Note:to facilitate faster loading of EdCert documents, this page was borrowed from another sou rce (see ``File and Directory Permissions'').

File and Directory Permissions

It is important to protect your UNIX files against accidental (or intentional) removal or alteration by yourself or other users. The UNIX operating system maintains information, known as permissions, for every file and directory on the system. This section describes how to inspect and change these permissions.

UNIX was designed and implemented by computer scientists working on operating system research. Many of the fundamentals of UNIX reflect this origin in academia. A low concern for security is one of the hallmarks of UNIX operating systems. Therefore, unless you act to restrict access to your files, chances are high that other users can read them.

Every file or directory in a UNIX file system has three types of permissions (or protections) that define whether certain actions can be carried out. The permissions are:

read

write ( w ) A user who has write permission for a file can alter or remove the contents of that file. For a directory, the user can create and delete files in that directory.

execute ( x ) A user who has execute permission for a file can cause the contents of that file to be executed (provided that it is executable). For a directory, execute permission allows a user to change to that directory.

For each file and directory, the read, write, and execute permissions may be set separately for each of the following classes of users:

Group ( g ) Several users purposely lumped together so that they can share access to each other's files.

Others ( o ) The remainder of the authorized users of the system.

The primary command that displays information about files and directories is ls. The -l option will display the information in a long format. You can get information about a single UNIX file by using ls -l filename.

Each file or subdirectory entry in a directory listing obtained with the -l option consists of seven fields: permission mode, link count, owner name, group name, file size in bytes, time of last modification, and the filename (the group name appears only if the "g" flag is also specified, as in ls -lg).

The first 10 characters make up the mode field. If the first character is a "d" then the item listed is a directory; if it is a "-" then the item is a file; if it is an "l" then it is a link to another file. Characters 2 through 4 refer to the owner's permissions, characters 5 through 7 to the group's permissions (groups are defined by the system administrator), and the last three to the general public's permissions. (You can type id to verify your userid and group membership.) If a particular permission is set, the appropriate letter appears in the corresponding position; otherwise, a dash indicates that the permission is not given.

The second field in the output from ls -l is the number of links to the file. In most cases it is one, but other users may make links to your files, thus increasing the link count. A special warning to people using links to other people's files: your "copies" of their files can be counted against them by the file quota system available on certain UNIX variants. The third field gives the userid of the owner of the file. The group name follows in the fourth field (if the -g option is used in conjunction with -l). The next two fields give the size of the file (in bytes) and the date and time at which the file was last modified. The last field gives the name of the file.

ls -l myfile

-rw-r--r-- 1 owner 588 Jul 15 14:39 myfile

A file's owner can change any or all of the permissions with the chmod (change mode) command. The chmod command allows you to dictate the type of access permission that you want each file to have. In the previous example the current permissions for myfile are read for everybody, write for the owner, and execute by no one.

The arguments supplied to chmod are a symbolic specification of the changes required, followed by one or more filenames. The specification consists of whose permissions are to be changed: u for user (owner), g for group, o for others, or some combination thereof (a (all) has the same effect as ugo), how they are to be changed (+ adds a permission, - removes a permission, and = sets the specified permissions, removing the other ones) and which permission to add or remove (r for read, w for write, and x for execute). For example, to remove all the permissions from myfile:

---------- 1 owner 588 Jul 15 14:41 myfile

(Note: chmod a= myfile achieves the same effect.)

To allow read and write permissions for all users:

-rw-rw-rw- 1 owner 588 Jul 15 14:42 myfile

To remove write permission for your groups and other users:

-rw-r--r-- 1 owner 588 Jul 15 14:42 myfile

Finally, to allow only read permission to all users:

-r--r--r-- 1 owner 58 Jul 15 14:43 myfile

Now the file is protected by allowing only read access; it cannot be written to or executed by anyone, including you. Protecting a file against writing by its owner is a safeguard against accidental overwriting, although not against accidental deletion.

chmod will also accept a permission setting expressed as a 3-digit octal number. To determine this octal number, you first write a 1 if the permission is to be set and a 0 otherwise. This produces a binary number which can be converted into octal by grouping the digits in threes and replacing each group by the corresponding octal digit according to the table below.

TABLE 2. Symbolic to Octal Conversions

SYMBOLIC BINARY OCTAL --- 000 0 --x 001 1 -w- 010 2 -wx 011 3 r-- 100 4 r-x 101 5 rw- 110 6 rwx 111 7

Thus, if the setting you want is rw-r--r--, determine the octal number with the following method:

This shows that the octal equivalent of rw-r--r-- is 644. The following example illustrates that the permissions for myfile have been reset to the values with which we began.

chmod 644 myfile

ls -l myfile

-rw-r--r-- 1 owner 588 Jul 15 14:44 myfile

To change the permissions back to read only, you can execute chmod as follows:

chmod 444 myfile

ls -l myfile

-r--r--r-- 1 owner 588 Jul 15 14:45 myfile

As with files, directories may also have permissions assigned. When listing directories, you may use the -d option to keep from descending into the directories you list. Otherwise, the contents of the directories will be displayed as well as their names. Below is an example of permissions assigned to a directory:

ls -lgd home

drwxrwxr-x 1 owner masc223 588 Jul 15 9:45 home

The directory home and the files and directories under it may be read and executed by anyone, but written to only by the owner and users in the masc223 group. Assuming you are the owner of this directory, you may decide to change the permission to allow only yourself and the masc223 group to read and execute files in the home directory. You would set the permissions accordingly:

chmod o-rx home

ls -lgd home

drwxrwx--- 1 owner masc223 588Jul 15 9:46 home

You may decide that only you should be able to alter the contents of the directory. You must remove the write permission for the group.

chmod 750 home

ls -lgd home

drwxr-x--- 1 owner masc223 588 Jul 15 9:48 home

An alternative to the previous command is chmod g-w.

When you create a file the system gives it a default set of permissions. These are controlled by the system administrator and will vary from installation to installation. If you would like to change the default which is in effect for you, choose your own with the umask command. Note that the permission specified by the umask setting will be applied to the file, unlike that specified in the chmod command, which normally only adds or deletes (few people use the = operator to chmod).

First, issue the command without arguments to cause the current settings to be echoed as an octal number:

umask

022

If you convert these digits to binary, you will obtain a bit pattern of 1's and 0's. A 1 indicates that the corresponding permission is to be turned off, a 0, that it is to be turned on. (Notice that the bit patterns for chmod and umask are reversed.) Hence, the mask output above is 000010010, which produces a permission setting of rwxr-xr-x (i.e., write permission is turned off for group and other).

Suppose you decide that the default setting you prefer is rwxr-x---. This corresponds to the masking bit pattern 000010111, so the required mask is 027:

umask 27

Now, if you create a new file during this session, the permissions assigned to the file will be the ones allowed by the mask value.