Difference between revisions of "UNIX file system permissions tutorial"

From assela Pathirana
Jump to navigationJump to search
Line 84: Line 84:
   drwx------ for directories.
   drwx------ for directories.


==umask Unmasked==
The following table gives the logic behind the umask values
The following table gives the logic behind the umask values
<pre>
<pre>
Line 98: Line 99:
Some common umask settings.
Some common umask settings.
<pre>
<pre>
umask Directory Files
umask Dir file dir    file
002 775 664 -rw-rw-r--
022 755 644 drwxr-xr-x -rw-r--r--
022 755 644 -rw-r--r--
027 750 640 drwxr-x--- -rw-r-----
027 750 640 -rw-r-----
002 775 664 drwxrwxr-x -rw-rw-r--
006 771 660 -rw-rw----
006 771 660 drwxrwx--x -rw-rw----
007 770 660 -rw-rw----
007 770 660 drwxrwx--- -rw-rw----
</pre>
</pre>

Revision as of 09:08, 23 March 2006

Note
This article has used sections from several outside sources.
  1. Computing at Dartmouth College].
  2. [linuxforms.

I have assumed that I am not violating a copyright by doing so. Please contact me if this is not the case.

Please use this e-mail address 3tv-assela@pathirana.net to contact me, if needed.
(Confused about the strange letters in the e-mail address? Wondering whether to put this address to your contact list? Please read Site FAQ)

Checking and Understanding Permissoins

Every user on a Unix system has a unique username, and is a member of at least one group (the primary group for that user). This group information is held in the password file (/etc/passwd). A user can also be a member of one or more other groups. The auxiliary group information is held in the file /etc/group. Only the administrator can create new groups or add/delete group members (one of the shortcomings of the system).

Every directory and file on the system has an owner, and also an associated group. It also has a set of permission flags which specify separate read, write and execute permissions for the 'user' (owner), 'group', and 'other' (everyone else with an account on the computer) The 'ls' command shows the permissions and group associated with files when used with the -l option. On some systems (e.g. Coos), the '-g' option is also needed to see the group information.

An example of the output produced by 'ls -l' is shown below. 

 drwx------ 2 richard staff  2048 Jan  2 1997  private
 drwxrws--- 2 richard staff  2048 Jan  2 1997  admin
 -rw-rw---- 2 richard staff 12040 Aug 20 1996  admin/userinfo
 drwxr-xr-x 3 richard user   2048 May 13 09:27 public

Understanding how to read this output is useful to all unix users, but especially people using group access permissions.

Field 1
a set of ten permission flags.
Field 2
link count (don't worry about this)
Field 3
owner of the file
Field 4
associated group for the file
Field 5
size in bytes
Field 6-8
date of last modification (format varies, but always 3 fields)
Field 9
name of file (possibly with path, depending on how ls was called)

The permission flags are read as follows (left to right)

position Meaning
1 directory flag, 'd' if a directory, '-' if a normal file, something else occasionally may appear here for special devices.
2,3,4 read, write, execute permission for User (Owner) of file
5,6,7 read, write, execute permission for Group
8,9,10 read, write, execute permission for Other
value Meaning
- in any position means that flag is not set
r file is readable by owner, group or other
w file is writeable. On a directory, write access means you can add or delete files
x file is executable (only for programs and shell scripts - not useful for data files). Execute permission on a directory means you can list the files in that directory
s in the place where 'x' would normally go is called the set-UID or set-groupID flag.

On an executable program with set-UID or set-groupID, that program runs with the effective permissions of its owner or group.

For a directory, the set-groupID flag means that all files created inside that directory will inherit the group of the directory. Without this flag, a file takes on the primary group of the user creating the file. This property is important to people trying to maintain a directory as group accessible. The subdirectories also inherit the set-groupID property.


umask -- The default file permissions

Each user has a default set of permissions which apply to all files created by that user, unless the software explicitly sets something else. This is often called the 'umask', after the command used to change it. It is either inherited from the login process, or set in the .bashrc file which configures an individual account, or it can be run manually.

Typically the default configuration is equivalent to typing 'umask 22' which produces permissions of: 

 -rw-r--r-- for regular files, or
 drwxr-xr-x for directories.

In other words, user has full access, everyone else (group and other) has read access to files, lookup access to directories.

When working with group-access files and directories, it is common to use 'umask 2' which produces permissions of: 

 -rw-rw-r-- for regular files, or
 drwxrwxr-x for directories.

For private work, use 'umask 77' which produces permissions: 

 -rw------- for regular files, or
 drwx------ for directories.

umask Unmasked

The following table gives the logic behind the umask values 

	umask	File	Directory
	0	6	7
	1	6	6
	2	4	5
	3	4	4
	4	2	3
	5	2	2
	6	0	1
	7	0	0

Some common umask settings. 

umask Dir file dir     file
022 755 644 drwxr-xr-x -rw-r--r--
027 750 640 drwxr-x--- -rw-r-----
002 775 664 drwxrwxr-x -rw-rw-r--
006 771 660 drwxrwx--x -rw-rw----
007 770 660 drwxrwx--- -rw-rw----
Retrieved from "https://assela.pathirana.net/index.php?title=UNIX_file_system_permissions_tutorial&oldid=1611"