name of the group that owns the file appears in the fourth column.
For example, suppose the verbose listing for a file called `cruise' looks like this:

    -rwxrw-r-- 1 captain crew 8,420 Jan 12 21:42 cruise

The user who owns this file is captain, and the group that owns it is crew.
NOTE: When you create a file, it normally belongs to you and to your login group, but you can change its ownership, as described in the next recipe. You normally own all of the files in your home directory.
7.2.2 Changing the Ownership of a File
You can't give away a file to another user, but other users can make copies of a file that belongs to you, provided they have read permission for that file (see section Controlling Access to Files). When you make a copy of another user's file, you own the copy.
You can also change the group ownership of any file you own. To do this, use chgrp; it takes as arguments the name of the group to transfer ownership to and the names of the files to work on. You must be a member of the group you want to give ownership to.
- To change the group ownership of file `cruise' to bridge, type:

    $ chgrp bridge cruise RET

This command transfers group ownership of `cruise' to bridge; the file's group access permissions (see section Controlling Access to Files) now apply to the members of the bridge group.
Use the `-R' option to recursively change the group ownership of directories and all of their contents.
- To give group ownership of the `maps' directory and all the files it contains to the bridge group, type:

    $ chgrp -R bridge maps RET
7.3 Controlling Access to Files
Each file has permissions that specify what type of access to the file users have. There are three kinds of permissions: read, write, and execute. You need read permission for a file to read its contents, write permission to write changes to or remove it, and execute permission to run it as a program.
Normally, users have write permission only for files in their own home directories. Only the superuser has write permission for the files in important directories, such as `/bin' and `/etc'--so as a regular user, you never have to worry about accidentally writing to or removing an important system file.
Permissions work differently for directories than for other kinds of files. Read permission for a directory means that you can see the files in the directory; write permission lets you create, move, or remove files in the directory; and execute permission lets you use the directory name in a path (see section Files and Directories).
If you have read permission but not execute permission for a directory, you can only read the names of files in that directory--you can't read their other attributes, examine their contents, write to them, or execute them. With execute but not read permission for a directory, you can read, write to, or execute any file in the directory, provided that you know its name and that you have the appropriate permissions for that file.
Each file has separate permissions for three categories of users: the user who owns the file, all other members of the group that owns the file, and all other users on the system. If you are a member of the group that owns a file, the file's group permissions apply to you (unless you are the owner of the file, in which case the user permissions apply to you).
When you create a new file, it has a default set of permissions--usually read and write for the user, and read for the group and all other users. (On some systems, the default permissions are read and write for both the user and group, and read for all other users.)
The file access permissions for a file are collectively called its access mode. The following sections describe how to list and change file access modes, including how to set the most commonly used access modes.
NOTE: The superuser, root, can always access any file on the system, regardless of its access permissions.
See Info file `fileutils.info', node `File permissions', for more information on file permissions and access modes.
7.3.1 Listing the Permissions of a File: Listing the permissions a file has.
7.3.2 Changing the Permissions of a File: Changing the permissions on a file.
7.3.3 Write-Protecting a File: Write-protecting a file.
7.3.4 Making a File Private: Making a file for private use.
7.3.5 Making a File Public: Making a file for public use.
7.3.6 Making a File Executable: Making a file executable.
7.3.1 Listing the Permissions of a File
To list a file's access permissions, use ls with the `-l' option (see section Listing File Attributes). File access permissions appear in the first column of the output, after the character for file type.
For example, consider the verbose listing of the file `cruise':

    -rwxrw-r-- 1 captain crew 8,420 Jan 12 21:42 cruise

The first character (`-') is the file type; the next three characters (`rwx') specify permissions for the user who owns the file; and the next three (`rw-') specify permissions for all members of the group that owns the file except for the user who owns it. The last three characters in the column (`r--') specify permissions for all other users on the system.
All three permissions sections have the same format, indicating from left to right, read, write, and execute permission with `r', `w', and `x' characters. A hyphen (`-') in place of one of these letters indicates that permission is not given.
In this example, the listing indicates that the user who owns the file, captain, has read, write, and execute permission, and the group that owns the file, crew, has read and write permission. All other users on the system have only read permission.
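The rule for which of the three permission sections applies to a given user can be written out as a short shell function. This is an added example, not part of the original text: effective_perms is a hypothetical helper name, the listing and group memberships are the sample ones used on this page, and the superuser is left out because root is not bound by the access mode.

```shell
# Added example, not part of the original text. effective_perms is a
# hypothetical helper name; the listing and users are the page's samples.
# The superuser is not modelled: root is not bound by the access mode.

effective_perms() {
    # usage: effective_perms LISTING USER "GROUP1 GROUP2 ..."
    # LISTING is one line of `ls -l` output. Prints the three-character
    # permissions section that applies to USER.
    line=$1 user=$2 groups=$3
    set -f              # do not expand wildcards while splitting
    set -- $line        # fields: mode, links, owner, group, ...
    set +f
    mode=$1 owner=$3 group=$4

    if [ "$user" = "$owner" ]; then
        # The owner gets the user section even when also in the group.
        printf '%s\n' "$mode" | cut -c2-4
        return
    fi
    case " $groups " in
        *" $group "*) printf '%s\n' "$mode" | cut -c5-7 ;;   # group member
        *)            printf '%s\n' "$mode" | cut -c8-10 ;;  # everyone else
    esac
}

listing='-rwxrw-r-- 1 captain crew 8,420 Jan 12 21:42 cruise'
for entry in 'captain:captain galley deck bridge crew' \
             'steward:steward galley crew' \
             'blackbeard:blackbeard'; do
    name=${entry%%:*}
    printf '%-10s %s\n' "$name" \
        "$(effective_perms "$listing" "$name" "${entry#*:}")"
done
```

Because the owner check comes first, a file whose user section is more restrictive than its group section gives its owner the more restrictive set.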
7.3.2 Changing the Permissions of a File
To change the access mode of any file you own, use the chmod ("change mode") tool. It takes two arguments: an operation, which specifies the permissions to grant or revoke for certain users, and the names of the files to work on.
To build an operation, first specify the category or categories of users as a combination of the following characters:
CHARACTER | CATEGORY
u | The user who owns the file.
g | All other members of the file's group.
o | All other users on the system.
a | All users on the system; this is the same as `ugo'.
Follow this with the operator denoting the action to take:
OPERATOR | ACTION
+ | Add permissions to the user's existing permissions.
- | Remove permissions from the user's existing permissions.
= | Make these the only permissions the user has for this file.
Finally, specify the permissions themselves:
CHARACTER | PERMISSION
r | Set read permission.
w | Set write permission.
x | Set execute permission.
For example, use `u+w' to add write permission to the existing permissions for the user who owns the file, and use `a+rw' to add both read and write permissions to the existing permissions of all users. (You could also use `ugo+rw' instead of `a+rw'.)
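To see what an operation does to an access mode, apply it to a scratch file and look at the result in the same form that ls -l shows. This is an added example, not part of the original text: mode_after is a hypothetical helper name, the starting mode 764 corresponds to the `-rwxrw-r--' listing of `cruise', and `stat -c' is assumed to be the GNU coreutils version.

```shell
# Added example, not part of the original text. mode_after is a
# hypothetical helper name; stat -c '%A' is the GNU coreutils form.

mode_after() {
    # usage: mode_after START_MODE OPERATION...
    # Creates a scratch file, sets it to START_MODE (octal), applies each
    # chmod operation in order, and prints the resulting mode string.
    start=$1; shift
    scratch=$(mktemp) || return 1
    chmod "$start" "$scratch"
    for operation in "$@"; do
        chmod "$operation" "$scratch" || { rm -f "$scratch"; return 1; }
    done
    stat -c '%A' "$scratch"
    rm -f "$scratch"
}

# Start from the mode of `cruise' (-rwxrw-r--, octal 764) each time.
echo "start  $(mode_after 764)"
for demo_op in u+w go-w g=r go= a+rw; do
    printf '%-6s %s\n' "$demo_op" "$(mode_after 764 "$demo_op")"
done

# Operations are applied left to right when several are given.
printf '%-6s %s\n' "both" "$(mode_after 600 a+rw u+x)"
```

Note the difference between `go-w' and `go=': the first removes only write permission and leaves read permission in place, while the second leaves the group and other users with no permissions at all.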
7.3.3 Write-Protecting a File
If you revoke users' write permissions for a file, they can no longer write to or remove the file. This effectively "write-protects" a file, preventing accidental changes to it. A write-protected file is sometimes called a "read only" file.
To write-protect a file so that no users other than yourself can write to it, use chmod with `go-w' as the operation.
- To write-protect the file `cruise' so that no other users can change it, type:

    $ chmod go-w cruise RET
7.3.4 Making a File Private
To make a file private from all other users on the system, use chmod with `go=' as the operation. This revokes all group and other access permissions.
- To make the file `cruise' private from all users but yourself, type:

    $ chmod go= cruise RET
7.3.5 Making a File Public
To allow anyone with an account on the system to read and make changes to a file, use chmod with `a+rw' as the operation. This grants read and write permission to all users, making the file "public." When a file has read permission set for all users, it is called world readable, and when a file has write permission set for all users, it is called world writable.
- To make the file `cruise' both world readable and world writable, type:

    $ chmod a+rw cruise RET
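Since a world writable file can be changed by anyone with an account on the system, it is worth checking now and then which of your files are in that state. This is an added example, not part of the original text: world_writable and revoke_world_write are hypothetical helper names, and the directory tree is constructed for the demonstration.

```shell
# Added example, not part of the original text. world_writable and
# revoke_world_write are hypothetical helper names.

world_writable() {
    # usage: world_writable DIR
    # Prints every regular file under DIR whose write bit for "all other
    # users" is set (octal 0002), one path per line, sorted.
    find "$1" -type f -perm -0002 -print | sort
}

revoke_world_write() {
    # usage: revoke_world_write DIR
    # Removes write permission for other users from those files only,
    # leaving the user and group permissions as they were.
    find "$1" -type f -perm -0002 -exec chmod o-w {} +
}

# Constructed sample tree: one public file, two that are not.
demo=$(mktemp -d)
: > "$demo/cruise";   chmod 666 "$demo/cruise"     # as left by chmod a+rw
: > "$demo/manifest"; chmod 644 "$demo/manifest"
: > "$demo/roster";   chmod 660 "$demo/roster"

echo "world writable before:"
world_writable "$demo"

revoke_world_write "$demo"

echo "world writable after:"
world_writable "$demo"
ls -l "$demo"
rm -rf "$demo"
```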
7.3.6 Making a File Executable
An executable file is a file that you can run as a program. To change the permissions of a file so that all users can run it as a program, use chmod with `a+x' as the operation.
- To give execute permission to all users for the file `myscript', type:

    $ chmod a+x myscript RET
NOTE: Often, shell scripts that you obtain or write yourself do not have execute permission set, and you'll have to do this yourself.