GNU and Unix systems are set up to allow many people to use the same computer, while keeping certain files private or keeping certain people from modifying certain files. You can verify this for yourself. Log in as yourself, i.e. NOT as root.
Now type ls -l /etc/resolv.conf.
This will give you output that looks something like this:
First, the brief, technical explanation: The -rw-r-r- is the mode of the file, the 1 is the number of hard links to this file (or the number of files in a directory), and the two roots are the user and group owning the file, respectively.
So that was cryptic. Let's go through it slowly.
Every file has two owners: a user and a group. The above case is a little confusing because there's a group called root in addition to the root user. Groups are just collections of users who are collectively permitted access to some part of the system. A good example is a games group. Just to be mean, you might create a group called games on your computer and then set up your system so that only people in a games group are allowed to play games.
Here's a more practical example. Consider a case in which you're setting up a computer for a school. You might want certain files to be accessible only to teachers, not students, so you put all the teachers in a single group. Then you can tell the system that certain files belong to members of the group teachers, and that no one else can access those files.
Let's explore groups on the system. First, you can use the groups command at the shell prompt. This will show you a list of the groups to which you belong. Here's an example:
It's likely that you're a member of only one group, which is identical to your username. However, root can add you to other groups. The above example shows a person that is a member of five groups.
Tip: If you just installed Debian, you may be the only user. You can use the adduser command to add more users to the system.
In addition to being owned by one user and one group, every file and directory also has a mode, which determines who's allowed to read, write, and execute the file (and run it, if it's a program). There are a few other things also determined by the mode, but they're advanced topics so we'll skip them for now.
The mode looks like this in the ls output: -rw-r-r-. For now, we'll consider nine of these parts: those that control read, write, and execute permissions for the user owning the file, the group owning the file, and others (everyone on the system, sometimes called world).
In the mode line, the first ``element'' gives the file type. The - in this case means it's a regular file. If it was d, we'd be looking at a directory. There are also other possibilities too complex to go into here; for details, see section 13.2.2 on page .
The remaining nine elements are used to display the file's mode. The basic 9 bits (read, write, and execute for user, group, and other) are displayed as three blocks of rwx.
So if all permissions are turned on and this is a regular file, the mode will look like this: -rwxrwxrwx. If it was a directory with all permissions turned off for others and full permissions for user and group, it would be drwxrwx--.
|
Directory modes can be a little confusing, so here are some examples of the effects of various combinations:
Directory write permission determines whether you can delete files in a directory. A read-only file can be deleted if you have permission to write to the directory containing it. You can't delete a file from a read-only directory even if you're allowed to make changes to the file.
This also means that if you own a directory you can always delete files from it, even if those files belong to root.
Directory execute permission determines whether you have access to files - and thus whether file permissions come into play. If you have execute permissions to a directory, file permissions for that directory become relevant. Otherwise, file permissions just don't matter; you can't access the files anyway.
This section goes through a short example session to demonstrate how permissions are used. To change permissions, we'll use the chmod command.
$ touch myfile
Recall that cd by itself returns you to your home directory. touch is normally used to change the modification time of the file to the current time. But it has another interesting feature: If the file doesn't exist, touch creates the file. So you're using it to create a file to practice with. Use ls -l to confirm that the file has been created and notice the permissions mode:
-rw-r-r- 1 user user 0 Nov 18 22:04 myfile
What was that 0444 business in the question from rm? The permissions mode is a twelve-digit binary number, like this: 000100100100. 0444 is this binary number represented as an octal (base 8) number, which is the conventional way to write a mode. So you can type chmod 444 myfile instead of chmod ugo=r myfile.
John Goerzen / Ossama Othman