This lab is intended for beginners who have experience with basic Linux commands (such as cp, cd, mv, ls, rm, rmdir, and mkdir). You might want to brush up on your basic commands if you are really rusty (see the Basic Linux Commands lab in this series).
Windows users: You must have an SSH-capable terminal program, such as PuTTY, installed on your machine so you can log into the Linux machine using SSH.
Upon completion of this lab, you will have practiced changing permissions and ownership attributes on a text file and a directory you create.
As in the previous lab, the bash prompt in this lab will be written as ninja@ultimatepower:~$. Yours will be different, but don't worry about it.
To make sure that your system behaves in the same way as the examples, check your current umask and, if it is not 0022, set it. (The umask applies only to the current shell session, so repeat this after you log out and back in later in the lab.)
ninja@ultimatepower:~$ umask
0002
ninja@ultimatepower:~$ umask 0022
ninja@ultimatepower:~$ umask
0022
For one exercise, you will need "root privileges" on your system, either through the "root account" or the sudo command. (The name of the Administrator account in Linux is "root"; note that the "root account" is not the same as /, the "root directory".) Using the sudo command (SuperUser DO), you can temporarily "act as root", which means you can tell your machine (and sometimes your friends) to do a lot more things (such as make you a sandwich... just kidding, but do check out the xkcd.com comic about sudo).
To find out if you have sudo access, try running the ls command as sudo, as shown.
ninja@ultimatepower:~$ sudo ls
Enter your password when prompted.
If sudo works, you will see the expected ls output.
If sudo does not work, you will see an error message and will need to do one of the following:
Bit o' History: In the late 1960s, computers were rare, extremely expensive, generally existed only in big research labs, and were shared by many users. Because of this shared-access situation, the UNIX operating system (OS) was designed to accommodate multiple users while keeping each user's files secure and accessible only to that user, unless the user chose to share them.
Today's Linux systems inherit many features from UNIX including being a multi-user OS. For example, you might be sitting at your computer while two trusted friends are logged in remotely through SSH (or another service) and sharing your machine (one would hope that these are trusted friends...).
You and your friends can share your Linux computer because Linux uses a system of file ownership and permissions to determine:
Even if you are the only user of a Linux machine, you really are not the only "user" as far as the system is concerned. You are merely the only human user. As in UNIX, Linux has a number of non-human user accounts, such as:
Because user accounts and permissions are such an integral part of the system, this lab will teach you about how these work in Linux.
Since we'll be creating some example files, it would be nice to have a working directory other than our homes. The /tmp (temporary) directory is perfect for this job. Just don't ever put anything important there: files in /tmp sometimes get deleted automagically! It is also shared with every other user on the machine, so don't put anything secret there either; /tmp is writable by everyone, and only a special "sticky" bit on it stops other users from deleting your files.
ninja@ultimatepower:~$ cd /tmp
ninja@ultimatepower:/tmp$
In the first training module, you learned how to use an editor to create a text file. Now you will learn how you can use the touch command to quickly create a new file to work with. The touch command is used primarily to update the "last modified" timestamp information on an existing file, but if you touch a filename that doesn't exist, a zero-byte (0 byte) file is automatically created.
Type the command as shown, and then press Enter.
ninja@ultimatepower:/tmp$ touch thestars.txt
Since there was (hopefully) no file with that name in your working directory, a new file has been created.
To display the new file, type ls -l (and then press Enter). Adding the -l flag makes ls show the permissions, owner, group, size and timestamp for each file listed:
ninja@ultimatepower:/tmp$ ls -l
total 0
-rw-r--r-- 1 ninja ninjas 0 Apr 26 12:07 thestars.txt
(With the umask of 0022 you set earlier, a new regular file starts out as -rw-r--r--. You will learn to read that string shortly.)
The permissions, owners and groups are displayed for each file. In this example, ninja is the owner of the only file in this directory.
Notice that the group ninja belongs to is named ninjas. At the moment, the group ninjas contains only one user, ninja.
To find out what groups you are a member of, use the groups command:
ninja@ultimatepower:/tmp$ groups
ninjas
What if ninja wants to share the thestars.txt with a user named pirate but not with anyone else?
To share the file, ninja needs to be in a group with pirate and set permissions on that file that allow just the two of them to access it (it's a secret!).
However... since it's unlikely the account already exists on your system, you will need to add a user account named pirate to your system. ;)
Using sudo (or a root account) you can create a new user very quickly with the useradd command. (Want to know more? Try searching www.google.com/linux.)
ninja@ultimatepower:/tmp$ sudo useradd pirate
Password: [ type your password here ]
Make sure you created the new user by typing id pirate, and then press Enter.
ninja@ultimatepower:/tmp$ id pirate
uid=1001(pirate) gid=100(users) groups=100(users)
Acting as sudo (or root), create a new group using the groupadd command, as shown.
ninja@ultimatepower:/tmp$ sudo groupadd piratesandninjas
Now add pirate to the new group piratesandninjas using usermod (User MODify) with the -a -G options: -G names the supplementary group and -a appends it to the groups the user already has. Without -a, usermod -G replaces the user's whole supplementary group list, which is harmless for a brand-new account like pirate but would silently drop an existing user out of groups such as sudo. Remember that ninja has to be in the group as well, so add both users. (Check the man page for lots of details!)
ninja@ultimatepower:/tmp$ sudo usermod -a -G piratesandninjas pirate
ninja@ultimatepower:/tmp$ sudo usermod -a -G piratesandninjas ninja
You (ninja in the example) need to log out and back in for your shell to pick up the new group membership: a process receives its group list at login, and changing the group database does not update sessions that are already running. (Remember to set umask 0022 again when you log back in.)
ninja@ultimatepower:/tmp$ exit
[ log in ]
Once you are logged back in, verify your new group memberships and then hop back to the /tmp directory as shown.
ninja@ultimatepower:~$ groups
ninjas piratesandninjas
ninja@ultimatepower:~$ cd /tmp
The file thestars.txt still belongs to the old (ninjas) group. In order for pirate to access it through the group, you will need to change the group of thestars.txt from ninjas to piratesandninjas. The command for changing the ownership of a file is chown (change owner); it changes the group too when you give it user:group. An ordinary user can only assign a file to a group they are a member of, which is why ninja had to be added to piratesandninjas and log back in first.
The syntax is chown user:group filename, so type chown yourname:piratesandninjas thestars.txt and press Enter.
ninja@ultimatepower:/tmp$ chown ninja:piratesandninjas thestars.txt
To see what changed, type ls -l and press Enter.
ninja@ultimatepower:/tmp$ ls -l
total 0
-rw-r--r-- 1 ninja piratesandninjas 0 Apr 26 12:07 thestars.txt
The file is now owned by the piratesandninjas group! So what happens if ninja wants to give sole ownership of the file to pirate?
Could ninja change the ownership of thestars.txt to pirate using chown as shown?
ninja@ultimatepower:/tmp$ chown pirate:piratesandninjas thestars.txt
chown: changing ownership of `thestars.txt': Operation not permitted
Oops! Ninja forgot that changing the user who owns a file (as opposed to its group) requires root privileges: on Linux, only root can give a file away to another user. If ninja were acting as root, this command would work perfectly. Try doing this yourself!
If you have forgotten how to act like root, think back to how you created the user pirate (hint: SuperUser DO) and try again. After giving ownership to pirate, use ls -l to verify that he is the owner, and then hand ownership back to ninja (with sudo again, since the file is no longer yours) so we can continue manipulating it.
Look again at the ls -l line for thestars.txt from when pirate owned it. It should look something like this:
-rw-r--r-- 1 pirate piratesandninjas 0 Apr 26 12:07 thestars.txt
The first 10 characters on the line give you lots of information about the file. Each character position contains a value that tells you something about the file type or what sort of access restrictions have been placed on the file.
| Spaces | 0123456789 |
|---|---|
| File Type and Permission Values | -rw-r--r-- |
In the example, the spaces for thestars.txt are set as follows:
| First space | Owner | Group | Other |
|---|---|---|---|
| - | rw- | r-- | r-- |
The first (leftmost) space indicates whether or not a given filename is a directory, a special sort of file (we haven't talked about these yet), or just a plain regular file. If the first space contains a "d", the file is a directory. In our example, there is no "d" because thestars.txt is just a plain old file.
The next nine (9) spaces are permissions for each of three (3) user types: Owner, Group, and Other (everyone else). Each user has three permissions types: read (r), write (w), or execute (x). These are either "granted" or "not granted".
If a space contains a letter, that permission has been granted. If it contains a hyphen (-) instead of a letter, that permission is not granted.
Notice that for thestars.txt, the Owner has read and write permission, while Group and Other have read permission only, and nobody has execute permission:
| First space | Owner | Group | Other |
|---|---|---|---|
| - | rw- | r-- | r-- |
A very useful way to represent the permissions is by using a number value instead of the letter combinations. You will see this permission "shorthand" used shortly and you will learn how to use it to set file permissions yourself.
In this permissions representation scheme, the numbers from 0 to 7 indicate the settings for read, write and execute permissions for a particular user, as shown in the following table:
| Number | Read (r) | Write (w) | Execute (x) |
|---|---|---|---|
| 0 | - | - | - |
| 1 | - | - | x |
| 2 | - | w | - |
| 3 | - | w | x |
| 4 | r | - | - |
| 5 | r | - | x |
| 6 | r | w | - |
| 7 | r | w | x |
Using this table, find the line that matches the three permissions for each of the three user types. The value for the Owner is 6 (rw-). The value for Group and Other is 4 (r--).
Now you can see that the permission settings for all three user types can be represented by the number 644.
These numbers are derived from the octal notation (Base 8) that represents the settings (in bits), but you don't have to know about bits to read or set the values.
Instead, when you want to set permissions, you can add up the values for permissions you want to grant for each user type, using the following table.
You can put in the value 0 if you want to deny all permissions for a given user type.
| | Owner | Group | Other |
|---|---|---|---|
| Read | 4 | 4 | 4 |
| Write | 2 | 2 | 2 |
| Execute | 1 | 1 | 1 |
| Total | up to 7 | up to 7 | up to 7 |
Add up the numbers for the permission settings of thestars.txt. As before, the value for the Owner is 6 (read, write, no execute). The value for Group and Other is 4 (read only). The permission settings for all three user types can be represented by the number 644.
| | Owner | Group | Other |
|---|---|---|---|
| permissions | rw- | r-- | r-- |
| written numerically | 4 + 2 + 0 | 4 + 0 + 0 | 4 + 0 + 0 |
| equals | 6 | 4 | 4 |
So, the number 644 means that thestars.txt can be read and written to by its owner (pirate, at the time of that listing), and can only be read by members of the piratesandninjas group and by the rest of the world. Nobody can execute it. This numeric permissions shorthand will come in handy soon...
(Want to know more? Try searching www.google.com/linux to find more tutorials and resources.)
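As an added example (not part of the original lab), here is a small POSIX shell script that does the conversion from the tables above in both directions: it turns the ten-character mode string printed by ls -l into the octal shorthand used by chmod, and back. It goes a little beyond the lab by also understanding the s/S and t/T letters (setuid, setgid and the sticky bit), which it reports as a leading fourth digit, and by reading the mode of a real file from ls -ld, which works on both GNU and BSD systems. The mode strings in the demo loop are constructed for illustration; the function names are my own.

```sh
#!/bin/sh
# Added example: convert between the 10-character mode string that ls -l
# prints (e.g. -rw-r--r--) and the octal shorthand that chmod takes (644).

# mode_to_octal MODESTRING  ->  -rwxr-xr-x => 755, drwxrwxrwt => 1777
# The s/S (setuid, setgid) and t/T (sticky) letters the lab has not covered
# are folded into a leading fourth digit (4, 2 and 1 respectively).
mode_to_octal() {
    rest=${1#?}                       # drop the file-type character
    if [ ${#rest} -ne 9 ]; then
        echo "mode_to_octal: expected a 10-character mode string, got '$1'" >&2
        return 1
    fi
    special=0
    digits=""
    for weight in 4 2 1; do           # owner/setuid, group/setgid, other/sticky
        triplet=$(printf '%.3s' "$rest")
        rest=${rest#???}
        n=0
        case $triplet in r??) n=$((n + 4)) ;; esac
        case $triplet in ?w?) n=$((n + 2)) ;; esac
        case $triplet in ??[xst]) n=$((n + 1)) ;; esac          # x is set
        case $triplet in ??[sStT]) special=$((special + weight)) ;; esac
        digits="$digits$n"
    done
    if [ "$special" -eq 0 ]; then echo "$digits"; else echo "$special$digits"; fi
}

# octal_to_mode OCTAL  ->  the nine permission letters, e.g. 740 => rwxr-----
# (permission bits only; a leading setuid/setgid/sticky digit is ignored)
octal_to_mode() {
    m=$(( 0$1 & 0777 ))               # leading 0 forces octal parsing
    out=""
    for pos in 6 3 0; do              # owner, group, other
        case $(( (m >> pos) & 7 )) in
            0) out="${out}---" ;; 1) out="${out}--x" ;;
            2) out="${out}-w-" ;; 3) out="${out}-wx" ;;
            4) out="${out}r--" ;; 5) out="${out}r-x" ;;
            6) out="${out}rw-" ;; 7) out="${out}rwx" ;;
        esac
    done
    echo "$out"
}

# octal_of_path PATH  ->  octal mode of a real file, read from ls -ld
# (the first ten columns are the same on GNU and BSD ls; stat's flags differ)
octal_of_path() {
    mode_to_octal "$(ls -ld "$1" | cut -c1-10)"
}

# Demo: a few constructed mode strings, one reverse conversion, and /tmp,
# which on most systems is drwxrwxrwt (1777: world-writable plus sticky).
for s in -rw-r--r-- -rwxr-x--- drwxrwxrwt; do
    printf '%-12s => %s\n' "$s" "$(mode_to_octal "$s")"
done
printf '740          => %s\n' "$(octal_to_mode 740)"
printf '/tmp         => %s\n' "$(octal_of_path /tmp)"
```

Try octal_of_path on the files you created in this lab; the answer should match what you worked out by hand from the tables.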
Before continuing with this lab, perform the following tasks. Refer to the charts above for help if you need to.
Open your copy of thestars.txt in your favorite text editor (nano, pico, or anything else you like) by typing the editor name followed by the filename. For example, type nano thestars.txt and press Enter.
In the editor, type the ls commands shown below, following each one with Enter. Be sure to enter the commands exactly as shown with one command per line.
ls -a
ls -l
ls -F
When you are finished, save the file and then exit the editor (refer to the Basic Linux Commands lab if you don't remember how to work with the editor).
Type ls -l and press Enter to see how the file size changed as a result of your edits. In the example, the file size changed to 19 bytes; yours may be slightly different.
ninja@ultimatepower:/tmp$ ls -l
total 4
-rw-r--r-- 1 ninja piratesandninjas 19 Apr 26 13:35 thestars.txt
Type the cat command (short for concatenate) and thestars.txt, then press Enter to display the file's contents. This works because you (ninja) still have access to the file.
ninja@ultimatepower:/tmp$ cat thestars.txt
ls -a
ls -l
ls -F
To change the file's permissions, you will use the chmod (change mode) command in numeric mode, using the octal numbers to set permissions. (chmod also has a symbolic mode, such as u+x to add execute permission for the owner; explore it with man if you are curious.)
To begin, remove all permissions from the file using chmod 000 (read, write and execute = not set), and the name of the file, as shown:
ninja@ultimatepower:/tmp$ chmod 000 thestars.txt
When you list the file with ls -l, you can see that all permissions were removed.
ninja@ultimatepower:/tmp$ ls -l
total 4
---------- 1 ninja piratesandninjas 19 Apr 26 13:35 thestars.txt
Do you think the owner of a file can use cat to display its contents when read permission is disabled? That is, does being the owner of a file override the file's permission bits?
Try using cat to display the contents of the file and see! (It fails with Permission denied: ownership does not bypass the permission bits. What the owner can always do is chmod them back, so mode 000 protects a file from accidents, not from its owner. Root is different: root skips these permission checks altogether.)
Next, use chmod to set full permissions to the file owner, give read-only access to the piratesandninjas group, and give no permission at all for outsiders.
ninja@ultimatepower:/tmp$ chmod 740 thestars.txt
When you gave full permissions to the file owner (7), you changed something you might not have expected to change.
Type ls -l --color to see a visual representation of the change.
ninja@ultimatepower:/tmp$ ls -l --color
total 4
-rwxr----- 1 ninja piratesandninjas 19 Apr 26 13:35 thestars.txt
When you use --color, directories are typically shown in blue and regular files in the terminal's default colour, usually white on a black screen (note: your colour scheme may differ). In the example, thestars.txt displays in green, which usually signals that the file is now executable.
This is an important difference between Linux and Windows. Windows uses file extensions to recognize if a file is executable (for example, a .exe or .com file). In Linux, the "x" execute permission attribute determines if a file is executable.
So... you might think that since the file is just a text file it can't really be executed, but in Linux, that is not true! The file you made contains a list of valid commands, so if you try to execute the file, each of those commands inside will be run by the shell just as if you'd typed them in one by one.
In Linux, a text file containing a list of valid commands is called a "shell script". If that file has the execute permission set, the script can be "run" and the commands will execute, one after the other, until all of the commands are processed. Shell scripts are similar to DOS "batch files" in Windows (files that have a .bat extension), but, unlike DOS, the Linux shell will not run the file as a program unless execute permission is set. Keep in mind that the execute bit is not a security boundary for scripts, though: bash thestars.txt, or source thestars.txt, runs exactly the same commands without it, as long as the file is readable.
Since the file is executable, perhaps you can "run" it to see how a script works. Type in the file name, and press Enter to see if you can execute the file.
ninja@ultimatepower:/tmp$ thestars.txt
bash: thestars.txt: command not found
Command not found? But... but... it is right there! Why can't Bash (our default shell) run the file?
The answer is that Bash does not look in the current working directory for programs. By default, Bash searches the list of directories in its PATH variable (the "command path"), which holds the places where executables usually live, such as /bin and /usr/bin. It is possible to add directories to PATH, but adding the current directory to it is a classic mistake: in a shared directory like /tmp, anyone could leave a file named ls there and have you run their commands instead of the real ls. For now, let us just tell Bash explicitly where our file is and try again.
To tell Bash where the file is, you can type the full path of the file (/tmp/thestars.txt), or use the dot (.) to specify the current working directory, as shown below. Recall from the Basic Linux Commands lab that a dot by itself represents the current directory. You can follow it with a slash just like any other directory name — adding the slash says "a file (or yet another directory) inside the current directory".
ninja@ultimatepower:/tmp$ ./thestars.txt
.  ..  thestars.txt
total 4
-rwxr----- 1 ninja piratesandninjas 19 Apr 26 13:35 thestars.txt
thestars.txt*
The Bash shell processed the three commands (each on a separate line) in the text file! The output on your screen is a result of running ls -a, ls -l, and ls -F, in that order.
Try adding more commands to thestars.txt and then execute the file again. As you experiment, keep in mind that all these commands are run as soon as you execute the file without any prompting, so be careful using commands such as rm, mv, and other commands that make changes to files.
Here are some suggestions for commands to add to thestars.txt.
What else can you do with file permissions beyond making a file executable by you?
To find out, you will create a new directory and make sure you can read it, write things in it, and go into it (enter the directory).
Remember how to create a new directory (hint: MaKe a DIRectory)?
Make a directory called "coffee", and then view its permissions, as shown.
ninja@ultimatepower:/tmp$ mkdir coffee
ninja@ultimatepower:/tmp$ ls -l
total 8
drwxr-xr-x 2 ninja ninjas 4096 Apr 26 15:52 coffee
-rwxr----- 1 ninja piratesandninjas 19 Apr 26 13:35 thestars.txt
The permissions column shows that coffee is a directory (notice the d) owned by ninja. She has read, write, and execute permissions on it, while the group and everyone else have read and execute (the 755 that your umask of 0022 produces for new directories). Why would anyone need execute permission on a directory? You'll find out in a moment.
Your first task is to move thestars.txt file into the coffee directory so you can explore what the permissions on the directory do. Enter the command, as shown, to move the file:
ninja@ultimatepower:/tmp$ mv thestars.txt ./coffee/
Use the change directory command, cd, to change your working directory to coffee, and then list the contents of your working directory.
ninja@ultimatepower:/tmp$ cd coffee
ninja@ultimatepower:/tmp/coffee$ ls -l
-rwxr----- 1 ninja piratesandninjas 19 Apr 26 13:35 thestars.txt
Now you can play with the permissions on coffee/ and figure out what the x permission means.
Use cd to go back up a level to the parent directory of coffee (you could run chmod on . from inside, but taking away your own permissions on the directory you are standing in gets confusing fast), then use chmod as shown to set the coffee directory to "read-only" for all users.
ninja@ultimatepower:/tmp/coffee$ cd ..
ninja@ultimatepower:/tmp$ chmod 444 coffee
List the files and see how the permissions on the coffee directory changed.
ninja@ultimatepower:/tmp$ ls -l
total 4
dr--r--r-- 2 ninja ninjas 4096 Apr 26 15:52 coffee
Try listing the names in coffee:
ninja@ultimatepower:/tmp$ ls coffee/
thestars.txt
(A plain ls works, but ls -l coffee/ would not be able to show the details: reading a directory gives you the names of its entries, and reaching each entry to look at its permissions and size needs execute permission on the directory as well.)
So far so good! Now try changing your working directory to coffee:
ninja@ultimatepower:/tmp$ cd coffee
bash: cd: coffee: Permission denied
It turns out that the execute permission is what allows you to enter a directory, and more generally to reach anything inside it by name. Read permission is what allows you to list a directory's contents. Write permission is what you needed to add (or remove, or rename) a file in the directory, and it only works together with execute.
What do you think would happen if you had execute permission but no read permission on a directory?
To find out, use chmod to change the coffee directory's permissions for all users to "execute only", as shown.
ninja@ultimatepower:/tmp$ chmod 111 coffee
Use cd to change your working directory to coffee.
ninja@ultimatepower:/tmp$ cd coffee/
ninja@ultimatepower:/tmp/coffee$ ls
ls: .: Permission denied
Aha! Permission was denied because you only have execute permission for the directory! You can go inside it, but can't see what's there.
You have now learned what read, write and execute permissions on directories mean. Try to think of where changing the read, write or execute permissions on a directory might be useful, such as on a supervisor's "drop box" directory where employees would be able to turn in (cp) their reports but not be able to see (ls) what their co-workers had turned in: that directory would have write and execute permission for the group, but no read permission.
Change the permissions on coffee back to 755 so that you have read, write, and execute permissions again.
ninja@ultimatepower:/tmp/coffee$ cd ..
ninja@ultimatepower:/tmp$ chmod 755 coffee
You can prove that you have write access to the file (even though it's not your working directory!) without editing the file by using the touch command to write a new timestamp onto the file. (Your timestamp will be the current date and time, unlike this example.)
ninja@ultimatepower:/tmp$ touch ./coffee/thestars.txt
ninja@ultimatepower:/tmp$ ls -l ./coffee/thestars.txt
-rwxr----- 1 ninja piratesandninjas 19 Apr 26 16:10 ./coffee/thestars.txt
Do you think you would be able to touch thestars.txt if you no longer had write permission on coffee?
Change the permissions to remove your write access:
ninja@ultimatepower:/tmp$ chmod 500 coffee
Can you still view what's inside coffee?
ninja@ultimatepower:/tmp$ ls -l coffee/
-rwxr----- 1 ninja piratesandninjas 19 Apr 26 16:10 thestars.txt
Type touch ./coffee/thestars.txt and press Enter, then ls -l to check whether the timestamp changed:
ninja@ultimatepower:/tmp$ touch ./coffee/thestars.txt
ninja@ultimatepower:/tmp$ ls -l ./coffee/thestars.txt
-rwxr----- 1 ninja piratesandninjas 19 Apr 26 16:15 ./coffee/thestars.txt
Amazing! The timestamp changed! Why are you allowed to touch thestars.txt when you no longer have write access to the coffee directory? Take a look at the permissions on thestars.txt itself. Did you have write access to the file? Yes! (And you still had execute permission on coffee, which is what let you reach the file by name.)
This illustrates an important point: Even though you may not be allowed to write to a directory, you may still have write permissions for files inside the directory, depending on how those files were created. Each file has its own permissions that do not automatically change if you move the file into a directory with different permissions.
To prove that you really don't have write access to coffee, change your working directory to coffee, and then see if you can use touch to create a new file called "this":
ninja@ultimatepower:/tmp$ cd coffee/
ninja@ultimatepower:/tmp/coffee$ touch this
touch: cannot touch `this': Permission denied
Can't touch this, indeed!
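The following script is an added example, not part of the original lab. It repeats the coffee experiments above automatically: for each mode it builds a scratch copy of coffee/thestars.txt under a directory created with mktemp, applies the mode to the directory, and reports whether listing names, entering, creating a new file, and touching the existing file succeed. Run it as an ordinary user; root is exempt from these permission checks and would report yes for everything. The function name probe_dir is my own.

```sh
#!/bin/sh
# Added example: probe what r, w and x on a directory let you do, using the
# lab's coffee/thestars.txt layout inside a scratch directory that is
# removed afterwards. Root bypasses these checks, so run it as a normal user.

# probe_dir MODE -> one line: list=.. enter=.. create=.. touch_existing=..
probe_dir() {
    base=$(mktemp -d) || return 1
    mkdir "$base/coffee"
    touch "$base/coffee/thestars.txt"   # our own file, so we may write to it
    chmod "$1" "$base/coffee"

    # r: read the directory's entries (names only; details would need x too)
    if ls "$base/coffee" >/dev/null 2>&1; then list=yes; else list=no; fi
    # x: enter the directory, i.e. resolve paths through it
    if ( cd "$base/coffee" ) 2>/dev/null; then enter=yes; else enter=no; fi
    # w together with x: add a new entry to the directory
    if touch "$base/coffee/this" 2>/dev/null; then create=yes; else create=no; fi
    # the file keeps its own mode, so touching it needs only x on the
    # directory (to reach it) plus permission on the file itself
    if touch "$base/coffee/thestars.txt" 2>/dev/null; then
        touch_existing=yes
    else
        touch_existing=no
    fi

    chmod 700 "$base/coffee"            # make the scratch tree removable again
    rm -rf "$base"
    echo "list=$list enter=$enter create=$create touch_existing=$touch_existing"
}

# Demo: the four modes the lab walks through.
for mode in 755 444 111 500; do
    printf 'chmod %s coffee: %s\n' "$mode" "$(probe_dir "$mode")"
done
```

Compare the 444 and 111 lines with what you saw by hand: read alone lets you see the names, execute alone lets you go in and reach a file you already know the name of, and neither lets you create anything.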
At the beginning of the lab, you used the umask command without learning what it does. Now that you know more about permissions, you are well equipped to learn about umask.
umask is short for "user file-creation mode mask", which is a cryptic way of saying "the permission bits to withhold from newly created files and directories". It is not the default permission itself, but the part that gets taken away from it.
A common default umask is 0022; on distributions that give each user a private group, ordinary accounts often get 0002 instead, which is why you were told to set it to 0022 at the start so that your listings match the examples. Giving yourself broad permissions makes sense when you consider that if you create a file or directory, you probably want full permission to access it. But how does the 0022 relate to the permissions?
The first digit in the umask string can be used for special purposes; for now, a zero (0) first digit means "standard file or directory". The next three digits are the permissions you want taken away from the starting values, which are 777 for directories and 666 for regular files (a new regular file never starts out executable; you add that with chmod, as you did above).
When you create new files, you generally want to have the default set for yourself at the maximum: 7 (read, write, and execute) for directories and 6 (read and write) for files. You probably want your group to be able to read files you create, but not overwrite them unless you specifically want them to, so you would set group permission to 5 (dir) or 4 (file). If you want all users to be able to read your file, you would set that permission to 5 (dir) or 4 (file) as well. So, your desired default permission settings would be 755 or 644.
Now, when you mask the starting values for directories and files with 0022, as shown, you are removing exactly the permissions you don't want other people to have. Strictly speaking, the system clears each bit that is set in the umask rather than doing arithmetic; for masks like 0022 or 0027, subtracting digit by digit gives the same answer, but it does not in general (666 with a umask of 0077 gives 600, which no digit subtraction produces).
| Directories | Special | Owner | Group | Other |
|---|---|---|---|---|
| starting directory permissions | 0 | 7 | 7 | 7 |
| umask value | 0 | 0 | 2 | 2 |
| bits left after masking | 0 | 7 | 5 | 5 |
| permission result | | rwx | r-x | r-x |
| Files | Special | Owner | Group | Other |
|---|---|---|---|---|
| starting file permissions | 0 | 6 | 6 | 6 |
| umask value | 0 | 0 | 2 | 2 |
| bits left after masking | 0 | 6 | 4 | 4 |
| permission result | | rw- | r-- | r-- |
So, setting the umask to 0022 means that when you create a new directory, the default permissions for it will be 755. When you create a new file, the default permissions will be 644. That's a lot more convenient than setting them manually every time , don't you think?
Question: How would the default permissions be affected if you change the umask to 0027?
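This added example (not from the lab) computes the mode a new directory or file receives under a given umask the way the kernel does, by clearing the bits that are set in the mask rather than subtracting digits. It answers the 0027 question above and also shows a mask, 0077, where digit subtraction would give the wrong answer. The function names are my own.

```sh
#!/bin/sh
# Added example: what mode does a new directory or file get under a umask?
# The kernel computes  starting_mode AND NOT umask ; this does the same.

# apply_umask STARTING UMASK -> resulting mode in octal, e.g. 777 0022 -> 755
apply_umask() {
    starting=$(( 0$1 & 07777 ))        # leading 0 forces octal parsing
    mask=$(( 0$2 & 07777 ))
    printf '%03o\n' $(( starting & ~mask & 07777 ))
}

# The two starting values the lab describes: 777 for directories, 666 for files.
new_dir_mode()  { apply_umask 777 "$1"; }
new_file_mode() { apply_umask 666 "$1"; }

# Demo: the lab's 0022, the 0027 question, and 0077, where subtracting
# digits (6-7 per column) makes no sense but masking gives 600 / 700.
for m in 0022 0027 0077; do
    printf 'umask %s: new directory %s, new file %s\n' \
        "$m" "$(new_dir_mode "$m")" "$(new_file_mode "$m")"
done
```

You can confirm any line of the output by setting that umask in a subshell, creating a directory and a file, and reading their modes with ls -l.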
Flex your muscles because you now have the power to restrict (and grant) read, write, and execute access to files and directories! Don't think your powers are unlimited though. You can't block your little sister from accessing her favorite social networking site... yet. (Just imagine how she'd cry if you could!)
What are the minimum permissions for the coffee directory that you'd need in order to touch the this file? Of course, 777 for coffee works, but what are the minimum permissions for you to be able to touch this?
Lucy is a member of your group (You don't need to create Lucy. Just assume she's a member of your group). I (yes, I am the author of this lab, but I could be anyone!) am not you and I am not a member of your group.
Set the minimum permissions needed to:
You have a rather... um, retro pair of very baggy pants (file) in your closet (directory). These have considerable sentimental value to you, but you don't like people to see them because they are so '80s!