|
|
|
Understanding UNIX and NFS Permissions
Technical Note 1178
Last Reviewed 20-Feb-2004
Applies To
Reflection NFS Client version 10.0 or higher
Reflection for UNIX and OpenVMS version 10.0 or higher
Reflection X version 10.0 or higher
Summary
Technical Note 1178
Last Reviewed 20-Feb-2004
Applies To
Reflection NFS Client version 10.0 or higher
Reflection for UNIX and OpenVMS version 10.0 or higher
Reflection X version 10.0 or higher
Summary
Many Reflection products, such as Reflection NFS, Reflection X, and Reflection for UNIX and OpenVMS, provide connectivity to UNIX host computers. This technical note describes UNIX file and directory permissions and how file and directory ownership interacts with these permissions. This note also illustrates how an exports file on a UNIX host computer can affect client access to NFS file systems.
Note: The Reflection NFS Client standalone product is also included as a component of several Reflection products. For details, refer to Technical Note 3000.
Accessing Resources on a UNIX Host Computer
Access to a file or directory is determined by comparing three pieces of information:
- User and group information
- Ownership information for the file or directory
- Read, write, and execute permissions for the file or directory
This technical note explains each of these items and then demonstrates how to combine this information to determine access. An additional section is provided to explain file and directory access using NFS.
Users and Groups
Each user account on a UNIX host computer has a unique user name and primary group name. To identify your user name and primary group name, connect to your UNIX host using a terminal or terminal emulator and type id at the host prompt.
Note the following:
- The UNIX host computer uses a system of numbers called User Identifications (UIDs) and Group Identifications (GIDs) to track individuals and group members. User and group names are provided by the operating system to simplify administration. UIDs and GIDs and their corresponding names can be viewed in the /etc/passwd and /etc/groups files on the UNIX host computer. See your UNIX host documentation or man pages for more information.
- Illegal characters or formatting problems in the /etc/groups or /etc/passwords file can cause access problems. Problems in these files can also affect NIS maps, if NIS is used for authentication. To determine if there are errors in either of these files, run the gpck and pwck UNIX utilities.
The gpck and pwck UNIX utilities will detect problems in the /etc/groups and /etc/passwords files respectively. Use the hosts man pages to determine how to run gpck and pwck.
Example syntax for a Sun host: /usr/sbin/grpck /etc/group
File and Directory Ownership
Access to a specific file or directory depends on your category of ownership. There are three possible categories:
- Owner (if you are the owner of the file or directory)
- Group (if you are a member of the same group as the owner of the file or directory)
- Other (if you are not the owner or a member of the same group as the owner of the file or directory)
Your user and group names are used to determine which category of ownership is applicable for determining access to a particular file or directory. Comparing user and group names to file and directory ownership is explained below in "Determining Access to a File or Directory."
Read, Write, and Execute Permissions
Every file and directory has read, write, execute, or no permissions for owner, group, and other. The permissions are listed from left to right when you do a full file or directory listing.
The following diagram shows a typical listing for a file on a UNIX host computer:
Figure 1 - Permissions in Directory Listing
The first character indicates whether this is a file (-) or a directory (d). The next nine characters can be examined in groups of three. The first set of three characters corresponds to the owner permissions, the second set corresponds to the group permissions, and the third set shows the permissions for anyone who is not the owner or a group member (other).
Differences Between File and Directory Permissions
Both files and directories can be assigned read (r), write (w), execute (x), or no (-) permissions. The meaning of these permissions, however, is different for files and directories, as is shown in the following table:
| Permission Type |
File Access |
Directory Access |
| r |
User can open and read the file. |
User can do a directory listing and can read files in the directory. |
| w |
User can modify the contents of the file. |
User can create, modify, and delete files in the directory. |
| x |
User can execute the file (Only applies to binary files and scripts). |
User can change directories (cd) into this directory. |
| - |
User does not have the type of access replaced by this character (either read, write, or execute). |
User does not have the type of access replaced by this character (either read, write, or execute). |
Determining Access to a File or Directory
To determine whether you have access to a specific file or directory, follow these steps:
- Determine your user name and group name by logging on to the host computer and typing id at a UNIX host prompt.
- List the owner and group information and the permissions for the file or directory using the command ls -l at a host prompt. The output from the host will look similar to the following example:
$ -rwxr-x--- 1 bobr sales 1422 Apr 7 11:25 /mrktg/file.txt- Record the permissions in a table, such as the following:
| Owner |
Group |
Other |
| (bobr) |
(sales) |
(all other users) |
| rwx |
r-x |
--- |
- Compare your user name and group name to the file or directory owner and group names.
- If your user name matches the file or directory owner, you have Owner rights.
- If your group name matches the file or directory group name, you have Group rights.
- If neither the user name nor the group name matches, you have Other rights.
Example of File Permissions
In the following example, user bobr needs to determine if he has access to the hope.txt file in the /mrktg/june directory.
- He determines his user and group names by typing id at a host prompt:
User name: bobr
Group name: mgr
- Using ls -l, he gets the owner, group, and permissions information for the file:
$ -rwxr-x--- 1 bobr sales 1422 Apr 7 11:25 /mrktg/hope.txt- Use the following table to determine access for user bobr:
| Owner |
Group |
Other |
| (bobr) |
(sales) |
(all other users) |
| rwx |
r-x |
--- |
- Since bobr is the owner of the file, he has owner permissions to the file. In this example, the owner has read, write, and execute permissions.
Example of Directory Permissions
In the following example, user mattg needs to determine if he has access to the north directory.
- He determines his user and group names by typing id at a host prompt, which returns:
User name: mattgGroup name: sales- Using ls -l, he gets the owner, group, and permissions information for the directory:
$ drwxr-xr-x 13 bobr sales 3072 Jan 2 9:13 north- Use the following table to determine directory access for user mattg:
| Owner |
Group |
Other |
| (bobr) |
(sales) |
(all other users) |
| rwx |
r-x |
r-x |
- Since mattg shares group ownership with the directory, he has group permissions to the directory. In this example, group members have read and execute permissions.
Example of Combined File and Directory Permissions
The user's access to a file is based on both the file and directory permissions, and the most restrictive privileges take precedence.
For example, user bobr is trying to access notes.txt in the north directory. Here are the relevant file and directory permissions:
-rwxr-x--- 1 bobr sales 1422 Apr 7 11:25 /sales/north/notes.txtdr-xr-xr-x 13 bobr sales 3072 Jan 2 09:13 northThis information shows that bobr is the owner of the file and the directory. He has rwx permissions to the file, and r-x permissions to the directory in which the file resides. Therefore, his combined access for the notes.txt file will be r-x.
NFS Permissions
If you are accessing UNIX host files from an NFS client or gateway, such as Reflection NFS, there may be additional restrictions placed on the host resources. NFS servers use an exports file to limit access to specific file systems (directories) and users.
Exporting File Systems (/etc/exports)
In order to access host file systems or printers using an NFS client, the file systems must be exported. To export a file system or printer, it must be added to the host /etc/exports file.
The exports file allows the administrator to control the following access:
- Which file systems are made available to remote users
- Which remote users can access each file system
- What access limitations the remote users have to each exported file system
Note: Though generally similar, the exports file and access-control parameters and switches used in the exports file vary from host to host. For example, Sun UNIX host computers use an /etc/dfs/dfstab file for controlling NFS exports. Check your UNIX host computer man pages for host-specific NFS exports file location and configuration information.
Switches, Parameters, and Settings
These are common switches and access parameters in the /etc/exports file:
| Switch |
Function |
| -rw=[user,user,...] |
Provides read, write access to only the listed users, read-only access to all other users |
| -ro |
Provides read-only access to the file system |
| -access=[user,user,...] |
Provides access to only the listed users |
| -root=[user,user,...] |
Provides root access to the listed users |
Export Examples
These are examples of some possible exports settings on an RS6000 host computer:
| File System and Access Switch |
Resulting Access |
| /usr1/south |
All users, with no restrictions |
| /usr1/north -access=bobr |
User bobr only (denies access to all other users) |
| /usr1/west -ro |
Read-only access to all users |
Combined Permissions for NFS File Access
If a user is attempting to access a file on a UNIX host from a remote NFS client, access to that file will be determined by a combination of individual permissions. When combining the file, directory, and /etc/exports permissions, the most restrictive rights apply to the file.
The following example illustrates combined permissions for the user bobr, who is attempting to access the estimates.txt file in the year directory:
| bobr group name: |
sales |
| File permissions: |
-rwxr-x--- 1 bobr jefe 6145 Nov 4 8:14 /year/estimates.txt |
| Directory permissions: |
dr-xr-xr-- 13 lindac sales 7696 Jan 17 09:13 year |
| /etc/exports entry: |
/year -access=bobr,charleso |
In this example, bobr is the owner of the estimates.txt file. The owner has rwx permissions.
The directory containing estimates.txt (/year) is owned by lindac, but has sales as the group owner. User bobr is a member of the sales group, so his access to the /year directory is determined by the group permissions. In this case, the directory group permissions are r-x.
The combined permissions for bobr are r-x.
For NFS access, it is necessary to check the /etc/exports file to see if the year directory is being exported, and whether it has any restrictions for access. In this case, the /year directory is being exported with access for users bobr and charleso only.
User bobr, therefore, has r-x (read and execute) access to the estimates.txt file in the year directory using NFS. The user can cd into this directory, and can read and execute files within the directory. However, he cannot delete, rename, or create any files in this directory.
