UNIX file system permissions tutorial
Checking and Understanding PermissionsAccess permissions of every file and folder in a UNIX system is controlled by a system based on two identification numbers: user-identification number (UID) and group identification number (UID). Every file or folder should belong to a UID and GID. In practice is it hard to remember these numbers, so the accepted way is to map a user-name and a group-name to each number. In a typical stand-aloone, UNIX computer, all UIDs along with these mappings are listed in the UNIX file /etc/passwd. A typical entry of passwd file is like the following:
alex:x:503:100:Dr. Alexander the Great:/home/alex:/bin/bashThe fields of this entry (seperated by colons, :), relevant to this discussion are:
- alex: username (a short name to identify the user, which is normally used in place of UID). Typically a lowercase, single word.
- 503 : UID
- 100 : GID of the primary group the user belongs to.
- Dr. Alexander the Great : A descriptive name
root:x:0:0:root:/root:/bin/bashThere is another file, /etc/group, lising all the GIDs with their descriptive names. A typical entry is like:
kings:x:100:alex,ramses,menes. The important fields are:
- kings : The name of the group (A lowercase word)
- 100 : GID
- alex,ramses,menes : users that are members of this group
It is possible for a user to belong to more than one group. However, there is only one primary group for a user.
Unless specific steps are taken beforehand, any files or directories created by a user belong to that ueser and that users primary group.
The ls -l command lists files with a number of details in UNIX systems. Following is an example of the output of the command
drwx------ 2 alex kings 4096 Feb 21 13:47 backup -rw-rw-r-- 1 alex kings 4010 Mar 22 16:55 backup.tar.gz -rwx------ 1 alex kings 20372 Mar 14 14:04 battle-plans drwxrwxr-x 2 alex kings 4096 Mar 23 11:46 GMTstore drwxrwsr-x 2 alex greeks 4096 Apr 4 14:00 hands lrwxrwxrwx 1 alex kings 27 Feb 20 14:32 images -> /opt/images -rwxr--r-- 1 root root 45458 Mar 23 11:55 install_gmt
Following is a description of the fields relevent to the present discussion.
- permission string.
- owning user
- owning group
The permission flag is a set of ten positions each describing an aspect of the file's permissions.
|1||d : This is a directory. - : this is a normal file. (Occationaly some other things can appear)|
|2||r : owner is permitted read this file. - : He/she can't|
|3||w : owner is permitted to overwrite/append to this file. - : can't|
|4||x : owner is permitted to execute (run) this file, by calling it by its name. - : can't. (See the examples as well)|
|5-7||: Permissions for group members (meaning same as above).|
|8-10||: Permissions for all others (Not owner, not group members).|
- To access a directory (to change directory by cd command or to list it's contents by ls -l <directory-name>) the execution flag (x) should be set.
- drwx------ (backup) : This is a directory, user can read, write and execute (since this is a directory this is needed to access the directory) , group (kings) can't do anything, others can't do anything.
- -rwx------ (battle-plans) : This is a regular file. Only user has access.
- drwxrwxr-x (GMTstore) : This directory can be accessed, changed by members of group (kings), but others can not change it.
- -rwxr--r-- (install_gmt): Evrybody can read. But only owner can write. Owner can also execute this by calling it by filename. e.g.
./install_gmt #at bash prompt
- drwxrwsr-x (hands): This directory is said to be GID-set, which is done by
chmod u+s handsand indicated by the presence of s at the permission flag. This means, whatever files created in this folder by anybody (of course they should be permitted to do that, in this case that means 1. owner, 2. group members and 3. root) belongs to the group greeks.
- lrwxrwxrwx (images) : See the right-most end of the row.
images -> /opt/imagesindicates this is a symbolic link. These are special 'files' which can not be set permissions. Instead 'target' of the link (images in /opt folder in this case) should have desired permissions.
Setting permissions chmod
chmod command is used to change the ownership of exising files. There are two ways of using the command.
chmod g+rx READEME.infoHere, the members of the group(g) is granted(+) read(r) and execute(x) permissoins.
Permissions of each class (user, group or others) are handled by an Octal Number. Three ocatal numbers written togather (e.g. 644) fully specify the file permissions of a file.
Each of these digits is the sum of its component bits (see also this article). As a result, specific bits add to the sum as it is represented by a numeral:
- The read bit adds 4 to its total,
- The write bit adds 2 to its total, and
- The execute bit adds 1 to its total.
These values never produce ambiguous combinations; each sum represents a specific set of permissions.
These are the examples from the Symbolic notation section given in octal notation:
- "-rwxr-xr-x" would be represented as 755 in three-digit octal.
- "-rw-rw-r--" would be represented as 664 in three-digit octal.
- "-r-x------" would be represented as 500 in three-digit octal.
- "-rw-------" would be represented as 600 in three-digit octal.
chmod 644 README.infoHere, the permissions of the file is set, so that
- owner has read, write permissions
- group and others have read permissions.
- Meaning of symbolic mode numbers are described
- Note that numeric permissions are absolute (i.e. They dictate all the permission settings) whereas symbolic settings are cumulative (i.e. They manage certain permissions while leaving others as they are).
Setting default file permissions
When a user creates a file or a directory, the initial permissoins of those are determined by the 'uname' value which is set by
- uname command
- user's initialization file
- system-wide initialization file
Typically the default configuration is equivalent to typing 'umask 22' which produces permissions of:
-rw-r--r-- for regular files, or drwxr-xr-x for directories.
In other words, user has full access, everyone else (group and other) has read access to files, lookup access to directories.
When working with group-access files and directories, it is common to use 'umask 2' which produces permissions of:
-rw-rw-r-- for regular files, or drwxrwxr-x for directories.
For private work, use 'umask 77' which produces permissions:
-rw------- for regular files, or drwx------ for directories.
Never take the umask command lightly! If you accidentally set umask 002, every single file you (or any of your programs!) create after that will be writable by everybody in your group!!
umask File Directory 0 6 7 1 6 6 2 4 5 3 4 4 4 2 3 5 2 2 6 0 1 7 0 0Some common umask settings in a more understandable way.
umask dirs files files dirs 022 759 648 -rw-r--r-- drwxr-xr-x 027 754 643 -rw-r----- drwxr-x--- 002 775 664 -rw-rw-r-- drwxrwxr-x 006 771 660 -rw-rw---- drwxrwx--x 007 770 659 -rw-rw---- drwxrwx--- 077 714 603 -rw------- drwx------
Checking umaskThe umask command can be used to check the current umask values. There are two ways to use this. Either
umask -pto get the numeric umask value or
to get a more human readable output. The results of these commands are like,
$ ls -l / |grep tmp drwxrwxrwt 9 root root 4096 May 19 08:35 tmp
Note the 't' in the last position instead of familiar x or -. This is called sticky bit. Over time, the use of this tools has changed quite a bit. We shall only deal with its modern use, i.e. use in conjunction with directories here.When sticky bit is set for a directory by
#chmod +t /bar #Note: Usually root does thisAny file created in that folder can be removed or moved only by creator, even if others have write permission in the folder.
This is quite useful in setting up shared folders like /tmp (Operating system needs to write many files to /tmp as many users. However, other users should not be allowed to delete them at will.)
Changing permissions of a while directory tree
The -R option used together with chmod can change permissions of a whole directory tree. This can be useful for example when a user wants to grant read access to a whole folder to a group member. This can be achieved by
chmod g+rx <foldername>
But, the problem would be, the execute permission. Directories need x</t>, otherwise they can not be accessed. But, it is not valid to set executable bit (<tt>x) of a file, unless it is an executable file (e.g. a script, compiled program , etc.). In such situations X notation can be useful:
chmod g+rX foo
It applies execute permissions to the directory foo and all its sub-directories regardless of their current permissions and applies execute permissions to the file under foo if only they already have at least 1 execute permission (user, group or others) bit already set.
This article was inspired by several outside sources. Certain portions of those articles have been incoroporated in above text.