Groups, Chmod, Chgrp and Chown

Groups and chown are two effective ways of sharing and/or limiting access to files, directories and programs.


Using group

Groups are different classifications of users. For example, everyone who has direct access to the PH database is in the group ph. This is defined in the file /etc/group. The specific line would look like:

ph:*:123:bob,bill,jack,susan,samantha,chris,frzappa

The first and third fields are the group name and group id (gid) respectively. These must be unique on that system. You would not want to create a group that has the same name as a user or vice versa. The second field (the one with the *) is the location of the encrypted password. You'll never actually see the password, just an asterisk acting as a placeholder. The last field is the list of users who are members of that group. Be careful about who you place in a group, because they will have access to all files and directories which are placed in that group.

Let's say that you place the user jack in the group infoserv. Jack would now have the ability to access any file which is in the group infoserv, assuming that the permissions were correctly set. This way not only the owner of the file could work on it, but anyone in their group. You can always find out what groups you are in by typing groups.

Take a look at the manpage for group.

It is important to remember that just being in a group or placing a file in a group does not automatically give everyone access to that file. The owner of that file must first set the proper permissions.

Setting permissions with chown, chgrp and chmod.

If you type ls -l you will see something that resembles the following.

drwxr-xr-x 2 rapier wheel 512 Apr 26 14:25 Mail
drwxr-xr-x 2 rapier wheel 512 Apr 26 14:25 News
-rw-r--r-- 1 rapier wheel 3748 May 10 09:44 account
-rw-r--r-- 1 rapier wheel 13294 May 10 09:56 account_add

This listing actually contains a lot more information than just the file and directory names. Breaking down one line into its components we have:

file mode:  links:  owner:  group:  bytes used:  modification date:  filename:
-rw-r--r--  1       rapier  wheel   13294        May 10 09:56        account_add

The file mode is a string of 10 letters which is broken down into a 1 letter descriptor and then three blocks of three letters (always rwx) which describe the varying permission levels.

The descriptor: This is the first character and is a - in the case of files, a d for directories, an l for a link and so forth.

Owner permissions: This is the first block of three characters (position 2 through 4). These say what the owner of the file can do to this file. r stands for read, w stands for write and x would mean that it is executable. If there is only a - there it means that the owner does not have permission to do that. So in the example above the owner rapier has read and write permission on the file account_add.

Group permissions: This is the second block of three (position 5 through 7). These describe what permissions members of the file's group have. In the above example, people in the group wheel would have the ability to read and copy the file account_add. If the permissions were set to ...rw-... members of wheel would also be able to edit the file or delete it.

Other permissions: This is the last block of three (position 8 through 10). These describe what permissions the entire world has on this file or directory. As with group permissions, you want to be very careful with this! Do not give any more permissions than are absolutely necessary.

chmod: This command changes the permissions as described above.
The easiest way to change permissions is to use the mnemonics instead of the bit maps. For example, making a file world executable and readable is easily done with chmod o+rx filename.

The format is chmod (options) [permission group][add or remove][permission type] filename

Permission groups can be:

Add or remove is

Permission type can be

You should also take a look at the man page for chmod.
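
The mode-string breakdown and the chmod mnemonics described above, as an added example that is not part of the original page: it sets permissions with mnemonics, reads the result back from ls -l, and flags anything the world can write to. The function names and the scratch file are constructed for illustration; `a` (all) and comma-separated clauses are standard chmod syntax.

```shell
#!/bin/sh
# Added example: function names and the scratch file are constructed.

# Print the 10-character file mode, as in the first column of ls -l.
# cut drops any trailing ACL/SELinux marker some systems append.
mode_of() {
    ls -ld -- "$1" | cut -c1-10
}

# Split a mode string into the descriptor and the three permission blocks.
describe_mode() {
    printf 'type=%s owner=%s group=%s other=%s\n' \
        "$(printf '%s\n' "$1" | cut -c1)" \
        "$(printf '%s\n' "$1" | cut -c2-4)" \
        "$(printf '%s\n' "$1" | cut -c5-7)" \
        "$(printf '%s\n' "$1" | cut -c8-10)"
}

# Succeed if the "other" block (positions 8-10) grants write.
other_can_write() {
    case $(mode_of "$1" | cut -c8-10) in
        ?w?) return 0 ;;
        *)   return 1 ;;
    esac
}

# List every entry directly inside a directory that the world can write to.
audit_dir() {
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        if other_can_write "$f"; then
            printf '%s %s\n' "$(mode_of "$f")" "$f"
        fi
    done
}

demo() {
    d=$(mktemp -d) || return 1
    touch "$d/account_add"
    chmod a-rwx "$d/account_add"       # start from no permissions at all
    chmod u+rw,g+r "$d/account_add"    # owner edits, group reads, world gets nothing
    describe_mode "$(mode_of "$d/account_add")"
    chmod o+w "$d/account_add"         # the excess permission the text warns about
    audit_dir "$d"                     # reports the world-writable file
    chmod o-w "$d/account_add"         # remove it again
    rm -rf "$d"
}
demo
```

Running audit_dir over a shared directory after any chmod or chgrp change is a quick check that no file ended up with more "other" access than intended.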

chown: This command changes who owns the file or directory.

The format is chown (options) user filename

You must have sudo access to chown someone else's files or directories and the user must be found in the /etc/passwd file. You can find more information on the man page for chown.

chgrp: This changes what group the file or directory belongs to.

The format is chgrp (options) group filename

You must have sudo access to chgrp someone else's files or directories and the group must be found in the /etc/group file. Take a look at the manpage for chgrp.


Revision 1.1:May 17, 1996:CJR