Command | Meaning |
---|---|
chmod 400 file | To protect a file against accidental overwriting. |
chmod 500 directory | To protect yourself from accidentally removing, renaming or moving files from this directory. |
chmod 600 file | A private file only changeable by the user who entered this command. |
chmod 644 file | A publicly readable file that can only be changed by the issuing user. |
chmod 660 file | Users belonging to your group can change this file, others don't have any access to it at all. |
chmod 700 file | Protects a file against any access from other users, while the issuing user still has full access. |
chmod 755 directory | For files that should be readable and executable by others, but only changeable by the issuing user. |
chmod 775 file | Standard file sharing mode for a group. |
chmod 777 file | Everybody can do everything to this file. |
Logging on to another group
When you type id on the command line, you get a list of all the groups that you can possibly belong to, preceded by your user name and ID and the group name and ID that you are currently connected with. However, on many Linux systems you can only be actively logged in to one group at the time. By default, this active or primary group is the one that you get assigned from the /etc/passwd file. The fourth field of this file holds users' primary group ID, which is looked up in the /etc/group file. An example:
Special modes
For the system admin to not be bothered solving permission problems all the time, special access rights can be given to entire directories, or to separate programs. There are three special modes:
Sticky bit mode: After execution of a job, the command is kept in the system memory. Originally this was a feature used a lot to save memory: big jobs are loaded into memory only once. But these days memory is inexpensive and there are better techniques to manage it, so it is not used anymore for its optimizing capabilities on single files. When applied to an entire directory, however, the sticky bit has a different meaning. In that case, a user can only change files in this directory when she is the user owner of the file or when the file has appropriate permissions. This feature is used on directories like /var/tmp, that have to be accessible for everyone, but where it is not appropriate for users to change or delete each other's data. The sticky bit is indicated by a t at the end of the file permission field:
~> ls -ld /var/tmp
drwxrwxrwt 19 root root 8192 Jan 16 10:37 /var/tmp/The sticky bit is set using the command chmod o+t directory. The historic origin of the "t" is in UNIX' save Text access feature.
SUID (set user ID) and SGID (set group ID): represented by the character s in the user or group permission field. When this mode is set on an executable file, it will run with the user and group permissions on the file instead of with those of the user issuing the command, thus giving access to system resources.
SGID (set group ID) on a directory: in this special case every file created in the directory will have the same group owner as the directory itself (while normal behavior would be that new files are owned by the users who create them). This way, users don't need to worry about file ownership when sharing directories:
No comments:
Post a Comment