about


Scribe:

chrono

blog

Time

science!

book musings

gov

'punk

missle defense

jams

antiques

cultcha blog


Construct:

scripts & programs

on the town

snaps


Self:

creds (PDF)

key

missive


Linux: Understanding File Permissions

Unix is a multi-user system. As such, every process that runs and every file that is stored must have an owner, or user-account. Conversely, each time a user tries to interact with a program or file, Unix checks to see if the user has permission before letting him/her proceed with the action.

The owner of currently running programs can be checked through the ps command. At the command prompt type "ps-aux" and you'll get a list of programs currently running. The last two entries may look something like:

henry    32186  0.7  0.7   5604  3020 pts/0    Rs   06:58   0:00 -bash
henry   32202  0.0  0.2   2644  1012 pts/0    R+   06:58   0:00 ps -aux

The last two actions carried out were done by user "henry"--namely opening the shell (-bash) when logging in (an automatic procedure; the shell provides the command line), and the running of "ps -aux" itself.

For files and directories, user permissions can be found by typing in the list command, with the option to show details ("ls -l") at command prompt. You should get something like this:

-rw-r--r-- 1 henry henry  6 2009-03-29 22:10 test.txt
-rwxr--r-- 1 henry henry 32 2009-03-29 22:15 text.txt

In this listing, we see the information for two files ("test.txt" and "text.txt"), one on each line. The user permissions are on the left (the series of dashes & letters, or flags). Right after that is the file owner ("henry") and the name of the group that file belongs to (more on that later, maybe). The size of the file and when it was created is also included in that listing.

Deciphering the Permission Set

Each one of the 10 flags ("drwxrxwrxw") designates whether or not a designated party has a specific permission to do something with the file. The rest of this section will break down what each permission means.

To understand the full set of permissions, break them into four subsets, reading left to right:

Position 1: This indicates whether or not the file is a directory (if it is, then there is a "d"--if it is not a directory, then "-").

Positions 2-4: This is the set of permissions allotted to the owner of the file.

Positions 5-7: This is the set of permissions allotted to the group that owns the file.

Positions: 8-10:These are the permissions for everyone else who is not the owner of the file, nor belongs to the group that owns the files ("Others").

In recap, reading left to right (after the directory key), you are reading the read-write-execute permissions for owner-group-other. Summarily, the permission set runs from lesser to greater degrees of control of a file, and from specific to more general possible users of the file.

Each of these three sets of letters comes in the same format. Reading each block of three left to right, you could see, in this order:

r: The right to read the file.

w: The right to write to the file, meaning to make changes to the file.

x: The right to execute the file. If the file consists of code that can be executed by the machine, and if the "x" is present, then the individual can task the computer with executing the code within the file (or, rather, the file is the program).

If the letter is present in the designated spot, then that permissions is granted. if a blank ("-") is in the place, then there is no permission.

As an example, if a file has the permissions:

-rwxrw-r--

This means the owner of the file read, write, or execute the file. The group can read and write to the file, but not execute it. And everyone else can read to the file, but not execute it.


To change the permissions of a file, use the chmod command on the command line. chmod is an abbreviation for "change mode"

The basic format for chmod is this:

chmod [Changes to be made] [file]

For simplicity, I'm leaving out the ability to designate options and to concatenate the commands. See the manual page for more details.

The "Changes to be made" space above, you want to format the changes to be made in this way:

[who the changes will apply to] [The action to be carried out] [The new permissions]

Who the changes will apply to will be one of four groups

u: The owner of the file.

g: Other users in the file's group.

o: All other users.

a: Everyone (u and g and o)

Note that "other" users is not quite the same as all "users." It does not incorporate u or g. Also, remember "o" does NOT stand for "owner."

The second part of the statement, [The action to be carried out], will be either a "+" or "-" . "+" means you are adding these permissions, while "-" means you are removing them.

The third part of the statement are the permissions that are being changed. As from above they can be either read ("r"), written to ("w") or executed ("x").

Putting this all together in an example, say I would want to add a permission for others to write to a file, I would type this in at the command line:

chmod o+r [file to be changed]

Or to remove the permission for the group to execute a file:

chmod g-x [file to be changed]

I can add multiple permissions onto one change order. For instance, say I want to add read and execute permissions for the chief user of the file:

chmod u+rx [file to be changed]

For lovers of numeric abstraction and/or being closer to the metal, there is also a way to change permissions using numbers, I'll get to that approach (the octal approach) later, in a separate entry. Maybe. If I need to, In the mean time, read about it in the manual page.

While I won't delve into the details, I did want to point out one option, for recursion. This is the -R flag:

chmod -R u+x * [file to be changed]

This above command grants execute permission for all the file, not only in the working directory, but any subdirectories under it (Also, wildcards (*) do work with chmod, but be very sure about what you are changing before you hit that return key).

chmod never changes the values of symbolic links. Those permissions are the same as the file the link is connecting to. Symbolic links is another topic

This post just covers the mechanics, and the basic ones at that. Of course, there are a lot of implications that need to be articulated. Getting user permissions right is a matter of balancing security and ease of use: Granting permissions on an Internet-connected for everyone will ensure your system will be hacked. But keeping them too tight will cause the user aggravation and may hinder programs from working. I'll explore these topics in future posts.

Taken from various tutorials, Dartmouth Tutorial, and Unix in a Nutshell