LINUX Permissions Process


8/16/2019 LINUX Permissions Process

System Names and Access Permissions

Instead of referring to your Linux system as "it" or "that thing," you can give it a name that it recognizes to some extent. This name is especially important when you deal with e-mail or networks where others must have some method of identifying your machine from all the others on the network. This chapter starts by looking at how to give your machine a name and what rules you must follow to ensure other machines can work with your newly named machine.

The rest of this chapter looks at access permissions, a confusing subject for many system administrators. The permission block is often completely misunderstood, and the permissions attached to files and directories are often set incorrectly, preventing access to users who need it or, worse, allowing wide-open access to sensitive information. After explaining how permissions work, this chapter explains how to change and set permissions and ownerships.

Setting a System Name

Because Linux is designed with networking in mind, it enables you to identify each machine with a unique name. You can name your system anything you want. In some cases, the setup or installation script that installed Linux for you may have asked you for a system name. You can keep the name you entered then or enter a new one.

The name that identifies your Linux system is called a hostname. This name, as mentioned, facilitates networking and associated services like e-mail. It also lets you give your system a bit of a personality. You can display the current Linux system hostname with the hostname command:

$ hostname
artemis

This code shows that the system's hostname is artemis. If you have no system hostname defined, Linux defaults to either no name or a system default name. The name information is read from the Linux system startup files. If your system isn't networked, you can call your system anything you like, but remember that you have to live with it! To set your system name, run the hostname command with the -S option as shown in this example:

hostname -S superduck

This sample code sets your system hostname to superduck. This name is tagged onto all your e-mail and some system utilities when generating output. Some versions of Linux limit the hostname to a certain number of characters, but try any name you want. If Linux doesn't allow it, you should get an error message or see a truncated version of the name.

Creating Network System Names

If you are running on a network, the hostname is important. On a network, each machine must have a unique name, or the network can't identify which of the duplicate names the network information is for. If you are creating a local area network that is not connected to the Internet or has no formal network name, you can pick any network name you want. Your machine name and network name combined form the full machine name. For example, the command

hostname -S superduck.quackers

is composed of a machine name of superduck and a network name of quackers. As long as all the other machines on the network have the same network name, your machines can communicate properly. Your machine is uniquely identified by the combination of machine and network name.

If your system can access the Internet, your network probably has been assigned a network name by the Internet Network Information Center (NIC), which assigns network names, called domains, in accordance with strict naming conventions. Each domain has a unique name portion and an extension that identifies the type of organization to which the network belongs. For example, the company Quacks-R-Us may have a domain name quacks.com. The seven different extensions in use are as follows:

.arpa A governmental network identifier

.com Commercial company

.edu Educational institution

.gov Governmental body

.mil Military

.net An Internet-administered (usually) network

.org Anything that isn't in one of the other categories

These identifiers are usually used only for networks based in the U.S. Other countries have unique identifiers based on the country's name. For example, if Quacks-R-Us were based in the United Kingdom, the domain name could be quacks.uk. Each country has a two-letter designation that identifies it to the Internet. Some companies have a U.S.-style extension even though they are outside U.S. borders. (These companies usually have been registered by a U.S. company or have been on the Internet a long time.)

The combination of domain name and extension, as assigned by the NIC, is unique to each network.


and you want to name your machine superduck, you set the name of your machine with this command, which combines the machine and network names:

hostname -S superduck.quack.com

The chapters in Part IV, "Networking," discuss machine names and network names in more detail. You may also want to check with a good TCP/IP book for more information. The author's Teach Yourself TCP/IP in 14 Days from Sams is a good place to start.

Storing the Hostname

Linux stores the hostname in the file /etc/hosts. If you have just installed Linux and haven't configured a machine name, the /etc/hosts file contains a bunch of comment lines and one line of code:

127.0.0.1 localhost

Some Linux versions store the hostname in the /etc/rc or /etc/rc.local files or in the directory /etc/rc.d, although this convention is absent from most versions of Linux.

The /etc/hosts file consists of two columns, one for the IP address and the second for machine names. The four numbers written in a format called dotted-quad (as there are four groups of numbers with periods between them) are the IP address. IP stands for Internet Protocol and is an essential component of the TCP/IP network protocols used on the Internet and most local area networks involving UNIX. The IP address for machines connected to the Internet is assigned by the Network Information Center, just as the domain name is. (The IP address and domain name also are mapped to each other so the network can use numbers instead of names, a much more efficient system.) If you are not connected to the Internet, your IP address can be anything as long as each set of numbers is in the range 0 to 255.

The IP address is composed of the network identifier and the machine identifier. The four parts of the IP address are split over these two identifiers in special ways. If you are connecting to an existing TCP/IP network, your network administrator will give you the IP address you should use. The IP address 127.0.0.1 is a special address known as the loopback address. This address lets TCP/IP on your machine form a connection to itself. Every machine has a loopback driver, which is identified by the entry 127.0.0.1 in the /etc/hosts file and the name localhost.

If you have identified your machine by a hostname already, that name is in the /etc/hosts file. For example, the stand-alone machine called superduck from earlier in this section is given on the same line as the localhost entry:

127.0.0.1 superduck localhost

This line tells the system that the localhost is called superduck and to use that name as the system identifier.

This naming process gets a little more complicated when you are on a network, as each machine on the network has an IP address that is unique. If your network is not connected to the Internet, you can make up any IP address for your network. If you are on the Internet, your network IP address is assigned, and the network administrator can give you your machine's IP address or you can choose an unused address.

Suppose you are connecting to the Internet and your IP address is A.@[email protected] and your domain name is quacks.com. Your /etc/hosts file looks like the following:

127.0.0.1 localhost

A.@[email protected] superduck.quacks.com

The name superduck may appear on the localhost line as well, although it doesn't have to. The /etc/hosts file may have other lines when you are connected to a large network that you move around in frequently. At least these two lines should appear when you are connected to a network, though.
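The /etc/hosts layout described above (a dotted-quad address, then one or more names, with the loopback line carrying localhost) lends itself to a quick sanity check: every number must fall in the range 0 to 255 and every entry needs at least one name. The following shell script is an added example, not part of the original chapter. The hosts content it parses is constructed sample data; the 192.0.2.10 address is a documentation address chosen for the example, the 300.1.1.1 line is deliberately invalid, and the function names valid_ipv4, check_hosts and loopback_names are chosen here.

```sh
#!/bin/sh
# Added example: check that each non-comment line of an /etc/hosts-style file
# has a valid dotted-quad address followed by at least one name.
# The data below is constructed sample input, not the chapter's own file; the
# last line is deliberately wrong (300 is outside the 0 to 255 range).
SAMPLE_HOSTS='# constructed sample /etc/hosts
127.0.0.1 superduck localhost
192.0.2.10 superduck.quacks.com superduck
300.1.1.1 badhost'

# Return 0 if $1 is four decimal numbers separated by single periods, each in
# the range 0 to 255; return 1 otherwise.
valid_ipv4() {
    addr=$1
    case $addr in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    rest=$addr.          # trailing period lets the loop peel off every octet
    count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        count=$((count + 1))
        [ "$octet" -le 255 ] || return 1
    done
    [ "$count" -eq 4 ]
}

# Read hosts data on stdin and print one "ok ADDRESS NAMES" or "bad LINE"
# per entry; the return status is 1 if any entry was bad.
check_hosts() {
    status=0
    set -f                          # no pathname expansion while splitting lines
    while IFS= read -r line; do
        case $line in
            ''|\#*) continue ;;     # blank lines and comments are ignored
        esac
        set -- $line                # split on whitespace: address, then names
        addr=$1
        shift
        if [ $# -ge 1 ] && valid_ipv4 "$addr"; then
            echo "ok $addr $*"
        else
            echo "bad $line"
            status=1
        fi
    done
    set +f
    return $status
}

# Print the names given to the loopback address, which the chapter says must
# include localhost (and may also carry the machine's own name).
loopback_names() {
    check_hosts | sed -n 's/^ok 127\.0\.0\.1 //p'
}

# Run it over the constructed sample: the 300.1.1.1 line is reported as bad.
printf '%s\n' "$SAMPLE_HOSTS" | check_hosts || echo "some entries were bad"
printf '%s\n' "$SAMPLE_HOSTS" | loopback_names
```

Feed a real file with `check_hosts < /etc/hosts` to list every entry the parser accepts or rejects. The checker only covers the two-column format the chapter describes; IPv6 entries, which modern systems also keep in /etc/hosts, are reported as bad by design.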

Using File and Directory Permissions

Linux handles access to all files and directories on the filesystem through the permission block. The permission block is part of the i-node table's entries for each file and directory. You can display the permission block for a file or directory by doing a long directory listing.

The first column of the long directory listing is the permission block. It is always composed of 10 characters. Each file and directory, regardless of its type, on a Linux system has a permission block associated with it. The permission block is made up of two different types of information. The first character is a file type indicator, and the next nine characters are the access permissions themselves. The following sections look at these two types of information in a little more detail.

Understanding File Types

Linux uses the first character in the permission block to indicate the type of entry the i-node table contains. Because Linux doesn't differentiate between files and directories in the i-node table, this character is the only way for the operating system to know whether the entry refers to a regular file or a directory. Directories are not physical entities on a Linux system; they are instead an organizational scheme used to make the user's life easier. The i-node table entries for a file and directory look very similar.

Linux supports a number of valid file types, each of which has a single character value that is used in the first character of the permission block. The most common file type characters that Linux uses are the following:

- ordinary file


b block mode device

c character mode device

d directory

l link

Some versions of Linux and UNIX support other file types (such as s for special), but these types are seldom encountered and are of no real interest as far as permissions are concerned. Most files on the Linux system are ordinary files. An ordinary file can be data, an application, a text file, or any file that contains information (whether directly readable by the user or not). The ordinary files are indicated by a hyphen in the file type block. Any file users create is an ordinary file.

The chapter "Devices and Device Drivers" looked at the difference between block and character mode devices, which are indicated by a b or c file type. These files are composed of instructions that let Linux talk to peripherals. Most device file types are stored in the directory /dev by convention, although they can exist anywhere in the filesystem.


Using Default Permissions


You also can use the symbolic mode of chmod to set permissions explicitly. As you have seen, if you do not specify a parameter on the command line, it is not changed. In other words, if you issue the command

chmod u+r bigfile

only the read permission for the user is changed, and the write and execute permissions are left as they were. You can do the same sort of command to set permissions for directories, remembering what they mean in the context of changing into, adding to, and listing directories. For example, the command

chmod go+rx mydir

allows users in group and other to list mydir's contents and change into mydir, but they cannot add files to this directory.

Sometimes you want to explicitly set the permissions to some value, for which you can use the equal sign. For example, the command

chmod u=rx bigfile

turns on read and execute permission for the user, but turns off write permission (whether it was on or off before the command, it will be off after). However, the group and other permission blocks are left unaffected. If you want to make changes to all three blocks (user, group, and other) at the same time, you must use chmod's absolute mode.
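To see the symbolic-mode behaviour just described (a plus sign changes only the named bits, an equal sign sets the named block exactly and leaves the other two blocks alone), the following shell script runs the chapter's commands against a scratch file and directory under a temporary directory and reads the resulting permission block back from the first column of a long listing. It is an added example, not code from the chapter; the helper names perm_block, apply_chmod and demo_chmod are chosen here, and the starting modes 600 and 700 are assumptions so that every step has a known starting point.

```sh
#!/bin/sh
# Added example: apply chmod and read the resulting block back from ls -ld.

# Print the ten-character permission block of a path (type indicator plus
# nine rwx characters), taken from the first column of a long listing.
perm_block() {
    ls -ld "$1" | cut -c1-10
}

# Apply one chmod argument (symbolic or absolute) to a path and print the nine
# access characters that result, so each step's effect can be compared.
apply_chmod() {
    chmod "$1" "$2" || return 1
    perm_block "$2" | cut -c2-10
}

# Walk through the chapter's symbolic examples on scratch objects named
# bigfile and mydir inside a fresh temporary directory.
demo_chmod() {
    scratch=$(mktemp -d) || return 1
    touch "$scratch/bigfile"
    mkdir "$scratch/mydir"
    chmod 600 "$scratch/bigfile"   # assumed starting point: rw-------
    chmod 700 "$scratch/mydir"     # assumed starting point: rwx------
    printf '%-14s %s\n' 'start'        "$(perm_block "$scratch/bigfile")"
    printf '%-14s %s\n' 'u+r bigfile'  "$(apply_chmod u+r "$scratch/bigfile")"   # r was already on; w is untouched
    printf '%-14s %s\n' 'u=rx bigfile' "$(apply_chmod u=rx "$scratch/bigfile")"  # w turned off; group and other unchanged
    printf '%-14s %s\n' 'go+rx mydir'  "$(apply_chmod go+rx "$scratch/mydir")"   # others may list and enter, not add
    rm -rf "$scratch"
}

demo_chmod
```

Reading the block back from ls rather than trusting the command line is the habit worth keeping: it is the only way to notice that a symbolic change touched fewer bits than intended, or that an equal sign silently removed a bit you still needed.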

The chmod command's absolute mode uses numbers to specify permissions. There are three numbers, one for the user, one for the group, and one for the other permissions. All three must be specified on the command line. Each number is the sum of values that represent read, write, and execute permissions. The following list shows the values:

000 no permissions

001 other, execute

002 other, write

004 other, read

010 group, execute

020 group, write

040 group, read

100 user, execute

200 user, write

400 user, read

You can see that the numbers are in three columns. From left to right, they represent user, group, and other permissions. To use these numbers, add together the values of one (execute), two (write), and four (read) to form the combination you need. For example, if you want to set read and execute permissions, the number you specify is five. Setting all the permissions gives you seven, and a value of zero signifies no permissions. You then use these numbers on the chmod command line. For example, the command

chmod 644 bigfile

sets user permissions to read and write (six), group permissions to read (four), and other permissions to read (four). Permissions that aren't set are replaced with blanks, resulting in the following file permission block:

rw-r--r--

You may recognize this block as the default permission block for users with a umask of 022. This example points out the fact that the umask and chmod absolute numbering schemes are not the same.

Absolute mode is useful for setting the entire permission block in one shot. Although the addition process may seem awkward at first, it becomes quite easy after a while. A couple of settings are used frequently. The setting shown previously produces the usual permissions for files, and the command

chmod 755 mydir

sets mydir to allow only the owner to add files and let everyone list the contents and change into the directory. You can use wildcards with this mode of chmod to make blanket changes.
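The translation between the nine-character block and the three-digit absolute mode, and the umask relationship mentioned above, can be worked through in shell arithmetic. The script below is an added example, not the chapter's code. The function names perm_to_octal, octal_to_perm and default_perm are chosen here, and default_perm assumes the conventional base values of 666 for a newly created file and 777 for a newly created directory, from which the umask removes bits.

```sh
#!/bin/sh
# Added example: convert between the rwx block and chmod's absolute mode,
# and derive default permissions from a umask.

# rw-r--r-- -> 644. Each group of three adds 4 for r, 2 for w and 1 for x,
# which is the chapter's value list summed per column. Only r, w, x and -
# are accepted; setuid, setgid and sticky characters are outside this scope.
perm_to_octal() {
    block=$1
    case $block in
        [r-][w-][x-][r-][w-][x-][r-][w-][x-]) ;;
        *) echo "perm_to_octal: bad block '$block'" >&2; return 1 ;;
    esac
    result=''
    rest=$block
    while [ -n "$rest" ]; do
        tail=${rest#???}            # everything after the first three characters
        group=${rest%"$tail"}       # the first three characters
        rest=$tail
        value=0
        case $group in r??) value=$((value + 4)) ;; esac
        case $group in ?w?) value=$((value + 2)) ;; esac
        case $group in ??x) value=$((value + 1)) ;; esac
        result="$result$value"
    done
    printf '%s\n' "$result"
}

# 755 -> rwxr-xr-x, the reverse mapping, digit by digit.
octal_to_perm() {
    mode=$1
    case $mode in
        [0-7][0-7][0-7]) ;;
        *) echo "octal_to_perm: bad mode '$mode'" >&2; return 1 ;;
    esac
    out=''
    rest=$mode
    while [ -n "$rest" ]; do
        tail=${rest#?}
        digit=${rest%"$tail"}
        rest=$tail
        if [ $((digit & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $((digit & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $((digit & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    done
    printf '%s\n' "$out"
}

# Permissions a new file (assumed base 666) or directory (assumed base 777)
# receives under a given umask. The umask names bits to take away, chmod's
# absolute mode names bits to set, which is why 022 and 644 describe the same
# block with different numbers.
default_perm() {
    kind=$1
    mask=$2
    case $kind in
        file) base=0666 ;;
        dir)  base=0777 ;;
        *) echo "default_perm: kind must be file or dir" >&2; return 1 ;;
    esac
    case $mask in
        [0-7][0-7][0-7]|[0-7][0-7]) ;;
        *) echo "default_perm: bad umask '$mask'" >&2; return 1 ;;
    esac
    octal_to_perm "$(printf '%03o' $((base & ~0$mask)))"
}

perm_to_octal rw-r--r--     # 644
octal_to_perm 755           # rwxr-xr-x
default_perm file 022       # rw-r--r--
default_perm dir 022        # rwxr-xr-x
```

Running default_perm with the umask from a hardened account, such as 077, shows why that setting matters: new files come out as rw------- and no later chmod is needed to keep other users away from them.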


To change the group owner of a file or directory, use the chgrp command (not to be confused with newgrp, which changes your current group). For example, the command

chgrp accounts bigfile

changes the group to accounts. Again, Linux checks that the group name exists in /etc/group and that the person changing the group is in the group that currently owns the file. As with chown, you can use wildcards to change many files and directories at once.

If you know the UID or GID of the user or group, you can use it on the command line instead of the name. Linux searches the /etc/passwd and /etc/group files to make sure the UID or GID is valid, and you must have permission to change the owner for this procedure to work.

Use caution when changing ownerships. It's easy to change an owner or a group, and then realize you have locked yourself out of the file!
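The two lookups the chapter attributes to chgrp, whether the group exists in /etc/group and whether the caller belongs to it, can be reproduced over group data to see what the command will refuse before touching any file. The script below is an added example, not the chapter's code. The /etc/group content it reads is constructed sample data with made-up names, the function names group_gid, user_in_group and can_chgrp are chosen here, and the model is deliberately simple: a user's primary group from /etc/passwd is not considered, and the superuser's ability to bypass the membership check is not modelled. On a real Linux system the kernel rule is that an unprivileged user may change the group only of files they own, and only to a group they are a member of.

```sh
#!/bin/sh
# Added example: the two lookups the chapter attributes to chgrp, done over
# constructed /etc/group data (name:password:GID:member,member,...).
# This is sample input, not a real system's file; the names are made up.
SAMPLE_GROUP='root:x:0:
accounts:x:1001:alice,bob
staff:x:50:alice'

# Print the GID of group $1 read from group data on stdin; return 1 if the
# group is not present.
group_gid() {
    awk -F: -v g="$1" '$1 == g { print $3; found = 1 } END { exit !found }'
}

# Return 0 if user $1 appears in the member list of group $2 (stdin = group
# data). Membership through the user's primary group in /etc/passwd is not
# modelled here, and neither is the superuser's ability to bypass the check.
user_in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) if (members[i] == u) ok = 1
        }
        END { exit !ok }'
}

# Report whether the preconditions for "chgrp GROUP FILE" hold for USER:
# the group must exist and the user must belong to it.
can_chgrp() {
    user=$1
    group=$2
    gid=$(printf '%s\n' "$SAMPLE_GROUP" | group_gid "$group") || {
        echo "chgrp $group: no such group in group data"
        return 1
    }
    printf '%s\n' "$SAMPLE_GROUP" | user_in_group "$user" "$group" || {
        echo "chgrp $group: $user is not a member (GID $gid)"
        return 1
    }
    echo "chgrp $group: allowed for $user (GID $gid)"
}

can_chgrp alice accounts                # allowed
can_chgrp carol accounts || true        # refused: not a member
can_chgrp alice nosuchgroup || true     # refused: unknown group
```

Point the two awk helpers at the real file with `group_gid accounts < /etc/group` to check a group before running chgrp, which is a cheap way to avoid the locked-out situation the chapter warns about.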

Summary

This chapter explained how to give your system a name and assign access permissions. Naming a system is very important when you are connected to a network, but it is more of a personality issue when you are running a stand-alone system. Still, it is nice to refer to your machine as more than "thing" or the default darkstar name.

File permissions are one of the most misunderstood and misused concepts of UNIX, yet they are surprisingly easy to manage. Using the commands explained in this chapter should make it easy for you to alter file permissions and ownership to suit your needs.