Concept #2 - users, groups and permissions:


/etc/passwd lists who has accounts on the machine

/etc/group lists the "groups" defined on a machine


When a user account is created on a UNIX machine, the user is given (or assigned) a number of things. The best known is the user-ID or logon. Associated with each user-ID is a unique number called the UID (user ID). Another piece of information is a GID (group ID) which is the number of the user’s default group (every user belongs to at least one group - more about this later). Other things that get assigned are a home directory and a default shell.


The user-ID is who you are to the system. All of the files that you create are owned by this ID. (More detail than you need at this time - but interesting anyway: The files are really owned by your UID, and the group information is stored as the numeric GID. When you execute a command such as "ls -l" which displays the user and group information, the system looks up the UID in the password file and the GID in the group file and displays the names, not the numbers. If it cannot find these numbers in their respective files, it will display the numbers.)
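The lookup described above, as an added example that is not part of the original tutorial: parse passwd-format and group-format text, resolve a file's numeric UID/GID to names the way "ls -l" does, and fall back to the raw numbers when no entry exists. The account and group lines are constructed sample data, not taken from any real machine; the field layout is the real seven-field /etc/passwd and four-field /etc/group format.

```python
# Added example (not from the original tutorial): resolve numeric UID/GID
# to names the way "ls -l" does, using constructed passwd/group data.

# Constructed sample data, not a real system's files.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice (SA):/home/alice:/bin/bash
bob:x:1002:1002:Bob (DBA):/home/bob:/bin/sh
"""

GROUP_SAMPLE = """\
root:x:0:
admin:x:1000:alice
database:x:1003:bob
alice:x:1001:
bob:x:1002:
"""


def parse_passwd(text):
    """Return {uid: (login, gid, home, shell)} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        # login:password:UID:GID:GECOS:home:shell
        login, _pw, uid, gid, _gecos, home, shell = line.split(":")
        users[int(uid)] = (login, int(gid), home, shell)
    return users


def parse_group(text):
    """Return {gid: (name, [members])} from group-format text."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        # name:password:GID:comma-separated member logins
        name, _pw, gid, members = line.split(":")
        groups[int(gid)] = (name, [m for m in members.split(",") if m])
    return groups


def owner_display(uid, gid, users, groups):
    """Mimic ls -l: show names when found, otherwise fall back to the numbers."""
    user = users[uid][0] if uid in users else str(uid)
    group = groups[gid][0] if gid in groups else str(gid)
    return user, group


def groups_of(login, users, groups):
    """Every group a user belongs to: the default GID plus explicit memberships."""
    result = set()
    for _uid, (name, gid, _home, _shell) in users.items():
        if name == login and gid in groups:
            result.add(groups[gid][0])
    for _gid, (name, members) in groups.items():
        if login in members:
            result.add(name)
    return sorted(result)


if __name__ == "__main__":
    users = parse_passwd(PASSWD_SAMPLE)
    groups = parse_group(GROUP_SAMPLE)
    # A file owned by alice's UID and the "database" GID.
    print(owner_display(1001, 1003, users, groups))
    # A file left behind by a deleted account: the UID is shown as a number.
    print(owner_display(4242, 1003, users, groups))
    print(groups_of("alice", users, groups))
```

The second call shows the fallback from the text: a UID with no passwd entry is printed as a number, which on a real system is a useful sign that a file is owned by an account that no longer exists.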


The purpose of a group is to allow users to share some things with certain other users, but not with everyone. Systems Administrators need to share information with other SAs, but not with the DBAs. The DBAs need to share information with each other, but not with the HelpDesk. The GID identifies which group a user is a part of: SAs are part of the admin group, DBAs are part of the database group, while other users are all part of their respective groups (billing, help desk, etc.).


A home directory is the directory that a user ends up in when they first log on. There are files in the home directory that set up the environment for that user. The environment is a group of settings that can be personalized to change the way that certain things work. The best known of these settings is the path, which determines where the system searches for commands. When a user types in a command, the system searches each directory listed in the path for a file with that name; if it finds a file, it runs the command, otherwise it generates an error. Other parts of the environment include the DISPLAY used for X windows applications, the name of the current directory, and information about the user.


file properties


Every UNIX file has a set of permissions that control who can access that file, and what kind of access they have. The three types of access are Read - the ability to examine the contents, Write - the ability to change the contents, and eXecute - the ability to "run" the file as a command, or the ability to "cd" into it if it is a directory. There are also three levels of permissions: what the User is allowed to do, what members of the Group are allowed to do, and what can be done by Others (those who are neither the user nor members of the right group).


By combining the three levels of access with the three types of permissions, this becomes a very flexible system. This flexibility also makes things complicated - and to make things worse, there are two different ways to describe and modify permissions. Some people prefer "absolute mode" which uses numbers to describe the modes, while others prefer "relative mode" which uses letters and mathematical symbols such as '+' and '-'.


Absolute mode requires a new way of thinking about numbers. We all remember learning about numbers and the "hundreds" column, the "tens" column and the "ones" column. (101 = one in the "hundreds" column plus one in the "ones" column = one hundred and one.) This is called the decimal system, or "base 10" - each column is a multiple of 10. To use "absolute mode" you need to understand "base 2" - each column is a multiple of 2.


Decimal (base 10) columns:

    100  10   1
      1   0   1    = 1x100 + 0x10 + 1x1 = 101

Binary (base 2) columns:

      4   2   1
      1   0   1    = 1x4 + 0x2 + 1x1 = 5
      1   1   1    = 1x4 + 1x2 + 1x1 = 7
      0   0   0    = 0x4 + 0x2 + 0x1 = 0


Now think of the three types of file permissions - Read, Write and eXecute and remember that there are three levels of permission (User, Group and Other).

If there is a file whose permissions look like -rwxr-xr-x.

    1. Break this into three parts:

       User permissions: rwx

       Group permissions: r-x

       Other permissions: r-x

    2. Now you can translate these into ones and zeros by putting a one where there is a letter, and a zero where there is a dash, giving 111, 101 and 101.
    3. Using what we learned above about "base two" numbers, these become 7, 5 and 5, or more concisely 755.


If we want to make a file have these permissions we can use the command chmod 755 file.


(It might be easier to think of the permission to Read as "four," permission to Write as "two" and eXecute permission as "one." Converting the file permissions -rwxr-xr-x into numbers becomes: rwx = 4+2+1 = 7, r-x = 4+0+1 = 5, r-x = 4+0+1 = 5 or 755.)


By the way, another name for "base two" numbers is "binary" numbers...


Although I prefer to use "relative mode," some people prefer "absolute mode," especially when making small or simple changes. To use "relative mode" you don’t need to know the current permissions of the file, you only need to know what you want to change:

To make a file eXecutable for User, Group and Other you would use the command chmod +x file.

To make a file eXecutable for only the User, you would use the command chmod u+x file.

To make a file Readable and Writable for the Group, you would use the command chmod g+rw file.

To make a file not be Readable by the Group, you would use the command chmod g-r file.


Relative mode is also useful when changing a large number of files (and/or directories) that have varying permissions. Quite often you will need to make all files within a directory Readable by the Group, but some of the files are already Readable, some are Writable and some are eXecutable. The chmod g+r * command will do what we want - make all files readable for the group, regardless of their other permissions.
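Both halves of the permission discussion above (turning "-rwxr-xr-x" into 755, and applying relative-mode changes such as g+rw or +x) as an added worked example that is not part of the original tutorial. It goes slightly beyond the text by handling the "=" operator and multi-letter "who" lists such as go-w; it deliberately ignores the umask that a real chmod +x with no "who" letters would honour, and it only models the nine read/write/execute bits, not setuid, setgid or the sticky bit.

```python
# Added example (not the tutorial's own code): convert between the
# "-rwxr-xr-x" display form and the octal absolute mode (755), and apply
# relative-mode specs such as g+rw, u+x, +x or g-r the way chmod would.
import re

PERM_BITS = {"r": 4, "w": 2, "x": 1}   # Read = four, Write = two, eXecute = one
WHO_SHIFT = {"u": 6, "g": 3, "o": 0}   # position of each triplet in the mode


def symbolic_to_octal(perms):
    """'-rwxr-xr-x' -> 0o755 (the leading file-type character is optional)."""
    s = perms[1:] if len(perms) == 10 else perms
    if len(s) != 9:
        raise ValueError("expected 9 permission characters")
    mode = 0
    for i in range(0, 9, 3):            # user, group, other triplets in turn
        triplet = 0
        for ch in s[i:i + 3]:
            if ch != "-":               # a letter is a one, a dash is a zero
                triplet += PERM_BITS[ch]
        mode = (mode << 3) | triplet    # shift the previous triplets left
    return mode


def octal_to_symbolic(mode):
    """0o755 -> 'rwxr-xr-x'."""
    out = []
    for shift in (6, 3, 0):
        triplet = (mode >> shift) & 0o7
        out.append("r" if triplet & 4 else "-")
        out.append("w" if triplet & 2 else "-")
        out.append("x" if triplet & 1 else "-")
    return "".join(out)


def apply_relative(mode, spec):
    """Apply one relative-mode spec ('g+rw', 'u-x', '+x', 'go=r') to a mode."""
    m = re.fullmatch(r"([ugoa]*)([+-=])([rwx]*)", spec)
    if not m:
        raise ValueError(f"unsupported spec: {spec}")
    who, op, perms = m.groups()
    # No "who" letters (or 'a') means User, Group and Other, as in chmod +x.
    # Real chmod also applies the umask in that case; this example does not.
    targets = "ugo" if who in ("", "a") else who.replace("a", "ugo")
    bits = sum(PERM_BITS[p] for p in perms)
    for w in set(targets):
        shift = WHO_SHIFT[w]
        if op == "+":
            mode |= bits << shift                       # turn bits on
        elif op == "-":
            mode &= ~(bits << shift)                    # turn bits off
        else:
            mode = (mode & ~(0o7 << shift)) | (bits << shift)  # replace triplet
    return mode & 0o777


if __name__ == "__main__":
    mode = symbolic_to_octal("-rwxr-xr-x")
    print(oct(mode))                                     # 0o755
    print(octal_to_symbolic(apply_relative(mode, "g-r")))  # rwx--xr-x
    # "chmod g+r *" over files with varying permissions: each keeps its
    # other bits and only gains group read.
    for start in ("rw-------", "rwx--x--x", "r--r--r--"):
        print(start, "->", octal_to_symbolic(apply_relative(symbolic_to_octal(start), "g+r")))
```

The loop at the end models the "chmod g+r *" case from the text: whatever mix of permissions each file starts with, only the group-read bit changes, which is exactly why relative mode is the right tool there and absolute mode (which overwrites all nine bits) is not.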


