Permissions (basic)

From Netsoc Wiki

As with most aspects of Unix (and life in general), file permissions are simple once you understand them. Understanding them is usually not very easy though.

After reading this document you should have a good enough grasp to handle common problems and to understand why having file permissions of 666 isn't a good thing.

Why do you need to know this?

From being on Netsoc's support service I can tell you that the most common cause of users' websites not working is incorrect file permissions. In the worst case, incorrect permissions let other users read your files (and any passwords stored in them) or alter and delete them. In the best case things simply don't work, as with the websites above.

Read, Write and Execute

The basic permissions (or 'modes') are read, write and execute. These have different meanings for files and directories.

Files

Everything in Unix is a file, even directories (although they have different rules or 'semantics').

  • Read - the file's contents can be read
  • Write - the file's contents can be changed (this does not cover deleting the file; that is controlled by the directory it lives in)
  • Execute - the file can be run as a program

Shell scripts (more specifically anything that starts with a #! line) need both read and execute permission to run: the kernel starts the interpreter named on the #! line, and that interpreter then has to open and read the script. Compiled binaries only need execute permission.

Directories

An entry can be any file (including other directories).

   * Read - the names of the entries can be listed (e.g. with ls)
   * Write - entries can be added, deleted and renamed; deleting a file needs write permission on its directory, not on the file itself
   * Execute - the directory can be entered and its entries reached by name; without it, read and write permission on the directory achieve nothing

To access a directory you must be able to enter all of its parent directories. For example, to access /home/bbrazil/www you need execute permission on each of '/', '/home', '/home/bbrazil' and '/home/bbrazil/www'. You do not, however, need read permission on '/home/bbrazil' to read '/home/bbrazil/www'; only read permission on '/home/bbrazil/www' itself is required. This is why a home directory is often given mode 711: others can pass through it to reach your website without being able to list what else is in it.

Representation

There are two common ways to represent read, write and execute permissions.

Symbolic

In this representation each set of permissions is shown by three characters in the order 'rwx', with '-' marking a permission that is absent. 'rw-' is read and write, '-w-' is write only and '---' is no access. ls shows three such sets in a row (user, group and other), so 'rw-r-----' means the user may read and write, the group may read and everybody else gets nothing.

Note: 'x' may be replaced by 's', 'S', 't' or 'T' in ls output. These show the special permissions (setuid, setgid and the sticky bit). Briefly, a lower-case letter means the special bit and the execute bit are both set, while a capital letter means the special bit is set but execute is not.

Numerically

In this representation each set of permissions is a single octal digit: read adds 4, write adds 2 and execute adds 1. So '6' means read and write, '7' means read, write and execute, '5' means read and execute and '0' is no access. The three digits are written together in the order user, group, other, so 'rw-r-----' is 640.

This makes more sense if you think in binary: each digit is the three bits r, w and x, so 'rwx' is 111 = 7 and 'r-x' is 101 = 5.
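The two representations are mechanical enough to convert with a short script. The following is an added example in POSIX sh, not code from the original page: sym_to_octal turns a mode string or an ls -l mode field such as '-rwsr-xr-x' into the octal number chmod accepts, and octal_to_sym goes the other way, including the s/S/t/T special-bit letters described above.

```shell
#!/bin/sh
# Added example: convert between the symbolic and octal mode representations.

# sym_to_octal MODESTRING
#   'rwxr-x---' or an ls -l field such as '-rw-r-----' -> '750' / '640'.
#   Special bits become a leading digit: '-rwsr-xr-x' -> '4755'.
#   Exits 1 on anything that is not a well-formed mode string.
sym_to_octal() {
    s=$1
    if [ ${#s} -eq 10 ]; then s=${s#?}; fi      # drop ls's file-type character
    if [ ${#s} -ne 9 ]; then echo "bad mode string: $1" >&2; return 1; fi
    special=0 digits='' pos=0                    # pos: 0=user 1=group 2=other
    while [ -n "$s" ]; do
        c=${s%"${s#???}"}; s=${s#???}            # peel off one rwx triple
        r=${c%??}; rest=${c#?}; w=${rest%?}; x=${rest#?}
        v=0
        case $r in r) v=$((v + 4)) ;; -) ;; *) return 1 ;; esac
        case $w in w) v=$((v + 2)) ;; -) ;; *) return 1 ;; esac
        case $pos$x in                           # the x slot also carries s/S/t/T
            ?x) v=$((v + 1)) ;;
            0s) v=$((v + 1)); special=$((special + 4)) ;;   # setuid, x set
            0S) special=$((special + 4)) ;;                 # setuid, x clear
            1s) v=$((v + 1)); special=$((special + 2)) ;;   # setgid
            1S) special=$((special + 2)) ;;
            2t) v=$((v + 1)); special=$((special + 1)) ;;   # sticky bit
            2T) special=$((special + 1)) ;;
            ?-) ;;
            *)  return 1 ;;                                 # e.g. 's' in the other class
        esac
        digits=$digits$v; pos=$((pos + 1))
    done
    if [ $special -eq 0 ]; then echo "$digits"; else echo "$special$digits"; fi
}

# octal_to_sym MODE
#   '640' or '4755' -> 'rw-r-----' / 'rwsr-xr-x'. Exits 1 if MODE is not octal.
octal_to_sym() {
    case $1 in ''|*[!0-7]*) echo "bad octal mode: $1" >&2; return 1 ;; esac
    m=$(( 0$1 ))                 # a leading 0 makes the shell parse it as octal
    special=$(( (m >> 9) & 7 )) out='' pos=0
    while [ $pos -le 2 ]; do
        bits=$(( (m >> (6 - pos * 3)) & 7 ))
        if [ $((bits & 4)) -ne 0 ]; then out=${out}r; else out=${out}-; fi
        if [ $((bits & 2)) -ne 0 ]; then out=${out}w; else out=${out}-; fi
        sp=$(( (special >> (2 - pos)) & 1 ))     # setuid->user, setgid->group, sticky->other
        case $pos$sp$((bits & 1)) in
            ?00)    out=${out}- ;;
            ?01)    out=${out}x ;;
            [01]11) out=${out}s ;;
            [01]10) out=${out}S ;;
            211)    out=${out}t ;;
            210)    out=${out}T ;;
        esac
        pos=$((pos + 1))
    done
    echo "$out"
}

sym_to_octal '-rw-r-----'        # 640, the 'data' file from the listing below
sym_to_octal 'drwxr-x---'        # 750
octal_to_sym 4755                # rwsr-xr-x
```

The only non-obvious part is the execute slot: ls has a single character to show both the execute bit and the special bit for that class, which is why the conversion has to look at the position as well as the letter.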

User, Group and World

Note:In this section the term file is taken to mean all types of files including directories.

File Ownership

All files are owned by both a user and group. For instance:

$ ls -l
-rw-r-----    1 bbrazil  bbrazil       496 Jun 15 21:36 data
-rw-r--r--    1 test1    staff         253 Dec 27 16:27 other

Here we can see two files. 'data' has both user and group 'bbrazil' while 'other' has user 'test1' and group 'staff'.

For 'data' the user permissions are 'rw-', the group permissions are 'r--' while the other permissions are '---'. This is 640 in numeric form, which is a lot shorter. The initial '-' means that 'data' is a regular file.

Users

In Unix a computer system has multiple users, each with a unique username - mine is 'bbrazil'. Each username has a numeric UID which the operating system uses internally. Information on users is generally stored in /etc/passwd but other users' details may be available through NIS or LDAP.

There is one special user in Unix - root. This user has UID 0 and has powers normal users don't, including ignoring read and write permissions and binding to low (<1024) ports. The one check root does not skip is execute: a file with no execute bit set cannot be run even by root. The root account should only be used for system maintenance.

Groups

In Unix there are also groups of users. All users are members of at least one group (the Primary Group). Groups allow several users to share and change the same files. For example membership of the 'www' group on Matrix allows a user to change the main Netsoc website. Group information is generally stored in /etc/group.

On Spoon and Matrix all users have their own group. Mine is (unsurprisingly) called 'bbrazil' and I am the only member. This is not the case with all Unix systems.

World

World means all users of a system. It is also known as 'other'.

Resolving Requests

When you try to access a file the following procedure will determine if you succeed:

  1. If you are the file owner apply user permissions
  2. Otherwise, if you are in the file's group apply group permissions
  3. Otherwise, apply other (world) permissions

Accordingly if a file had user and group 'bbrazil' and mode 044 ('---r--r--') I would be unable to read it, despite the file being group- and world-readable. This rarely occurs in practice.
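Here is the resolution rule above, together with the directory-traversal rule from the Directories section, written out as POSIX sh functions. This is an added example, not code from the page: the table of paths, and the uids 1000 and 1001 standing in for bbrazil and test1, are constructed for the demonstration and are not the real IDs on Matrix or Spoon.

```shell
#!/bin/sh
# Added example: the permission-resolution rule as shell functions, applied
# to a constructed table of paths rather than the real filesystem.

# can_access MODE FILE_UID FILE_GID UID "GID GID ..." r|w|x
#   Exit 0 if a process with that uid and group list may read/write/execute a
#   file with the given octal mode and ownership, 1 if not.
can_access() {
    mode=$(( 0$1 )) fuid=$2 fgid=$3 uid=$4 gids=$5
    case $6 in r) bit=4 ;; w) bit=2 ;; x) bit=1 ;; *) return 2 ;; esac
    if [ "$uid" -eq 0 ]; then
        # root ignores the read/write bits; to execute, some x bit must still be set
        if [ $bit -ne 1 ] || [ $(( mode & 0111 )) -ne 0 ]; then return 0; fi
        return 1
    fi
    if [ "$uid" -eq "$fuid" ]; then
        class=$(( (mode >> 6) & 7 ))           # 1. owner: user bits, even if weaker
    else
        class=$(( mode & 7 ))                  # 3. fall back to other (world) bits
        for g in $gids; do
            if [ "$g" -eq "$fgid" ]; then
                class=$(( (mode >> 3) & 7 ))   # 2. ... unless one of our groups matches
                break
            fi
        done
    fi
    [ $(( class & bit )) -ne 0 ]
}

# Constructed stand-in for the filesystem: path, mode, uid, gid per line.
# uid/gid 1000 is assumed to be bbrazil and 1001 test1; these are not real IDs.
FS_TABLE='/ 755 0 0
/home 755 0 0
/home/bbrazil 711 1000 1000
/home/bbrazil/www 755 1000 1000
/home/bbrazil/www/index.html 644 1000 1000
/home/bbrazil/data 640 1000 1000
/home/bbrazil/private 600 1000 1000'

lookup() {   # lookup PATH -> "mode uid gid", or nothing if the path is unknown
    printf '%s\n' "$FS_TABLE" | awk -v p="$1" '$1 == p { print $2, $3, $4; exit }'
}

# path_access PATH UID "GID ..." r|w|x
#   Execute is needed on every ancestor directory; the requested bit is only
#   checked on the final component, so you can reach /home/bbrazil/www without
#   being able to list /home/bbrazil.
path_access() {
    target=$1 puid=$2 pgids=$3 want=$4
    p=$target
    while [ "$p" != / ]; do
        p=$(dirname "$p")
        set -- $(lookup "$p"); [ $# -eq 3 ] || return 1
        can_access "$1" "$2" "$3" "$puid" "$pgids" x || return 1
    done
    set -- $(lookup "$target"); [ $# -eq 3 ] || return 1
    can_access "$1" "$2" "$3" "$puid" "$pgids" "$want"
}

verdict() {  # verdict UID "GID ..." r|w|x PATH -> one readable line
    if path_access "$4" "$1" "$2" "$3"; then res=allowed; else res=denied; fi
    echo "uid $1 wants $3 on $4: $res"
}

verdict 1001 1001 r /home/bbrazil/www/index.html   # allowed: x on every parent, r on the file
verdict 1001 1001 r /home/bbrazil                  # denied: 711 lets test1 pass through, not list
verdict 1001 1001 r /home/bbrazil/data             # denied: not the owner, not in group bbrazil
verdict 1001 "1001 1000" r /home/bbrazil/data      # allowed once test1 is added to group bbrazil
verdict 0 0 r /home/bbrazil/private                # allowed: root ignores the permission bits
```

Note that the owner check comes first and is final: can_access 044 1000 1000 1000 1000 r is denied even though the group and world bits would allow it, which is the 044 case described above.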

Terminology

A file which is readable by its owner is referred to as 'user-readable'. Similarly a 'group-writable' file is writable by any member of the file's group. Finally a file is 'world-executable' if anyone can execute it.

The terms 'other-readable', 'other-writable' and 'other-executable' are not used, in contrast 'world-readable' and 'world-writable' are quite common.

Permissions in Practice

What is my UID and GIDs?

There are a few ways to obtain user and group information.

   * id is the most powerful. It shows your UID, all of your GIDs and the matching names.
   * whoami tells you your username
   * groups lists all the groups you are a member of

id and groups also accept a username, so you can view another user's group information (e.g. id bbrazil).

Viewing permissions

The command used to list permissions as well as ownership is ls -l. Here is sample output from my home directory on Matrix:

$ ls -l
drwxr-x---    1 bbrazil  council         512 Jun 15 21:36 council_only
drwxr-xr-x    1 bbrazil  bbrazil         512 Jun 15 21:36 www
-rwxr-xr-x    1 bbrazil  bbrazil         253 Dec 27 16:27 run_me
-rw-r--r--    1 bbrazil  bbrazil        1264 Dec 27 16:27 all_read
-rw-------    1 bbrazil  bbrazil        1264 Dec 27 16:27 private

From this you can see that

  • council_only is a directory accessible only by me and the other members of 'council'. Only the user 'bbrazil' can add and remove files in it.
  • www (my website directory) is world readable and executable
  • run_me is an executable which anyone can run
  • all_read is a file which anyone can view but only I can change
  • private is a file only I can look at or change

Changing Permissions

Permission changes are made using chmod.

chmod 644  file		#Change mode of file to 644
chmod u+w  file		#Add write permission for user
chmod o-w  file		#Remove write permission for other (stop it being world-writable)
chmod g=rw file		#Group gets exactly read and write
chmod og=  file		#Remove all group and other permissions
chmod a+x  file		#Add execute permission for user, group and other
chmod a+X  file		#Add execute permission only if file is a directory
			#or already has at least one execute bit set

chmod -R u=rwx,og= directory	#Recursively set permissions to 700

Multiple files can be specified. Only the owner of a file (or root) can change its permissions.
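Putting chmod to work on the problem from the introduction: a website that is broken, or wide open, because of its permissions. The following is an added example in POSIX sh, not code from the original page. It uses find rather than chmod -R so that directories, plain files and executables each get the right mode, and includes an audit for world-writable entries; the sample tree it builds under mktemp is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: repair a website tree's permissions and audit for world-writable
# entries. Works in POSIX sh with POSIX find; mktemp is used only for the demo.

# mode_of PATH -> the ten-character mode field of ls -l, e.g. '-rw-r--r--'
mode_of() { ls -ld "$1" | cut -c1-10; }

# fix_web_perms DIR
#   Directories -> 755 (anyone may enter and list them, only the owner may change them)
#   Files       -> 644, or 755 if the file already has a user-execute bit, so
#                  scripts like 'run_me' stay runnable and plain pages do not
#                  become executable.
#   A bare 'chmod -R 644' would strip x from the directories and lock everyone
#   (including you) out of them; 'chmod -R 755' would make every page executable.
fix_web_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f ! -perm -100 -exec chmod 644 {} +
    find "$1" -type f -perm -100 -exec chmod 755 {} +
}

# world_writable DIR -> paths under DIR that any user on the system can modify.
#   Symbolic links are skipped: ls shows them as lrwxrwxrwx regardless, and only
#   the target's mode matters. Directories with the sticky bit (mode 1777, like
#   /tmp) are world-writable on purpose and will be listed; judge those separately.
world_writable() { find "$1" ! -type l -perm -002; }

count_world_writable() { world_writable "$1" | wc -l | tr -d ' '; }

# Demonstration on a throwaway tree constructed here (not real Netsoc data).
demo=$(mktemp -d)
mkdir "$demo/cgi-bin"
: > "$demo/index.html";     chmod 666 "$demo/index.html"      # anyone can deface it
: > "$demo/cgi-bin/run_me"; chmod 777 "$demo/cgi-bin/run_me"  # anyone can replace the program
chmod 777 "$demo/cgi-bin"                                     # anyone can add or delete files
echo "before: $(count_world_writable "$demo") world-writable entries"
fix_web_perms "$demo"
echo "after:  $(count_world_writable "$demo") world-writable entries"
mode_of "$demo/index.html"       # -rw-r--r--
mode_of "$demo/cgi-bin/run_me"   # -rwxr-xr-x
rm -rf "$demo"
```

Remember that the web server also needs execute permission on every directory above the site, so a home directory left at 700 will still break the site after this has run; 711 on the home directory is enough.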

Changing Ownership

chown and chgrp are the tools here.

chgrp bbrazil     file		#Change 'file's group to bbrazil

chown bbrazil     file		#Change ownership of file to bbrazil
chown user:group  file		#Change ownership of file to user 'user'
				# and group 'group'
chown :group      file		#Equivalent to 'chgrp group file'

GNU chown also accepts '.' as the separator (chown user.group file), but ':' is the portable form and the one to use, since usernames may legitimately contain a dot.

On Linux and most current Unixes only root can change the owner of a file; some older Unixes let the owner give a file away. You can only change the group of files which you own, and only to a group of which you are a member.

See Also