This document contains information about Unix/Linux file and directory permissions. Particular attention is given to the default file permissions and how to customize them in the Indiana University School of Informatics and Computing environment. Understanding this information is critical if you want to make sure your files are not readable by other users or if you want to give other users access to certain files.

Please note that Access Control Lists (ACLs) are also available which give greater control over permissions and access.

Index

  1. File Permissions Introduction
  2. Changing File Permissions - Gnome Nautilus File Manager
  3. Changing File Permissions - The Command Line
  4. Numeric File Modes
  5. Permissions On Newly Created Files/Directories
  6. Higher Order Mode Bits (setuid, setgid, sticky)
  7. Using Access Control Lists (ACLs)

File Permissions Introduction

Unix file permissions are broken down into basic permissions (read, write, and execute) and three classes of users (user/owner, group, and other). You can use this model to grant any combination of the 3 permissions to any of the classes of users. For example, you can give the user (also known as the owner of the file) the permission to read and write a file while giving others permission to read the file but not write to the file. Before we go too far, let's define these basic concepts.

  • Permission Modes
    • Read (r) - Read permission on a file controls the ability to view the contents of the file. Read permission on a directory controls the ability to view the contents of the directory.
    • Write (w) - Write permission on a file controls the ability to modify the contents of the file. Write permission on a directory controls the ability to create files in that directory.
    • eXecute/search (x) - Execute permission on a file controls whether the file can be executed as a program. Execute permission on a directory controls whether the directory can be searched. If a directory can be searched, that means that a file in that directory can be accessed (assuming the permissions on the file permit it), but you cannot see the contents of the directory unless the directory is also readable. This provides a way to allow access to a file in a directory if the filename is known, while preventing someone from getting a listing of the available files.

  • Classes of Users
    • User/owner (u) - The user refers to the owner of the file or directory.
    • Group (g) - All files and directories belong to a group, which is a collection of users. By default all students are in the student group and all of the files and directories will be a part of the student group. The permissions that apply to the group apply to all members of that group, which may well be a lot of people.
    • Other (o) - Other refers to everyone except the owner of the file and everyone that is in the group to which the file belongs.

So, there are read/write/execute permissions for each of user/group/other. The read/write/execute modes are denoted by r/w/x. For each of the user, group, and other, these three modes can be on or off. If the mode is on, it is denoted by r, w, or x, and if it is off it is denoted by '-'. For example, rw- for the User denotes that the owner of the file can read and write to the file, but not execute. Likewise, r-x for Others means that anyone can read and execute the file, but not write to it.

As a shorthand, these three sets of permissions are written one after another. For example, if a file is readable, writable, and executable by the user (rwx), readable and executable but not writable by the group (r-x), and only readable by others (r--), that would be denoted as rwxr-xr--. These permissions are shown when you do a long listing using the -l flag to the ls command. For example:

    % ls -l
    total 2
    drwxr-xr-x   2 jstudent   students     512 Feb 28 17:58 somedirectory
    -rw-r--r--   1 jstudent   students    2342 Feb 28 17:57 somefile

In this example, we see that the directory named somedirectory is readable/writable/searchable by the owner, jstudent, but is only readable/searchable by the group and others. Remember that the x means searchable and not executable for directories. The file named somefile is readable/writable by the owner, jstudent, but is only readable by the group and others.

The extra character at the beginning of each line simply indicates what the item is. The 'd' indicates a directory and the '-' indicates a file.

Changing File Permissions - Gnome Nautilus File Manager

If you use Nautilus (the File Manager GUI under Gnome) to manipulate your files and directories (also called folders), then you can modify file permissions from within Nautilus. Simply right click on the file or folder to highlight it and then select Properties from the menu. This will bring up a properties window where you can then click the Permissions tab. From there, you can use the pulldowns to set the permissions.

This gives you the ability to control the basic file permissions of files and folders. However, it is worth mentioning that there are more advanced permission features that can only be manipulated using the command line. Read on for more information about using these command line utilities.

Changing File Permissions - The Command Line

In order to change the permissions on a file from the command line, you use the chmod command, which is short for "change mode". You specify the class of user (u/g/o) and the permission (r/w/x), separated by a + or - to turn the permission on or off. For example, to give the group read permission on a file named index.html, you would run:

chmod g+r index.html

You can also grant multiple permissions or specify multiple classes of user using a single chmod command. For example, if you want to give the group and others read access to index.html, you would run:

chmod go+r index.html

Similarly, if you wanted to give everyone read and search access to a directory named opendir, you could run:

chmod go+rx opendir

In order to take permissions away, you simply replace the + with a -. For example, to remove read and write permission for the group and other on the file named securefile, you would run:

chmod go-rw securefile

You can also use the -R (recursive) flag to chmod to change the permissions for a directory and all of its contents. For example, if you wanted to make the directory named privatestuff and everything in it inaccessible by anyone else, you could run:

chmod -R go-rwx privatestuff

Numeric File Modes

In the previous section, file permissions were specified using a symbolic representation. For example, 'g' was used to represent the Group and 'o' was used to represent Others. You can also use the numeric representation of the file permissions (or modes).

In order to understand these numeric modes, you must first understand that these modes are actually represented by the system as three octal digits, one each for the user, the group, and others. Within each category, the Read/Write/eXecute bits are represented by the bits of an octal digit. The Read bit is in the 4s place, the Write bit is in the 2s place, and the eXecute bit is in the 1s place.

    USER    GROUP   OTHER
    r w x   r w x   r w x
    4 2 1   4 2 1   4 2 1

In order to determine the numeric code for a given set of permissions, you just add up the octal digits for the modes that are on. For example, if a file is readable and writable by the user and read-only for the group and others, the numeric mode would be 644, as illustrated below:

    USER    GROUP   OTHER
    r w -   r - -   r - -
    4+2     4       4

Similarly, a directory that has permissions 'rwxr-xr-x' would have an octal mode of 755. You can use this numeric mode to set permissions. For example,

chmod 644 somefile

sets the permission of the file to 'rw-r--r--'.
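As an added example (not code from the original page), the following POSIX shell functions convert between the two notations: an ls-style string such as rwxr-xr-x becomes 755 and back again. They also decode the s/S/t/T letters that ls shows for the setuid, setgid and sticky bits into a fourth, leading digit (the usual chmod convention), so they work on real ls -l output.

```shell
#!/bin/sh
# Convert between the symbolic mode string shown by `ls -l` and the
# octal mode accepted by chmod.  Both functions print the result and
# return 1 on malformed input.

# mode_to_octal "rwxr-xr-x" -> 755.  The s/S/t/T letters that ls uses
# for setuid, setgid and sticky become a fourth, leading digit,
# e.g. "rwxrwsr-x" -> 2775.
mode_to_octal() {
    s=$1
    [ "${#s}" -eq 9 ] || return 1          # exactly three rwx triples
    special=0; out=""; i=1
    for weight in 4 2 1; do                # setuid / setgid / sticky
        triple=$(printf '%s' "$s" | cut -c "$i-$((i + 2))")
        digit=0
        case $triple in r??) digit=$((digit + 4)) ;; esac
        case $triple in ?w?) digit=$((digit + 2)) ;; esac
        case $triple in ??[xst]) digit=$((digit + 1)) ;; esac   # lower case: x is set too
        case $triple in ??[sStT]) special=$((special + weight)) ;; esac
        out="$out$digit"; i=$((i + 3))
    done
    [ "$special" -eq 0 ] || out="$special$out"
    printf '%s\n' "$out"
}

# octal_to_mode 644 -> "rw-r--r--".  A fourth leading digit (e.g. 2775)
# is rendered as s/S (user, group) or t/T (other) in the execute slot.
octal_to_mode() {
    case $1 in
        [0-7][0-7][0-7])      special=0;        perm=$1 ;;
        [0-7][0-7][0-7][0-7]) special=${1%???}; perm=${1#?} ;;
        *) return 1 ;;
    esac
    out=""; i=1
    for weight in 4 2 1; do
        d=$(printf '%s' "$perm" | cut -c "$i")
        r=-; w=-; x=-
        [ $((d & 4)) -eq 0 ] || r=r
        [ $((d & 2)) -eq 0 ] || w=w
        [ $((d & 1)) -eq 0 ] || x=x
        if [ $((special & weight)) -ne 0 ]; then
            if [ "$i" -eq 3 ]; then lo=t; up=T; else lo=s; up=S; fi
            if [ "$x" = x ]; then x=$lo; else x=$up; fi   # upper case: bit set, not executable
        fi
        out="$out$r$w$x"; i=$((i + 1))
    done
    printf '%s\n' "$out"
}
```

An upper-case S or T in the output means the special bit is set on an entry that is not executable by that class, which is a combination worth noticing when auditing a listing.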

Permissions On Newly Created Files/Directories

When you create a new file or directory in the filesystem, the permissions it will have are controlled by your umask, a value that you set with the umask command. Running umask with no arguments displays your current umask. The two most common umasks in use are '022' and '077':

  • 022 - files/directories are created readable by others, but not writable.
  • 077 - files/directories are created unreadable and unwritable by others.

It is very likely that you have a umask command in one of your configuration files that sets this for you. For example, if you use the default shell (bash), your .bashrc file will probably contain a line like

umask 022

or

umask 077

You can set the umask for the level of privacy you prefer. However, if you use a umask of 022 you should be careful to ensure that files you wish to keep private are properly protected.
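As an added example (not part of the original page), these POSIX shell functions show what a given umask yields: new files start from mode 666 and new directories from 777, and the umask bits are cleared from that base. The second function confirms this by creating a file and a directory under that umask in a scratch directory, and the third performs the check the previous paragraph recommends, listing files under a directory that are still readable by others.

```shell
#!/bin/sh
# New files start from mode 666 and new directories from 777; the bits
# set in the umask are cleared from that base.

# umask_modes 022 -> "644 755" (file mode, then directory mode).
umask_modes() {
    case $1 in [0-7][0-7][0-7]) ;; *) return 1 ;; esac
    m=$((0$1))                              # leading 0: read as octal
    printf '%o %o\n' $((0666 & ~m)) $((0777 & ~m))
}

# created_modes 077 creates one file and one directory under that umask
# in a scratch directory and reports the modes `ls -ld` shows for them,
# e.g. "rw------- rwx------".  The umask is changed only in a subshell,
# so the caller's umask is untouched.
created_modes() {
    scratch=$(mktemp -d) || return 1
    (
        umask "$1"
        : > "$scratch/f"
        mkdir "$scratch/d"
    )
    f=$(ls -ld "$scratch/f" | cut -c 2-10)  # the nine rwx characters
    d=$(ls -ld "$scratch/d" | cut -c 2-10)
    rm -rf "$scratch"
    printf '%s %s\n' "$f" "$d"
}

# others_readable DIR lists the regular files under DIR that still carry
# the "other read" bit (octal 004), which is what a umask of 022 leaves
# on every file you create.
others_readable() {
    find "$1" -type f -perm -004
}
```

Run others_readable on your home directory after switching to a 077 umask: files created earlier keep the permissions they were created with, because the umask only affects new files.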

Higher Order Mode Bits (setuid, setgid, sticky)

In addition to the Read, Write, and eXecute bits that have been discussed, there are three other mode bits: Setuid, Setgid, and Sticky. See the chmod(2) manual page by running

man -s 2 chmod

for all the details. It is beyond the scope of this document to explain all the details of these extra permission bits. However, it is probably worth mentioning the semantics of the setgid bit for directories since it is used frequently. If you have a directory and you want files created within the directory to inherit the group ownership of the directory, you can set the setgid bit with:

chmod g+s directory_name

Using Access Control Lists (ACLs)

There is a more powerful mechanism available for controlling file and directory permissions called Access Control Lists (ACLs). See the ACL KB Page for more information about using ACLs.
