As with most aspects of Unix (and life in general), file permissions are simple once you understand them. Understanding them is usually not very easy though.
After reading this document you should have a good enough grasp to handle common problems and to understand why having file permissions of 666 isn't a good thing.
Why do you need to know this?
From being on Netsoc's support service I can tell you that the most common cause of users' websites not working is incorrect file permissions. Incorrect file permissions can lead to others being able to steal your files or passwords, and alter or delete your files in the worst case. In the best case things just don't work, as with websites above.
- 1 Why do you need to know this?
- 2 Read, Write and Execute
- 3 User, Group and World
- 4 Permissions in Practice
- 5 See Also
Read, Write and Execute
The basic permissions (or 'modes') are read, write and execute. These have different meanings for files and directories.
Everything in Unix is a file, even directories (although they have different rules or 'semantics').
- Read - file can be read
- Write - file can be written
- Execute - file is executable i.e. it can be run
All shell scripts (more specifically any executable using #!) require both read and execute permissions to be run. Other executables only require execute permissions.
For directories the permissions apply to the directory's entries. An entry can be any file (including other directories).
- Read - entries can be listed
- Write - entries can be added and deleted
- Execute - directory can be entered and its entries accessed (needed for read and write)
In order to access a directory you must be able to pass through all of its parent directories. For example, to access /home/bbrazil/www you must have execute permission on each of '/', '/home', '/home/bbrazil' and '/home/bbrazil/www'. However you do not need read permission on '/home/bbrazil' to read '/home/bbrazil/www'; only read permission on '/home/bbrazil/www' itself is required.
There are two common ways to represent read, write and execute permissions.
In the symbolic representation a file's mode is shown by three characters per class. A '-' indicates that a permission is absent. The characters go in the order 'rwx': 'rw-' indicates read and write permissions only, '-w-' is write only and '---' is no access.
Note: 'x' may be replaced by 's', 'S', 't' or 'T' in ls output. This is to do with special permissions. Briefly, a small letter means the execute bit is also set, while a capital letter means it is not.
In the numeric (octal) representation the file mode is indicated by one octal digit per class. If the file has read permission you add 4, write adds 2 and execute adds 1. So 6 means read and write, 7 is read, write and execute, and 0 is no access.
This makes more sense if you think in binary: 'rwx' is the three bits 111, which is 7, and 'r-x' is 101, which is 5.
User, Group and World
Note: In this section the term file is taken to mean all types of files including directories.
All files are owned by both a user and a group. For instance:
    $ ls -l
    -rw-r----- 1 bbrazil bbrazil 496 Jun 15 21:36 data
    -rw-r--r-- 1 test1 staff 253 Dec 27 16:27 other
Here we can see two files. 'data' has both user and group 'bbrazil' while 'other' has user 'test1' and group 'staff'.
For 'data' the user permissions are 'rw-', the group permissions are 'r--' while the other permissions are '---'. This is 640 in numeric form, which is a lot shorter. The initial '-' means that 'data' is a regular file.
In Unix a computer system has multiple users, each with a unique username - mine is 'bbrazil'. Each username has a numeric UID which the operating system uses internally. Information on users is generally stored in /etc/passwd but other users' details may be available through NIS or LDAP.
There is one special user in Unix - root. This user has UID 0 and has powers normal users don't. These include ignoring file permissions and binding to low (<1024) ports. The root account should only be used for system maintenance.
In Unix there are also groups of users. All users are members of at least one group (the Primary Group). Groups allow several users to change the same files. For example membership of the 'www' group on Matrix allows a user to change the main Netsoc website. Group information is generally stored in /etc/group.
World means all users of a system. It is also known as 'other'.
When you try to access a file the following procedure will determine if you succeed:
- If you are the file owner apply user permissions
- Otherwise, if you are in the file's group apply group permissions
- Otherwise, apply other (world) permissions
Accordingly if a file had user and group 'bbrazil' and mode 044 ('---r--r--') I would be unable to read it, despite the file being group- and world-readable. This rarely occurs in practice.
A file which is readable by its owner is referred to as 'user-readable'. Similarly a 'group-writable' file is writable by any member of the file's group. Finally a file is 'world-executable' if anyone can execute it.
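As an added illustration (not part of the original page), the following Python models the two rules above: every parent directory must grant execute, and exactly one of the owner, group and other triples applies, which is why the mode-044 file is unreadable to its owner. The tree, UIDs and function names are constructed for this example; UID/GID 1000 stand in for 'bbrazil'.

```python
# Constructed model of the access check in the text; all names here are this example's own.
PERM_BITS = {"r": 4, "w": 2, "x": 1}

def parse_symbolic(mode):
    """'rwxr-x---' -> (7, 5, 0): the nine permission characters ls -l prints."""
    if len(mode) != 9:
        raise ValueError("expected nine characters, e.g. rw-r--r--")
    triples = []
    for i in range(0, 9, 3):
        bits = 0
        for ch in mode[i:i + 3]:
            if ch in "rwxst":        # lower-case s/t: the execute bit is also set
                bits |= PERM_BITS.get(ch, 1)
            elif ch not in "-ST":    # capital S/T: special bit set, execute is not
                raise ValueError("bad permission character %r" % ch)
        triples.append(bits)
    return tuple(triples)

def effective_bits(uid, gids, file_uid, file_gid, mode):
    """Exactly one triple applies: owner, else group, else other."""
    user, group, other = parse_symbolic(mode)
    if uid == 0:  # root bypasses r/w; execute still needs some x bit (Linux rule)
        return 6 | ((user | group | other) & 1)
    if uid == file_uid:
        return user
    if file_gid in gids:
        return group
    return other

def can_access(tree, path, want, uid, gids):
    """tree: absolute path -> (owner_uid, group_gid, symbolic_mode).
    Every parent directory must grant 'x'; only the target needs 'want'."""
    parts = [p for p in path.split("/") if p]
    for i in range(len(parts)):                      # strict prefixes only
        parent = "/" + "/".join(parts[:i])
        o, g, m = tree[parent]
        if not effective_bits(uid, gids, o, g, m) & 1:
            return False
    o, g, m = tree[path]
    return bool(effective_bits(uid, gids, o, g, m) & PERM_BITS[want])

# Constructed tree: uid/gid 1000 stand in for user and group 'bbrazil'.
TREE = {
    "/":                            (0, 0, "rwxr-xr-x"),
    "/home":                        (0, 0, "rwxr-xr-x"),
    "/home/bbrazil":                (1000, 1000, "rwx--x--x"),  # passable, not listable
    "/home/bbrazil/www":            (1000, 1000, "rwxr-xr-x"),
    "/home/bbrazil/www/index.html": (1000, 1000, "rw-r--r--"),
    "/home/bbrazil/odd":            (1000, 1000, "---r--r--"),  # the mode-044 case above
}
```

With this tree another user (UID 2000) can read index.html and pass through /home/bbrazil but cannot list it, while bbrazil cannot read 'odd' even though everyone else can.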
Permissions in Practice
What is my UID and GIDs?
There are a few ways to obtain user and group information.
- id is the most powerful. It will show all of your user and group information.
- whoami will tell you your username
- groups will list all the groups you are a member of
id and groups will also let you view the group information of other users.
The command used to list permissions as well as ownership is ls -l. Here is sample output from my home directory on Matrix:
    $ ls -l
    drwxr-x--- 1 bbrazil council 512 Jun 15 21:36 council_only
    drwxr-xr-x 1 bbrazil bbrazil 512 Jun 15 21:36 www
    -rwxr-xr-x 1 bbrazil bbrazil 253 Dec 27 16:27 run_me
    -rw-r--r-- 1 bbrazil bbrazil 1264 Dec 27 16:27 all_read
    -rw------- 1 bbrazil bbrazil 1264 Dec 27 16:27 private
From this you can see that
- council_only is a directory accessible only by members of 'council'. Only the user 'bbrazil' can add files to it or remove files from it.
- www (my website directory) is world readable and executable
- run_me is an executable which anyone can run
- all_read is a file which anyone can view but only I can change
- private is a file only I can look at or change
Permission changes are made using chmod.
    chmod 644 file               # Change mode of file to 644
    chmod u+w file               # Add write permission for user
    chmod o-w file               # Remove write permission for other (world)
    chmod g=rw file              # Group gets exactly read and write
    chmod og= file               # Remove all group and other permissions
    chmod a+x file               # Add execute permission for user, group and other
    chmod a+X file               # Add execute permission only if at least one
                                 # execute bit is already set (or file is a directory)
    chmod -R u=rwx,og= directory # Recursively set permissions to 700
Multiple files can be specified. Only the owner of a file (or root) can change its permissions.
    chgrp bbrazil file      # Change file's group to bbrazil
    chown bbrazil file      # Change ownership of file to bbrazil
    chown user.group file   # Change ownership of file to user 'user' and group 'group'
    chown .group file       # Equivalent to 'chgrp group file'
Modern chown also accepts ':' as the separator (user:group), which is the portable form.
Only root can change the ownership of files (this is not true for all Unixes). You can only change the group of a file you own, and only to a group of which you are a member.
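As an added, runnable check (not from the original page), this Python audits a website directory for the two problems described at the top of the page: entries the web server cannot reach, judged by the 'other' bits since the server is assumed to run as an unrelated user, and world-writable entries that anyone could alter. It builds its own throwaway tree in a temporary directory; the function names, layout and modes are constructed for this example.

```python
import os
import shutil
import stat
import tempfile

def audit_www(root):
    """Walk root and classify each entry by its 'other' bits.
    Returns (not_servable, world_writable): paths relative to root that a web
    server running as an unrelated user cannot serve, and paths anyone may alter."""
    not_servable, world_writable = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode          # lstat: do not follow symlinks
            rel = os.path.relpath(full, root)
            if mode & stat.S_IWOTH:                # world-writable: anyone can change it
                world_writable.append(rel)
            if stat.S_ISDIR(mode):
                needed = stat.S_IXOTH              # a directory must be enterable
            elif stat.S_ISREG(mode):
                needed = stat.S_IROTH              # a file must be readable
            else:
                continue                           # symlinks, sockets etc. are skipped
            if mode & needed != needed:
                not_servable.append(rel)
    return sorted(not_servable), sorted(world_writable)

def demo():
    """Build a constructed tree in a temporary directory, audit it, clean up."""
    root = tempfile.mkdtemp()
    layout = {  # constructed: relative path -> mode; directories end with '/'
        "closed/": 0o750, "closed/secret": 0o640, "index.html": 0o644,
        "scratch": 0o666, "cgi/": 0o777,
    }
    try:
        for rel, mode in layout.items():
            full = os.path.join(root, rel.rstrip("/"))
            if rel.endswith("/"):
                os.mkdir(full)
            else:
                open(full, "w").close()
            os.chmod(full, mode)
        return audit_www(root)
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    print(demo())
```

Point audit_www at a real www directory to get the same two lists for it; a file in the first list is the "website not working" case, one in the second is the "others can alter your files" case.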