$24
We have three goals in this assignment: to learn about file permissions in Unix, to get a basic introduction to the Andrew File System and it’s directory access control commands, and to learn how to redirect program input and output to a file.
Unix File Permissions
Every file in a Unix system has a unique owner, and an associated group. The owner of a file is the user who created it, and the group is a collection of other users who may have access to the file. Each file also has a set of permission flags which specify separate read, write, and execute permissions for User (i.e. the owner), Group, and Other (everyone else with an account on the system.) All of this information is displayed by the ls command with the –l option. To run some examples, log on to your UCSC IC Unix account, and use your favorite editor to create a couple of text files in your cs12a directory, which you created in lab1. The contents of each file is unimportant. We will refer to them here as junk1 and junk2. Do ls –l (that's the letter "l" not the number "1") at the command prompt, and you will see something like the following.
total 2
-rw-r--r--. 1 ptantalo users 126 Jan 11 18:23 junk1 -rw-r--r--. 1 ptantalo users 61 Jan 11 18:24 junk2
The first line total 2 gives the number of files. Since you probably have other files in your cs12a directory, you will likely see a longer listing. Reading from left to right along the second line above we have:
-rw-r--r--. : permission flags for this file (explained below)
1 : the number of links (I won’t explain this, so don’t worry about it)
ptantalo : the User (owner) for this file (your cruzid, when you do it)
users : the Group for this file
126 : the size of the file in bytes
Jan 11 18:23 : the date and time (military) of the most recent modification
junk1 : the name of the file
The permission flags are read from left to right as follows:
position 1: the directory flag: d for a directory, and - for a file
positions 2-4: read, write, execute permissions for User (owner)
positions 5-7: read, write, execute permissions for Group
positions 8-10: read, write, execute permissions for Other
position 11: should always be . indicating selinux context (not covered here, so ignore it)
The meanings of the values appearing in positions 2-10 are:
in any column means that the flag is turned off
in positions 2, 5, or 8 means the file is readable by User, Group, or Other (respectively) w in positions 3, 6, or 9 means the file is writeable by User, Group, or Other (respectively) x in positions 4, 7, or 10 means the file is executable by User, Group, or Other (respectively)
Position:
1
2
3
4
5
6
7
8
9
10
11
directory
read
write
execute
read
write
execute
read
write
execute
SELinux
flag
User
User
User
Group
Group
Group
Other
Other
Other
.
1
Thus -rw-r--r--. indicates a file that is readable, writeable, and not executable by its User; readable, not writeable and not executable by its Group; readable, not writable and not executable by Others on the system. The owner of a file can change its permissions by use of the chmod command. For instance
% chmod go+w junk1
has the effect of adding write permission to Group and Other for the file junk1. (As always, % represents the Unix command prompt.) Doing ls –l now gives
-rw-rw-rw-. 1 ptantalo users 126 Jan 13 18:23 junk1 -rw-r--r--. 1 ptantalo users 61 Jan 13 18:24 junk2
As you can see, the usage of chmod is chmod mode filename. In the above example, the permissions mode go+w is of the form (who)(operator)(permission), where
who is some combination of:
: User g : Group o : Other
a : All (User, Group, and Other)
operator is one of:
: add specified permission - : delete specified permission
permission is some combination of:
: read permission w : write permission x : execute permission
Do the commands chmod go-w junk1 and chmod a+rx junk2, then try to predict what permission changes will take effect. Check your answer by doing ls –l.
Another convenient way to specify the permissions mode for a file is by giving chmod a sequence of 3 octal digits (0-7). Each octal digit is equivalent to 3 binary digits, and thus we are giving chmod a sequence of 9 binary digits, each bit corresponding to one of positions 2-10 in the string of file permission flags. For instance, the octal sequence 645 is equivalent to the binary sequence 110 100 101, which is in turn equivalent to the permission flags rw-r--r-x (including only positions 2-10). Do chmod 467 junk1 and chmod 721 junk2, and try to predict the permission changes which result. Check your answer by doing ls -l. See http://www.robotroom.com/NumberSystems4.html for a description of octal to binary (and other) conversions.
Read permission on a file simply means that the specified user can view it’s contents (using more, less or cat for instance). Write permission means that the specified user can modify the contents of the file (using editing commands like ed, vi, emacs, pico, or other file manipulation operations.) If you have followed the above instructions, then files junk1 and junk2 will have permissions r--rw-rwx and rwx-w---x respectively (again including only positions 2-10). Thus if you (the file’s owner) try to modify junk1 (using an editor like vi for instance) you will get the error message: Permission denied.
2
Execute permission means that the file is a program that can be run by the specified user. To run an executable file in Unix, one simply types its name at the command prompt. Type junk1 then junk2. You’ll see that junk1 gives the Permission denied error, while junk2 does not. Instead, you will most likely see each line of junk2 printed out with the error message command not found next to it. Here is my output.
junk2: line 1: lskdjflsks: command not found
junk2: line 2: jdsflfksdksdf: command not found
junk2: line 3: iouwriuoerw: command not found
When you attempt to execute junk2 the command interpreter reads each line of the file, then tries to parse it as a Unix command, which may or may not succeed. Thus when a file has ‘executable’ permission, it does not mean that the file is able to be executed successfully, but rather that the command interpreter will try to execute it for the specified users. In fact, all Unix commands are nothing more than the names of executable files, although most such files contain binary machine language instructions instead of text.
An executable text file that contains Unix commands is often called a Shell Script. (‘Shell’ because that’s another name for a Unix command interpreter, and ‘Script’ since it is a text file and not binary.) Create a new file with your favorite text editor called prog1 containing the following lines.
prog1
this is a shell script pwd
cp prog1 prog2 ls -l
more prog1
After you exit your editor do chmod 700 prog1 to make it executable. Obviously the next thing to do is just type prog1 to run the script, but before you do, take a moment to study the commands in the file and predict exactly what it will do. Note that anything on a line after the # symbol is a comment and is ignored by the shell.
The Andrew File System
The Andrew File System (AFS) is a distributed networked file system developed by Carnegie Mellon University in the 1980s. The UCSC Instructional Computing (IC) Unix Timeshare servers (unix.ic.ucsc.edu) use AFS to manage all directories and files associated with the Linux computing environment, which includes your UCSC computer account. AFS commands are not standard Unix however, so the material in this section will not necessarily pertain to other Unix systems on which you may have an account, such as the Baskin SOE servers, or your personal Linux or Mac OS X machines.
AFS provides access control levels that are finer and more flexible than the user/group/other permissions described in the previous section, but they work at the level of directories, not files. In a standard Unix system, the file permissions described above would operate on directories in the very same way that they do on files. This is not the case under AFS, where directory permissions are controlled by an Access Control List (ACL). These ACLs take precedence over the Unix permissions assigned to directories via chmod. In fact, under AFS, chmod any_mode any_directory has no effect on the actual access rights for that directory (although it would appear to do so, if you look at the output of ls –l.) In AFS, each directory has seven distinct access rights, each of which may be either on or off.
Name
Code
Permission to
read
r
View the contents of the files in a directory
lookup
l
Lookup filenames and examine the ACL of a directory
3
insert
i
Add new files and subdirectories to a directory
delete
d
Remove files from a directory
write
w
Modify file contents and change file attributes via chmod
lock
k
Lock files (not explained here, so don’t worry about it)
administer
a
Change the ACL of a directory
The main AFS command is fs, which has a number of subcommands. (Type fs help to see a complete listing of all the subcommands to fs.) Of these, we are primarily interested in two: listacl which prints out an ACL, and setacl which modifies an ACL. Their usage is:
% fs listacl directory_name
% fs setacl directory_name user_or_group_name rights
Commands listacl and setacl can be abbreviated as la and sa respectively. For example, create a new subdirectory in cs12a called junk3 (using mkdir), then examine it’s ACL by doing fs la junk3. You will see something like
Access list for junk3 is
Normal rights:
system:anyuser rl
ptantalo rlidwka
This indicates that the group system:anyuser, consisting of all users of AFS worldwide, has read and lookup rights. The individual user ptantalo, which will be your cruzid when you do this, has all rights. The ACL you get for junk3 may be slightly different, depending on the ACL of its parent cs12a. Generally a newly created directory will inherit the ACL of it’s parent. Now modify the ACL for junk3 by doing fs sa junk3 system:anyuser none, then list it again using fs la junk3. You will see something like
Access list for junk3 is
Normal rights:
ptantalo rlidwka
As you can see, none means to remove all rights. Similarly, all means to add all rights. For instance, if you type fs sa junk3 system:authuser all, then view the ACL. You should have
Access list for junk3 is
Normal rights:
system:authuser rlidwka
ptantalo rlidwka
The group system:authuser consisting of local users (at UCSC) now has all rights. For more on the Andrew File System go to http://claymore.rfmh.org/public/computer_resources/AFSinfo.html.
Redirection of Program Input/Output
As mentioned in class, all running Java programs are equipped with the three data streams: stdin, stdout, and stderr. In fact the same is true of all Unix processes. By default, stdin represents the sequence of characters typed at the keyboard as program input. Likewise stdout and stderr represent program output, which is ordinarily sent to the terminal window. The Unix redirect operators <, , , &, and & can be used to redirect these streams to flow to/from files rather than to their defaults. Their general usage is as follows.
4
command < file1 Read standard input from file1. file1 should contain exactly those characters that would ordinarily be typed at the keyboard.
command file2 Write standard output to file2 instead of the terminal. file2 will be created if it does not already exist, and will be overwritten if it does exist.
command file3 Append standard output to file3. file3 will not be created if it does not already exist, and will be appended to if it does exist.
command & file4 Write standard error to file4.
command & file5 Append standard error to file5.
Try this out on some Unix commands, such as:
pwd junk4
ls -l junk5
ls -l junk5
Try to predict the contents of the new files junk4 and junk5 before viewing them. Compile the programs HelloWorld.java and HelloWorld2.java in your lab1 subdirectory, then move the executables HelloWorld.class and HelloWorld2.class into the directory cs12a. If you don't know how to do this study the Unix mv (move) command in one of the tutorials, or do man mv, or Google "unix mv". Run the
HelloWorld and HelloWorld2 programs as follows:
java HelloWorld junk6
java HelloWorld2 junk6
then predict the contents of the new file junk6. Recall that HelloWorld4.java from the class webpage was interactive, in that it read input from stdin. Save this file to cs12a and compile it. Prepare a file called junk7 containing an appropriate line of text. Do
java HelloWorld4 < junk7
java HelloWorld4 < junk7 junk8
Predict and then view the contents of junk8.
What to turn in
All the exercises you’ve done so far have been practice. Delete all the files and directories you’ve created up to now. Perform the following steps exactly as stated, and in the given order so that the file you end up with is correct.
Create a subdirectory called lab2 within your cs12a directory, and cd into it.
Create two subdirectories called public and private within lab2. Set their ACLs as indicated in the following table. Here foobar stands for your username.
public
private
foobar
all
all
system:anyuser
rl
none
system:authuser
rlid
none
system:operator
rlidwk
none
Copy the file HelloWorld.java from lab assignment 1 to your lab2 directory. Edit it so that it prints out the single line “Hello, lab2!”. Compile it, creating the file HelloWorld.class. Delete the file HelloWorld.java from your lab2 directory. Do not delete HelloWorld.class.
5
Create a text file in lab2 called prog containing the following shell script.
prog
shell script for lab2
pwd result
echo result
fs la public result
echo result
fs la private result
echo result
ls -l result
echo result
java HelloWorld result
Use chmod to give User (yourself) read, write, and execute permissions on the file prog. Group and Other should have no permissions.
Run the shell script prog. Notice that a new file called result is created.
If you followed instructions to the letter, the file result will contain exactly 21 lines. Submit result with no further changes to the assignment name lab2.
This is a considerably longer assignment that lab1 so please start early and get help in lab sessions.
6