When a new file is created on a Unix-like system, its permissions are determined from the umask of the process that created it. The umask denotes which permissions need to be removed: the binary form of the given octal value is masked against the default value (the value used when no umask is applied).
eipe@eipe-system:~/temp$ umask
0022
The default value of umask varies from OS to OS; in Ubuntu it is 0022. First, let's see what happens if we set the mask to all 0s. Giving umask the value 0000 is equivalent to turning it off.
eipe@eipe-system:~/temp$ umask 0000
eipe@eipe-system:~/temp$ umask
0000
Let's now create a file and see what its permissions are.
eipe@eipe-system:~/temp$ > myfile
eipe@eipe-system:~/temp$ ls -l
total 0
-rw-rw-rw- 1 eipe eipe 0 2010-12-10 21:57 myfile
The default permission when no masking is used is read and write for user, group and everyone.
In binary notation that is 110 110 110.
Now let's give the mask a value.
eipe@eipe-system:~/temp$ umask 0022
eipe@eipe-system:~/temp$ > myfile
eipe@eipe-system:~/temp$ ls -l
total 0
-rw-r--r-- 1 eipe eipe 0 2010-12-10 22:00 myfile
Masking is a bitwise operation on the binary values: every bit that is set in the mask is cleared in the default value. (0022 = 000 000 010 010)
default 1, mask 0 = 1 ; default 1, mask 1 = 0 ; default 0, mask 0 = 0 ; default 0, mask 1 = 0
000 110 110 110   (default 0666)
000 000 010 010   (umask 0022)
-------------------
000 110 100 100   (result 0644)
-------------------
The first 3 bits (the leading octal digit) are reserved for special settings: the setuid, setgid and sticky bits.
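The arithmetic above, carried out by a small script (an added example, not part of the original post). It computes the mode a new file or directory receives under a given umask as default & ~umask, the same operation the table shows, and goes one step beyond the post by covering directories (default 0777) and a few stricter masks; the function names are my own.

```shell
#!/bin/sh
# Added example: compute the permissions of a new file or directory under a
# given umask. The mask only ever clears bits; it never adds any.
# Octal values must carry a leading 0 so $(( )) reads them as octal.

# apply_umask DEFAULT UMASK -> resulting mode as 4-digit octal
apply_umask() {
    printf '%04o\n' $(( $1 & ~$2 ))
}

# mode_to_symbolic MODE -> rwx notation for the 9 permission bits,
# e.g. 0644 -> rw-r--r--
mode_to_symbolic() {
    m=$(( $1 ))
    out=""
    for s in 6 3 0; do              # user, group, other triplets
        bits=$(( (m >> s) & 7 ))
        [ $(( bits & 4 )) -ne 0 ] && out="${out}r" || out="${out}-"
        [ $(( bits & 2 )) -ne 0 ] && out="${out}w" || out="${out}-"
        [ $(( bits & 1 )) -ne 0 ] && out="${out}x" || out="${out}-"
    done
    printf '%s\n' "$out"
}

# new_file_perms UMASK -> symbolic permissions of a new regular file (default 0666)
new_file_perms() { mode_to_symbolic "$(apply_umask 0666 "$1")"; }
# new_dir_perms UMASK -> symbolic permissions of a new directory (default 0777)
new_dir_perms()  { mode_to_symbolic "$(apply_umask 0777 "$1")"; }

# The masks used in the post (0000, 0022) plus the stricter 0027 and 0077
for u in 0000 0022 0027 0077; do
    printf 'umask %s: file %s  dir %s\n' "$u" "$(new_file_perms "$u")" "$(new_dir_perms "$u")"
done
```

With umask 0022 the script reports rw-r--r-- for files and rwxr-xr-x for directories, matching the ls -l output above.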
For example consider the below scenario:
Let's create a new user "tom".
If the group names (also known as primary groups) aren't changed, the default names are the same as the user names, i.e. for eipe the group name is "eipe" and for tom it is "tom".
Let's change the group names to avoid confusion.
eipe@eipe-system:~$ sudo groupmod -n egroup eipe
eipe@eipe-system:~$ sudo groupmod -n tgroup tom
(We changed the default group names "eipe" and "tom" to "egroup" and "tgroup"; groupmod -n takes the new name first, then the existing group, and needs root privileges.)
Let's create a new group "dev".
eipe@eipe-system:~$ sudo groupadd dev
Add the users to this group (usermod takes one user at a time; -a appends to the supplementary groups instead of replacing them):
eipe@eipe-system:~$ sudo usermod -a -G dev eipe
eipe@eipe-system:~$ sudo usermod -a -G dev tom
Let's check the individual user IDs.
eipe@eipe-system:~$ id eipe
uid=1000(eipe) gid=1000(egroup) groups=1000(egroup),4(adm),20(dialout),24(cdrom),46(plugdev),111(lpadmin),119(admin),122(sambashare),1002(dev)
eipe@eipe-system:~$ id tom
uid=1001(tom) gid=1001(tgroup) groups=1001(tgroup),1002(dev)
Note:
All user account related information is stored in:
/etc/passwd – user account details
/etc/shadow – user password details
/etc/group – group account details
Sample entries in /etc/group (name:password placeholder:GID:member list):
egroup:x:1000:
tgroup:x:1001:
dev:x:1002:eipe,tom
groups [username]
Lists the groups the user (given by username) is a member of; without an argument it lists the current user's groups.
eipe@eipe-system:~/share$ groups
egroup adm dialout cdrom plugdev lpadmin admin sambashare dev
eipe@eipe-system:~/share$ groups tom
tom : tgroup dev
members groupname
Lists the members of a particular group (the members command is provided by the package of the same name).
eipe@eipe-system:~/share$ members dev
eipe tom
Let's consider a scenario.
I (eipe) create a folder "share" that needs to be shared with other users.
eipe@eipe-system:~$ mkdir share
eipe@eipe-system:~$ ls -l | grep share
drwxr-xr-x 2 eipe egroup 4096 2010-12-12 15:01 share
Note that the folder needs to be group-executable, so change the permissions for the group to r-x if necessary.
Then I create a script file called "lister.sh" in share (the input is terminated with Ctrl-D).
eipe@eipe-system:~/share$ cat>lister.sh
ls -la
eipe@eipe-system:~/share$ ./lister.sh
bash: ./lister.sh: Permission denied
This is because newly created files are not executable by default.
eipe@eipe-system:~/share$ ls -l
total 4
-rw-r--r-- 1 eipe egroup 7 2010-12-12 16:39 lister.sh
Since I'm planning to share it, I need to make it executable for both me (eipe) and my group.
eipe@eipe-system:~/share$ chmod ug+x lister.sh
eipe@eipe-system:~/share$ ./lister.sh
total 12
drwxr-xr-x 2 eipe egroup 4096 2010-12-12 16:39 .
drwxr-xr-x 53 eipe egroup 4096 2010-12-12 16:39 ..
-rwxr-xr-- 1 eipe egroup 7 2010-12-12 16:39 lister.sh
Now tom logs in.
eipe@eipe-system:~$ su tom
Password:
tom@eipe-system:/home/eipe$ cd share
tom@eipe-system:/home/eipe/share$ ./lister.sh
bash: ./lister.sh: Permission denied
This is because the group associated with the file is "egroup", not "dev". Every file belongs to a user and a group; the group is usually the primary group of the user who created the file. Since tom is neither the owner nor a member of egroup, only the "other" bits (r--) apply to him.
There are 2 solutions:
Solution 1:
Since tom has read access to the file, he can copy it to another location and then run the copy.
tom@eipe-system:/home/eipe/share$ cp lister.sh /home/tom/clister.sh
tom@eipe-system:/home/eipe/share$ cd /home/tom
tom@eipe-system:~$ ls -l
total 8
-rwxr-xr-- 1 tom tgroup 7 2010-12-12 17:08 clister.sh
-rw-r--r-- 1 tom tgroup 179 2010-12-11 09:40 examples.desktop
tom@eipe-system:~$ ./clister.sh
AND IT WORKS...
Note that tom had to change directory, since he was in eipe's home folder, where he cannot create files.
Solution 2:
Change the group ownership of the file:
chgrp group filename
The -R option applies the change recursively to all files in a directory.
eipe@eipe-system:~/share$ chgrp dev lister.sh
chgrp: changing group of `lister.sh': Operation not permitted
This is because after creating the new group "dev" I didn't restart the system.
After logging in again,
eipe@eipe-system:~/share$ chgrp dev lister.sh
eipe@eipe-system:~/share$ ls -l
total 4
-rwxr-xr-- 1 eipe dev 7 2010-12-12 16:39 lister.sh
Now tom logs in and he can execute the file.
eipe@eipe-system:~/share$ su tom
Password:
tom@eipe-system:/home/eipe/share$ ./lister.sh
total 12
drwxr-xr-x 2 eipe egroup 4096 2010-12-12 16:39 .
drwxr-xr-x 54 eipe egroup 4096 2010-12-12 18:09 ..
-rwxr-xr-- 1 eipe dev 7 2010-12-12 16:39 lister.sh
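The owner/group/other decision behind both "Permission denied" results and the chgrp fix, as an added example (not from the original post). Exactly one class of bits applies to a user: the owner bits if the user owns the file, otherwise the group bits if the file's group is one of the user's groups, otherwise the "other" bits; the classes are never combined. Function names and the constructed group list are my own.

```shell
#!/bin/sh
# Added example: which permission bits apply to a user, and whether they
# allow execution. Mirrors the kernel's rule: owner, else group, else other.

# is_member GROUP G1 G2 ... -> 0 if GROUP is among G1 G2 ...
is_member() {
    want=$1
    shift
    for g in "$@"; do
        [ "$g" = "$want" ] && return 0
    done
    return 1
}

# can_exec MODE OWNER GROUP USER "USER_GROUPS"
#   MODE is the ls -l mode string, e.g. -rwxr-xr--
#   USER_GROUPS is the space-separated list that `groups USER` prints
# Prints the class of bits that applied; returns 0 if USER may execute.
can_exec() {
    mode=$1 owner=$2 group=$3 user=$4 user_groups=$5
    if [ "$user" = "$owner" ]; then
        class=owner; bits=$(printf '%s' "$mode" | cut -c2-4)
    elif is_member "$group" $user_groups; then      # unquoted: split into words
        class=group; bits=$(printf '%s' "$mode" | cut -c5-7)
    else
        class=other; bits=$(printf '%s' "$mode" | cut -c8-10)
    fi
    printf '%s: %s bits %s\n' "$user" "$class" "$bits"
    [ "$(printf '%s' "$bits" | cut -c3)" = "x" ]
}

# Constructed input matching the post: what `groups tom` printed
TOM_GROUPS="tgroup dev"

# Before chgrp: lister.sh is eipe:egroup, so tom falls through to "other" (r--)
can_exec -rwxr-xr-- eipe egroup tom "$TOM_GROUPS" && echo allowed || echo "Permission denied"
# After chgrp dev: the group bits (r-x) now apply to tom
can_exec -rwxr-xr-- eipe dev tom "$TOM_GROUPS" && echo allowed || echo "Permission denied"
```

A shell script additionally needs the r bit for the class that applies, because the shell has to read it; the copy in Solution 1 works because tom owns the copy and the owner bits apply.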