I don't fully understand CHMOD file permissions, can anyone better explain it?

I've searched the internet for some time for a good explanation of CHMOD, but have yet to come by a good explanation, since every explanation uses the same words with small variations.

What I know so far: There is the CHMOD number, which corresponds to 3 levels of access: Owner, Group, and everyone else. You can set Read, Write and Execute. 777 means all users can do everything and 000 means no one can do anything.

What I need help understanding is: who ARE the "Owner, group, and everyone else"? Typical explanations state that the owner is "Me", but I don't read, write or execute? I go onto my website as an anonymous user to test it. Who is a group user? They typically explain it is a user in a group :P. Does this mean my account on my shared hosting account? And who is everyone else?

This isn't a difficult concept to understand, but the explanations I've read are lacking any thorough explanation. From my understanding there are 2 types of users accessing my website. There is the server that accesses scripts/files and random people who ask the server to access these scripts/files.

Last but not least, the 3 accessors. From what I understand, if "read" is disabled for a file, it will not be displayed; if "write" is disabled, it can't be modified by a script; and if execute is disabled, then I'm not really sure.

I would GREATLY appreciate a solid explanation and answer to these questions. It probably seems like a simple idea to most experienced server admins, but I'm currently learning server administration on shared hosting with Network Solution by myself, so I'm a little inexperienced.


Solution 1:

Your center of attention is wrong. Forget about the web and webpages.

Chmod changes permissions on files, not on web pages.

You will need files if you want to display web pages, but then you are looking at an edge case. Start with the basic part.

If you grab a Windows computer and log in as, say, 'joe', then you will have files in c:\users\joe. Only you (when logged in as joe) may read those. If you create a second account (say jane, joe's wife), then she will have files in c:\users\jane.

Joe may read files from Joe, but not the files from Jane. Jane may read files from Jane, but not the files from Joe.

In Unix this is similar.

You will not have files in c:/user/*, but in /home.

If you have a web page then you will have files for that webpage. You need to set who may read that file, who may write to it, and who may execute that file (assuming it is an executable).

The classic way to do that in Unix is by file owner (e.g. Jane or Joe), groups (e.g. all users) and the rest of the world.

Once you understand this you can expand into web pages. And depending on the http, things might even be a bit non-standard. But start with the basic part. Ignore web stuff for now.


Edit: As an example, part of my directories. This is about the same as your file manager should show you.

toad:/home/hennes/.html>ls -l
total 18364
-rw-r--r--  1 hennes  users  1320216 Jan 27  2012 20050326_Australia_Uluru_from_plane.jpg
-rw-r--r--  1 hennes  users  2012406 Dec 16  2010 20101216_Kerstboom2010.JPG
lrwxrwxrwx  1 hennes  users        9 Apr 30  2006 Pictures -> pictures/
-rw-r--r--  1 hennes  users   240548 May  3 20:54 Western_realm.png
-rw-r--r--  1 hennes  users     1654 Apr 24  2004 about_me.html
-rw-r--r--  1 hennes  users     1899 Aug  7  2007 appeltaart
-rw-r--r--  1 hennes  users  4090644 Dec  1  2011 book_list.txt
-rw-------  1 hennes  users      385 Aug 11  2005 booklist.html
-rw-r--r--  1 hennes  users     4384 May 15  2005 bookmarks.html
-rw-------  1 hennes  users     1999 Feb 28  2011 bug.txt

  • The first part is the permissions, in groups of three.
  • Then the link count number (which I will ignore since it is not important for chmod).
  • Then the user. In your case that would be 'abc'.
  • Behind the user is the group the file belongs to. On this computer all people who can log in are added to this group.
  • Then the file size.
  • The file modification date.
  • And finally the file name.

As the owner of your files you want to be able to read and write your own files. So usually the first column has rw- or rwx in it. Without 'r' you can not read your own files. Without 'w' you can not write to them (and thus you can not change them).

The displayed group 'users' is a bit generic. But you can set the same flags on it. The advantage of a group is that you can add multiple people to it. E.g. you could have a file with these settings:
- rw- rw- --- 1 Joe SalesWeb 2048 Feb 30 2012 index.html
User 'joe' created the file. He owns it. He can read it and write to it.
All other people who have been added to the group 'SalesWeb' can also read and write to it. (This allows you to work with groups on files.)
The rest of the world is not allowed to do anything at all with the file.

Solution 2:

Who ARE the "Owner, group, and everyone else".

The salient computer system concept is that a person has to identify himself in order to use a secure system like Linux. This is the log-in procedure, which involves a username or userID and a security mechanism such as a password or a biometric comparison (e.g. fingerprint or iris scan).

Before any log-in can be attempted, some system administration must occur.

  • The username (or userID) must be entered into the list of valid users.
  • The username (or userID) will also be entered into any number of group lists. That is, each group list is a roster of all the users that are members of that group.

Who is a group user?

These 2 questions do not make sense, since "group" is not a "who". A group is a list of users. Those users belong to that group. Given a specific user and a specific group, that user is either in that group or not a member of that group.

There is the CHMOD number, which corresponds to 3 levels of access

Besides these three levels of access, the file has two other salient properties:

  • the username that owns (controls) this file.
  • the groupname that owns (controls) this file.

There are three levels of access, but only one level of read/write/execute access is applied. Which one of the three rwx permission sets is to be used is determined by a simple test:

  • If the user attempting to access this file is the user-owner, then the owner rwx permissions are to be used.
  • Otherwise if the user attempting to access this file is a member of the file's group-owner, then the group rwx permissions are to be used.
  • Otherwise the other rwx permissions are to be used.

The type of access is compared to the selected permissions once the rwx permissions are established:

  • The access operation is allowed for execution (i.e. transfer from file into memory and mark as executable) only if the "x" permission bit is set (enabled). Also used for searching permission if file is actually a directory.
  • The access operation is allowed for writing (i.e. transfer from memory to file) only if the "w" permission bit is set (enabled).
  • The access operation is allowed for reading (i.e. everything else: transfer from file into memory and mark as not executable) only if the "r" permission bit is set (enabled).

I go onto my website as an anonymous user to test it.

As mentioned in the beginning, the salient concept is that a person has to identify himself by logging into the system. This involves a login procedure through a local console or terminal or a remote terminal in order to establish the username. Access to the computer system that does not require a login typically involves very constrained access or access through a service, such as a web server that can deliver web pages to your browser. This service typically executes as a daemon and is owned by a specific user and belongs to specific groups. (Note that the user that "owns" the service is usually an abstract entity and not a real person. There are usually security measures to prevent login as the service's username.) Since the kernel starts the daemon, the service does not have to "log in". But the access capabilities of this service can be controlled just like any real user who logs in in the conventional manner.

BTW web pages are output (data) from the web server (program) to your web browser (program). The data that comprise these web pages can come from individual .html file(s) or be generated dynamically, e.g. by .CGI programs. If the web server encounters a file permission error while trying to complete a request from your browser, you might get an "Error 403" HTTP status code.

Addendum: If you want to discuss or evaluate a file permissions issue, you need to ask and get answers to some questions:

  • What is the username of the process performing the access? If you are executing a program from the command line, then use

    $ whoami
    
  • Who owns the file being accessed? You need to obtain both the user and group owners. The method you use to obtain file permissions should also be able to report ownership. Never assume that just because you own a directory, then you also own all the files in that directory. Extracting an archive with preserved permissions and owners might surprise you.

  • What are the file permissions? You seem to already know how to obtain this. But you seem to focus solely on this piece of information, and omit or ignore the above two items.

Perhaps usernames and file ownership concepts are the holes in your understanding.
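As an added example (not code from either answer), the following Python implements the owner/group/other selection and the rwx bit test laid out in Solution 2, applied to `ls -l` mode strings like those in Solution 1's listing, and also converts such a mode string to the chmod number asked about in the question. The web-server account 'www-data' and the sample files are constructed for illustration.

```python
# Constructed example: the owner/group/other selection and rwx bit test
# described in Solution 2, applied to `ls -l` mode strings like those in
# Solution 1's listing. Special bits (setuid/setgid/sticky) and the
# superuser's override are deliberately not modelled.
from dataclasses import dataclass

@dataclass(frozen=True)
class FileInfo:
    mode: str    # 10-character mode column from `ls -l`, e.g. "-rw-r--r--"
    owner: str   # user-owner (third column of `ls -l`)
    group: str   # group-owner (fourth column of `ls -l`)

def mode_to_octal(mode: str) -> str:
    """Nine permission characters -> chmod number, e.g. '-rw-r--r--' -> '644'."""
    bits = mode[1:10]
    digits = []
    for triplet in (bits[0:3], bits[3:6], bits[6:9]):
        # r=4, w=2, x=1; a '-' contributes nothing
        value = sum(w for ch, w in zip(triplet, (4, 2, 1)) if ch != "-")
        digits.append(str(value))
    return "".join(digits)

def select_triplet(info: FileInfo, user: str, groups: set) -> str:
    """Exactly one triplet applies: owner first, then group, then other.
    The owner test wins even when the group triplet would grant more."""
    if user == info.owner:
        return info.mode[1:4]
    if info.group in groups:
        return info.mode[4:7]
    return info.mode[7:10]

def may_access(info: FileInfo, user: str, groups: set, op: str) -> bool:
    """op is 'r', 'w' or 'x'; only the selected triplet's bit is consulted."""
    return op in select_triplet(info, user, groups)

# Constructed sample files, modelled on lines from the answers above.
INDEX_HTML = FileInfo("-rw-rw----", "joe", "SalesWeb")   # Solution 1's example
BUG_TXT = FileInfo("-rw-------", "hennes", "users")      # from the ls listing
WEB_USER, WEB_GROUPS = "www-data", {"www-data"}          # hypothetical daemon account

if __name__ == "__main__":
    for f in (INDEX_HTML, BUG_TXT):
        readable = may_access(f, WEB_USER, WEB_GROUPS, "r")
        # A False here is the situation that produces the "Error 403" mentioned above.
        print(f"{f.mode} ({mode_to_octal(f.mode)}) readable by web server: {readable}")
```

Note that a mode such as `----rw----` denies the owner even when the owner is also in the file's group, because the owner triplet is selected first and the test stops there.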