File Permissions - Introduction

Every file and directory on the system has file permissions which determine who on the system can access the file and how. The "how" part of it determines three different things: Is the file readable? Is the file writable? Is the file executable? The "who" part of it figures out who can access the file by dividing people into three categories: the owner of the file; those users who are in the same group as the file; and all other users.

How to check file permissions

To check both the permissions and the ownership of a file, use the "ls" command, with the options "-l" and "-g":

    > ls -lg filename
    -rw-r--r--  1 smith  cls-au92  1138 Apr  1 04:01 filename

This lists several things, which are in order: permissions, number of links, owner, group owner, file size, last modification date, and the filename. The file permissions section is a 10 character string, and each character has a different meaning:

    +--- file type
    |
    |    +--- group permissions
    |    |
    |   -+-
    drwxrwxrwx
     -+-   -+-
      |     |
      |     +--- other permissions (the rest of the world)
      |
      +-----user permissions (the owner of the file)

File type will be "d" for directories, or "-" for regular files. For the rest of the permissions, each set of three characters defines read, write and execute privileges. "r" represents read, "w" write, and "x" execute. In each case, a dash "-" means that category lacks this permission.

For directories, the write privileges determine whether or not you can create or delete files in that directory. Read permissions indicate whether you can list the files in that directory. Execute permissions (also called search permissions when referring to directories) determine whether or not you can access files within this directory. This means that if a directory has search permissions but not read permissions, you can't list the contents of that directory, but if you already know what's in it, you can access those files.

Examples

    drwxr-xr-x    A directory that anyone can access, but only the owner can
                  create files.
    drwx--x--x    A directory which restricts other users from listing its
                  contents, but which will allow them to access files within
                  that directory if they already know the filename.
    -rwxr-xr-x    An executable file. Anyone can run it, only the owner can
                  modify it.
    -rw-------    A file which is only accessible (read/write) by the owner.

How to change file permissions

The command used to change file permissions is chmod. There are two different ways you can use chmod. In both, you specify the permissions, followed by one or more file names. Specifying permissions is different in each method.

Method 1

In this method the permissions are specified using letters to represent different categories and permissions. Categories are represented by "u" for user, "g" for group, and "o" for other. A plus or minus indicates whether you are adding or removing some permission, and permissions are specified by "r", "w", and "x", as above. These things are put together with no spaces in the order described:

    > chmod go+r file1 file2 file3     add read privileges for everyone
    > chmod +x filename                make file executable
    > chmod g+w filename               add write privileges for group
    > chmod go-rwx filename            remove all non-owner privileges

Method 2

In this method, the privileges are described with a three-digit octal number. Each digit represents (left to right) the owner, the group, and the world permissions. Each digit is built by adding 4 for read privileges, 2 for write privileges and 1 for execute:

    > chmod 755 filename     corresponds to -rwxr-xr-x
    > chmod 711 directory    corresponds to -rwx--x--x
    > chmod 750 filename     corresponds to -rwxr-x---
    > chmod 644 filename     corresponds to -rw-r--r--
    > chmod 600 filename     corresponds to -rw-------
    > chmod 666 filename     corresponds to -rw-rw-rw-

More complicated things

Odd permissions

The permissions are examined in order from left to right, and the first set of rules that match are applied. This means that it is possible to restrict the owner of a file, while giving access to the rest of the world:

    ----r--rw-    The owner of this file cannot access it at all, even though
                  he is probably in the correct group. The group owner of the
                  file can read it only. Everyone else can both read it and
                  write it.
    -rw----r--    This file is readable by everyone except those who are in
                  the same group as the file (except for the owner). This
                  feature is probably only useful for restricting one single
                  group from gaining access.
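
The first-match rule above, as an added example that is not part of the original page: POSIX shell functions that pick the one class applying to a user and return its three permission characters. The names jones, guest and visitors are constructed; the superuser, who bypasses these checks, is not modeled.

```sh
#!/bin/sh
# Added example. Names jones, guest and visitors are constructed; smith and
# cls-au92 come from the ls listing on this page. Assumes plain r/w/x/- mode
# characters; the superuser, who bypasses these checks, is not modeled.

# applicable_class USER "USER_GROUPS" FILE_OWNER FILE_GROUP
# Prints the single class consulted for USER: user, group or other.
applicable_class() {
    user=$1 user_groups=$2 owner=$3 group=$4
    if [ "$user" = "$owner" ]; then
        echo user
        return
    fi
    for g in $user_groups; do
        if [ "$g" = "$group" ]; then
            echo group
            return
        fi
    done
    echo other
}

# effective_perms MODE USER "USER_GROUPS" FILE_OWNER FILE_GROUP
# MODE is the 10-character field from "ls -l". Prints the three characters
# that apply to USER; the other two sets are never used as a fallback.
effective_perms() {
    mode=$1
    case $(applicable_class "$2" "$3" "$4" "$5") in
        user)  printf '%s\n' "$mode" | cut -c2-4 ;;
        group) printf '%s\n' "$mode" | cut -c5-7 ;;
        other) printf '%s\n' "$mode" | cut -c8-10 ;;
    esac
}

# can ACTION MODE USER "USER_GROUPS" FILE_OWNER FILE_GROUP
# ACTION is r, w or x. Exit status 0 means the access is allowed.
can() {
    action=$1; shift
    case $(effective_perms "$@") in
        *"$action"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed demo: the ----r--rw- file above, owned by smith:cls-au92.
for who in smith:cls-au92 jones:cls-au92 guest:visitors; do
    echo "${who%%:*} -> $(effective_perms ----r--rw- "${who%%:*}" "${who#*:}" smith cls-au92)"
done
```

When auditing, this is why a file whose "other" bits are wider than its "user" or "group" bits deserves a second look: the narrow set binds only the owner or the group, not the rest of the world.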

Umask

When chmod is used as in Method 1 above and the category is left out, the permissions default to the umask: the change is applied to every category, except for the bits the umask strips. The umask is a value defined for every process that determines the permissions files are created with. The default umask is 077, which tells the operating system which permissions to strip when creating a file. In other words, for the default shown, strip out all permissions for group and world. The "umask" command sets and displays the umask value.

Last Update: 1/10/94 JGW

Original author: TAF