

From the document A/UX® Local System Administration (pages 95-99)

The administrator's role in assigning permissions

2. And then, to deny write and execute permissions to all others:

chmod o-wx filename

Numeric terms

Numeric or absolute terms are based on the combinations allowed by octal numbers where, for each access class, the mode of the file is set as follows:

0 grants no permission
1 grants execute permission
2 grants write permission
4 grants read permission

These numbers can in turn be combined in the following way:

3 (1 + 2) grants execute and write permissions
5 (1 + 4) grants execute and read permissions
6 (2 + 4) grants write and read permissions
7 (1 + 2 + 4) grants all permissions

The format for invoking chmod with numeric terms is

chmod permission filename

where permission is the numerical representation for each access class. For example, using the chmod command with the following numeric terms makes the file readable, writable, and executable by the owner and group, and inaccessible to others:

chmod 770 filename

3-18 A/UX Local System Administration

The first 7 represents rwx for the user, the second 7 represents rwx for the group, and the 0 represents no access permission for all others. The permissions of the file are then

-rwxrwx---

set-uid and set-gid commands

It is possible under A/UX to set up commands that act as if they were being invoked by a specified user or by a member of a specified group. The mechanism for this is simple: a set-uid command takes on the user ID of its owner (the owner of the file that is being executed). The set-gid commands function similarly but take on the group ID of the executed file.

For example, a user might wish to change his or her password in the /etc/passwd file. It would normally be quite insecure to allow every user to modify the file in question, so a set-uid program, passwd, is used. When invoked, passwd takes on the identity of the owner of the passwd program, in this case root, for the time needed to modify /etc/passwd.

Of the two, set-gid commands tend to be safer, since group membership typically confers less power. Both should be treated with respect, however. In any case, it may be desirable to have a set-uid program that can be run only by a selected set of users. This can be accomplished by putting the set of users into the same group to which the program belongs and denying execute permission to others. Only group members can then run the program, performing the action as if they were the owner of the executable file.

You can use chmod to turn on the set-uid bit or set-gid bit for a file. You use the first field of the chmod command for this. The meanings of the numbers, as well as the symbolic characters (in parentheses) that correspond to this field, follow:

1 (t) Set sticky bit (not used by A/UX)
2 (s) Set gid bit on execution
4 (s) Set uid bit on execution

• Note: set-uid and set-gid are applicable only with u or g.

Chapter 3 User and Group Administration 3-19

In swapping systems, the sticky bit indicates that the file should remain in main memory once it has been loaded in; this can shorten initialization time for frequently used programs at the cost of tying up a portion of main memory indefinitely. Because A/UX is a paging system, however, the sticky bit has no effect. In systems that load an entire file into physical memory, data is swapped in and out of memory as needed. Paging systems, however, load a page of the requested data (4K in A/UX) instead of a file at a time, which speeds data retrieval.

For additional information see Chapter 10, "System Activity Package." Note that neither set-user ID nor set-group ID modes apply to directories or nonexecutable files.

Turning on the set-uid or set-gid bit is useful with very specific and restricted files, for example the passwd program. The command to turn on the set-gid bit on a file with read, write, and execute permissions for all (mode 777) is

chmod 2777 filename

The command to turn on the set-uid bit on a file with read, write, and execute permissions for the owner, read and execute permissions for the group, and no permissions for all others (mode 750) is

chmod 4750 filename

The permissions field in the output of the ls -l command in the first case is

-rwxrwsrwx

where the s in the group execution field represents the set-gid bit.

The permissions field in the output of the ls -l command in the second case is

-rwsr-x---

where the s in the owner execution field represents the set-uid bit.

You can combine the setting of the set-uid bit and the set-gid bit, as you can with all other numeric terms, so that

chmod 6755 filename

results in

-rwsr-sr-x


umask and file permissions

The umask command defines the default permissions for each file created by a user. You can run this command for all users in the /etc/profile or /etc/cshrc file, or you can run it individually for each user in his or her .profile or .login file. See "How A/UX Establishes the Environment," earlier in this chapter. The value assigned to umask in the individual files .profile, .login, or .cshrc overrides the values set in /etc/profile or /etc/cshrc.

The umask command, like the permissions associated with chmod, is assigned a numeric value of three octal numbers. The value of each specified digit is subtracted from the corresponding digit specified by the system for the creation of files.

For example, to ensure that all files created by a user have the permissions

-rwxr-x---

you must set the umask for that user as

umask 027

so that, when the 027 is subtracted from 777, the files' permissions are 750. The default umask in the A/UX standard startup files is 027 for regular users.

The notation

umask 27

is shorthand for

umask 027

That is, leading zeros can be eliminated from the notation.

Note that changing a user's umask does not affect the permissions on existing files.
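As an added worked example (not code from the A/UX manual), the following Python renders the numeric terms above, including the leading set-uid/set-gid/sticky digit, as the permissions field that ls -l prints, and computes the permissions a umask leaves on a new file. It cross-checks its rendering against Python's stat.filemode; the upper-case S/T it shows when a special bit is set without the execute bit is standard ls behaviour and an assumption here, not something the manual states.

```python
import stat

# Bit values for one access class (owner, group, others), as the manual lists them.
READ, WRITE, EXEC = 4, 2, 1
# Bit values for the leading (fourth) digit: set-uid, set-gid, sticky.
SETUID, SETGID, STICKY = 4, 2, 1


def mode_to_ls(mode):
    """Render a numeric chmod mode such as '770', '4750' or '6755' as the
    10-character permissions field ls -l prints for a regular file."""
    digits = [int(c, 8) for c in mode.zfill(4)]   # '770' -> '0770'
    special, classes = digits[0], digits[1:]
    out = "-"                                      # leading '-' = regular file
    for i, cls in enumerate(classes):
        out += "r" if cls & READ else "-"
        out += "w" if cls & WRITE else "-"
        has_x = bool(cls & EXEC)
        # The special bit shown in this class's execute column: owner -> set-uid,
        # group -> set-gid, others -> sticky.
        flag = (SETUID, SETGID, STICKY)[i]
        if special & flag:
            # Assumed standard ls behaviour: lower-case s/t when execute is also
            # set, upper-case S/T when the special bit is set without execute.
            letter = "s" if i < 2 else "t"
            out += letter if has_x else letter.upper()
        else:
            out += "x" if has_x else "-"
    return out


def matches_stat(mode):
    """Cross-check: does our rendering agree with Python's stat.filemode?"""
    return mode_to_ls(mode) == stat.filemode(stat.S_IFREG | int(mode, 8))


def apply_umask(umask, default="777"):
    """Permissions a new file receives: every bit set in the umask is cleared
    from the default mode. For umask 027 this is the manual's 777 - 027 = 750.
    A leading zero may be omitted ('27' == '027'), as the manual notes."""
    result = int(default, 8) & ~int(umask, 8) & 0o777
    return format(result, "03o")


if __name__ == "__main__":
    for m in ("770", "2777", "4750", "6755"):
        print(f"chmod {m:<5} -> {mode_to_ls(m)}")
    print("umask 027 ->", apply_umask("027"))
```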
