Users, groups and permissions - page 3

Now we've had a good look at the theory of users, groups and permissions, we can concentrate on applying this to our server.

We'll create files and folders and see what permissions have been applied and how to change them.

Log into your VPS and move into the sandbox directory (if you haven't got a sandbox directory simply create one with 'mkdir sandbox'), create a directory and a file:

cd sandbox
mkdir test
touch test.txt

Let's look at the permissions of the directory and the file:

ls -l

We'll look at each one in turn:

drwxr-xr-x 2 paul paul 4096 2007-05-20 09:14 test/

The directory we created, named 'test', has permissions of 'drwxr-xr-x' which should be getting familiar by now. The 'd' prefix denotes a directory.

We can quickly see that the 'user' has rwx permissions, the 'group' and 'others' have rx permissions.

That's a standard permission set: the user (owner) of the directory can list its contents (r), create and delete files in it (w) and enter it (x). Everyone else can list and enter the directory but cannot change what's in it.

Looking at the rest of the output, we see 'paul paul'. This shows the 'owner' and the 'group'. In this case, 'paul' happens to belong to the group 'paul'. We'll change this later so the directory's owner and group differ.

When we look at the text file we created, it is slightly different:

-rw-r--r-- 1 paul paul    0 2007-05-20 09:14 test.txt

Again, a standard permission set for a file - the owner can read and write to it but it is not automatically an executable file. The group and others can only read it. Giving automatic write or execute permissions to everyone would be a security hazard.

The default ownership of the file is again 'paul paul' (user and group).

The remainder of the output contains dates and names which, although interesting, are not of concern right now.

The two main commands used to change ownership and permissions are:

chown
chmod

Changing Ownership

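'chown' is used to change ownership. Let's try that by changing the folder ownership so that its group becomes 'www-data' (a regular user can only hand a file to a group they are a member of; otherwise run the command with sudo). Then check the permissions: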

chown paul:www-data test
ls -l

The output now gives:

drwxr-xr-x 2 paul www-data 4096 2007-05-20 09:14 test/

The 'chown' command used the same order as the 'ls -l' output, i.e. user:group. When we checked the output, the folder still belonged to the user 'paul' but its group is now 'www-data'.

Changing Permissions

Now change the permissions so that everyone has universal rights to the folder and see if our changes have taken effect:

chmod 777 test
ls -l

The output now gives:

drwxrwxrwx 2 paul www-data 4096 2007-05-20 09:14 test/

That's a little scary! As I said before, it is very rare that you would give permissions to a file or folder in this manner.

Inheriting Ownership

Let's try something by entering the 'test' directory and creating a test file and checking the permissions:

cd test
touch test.txt
ls -l

We see that the default permissions are back:

-rw-r--r-- 1 paul paul 0 2007-05-21 15:11 test.txt

You may think it's odd that the file has ignored the permissions we set on the directory, but it is a good precaution - we wouldn't want to set the same permissions to everything inside a directory just because we changed the directory.

Let's change two things at once now.

First we will add an 'inherit' bit (the setgid bit) to the directory. This means that whatever is created inside the folder will inherit the group from the directory; the owner is still the user who creates the file.

We'll also change the permissions of the folder as we don't want anyone else even entering the folder. We only want the user 'paul' and the webserver group 'www-data' to have full access:

chmod 2770 ~/sandbox/test

The '2' in front of the 770 permissions indicates the inheritance. Let's test it by creating a new file and checking its permissions:

touch test2.txt
ls -l

The output is now:

-rw-r--r-- 1 paul www-data 0 2007-05-21 15:22 test2.txt

Which is exactly what we wanted - the file took its group, 'www-data', from the directory, and its owner is 'paul' because paul created it. The permissions of the file are as expected: '-rw-r--r--'.

Lastly, to change permissions and ownership on all the files in the 'test' directory, we could have added a 'recursive' parameter to the commands:

chown -R paul:www-data ~/sandbox/test
chmod -R 2770 ~/sandbox/test

Try it and then look at the permissions again:

ls -l

The output now shows:

-rwxrws--- 1 paul www-data 0 2007-05-21 15:22 test2.txt
-rwxrws--- 1 paul www-data 0 2007-05-21 15:11 test.txt

At least it's what we expected!
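
An added example (not part of the original article): a shell sketch that flags what 'chmod 777' and 'chmod -R 2770' leave behind, then applies directory and file modes separately so files do not end up executable and setgid. The function names and the throwaway tree are constructed for illustration; it assumes a Linux system whose find supports -perm and whose stat supports -c.

```bash
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical.

# Print world-writable entries and regular files that carry the setgid bit.
audit_tree() {
    find "$1" \( -perm -0002 -o \( -type f -perm -2000 \) \) -print | sort
}

# Directories get 2770 (setgid, no access for others);
# regular files get 0660 (no execute bit, no setgid).
harden_tree() {
    find "$1" -type d -exec chmod 2770 {} +
    find "$1" -type f -exec chmod 0660 {} +
}

# Constructed sample tree mirroring the tutorial's sandbox/test layout.
# Meant to be called as $(make_demo_tree), so the umask stays in the subshell.
make_demo_tree() {
    umask 022                        # gives the article's default rw-r--r-- files
    demo_root=$(mktemp -d) || return 1
    mkdir "$demo_root/test"
    touch "$demo_root/test/test.txt" "$demo_root/test/test2.txt"
    echo "$demo_root"
}

demo() {
    root=$(make_demo_tree) || return 1
    chmod 777 "$root/test"           # the world-writable setting from the article
    echo "after chmod 777:";      audit_tree "$root/test"
    chmod -R 2770 "$root/test"       # the recursive command from the article
    echo "after chmod -R 2770:";  audit_tree "$root/test"
    harden_tree "$root/test"
    echo "after harden_tree:";    audit_tree "$root/test"
    stat -c '%A %n' "$root/test" "$root/test"/*
    rm -rf "$root"
}

demo
```

The audit prints the directory after 'chmod 777', both files after 'chmod -R 2770', and nothing once the directory and file modes have been applied separately.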

Summary

Users, groups and permissions are not only essential concepts to understand, they are also a very large subject matter.

To be truthful, I have only scratched the surface here and there is a great deal more to learn before you should start experimenting with files owned by 'root' and so on.

However, my aim in this mini-series was to give an overview of the concepts behind the subject and to introduce some of the commands available and the consequences of giving those commands.

PickledOnion


Article Comments:

tayknight 12 Jul, 2007

If you add a user to a group, you'll need to have that user log out and back in for the new group's permissions to take effect.

PickledOnion 12 Jul, 2007

Hi tayknight,

You are correct that when you get to the stage of adding users to various groups you need to log out and log in again.

To keep these permissions articles more simple I did not introduce: usermod. If you look at other articles, such as serve a php domain, the concept is introduced more fully.

Thanks, PickledOnion.
