UNIX File Protection Overview (cont.)
There are three other modes (encoded in three additional bits) that modify the behavior of the other nine modes. These modifiers are "set user", "set group", and "sticky". The "set user" mode changes the behavior of an executable file. Ordinarily when you execute a file, the resulting process has your access rights, i.e., you are the owner of the process. But if you execute a file that has "set user" enabled, then the resulting process belongs to the owner of the file and has the access rights of that user. Some commonly used programs such as "su" and "login" are owned by superuser (root) and have "set user" mode. These programs require superuser privileges to work. If "set user" were not enabled, these programs would fail when run by ordinary users.
The "set group" mode is analogous to the "set user" mode. When you execute a file with "set group" enabled, the resulting process is assigned to the group of the executable file, even though you may not be a member of this group. Some programs use this feature to obtain access to files that are ordinarily inaccessible to users. The "set group" mode has a different meaning on directories. If a directory has "set group" enabled, then any object you create in that directory inherits the group of the directory, regardless of what groups you belong to.
The "sticky" mode pertains to directories. If a directory has "sticky" enabled, then having write and execute access is not enough to remove an object from the directory. You must also own the object or you must own the directory. The system temporary directory /tmp has read, write, and execute access enabled for everybody. Many programs such as editors and compilers create temporary files in /tmp, so it is wide open. To keep sociopaths from removing other users' files, /tmp also has "sticky" mode enabled.
Note that "set user" mode has no effect on how the system grants access to directories and that "sticky" mode has no effect on file access. However, a programmer could write software that depends on the settings of these modes, even though Unix itself doesn't care.
INSPECTING THE PERMISSIONS OF OBJECTS WITH "LS"
The "ls -l" command displays much information about files and directories, including the access modes, owner, and group. Note that on some systems, including Suns, you need "ls -lg" to see the group and on other systems "ls -lg" suppresses outputting the group. So much for standards. Consider the following line of "ls" output:
-rw-r--r-- 1 scl staff 5872 Jul 28 1992 answerbook
The first character ("-") indicates that this is a regular file. The next three characters ("rw-") represent the "user" access modes, which are read, write, but no execute. The next three characters ("r--") are the "group" modes, which are read only. The next three characters ("r--") are the "other" modes, which are also read only. None of the "set user", "set group" or "sticky" modes are enabled. After the permissions comes the link count (1), which indicates how many links (or names) this object has. Most files have one link. Directories have at least two, because the "." entry in the directory itself is a link. After the link count comes the owner (scl), the group (staff), the size of the file in bytes (5872), the time the file was last modified (Jul 28, 1992), and the name of the file (answerbook). Another example:
drwxr-sr-x 3 scl staff 512 Mar 16 1992 astro
The "d" indicates that this is a directory. The owner is "scl" and the group is "staff". The owner has read, write, and execute access (rwx). Both group and other have read and execute access. Note how group execute access appears as "s" instead of "x". This indicates that "set group" mode is also enabled. ls displays "set user" and "sticky" similarly. "User" execute access appears as "s" when "set user" is also enabled (e.g., -rwsr-xr-x). "Other" execute access appears as "t" when "sticky" is also enabled (e.g., drwxrwxrwt). If you see a capital "S" or "T" instead of lower case, it indicates that the modifier is enabled, but the corresponding execute access is disabled (rare).
SETTING THE PERMISSIONS OF OBJECTS WITH CHMOD
Only the owner of an object (and superuser) can change its permissions. The command for this is "chmod" (change access modes). The owner may chmod an object regardless of its permissions, so if you ever inadvertently deny yourself access to something, you have the power to restore your access rights. If you have a very important file that you do not want to inadvertently overwrite, you can deny yourself write access. If you have files that you do not want to inadvertently remove, you can put them in a directory and then disable your own write access to the directory.
Chmod has very flexible syntax for representing permissions, but here we only discuss the numeric syntax. The access modes are encoded in a three digit number, which is the sum of the enabled access modes.
- 400 user read
- 200 user write
- 100 user execute
- 40 group read
- 20 group write
- 10 group execute
- 4 other read
- 2 other write
- 1 other execute
For example, 644 is user read (400) + user write (200) + group read (40) + other read (4). To set these permissions on a file, use "chmod 644 file". This appears as -rw-r--r-- in "ls" output. Directories and executable files commonly have read + write + execute for user (700) and read + execute for group (50) and read + execute for other (5), or 755 (-rwxr-xr-x). For those familiar with octal, the numeric argument to chmod is simply the octal representation of the access mode bits.
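The two directions described above, reading the mode field of "ls -l" (including the "s"/"S" and "t"/"T" overlays for the three modifier bits) and producing the numeric argument chmod expects, as an added worked example that is not part of the original text. The bit constants come from Python's standard stat module; the trailing "+", "." or "@" that some ls implementations append for ACLs or extended attributes is an assumed extension beyond the original's plain ten-character field.

```python
import stat

# The nine rwx positions of the ls mode field, in display order.
_PERM_BITS = (
    stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
    stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
    stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH,
)
# Execute positions where ls overlays a modifier: "s"/"S" for set user and
# set group, "t"/"T" for sticky. Lower case = modifier AND execute enabled,
# upper case = modifier enabled but execute disabled.
_MODIFIERS = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}

def parse_mode(ls_mode: str) -> int:
    """Convert the mode field of 'ls -l' (e.g. 'drwxr-sr-x') to mode bits."""
    if len(ls_mode) == 11 and ls_mode[-1] in "+.@":   # ACL/xattr marker (assumed)
        ls_mode = ls_mode[:10]
    if len(ls_mode) != 10:
        raise ValueError(f"expected a 10-character mode field, got {ls_mode!r}")
    mode = 0
    for i, ch in enumerate(ls_mode[1:]):             # skip the type character
        if i in _MODIFIERS and ch in "sStT":
            mode |= _MODIFIERS[i]                    # modifier bit is set ...
            if ch.islower():                         # ... and execute too
                mode |= _PERM_BITS[i]
        elif ch == "rwx"[i % 3]:
            mode |= _PERM_BITS[i]
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} at position {i + 2}")
    return mode

def format_mode(mode: int, is_dir: bool = False) -> str:
    """Inverse of parse_mode: render mode bits the way 'ls -l' shows them."""
    out = ["d" if is_dir else "-"]
    for i, bit in enumerate(_PERM_BITS):
        ch = "rwx"[i % 3] if mode & bit else "-"
        if i in _MODIFIERS and mode & _MODIFIERS[i]:
            letter = "t" if i == 8 else "s"
            ch = letter if mode & bit else letter.upper()
        out.append(ch)
    return "".join(out)

def chmod_octal(ls_mode: str) -> str:
    """The numeric chmod argument for an ls mode field: '644', '2755', ..."""
    return f"{parse_mode(ls_mode):o}"
```

A four-digit result such as "2755" or "4755" is the quickest way to spot a set-group or set-user object when reviewing a listing.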