Understanding Unix Permissions
- What do Permissions Do?
- Viewing Permissions
- Changing Permissions
- Groups
- Appendix A: Shell Metacharacters
- Appendix B: Command Parameters
- Appendix C: Using SGID to control directory permissions
What Do Permissions Do?
Permissions determine which users can read, write or execute the files that you own. In the case of directories, they determine which users can access, delete or list the contents of directories that you own.
Commercial Unix systems (including ours) allow you to specify permissions down to the individual user (in order to meet US government C2 security), but we don't use that here. If you think chmod 644 is complex.... :)
I'm assuming that Unix knowledge is limited, so there'll be some simple introductions to commands, parameters and pipes along the way... I'm also going to leave some things out...
Viewing Permissions
ls -l filename or directoryname
$ls -l test.out
-rw-r--r-- 1 spaniel dogs 1435 Nov 24 10:17 test.out
If you type ls -l with no filename, it lists the files and directories in your current directory.
$ls -l
total 4085
-rw----r-- 1 spaniel dogs 2360 Aug 26 1997 assign.htm
-rw-rw-r-- 1 terrier dogs 97230 Feb 13 1996 backup.pdf
-rw-r--r-- 1 spaniel dogs 6703 Feb 20 13:10 backup_contrib_users.htm
-rw-r--r-- 1 spaniel dogs 6185 Sep 23 1997 backup_tips.htm
-rw----r-- 1 spaniel dogs 2110 May 30 1997 banshee.htm
-rw----r-- 1 spaniel dogs 1882 Oct 25 1996 bansheemac.htm
-rw-rw-r-- 1 spaniel dogs 56109 Feb 08 1996 care.pdf
drwxr-xr-x 2 spaniel dogs 1024 Nov 03 16:21 efficientlynt
drwxr-xr-x 2 spaniel dogs 1024 Mar 19 1997 email_class
If you type ls -l directoryname, it lists the files inside the directory:
$ls -l docs
total 4096
-rw----r-- 1 spaniel dogs 2360 Aug 26 1997 assign.htm
-rw-rw-r-- 1 spaniel dogs 97230 Feb 13 1996 backup.pdf
To display the permissions on the directory itself, rather than on its contents, use ls -ld:
$ls -ld docs
drwxrwxr-x 29 spaniel dogs 2048 Jun 11 11:02 docs
I like ls -lF because F shows directories with a / at the end (it also shows symbolic links with @ and executables with *).
$ls -lF
total 2
-rw-r--r-- 2 spaniel dogs 0 Apr 23 14:54 1.hard_link
lrwxrwxrwx 1 spaniel dogs 1 Apr 23 15:04 1.symbolic_link@ -> 1
-rw-r--r-- 2 spaniel dogs 0 Apr 23 14:54 1.txt
-rw-r--r-- 1 spaniel dogs 0 Apr 23 14:55 2.txt
-rw-r--r-- 1 spaniel dogs 0 Apr 23 14:55 3.txt
-rw-r--r-- 1 spaniel dogs 0 Apr 23 14:55 4.txt
-rw-r--r-- 1 spaniel dogs 0 Apr 23 14:55 5.txt
drwxr-xr-x 2 spaniel dogs 512 Apr 23 14:55 dir1/
drwxr-xr-x 2 spaniel dogs 512 Apr 23 14:55 dir2/
-rwxr-xr-x 1 spaniel dogs 0 Apr 23 15:10 executable_script*
If you have more than one screen of files, you can use a pipe to send the output of ls to more, which is a pager. Hit the space bar to advance one screen or the enter key to advance one line in more.
Sidebar: What's a pipe? It's a way for 2 processes (ls and more) to communicate. In the unix shell, a pipe is symbolized with the | symbol. It says, take the standard output of ls, which usually goes to your screen, and, instead of sending it to the screen, send it to the standard input of another command, more.
$ls -l | more
total 4086
-rw----r-- 1 spaniel dogs 2360 Aug 26 1997 assign.htm
-rw-rw-r-- 1 terrier dogs 97230 Feb 13 1996 backup.pdf
-rw-r--r-- 1 spaniel dogs 6703 Feb 20 13:10 backup_contrib_users.htm
-rw-r--r-- 1 spaniel dogs 6185 Sep 23 1997 backup_tips.htm
-rw----r-- 1 spaniel dogs 2110 May 30 1997 banshee.htm
-rw----r-- 1 spaniel dogs 1882 Oct 25 1996 bansheemac.htm
-rw-rw-r-- 1 spaniel dogs 56109 Feb 08 1996 care.pdf
drwxr-xr-x 2 spaniel dogs 1024 Nov 03 16:21 efficientlynt
drwxr-xr-x 2 spaniel dogs 1024 Mar 19 1997 email_class
drwxrwxr-x 2 spaniel dogs 512 Nov 03 16:32 emergency_repair
-rw-r--r-- 1 terrier dogs 485763 Apr 17 1996 eudora.pdf
-rw-r--r-- 1 spaniel dogs 10066 May 16 1996 eudora3.pdf
drwxr-xr-x 2 spaniel dogs 512 Jul 02 1997 eudora_configuration_change
-rw----r-- 1 spaniel dogs 3086 Feb 23 13:44 eudora_transfer.htm
-rw----r-- 1 spaniel dogs 1508 Jun 09 1997 eudoramac.htm
drwxrwxr-x 2 spaniel dogs 512 Apr 03 09:16 expert_user_handbook
drwxrwx--- 2 shepard dogs 512 Apr 03 09:16 expert_user_only
-rw-rw-r-- 1 terrier dogs 224686 Feb 09 1996 filemgr.pdf
-rw-rw-r-- 1 spaniel dogs 130095 Feb 08 1996 fileshar.pdf
drwxr-xr-x 2 spaniel dogs 512 Jun 05 1997 formmanual
-rw-r--r-- 1 spaniel dogs 888 Aug 26 1997 forms.htm
lrwxrwxrwx 1 spaniel dogs 25 Sep 28 1997 graphictiny.gif -> /graphic
Reading the output of ls -l to determine the permissions of a file:
-rw-rw-r-- 1 spaniel dogs 56109 Feb 08 1996 care.txt
drwxr-xr-x 2 spaniel dogs 1024 Nov 03 16:21 efficientlynt
| File type | Permissions | # of links | Owner | Group owner | Size in bytes | Date | Name |
| - | rw-rw-r-- | 1 | spaniel | dogs | 56109 | Feb 08 1996 | care.txt |
| d | rwxr-xr-x | 2 | spaniel | dogs | 1024 | Nov 03 16:21 | efficientlynt |
File type:
- "-" regular file
- "d" directory
- "l" symbolic link
- other characters are usually I/O devices
Every file and directory has nine permissions associated with it: three types of permission, each set separately for three classes of user.
Files and directories have three types of permissions:
- r (read)
- w (write)
- x (execute)
Each type is set for three classes of user:
- u (user/owner)
- g (group)
- o (other or world)
What each permission allows:
- r allows you to view or print a file
- w allows you to write (modify) a file
- x allows you to execute a file or search a directory
| Permissions | As applied to FILES | As applied to DIRECTORIES |
| r (read) | Can be viewed or printed | Contents can be read, but not searched. Normally r and x are used together |
| w (write) | Contents can be changed or deleted | Entries can be added or removed |
| x (execute) | File can be used as a program | Directory can be searched |
If you own a file, you can change permissions with the chmod command.
If you own a file, you can change the group with the chgrp command.
Default Permissions
- When you ftp a file the following permissions are set automatically:
-rw-r----- 1 spaniel dogs 1508 May 27 10:10 yyy
- If you create a file directly on the server, the default permissions are different:
-rw-r--r-- 1 spaniel dogs 0 May 27 10:14 zzz
- If you create a directory with ftp:
drwxr-x--- 2 spaniel dogs 512 May 27 10:16 dir1
- If you create a directory directly on the server with mkdir:
drwxr-xr-x 2 spaniel dogs 512 May 27 10:17 dir2
Changing permissions
Octal Method: You can change permissions with the chmod command using letters and symbols (symbolic method) or using numbers 0-7 (octal method). Changing permissions can be very confusing, and there are multiple ways to accomplish what you want, so I'm not going to cover everything. Most people here use the "octal" method of setting permissions:
$chmod 644 file4
$ls -l file4
-rw-r--r-- 1 spaniel dogs 0 May 26 12:01 file4
| 0 | No permissions |
| 1 | Execute |
| 2 | Write |
| 4 | Read |
The permissions are cumulative: I add 4+2 (read +write) and get 6. Any combination is legal, but not necessarily meaningful :)
If I want members of the group dogs to write to this file, I would set it to 664:
-rw-rw-r-- 1 spaniel dogs 0 May 26 12:01 file4
Remember that a user coming in with a web browser is subject to the permissions set for other.
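To make the arithmetic concrete, here is an added shell example (not from the original page) that converts the permission column shown by ls -l into the octal number chmod takes, and back, for the modes used on this page; it also accepts the s/t letters and the trailing + or . some systems print, which the page does not cover.

```shell
# Added example, not from the original page: convert the permission column
# of ls -l (e.g. rw-r--r--) into the octal number chmod takes, and back,
# by adding 4 (read) + 2 (write) + 1 (execute) for user, group and other.

# One class, e.g. "rw-" -> 6.  A lowercase s or t in the x position
# (setuid, setgid, sticky) implies x is set too; the special bits
# themselves are not represented in the three digits produced here.
triplet_to_digit() {
    n=0
    case $1 in r??) n=$((n + 4)) ;; esac
    case $1 in ?w?) n=$((n + 2)) ;; esac
    case $1 in ??[xst]) n=$((n + 1)) ;; esac
    echo "$n"
}

# Accepts "rw-r--r--" or the full 10-character column "-rw-r--r--";
# a trailing + or . that some systems print for ACLs/SELinux is ignored.
perm_to_octal() {
    p=$1
    case $p in *[+.]) p=${p%?} ;; esac
    [ ${#p} -eq 10 ] && p=${p#?}          # drop the file-type character
    [ ${#p} -eq 9 ] || return 1
    rest=${p#???}
    u=$(triplet_to_digit "${p%??????}")
    g=$(triplet_to_digit "${rest%???}")
    o=$(triplet_to_digit "${rest#???}")
    echo "$u$g$o"
}

# 6 -> "rw-": the reverse of the sum above, one digit at a time.
digit_to_triplet() {
    case $1 in [0-7]) ;; *) return 1 ;; esac
    r=-; w=-; x=-
    [ $(($1 & 4)) -ne 0 ] && r=r
    [ $(($1 & 2)) -ne 0 ] && w=w
    [ $(($1 & 1)) -ne 0 ] && x=x
    echo "$r$w$x"
}

# 644 -> "rw-r--r--"
octal_to_perm() {
    case $1 in [0-7][0-7][0-7]) ;; *) return 1 ;; esac
    rest=${1#?}
    echo "$(digit_to_triplet "${1%??}")$(digit_to_triplet "${rest%?}")$(digit_to_triplet "${rest#?}")"
}

for m in 644 664 755 775; do
    printf '%s = %s = %s\n' "$m" "$(octal_to_perm "$m")" "$(perm_to_octal "$(octal_to_perm "$m")")"
done
```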
Directories are a little different:
755 is a common directory setting:
drwxr-xr-x 2 spaniel dogs 512 May 26 13:46 dir1
The owner has read, write and execute, and group and other have read and execute. Remember, other needs read and execute on a directory in order for a web browser to view files in that directory. Although you can give read but not execute (or vice-versa) on a directory, there's almost no reason for it.
You'd have to set it 775 if you wanted members of the group to be able to write to it:
drwxrwxr-x 2 spaniel dogs 512 May 26 13:46 dir1
Keep in mind that if you give someone write permission to a directory, they can delete any file in the directory, even if they don't have permission to write or read that specific file.
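An added example (not from the original page) that exercises these directory rules on a scratch directory: it sets the directory to a given octal mode, puts a read-only file inside, and reports which of listing, reading and deleting still succeed. It assumes a POSIX shell and a non-root user, since root bypasses these checks.

```shell
# Added example, not from the original page: set a scratch directory to a
# given octal mode and report which operations still work on a read-only
# (mode 444) file inside it.  Listing needs r on the directory, opening a
# file by name needs x, and deleting needs w (with x) on the directory even
# though the file itself is not writable.  Root bypasses these checks.
probe_dir() {
    mode=$1
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/d"
    printf 'hello\n' > "$tmp/d/f"
    chmod 444 "$tmp/d/f"            # the file itself is read-only for everyone
    chmod "$mode" "$tmp/d"
    list=N; readf=N; delete=N
    # listing the names needs r on the directory (a glob reads it just as ls does)
    set -- "$tmp/d"/*
    [ "$1" != "$tmp/d/*" ] && list=Y
    # opening a file by name needs x on the directory (plus r on the file)
    cat "$tmp/d/f" >/dev/null 2>&1 && readf=Y
    # removing an entry needs w and x on the directory, whatever the file's own mode
    rm -f "$tmp/d/f" 2>/dev/null && removed=0 || removed=1
    chmod 700 "$tmp/d"              # restore access so we can verify and clean up
    [ "$removed" -eq 0 ] && [ ! -e "$tmp/d/f" ] && delete=Y
    rm -rf "$tmp"
    echo "mode=$mode list=$list read=$readf delete=$delete"
}

for m in 700 500 400 100; do probe_dir "$m"; done
```

As an ordinary user, 755-style modes (here 500 for the same user) allow listing and reading but not deleting, while 400 lists but cannot open the file and 100 opens the file but cannot list.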
Letters and Symbols: You can also change permissions using a combination of letters and symbols. Some people think this is easier. Use whichever you prefer. I tend to use both, depending on the situation. The general format of the command is chmod userclass operation permission
Userclass
| u | User (owner) |
| g | Group |
| o | Other |
| a | All (user, group, other) |
Operation
| + | Add permission |
| - | Remove permission |
| = | Assign permission regardless of previous setting |
Permission
| r | Read |
| s | Set user or group ID (Don't worry about this for now) |
| w | Write |
| x | Execute |
$ls -l trak
-r--r--r-- 1 spaniel dogs 1207 Apr 01 10:10 trak
User, group and other are all set for read only. If I want to give user and group write access, I would type:
$chmod ug+w trak
$ls -l trak
-rw-rw-r-- 1 spaniel dogs 1207 Apr 01 10:10 trak
Userclass is user and group, operation is add, and permission is write.
Notice that when you use add or remove, it only affects permissions directly addressed by the command. The file already had read access for everyone and my command didn't touch that, since it was addressing write access only. This can be a helpful feature of this method of setting permissions.
If you want to make multiple changes, separate them with commas:
$chmod ug+w,o+r trak
Using the = operator resets ALL permissions on the file, regardless of how they were set previously.
$ls -l trak
-rw-rw-r-- 1 spaniel dogs 1207 Apr 01 10:10 trak
$chmod a=r trak
$ls -l trak
-r--r--r-- 1 spaniel dogs 1207 Apr 01 10:10 trak
Notice that even though the command only addressed read permissions, it also cleared the write permissions.
Groups
Every user on a Unix system is a member of at least one group. Most are probably members of several groups. Groups are a convenient way to let multiple users access files based on shared needs, without letting everyone access them. Everyone has a "primary group." If you are only in one group, that's your primary group. To find out what groups you or someone else are in, type id username at the shell prompt.
$id mmouse
uid=220(mmouse) gid=208(rodents) groups=1(staff),216(cats)
Your primary group is listed first (rodents) and all other groups are listed after.
When you create a file on the server, or ftp one there, you are the owner of the file, and the group is your primary group. This may cause a complication for mmouse if mmouse is working with members of the group cats when her primary or default group is rodents:
-rw-rw-r-- 1 mmouse rodents 1207 Apr 01 10:10 trak
The permissions are set to allow the group to write, but it's the wrong group!
You can change the group with the chgrp command. You must own the file and be a member of the group to which you are changing.
$chgrp cats trak
$ls -l trak
-rw-rw-r-- 1 mmouse cats 1207 Apr 01 10:10 trak
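As an added example (not from the page), a small wrapper that checks both preconditions just stated, that you own the file and that you belong to the target group, before calling chgrp; the names safe_chgrp, in_group and owns_file are this example's own.

```shell
# Added example, not from the original page: verify that you own the file
# and belong to the target group before calling chgrp, so a wrong call
# fails with a clear message instead of chgrp's "Operation not permitted".
# Function names are this example's own.  (Root may chgrp to any group;
# the membership check is still applied here for simplicity.)

in_group() {
    # id -Gn prints every group the current user belongs to, space-separated
    case " $(id -Gn) " in *" $1 "*) return 0 ;; esac
    return 1
}

owns_file() {
    # compare numeric uids (ls -n) so this works even where the uid has no name
    [ "$(ls -ldn "$1" | awk '{ print $3 }')" = "$(id -u)" ]
}

safe_chgrp() {
    grp=$1; file=$2
    [ -e "$file" ] || { echo "safe_chgrp: no such file: $file" >&2; return 1; }
    owns_file "$file" || { echo "safe_chgrp: you do not own $file" >&2; return 1; }
    in_group "$grp" || { echo "safe_chgrp: you are not in group $grp" >&2; return 1; }
    chgrp "$grp" "$file"
}
```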
There's another way around this--the sgid (set group id) flag. I posted instructions on using this to yulwww-l already, but I'll go over it here too.
