File Permissions
Every file and directory on a Linux/Unix system has a set of access permissions associated with it. These include the owner of a file, the group a file is associated with, and who has read, write, and execute permission on that file. These permissions allow you to choose who can use your files, and control what they can do with them.
Using File Permissions
How to see what permissions are set on a file or directory
With the command ls you can see the contents of a directory:
[emcnabb@grape emcnabb]$ ls
accounts.txt  backgrounds  ChessClassDiagram  cs240  cs312
If you use ls -l you see extra information about each file:
[emcnabb@grape emcnabb]$ ls -l
-rw-r--r--  1 emcnabb admin  107 Jan 10 10:06 accounts.txt
drwxr-xr-x  3 emcnabb admin 4096 Mar 29  2002 backgrounds
-rw-r--r--  1 emcnabb admin 2414 Apr  1 08:28 ChessClassDiagram
drwx------  5 emcnabb admin 4096 Mar 14 14:25 cs240
drwxr-xr-x  6 emcnabb admin 4096 Apr 16  2002 cs312
From left to right, these are the explanations of each field returned.
- The permissions that are set on this file or directory. This is explained in more detail below.
- The number of hard links to the item. A regular file normally shows 1 (more only if extra hard links to it exist); a directory shows 2 plus the number of its subdirectories, because of its own "." entry and the ".." entry in each subdirectory.
- The owner of the file. In this case, emcnabb.
- The group the file is associated with. In this case, admin.
- The size in bytes. For a directory this is the space taken by its list of entries, typically one 4096-byte block, not the total size of the files inside it.
- Last modification time. For recently changed items ls shows month, day and time of day; for items older than about six months it shows month, day and year instead, as for backgrounds and cs312 above.
- The file or directory's name.
Explanation of permissions
Permission attributes are the first field of output for ls -l. They are shown as ten characters. If the first character on the left is a 'd', the item is a directory; if it is a '-' it is a regular file (other letters occur too, for example 'l' for a symbolic link). The remaining nine characters are three groups of three, one group per category of user, and each position holds either '-' (permission not granted) or one of the following:
- r = read
- w = write
- x = execute
- s = set id (shown in place of x in the user or group position)
- t = sticky (shown in place of x in the other position)
r, w, and x are simple permissions which grant that type of access to the specified category of user. s and t can be somewhat complicated and will not be discussed in this document, but be aware that s on an executable file (set-user-ID or set-group-ID) makes the program run with the privileges of the file's owner or group rather than those of the person who ran it, so it should only ever be set deliberately. A capital 'S' or 'T' means the special bit is set without the corresponding x bit. chmod additionally accepts X (conditional execute: set x only on directories, and on files that already have x for somebody) in its symbolic mode; X never appears in ls output. Consult the chmod man page for more information about any of these permissions.
Permissions can be granted to three different categories of users: user (u), group (g), and other (o). The user permissions pertain to the current owner of the file, which is normally whoever created it. The group permissions pertain to users who are listed in the group to which the file is assigned. All other users belong to the other category. The other category is also often referred to as "world". Additionally, you can choose to grant a permission to all types of user (a).
Each category of user is described with three characters in ls -l's output, in the order read, write, execute. The first three (after the file/directory flag) describe user permissions, the second three pertain to the group, and the last three are world permissions. On a directory the three bits mean something slightly different from what they mean on a file: r lets you list the names in the directory, w lets you create, rename, or delete entries in it, and x lets you enter it and reach the files inside it. As an example, let's look at the permissions for the directory 'backgrounds'. They are broken up from left to right in four parts.
- d This is a directory
- rwx Owner Permissions: read, write, and execute permissions are set, so the owner can list the directory, enter it, and create, rename, or delete entries in it.
- r-x Group Permissions: anyone who is a member of the group can list the directory (r) and enter it or open files inside it (x), but not modify it (create, rename, or delete files).
- r-x World Permissions: anyone who is neither the owner of the directory nor a member of the group can likewise list and enter the directory, but not modify it.
Setting permissions
Setting permissions on files and directories is done using the chmod command. This document presents a simple explanation of chmod; for a detailed explanation check the man page using man chmod.
The basic syntax of chmod is chmod <permissions> <filename>. The permission mode is set using the one-letter code for the user category, an operator such as + to add the permission and - to remove the permission, and the one-letter code for the permission. If we want to add user execute permission to the accounts.txt file, for example, we use the command chmod u+x accounts.txt. The output from ls -l accounts.txt now reads:
-rwxr--r-- 1 emcnabb admin 107 Jan 10 10:06 accounts.txt
And now we can tell the operating system to execute this file. Of course, since this is a plain text file with no interpreter line, the shell will fall back to running its contents line by line as shell commands, which can have strange effects.
If you want to change multiple permissions for multiple types of users at once, you can use the numeric representation of the permission modes. The numeric mode is really cool, and worth learning (After all, who doesn't want to practice converting from binary to octal in their head?); it is covered in the next section, and in more depth in chmod's man page.
Setting Permissions Numerically
You can also set your permissions via a numeric system:
Each of the three categories (user, group, other, in that order) gets one digit, which is the sum of the permissions granted:
0  ---  no permission
1  --x  eXecute
2  -w-  Write
3  -wx  Write and eXecute (2 + 1 = 3)
4  r--  Read
5  r-x  Read and eXecute (4 + 1 = 5)
6  rw-  Read and Write (4 + 2 = 6)
7  rwx  Read, Write, and eXecute (4 + 2 + 1 = 7)
For example: chmod 754 filename will give the owner rwx, the group r-x, and everyone else (world) r--. This is another useful way to set permissions. I find it pretty easy to remember.
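The nine-character field that ls -l prints and the octal digits chmod accepts describe the same bits, so it is worth being able to convert between them by hand, and to do it for the s and t bits the symbolic section above left aside (they appear in place of x, and their letter case tells you whether the underlying x bit is also set). The following script is an example added here, not part of the original document; the function names perm_to_octal, octal_to_perm and mode_of are ours. mode_of reads a real file's mode the same way the examples above do, from the first field of ls -l.

```sh
#!/bin/sh
# Convert between the nine permission characters ls -l prints (rwxr-xr--)
# and the octal mode chmod accepts (0754). Example added here; the function
# names are ours, not part of the original document.

# perm_to_octal rwxr-xr--  ->  0754
# The leading digit holds setuid (4), setgid (2) and sticky (1). ls shows those
# in the x slot as s (user/group) or t (other); a capital S or T means the
# special bit is set but the x bit itself is off.
perm_to_octal() {
  rest=$1
  if [ "${#rest}" -ne 9 ]; then
    echo "perm_to_octal: expected 9 characters, got '$1'" >&2
    return 1
  fi
  special=0
  digits=""
  slot=0
  while [ -n "$rest" ]; do
    c=${rest%"${rest#?}"}        # first remaining character
    rest=${rest#?}
    triad=$((slot / 3))          # 0 = user, 1 = group, 2 = other
    pos=$((slot % 3))            # 0 = r slot, 1 = w slot, 2 = x slot
    if [ "$pos" -eq 0 ]; then val=0; fi
    case $c in
      -) ;;
      r) [ "$pos" -eq 0 ] || return 1; val=$((val + 4)) ;;
      w) [ "$pos" -eq 1 ] || return 1; val=$((val + 2)) ;;
      x) [ "$pos" -eq 2 ] || return 1; val=$((val + 1)) ;;
      s|S)                       # setuid/setgid: user or group x slot only
        [ "$pos" -eq 2 ] && [ "$triad" -ne 2 ] || return 1
        if [ "$triad" -eq 0 ]; then special=$((special + 4)); else special=$((special + 2)); fi
        if [ "$c" = s ]; then val=$((val + 1)); fi ;;
      t|T)                       # sticky: other x slot only
        [ "$pos" -eq 2 ] && [ "$triad" -eq 2 ] || return 1
        special=$((special + 1))
        if [ "$c" = t ]; then val=$((val + 1)); fi ;;
      *) return 1 ;;
    esac
    if [ "$pos" -eq 2 ]; then digits="$digits$val"; fi
    slot=$((slot + 1))
  done
  printf '%d%s\n' "$special" "$digits"
}

# octal_to_perm 4755  ->  rwsr-xr-x   (three or four octal digits accepted)
octal_to_perm() {
  m=$1
  case $m in
    [0-7][0-7][0-7]) m=0$m ;;
    [0-7][0-7][0-7][0-7]) ;;
    *) echo "octal_to_perm: bad mode '$m'" >&2; return 1 ;;
  esac
  special=${m%???}               # setuid 4, setgid 2, sticky 1
  rest=${m#?}                    # user, group, other digits
  out=""
  triad=0
  while [ -n "$rest" ]; do
    d=${rest%"${rest#?}"}
    rest=${rest#?}
    if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
    if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
    case $triad in               # the x slot also shows this triad's special bit
      0) sbit=$((special & 4)); letter=s ;;
      1) sbit=$((special & 2)); letter=s ;;
      2) sbit=$((special & 1)); letter=t ;;
    esac
    if [ "$sbit" -ne 0 ] && [ $((d & 1)) -ne 0 ]; then out="$out$letter"
    elif [ "$sbit" -ne 0 ]; then out="$out$(printf '%s' "$letter" | tr st ST)"
    elif [ $((d & 1)) -ne 0 ]; then out="${out}x"
    else out="${out}-"
    fi
    triad=$((triad + 1))
  done
  printf '%s\n' "$out"
}

# mode_of FILE: read the mode the way this document does, from the first
# field of ls -l (-d so a directory is reported rather than its contents).
mode_of() {
  [ -e "$1" ] || { echo "mode_of: no such file: $1" >&2; return 1; }
  field=$(ls -ld -- "$1" | cut -c2-10)
  perm_to_octal "$field"
}

# Usage: sh permconv.sh rwxr-xr-- 4755 /etc/passwd   (each argument is converted)
for arg in "$@"; do
  case $arg in
    [0-7][0-7][0-7]|[0-7][0-7][0-7][0-7]) octal_to_perm "$arg" ;;
    ?????????) perm_to_octal "$arg" ;;
    *) mode_of "$arg" ;;
  esac
done
```

Running it on a file is a quick way to check what a chmod actually did: after chmod 754 filename, mode_of filename prints 0754, and feeding the output of ls -l for a setuid program such as a copy of passwd gives 4755, with the leading 4 flagging the set-user-ID bit that the symbolic section warns about.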
Defining Default Permissions
The command umask defines the default permissions that will be given to all new files created by a user. umask takes arguments in a manner similar to chmod, and they can be given in symbolic mode or as octal numbers (like chmod's numeric representation), but the two forms mean opposite things. In octal form the digits name the permissions that will not be granted (they will be masked): a new file is requested with permissions rw-rw-rw- (666) and the masked bits are taken away, so a umask of 077 yields default permissions of -rw-------, and the common system default of 022 yields -rw-r--r--. In symbolic form the argument describes the permissions that are allowed, so it reads like chmod: starting from 022, umask og+w adds write for group and others to the allowed set and leaves nothing masked, meaning a newly created file will have permissions of -rw-rw-rw-. (umask -S prints the current mask in this allowed form, and umask with no argument prints the octal form.) The default umask on a system can usually be found in /etc/profile or /etc/bashrc. If you want your files to have different permissions than the system default, you should set the umask in your .bashrc file using a line such as this:
umask 077
Note that umask only ever removes permissions; it never adds them. Programs that create ordinary files (editors, touch, shell redirection) request mode 666, so a new file never has the executable bit no matter what the umask is; that bit must be added with chmod. Directories are requested with mode 777, so they keep the executable bit unless the umask takes it away, and that bit is what lets users enter a directory and reach the files inside it. (Compilers and linkers also request 777 for the programs they produce, which is why a freshly built program is executable without a chmod.)
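The arithmetic behind the paragraphs above, as an example added here rather than something from the original document: apply_umask computes the mode a new item ends up with from the mode the program requests and the current mask, and umask_demo creates a real file and directory under a given mask in a scratch directory so the computed values can be compared with what ls -l then shows. Both function names are ours.

```sh
#!/bin/sh
# How the umask shapes the mode of a new file or directory. Example added
# here; apply_umask and umask_demo are names chosen for it.

# apply_umask REQUESTED MASK: the mode a program asks for (666 for an
# ordinary file, 777 for a directory or a compiled program) with every bit
# named in the mask cleared. Prints three octal digits, e.g. 666 022 -> 644.
apply_umask() {
  case "$1:$2" in
    [0-7][0-7][0-7]:[0-7][0-7][0-7]) ;;
    *) echo "apply_umask: need two 3-digit octal modes" >&2; return 1 ;;
  esac
  # a leading 0 makes the shell read both numbers as octal; ~ inverts the mask
  printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# umask_demo MASK: create a file and a directory under MASK in a scratch
# directory and print the permission fields ls -l shows for them, so the
# arithmetic above can be checked against what the kernel really does.
umask_demo() {
  dir=$(mktemp -d) || return 1
  (
    umask "$1"                  # only affects this subshell
    : > "$dir/file"             # a shell redirection asks for mode 666
    mkdir "$dir/subdir"         # mkdir asks for mode 777
  ) || return 1
  printf '%s %s\n' "$(ls -ld -- "$dir/file" | cut -c2-10)" \
                   "$(ls -ld -- "$dir/subdir" | cut -c2-10)"
  rm -rf -- "$dir"
}

# Usage: sh umask_demo.sh 077   -> file: 600  dir: 700
#                                  rw------- rwx------
if [ $# -eq 1 ]; then
  printf 'file: %s  dir: %s\n' "$(apply_umask 666 "$1")" "$(apply_umask 777 "$1")"
  umask_demo "$1"
fi
```

The subshell in umask_demo matters: umask is a shell setting inherited by every process the shell starts, so running it inside parentheses keeps the experiment from changing the mask of your login shell, which is also why the permanent setting belongs in .bashrc rather than in a one-off script.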
Important permissions to set
Prevent Unauthorized Access
To prevent others from reading or changing your home directory, make sure it is not group or world readable or writable. You do this with the command chmod go-rw . executed from your home directory. This leaves the execute bit in place, so other users cannot list your home directory or create files in it, but they can still reach any file or subdirectory inside it whose name they know, subject to that item's own permissions, so check those too (ls -la). Removing execute as well (chmod go-rwx .) shuts the directory off completely, but then the web server cannot reach your public_html either (see the next section).
Make sure that you do not grant world or group write permissions on your directories. Deleting or renaming a file needs write permission on the directory that contains it, not on the file itself, so users can remove files that they do not own from a directory where they have write permission (a directory with the sticky bit, such as /tmp, is the exception). World and group write permissions on your home directory allow other users to delete all of your files.
Setting Permissions for Webpages
For the webserver to correctly serve pages from your account, it needs permissions to access your public_html directory. For this reason you need to set the following permissions:
- Home directory must be world executable (it should still not be world readable or writable, as explained above).
- public_html must be world readable and executable.
- All html files that you want to be able to display should be world readable.
- Any cgi scripts that you want to be able to run must be world executable.
- None of your files should be world writable.
For more information on setting up a web page on your account, see the Website Setup and Configuration doc in the doc project.
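The rules in the two sections above can be checked mechanically. The script below is an example added here, not a tool from the doc project: audit_home takes a home directory and prints one line per rule it finds broken (home directory readable or writable by group or others, home directory not world-executable, public_html not world-readable and executable, .html files not world-readable, .cgi files not world-executable, anything world-writable), returning 1 if it found any. The names audit_home and flag are ours, and the checks use find's -perm with octal masks so they run with any POSIX find.

```sh
#!/bin/sh
# Audit a home directory against the permission rules above. Example added
# here; audit_home and flag are names chosen for it.

# flag "message" "$(find ...)": print message for each path found, count it.
# Runs in the current shell so the counter in audit_home is updated.
flag() {
  if [ -n "$2" ]; then
    problems=$((problems + 1))
    printf '%s\n' "$2" | sed "s|^|$1: |"
  fi
}

audit_home() {
  home=$1
  problems=0
  # The home directory itself: not readable or writable by group or others
  # (-perm -MODE is true when all bits in MODE are set; -prune stops find
  # from descending so only the directory itself is tested here)...
  flag "home directory is group- or world-readable/writable (chmod go-rw)" \
       "$(find "$home" -prune \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \) -print)"
  # ...but world-executable, or the web server cannot get to public_html.
  if [ -z "$(find "$home" -prune -perm -001 -print)" ]; then
    flag "home directory is not world-executable (chmod o+x)" "$home"
  fi
  if [ -d "$home/public_html" ]; then
    if [ -z "$(find "$home/public_html" -prune -perm -005 -print)" ]; then
      flag "public_html is not world-readable and executable (chmod o+rx)" "$home/public_html"
    fi
    flag "HTML file not world-readable (chmod o+r)" \
         "$(find "$home/public_html" -name '*.html' ! -perm -004 -print)"
    flag "CGI script not world-executable (chmod o+x)" \
         "$(find "$home/public_html" -name '*.cgi' ! -perm -001 -print)"
  fi
  # Nothing anywhere under the home directory may be world-writable.
  flag "world-writable (chmod o-w)" "$(find "$home" -perm -002 -print)"
  [ "$problems" -eq 0 ]
}

# Usage: sh audit_home.sh "$HOME"   (exit status 1 if anything is reported)
[ $# -eq 0 ] || audit_home "$1"
```

Each reported line names the chmod that fixes it, but read the output before applying the fixes blindly: a world-readable .html file that is not meant to be published is a leak, not a web setup problem, and the right answer there is to move it out of public_html rather than to open it up.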