Modes and Permissions - Advanced


When a new file is created on a Unix-like system, its permissions are determined from the umask of the process that created it. The umask names the permission bits that are to be removed: every bit that is set in the (octal) umask is masked out of the default value, i.e. the permissions the file would get if no umask were applied.
eipe@eipe-system:~/temp$ umask

The default umask differs from one OS (or distribution) to another. In Ubuntu it is 0022. First, let's see what happens if we set the mask to all 0s. Giving umask the value 0000 is equivalent to turning it off.
eipe@eipe-system:~/temp$ umask 0000
eipe@eipe-system:~/temp$ umask

Let's now create a file and see what its permissions are.
eipe@eipe-system:~/temp$ > myfile
eipe@eipe-system:~/temp$ ls -l
total 0
-rw-rw-rw- 1 eipe eipe 0 2010-12-10 21:57 myfile

The default permission for a regular file when no masking is used is read and write for user, group and everyone.
In binary notation that is 110 110 110 (octal 666).

Now let's give masking a value.
eipe@eipe-system:~/temp$ umask 0022
eipe@eipe-system:~/temp$ > myfile
eipe@eipe-system:~/temp$ ls -l
total 0
-rw-r--r-- 1 eipe eipe 0 2010-12-10 22:00 myfile

Masking is a bitwise operation on the binary values (0022 = 000 000 010 010): a permission bit is kept where the mask bit is 0 and cleared where the mask bit is 1, so a mask can only ever take permissions away.
permission 1, mask 0 = 1 ; permission 1, mask 1 = 0 ; permission 0, mask 0 = 0

000 110 110 110   (default 0666)
000 000 010 010   (umask 0022)
000 110 100 100   (result 0644)

The leading octal digit (the first 3 bits) is not an ordinary permission: it holds the special settings, the setuid, setgid and sticky bits.
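The masking rule above, worked out in code as an added example (not part of the original post) and checked against a file actually created under each umask; it also applies the same rule to the 0777 default of a directory, which the post does not show. It assumes a POSIX shell with mktemp and either GNU or BSD stat.

```sh
#!/bin/sh
# Added example (not from the original post): the umask rule worked out in code.
# Each bit set in the umask is cleared from the default mode; nothing is ever added.

# apply_umask DEFAULT UMASK -> resulting mode, all as 4-digit octal strings.
# The default is 0666 for a regular file and 0777 for a directory.
apply_umask() {
  default="0${1#0}"   # leading 0 so the shell reads the constant as octal
  mask="0${2#0}"
  printf '%04o\n' $(( default & ~mask & 07777 ))
}

# observed_mode UMASK -> mode of a file really created under that umask in a
# scratch directory, normalised to the same 4-digit octal form as apply_umask.
observed_mode() {
  dir=$(mktemp -d) || return 1
  ( umask "$1" && : > "$dir/f" ) || return 1
  m=$(stat -c '%a' "$dir/f" 2>/dev/null || stat -f '%Lp' "$dir/f")   # GNU stat, then BSD stat
  rm -rf "$dir"
  printf '%04o\n' "$((0${m#0}))"
}

# check_umask UMASK -> exit 0 when the arithmetic matches what the kernel did
check_umask() {
  [ "$(apply_umask 0666 "$1")" = "$(observed_mode "$1")" ]
}

# Table for the values discussed in the post plus two stricter masks.
for u in 0000 0022 0027 0077; do
  printf 'umask %s: file %s  directory %s  observed file %s\n' "$u" \
    "$(apply_umask 0666 "$u")" "$(apply_umask 0777 "$u")" "$(observed_mode "$u")"
done
```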

For example consider the below scenario:

Let's create a new user "tom".
If the group names (the users' primary groups) aren't changed, the default group names are the same as the user names, i.e. for eipe the group name is "eipe" and for tom it is "tom".

Let's change the group names to avoid confusion. groupmod takes the new name first and the existing group second; like the other account commands below it needs root privileges (e.g. via sudo).
eipe@eipe-system:~$ groupmod -n egroup eipe
eipe@eipe-system:~$ groupmod -n tgroup tom

(we changed the default group names "eipe" and "tom" to "egroup" and "tgroup").

Let's create a new group "dev".
eipe@eipe-system:~$ groupadd dev

Add users to this group. usermod takes one user at a time, and -a appends to the user's supplementary groups instead of replacing them:
eipe@eipe-system:~$ usermod -a -G dev eipe
eipe@eipe-system:~$ usermod -a -G dev tom

Let's check the individual user IDs.
eipe@eipe-system:~$ id eipe
uid=1000(eipe) gid=1000(egroup) groups=1000(egroup),4(adm),20(dialout),24(cdrom),46(plugdev),111(lpadmin),119(admin),122(sambashare),1002(dev)

eipe@eipe-system:~$ id tom
uid=1001(tom) gid=1001(tgroup) groups=1001(tgroup),1002(dev)

All user account related information is stored in three files:
/etc/passwd – user account details
/etc/shadow – hashed user passwords
/etc/group – group account details

A sample entry in /etc/group


groups [username]

Lists the groups the user (given by username, the current user if omitted) is a member of.

eipe@eipe-system:~/share$ groups
egroup adm dialout cdrom plugdev lpadmin admin sambashare dev

eipe@eipe-system:~/share$ groups tom
tom : tgroup dev

members groupname

Lists the members of a particular group (on Ubuntu the members command comes from the optional members package).
eipe@eipe-system:~/share$ members dev
eipe tom
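To resolve the membership that groups and members report without relying on the optional members package, here is an added example (not from the original post) that reads the two account files directly; a user belongs to a group either as a supplementary member listed in /etc/group or because it is the user's primary group in /etc/passwd. The embedded sample files are constructed to mirror the post's accounts, and the functions take file paths as parameters so they run against the samples or a real /etc/group and /etc/passwd.

```sh
#!/bin/sh
# Added example (not from the original post): full group membership from the
# account files, covering both supplementary (4th field of /etc/group) and
# primary (4th field of /etc/passwd) membership.

# Constructed sample files mirroring the accounts in the post; not a real system dump.
write_samples() {  # prints the directory holding the sample group and passwd files
  dir=$(mktemp -d) || return 1
  cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
eipe:x:1000:1000:eipe:/home/eipe:/bin/bash
tom:x:1001:1001:tom:/home/tom:/bin/bash
EOF
  cat > "$dir/group" <<'EOF'
root:x:0:
adm:x:4:eipe
egroup:x:1000:
tgroup:x:1001:
dev:x:1002:eipe,tom
EOF
  printf '%s\n' "$dir"
}

# group_members GROUP [GROUPFILE] [PASSWDFILE] -> sorted, space-separated members
group_members() {
  awk -F: -v g="$1" '
    FNR == NR {                              # first file: the group file
      if ($1 == g) {
        gid = $3
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
      }
      next
    }
    gid != "" && $4 == gid { seen[$1] = 1 }  # second file: users whose primary group it is
    END { for (u in seen) print u }
  ' "${2:-/etc/group}" "${3:-/etc/passwd}" | sort | paste -sd ' ' -
}

# in_group USER GROUP [GROUPFILE] [PASSWDFILE] -> exit 0 when USER belongs to GROUP
in_group() {
  case " $(group_members "$2" "$3" "$4") " in
    *" $1 "*) return 0 ;;
  esac
  return 1
}

d=$(write_samples) && printf 'dev: %s\n' "$(group_members dev "$d/group" "$d/passwd")" && rm -rf "$d"
```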

Let's consider a scenario.

I (eipe) create a folder “share” that needs to be shared with other users.
eipe@eipe-system:~$ mkdir share
eipe@eipe-system:~$ ls -l | grep share
drwxr-xr-x 2 eipe egroup 4096 2010-12-12 15:01 share

Note that the folder must be group-executable (searchable) for the group to enter it, so change the group permissions to r-x if necessary.

Then I create a script file called “” in share.
eipe@eipe-system:~/share$ cat>
ls -la
eipe@eipe-system:~/share$ ./
bash: ./ Permission denied

This is because a newly created file is not executable by default (the 0666 default carries no x bits).
eipe@eipe-system:~/share$ ls -l
total 4
-rw-r--r-- 1 eipe egroup 7 2010-12-12 16:39

Since I'm planning to share it, I need to make it executable for both me (eipe) and my group.
eipe@eipe-system:~/share$ chmod ug+x
eipe@eipe-system:~/share$ ./
total 12
drwxr-xr-x 2 eipe egroup 4096 2010-12-12 16:39 .
drwxr-xr-x 53 eipe egroup 4096 2010-12-12 16:39 ..
-rwxr-xr-- 1 eipe egroup 7 2010-12-12 16:39

Now tom logs in.
eipe@eipe-system:~$ su tom
tom@eipe-system:/home/eipe$ cd share
tom@eipe-system:/home/eipe/share$ ./
bash: ./ Permission denied

This is because the group associated with the file is “egroup” and not “dev”. Every file belongs to a user and a group, and the group is usually the primary group of the user who created the file. tom is not a member of egroup, so the permissions for “others” (r--) apply to him: he can read the file but not execute it.

There are 2 solutions:

Solution 1:

Since tom is given read access to the file he could copy it to another location and then run that file.
tom@eipe-system:/home/eipe/share$ cp /home/tom/
tom@eipe-system:/home/eipe/share$ cd /home/tom
tom@eipe-system:~$ ls -l
total 8
-rwxr-xr-- 1 tom tgroup 7 2010-12-12 17:08
-rw-r--r-- 1 tom tgroup 179 2010-12-11 09:40 examples.desktop
tom@eipe-system:~$ ./

Note that tom had to change the directory, since he was in eipe's home folder, where he cannot create files.

Solution 2:

Changing the group ownership of a file:
chgrp groupname filename
The -R option changes the group of every file under a directory recursively.
eipe@eipe-system:~/share$ chgrp dev
chgrp: changing group of `': Operation not permitted

This is because, after creating the new group "dev", I didn't restart the system.

After logging in again,
eipe@eipe-system:~/share$ chgrp dev
eipe@eipe-system:~/share$ ls -l
total 4
-rwxr-xr-- 1 eipe dev 7 2010-12-12 16:39

Now tom logs in and he can execute the file.
eipe@eipe-system:~/share$ su tom
tom@eipe-system:/home/eipe/share$ ./
total 12
drwxr-xr-x 2 eipe egroup 4096 2010-12-12 16:39 .
drwxr-xr-x 54 eipe egroup 4096 2010-12-12 18:09 ..
-rwxr-xr-- 1 eipe dev 7 2010-12-12 16:39
