Setting File Permissions
Part of the security provided by every operating system involves the rights to read, copy, change, delete, and execute the files stored on a machine's file system. The way those rights are handled and modified varies from OS to OS.
The basic rights to all files are similar across both Unix and Windows operating systems. The permissions on those files fall into three basic categories:
- Read: This includes permission to view the contents of a file or directory, and to make a copy of it.
- Write: This includes permission to change the contents of a file, to make a new file on a directory, and even to delete the file or directory.
- Execute: This is the permission to run the program contained in the file.
Each operating system provides other rights. For example, in Windows the ability to change file rights is separate from the ability to change the contents of a file, while in Unix the ability to change permissions on the file is included in the "write" permission. Both operating systems provide rights based on the groups of which one is a member.
One may view the permissions on files in Windows using the cacls command. For example
cacls myfile.txt
should show each account or group that has any rights to the file, and the nature of those rights. For example, it may give a listing such as "everyone:r", which indicates that the group called "everyone", which includes all accounts, has "read" access. It might also show "administrator:f", which indicates that the administrator of the machine has full control of the file. The possibilities include
- :r - read access
- :c - change access includes read, and write access
- :f - full control includes read and write access as well as the ability to change permissions.
- :w - write access is actually a collection of special privileges, less than change access.
We can set the rights on a file for which we have full control using the cacls command. For example, the command
cacls myfile.txt /e /g everyone:r
grants all accounts in the group "everyone" read access to the file. The switch "/e" indicates that we are just changing the permissions, not replacing them. The "/g" switch grants the privilege. To revoke privileges, use a command such as
cacls myfile.txt /e /r everyone
This revokes all rights for users in the group "everyone" . Note that you must use the /e switch in order to use the /r switch.
The command to change file rights in Unix is called chmod (change mode). In order to use it, we must understand the listing of rights on files in Unix. Each file has a 10-character string associated with it that describes its nature and rights completely. We can view this string using the ls -l command:
ls -l myfile.txt
The result of this command is a line that begins with e.g. -rw-rw-r--. The first dash corresponds to a file descriptor that tells whether the file corresponds to a directory, a link (shortcut, if you will), or a device. The dash means it is a plain file. If it were a directory, the first character would be a "d". The next nine characters are broken into three sets of three. The first three characters correspond to the rights of the owner of the file (the user). The next three give the rights for members of the group that owns the file. The third set of three gives the rights of everyone who has an account on the machine. Thus, if we run the command ls -l and look at "WebSite" we see
drwxr-xr-x 3 owner grp 1024 Dec 13 14:16 WebSite
The first ten characters say that WebSite is a directory, the owner (called "owner") has read, write, and execute permission on the file, while members of the group (called "grp") are treated the same as anyone else: they can read or execute the file, but not write to it. This means that anyone can view, copy or run the files in the directory, but cannot change it or delete its contents. Here is another example: the command ls -l VandS*.pdf yields
-rw-rw-r-- 1 sally grp 2384061 Jan 4 10:45 VandS_Book_3.pdf
In this case, VandS_Book_3.pdf is a plain file whose owner ("sally") and group ("grp") has read and write permission, while everyone else has only read permission.
We can change these permissions using the chmod command. The command has the form
chmod [ugo][+-][rwx] filename
where the characters inside the brackets represent choices. The following commands take away read permission from others, and add execute permission for the the user (owner) and group members on the file VandS_Book_3.pdf.
chmod o-r VandS_Book_3.pdf
chmod ug+x Vc
There is a shorthand notation for the chmod command that uses numbers to set all nine permissions at once. For example, consider a permission string of the form
| rwx | -w- | --x | As it appears from an ls -l command | |
| 111 | 010 | 001 | Each permission that is set gets a 1, each that is off gets a 0 | |
| 7 | 2 | 1 | Octal representation of the binary numbers above them | |
| chmod 721 VandS_Book_3.pdf (sets the permissions as indicated) |
Thus we can set permissions to rwxr-xr-x using the command chmod 755 VandS_Book_3.pdf, and can set them to rw-r--r-- using chmod 644 VandS_Book_3.pdf.
The last test will take place at the final exam time on
Tuesday, 12 December, from 1:30-3:30. It will be written as a one-hour (not
50 minute) exam, but you may have the full two hours for it.
In other respects it will be very like the other tests, but
comprehensive - it will emphasize Python, but cover all the
topics we have seen.
There is a
Sample Exam, but be aware that things will have changed somewhat
with the advent of ChatGPT.
The scores are posted on the Info tab at
My.math.
Notify the instructor of discrepancies immediately.