Instead of referring to your Linux system as "it" or "that thing,"
you can give it a name that it recognizes to some extent. This name is especially
important when you deal with e-mail or networks where others must have some method of
identifying your machine from all the others on the network. This chapter starts by
looking at how to give your machine a name and what rules you must follow to ensure other
machines can work with your newly named machine.
The rest of this chapter looks at access permissions, a confusing subject for many
system administrators. The permission block is often completely misunderstood, and the
permissions attached to files and directories are often set incorrectly, preventing access
to users who need it or worse, allowing wide-open access to sensitive information. After
explaining how permissions work, this chapter explains how to change and set permissions
and ownerships.
Because Linux is designed with networking in mind, it enables you to identify each
machine with a unique name. You can name your system anything you want. In some cases, the
setup or installation script that installed Linux for you may have asked you for a system
name. You can keep the name you entered then or enter a new one.
The name that identifies your Linux system is called a hostname. This name, as
mentioned, facilitates networking and associated services like e-mail. It also lets you
give your system a bit of a personality. You can display the current Linux system hostname
with the hostname command:
$ hostname
artemis
This code shows that the system's hostname is artemis. If you have no system hostname
defined, Linux defaults to either no name or a system default name. The name information
is read from the Linux system startup files.
If your system isn't networked, you can call your system anything you like, but
remember that you have to live with it! To set your system name, run the hostname command
(as the superuser) with the new name as its argument, as shown in this example:
hostname superduck
This sample code sets your system hostname to superduck. This name is tagged onto all
your e-mail and some system utilities when generating output. Some versions of Linux limit
the hostname to a number of characters (usually 14 characters), but try any name you want.
If Linux doesn't allow it, you should get an error message or see a truncated version of
the name.
If you are running on a network, the hostname is important. On a network, each machine
must have a unique name, or the network can't identify which of the duplicate names the
network information is for. If you are creating a local area network that is not connected
to the Internet or has no formal network name, you can pick any network name you want.
Your machine name and network name combined form the full machine name. For example, the
command
hostname superduck.quackers
is composed of a machine name of superduck and a network name of quackers. As long as
all the other machines on the network have the same network name, your machines can
communicate properly. Your machine is uniquely identified by the combination of machine
and network name.
If your system can access the Internet, your network probably has been assigned a
network name by the Internet Network Information Center (NIC), which assigns network
names, called domains, in accordance with strict naming conventions. Each domain has a
unique name portion and an extension that identifies the type of organization to which the
network belongs. For example, the company Quacks-R-Us may have a domain name quacks.com.
The seven different extensions in use are as follows:
| .arpa | A governmental network identifier |
| .com | Commercial company |
| .edu | Educational institution |
| .gov | Governmental body |
| .mil | Military |
| .net | An Internet-administered (usually) network |
| .org | Anything that isn't in one of the other categories |
These identifiers are usually used only for networks based in the U.S. Other countries
have unique identifiers based on the country's name. For example, if Quacks-R-Us were
based in the United Kingdom, the domain name could be quacks.uk. Each country has a
two-letter designation that identifies it to the Internet. (Some companies have a
U.S.-style extension even though they are outside U.S. borders. These companies usually
have been registered by a U.S. company or have been on the Internet a long time.)
The combination of domain name and extension, as assigned by the NIC, is unique to each
network. When combined with a hostname on the network, the result is a unique name for
your machine. For example, if your local network has the domain name of quack.com and you
want to name your machine superduck, you set the name of your machine with this command,
which combines the machine and network names:
hostname superduck.quack.com
The chapters in Part IV, "Networking," discuss machine names and network
names in more detail. You may also want to check with a good TCP/IP book for more
information. The author's Teach Yourself TCP/IP in 14 Days from Sams is a good
place to start.
Linux stores the hostname in the file /etc/hosts. If you have just installed Linux and
haven't configured a machine name, the /etc/hosts file contains a bunch of comment lines
and one line of code:
127.0.0.1 localhost
Some Linux versions store the hostname in the /etc/rc or /etc/rc.local files or in the directory /etc/rc.d, although this convention is absent from most versions of Linux.
The /etc/hosts file consists of two columns, one for the IP address and the second for
machine names. The four numbers (written in a format called dotted-quad as there are four
groups of numbers with periods between them) are the IP address. IP stands for Internet
Protocol and is an essential component of the TCP/IP network protocols used on the
Internet and most local area networks involving UNIX. The IP address for machines
connected to the Internet is assigned by the Network Information Center, just as the
domain name is. (The IP address and domain name also are mapped to each other so the
network can use numbers instead of names, a much more efficient system.) If you are not
connected to the Internet, your IP address can be anything as long as each set of numbers
is in the range 0 to 255.
The IP address is composed of the network identifier and the machine identifier. The
four parts of the IP address are split over these two identifiers in special ways. If you
are connecting to an existing TCP/IP network, your network administrator will give you the
IP address you should use. The IP address 127.0.0.1 is a special address known as the
loopback address. This address lets TCP/IP on your machine form a connection to itself.
Every machine has a loopback driver, which is identified by the entry 127.0.0.1 in the
/etc/hosts file and the name localhost.
If you have identified your machine by a hostname already, that name is in the
/etc/hosts file. For example, the stand-alone machine called superduck from earlier in
this section is given on the same line as the localhost entry:
127.0.0.1 superduck localhost
This line tells the system that the localhost is called superduck and to use that name
as the system identifier.
This naming process gets a little more complicated when you are on a network, as each
machine on the network has an IP address that is unique. If your network is not connected
to the Internet, you can make up any IP address for your network. If you are on the
Internet, your network IP address is assigned, and the network administrator can give you
your machine's IP address or you can choose an unused address.
Suppose you are connecting to the Internet and your IP address is 47.123.23.37 and your
domain name is quacks.com. Your /etc/hosts file looks like the following:
127.0.0.1 localhost
47.123.23.37 superduck.quacks.com
The name superduck may appear on the localhost line as well, although it doesn't have
to. The /etc/hosts file may have other lines when you are connected to a large network
that you move around in frequently. At least these two lines should appear when you are
connected to a network, though.
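As an added example (not part of the chapter), the following POSIX shell functions check a proposed name against the classic hostname rules (letters, digits and hyphens only, no hyphen at either end, labels of at most 63 characters) and scan /etc/hosts contents for a name mapped to two different real addresses, which is the duplicate the text warns about. The file contents, addresses and machine names are constructed for the example.

```shell
# Constructed /etc/hosts contents for the example (not taken from any real system).
SAMPLE_HOSTS='# constructed example: loopback plus three networked machines
127.0.0.1       localhost superduck
47.123.23.37    superduck.quacks.com superduck
47.123.23.38    mallard.quacks.com mallard
47.123.23.39    mallard.quacks.com      # same name, second address: conflict
'

# valid_label LABEL: succeed when LABEL is a legal hostname component:
# 1 to 63 characters, letters, digits and hyphens only, and no hyphen
# at either end (the RFC 952/1123 rules).
valid_label() {
    label=$1
    [ -n "$label" ] && [ "${#label}" -le 63 ] || return 1
    case $label in
        -*|*-)            return 1 ;;   # leading or trailing hyphen
        *[!A-Za-z0-9-]*)  return 1 ;;   # any other character
    esac
    return 0
}

# valid_hostname NAME: succeed when every dot-separated label of NAME
# is valid and the whole name is at most 253 characters.
valid_hostname() {
    name=$1
    [ -n "$name" ] && [ "${#name}" -le 253 ] || return 1
    case $name in .*|*.|*..*) return 1 ;; esac   # an empty label somewhere
    rest=$name
    while :; do
        case $rest in
            *.*) label=${rest%%.*}; rest=${rest#*.} ;;
            *)   label=$rest;       rest= ;;
        esac
        valid_label "$label" || return 1
        [ -n "$rest" ] || break
    done
    return 0
}

# conflicting_names HOSTS_TEXT: print every name that is mapped to more
# than one non-loopback address. A name on the 127.0.0.1 line and on the
# machine's real address is fine; the same name on two real addresses
# means the network cannot tell the machines apart.
conflicting_names() {
    printf '%s\n' "$1" |
    sed 's/#.*//' |
    awk 'NF >= 2 && $1 != "127.0.0.1" {
             for (i = 2; i <= NF; i++)
                 if (!(($i, $1) in seen)) { seen[$i, $1] = 1; count[$i]++ }
         }
         END { for (n in count) if (count[n] > 1) print n }' |
    sort
}

# Demonstration: check a few names, then look for conflicts in the sample.
for n in superduck superduck.quacks.com super_duck -bad.quacks.com; do
    if valid_hostname "$n"; then echo "ok:      $n"; else echo "invalid: $n"; fi
done
conflicting_names "$SAMPLE_HOSTS"
```

Run the file with sh; the last line of output names mallard.quacks.com, the only name given two real addresses in the sample.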
Linux handles access to all files and directories on the filesystem through the
permission block. The permission block is part of the i-node table's entries for each file
and directory. You can display the permission block for a file or directory by doing a
long directory listing.
The first column of the long directory listing is the permission block. It is always
composed of 10 characters. Each file and directory, regardless of its type, on a Linux
system has a permission block associated with it. The permission block is made up of two
different types of information. The first character is a file type indicator, and the next
nine characters are the access permissions themselves. The following sections look at
these two types of information in a little more detail.
Linux uses the first character in the permission block to indicate the type of entry
the i-node table contains. Because Linux doesn't differentiate between files and
directories in the i-node table, this character is the only way for the operating system
to know whether the entry refers to a regular file or a directory. Directories are not
physical entities on a Linux system; they are instead an organizational scheme used to
make the user's life easier. The i-node table entries for a file and directory look very
similar.
Linux supports a number of valid file types, each of which has a single character value
that is used in the first character of the permission block. The most common file type
characters that Linux uses are the following:
| - | ordinary file |
| b | block mode device |
| c | character mode device |
| d | directory |
| l | link |
Some versions of Linux and UNIX support other file types (such as s for special), but
these types are seldom encountered and are of no real interest as far as permissions are
concerned.
Most files on the Linux system are ordinary files. An ordinary file can be data, an
application, a text file, or any file that contains information (whether directly readable
by the user or not). The ordinary files are indicated by a hyphen in the file type block.
Any file users create is an ordinary file.
Chapter 6, "Devices and Device Drivers," looked at
the difference between block and character mode devices, which are indicated by a b or c
file type. These files are composed of instructions that let Linux talk to peripherals.
Most device file types are stored in the directory /dev by convention, although they can
exist anywhere in the filesystem. When Linux encounters a file with either of these two
file types, it knows how to read the file for input and output control.
The directory file type indicates that the entry in the i-node table refers to a
directory and not a file. All directories on the system are really empty files as far as
Linux is concerned, but they can be logically assembled into the usual directory structure
based on the i-node table entries.
Links are sometimes identified in the file type character as an l, although not
all operating system versions support this character. If your version of Linux doesn't use
the l file type to indicate a link, you will have to rely on the second column of output
from a long directory listing that shows the number of links the entry has.
All UNIX systems (including Linux) control access to files and directories using
permissions that are read from the permission block. Access to a file or directory can be
one of three possible values. These values are given by a single character as shown in the
following list:
| r | read |
| w | write |
| x | execute |
If you have read access to a file, you can display the contents of the file (using any
utility like cat or more) or read the file into an application (such as a word processor
or a database). If you have write permission to a file, you can modify the contents and
save the changes over the old file. If you have execute permission, you can execute the
file, assuming it is a binary file or shell script. If the file is ASCII and you execute
it, nothing much will happen except a few error messages.
These three permission values are combined into a three-character block in the order
given above (in other words, rwx for read, write, and execute). If a permission is not
accessible, a hyphen is used in that permission's place to show that it is absent. In
other words, the permission block r-x indicates that the file has read and execute
permission, but not write permission. Similarly, the permission block --- indicates that
the file has no access permissions and cannot be read, written to, or executed.
These permissions are used for directories, too, although their meanings are slightly
different. Read permission for a directory means you can display the contents of the
directory listing (using ls, for example). Write permission for a directory means you can
add files to the directory. Execute permission means you can change into that directory
(using cd). The permission block r-x on a directory, for example, means you can display
the directory's contents and change into that directory, but you can't add a new file to
the directory.
These three permissions are set for each of three different levels of access. There is
a permission block for the owner of the file (called the user), another for anyone in the
owner's group (called the group), and another for everyone else on the system (called
other or world). The three-character blocks for read-write-execute permission are combined
for the three groups (user, group, and other) to produce the nine-character permission
block you see in the long directory listing.
Once you get used to thinking in terms of user, group, and other, you can easily read
the file permissions blocks. For example, the file permission block
rw-r--r--
means that the user (owner of the file) has read and write permission, the group
(second block of three characters) has read permission only, and everyone else on the
system (other) has only read permission also. In the following example, the permission
block
rwxr-xr--
means that the owner can read, write, and execute the file. Anyone in the same group as
the owner can read and execute the file. Finally, anyone else on the system can read the
file but can't make changes or execute it.
The same approach applies for directories. For example, if a directory has the
following permission block
rwxr-xr-x
the owner of the directory can change into the directory, add files, and display the
contents of the directory. Everyone else on the system (in the owner's group and everyone
else) can display the contents of the directory (with an ls command, for example) and
change into the directory (using cd), but they can't add files to the directory.
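The following shell function, added here as an example rather than taken from the chapter, reads long-listing lines and reports every entry whose other block contains a w, stating what that permission grants according to the rules above (modify the contents of a file, add files to a directory). Symbolic links are skipped, because the block shown for a link is not consulted by the system; the target's block is. The listing, names and owners are constructed for the example.

```shell
# Constructed long-listing output in ls -l format (not from a real system).
SAMPLE_LISTING='-rw-r--r--  1 bill   users   1204 Mar  3 10:12 report.txt
-rw-rw-rw-  1 bill   users    812 Mar  3 10:14 notes.txt
drwxr-xr-x  2 bill   users   4096 Mar  3 10:00 docs
drwxrwxrwx  2 bill   users   4096 Mar  3 10:01 dropbox
-rwxr-x---  1 root   wheel   9124 Mar  3 09:50 backup.sh
lrwxrwxrwx  1 bill   users      9 Mar  3 10:20 latest -> report.txt'

# world_writable LISTING_TEXT: print one line for each entry that grants
# write permission to "other" (everyone else on the system). The block
# is ten characters: type, then rwx for user, group and other, so the
# ninth character is other's write bit.
world_writable() {
    printf '%s\n' "$1" |
    while read -r block links owner group size month day time name; do
        case $block in
            l*)  continue ;;   # link: its own block is never used for access checks
            d???????w?)
                printf 'directory %s (owner %s): anyone on the system can add files\n' \
                    "$name" "$owner" ;;
            -???????w?)
                printf 'file %s (owner %s): anyone on the system can change its contents\n' \
                    "$name" "$owner" ;;
            ????????w?)
                printf 'entry %s (owner %s): world-writable\n' "$name" "$owner" ;;
        esac
    done
}

# Demonstration: the sample contains one world-writable file and one
# world-writable directory.
world_writable "$SAMPLE_LISTING"
```

On a real system you would feed it the output of ls -l (or ls -lR for a whole tree) and review each line it prints; a world-writable directory that holds configuration or scripts is the kind of wide-open access the start of this chapter warns about.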
When you save a file or create a new directory, it is assigned a default set of
permissions. These permissions are set for each user according to their file creation mask,
called the umask (user's permission mask) by UNIX. Every user on the system has a umask
setting, either one that's set for them in their startup files (.profile, .cshrc, and so
on) or the system's default umask setting.
You can display the current value of your umask setting by entering the umask command
at any shell prompt:
$ umask
022
The three-number block returned by the umask command is the current umask setting.
(Some systems return a four-number block, the first number of which is always zero. In
this case, only the last three numbers are of any importance for the umask.) The three
numbers are octal representations of the read-write-execute permissions you see in a
file's permission block. The numbers have the following meaning:
| 0 | read and write (and execute for directories) |
| 1 | read and write (not execute for directories) |
| 2 | read (and execute for directories) |
| 3 | read |
| 4 | write (and execute for directories) |
| 5 | write |
| 6 | execute |
| 7 | no permissions |
Using this list, you can see that the umask setting of 022 means that the user has read
and write permission for his own files (0), the group has read permission (the first 2),
and everyone else on the system has read permission (the second 2). Whenever a user creates
a file with this umask setting, the permission block will look like the following:
rw-r--r--
As mentioned earlier, Linux uses a system default umask setting when a user logs in
unless the user's setting is explicitly changed, either on the command line or in one of
the startup files. If you want to change the umask value, use the umask command with the
three-digit permission setting you want. For example, the command
umask 077
sets the permissions to give the owner read and write permission and to withhold
permissions from everyone else on the system. This umask value can be very useful for
restricting access to files.
If you want to temporarily change your umask setting, enter the umask command and the
new setting at the shell prompt. The new values will be in effect until you change them
again. If you want to permanently change your umask setting, add a line like the preceding
one to your shell's startup file (.profile, .cshrc, and so on).
You may want to change the permissions attached to a file or directory. You change
permissions with the chmod command, which can operate in either symbolic or absolute mode.
Symbolic mode is the easiest mode to learn and use, but absolute mode offers better
control.
Using chmod in symbolic mode requires that you follow a strict syntax. Once you
understand that syntax, the command is easy to use. Symbolic mode lets you instantly
understand the changes that you are making to permissions. The general syntax of the chmod
in symbolic mode is
chmod who-change-perms files
where who indicates who you want the changes to apply to. Valid values are u for user,
g for group, and o for other, in any combination and order. The change indicates whether
you want to take away permissions (-), add them (+), or explicitly set them (=). You can
use only one symbol in each chmod command. The perms indicate whether you want to change
read (r), write (w), or execute (x) permission. These three components (who, change, and
perms) of the command are run together without a space. A few examples may help make this
concept a little clearer. The command
chmod u+rwx bigfile
alters the permissions on bigfile to add read, write, and execute for the user. If any
of these three permissions already existed on bigfile, they are left alone, but they are
added if they didn't exist before the command. The permissions for the group and other
users are not affected, as this command deals specifically with the user's permissions. On
the other hand, the command
chmod go-x bigfile
takes away execute permission for the group and other, without changing the group's and
other's read or write permissions (they stay the way they were) or the user's permissions
(as a u was not included in the command). You can use wildcards in the chmod command, as
well, so the command
chmod uo+w chapter*
adds write permission for the user and other for any file starting with chapter.
If you don't specify whether the command applies to user, group, or other, all three
are affected, so the command
chmod +rwx bigfile
changes the permissions for user, group, and other to read, write, and execute.
You also can use the symbolic mode of chmod to set permissions explicitly. As you have
seen, if you do not specify a parameter on the command line, it is not changed. In other
words, if you issue the command
chmod u+r bigfile
only the read permission for the user is changed, and the write and execute permissions
are left as they were.
You can do the same sort of command to set permissions for directories, remembering
what they mean in the context of changing into, adding to, and listing directories. For
example, the command
chmod go+rx mydir
allows users in group and other to list mydir's contents and change into mydir, but
they cannot add files to this directory.
Sometimes you want to explicitly set the permissions to some value, for which you can
use the equal sign. For example, the command
chmod u=rx bigfile
turns on read and execute permission for the user, but turns off write permission
(whether it was on or off before the command, it will be off after). However, the group
and other permission blocks are left unaffected. If you want to make changes to all three
blocks (user, group, and other) at the same time, you must use chmod's absolute mode.
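To make the who-change-perms syntax concrete, here is an added example (not from the chapter) that applies one symbolic clause to an absolute three-digit mode using POSIX shell arithmetic, so you can see what each of the commands above does to a starting permission block. It handles a single clause only (no comma-separated lists and no s or t bits), and the function name is this example's own. One caveat the chapter does not mention: when no who letters are given, the real chmod command leaves the bits set in your umask untouched; this function does not apply a umask, so its result for a clause like +rwx is the full 777.

```shell
# apply_symbolic MODE CLAUSE: apply one chmod symbolic clause such as
# u+rwx, go-x or u=rx to a three-digit absolute mode and print the new
# three-digit mode. Returns 1 on a malformed clause.
apply_symbolic() {
    mode=$((0$1))                  # leading 0 makes the shell read it as octal
    clause=$2
    who=${clause%%[+=-]*}          # letters before the operator (may be empty)
    rest=${clause#"$who"}
    op=$(printf '%.1s' "$rest")    # the operator: +, - or =
    perms=${rest#?}                # the permission letters after it
    case $op in +|-|=) ;; *) return 1 ;; esac
    case $perms in *[!rwx]*) return 1 ;; esac
    [ -n "$who" ] || who=ugo       # no who given: the clause applies to all three
    case $who in *[!ugoa]*) return 1 ;; esac

    # The named permissions as a single digit: r=4, w=2, x=1.
    bits=0
    case $perms in *r*) bits=$((bits | 4)) ;; esac
    case $perms in *w*) bits=$((bits | 2)) ;; esac
    case $perms in *x*) bits=$((bits | 1)) ;; esac

    # A mask with 7 in every position (user, group, other) the clause touches.
    where=0
    case $who in *u*|*a*) where=$((where | 0700)) ;; esac
    case $who in *g*|*a*) where=$((where | 070)) ;; esac
    case $who in *o*|*a*) where=$((where | 07)) ;; esac

    # Replicate the digit into all three positions, then keep only the selected ones.
    value=$(( (bits * 0111) & where ))
    case $op in
        +) mode=$((mode | value)) ;;                  # add the bits
        -) mode=$((mode & ~value)) ;;                 # take them away
        =) mode=$(( (mode & ~where) | value )) ;;     # replace the selected positions
    esac
    printf '%03o\n' "$mode"
}

# Demonstration: the chapter's example clauses, each applied to a 644 file.
for clause in u+rwx go-x uo+w u=rx; do
    printf '%s on 644 -> %s\n' "$clause" "$(apply_symbolic 644 "$clause")"
done
```

Reading the output beside the text: u+rwx turns 644 into 744, go-x leaves 644 alone because neither group nor other had execute to begin with, uo+w gives 646, and u=rx gives 544 because the equal sign clears the user's write bit whatever it was before.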
The chmod command's absolute mode uses numbers to specify permissions. There are three
numbers, one for the user, one for the group, and one for the other permissions. All three
must be specified on the command line. Each number is the sum of values that represent
read, write, and execute permissions. The following list shows the values:
| 000 | no permissions |
| 001 | other, execute |
| 002 | other, write |
| 004 | other, read |
| 010 | group, execute |
| 020 | group, write |
| 040 | group, read |
| 100 | user, execute |
| 200 | user, write |
| 400 | user, read |
You can see that the numbers are in three columns. From left to right, they represent
user, group, and other permissions. To use these numbers, add together the values of one
(execute), two (write), and four (read) to form the combination you need. For example, if
you want to set read and execute permissions, the number you specify is five. Setting all
the permissions gives you seven, and a value of zero signifies no permissions. You then
use these numbers on the chmod command line. For example, the command
chmod 644 bigfile
sets user permissions to read and write (six), group permissions to read (four), and
other permissions to read (four). Permissions that aren't set are shown as hyphens,
resulting in the following file permission block:
rw-r--r--
You may recognize this block as the default permission block for users with a umask of
022. This example points out the fact that the umask and chmod absolute numbering schemes
are not the same.
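To see the relationship between the umask digits, the absolute chmod numbers and the rw- notation, the following functions, added as an example and not part of the chapter, convert a nine-character permission block to its absolute number and back, and compute the block a new file or directory receives under a given umask (the system starts from 666 for a file and 777 for a directory and clears every bit named in the mask, which is why 022 yields rw-r--r-- for files and rwxr-xr-x for directories). The function names are this example's own; only the r, w and x bits are handled.

```shell
# sym_to_octal BLOCK: convert a nine-character block such as rwxr-xr--
# to the three-digit absolute number chmod accepts (754 here).
sym_to_octal() {
    block=$1
    [ "${#block}" -eq 9 ] || return 1
    result=
    rest=$block
    for pos in user group other; do
        triple=$(printf '%.3s' "$rest")   # next three characters
        rest=${rest#???}
        digit=0
        case $triple in r??) digit=$((digit + 4)) ;; -??) ;; *) return 1 ;; esac
        case $triple in ?w?) digit=$((digit + 2)) ;; ?-?) ;; *) return 1 ;; esac
        case $triple in ??x) digit=$((digit + 1)) ;; ??-) ;; *) return 1 ;; esac
        result=$result$digit
    done
    printf '%s\n' "$result"
}

# triple_of DIGIT: the rwx text for one digit, e.g. 5 -> r-x.
triple_of() {
    d=$1
    t=
    if [ $((d & 4)) -ne 0 ]; then t=r; else t=-; fi
    if [ $((d & 2)) -ne 0 ]; then t=${t}w; else t=${t}-; fi
    if [ $((d & 1)) -ne 0 ]; then t=${t}x; else t=${t}-; fi
    printf '%s' "$t"
}

# octal_to_sym MODE: convert a three-digit absolute number such as 644
# back to its block, rw-r--r--.
octal_to_sym() {
    mode=$1
    case $mode in [0-7][0-7][0-7]) ;; *) return 1 ;; esac
    d1=${mode%??}; d3=${mode#??}; d2=${mode#?}; d2=${d2%?}
    printf '%s%s%s\n' "$(triple_of "$d1")" "$(triple_of "$d2")" "$(triple_of "$d3")"
}

# umask_default UMASK file|dir: the block a newly created file or
# directory gets under UMASK. The mask names the bits to withhold, so
# the result is the base (666 or 777) with those bits cleared.
umask_default() {
    m=$1
    case $2 in file) base=0666 ;; dir) base=0777 ;; *) return 1 ;; esac
    octal_to_sym "$(printf '%03o' $((base & ~0$m)))"
}

# Demonstration: the chapter's two umask settings and its 644/755 examples.
printf 'umask 022, new file:      %s\n' "$(umask_default 022 file)"
printf 'umask 022, new directory: %s\n' "$(umask_default 022 dir)"
printf 'umask 077, new file:      %s\n' "$(umask_default 077 file)"
printf 'chmod 644 gives %s, chmod 755 gives %s\n' "$(octal_to_sym 644)" "$(octal_to_sym 755)"
printf 'rwxr-xr-- is chmod %s\n' "$(sym_to_octal rwxr-xr--)"
```

The umask_default function makes the point of the last paragraph explicit: a umask digit counts the permissions taken away, while a chmod digit counts the permissions granted, so the same three digits mean different things in the two commands.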
Absolute mode is useful for setting the entire permission block in one shot. Although
the addition process may seem awkward at first, it becomes quite easy after a while. A
couple of settings are used frequently. The 644 setting shown previously produces the
usual permissions for files, and the command
chmod 755 mydir
sets mydir to allow only the owner to add files and let everyone list the contents and
change into the directory. You can use wildcards with this mode of chmod to make blanket
changes.
Which mode of chmod you use at any time depends on the type of permission change you
want to make. If you just want to change a single permission (such as adding execute
permission for yourself or read-write permission for the group), the symbolic format is
easy. For setting complete permission block details, the absolute mode is fastest.
Every file and directory on a Linux system has an owner and a group, both of which can
be seen in the long directory listing. The owner of the file is usually the username of
the person who created the file, and the group of the file is the group the person was in
when the file was created. You may want to change the owner and group when sharing files
or moving them to another user. To do this, use the chown and chgrp commands.
To change the owner of a file or directory, use the chown command with the name of the
new owner. For example, the command
chown bill datafile
changes the owner of datafile to bill. When the command is issued, it checks to make
sure that the specified owner is valid (by searching /etc/passwd) and that you own the
file. Only the file owner or the superuser can change file ownerships. You can use
wildcards to change many files or directories at once. For example, the command
chown yvonne chapter*
changes the owner of all files starting with chapter to yvonne.
To change the group owner of a file or directory, use the chgrp command (not to be
confused with newgrp, which changes your current group). For example, the command
chgrp accounts bigfile
changes the group to accounts. Again, Linux checks that the group name exists in
/etc/group and that the person changing the group is in the group that currently owns the
file. As with chown, you can use wildcards to change many files and directories at once.
If you know the UID or GID of the user or group, you can use it on the command line
instead of the name. Linux searches the /etc/passwd and /etc/group files to make sure the
UID or GID is valid, and you must have permission to change the owner for this procedure
to work.
Use caution when changing ownerships. It's easy to change an owner or a group, and then realize you have locked yourself out of the file!
This chapter explained how to give your system a name and assign access permissions.
Naming a system is very important when you are connected to a network, but it is more of a
personality issue when you are running a stand-alone system. Still, it is nice to refer to
your machine as more than thing or the default darkstar name.
File permissions are one of the most misunderstood and misused concepts of UNIX, yet they are surprisingly easy to manage. Using the commands explained in this chapter should make it easy for you to alter file permissions and ownership to suit your needs.