In Files and Directories, Section 4.2 we covered moving/renaming files with mv, copying them with cp, removing them with rm, removing directories with rmdir, and creating directories with mkdir. This chapter will cover some more aspects of files.
GNU and Unix systems are set up to allow many people to use the same computer, while keeping certain files private or keeping certain people from modifying certain files. You can verify this for yourself:
Verifies that you are not root.
You should be told "Permission denied." /etc/resolv.conf is an essential system configuration file --- you aren't allowed to change or remove it unless you're root. This keeps you from accidentally messing up the system, and if the computer is a public one such as at an office or school, it keeps users from messing up the system on purpose.
Now type ls -l /etc/resolv.conf
This will give you output that looks something like this:
-rw-r--r-- 1 root root 119 Feb 23 1997 /etc/resolv.conf
The -l option to ls requests all that additional information. The info on the right is easy - the size of the file is 119 bytes, the date the file was last changed is Feb 23 1997, the file's name is /etc/resolv.conf. On the left side of the screen, things get a little more complicated.
First, the brief, technical explanation: the -rw-r--r-- is the mode of the file, the 1 is the number of hard links to this file (or the number of files in a directory), and the two root are the user and group owning the file.
So that was cryptic. Let's go through it slowly (except the hard links part --- for that see The real nature of files: hard links and inodes, Section 16.2.1).
Every file has two owners --- a user, and a group. The above case is a little confusing, since there's a group called root in addition to the root user. Groups are just collections of users who are collectively permitted access to some part of the system. A good example is a games group. Just to be mean, you might set up your system so that only people in a games group are allowed to play games.
A more practical example: say you're setting up a computer for a school. You might want certain files to be accessible only to teachers, not students, so you put all the teachers in a single group. Then you can tell the system that certain files belong to members of the group teachers, and that no one else can access those files.
Here are some things you can do to explore groups on your system:
Typing this at the shell prompt will tell you what groups you're a member of. It's likely that you're a member of only one group, which is identical to your username.
This file lists the groups that exist on your system. Notice the root group (the only member of this group is the root user), and the group which corresponds to your username. There are also groups like dialout (users who are allowed to dial out on the modem), and floppy (users who can use the floppy drive). However, your system is probably not configured to make use of these groups --- it's likely that only root can use the floppy or the modem right now. For details about this file, try reading man group.
Observe how every user's directory is owned by that user and that user's personal group. (If you just installed Debian, you may be the only user.)
In addition to being owned by one user and one group, every file and directory also has a mode, which determines who's allowed to read, write, and execute the file. There are a few other things also determined by the mode, but they're advanced topics so we'll skip them for now.
The mode looks like this in the ls output: -rw-r--r--. There are ten "elements" here, and the mode actually consists of twelve bits (think of bits as switches which can be on or off). But for now, we'll consider only nine of these bits: those that control read, write, and execute permissions for the user owning the file, the group owning the file, and others (everyone on the system, sometimes called world).
Notice that three kinds of permission (read, write, execute) times three sets of people who can have permission (user, group, others) makes a total of nine elements.
In the mode line, the first "element" gives the type of the file. The - in this case means it's a regular file. If it was d, we'd be looking at a directory. There are other possibilities too complex to go into now (see Advanced aspects of file permissions, Section 16.2.4).
The remaining nine "elements" are used to display the 12 bits that make up the file's mode. The basic 9 bits (read, write, and execute for user, group, and other) are displayed as three blocks of rwx.
So if all permissions are turned on and this is a regular file, the mode will look like this: -rwxrwxrwx. If it was a directory with all permissions turned off for others and full permissions for user and group, it would be drwxrwx---. (The remaining three bits are displayed by changing the x to s, t, S, or T, but this is a complex topic we're saving for Advanced aspects of file permissions, Section 16.2.4.)
For regular files, "read", "write", and "execute" have the following meanings:
Since directories can never be executed, the execute bit has a different meaning. For directories, execute permission means permission to access files in the directory. Note that this interacts with write permissions: execute permissions must be set to be able to access files in a directory at all, so without execute permission on a directory, write permission is useless. Execute permission for directories is often called "search" permission, since it really has nothing to do with execution. "File access" permission would probably be a still better name.
Directory modes are a little confusing, so here are some examples of the effects of various combinations:
The user, group, or other with these permissions may list the contents of the directory, but nothing else. The files in the directory can't be read, changed, deleted, or manipulated in any way. The only permitted action is reading the directory itself, that is, seeing what files it contains.
Write permission has no effect in the absence of execute permission, so this mode behaves just like the above mode.
This mode permits the files in a directory to be listed, and permits access to those files. However, files can't be created or deleted. Access means that you can view, change, or execute the files as permitted by the files' own permissions.
Files in this directory can be accessed, but the contents of the directory can't be listed, so you have to know what filename you're looking for in advance (unless you're a good guesser). Files can't be created or deleted.
You can do anything you want with the files in this directory, as long as it's permitted by the permissions on the files themselves.
Directory write permission determines whether you can delete files in a directory --- a read-only file can be deleted, if you have permission to write to the directory containing it. You can't delete a file from a read-only directory, even if you're allowed to make changes to the file. File permissions have nothing to do with deleting files.
This also means that if you own a directory you can always delete files from it, even if those files belong to root.
Directory execute permission determines whether you have access to files --- and thus whether file permissions come into play. If you have execute permissions to a directory, file permissions for that directory become relevant. Otherwise file permissions just don't matter; you can't access the files anyway.
If you have execute permission for the directory, file permissions determine whether you can read the contents of the file, change the file, and/or execute the file as a command.
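The deletion rule above, checked from the directory's mode instead of the file's. This is an added example, not part of the original tutorial; the function names and the file name report.txt are made up for illustration, and GNU coreutils stat is assumed.

```shell
#!/bin/sh
# Added example: list which permission classes (user, group, other) may
# delete a file, judged from the parent directory's mode, not the file's.
# Assumes GNU coreutils stat (-c %a). Names here are illustrative.

who_can_delete() {
    parent=$(dirname -- "$1")
    mode=$(stat -c %a "$parent") || return 1
    # Pad to four octal digits: special bits, user, group, other.
    while [ "${#mode}" -lt 4 ]; do mode="0$mode"; done
    special=${mode%???}
    perms=${mode#?}
    u=${perms%??}
    g=${perms#?}; g=${g%?}
    o=${perms#??}

    result=""
    for pair in "user:$u" "group:$g" "other:$o"; do
        digit=${pair#*:}
        # Deleting needs write (2) and execute/search (1) on the directory.
        if [ $((digit & 3)) -eq 3 ]; then
            result="$result ${pair%%:*}"
        fi
    done
    # The sticky bit is one of the three bits the text defers; when set it
    # narrows deletion further, so flag it instead of guessing.
    if [ $((special & 1)) -eq 1 ]; then
        result="$result (sticky)"
    fi
    echo "${result# }"
}

demo() {
    dir=$(mktemp -d) || return 1
    touch "$dir/report.txt"
    chmod 444 "$dir/report.txt"     # read-only file, as in the text
    for m in 755 775 777 766 555; do
        chmod "$m" "$dir"
        echo "directory $m: $(who_can_delete "$dir/report.txt")"
    done
    chmod 700 "$dir"                # restore access before cleaning up
    rm -rf "$dir"
}

demo
```

The 766 row shows group and others holding write permission on the directory yet unable to delete anything, because they lack execute permission on it.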
Finally, permission to change permissions on a file or directory is not affected by the permissions of that file or directory. Rather, as long as you are permitted access to the file, you can always change the permissions on files or directories that you own, but not on files owned by someone else. So if you can access a file you own at all (that is, you have execute permission for the directory containing it) then you can change its permissions.
This means that you can't permanently remove permissions from yourself because you can always give them back. Say you remove user write permission from a file you own, then try to change the file. It won't be permitted, but you can always give yourself write permission again and then change the file. The only way to lose the ability to change permissions back is to lose access to the file entirely.
This section goes through a short example session to demonstrate how permissions are used.
To change permissions, we'll use the chmod command.
There are a couple of new tricks here. First, you can use ; to put two commands on one line. You can type the above as:
$ cd
$ touch myfile
or as:
$ cd; touch myfile
and the same thing will end up happening.
Recall that cd by itself returns you to your home directory. touch is normally used to change the modification time of the file to the current time, but it has another interesting feature: if the file doesn't exist, touch creates the file. So we're using it to create a file to practice with. Use ls -l to confirm that the file has been created, and notice the permissions mode:
$ ls -l
-rw-r--r-- 1 havoc havoc 0 Nov 18 22:04 myfile
Obviously the time and user/group names will be different when you try it. The size of the file is 0, since touch creates an empty file. -rw-r--r-- is the default permissions mode on Debian.
This command means to add (+) execute (x) permissions for the user (u) who owns the file. Use ls -l to see the effects.
Here we've subtracted (-) read permission (r) from the group (g) owning the file, and from everyone else (others, o). Again, use ls -l to verify the effects.
Here we've set (=) user, group, and other permissions to read and execute. This sets permissions to exactly what you've specified, and unsets any other permissions. So all rx should be set, and all w should be unset. Now, no one can write to the file.
a is a shortcut for ugo, or "all". So all the x permissions should now be unset.
We're removing the file, but without write permissions. rm will ask if you're sure:
rm: remove `myfile', overriding mode 0444?
You should respond by typing y and pressing enter. This is a feature of rm, not a fact of permissions - permission to delete a file comes from the directory permissions, and you have write permission in the directory. However, rm tries to be helpful, figuring that if you didn't want to change the file (and thus removed write permission), you don't want to delete it either, so it asks you.
What was that 0444 business in the question from rm? The permissions mode is a twelve-digit binary number, like this: 000100100100. 0444 is this binary number represented as an octal (base 8) number, which is the conventional way to write a mode. So you can type chmod 444 myfile instead of chmod ugo=r myfile. This is fully explained in Advanced aspects of file permissions, Section 16.2.4.
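The session described above, replayed in a scratch directory with the octal mode printed next to the ls-style mode after each step. This is an added example, not part of the original tutorial: the chmod arguments are reconstructed from the step descriptions, the starting mode is forced to 644 so the result does not depend on your umask, and GNU coreutils stat is assumed.

```shell
#!/bin/sh
# Added example: replay the chmod steps described in the text and show the
# octal and symbolic mode after each one. Assumes GNU coreutils stat.
# Function names are illustrative.

show() {
    # Print "<label> <octal> <ls-style mode>", e.g. "start 644 -rw-r--r--".
    echo "$1 $(stat -c '%a %A' "$2")"
}

replay_session() {
    # Work in a throwaway directory so nothing in $HOME is touched.
    dir=$(mktemp -d) || return 1
    f="$dir/myfile"
    touch "$f"
    chmod 644 "$f"              # force the -rw-r--r-- default the text shows
    show start "$f"

    # u+x    add execute for the owning user
    # go-r   remove read from group and others
    # ugo=rx set exactly read and execute for everyone
    # a-x    remove execute from all
    for step in u+x go-r ugo=rx a-x; do
        chmod "$step" "$f"
        show "$step" "$f"
    done

    rm -rf "$dir"
}

replay_session
```

The last line reports 444, the same mode rm quotes as 0444 in its prompt.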
Now that you can navigate the directory tree, let's take a guided tour of the files and directories you created when you installed Debian. If you're curious, cd to each directory and type ls to see its contents. If the listing doesn't fit on the screen, try ls | more, where | is the "pipe" character, generally found on the same key with backslash.
Your home directory is where you put all your personal work, email and other documents, and personal configuration preferences. It's your home on the system.
While not essential to get the computer working, /usr does contain the applications you'll use to get real work done. Also in /usr you'll find the /usr/man, /usr/info, and /usr/doc directories --- these contain manual pages, info pages, and other documentation, respectively. And don't forget /usr/games!
Clearly there are many more directories on the system, too many to describe every one.
For changing things, you'll usually want to confine yourself to your home directory and /etc. On a Debian system, there's rarely an occasion to change anything else, because everything else is automatically installed for you.
/etc is used to configure the system as a whole. You'll use your own home directory, a subdirectory of /home, for configuring your own preferences, and storing your personal data. The idea is that on a day-to-day basis you confine yourself to /home/yourname, so there's no way you can break anything. Occasionally you log in as root to change something in a system-wide directory, but only when absolutely necessary. Of course, if you're using Debian at a school or business and someone else is the system administrator, you won't have root access and will only be able to change your home directory. This limits what you can do with the system.
Instead of moving files around by hand, you can use a file manager. If you move a lot of files around a file manager can make your work more efficient. There are text-based file managers, such as GNU Midnight Commander (type mc), and a number of file managers for the X Window System (for example gmc for the X Window version of GNU Midnight Commander).
Describing each of these is outside the scope of this manual; but you may want to try them out if the command line doesn't meet your needs.
Debian Tutorial