Files (and users) also belong to groups. Groups are normally used in larger installations, and it may be that you never have to worry about them. But remember that groups are a convenient way of providing access to files for more than one user but not to every user on the system. For instance, users working on a special project could all belong to the group project. Files used by the whole group would also belong to the group project, giving those users special access.
Groups are typically used for logical groups of users. The example above uses a project as the grouping, but groups can be used for different departments, types of users (administrator, accounting, programmers, and so on), or for locations on a large network.
You are a member of one group at all times. When you log in you are placed in your default group, which is set when root creates your user account. You can belong to many different groups, but you can be logged in to only one group at a time. To change the group you are a member of, use the newgrp command. For example, if you are a member of a group called users and also a group called programmers, and you need to change to the programmers group because they have special access to a compiler, issue this command:
newgrp programmers
Linux does not tell you which group you're in. Usually the only way to find out which group is active is to save a file and then look at the permissions. If you try to change to another group that you don't belong to with newgrp, Linux will give you a friendly warning like this one:
newgrp programmers
newgrp: Sorry
You've already seen how to change the ownership of a file. You might also want to change the group owner. To change a file's group ownership, you don't have to belong to the group, but you must own the file. Before you can begin, Linux first checks that the group exists.
The chgrp command is used to change the group the file belongs to. It works just like chown:
chgrp <group> <filename>
For example, to change the ownership of the file book to a group called editors, issue this command:
$ l book*
-rwxr-xr-x 2 tparker group 4512 May 9 09:20 book
$ chgrp editors book
$ l book*
-rwxr-xr-x 2 tparker editors 4512 May 9 09:20 book
You can use wildcards with both chown and chgrp, as the following example shows:
$ l book*
-rwxr-xr-x 2 tparker group 4512 May 9 09:20 book1
-rwxr-xr-x 2 tparker group 4625 May 9 09:21 book2
-rwxr-xr-x 2 tparker group 7834 May 9 09:22 book3
$ chown bills book*
$ l book*
-rwxr-xr-x 2 bills group 4512 May 9 09:20 book1
-rwxr-xr-x 2 bills group 4625 May 9 09:21 book2
-rwxr-xr-x 2 bills group 7834 May 9 09:22 book3
$ chgrp editors book*
$ l book*
-rwxr-xr-x 2 bills editors 4512 May 9 09:20 book1
-rwxr-xr-x 2 bills editors 4625 May 9 09:21 book2
-rwxr-xr-x 2 bills editors 7834 May 9 09:22 book3
Notice that the chgrp and chown commands don't affect anything else about the file, such as the date and time it was created or the permissions in the first field.
Since the early days, UNIX has tried to set up a flexible, powerful, yet simple set of file access permissions that balances security with convenience. The approach UNIX (and hence Linux) takes is simple. It sets only three different types of access (called permissions) that you may have on a file or directory. These are read, write, and execute permissions.
Having read permission to a file enables you to look at the file's contents. In the case of a directory, read permission lets you list the directory's contents using ls.
Write permission enables you to modify (or delete) the file, even if you are not the owner. In the case of a directory, you must have write permission in order to create, move, or delete files in that directory.
Execute permission enables you to execute the file by typing its name. This has no effect if the contents of the file can't be understood by an application. For example, having execute permission on a file that has statistical data in it won't allow you to run it. On the other hand, if the file is a statistical analysis program, it needs execute permission for it to run. With directories, execute permission enables you to cd into them.
So, we have three types of permissions: read, write, and execute. UNIX separates all users on the system into three categories based on the ownership of the file or directory. There is one set of permissions (read, write, and execute) for the owner, another set (read, write, and execute) for anyone in the group that owns the file, and a third set (read, write, and execute) for everyone else on the system (called other or world). The three sets of permissions are written one after another in a consistent format. The permissions are always in order of read, write, and execute; first for owner, then for group, then for other.
That's nine bits of information to indicate the permissions of the file or directory. These bits always appear in a block of ten and are the first thing you see in a long directory listing. The first character is special and indicates whether the entry is a file or directory (there are a few other valid values, but we won't bother with them now). For a concrete example, let's look at the long directory listing for myfile again:
-rw-r--r-- 1 fido users 163 Dec 7 14:31 myfile
The first character of the permissions is -, which indicates that it's an ordinary file. If this were a directory, the first character would be d. The next nine characters are broken into three groups of three, giving permissions for owner, group, and other. Each triplet gives read, write, and execute permissions, always in that order. Permission to read is signified by an r in the first position, permission to write is shown by a w in the second position, and permission to execute is shown by an x in the third position. If a particular permission is absent, its space is filled by -.
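As an added example (not part of the original text), these shell functions decode the ten-character permission field described above and flag entries that everyone on the system can write to. The function names and sample strings are constructed for illustration; only the - and d type characters and plain r, w, and x are accepted, and anything else is rejected.

```shell
# Added example: decode the permission field of a long listing.
# Function names and sample inputs are constructed, not from the book.

# Turn one triplet such as "r-x" into "read,execute".
describe_triplet() {
    t=$1 out=""
    case $t in r??) out="read" ;; esac
    case $t in ?w?) out="${out:+$out,}write" ;; esac
    case $t in ??x) out="${out:+$out,}execute" ;; esac
    printf '%s' "${out:-none}"
}

# Decode a field such as "-rw-r--r--" into type, owner, group, other.
decode_mode() {
    mode=$1
    # Exactly ten characters: one type character, then three rwx triplets.
    case $mode in
        [-d][-r][-w][-x][-r][-w][-x][-r][-w][-x]) ;;
        *) echo "invalid permission field: $mode" >&2; return 1 ;;
    esac
    case $mode in
        d*) kind=directory ;;
        *)  kind=file ;;
    esac
    owner=$(printf '%s' "$mode" | cut -c2-4)
    group=$(printf '%s' "$mode" | cut -c5-7)
    other=$(printf '%s' "$mode" | cut -c8-10)
    printf '%s owner=%s group=%s other=%s\n' "$kind" \
        "$(describe_triplet "$owner")" \
        "$(describe_triplet "$group")" \
        "$(describe_triplet "$other")"
}

# Succeed when the "other" triplet grants write (character 9 is w).
world_writable() {
    case $1 in
        [-d]???????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# The myfile listing from the text, then a constructed world-writable entry.
decode_mode '-rw-r--r--'
for m in '-rw-r--r--' '-rw-rw-rw-'; do
    if world_writable "$m"; then echo "$m: writable by everyone"; fi
done
```
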