File Permissions

This document provides an introduction to UNIX file permissions. You should also read Secure File Permissions for information on sensible permission settings.

What are file permissions?

File permissions control who can access your files. It is important to keep permissions in mind so that others can't view private files, or worse, edit or delete them. Every file and directory has permissions. You can view them by using the -l flag on the ls command. For example:

  $ ls -l file
  -rwxr-x--- 1 jsmith jsmith 1918 Mar 5 08:36 file

The fields on this line are (the permissions, owner and group-owner being the interesting ones):
  1. The file permissions
  2. The number of hard links to the file (you can generally ignore this)
  3. The owner of the file
  4. The group-owner of the file
  5. The size of the file
  6. The date the file was last modified
  7. The file name.
The permissions field is what we're mainly interested in, but the owner and group-owner are also worth being aware of.

Permissions are displayed in a special form using 9 characters. You'll actually see 10 in the field, but the first one is used to give the file type ("-" for regular file, "d" for directory, "l" (letter L) for symlink, and some more). So, in our example, these characters are rwxr-x---.

The 9 characters are actually three groups of three. Each group of three represents permissions for a certain class. There are three classes, displayed from left to right: user, group, and other. The user is you, the owner of the file. By default, group is the same as user, but if you are in a group project, group will be set to the name of that group. other is absolutely everybody else, including people from outside CSE!

Within each class there are three flags (bits): read, write, and execute. These have slightly different meanings with files and directories.

For a file, if the type of access is:
  • read - The file can be viewed by a person, or read by a program
  • write - The file can be changed by a person, or written-to by a program. A person with write access can add to a file, or completely blank it.
  • execute - The file can be executed as a command. Note that this is usually only set if it is a binary program or script.
For a directory, if the type of access is:
  • read - The directory contents can be listed. The ls command will show its contents - a person can see the names and attributes of files within the directory.
  • write - The directory contents can be changed. A person or program can add or delete a file in that directory (regardless of whether they have write access to the actual file!).
  • execute - A program can access files within this directory. For example, you can only use the cd command to change into a directory if you have execute permissions.

Symbolic links (symlinks) are another special type of file, but these are just pointers to another file. You can't change permissions on a symlink in Linux, but the permissions on the file it points to still apply. Generally a symlink looks like this: lrwxrwxrwx and is the only file you should see with full permissions, unless you're absolutely sure of what you're doing.

So, let's quickly break this down for our example:
  User/owner   Group   Other/world
  rwx          r-x     ---
The owner of the file can read, write or execute this file. The group-owner of the file can read or execute the file, but they can't modify it. Anyone else has no access to the file - they can't read, write or execute it.
This is good, as the general public can't access the file.
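As an added worked example (not from the original page or the Computing Support Group), the following POSIX shell script does the breakdown above by hand: it takes the permission field as ls -l prints it, splits it into the user, group and other triples, reports each class's access in words, and gives the octal mode that chmod accepts for the same string. The function names (strip_type, perm_to_octal, describe_perms) are ours, and only the r, w, x and - characters covered on this page are handled.

```shell
#!/bin/sh
# Added example, not part of the original page: turn the 9-character
# permission string that ls -l prints (or the full 10-character field
# with the type character in front) into its octal mode and a one-line
# summary per class. Function names are our own. Only r, w, x and - are
# handled; the set-user-ID/sticky variants (s, t) are outside this page.

# strip_type -rwxr-x---  ->  rwxr-x---   (9-character input is passed through)
strip_type() {
    p=$1
    [ ${#p} -eq 10 ] && p=${p#?}
    printf '%s\n' "$p"
}

# class_octal rwx -> 7 ; r-x -> 5 ; --- -> 0   (read=4, write=2, execute=1)
class_octal() {
    v=0
    case $1 in r??) v=$((v + 4)) ;; esac
    case $1 in ?w?) v=$((v + 2)) ;; esac
    case $1 in ??x) v=$((v + 1)) ;; esac
    printf '%s' "$v"
}

# class_words rwx -> "read, write, execute" ; --- -> "no access"
class_words() {
    w=""
    case $1 in r??) w="read" ;; esac
    case $1 in ?w?) w="${w:+$w, }write" ;; esac
    case $1 in ??x) w="${w:+$w, }execute" ;; esac
    printf '%s' "${w:-no access}"
}

# perm_to_octal rwxr-x--- -> 750
# Fails (status 1) on anything that is not nine characters from r, w, x, -
perm_to_octal() {
    p=$(strip_type "$1")
    case $p in
        [rwx-][rwx-][rwx-][rwx-][rwx-][rwx-][rwx-][rwx-][rwx-]) ;;
        *) echo "perm_to_octal: expected 9 characters from r, w, x, -" >&2; return 1 ;;
    esac
    out=""
    while [ -n "$p" ]; do
        triple=$(printf '%.3s' "$p")   # next class: user, then group, then other
        p=${p#???}
        out="$out$(class_octal "$triple")"
    done
    printf '%s\n' "$out"
}

# describe_perms rwxr-x--- -> one line per class, e.g. "other: no access"
describe_perms() {
    p=$(strip_type "$1")
    for class in user group other; do
        triple=$(printf '%.3s' "$p")
        p=${p#???}
        printf '%s: %s\n' "$class" "$(class_words "$triple")"
    done
}

# Worked on the page's example line
describe_perms -rwxr-x---
printf 'octal: %s\n' "$(perm_to_octal -rwxr-x---)"
```

Run as a script it prints the three class lines for the example file followed by "octal: 750"; a symlink's lrwxrwxrwx comes out as 777, which is the "full permissions" the text warns you should not normally see on anything else.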

Setting File Permissions

Be sure to read the Secure File Permissions FAQ entry! File permissions can be changed using the chmod command. For a full description of its usage, have a read of the chmod man page. The primer also contains a good description of using chmod, and standard representations for permissions - see sections 2.2.15 and 2.2.16. It is definitely a recommended read with this document. There is an online copy of the primer available in the help documentation pages.
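As an added example (not from the original page, the primer or the chmod man page), this POSIX shell script applies the same mode to a scratch file in chmod's symbolic form and in its octal form, then reads the result back with ls -l to show that the two agree. It also shows relative changes such as o-rwx, which take permissions away from one class without touching the others. mode_of and mode_after are our own helper names; the scratch files live under $TMPDIR (or /tmp) and are removed afterwards.

```shell
#!/bin/sh
# Added example, not part of the original page: apply a mode with chmod in
# symbolic form and in octal form and read the result back from ls -l, to
# show the two forms describe the same thing. Each call works on a fresh
# throwaway file or directory under $TMPDIR (or /tmp). Function names are our own.

# mode_of PATH -> the 10-character permission field from ls -ld
# (cut keeps only those 10 so an ACL/SELinux marker such as "+" or "." is dropped)
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# mode_after KIND BASE CHANGE
#   KIND   is f (regular file) or d (directory)
#   BASE   is an absolute mode applied first, so relative changes start from a known point
#   CHANGE is the chmod argument under test (symbolic or octal)
# Prints the resulting ls -l permission field and cleans up the scratch directory.
mode_after() {
    work=$(mktemp -d "${TMPDIR:-/tmp}/permdemo.XXXXXX") || return 1
    target="$work/target"
    if [ "$1" = d ]; then mkdir "$target"; else : > "$target"; fi
    chmod "$2" "$target" && chmod "$3" "$target" && mode_of "$target"
    status=$?
    rm -rf "$work"
    return $status
}

# The page's example reached both ways: u=rwx,g=rx,o= and 750 are the same mode.
printf 'u=rwx,g=rx,o=  -> %s\n' "$(mode_after f 644 u=rwx,g=rx,o=)"
printf '750            -> %s\n' "$(mode_after f 644 750)"
# Relative changes leave the other classes alone: take everything away from 'other'...
printf 'dir 755, o-rwx -> %s\n' "$(mode_after d 755 o-rwx)"
# ...or remove write from group and other in one go
printf 'file 666, go-w -> %s\n' "$(mode_after f 666 go-w)"
```

The first two lines of output are identical (-rwxr-x---), which is the point: the octal digits 7, 5 and 0 are just the user, group and other triples written as numbers. The directory case comes back as drwxr-x---, the same bits with a "d" in front, since chmod treats files and directories alike even though the bits mean different things for each.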
Last edited by Computing Support Group 28/10/2010