Some Useful Details: Ownership, Protection, Privacy

Unix allows you to control who can access your files. If you don't do anything special, anyone on the system can read or execute any of your files. However you can do things to exercise more control over file access. You can control access at two levels: the individual file, or the whole directory. In order to get to one of your files, someone else must have the authorization to look in your directory. If he can't look in your directory, then nothing else matters. Once he can look into your directory, then each individual file has its own code to say what he can do. So you can lock out users from individual files by changing the file permissions. Or you can lock them out from the whole directory by changing the directory's permissions. Some aspects of file protection depend upon ``groups". A group is a set of users. It has a group id, which is a number, and a group name. The groups are set up by the system administrator. Normally they represent classes and research projects. For example, there could be a group ``cs231-a", which contains all students in Computer Science 231, section A. One of the things you can do is to say that everyone in a certain group can access your files. If you find that you need a group that is not already defined, you should contact your system administrator. The groups are listed in the file /etc/group. In order to provide you with maximum flexibility, Unix allows each file to have three attributes that affect who can access it.

1. owner: this person can normally delete or modify the file, and can change its protection and the group that is associated with it. The owner is normally the user that created the file. This means that if someone else puts a file into your directory, he owns it! (As a special convenience, you can always delete a file that is in your directory, even if its permissions would not normally allow you to.)
2. group: different files can have different groups associated with them. You would normally choose a group that you want to have more access to the file than the rest of the world. For example, you might decide that members of your research project should be able to change the file, and everybody else should just be able to read it. Then you would set the group to your project's group. If you don't specify a group, it defaults to the group associated with the directory. The owner can change a file to any group that he belongs to.
3. mode: the mode is a number that controls who can do what. It has separate fields for the owner, the group, and others. Thus the owner could allow himself to change the file, members of his group to read it, an other to do nothing at all. Or any other combination...

You can look at the modes of your files or directories by using the ``ls -l" command. It displays the mode in a form that looks like the first line below.
-rwxr-x-r-
r read w write x execute (search for directory) There are three consecutive groups of three letters. The first group applies to the owner, the second to the group, and the third to all others. The letters mean read, write, and execute. So the code ``-rwxr-x--" means that the owner can do anything; others in his group can read or execute the program, but not change it; and others can't do anything with it at all. As mentioned above, in order to be able to access one of your files, a user must have the appropriate permission in the file mode, but (s)he must also have access to the directory itself. The protection bits have a slightly different meaning for directories. Read allows the user to read the directory as a file. In practice, this controls whether he can do wildcard operations such as listing all the files in the directory. Write controls whether he can do operations that involve changing the directory, i.e. create or remove files. Execute controls whether he can open existing files. If execute is missing, the user cannot open any file in the directory, even if the files themselves have permissions that would allow him to do so. If the execute bit is on, then the user can do operations on individual files according to their permissions. Typically directories are set up to have modes ``-rwxr-xr-x", which means that the owner can do anything, and everyone else can access files according to their individual modes. The ``r-x" allows other users to look into the directory and at the files in the directory. Because ``w" is missing, the other users can't create new files in the directory. If you wanted to have a totally private directory, you would use ``-rwx---". In this case, no one else could look at anything in it. If you wanted members of your group to be able to create files in your directory, you might use ``- rwxrwxr-x". The commands ``chown", ``chgrp", and ``chmod" are used to change the owner, group, and mode of a file. (However only a superuser can use chown.) ``chmod'' works as follows. chmod permission files ``permission'' is created by concatenating members of who, opcode, and mode, in that order. who can be one of u (user, owner), g (group), o (others), a (all above). opcode can be one of + (add permission), - (remove permission), = (assign permission). mode can be one of r (read), w (write), x (execute). For example, ``chmod ug+rx afile'' will let the owner and the group to read and execute the ``afile'', and ``chmod o+rx afile'' makes the ``afile'' public except that others can't change it. For other ways of using ``chmod'', please refer to the online help: ``man chmod''.