Yale University Library

Workstation and Technology Services

Understanding Unix Permissions

What Do Permissions Do?

Permissions determine which users can read, write or execute the files that you own. In the case of directories, they determine which users can access, delete or list the contents of  directories that you own.

Commercial Unix systems (including ours) allow you to specify permissions down to the individual user (in order to meet US government C2 security), but we don't use that here. If you think chmod 644 is complex... :)

I'm assuming that Unix knowledge is limited, so there'll be some simple introductions to commands, parameters and pipes along the way... I'm also going to leave some things out...

Viewing Permissions

ls -l filename    or    ls -l directoryname

$ls -l test.out
-rw-r--r-- 1 spaniel dogs 1435 Nov 24 10:17 test.out

If you type ls -l with no filename, it lists the files and directories in your current directory.

$ls -l
total 4085
-rw----r-- 1 spaniel dogs 2360 Aug 26 1997 assign.htm
-rw-rw-r-- 1 terrier dogs 97230 Feb 13 1996 backup.pdf
-rw-r--r-- 1 spaniel dogs 6703 Feb 20 13:10 backup_contrib_users.htm
-rw-r--r-- 1 spaniel dogs 6185 Sep 23 1997 backup_tips.htm
-rw----r-- 1 spaniel dogs 2110 May 30 1997 banshee.htm
-rw----r-- 1 spaniel dogs 1882 Oct 25 1996 bansheemac.htm
-rw-rw-r-- 1 spaniel dogs 56109 Feb 08 1996 care.pdf
drwxr-xr-x 2 spaniel dogs 1024 Nov 03 16:21 efficientlynt
drwxr-xr-x 2 spaniel dogs 1024 Mar 19 1997 email_class

If you type ls -l directoryname, it lists the files inside the directory.

$ls -l docs
total 4096
-rw----r-- 1 spaniel dogs 2360 Aug 26 1997 assign.htm
-rw-rw-r-- 1 spaniel dogs 97230 Feb 13 1996 backup.pdf

To display the permissions on the directory itself rather than its contents, use ls -ld.

$ls -ld docs
drwxrwxr-x 29 spaniel dogs 2048 Jun 11 11:02 docs

I like ls -lF because F shows directories with a / at the end (it also shows symbolic links with @ and executables with *).

$ls -lF
total 2
-rw-r--r-- 2 spaniel dogs 0 Apr 23 14:54 1.hard_link
lrwxrwxrwx 1 spaniel dogs 1 Apr 23 15:04 1.symbolic_link@ -> 1
-rw-r--r-- 2 spaniel dogs 0 Apr 23 14:54 1.txt
-rw-r--r-- 1 spaniel dogs 0 Apr 23 14:55 2.txt
-rw-r--r-- 1 spaniel dogs 0 Apr 23 14:55 3.txt
-rw-r--r-- 1 spaniel dogs 0 Apr 23 14:55 4.txt
-rw-r--r-- 1 spaniel dogs 0 Apr 23 14:55 5.txt
drwxr-xr-x 2 spaniel dogs 512 Apr 23 14:55 dir1/
drwxr-xr-x 2 spaniel dogs 512 Apr 23 14:55 dir2/
-rwxr-xr-x 1 spaniel dogs 0 Apr 23 15:10 executable_script*

If you have more than one screen of files, you can use a pipe to send the output of ls to more, which is a pager. Hit the space bar to advance one screen or the enter key to advance one line in more.

Sidebar: What's a pipe? It's a way for 2 processes (ls and more) to communicate. In the Unix shell, a pipe is symbolized with the | symbol. It says: take the standard output of ls, which usually goes to your screen, and, instead of sending it to the screen, send it to the standard input of another command, more.

$ls -l | more

total 4086
-rw----r-- 1 spaniel dogs 2360 Aug 26 1997 assign.htm
-rw-rw-r-- 1 terrier dogs 97230 Feb 13 1996 backup.pdf
-rw-r--r-- 1 spaniel dogs 6703 Feb 20 13:10 backup_contrib_users.htm
-rw-r--r-- 1 spaniel dogs 6185 Sep 23 1997 backup_tips.htm
-rw----r-- 1 spaniel dogs 2110 May 30 1997 banshee.htm
-rw----r-- 1 spaniel dogs 1882 Oct 25 1996 bansheemac.htm
-rw-rw-r-- 1 spaniel dogs 56109 Feb 08 1996 care.pdf
drwxr-xr-x 2 spaniel dogs 1024 Nov 03 16:21 efficientlynt
drwxr-xr-x 2 spaniel dogs 1024 Mar 19 1997 email_class
drwxrwxr-x 2 spaniel dogs 512 Nov 03 16:32 emergency_repair
-rw-r--r-- 1 terrier dogs 485763 Apr 17 1996 eudora.pdf
-rw-r--r-- 1 spaniel dogs 10066 May 16 1996 eudora3.pdf
drwxr-xr-x 2 spaniel dogs 512 Jul 02 1997 eudora_configuration_change
-rw----r-- 1 spaniel dogs 3086 Feb 23 13:44 eudora_transfer.htm
-rw----r-- 1 spaniel dogs 1508 Jun 09 1997 eudoramac.htm
drwxrwxr-x 2 spaniel dogs 512 Apr 03 09:16 expert_user_handbook
drwxrwx--- 2 shepard dogs 512 Apr 03 09:16 expert_user_only
-rw-rw-r-- 1 terrier dogs 224686 Feb 09 1996 filemgr.pdf
-rw-rw-r-- 1 spaniel dogs 130095 Feb 08 1996 fileshar.pdf
drwxr-xr-x 2 spaniel dogs 512 Jun 05 1997 formmanual
-rw-r--r-- 1 spaniel dogs 888 Aug 26 1997 forms.htm
lrwxrwxrwx 1 spaniel dogs 25 Sep 28 1997 graphictiny.gif -> /graphic

Reading the output of ls -l to determine the permissions of a file:

-rw-rw-r-- 1 spaniel dogs 56109 Feb 08 1996 care.txt
drwxr-xr-x 2 spaniel dogs 1024 Nov 03 16:21 efficientlynt

Field by field, left to right:

  File type       -                 d
  Permissions     rw-rw-r--         rwxr-xr-x
  # of links      1                 2
  Owner           spaniel           spaniel
  Group owner     dogs              dogs
  Size in bytes   56109             1024
  Date            Feb 08 1996       Nov 03 16:21
  Name            care.txt          efficientlynt

File type characters:
  • - regular file
  • d directory
  • l symbolic link
  • other characters are usually I/O devices

Every file and directory has nine permissions associated with it.
Files and directories have three types of permissions:

  • r (read)
  • w (write)
  • x (execute)

These three permissions occur for each of the following classes of users:

  • u (user/owner)
  • g (group)
  • o (other or world)

What this means:

  • r allows you to view or print a file
  • w allows you to write (modify) a file
  • x allows you to execute a file or search a directory

Permission    As applied to FILES                    As applied to DIRECTORIES
r (read)      Can be viewed or printed               Contents can be read, but not searched.
                                                     Normally r and x are used together
w (write)     Contents can be changed or deleted     Entries can be added or removed
x (execute)   File can be used as a program          Directory can be searched

If you own a file, you can change permissions with the chmod command.

If you own a file, you can change the group with the chgrp command.

Default Permissions

  • When you ftp a file the following permissions are set automatically:
    -rw-r----- 1 spaniel dogs 1508 May 27 10:10 yyy
  • If you create a file directly on the server, the default permissions are different:
    -rw-r--r-- 1 spaniel dogs 0 May 27 10:14 zzz
  • If you create a directory with ftp:
    drwxr-x--- 2 spaniel dogs 512 May 27 10:16 dir1
  • If you create a directory directly on the server with mkdir:
    drwxr-xr-x 2 spaniel dogs 512 May 27 10:17 dir2
Default permissions are controlled by your umask and site umask (for ftp). You can change them, but that's beyond the scope of this class. You can also ignore the whole issue, since you probably will set the permissions manually anyway.

Changing permissions

You can change permissions with the chmod command using letters and symbols (symbolic method) or using numbers 0-7 (octal method). Changing permissions can be very confusing, and there are multiple ways to accomplish what you want, so I'm not going to cover everything.

Octal Method: Most people here use the "octal" method of setting permissions:

$chmod 644 file4

$ls -l file4
-rw-r--r-- 1 spaniel dogs 0 May 26 12:01 file4

0 No permissions
1 Execute
2 Write
4 Read

The three digits apply to user, group and other, in that order, and within each digit the permissions are cumulative: I add 4+2 (read + write) and get 6. Any combination is legal, but not necessarily meaningful :)

If I want members of the group dogs to write to this file, I would set it to 664:

-rw-rw-r-- 1 spaniel dogs 0 May 26 12:01 file4
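As an added example (not from the original page), a small POSIX sh function that turns the mode string ls -l prints into the octal number chmod takes. It goes slightly beyond the text by also handling the s and t characters (setuid, setgid and sticky), which show up as a leading fourth digit:

```shell
#!/bin/sh
# Added example: convert an ls -l mode string such as "-rw-r--r--" into the
# octal number you would pass to chmod (644). Not code from the original page.

# Value of one rwx triad (user, group or other) as a digit 0-7.
# s and t in the third position still mean "execute is set"; S and T do not.
triad_value() {
    v=0
    case $1 in r??)     v=$((v+4)) ;; esac
    case $1 in ?w?)     v=$((v+2)) ;; esac
    case $1 in ??[xst]) v=$((v+1)) ;; esac
    echo "$v"
}

# Whole 10-character mode string (type + 9 permission chars) -> octal digits.
mode_to_octal() {
    m=$1
    if [ "${#m}" -ne 10 ]; then
        echo "expected a 10-character mode string, got '$m'" >&2
        return 1
    fi
    u=$(printf '%s' "$m" | cut -c2-4)    # user/owner triad
    g=$(printf '%s' "$m" | cut -c5-7)    # group triad
    o=$(printf '%s' "$m" | cut -c8-10)   # other/world triad
    special=0                            # setuid=4, setgid=2, sticky=1
    case $u in ??[sS]) special=$((special+4)) ;; esac
    case $g in ??[sS]) special=$((special+2)) ;; esac
    case $o in ??[tT]) special=$((special+1)) ;; esac
    digits="$(triad_value "$u")$(triad_value "$g")$(triad_value "$o")"
    if [ "$special" -ne 0 ]; then
        digits="$special$digits"
    fi
    echo "$digits"
}

mode_to_octal '-rw-rw-r--'   # prints 664, the file4 example above
```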

Remember that a user coming in with a web browser is subject to the permissions set for other.

Directories are a little different:

755 is a common directory setting:

drwxr-xr-x 2 spaniel dogs 512 May 26 13:46 dir1

The owner has read, write and execute; group and other have read and execute. Remember, other needs read and execute on a directory in order for a web browser to view files in that directory. Although you can give read but not execute (or vice versa) on a directory, there's almost no reason for it.

You'd have to set it 775 if you wanted members of the group to be able to write to it:

drwxrwxr-x 2 spaniel dogs 512 May 26 13:46 dir1

Keep in mind that if you give someone write permission to a directory, they can delete any file in the directory, even if they don't have permission to write or read that specific file.
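To see this in action, an added example (not part of the original page) that builds a scratch directory under /tmp and shows that write permission on the directory, not the file's own mode, decides whether a file can be removed:

```shell
#!/bin/sh
# Added example, not from the original page. Deleting a file changes the
# directory entry, so the directory's write (and execute) bits are what count;
# the file's own permissions are never consulted. Run as an ordinary user:
# root bypasses these checks entirely.

# A file with no permissions at all, inside a directory the user may write to.
delete_unreadable_file() {
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/permdemo.XXXXXX") || return 1
    mkdir "$scratch/dir1" && chmod 775 "$scratch/dir1"   # drwxrwxr-x
    : > "$scratch/dir1/secret"
    chmod 000 "$scratch/dir1/secret"                     # ----------
    if rm -f "$scratch/dir1/secret" 2>/dev/null && [ ! -e "$scratch/dir1/secret" ]; then
        result=deleted
    else
        result=kept
    fi
    rm -rf "$scratch"
    echo "$result"
}

# The converse: a world-writable file inside a directory without write
# permission cannot be removed by a non-root user.
delete_in_readonly_dir() {
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/permdemo.XXXXXX") || return 1
    mkdir "$scratch/dir2"
    : > "$scratch/dir2/open"
    chmod 666 "$scratch/dir2/open"                       # -rw-rw-rw-
    chmod 555 "$scratch/dir2"                            # dr-xr-xr-x
    if rm -f "$scratch/dir2/open" 2>/dev/null && [ ! -e "$scratch/dir2/open" ]; then
        result=deleted
    else
        result=kept
    fi
    chmod 755 "$scratch/dir2"                            # restore so cleanup works
    rm -rf "$scratch"
    echo "$result"
}

echo "unreadable file in writable dir: $(delete_unreadable_file)"
echo "writable file in read-only dir:  $(delete_in_readonly_dir)"
```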

Letters and Symbols: You can also change permissions using a combination of letters and symbols. Some people think this is easier. Use whichever you prefer. I tend to use both, depending on the situation.

The general format of the command is chmod userclass operation permission

Userclass
  u  User (owner)
  g  Group
  o  Other
  a  All (user, group, other)
Operation
  +  Add permission
  -  Remove permission
  =  Assign permission regardless of previous setting
Permission
  r  Read
  s  Set user or group ID (Don't worry about this for now)
  w  Write
  x  Execute

$ls -l trak
-r--r--r-- 1 spaniel dogs 1207 Apr 01 10:10 trak

User, group and other are all set for read only. If I want to give user and group write access, I would type:

$chmod ug+w trak

$ls -l trak
-rw-rw-r-- 1 spaniel dogs 1207 Apr 01 10:10 trak

Userclass is user and group, operation is add, and permission is write.

Notice that when you use add or remove, it only affects permissions directly addressed by the command. The file already had read access for everyone and my command didn't touch that, since it was addressing write access only. This can be a helpful feature of this method of setting permissions.

If you want to make multiple changes, separate them with commas:

$chmod ug+w,o+r trak

Using the = operator resets ALL permissions on the file, regardless of how they were set previously.

$ls -l trak
-rw-rw-r-- 1 spaniel dogs 1207 Apr 01 10:10 trak

$chmod a=r trak

$ls -l trak
-r--r--r-- 1 spaniel dogs 1207 Apr 01 10:10 trak

Notice that even though the command only addressed read permissions, it also cleared the write permissions.
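As an added example (not from the original page), the chmod commands from this section run on a scratch file, with the mode read back from ls -l after each step so the difference between + / - (touch only what is named) and = (reset everything) is visible:

```shell
#!/bin/sh
# Added example, not code from the original page: replay the trak example on a
# scratch file and capture the mode string after each chmod.

# First field of ls -ld output is the 10-character mode string.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

chmod_demo() {
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/chmoddemo.XXXXXX") || return 1
    f="$scratch/trak"
    : > "$f"
    chmod 444 "$f"               # start as in the text: -r--r--r--
    start=$(mode_of "$f")
    chmod ug+w "$f"              # add write for user and group; read untouched
    after_add=$(mode_of "$f")
    chmod o-r "$f"               # remove only other's read
    after_remove=$(mode_of "$f")
    chmod ug+w,o+r "$f"          # several changes separated by commas
    after_multi=$(mode_of "$f")
    chmod a=r "$f"               # = resets everything, clearing the write bits
    after_assign=$(mode_of "$f")
    rm -rf "$scratch"
    echo "$start $after_add $after_remove $after_multi $after_assign"
}

chmod_demo   # prints: -r--r--r-- -rw-rw-r-- -rw-rw---- -rw-rw-r-- -r--r--r--
```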

Groups

Every user on a Unix system is a member of at least one group. Most are probably members of several groups. Groups are a convenient way to let multiple users access files based on shared needs, without letting everyone access them. Everyone has a "primary group." If you are only in one group, that's your primary group. To find out what groups you or someone else are in, type id username at the shell prompt.

$id mmouse
uid=220(mmouse) gid=208(rodents) groups=1(staff),216(cats)

Your primary group is listed first (rodents) and all other groups are listed after.

When you create a file on the server, or ftp one there, you are the owner of the file, and the group is your primary group. This may cause a complication for mmouse if mmouse is working with members of the group cats when her primary (default) group is rodents:

-rw-rw-r-- 1 mmouse rodents 1207 Apr 01 10:10 trak

The permissions are set to allow the group to write, but it's the wrong group!

You can change the group with the chgrp command. You must own the file and be a member of the group to which you are changing.

$chgrp cats trak

$ls -l trak
-rw-rw-r-- 1 mmouse cats 1207 Apr 01 10:10 trak

There's another way around this--the sgid (set group id) flag. I posted instructions on using this to yulwww-l already, but I'll go over it here too.