Thursday, 18 September 2008

Permissions

Something we haven't touched on yet is permissions in Ubuntu. The concept of permissions is highly important to how Linux works.
As you may know, Linux is a clone of the Unix operating system. Unix was originally designed to be used on huge systems which might have hundreds or even thousands of users, such as in universities, and it was therefore important to establish who was entitled to do what. The concept of groups therefore came about. By creating groups, and making individual users members of these groups, system administrators could set what users could do quickly and easily.
For example, refer back to the VirtualBox install article a while back and you'll notice that in order to use VirtualBox, a user needs to be a member of a group called "vboxusers". By adding a user name "fred"to this group, this shows that the administrator has given permission for the user fred to use VirtualBox. Now, to a certain extent this is a little redundant on a desktop system that will have only a handful of users, but it illustrates how Unix-like operating systems such as Linux handle files. In Ubuntu, a normal user will belong to a group based on their username, but other Linux distributions may instead have a group called "users".
A user account has limits. Each user has their own directory in the /home folder (so in this example, fred has /home/fred), in which they can save and edit files, but normally they can't save elsewhere. Users can move around, but some files are out of bounds. Some files (normally system files, such as your /etc/apt/sources.list), can be read, but not written to, so you could open it in a text editor, edit it and save a copy in your own home folder, for example, but you couldn't edit and save the original. This is enforced by the use of file permissions.
Each file or directory is owned by a user. For instance, if the user fred rips a CD using Sound Juicer and save it to a directory called Music in his /home directory, he will be the owner of the audio files created. He's therefore free to do as he wishes with these files. If he then logs out and another user, jane, logs in, she is not the owner and what she can do with these files will be subject to the permissions fred has set for these files. He can if he wishes make these files available for other users to edit or delete if they wish, or he can make them read-only. If he prefers not to share these, he can deny anyone else access to the files.
Another thing to note is the Unix philosophy that "everything is a file". This includes folders, so fred can also make entire folders read only, or can deny others access to them completely. So he could make his entire /home directory available for others to access or edit, or keep people from accessing it entirely.
There are three sets of permissions for each file or folder. There is one for the user, one for the specified group, and one for everyone else. To demonstrate this, open your file manager (Nautilus in Ubuntu, Konqueror or Dolphin in Kubuntu and Thunar in Xubuntu). Right-click on a file or folder and select Properties. Select the Permissions tab and you'll see something like this:


You may want to open this image in a separate tab so you can see it better. As you can see, each set of users has a dropdown box for you to set the permissions, and Group has an additional dropdown so you can set the permissions for each group. So far, this may have seemed quite technical, but hopefully this makes it a bit easier to understand!

There's three types of access you can set for a file:
  • You can set out who is allowed to read a file;
  • You can set out who is allowed to write to a file;
  • And you can set who can execute (run) a file
Normally, a file in your /home directory which you own will allow you to read or write to it, but not execute it (this is just another one of the reasons why Linux is regarded as being more secure than Windows, as by default a freshly downloaded file can't be executed straight away). So, if you wanted to run it, you'd have to change the permissions on it. For instance, if you write a shell script to automate a task for you, you'll need to give yourself permission to run it.

One other thing to remember: Opening a folder is executing it, not reading it. So if you want to prevent other people looking in a folder, it should not be executable for others.

To illustrate the permissions on the files in a directory, run the following command:
ls -lh

You should see something like this:
matthew@matthew-laptop2:~/Demonstration$ ls -lh
total 8.0K
drwxr-xr-x 2 matthew matthew 4.0K 2008-09-18 20:31 Example
-rw-r--r-- 1 matthew matthew 13 2008-09-18 20:30 example.txt
matthew@matthew-laptop2:~/Demonstration$
Now, pay attention to the string of characters at the start of each sentence. The d at the start of the Example line indicates this is a directory, while this is a dash for example.txt, showing that this is not a directory.

The next three characters give the permissions for the owner. The r shows this can be read, the w shows this can be written, and the x shows it's executable. As example.txt shows a dash instead of an x, it shows it's not executable, but the r and w show it can still be read or written to.

The next three characters show the permissions for the group specified (more on this a bit later). The format is the same. Then, the final three characters are the permissions for everyone else.

You'll notice there are two names afterwards. The first is the name of the owner, while the second is the owner's group. As stated previously, in Ubuntu each user has their own group. The rest is information about the file.

OK, so we've established what permissions are. Now, how can we change them? You can easily use a file manager to change these, as demonstrated in the screenshot above, but as usual I'm going to point you towards the terminal as the best way to do it.

First, to change permissions, you use the chmod command. In this example, to make the example.txt document available so that everyone can read and write to it, you enter this:
chmod a+rw example.txt

This is quite easy to follow - all users (a) add (+) read (r) and write (w) permissions. Another example:
chmod a-w example.txt

This means all users (a) take away (-) write (w) permission. You can edit permissions for just the user as follows:
chmod u+rw example.txt

Similarly, you can edit it for the group like this:
chmod g+rw example.txt

Or you can edit it for others:
chmod o+rw example.txt

Please note that you can leave out the first character, which means it will default to a (all), as in this example:
chmod +x example.txt

Now, say you've written a shell script called housekeeping to automate a common task for you. To enable this to run, you need to make it executable, like this:
chmod +x housekeeping

OK, so now you should understand how to change permissions for a file or folder. But what about changing the user who owns it? There's an easy way to do this, using the chown (CHange OWNer) command. Please note, this must be run using sudo for security reasons. So if fred wants jane to own his example.mp3 file, he should run the following:
sudo chown jane example.mp3

He can also change the group at the same time:
sudo chown jane.examplegroup example.mp3

Or, he can change the group alone with chgrp (CHange GRouP):
sudo chgrp examplegroup example.mp3

This is a fairly complex concept, so you may want to spend some time getting familiar with the idea of permissions.

No comments: