UNIX System Administration Handbook - Evi Nemeth [53]
chown and chgrp: change ownerships
The chown command changes a file’s ownership, and the chgrp command changes its group ownership. The syntax of chown and chgrp mirrors that of chmod, except that the first argument is the new owner or group, respectively. To use chgrp, you must either be the owner of the file and belong to the group you’re changing to or be the superuser.
Most versions of chown and chgrp offer the recursive -R flag, which changes the settings of a directory and all the files underneath it. For example, the sequence
# chmod 755 ~matt
# chown -R matt ~matt
# chgrp -R staff ~matt
might be used to set up the home directory of a new user after you had copied in the default startup files. Make sure that you don’t try to chown the new user’s dot files with a command such as
# chown -R matt ~matt/.*
The pattern will match ~matt/.. and will therefore end up changing the ownership of the parent directory and probably the home directories of other users. The plain chown -R matt ~matt already covers the dot files, because the recursion descends into ~matt itself and visits everything inside it without ever touching the parent. Before running a recursive chown or chgrp as root on a directory that a user can write to, check how your version treats symbolic links: a chown -R that follows links will change the owner of whatever a planted link points at, which may be a system file outside the tree you intended to touch.
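The following script is an added example, not code from the book: it builds a throw-away directory tree (the fake /home with a user named matt and a neighbouring user alice are constructed here) and lists what a recursive chown would visit in each form. The function names make_fixture, safe_targets, glob_targets and glob_reaches_parent are this example's own. Nothing is actually chowned, so it runs without privilege; find(1) stands in for the recursion that chown -R performs.

```shell
#!/bin/sh
# Added example, not from the book: enumerate what a recursive chown would
# touch, using a throw-away directory tree constructed here. Nothing is
# actually chowned, so it runs without privilege.
set -eu

# Build a fake /home with matt's dot files and a sibling user's home.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/home/matt/.ssh" "$root/home/alice"
    : > "$root/home/matt/.profile"
    : > "$root/home/matt/.ssh/authorized_keys"
    : > "$root/home/matt/notes.txt"
    : > "$root/home/alice/secret"
    printf '%s\n' "$root"
}

# Correct form: "chown -R matt DIR" descends into DIR, so dot files are
# covered and the parent is never visited. find(1) prints exactly the
# set of paths that the recursion walks.
safe_targets() {
    find "$1" -print | sort
}

# Dangerous form: expand DIR/.* the way the shell would before handing
# the list to chown -R. Traditional shells include DIR/. and DIR/.. here;
# the second entry is the parent directory, so -R would climb into it and
# take the neighbouring homes with it. (Newer bash versions may skip
# "." and ".." by default; do not rely on that.)
glob_targets() {
    for p in "$1"/.*; do printf '%s\n' "$p"; done | sort
}

# Does the glob reach the parent directory? Prints yes or no.
glob_reaches_parent() {
    for p in "$1"/.*; do
        case "$p" in */..) echo yes; return 0 ;; esac
    done
    echo no
}

root=$(make_fixture)
echo "chown -R matt ~matt would visit:"; safe_targets "$root/home/matt"
echo "~matt/.* expands to:"; glob_targets "$root/home/matt"
echo "glob reaches parent: $(glob_reaches_parent "$root/home/matt")"
rm -rf "$root"
```

Run it once with sh and once with your interactive shell: the safe list is the same everywhere, while the glob expansion (and therefore whether the parent directory is reached) depends on the shell that expanded it, which is exactly why the plain recursive form is the one to use.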
On some systems, chown can change both the owner and group of a file at once, usually with the syntax
chown user:group file ...
For example,
# chown -R matt:staff ~matt
Older systems use a dot to separate the user and group instead of a colon.
Versions of UNIX that derive from System V often allow users to give away their files with chown, whereas BSD-based systems normally restrict the use of chown to the superuser. Real-world experience has shown that the System V convention leads to a variety of unintended and unwanted consequences, ranging from users being able to evade disk quotas to significant lapses in system security. If your system allows the promiscuous behavior to be turned off, we suggest you do that. You can check which convention a filesystem follows with getconf _POSIX_CHOWN_RESTRICTED /, which reports a value (normally 1) when only the superuser may change a file's owner and reports undefined when ordinary users may give files away.
umask: assign default permissions
You can use the built-in shell command umask to influence the default permissions given to the files you create. The umask is specified as a three-digit octal value that represents the permissions to take away. When a file is created, its permissions are set to whatever the creating program asks for minus whatever the umask forbids. The umask can only remove permission bits that the creating program asked for; it never adds any, so a umask of 000 does not make a new file executable, and a program that explicitly requests a restrictive mode (0600, say) is unaffected by a permissive umask. Thus, the digits allow the permissions shown in Table 5.5.
Table 5.5 Permission encoding for umask
For example, umask 027 allows all permissions for the owner but forbids write permission to the group and allows no permissions for anyone else. The default umask value is often 022, which denies write permission to the group and world.
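The following script is an added example, not code from the book: it creates an empty file and a directory under several umask values in a scratch directory and reports the resulting modes, and it computes the result the way the kernel does (requested mode with every umask bit cleared). The function names mode_of, file_mode_under_umask, dir_mode_under_umask and effective_mode are this example's own.

```shell
#!/bin/sh
# Added example, not from the book: show what a given umask does to files
# and directories created in a scratch directory, and compute the result
# the way the kernel does (requested mode AND NOT umask).
set -eu

# Symbolic mode of a path, e.g. -rw-r-----. The first ten columns of
# "ls -ld" are the same everywhere; stat(1) flags differ between GNU and BSD.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Create an empty file under umask $1 and report its mode. The shell opens
# the file with mode 0666, so only the umask decides what is cleared.
# The body runs in a subshell so the umask change does not leak out.
file_mode_under_umask() (
    umask "$1"
    scratch=$(mktemp -d)
    : > "$scratch/f"
    mode_of "$scratch/f"
    rm -rf "$scratch"
)

# Same for a directory. mkdir asks for 0777, which is why a directory keeps
# the search (x) bits that a plain file never gets.
dir_mode_under_umask() (
    umask "$1"
    scratch=$(mktemp -d)
    mkdir "$scratch/sub"
    mode_of "$scratch/sub"
    rm -rf "$scratch"
)

# Mode the kernel assigns: requested mode with every umask bit cleared.
# $1 = mode the program asked for (octal), $2 = umask (octal).
# umask can only clear bits; it never sets one the program did not ask for.
effective_mode() {
    printf '%04o\n' $(( 0$1 & ~0$2 ))
}

for u in 022 027 077; do
    echo "umask $u: file $(file_mode_under_umask $u), directory $(dir_mode_under_umask $u)"
done
echo "0666 & ~027 = $(effective_mode 666 027)"
echo "0600 & ~000 = $(effective_mode 600 000)   # permissive umask adds nothing"
```

With umask 027 the file comes out -rw-r----- and the directory drwxr-x---, matching the text above; the last line shows that a program requesting 0600 keeps 0600 no matter how permissive the umask is.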
There is no way you can force users to have a particular umask value, since they can always reset it to whatever they want. However, you can provide a suitable default in the sample .cshrc and .profile files that you give to new users.
See Chapter 6 for more information about startup files.
2. In case this isn’t clear: most filesystem disk formats do not themselves impose a limit on the total length of pathnames. However, the system calls that access the filesystem do not allow their string arguments to be longer than 1,023 characters.
3. On many systems, these modules can also be loaded dynamically by the kernel.
4. More accurately, the traditional UNIX security model does not allow this. Solaris and HP-UX can be configured with enhancements that alter many aspects of the traditional UNIX security model. Among other things, they support access control lists. However, those extensions are not described here.
5. The kernel understands the #! (“shebang”) syntax and acts on it directly. However, if the interpreter is not specified completely and correctly, the kernel will refuse to execute the file. The shell then makes a second attempt to execute the script by calling sh.
6. K stands for kilo, a metric prefix meaning 1,000; however, computer types have bastardized it into meaning 2^10 or 1,024. Similarly, a computer megabyte is not really a million bytes but rather 2^20 or 1,048,576 bytes. The International Electrotechnical Commission