File permissions on Unix and Linux are one of the most ubiquitous stumbling blocks for even regular users of those operating systems. The intricate structure of which users on a system are allowed to do what is one of the foundations of Unix, providing security and interoperability, but at times it can make working with the system a pain. Here’s a look at how permissions work and how to work with them.
How to read a directory listing
When you run “ls -l” from the Unix command line, the resulting file listing shows data about each file:
-rwxr-xr-x 1 root root 31660 Jan 30 13:51 touch
We’re interested in that first column, which shows the permissions set on the file or directory. It consists of 10 characters.
The first one indicates the type of entity it is. In the example, “-” means it’s an ordinary file. “d” would indicate a directory, “l” a symbolic link, and so on.
The subsequent nine characters show the permissions; they’re divided into three hunks of three, representing the owner, the group, and everyone else. Every file and directory has an owner, who is a user on the computer where the file exists. It also has a primary group, which is granted its own set of permissions. For instance, on a Debian system, only members of the cdrom group (as well as root, of course) have access to the CD drive.
We can look at the above example as rwx r-x r-x. The three characters within each hunk represent Read, Write, and eXecute permission for that class of user; each permission is either on or off. In rwx r-x r-x, the first hunk has all three permissions turned on, and the second two hunks each have Read and eXecute permissions on, but Write permission off. This means that the file’s owner has full permission, but members of the file’s group, and everyone else on the system, lack Write permission for the file.
A user with read permission can view the contents of a text file, or list the contents of a directory. Without write permission, though, the user can’t modify the file, or create, rename, move, or delete files within the directory on which the permission is set. Execute permission on a directory allows the permitted users to enter that directory with cd; execute permission on a file — a shell script, perhaps — means the user can run the file as a program. These permissions can be held in combination or separately.
Modifying permissions and ownership
The owner of a file or directory can change the file or directory’s permissions. This is done from the command line with the chmod command, which stands for “change mode.” There are two different syntaxes that can be used with chmod. The easiest is class-operator-mode syntax, in which you specify, respectively, whose permissions you want to change, what change you want to make, and which kind of permissions will be affected. The class is represented by one or more of u, g, o, and a, meaning the User (owner), the Group, the Others (everyone else), and All of the above. The permissions are the now-familiar r, w, and x. The two are joined by an operator, +, -, or =, which respectively add the specified permission to the class, remove it, or set the class’s permissions to exactly those specified, no more and no less.
chmod u+x filename – adds execute permission for the owner of the file
chmod a+x filename – adds execute permission for all users
chmod a-x filename – removes execute permission for all users
chmod g-x filename – removes execute permission for the file’s group
chmod a=x filename – gives all users execute permission, nothing more or less
chmod o=rx filename – sets other users’ permissions to read and execute, not write
chmod ug+x filename – adds execute permission for the owner and the group
The other syntax that can be used with chmod involves an octal bitmask to represent each possible set of permissions. This is less intuitive but worth understanding. In the octal representation, a three-digit number is used to express the permissions on a file.
Each digit is the sum of three bit values, with 4 representing read permission, 2 representing write permission, and 1 representing execute permission. The bits are added together to give a unique total: read plus write = 6; read plus execute = 5; all three together = 7. The three digits stand for the owner, the group, and everyone else, in that order. So 755 is the same as rwxr-xr-x.
This syntax can be used interchangeably with the other in chmod.
chmod 111 filename – gives all users execute permission, nothing more or less
chmod 754 filename – owner has full permission; group can’t write; others can only read
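To tie the two chmod syntaxes together, here is an added POSIX shell script (not from the original tutorial) that converts between the symbolic form ls -l prints and the octal form, and applies a mode to a scratch file with chmod so the result can be read back from ls -l. The function names are my own.

```shell
#!/bin/sh
# perm_to_octal: symbolic permissions (rwxr-xr-x, or the full 10-char
# ls -l column -rwxr-xr-x) -> three octal digits (755).
perm_to_octal() {
    s=$1
    [ ${#s} -eq 10 ] && s=$(printf '%s' "$s" | cut -c2-)   # drop type char
    [ ${#s} -eq 9 ] || { echo "need 9 permission chars" >&2; return 1; }
    out=""; i=0
    while [ $i -lt 9 ]; do
        hunk=$(printf '%s' "$s" | cut -c$((i+1))-$((i+3)))  # owner/group/other
        d=0
        case $hunk in r??) d=$((d+4));; esac                 # read  = 4
        case $hunk in ?w?) d=$((d+2));; esac                 # write = 2
        case $hunk in ??x) d=$((d+1));; esac                 # exec  = 1
        out="$out$d"; i=$((i+3))
    done
    echo "$out"
}

# octal_to_perm: three octal digits (754) -> symbolic form (rwxr-xr--).
octal_to_perm() {
    n=$1
    [ ${#n} -eq 3 ] || { echo "need 3 octal digits" >&2; return 1; }
    out=""; i=1
    while [ $i -le 3 ]; do
        d=$(printf '%s' "$n" | cut -c$i)
        case $d in [0-7]) ;; *) echo "bad digit $d" >&2; return 1;; esac
        [ $((d & 4)) -ne 0 ] && out="${out}r" || out="${out}-"
        [ $((d & 2)) -ne 0 ] && out="${out}w" || out="${out}-"
        [ $((d & 1)) -ne 0 ] && out="${out}x" || out="${out}-"
        i=$((i+1))
    done
    echo "$out"
}

# show_mode: apply a chmod argument (either syntax) to a fresh scratch file
# and print the nine permission characters ls -l reports for it.
show_mode() {
    f=$(mktemp) || return 1
    chmod "$1" "$f" && mode=$(ls -ld "$f" | cut -c2-10)
    rm -f "$f"
    echo "$mode"
}

perm_to_octal rwxr-xr-x            # 755
octal_to_perm 754                  # rwxr-xr--
show_mode u=rwx,g=rx,o=r           # rwxr-xr--  (same result as: show_mode 754)
```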
The chown command can be used to change the ownership of a file:
chown root filename – changes the owner to root
chown wendy:admin filename – changes the owner to wendy and the group to admin
The chgrp command changes just the group ownership of a file:
chgrp users filename – changes the file’s primary group to users
Only the owner of a file — or root, who is exempt from all permissions — can change the ownership and group ownership of the file.