Absolute BSD - The Ultimate Guide To FreeBSD (2002).pdf

The permissions string is ten characters long, the first character of which indicates whether the item is a directory. The other nine characters are broken into three groups of three that display privileges: The first group shows permissions for the file owner, the second group permissions for the group, and the third permissions for all other users.

The first character in each group represents read, the second write, and the third execute. Consider this listing:

..........................................................................................
-rwxr-xr-- 1 mwlucas admins 1188 Sep 14 09:35 file1
..........................................................................................

You can see that the first group of three characters is rwx. This tells us that the owner, mwlucas, can read, write, and execute the file. The second group of characters, r-x, tells us that people in the admins group can read and execute the file, but cannot write it. And the final group, r--, tells us that anyone on the system can read the file, but may not write or execute it.

Changing Permissions

The permissions on a file are also called its mode. Chmod(1), or "change mode," lets anyone with write permission on a file change its permissions. Chmod can be used in many different ways (see the man page for a full listing), but we'll concentrate on the most common way to change permissions. Although this is not necessarily the easiest method to learn, it is the one you'll see most often and the one that all sysadmins should understand.

The modes as shown in the ls output are kind of clumsy-looking. They're difficult to say, difficult to type, and just all-around difficult to work with. UNIX professionals don't generally put up with that sort of thing for long, especially when it's easy to simplify.[3] You have to know how to read the permissions that were shown earlier, but when you use chmod you can use the short form.

In its short form, the mode is given as a three-digit number, with a range of digits from 0 to 7.[4] The first number represents the owner's permissions, the second the group permissions, and the third everyone else's permissions. (This is octal (base-8) math, much like the binary math we played with in Chapter 5 on networking.) The number 4 means "read," 2 means "write," and 1 means "execute." To set the permissions on a file, add the appropriate numbers together. Clear as mud, eh? Don't worry, we're going to go very slowly here; if you already understand modes, you might want to skip ahead a couple of paragraphs.

Assume that you want a file to be readable, writable, and executable by the owner, readable and executable by the group, and readable to others. This means that our permissions string would look like this: rwxr-xr--.

The first digit of our mode is made up of the owner's permissions, the initial three-letter "rwx" chunk of the permissions string. Read is 4, write is 2, and execute is 1; 4 + 2 + 1 is 7, so the first digit of our mode is 7.

The group permissions are read and execute. Read is 4 and execute is 1; 4 + 1 is 5, so the second digit of our mode is 5.


Finally, others can only read the file. Read is 4, giving us a total of 4, so the third digit of our mode is 4. To change the mode, enter the chmod command:

..........................................................................................
# chmod 754 file1
# ls -l file1
-rwxr-xr-- 1 mwlucas admin 1188 Sep 14 09:35 file1
#
..........................................................................................

You'll most commonly see permissions documented by their mode. Once you've worked with mode for a while, it'll be second nature. Log into your FreeBSD box and play with the permissions on a test file for a while to get the hang of it.
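The arithmetic above, carried out by a script rather than by hand, as an added example that is not from the book: perm_to_octal turns an ls-style permission string into the three-digit mode chmod wants, octal_to_perm goes the other way, and apply_and_readback applies the mode to a scratch file and reads it back from ls -l exactly as the listing does. All three function names are my own; the script assumes a POSIX sh with mktemp, cut and ls.

```sh
#!/bin/sh
# Convert a nine-character permission string such as rwxr-xr-- into the
# three-digit octal mode that chmod takes (r=4, w=2, x=1 for each group).
perm_to_octal() {
    _str=$1; _oct=""
    for _start in 1 4 7; do            # owner, group, others
        _end=$((_start + 2))
        _grp=$(printf '%s' "$_str" | cut -c "$_start-$_end")
        _n=0
        case $_grp in r??) _n=$((_n + 4));; esac
        case $_grp in ?w?) _n=$((_n + 2));; esac
        case $_grp in ??x) _n=$((_n + 1));; esac
        _oct="$_oct$_n"
    done
    printf '%s\n' "$_oct"
}

# The reverse: expand a three-digit octal mode into the string ls -l shows.
octal_to_perm() {
    _perm=""
    for _pos in 1 2 3; do
        _digit=$(printf '%s' "$1" | cut -c "$_pos")
        case $_digit in [4-7]) _perm="${_perm}r";; *) _perm="${_perm}-";; esac
        case $_digit in [2367]) _perm="${_perm}w";; *) _perm="${_perm}-";; esac
        case $_digit in [1357]) _perm="${_perm}x";; *) _perm="${_perm}-";; esac
    done
    printf '%s\n' "$_perm"
}

# Apply a permission string to a scratch file with chmod, then read the mode
# back from ls -l (characters 2-10) the way the book's listing verifies it.
apply_and_readback() {
    _file=$(mktemp) || return 1
    chmod "$(perm_to_octal "$1")" "$_file" || { rm -f "$_file"; return 1; }
    _seen=$(ls -l "$_file" | cut -c 2-10)
    rm -f "$_file"
    printf '%s\n' "$_seen"
}

# Stand-alone run over the modes discussed in the text.
for _p in rwxr-xr-- rw-rw-r-- rw-------; do
    printf '%s -> %s -> %s\n' "$_p" "$(perm_to_octal "$_p")" "$(apply_and_readback "$_p")"
done
```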

Changing File Ownership

Use chown(1) to change who owns a file, and use chgrp(1) to change the group. Both programs take two arguments: a name (a username for chown, a group name for chgrp) and the filename.

In the following listing, we see that file1 is owned by mwlucas, and it is in the group wheel:

..........................................................................................
# ls -l file1
-rwxrwxr-- 1 mwlucas wheel 1188 Sep 14 09:35 file1
#
..........................................................................................

You can change the group with chgrp by entering the following command:

..........................................................................................
# chgrp dns file1
# ls -l file1
-rwxrwxr-- 1 mwlucas dns 1188 Sep 14 09:35 file1
#
..........................................................................................

Now, the file is in the group dns.

You can change both owner and group with chown. To change the owner, use chown as shown here:

..........................................................................................
# ls -l file1
-rwxrwxr-- 1 mwlucas wheel 1188 Sep 14 09:35 file1
# chown bind file1
# ls -l file1
-rwxrwxr-- 1 bind wheel 1188 Sep 14 09:35 file1
#
..........................................................................................

To change both the owner and the group with chown, separate the names with a colon:


..........................................................................................
# chown bind:wheel file2
#
..........................................................................................

Note: Only root can give away files. If you're logged in as a regular user and want someone else to own your files, you cannot do chown otheruser filename. Similarly, if you're not in a group, you cannot give that group ownership of the file.

Assigning Permissions

So, now you know how to set permissions and change file owners and groups. What should you set or change?

Well, for one thing, many sysadmins set files needed by vital system resources, such as DNS server zone files (see Chapter 11), to be owned by root and writable only by root. Thus, regular users cannot access them.

While this approach works acceptably when you only have one administrator, it fails when delegating tasks. Some administrators work around this with add−ons like sudo(8) (in /usr/ports/security/sudo), but these programs are easily misconfigured.

In the past, I've had assistants who, while not yet competent sysadmins, needed to edit vital files, but under no circumstances could they be given the root password. My solution has been to use groups, which lets me restrict access to these files without giving out root. (I'll use DNS in this example, but this approach applies to any system where a restricted list of users needs to edit a set of files.)

First, consider what sort of access you want people to have to the files. In this DNS example, the file owner must be able to read and write the files, and people in the group need to be able to read and write the files as well. Other users must be able to view them but not edit them. Since DNS files are plain text files, not programs, nobody should be able to execute the files. (It does no harm to set executable permissions on a file that isn't a program, but it can confuse people.) So our permissions string will look like rw-rw-r--. The owner's permissions include read (4) and write (2), the group has read (4) and write (2), and others have read-only permissions (4). So, we can set the permissions on the files with chmod 664 filename.

Then you need to assign an owner to the file, bearing in mind that many system programs run as a particular user. For example, the named DNS server runs as bind, while the Apache Web server runs as nobody. While you might think that the server user is a logical owner, that's not necessarily the case, because if someone broke into your DNS server, he could execute commands as the user bind. You may not mind if someone reads these files, but you don't want anyone unauthorized to change them. The simplest solution is to create a separate user to own them.

Creating a New User

You can create a new user with adduser(8). (In Chapter 9, we will discuss adduser(8) and some /etc/login.conf tricks that ensure nobody can actually log in as this user.) Use vipw(8) to disable the password entirely (we will also discuss vipw(8) in Chapter 9), and then change the group on the affected file to "dns". Next, set the permissions for the owner and the group to read and write, but for others to read-only, as shown here:
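Once the files are set up as described in the two sections above, the thing a sysadmin wants is a way to confirm they have stayed that way. The audit below is an added example, not the book's listing or its code: audit_dir walks a directory and reports every regular file whose mode, owner or group differs from the intended rw-rw-r-- / dedicated owner / dns layout, flagging world-writable files specifically. The function names are mine, the sample zone files are constructed, and because chown needs root (see the Note above) the stand-alone run checks owner and group against the current account.

```sh
#!/bin/sh
# Check every regular file in DIR against the delegated-editing layout from the
# text. Prints one line per deviating file; returns 0 when all match, otherwise
# the number of deviating files.
audit_dir() {   # usage: audit_dir DIR EXPECTED_PERM EXPECTED_OWNER EXPECTED_GROUP
    _dir=$1; _want=$2; _owner=$3; _group=$4; _bad=0
    for _f in "$_dir"/*; do
        [ -f "$_f" ] || continue
        set -- $(ls -l "$_f")           # $1 = type+mode, $3 = owner, $4 = group
        _mode=$(printf '%s' "$1" | cut -c 2-10)
        _why=""
        [ "$_mode" = "$_want" ] || _why="$_why mode=$_mode"
        [ "$3" = "$_owner" ]    || _why="$_why owner=$3"
        [ "$4" = "$_group" ]    || _why="$_why group=$4"
        # a 'w' in the others group means anyone on the box can edit zone data
        case $_mode in ???????w?) _why="$_why WORLD-WRITABLE";; esac
        [ -z "$_why" ] || { _bad=$((_bad + 1)); printf '%s:%s\n' "$_f" "$_why"; }
    done
    return "$_bad"
}

# Build a scratch directory of constructed sample files (not real zone data):
# one set correctly, one left world-writable, one mistakenly made executable.
# Prints the directory path.
make_sample_dir() {
    _sd=$(mktemp -d) || return 1
    for _name in example.com.zone sloppy.zone script.zone; do
        printf '; constructed sample zone file\n' > "$_sd/$_name"
    done
    chmod 664 "$_sd/example.com.zone"
    chmod 666 "$_sd/sloppy.zone"
    chmod 755 "$_sd/script.zone"
    printf '%s\n' "$_sd"
}

# Stand-alone run: owner and group are taken from the current account because
# the scratch files cannot be chowned to a dedicated user without root.
_demo=$(make_sample_dir) && {
    audit_dir "$_demo" rw-rw-r-- "$(id -un)" "$(id -gn)" || echo "deviations: $?"
    rm -rf "$_demo"
}
```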
