|[<--] [Cover] [Table of Contents] [Concept Index] [Program Index] [-->]|
Groups, file ownership, and access permissions are Linux features that enable users to share files with one another. But even if you don't plan on sharing files with other users on your system, familiarity with these concepts will help you understand how file access and security work in Linux.
A group is a set of users, created to share files and to
facilitate collaboration. Each member of a group can work with the
group's files and make new files that belong to the group. The system
administrator can add new groups and give users membership to the
different groups, according to the users' organizational needs. For
example, a system used by the crew of a ship might have groups such as
crew; the user
captain might be a member of all the groups, but user
steward might be a member of only the
On a Linux system, you're always a member of at least one group: your login group. You are the only member of this group, and its group name is the same as your username.
Let's look at how to manage your group memberships.
To list a user's group memberships, use the
groups tool. Give a
username as an argument, and
groups outputs a line containing
that username followed by all of the groups the user is a member
of. With no arguments,
groups lists your own username and group
$ groups [RET] steward galley crew $
In this example, three groups are output:
steward (the user's
$ groups blackbeard [RET] blackbeard : blackbeard $
In this example, the command outputs the given username,
blackbeard, followed by the name of one group,
indicating that user
blackbeard belongs to only one group: his
To list the members of a particular group, use the
giving the name of the particular group as an argument.
$ members galley [RET] captain steward pete $
In this example, three usernames are output, indicating that these three
users are the members of the
Every file belongs to both a user and a group -- usually to the user who created it and to the group the user was working in at the time (which is almost always the user's login group). File ownership determines the type of access users have to particular files (see Controlling Access to Files).
To find out which user and group own a particular file, use
with the `-l' option to list the file's attributes (see Listing File Attributes). The name of the user who owns
the file appears in the third column of the output, and the name of the
group that owns the file appears in the fourth column.
For example, suppose the verbose listing for a file called `cruise' looks like this:
-rwxrw-r-- 1 captain crew 8,420 Jan 12 21:42 cruise
The user who owns this file is
captain, and the group that owns
NOTE: When you create a file, it normally belongs to you and to your login group, but you can change its ownership, as described in the next recipe. You normally own all of the files in your home directory.
You can't give away a file to another user, but other users can make copies of a file that belongs to you, provided they have read permission for that file (see Controlling Access to Files). When you make a copy of another user's file, you own the copy.
You can also change the group ownership of any file you own. To do this,
chgrp; it takes as arguments the name of the group to
transfer ownership to and the names of the files to work on. You must be
a member of the group you want to give ownership to.
$ chgrp bridge cruise [RET]
This command transfers group ownership of `cruise' to
bridge; the file's group access permissions (see Controlling Access to Files) now apply to the members of
Use the `-R' option to recursively change the group ownership of directories and all of their contents.
$ chgrp -R bridge maps [RET]
Each file has permissions that specify what type of access to the file users have. There are three kinds of permissions: read, write, and execute. You need read permission for a file to read its contents, write permission to write changes to or remove it, and execute permission to run it as a program.
Normally, users have write permission only for files in their own home directories. Only the superuser has write permission for the files in important directories, such as `/bin' and `/etc'---so as a regular user, you never have to worry about accidentally writing to or removing an important system file.
Permissions work differently for directories than for other kinds of files. Read permission for a directory means that you can see the files in the directory; write permission lets you create, move, or remove files in the directory; and execute permission lets you use the directory name in a path (see Files and Directories).
If you have read permission but not execute permission for a directory, you can only read the names of files in that directory -- you can't read their other attributes, examine their contents, write to them, or execute them. With execute but not read permission for a directory, you can read, write to, or execute any file in the directory, provided that you know its name and that you have the appropriate permissions for that file.
Each file has separate permissions for three categories of users: the user who owns the file, all other members of the group that owns the file, and all other users on the system. If you are a member of the group that owns a file, the file's group permissions apply to you (unless you are the owner of the file, in which case the user permissions apply to you).
When you create a new file, it has a default set of permissions -- usually read and write for the user, and read for the group and all other users. (On some systems, the default permissions are read and write for both the user and group, and read for all other users.)
The file access permissions for a file are collectively called its access mode. The following sections describe how to list and change file access modes, including how to set the most commonly used access modes.
NOTE: The superuser,
root, can always access any file on
the system, regardless of its access permissions.
See Info file `fileutils.info', node `File permissions', for more information on file permissions and access modes.
To list a file's access permissions, use
ls with the `-l'
option (see Listing File Attributes). File
access permissions appear in the first column of the output, after the
character for file type.
For example, consider the verbose listing of the file `cruise':
-rwxrw-r-- 1 captain crew 8,420 Jan 12 21:42 cruise
The first character (`-') is the file type; the next three characters (`rwx') specify permissions for the user who owns the file; and the next three (`rw-') specify permissions for all members of the group that owns the file except for the user who owns it. The last three characters in the column (`r--') specify permissions for all other users on the system.
All three permissions sections have the same format, indicating from left to right, read, write, and execute permission with `r', `w', and `x' characters. A hyphen (`-') in place of one of these letters indicates that permission is not given.
In this example, the listing indicates that the user who owns the file,
captain, has read, write, and execute permission, and the group
that owns the file,
crew, has read and write permission. All
other users on the system have only read permission.
To change the access mode of any file you own, use the
("change mode") tool. It takes two arguments: an operation,
which specifies the permissions to grant or revoke for certain users,
and the names of the files to work on.
To build an operation, first specify the category or categories of users as a combination of the following characters:
||The user who owns the file.|
||All other members of the file's group.|
||All other users on the system.|
||All users on the system; this is the same as `ugo'.|
||Add permissions to the user's existing permissions.|
||Remove permissions from the user's existing permissions.|
||Make these the only permissions the user has for this file.|
||Set read permission.|
||Set write permission.|
||Set execute permission.|
If you revoke users' write permissions for a file, they can no longer write to or remove the file. This effectively "write-protects" a file, preventing accidental changes to it. A write-protected file is sometimes called a "read only" file.
To write-protect a file so that no users other than yourself can write
to it, use
chmod with `go-w' as the operation.
$ chmod go-w cruise [RET]
To make a file private from all other users on the system, use
chmod with `go=' as the operation. This revokes all
other access permissions.
$ chmod go= cruise [RET]
To allow anyone with an account on the system to read and make changes
to a file, use
chmod with `a+rw' as the operation. This
grants read and write permission to all users, making the file
"public." When a file has read permission set for all users, it is
called world readable, and when a file has write permission set
for all users, it is called world writable.
$ chmod a+rw cruise [RET]
An executable file is a file that you can run as a program. To
change the permissions of a file so that all users can run it as a
chmod with `a+x' as the operation.
$ chmod a+x myscript [RET]
NOTE: Often, shell scripts that you obtain or write yourself do not have execute permission set, and you'll have to do this yourself.
[<--] [Cover] [Table of Contents] [Concept Index] [Program Index] [-->]