The permission mask is used to determine what access, if any, each level or class of user has to each file on a Unix system. The permission mask is one of the data elements stored in the inode table entry for the file.
Every file has protection or permission attributes for three classifications or levels of system user, i.e. user, group and other, as the annotated ls -l listing below shows:

      User  Group Other
      <->   <->   <->
    - rwx   r-x   r-x   1 bin 114688 Jun 23 1987 /bin/csh
The permission mask is divided into three areas, also called levels of permission. The left-most group of three permissions are those that apply to the user, or individual, who owns the file. (We refer to this individual as the "user" rather than the "owner" because the third field, "other", starts with the letter "o", and we don't want to get confused.)
In this case, ownership is determined by the user identification number assigned when the file is created. Don't worry about the user identification number at this point; we'll look closely at it when we look at how your user record is created and stored. This number is the UID or "User Identification Number", the third field in /etc/passwd.
The second three permissions are those assigned to all the individuals who share the same group identification number as the user. This is the fourth field in /etc/passwd.
The third set of three permissions are those assigned to the "other" users. Anyone who has a valid login ID on the system but is neither the user of the file nor a member of the user's group is considered "other". In other words, the nine-bit permission mask is divided into three three-bit permission sub-masks: one for the user, one for the group, and one for everyone else ("other").
Each permission sub-mask, or level of permission, is divided into three individual permissions. The left-most permission, r, allows the file to be read; the center permission, w, allows the file to be written; and the right-most permission in each level, x, allows the file to be executed.
The write and execute permissions have slightly different meanings depending on whether the file is a regular file or a directory. For a regular file, writing simply means that the contents of the file can be modified. Executing a regular file means that the command line interpreter will attempt to run the text contained within the file as if it were instructions.
For a directory, writing means that the contents of the directory can be changed: files added or deleted. Execute permission on a directory allows the use of file-matching metacharacters to search within the directory. If you think about it, writing is actually the same for a directory or a regular file, because both are simply ASCII files.
The figure below shows the permission mask, with the bit positions numbered 8 (left) to 0 (right):

     8 7 6 5 4 3 2 1 0
    |-------|-------|-------|
    | USER  | GROUP | OTHER |
    | r w x | r w x | r w x |
    |-------|-------|-------|
The owner of a file may change the permission bits using an octal representation of the required permissions. If you choose this method, remember that you must specify the whole permission mask (all nine bits), not just one individual permission.
You will need to use the octal representation for each of the three levels of permission. That means the permission mask you specify will be three octal digits, in the order user, group, other.
Since each octal digit is represented by three bits, each bit can stand for one permission: the left bit (value 4) is read, the middle bit (value 2) is write, and the right bit (value 1) is execute. A three-bit number has the following positional values:
|Octal||Binary||Permissions|
|0||000||none|
|1||001||execute|
|2||010||write|
|3||011||write + execute|
|4||100||read|
|5||101||read + execute|
|6||110||read + write|
|7||111||read + write + execute|
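The mapping in the table above is easy to get wrong by hand, so here is a small POSIX shell script, added as an example and not part of the original page, that computes the nine-character field ls prints from a three-digit octal mask, converts the other way, and then confirms on a scratch file (created here with mktemp; the file name and the masks tried are constructed for the demo) that chmod with the octal mask produces exactly that field.

```shell
#!/bin/sh
# Added example (not from the original page): derive the nine-character
# rwx field that "ls -l" prints from a three-digit octal mask, convert the
# other way, and confirm on a scratch file (constructed here with mktemp)
# that chmod with the octal mask produces exactly that field.

# Print LETTER if bit MASK is set in the octal digit VALUE, otherwise "-".
bit() {
    if [ $(( $1 & $2 )) -ne 0 ]; then printf '%s' "$3"; else printf '%s' '-'; fi
}

# One octal digit (0-7) -> its three-character field: 4=r, 2=w, 1=x.
digit_to_rwx() {
    bit "$1" 4 r; bit "$1" 2 w; bit "$1" 1 x
}

# Three octal digits, e.g. 710 -> rwx--x--- (user, group, other in that order).
octal_to_rwx() {
    m=$1
    case "$m" in
        [0-7][0-7][0-7]) ;;
        *) echo "octal_to_rwx: need exactly three octal digits, got '$m'" >&2; return 1 ;;
    esac
    u=${m%??}           # first digit (user)
    o=${m#??}           # last digit (other)
    g=${m#?}; g=${g%?}  # middle digit (group)
    printf '%s%s%s\n' "$(digit_to_rwx "$u")" "$(digit_to_rwx "$g")" "$(digit_to_rwx "$o")"
}

# The reverse: a nine-character field such as rwxr-x--- -> 750.
rwx_to_octal() {
    s=$1
    case "$s" in
        [r-][w-][x-][r-][w-][x-][r-][w-][x-]) ;;
        *) echo "rwx_to_octal: malformed field '$s'" >&2; return 1 ;;
    esac
    out=""
    for range in 1-3 4-6 7-9; do
        f=$(printf '%s' "$s" | cut -c"$range")
        v=0
        case "$f" in r??) v=$((v + 4)) ;; esac
        case "$f" in ?w?) v=$((v + 2)) ;; esac
        case "$f" in ??x) v=$((v + 1)) ;; esac
        out="$out$v"
    done
    echo "$out"
}

# Apply MASK to FILE with chmod and return the field ls reports for it
# (characters 2-10: the type character and any trailing ACL marker are skipped).
mask_as_shown_by_ls() {
    chmod "$2" "$1" || return 1
    ls -ld "$1" | cut -c2-10
}

# Succeeds only when ls agrees with the computed field.
verify_mask() {
    [ "$(mask_as_shown_by_ls "$1" "$2")" = "$(octal_to_rwx "$2")" ]
}

# Constructed demo: the masks used by ringo in the text, plus two common ones.
scratch=$(mktemp)
for m in 710 740 644 600; do
    printf '%s -> %s  (ls shows %s)\n' "$m" "$(octal_to_rwx "$m")" "$(mask_as_shown_by_ls "$scratch" "$m")"
done
rm -f "$scratch"
```

The setuid, setgid and sticky bits are outside the nine-bit mask discussed on this page, which is why octal_to_rwx accepts exactly three digits and the ls field is cut at character 10.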
The example below shows how the octal values can be used to modify the permission mask on a file. For this example, please note that both ringo and lennon are in the same group.

    ringo % chmod 710 /usr/ringo
    ringo % ls -lg /usr/ringo
    drwx--x---  1 ringo  beatles   512 Nov 24 18:00 /ringo
    ringo % chmod 740 /usr/ringo/help
    ringo % ls -lg /usr/ringo/help
    -rwxr-----  1 ringo  beatles  1511 Nov 24 18:21 /usr/ringo/help
    lennon % cp ~ringo/help .
    lennon %
Refer to the table above to interpret the octal values.
The first command gives full permission to the directory's owner (ringo), execute permission to the group, and no permissions to anyone who is not a member of the owner's group (beatles). Members of the owner's group may access the directory (usually for a known filename) but may not list the files in the owner's directory.
The second command gives full permission to the owner (ringo), allows group members (e.g. lennon) and the owner to read the file, but denies any access to "other".
Alternatively, symbolic notation may be used, e.g. to grant or deny read, write, or execute permission in the user, group and other permission masks.
Usually this method is used to modify only one (1) permission, for one level. For example, giving execute permission to the owner of a file, or removing read permission from the group.
The table below shows the three levels of permission and the three permissions for each level, using the letters chmod accepts in symbolic notation (+ grants and - removes a permission).
|Level||Permissions|
|u - user||r - read, w - write, x - execute|
|g - group||r - read, w - write, x - execute|
|o - other||r - read, w - write, x - execute|

    lennon % chmod o+r john/sgtpepper
    lennon % chmod go-w john/sgtpepper
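The two symbolic commands above change one bit each and leave the rest of the mask alone, whereas an octal argument replaces all nine bits. The POSIX shell script below, added here as an example and not taken from the original page, walks a scratch file (constructed with mktemp, standing in for john/sgtpepper and given a starting mode of 660) through lennon's two commands and then through a symbolic change followed by an octal mask, reporting the ls field after every step so the difference is visible.

```shell
#!/bin/sh
# Added example, not part of the original page: apply the symbolic chmod
# operations from the text to a scratch file and show, via ls, that each
# symbolic change touches only the named bit while an octal mask replaces
# all nine bits at once. The file and its starting mode are constructed.

# Nine-character permission field as ls prints it (drop the type character
# and anything after the mask, such as a "+" ACL marker).
show_mask() {
    ls -ld "$1" | cut -c2-10
}

# Apply one chmod argument (symbolic or octal) to FILE and return the new field.
apply_and_show() {
    chmod "$2" "$1" || return 1
    show_mask "$1"
}

# Walk FILE through a sequence of chmod arguments, logging before/after for
# each step on stderr; the final mask goes to stdout so callers can check it.
walk() {
    f=$1; shift
    for arg in "$@"; do
        before=$(show_mask "$f")
        after=$(apply_and_show "$f" "$arg") || return 1
        printf '%-6s %s -> %s\n' "$arg" "$before" "$after" >&2
    done
    show_mask "$f"
}

# Constructed demo: the stand-in for john/sgtpepper starts out rw-rw---- (660).
sgtpepper=$(mktemp)
chmod 660 "$sgtpepper"
walk "$sgtpepper" o+r go-w   # o+r: rw-rw---- -> rw-rw-r--; go-w: -> rw-r--r--
walk "$sgtpepper" u+x 640    # u+x: -> rwxr--r--; 640 then discards u+x and o+r: rw-r-----
rm -f "$sgtpepper"
```

Because chmod sets the bits explicitly, umask does not affect the results; umask only filters the mode of newly created files.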
Security of file contents (as opposed to access to the file) can be achieved using the Unix crypt command or other encryption tools such as pgp (consult your system documentation: man crypt).