# 9 Permissions

|Command| Purpose|
|-|-|
|id| Display user identity|
|chmod| Change a file's mode|
|umask| Set the default file permissions|
|su| Run a shell as another user|
|sudo| Execute a command as another user|
|chown| Change a file's owner|
|chgrp| Change a file's group ownership|
|passwd| Change a user's password|

## Owners, Groups Members, and Everybody Else

In the Unix security model:
- A user may own files and directories. When a user owns a file or directory, the user has control over its access.
- Users can, in turn, belong to a group consisting of one or more users who are given access to files and directories by their owners.
- An owner may also grant some set of access rights to everybody else.

In [1]:
!file /etc/shadow

/etc/shadow: regular file, no read permission


User accounts are defined in the /etc/passwd file, and groups are defined in the /etc/group file.

In [2]:
!id

uid=1000(yemane) gid=1000(yemane) groups=1000(yemane),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),117(netdev)


## Reading, Writing, and Executing

Access rights to files and directories are defined in terms of read access, write access, and execution access.

In [3]:
!> foo.txt

The first 10 characters of the listing are the file attributes. The first of these characters is the file type.

In [4]:
!ls -ls foo.txt

0 -rwxrwxrwx 1 yemane yemane 0 Dec  8 18:23 foo.txt


|Attribute| File type|
|-|-|
|-| A regular file.|
|d| A directory.|
|l| A symbolic link. Notice that with symbolic links, the remaining file attributes are always rwxrwxrwx and are dummy values. The real file attributes are those of the file the symbolic link points to.|
|c| A character special file. This file type refers to a device that handles data as a stream of bytes, such as a terminal or /dev/null.|
|b| A block special file. This file type refers to a device that handles data in blocks, such as a hard drive or DVD drive.|

The remaining nine characters of the file attributes, called the file mode, represent the read, write, and execute permissions for the file's owner, the file's group owner, and everybody else.

|Owner|Group|World|
|-|-|-|
|rwx|rwx|rwx|

|Attribute| Files| Directories|
|-|-|-|
|r| Allows a file to be opened and read.| Allows a directory's contents to be listed if the execute attribute is also set.|
|w| Allows a file to be written to or truncated; however, this attribute does not allow files to be renamed or deleted. The ability to delete or rename files is determined by directory attributes.| Allows files within a directory to be created, deleted, and renamed if the execute attribute is also set.|
|x| Allows a file to be treated as a program and executed. Program files written in scripting languages must also be set as readable to be executed.| Allows a directory to be entered (for example, with cd).|

### chmod: Change file mode

- Octal number representation
- Symbolic representation

#### Octal number representation

|Octal| Binary| File mode|
|-|-|-|
|0| 000| ---|
|1| 001| --x|
|2| 010| -w-|
|3| 011| -wx|
|4| 100| r--|
|5| 101| r-x|
|6| 110| rw-|
|7| 111| rwx|

In [18]:
!chmod 600 foo.txt

#### Symbolic representation

|Symbol| Meaning|
|-|-|
|u| Short for “user” but means the file or directory owner.|
|g| Group owner.|
|o| Short for “others” but means world.|
|a| Short for “all.” This is a combination of u, g, and o|

|Notation| Meaning|
|-|-|
|u+x| Add execute permission for the owner.|
|u-x| Remove execute permission from the owner.|
|+x| Add execute permission for the owner, group, and world. This is equivalent to a+x.|
|o-rw| Remove the read and write permissions from anyone besides the owner and group owner.|
|go=rw| Set the group owner and anyone besides the owner to have read and write permissions. If either the group owner or the world previously had execute permission, it is removed.|
|u+x,go=rx| Add execute permission for the owner and set the permissions for the group and others to read and execute. Multiple specifications may be separated by commas|

### umask: Set Default Permissions

The umask command controls the default permissions given to a file when it is created. It uses octal notation to express a mask of bits to be removed from a file's mode attributes.
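The octal table under chmod and the umask rule above, worked through in POSIX sh. This is an added example, not part of the original notes: `mode_to_rwx` renders an octal mode the way `ls -l` does, `default_mode` computes what a umask leaves of the base mode (0666 for files, 0777 for directories), and `umask_demo` checks that arithmetic against files actually created under that umask in a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original notes). Function names are my own.

# mode_to_rwx 644  ->  rw-r--r--   (one rwx triplet per octal digit)
mode_to_rwx() {
    m=$(printf '%03o' "$(( 0$1 & 0777 ))")   # normalise to three octal digits
    out=""
    for i in 1 2 3; do
        d=$(printf '%s' "$m" | cut -c"$i")
        # bit 4 = read, bit 2 = write, bit 1 = execute
        if [ $(( d & 4 )) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $(( d & 2 )) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $(( d & 1 )) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    done
    printf '%s\n' "$out"
}

# default_mode UMASK file|dir  ->  octal mode a new file or directory receives.
# The kernel clears every bit set in the umask: base & ~umask.
default_mode() {
    case $2 in
        dir) base=0777 ;;   # mkdir asks for 0777
        *)   base=0666 ;;   # regular files are created without execute bits
    esac
    printf '%03o\n' "$(( base & ~0$1 ))"
}

# umask_demo UMASK -> "<file mode> <dir mode>" as ls -l shows them, measured
# on real files created under that umask in a throwaway directory.
umask_demo() {
    tmp=$(mktemp -d) || return 1
    (
        cd "$tmp" && umask "$1" && : > f && mkdir d &&
        printf '%s %s\n' "$(ls -ld f | cut -c2-10)" "$(ls -ld d | cut -c2-10)"
    )
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Stand-alone run: show the common 022 case and a private 077 case.
for u in 022 077; do
    printf 'umask %s: file %s (%s), dir %s (%s)\n' "$u" \
        "$(default_mode "$u" file)" "$(mode_to_rwx "$(default_mode "$u" file)")" \
        "$(default_mode "$u" dir)"  "$(mode_to_rwx "$(default_mode "$u" dir)")"
done
umask_demo 022
```

Compare the last line of output with the computed `rw-r--r--` and `rwxr-xr-x`; if they differ, the umask was not the only thing shaping the mode (default ACLs on the parent directory are the usual cause).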

## Changing Identities

### su: Run a Shell with Substitute User and Group IDs

The su command is used to start a shell as another user. The command syntax looks like this:
- `su [-[l]] [user]`
- If the -l option is included, the resulting shell session is a login shell for the specified user.
- If the user is not specified, the superuser is assumed.
- After entering the command, we are prompted for the superuser's password. If it is entered successfully, a new shell prompt appears.
- To execute a single command rather than starting a new interactive shell, use `su -c 'command'`.

### sudo: Execute a Command As Another User

The sudo command is like su in many ways but has some important additional capabilities.
- The administrator can configure sudo to allow an ordinary user to execute commands as a different user (usually the superuser) in a controlled way.
- In particular, a user may be restricted to one or more specific commands and no others.
- Another important difference is that the use of sudo does not require access to the superuser's password.
- Authenticating using sudo requires the user's own password.

### chown: Change File Owner and Group

The chown command is used to change the owner and group owner of a file or directory. Superuser privileges are required to use this command. The syntax of chown looks like this:
- `chown [owner][:[group]] file...`

|Argument| Results|
|-|-|
|bob| Changes the ownership of the file from its current owner to user bob.|
|bob:users| Changes the ownership of the file from its current owner to user bob and changes the file group owner to group users.|
|:admins| Changes the group owner to the group admins. The file owner is unchanged.|
|bob:| Changes the file owner from the current owner to user bob and changes the group owner to the login group of user bob.|

### chgrp: Change Group Ownership

chgrp works much the same way as chown, except that it is more limited: it changes only the group ownership.

## Change Your Password

`passwd [user]`

To change your password, just enter the passwd command. You will be prompted for your old password and your new password.