Sharing Files

Groups, file ownership, and access permissions are Linux features that enable users to share files with one another. But even if you don't plan on sharing files with other users on your system, familiarity with these concepts will help you understand how file access and security work in Linux.

Groups and How to Work in Them

A group is a set of users, created to share files and to facilitate collaboration. Each member of a group can work with the group's files and make new files that belong to the group. The system administrator can add new groups and give users membership to the different groups, according to the users' organizational needs. For example, a system used by the crew of a ship might have groups such as galley, deck, bridge, and crew; the user captain might be a member of all the groups, but user steward might be a member of only the galley and crew groups.

On a Linux system, you're always a member of at least one group: your login group. You are the only member of this group, and its group name is the same as your username.

Let's look at how to manage your group memberships.

Listing the Groups a User Belongs To

To list a user's group memberships, use the groups tool. Give a username as an argument, and groups outputs a line containing that username followed by all of the groups the user is a member of. With no arguments, groups lists your own username and group memberships.

For the user steward, for example, three groups are output: steward (the user's login group), galley, and crew.

For the user blackbeard, groups outputs the username blackbeard followed by the name of just one group, blackbeard, indicating that this user belongs to only one group: his login group.

Listing the Members of a Group

Debian: `members'

To list the members of a particular group, use the members tool, giving the name of the particular group as an argument.

For the galley group, for example, three usernames are output, indicating that those three users are the members of the galley group.
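Where groups and members get their answers, as an added example that is not from the Linux Cookbook: a user's login group is the numeric gid in field 4 of the user's /etc/passwd entry, and /etc/group lines have the form name:password:gid:member,member,... The script below reads two constructed sample files (the ship's crew from the text) rather than the real system files, and reproduces both tools with awk.

```sh
# Added example (not from the Linux Cookbook): where `groups' and `members'
# get their answers. A user's login group is the gid in field 4 of the
# /etc/passwd entry; /etc/group lines are name:password:gid:member,member,...
# The two files below are CONSTRUCTED sample data (the crew from the text),
# so nothing is read from the real system.
PASSWD_FILE=$(mktemp); GROUP_FILE=$(mktemp)
trap 'rm -f "$PASSWD_FILE" "$GROUP_FILE"' EXIT
cat >"$PASSWD_FILE" <<'EOF'
captain:x:1000:1000::/home/captain:/bin/sh
steward:x:1001:1001::/home/steward:/bin/sh
cook:x:1002:1002::/home/cook:/bin/sh
blackbeard:x:1003:1003::/home/blackbeard:/bin/sh
EOF
cat >"$GROUP_FILE" <<'EOF'
captain:x:1000:
steward:x:1001:
cook:x:1002:
blackbeard:x:1003:
galley:x:200:captain,steward,cook
crew:x:201:captain,steward,cook
EOF

# list_groups USER: what `groups USER' prints -- login group first, then
# every group whose member list names the user.
list_groups() {
    awk -F: -v user="$1" '
        FNR == NR { if ($1 == user) gid = $4; next }   # passwd: note the login gid
        $3 == gid { login = $1 }                        # the group that owns that gid
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == user) extra = extra " " $1 }
        END { if (login != "") print login extra }
    ' "$PASSWD_FILE" "$GROUP_FILE"
}

# group_members GROUP: what `members GROUP' prints -- users named in the group
# entry plus users whose login group it is (each listed once, in file order).
group_members() {
    awk -F: -v grp="$1" '
        FNR == NR { if ($1 == grp) { gid = $3; n = split($4, m, ",")
                      for (i = 1; i <= n; i++) if (m[i] != "" && !seen[m[i]]++) list = list " " m[i] }
                    next }
        $4 == gid && !seen[$1]++ { list = list " " $1 }   # passwd: login gid matches
        END { print substr(list, 2) }
    ' "$GROUP_FILE" "$PASSWD_FILE"
}

list_groups steward       # steward galley crew
group_members galley      # captain steward cook
```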

File Ownership

Every file belongs to both a user and a group -- usually to the user who created it and to the group the user was working in at the time (which is almost always the user's login group). File ownership determines the type of access users have to particular files (see Controlling Access to Files).

Determining the Ownership of a File

To find out which user and group own a particular file, use ls with the `-l' option to list the file's attributes (see Listing File Attributes). The name of the user who owns the file appears in the third column of the output, and the name of the group that owns the file appears in the fourth column.

For example, suppose the verbose listing for a file called `cruise' looks like this:

-rwxrw-r--      1 captain   crew        8,420 Jan 12 21:42 cruise

The user who owns this file is captain, and the group that owns it is crew.

NOTE: When you create a file, it normally belongs to you and to your login group, but you can change its ownership, as described in the next recipe. You normally own all of the files in your home directory.

Changing the Ownership of a File

You can't give away a file to another user, but other users can make copies of a file that belongs to you, provided they have read permission for that file (see Controlling Access to Files). When you make a copy of another user's file, you own the copy.

You can also change the group ownership of any file you own. To do this, use chgrp; it takes as arguments the name of the group to transfer ownership to and the names of the files to work on. You must be a member of the group you want to give ownership to.

For example, running chgrp with bridge and `cruise' as its arguments transfers group ownership of `cruise' to bridge; the file's group access permissions (see Controlling Access to Files) now apply to the members of the bridge group.

Use the `-R' option to recursively change the group ownership of directories and all of their contents.

Controlling Access to Files

Each file has permissions that specify what type of access to the file users have. There are three kinds of permissions: read, write, and execute. You need read permission for a file to read its contents, write permission to write changes to or remove it, and execute permission to run it as a program.

Normally, users have write permission only for files in their own home directories. Only the superuser has write permission for the files in important directories, such as `/bin' and `/etc' -- so as a regular user, you never have to worry about accidentally writing to or removing an important system file.

Permissions work differently for directories than for other kinds of files. Read permission for a directory means that you can see the files in the directory; write permission lets you create, move, or remove files in the directory; and execute permission lets you use the directory name in a path (see Files and Directories).

If you have read permission but not execute permission for a directory, you can only read the names of files in that directory -- you can't read their other attributes, examine their contents, write to them, or execute them. With execute but not read permission for a directory, you can read, write to, or execute any file in the directory, provided that you know its name and that you have the appropriate permissions for that file.

Each file has separate permissions for three categories of users: the user who owns the file, all other members of the group that owns the file, and all other users on the system. If you are a member of the group that owns a file, the file's group permissions apply to you (unless you are the owner of the file, in which case the user permissions apply to you).

When you create a new file, it has a default set of permissions -- usually read and write for the user, and read for the group and all other users. (On some systems, the default permissions are read and write for both the user and group, and read for all other users.)

The file access permissions for a file are collectively called its access mode. The following sections describe how to list and change file access modes, including how to set the most commonly used access modes.

NOTE: The superuser, root, can always access any file on the system, regardless of its access permissions.

See Info file `fileutils.info', node `File permissions', for more information on file permissions and access modes.

Listing the Permissions of a File

To list a file's access permissions, use ls with the `-l' option (see Listing File Attributes). File access permissions appear in the first column of the output, after the character for file type.

For example, consider the verbose listing of the file `cruise':

-rwxrw-r--      1 captain   crew        8,420 Jan 12 21:42 cruise

The first character (`-') is the file type; the next three characters (`rwx') specify permissions for the user who owns the file; and the next three (`rw-') specify permissions for all members of the group that owns the file except for the user who owns it. The last three characters in the column (`r--') specify permissions for all other users on the system.

All three permissions sections have the same format, indicating from left to right, read, write, and execute permission with `r', `w', and `x' characters. A hyphen (`-') in place of one of these letters indicates that permission is not given.

In this example, the listing indicates that the user who owns the file, captain, has read, write, and execute permission, and the group that owns the file, crew, has read and write permission. All other users on the system have only read permission.
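The rule for which of the three permission sets applies to a given user, worked through in shell as an added example (not code from the Linux Cookbook): the owner gets the user set, any other member of the owning group gets the group set, and everybody else gets the "other" set. The listing lines it reads are constructed in the format shown above; the function and variable names are this example's own.

```sh
# Added example (not from the Linux Cookbook): decide which of the three
# permission sets in an `ls -l' line applies to a given user, by the rule in
# the text: the owner gets the user set, any other member of the owning group
# gets the group set, and everybody else gets the "other" set.
# perms_for MODE OWNER GROUP USER [USER_GROUP...]: prints a triple such as rw-
perms_for() {
    mode=$1; owner=$2; group=$3; user=$4; shift 4
    if [ "$user" = "$owner" ]; then
        printf '%s\n' "$mode" | cut -c2-4           # user set (column 1 is the type)
        return
    fi
    for g in "$@"; do                                # USER's group memberships
        if [ "$g" = "$group" ]; then
            printf '%s\n' "$mode" | cut -c5-7       # group set
            return
        fi
    done
    printf '%s\n' "$mode" | cut -c8-10              # other set
}

# perms_from_listing "LS_LINE" USER [USER_GROUP...]: take mode, owner and
# group from columns 1, 3 and 4 of a verbose listing line, then apply the rule.
perms_from_listing() {
    line=$1; shift
    perms_for $(printf '%s\n' "$line" | awk '{print $1, $3, $4}') "$@"   # word-split on purpose
}

# can_user PERM "LS_LINE" USER [USER_GROUP...]: succeed (exit 0) when PERM
# (r, w or x) is in the set that applies to USER. root is not special-cased;
# the text's NOTE covers the superuser.
can_user() {
    perm=$1; shift
    case $(perms_from_listing "$@") in
        *"$perm"*) return 0 ;;
        *)         return 1 ;;
    esac
}

# CONSTRUCTED listing lines in the format shown in the text: a file and a
# directory, both owned by captain.
CRUISE='-rwxrw-r--      1 captain   crew        8,420 Jan 12 21:42 cruise'
PLANS='drwxr-x---      2 captain   bridge      4,096 Jan 12 21:50 plans'
for who in "captain captain crew" "steward steward galley crew" "blackbeard blackbeard"; do
    set -- $who                                      # USER followed by USER's groups
    printf '%-10s cruise:%s  plans:%s\n' "$1" "$(perms_from_listing "$CRUISE" "$@")" "$(perms_from_listing "$PLANS" "$@")"
done
```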

Changing the Permissions of a File

To change the access mode of any file you own, use the chmod ("change mode") tool. It takes two arguments: an operation, which specifies the permissions to grant or revoke for certain users, and the names of the files to work on.

To build an operation, first specify the category or categories of users as a combination of the following characters:

    CHARACTER   CATEGORY
    u           The user who owns the file.
    g           All other members of the file's group.
    o           All other users on the system.
    a           All users on the system; this is the same as `ugo'.

Follow this with the operator denoting the action to take:

    OPERATOR    ACTION
    +           Add permissions to the user's existing permissions.
    -           Remove permissions from the user's existing permissions.
    =           Make these the only permissions the user has for this file.

Finally, specify the permissions themselves:

    CHARACTER   PERMISSION
    r           Set read permission.
    w           Set write permission.
    x           Set execute permission.

For example, use `u+w' to add write permission to the existing permissions for the user who owns the file, and use `a+rw' to add both read and write permissions to the existing permissions of all users. (You could also use `ugo+rw' instead of `a+rw'.)

Write-Protecting a File

If you revoke users' write permissions for a file, they can no longer write to or remove the file. This effectively "write-protects" a file, preventing accidental changes to it. A write-protected file is sometimes called a "read only" file.

To write-protect a file so that no users other than yourself can write to it, use chmod with `go-w' as the operation.

Making a File Private

To make a file private from all other users on the system, use chmod with `go=' as the operation. This revokes all group and other access permissions.

Making a File Public

To allow anyone with an account on the system to read and make changes to a file, use chmod with `a+rw' as the operation. This grants read and write permission to all users, making the file "public." When a file has read permission set for all users, it is called world readable, and when a file has write permission set for all users, it is called world writable.

Making a File Executable

An executable file is a file that you can run as a program. To change the permissions of a file so that all users can run it as a program, use chmod with `a+x' as the operation.

NOTE: Often, shell scripts that you obtain or write yourself do not have execute permission set, and you'll have to set it yourself before you can run them.
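The operation grammar from Changing the Permissions of a File and the four recipes that follow it (write-protecting, private, public, executable), worked through as an added example that is not code from the Linux Cookbook: apply_op simulates a symbolic operation on a nine-character mode string, and check_op runs the real chmod on a scratch file from mktemp and reports the result only when the two agree. The function names are this example's own.

```sh
# Added example (not from the Linux Cookbook): a simulator for chmod's
# symbolic operations as the text describes them -- WHO ([ugoa]), OPERATOR
# ([+-=]), PERMISSIONS ([rwx]) -- applied to a nine-character mode string,
# plus a check that the real chmod agrees on a scratch file from mktemp.
# edit_triple TRIPLE OPERATOR PERMS: apply one operator to one rwx triple.
edit_triple() {
    triple=$1; action=$2; perms=$3; out=''; i=1
    [ "$action" = '=' ] && triple='---'             # '=' starts from no permissions
    for p in r w x; do
        cur=$(printf '%s' "$triple" | cut -c"$i")
        case $action in
            +|=) case $perms in *"$p"*) cur=$p ;; esac ;;
            -)   case $perms in *"$p"*) cur='-' ;; esac ;;
        esac
        out=$out$cur; i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# apply_op MODE OP: MODE is the nine permission characters (e.g. rwxrw-r--),
# OP an operation such as go-w, a+rw or go= (WHO must be given). Prints the result.
apply_op() {
    mode=$1; op=$2
    who=${op%%[-+=]*}                               # characters before the operator
    rest=${op#"$who"}; action=$(printf '%.1s' "$rest"); perms=${rest#?}
    case $who in *a*) who=ugo ;; esac               # a is shorthand for ugo
    new=''; off=1
    for cat in u g o; do                             # one triple per category
        triple=$(printf '%s' "$mode" | cut -c"$off"-"$((off + 2))")
        case $who in *"$cat"*) triple=$(edit_triple "$triple" "$action" "$perms") ;; esac
        new=$new$triple; off=$((off + 3))
    done
    printf '%s\n' "$new"
}

# mode_of FILE: the nine permission characters from `ls -l'.
mode_of() { ls -l "$1" | cut -c2-10; }

# check_op OP: put a scratch file at rwxrw-r-- (the `cruise' mode from the
# text), run the real chmod OP on it and report the result if apply_op agrees.
check_op() {
    f=$(mktemp) || return 1
    chmod u=rwx,g=rw,o=r "$f"                        # chmod also accepts a comma-separated list
    want=$(apply_op "$(mode_of "$f")" "$1")
    chmod "$1" "$f"; got=$(mode_of "$f"); rm -f "$f"
    [ "$got" = "$want" ] && printf '%s: %s\n' "$1" "$got"
}

for op in go-w go= a+rw a+x; do check_op "$op"; done   # the four recipes above
```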

