Greg Hinkel's UNIX Tip of the Week for March 17, 1996

File/Directory Permissions

Each file and directory has 3 levels of permissions.  Each of those levels
has 3 types of permissions.  The 3 levels are
	Owner
	Group
	Others

The 3 types are
	Read 
	Write
	Execute

The meaning of the 3 "types" varies depending upon whether it refers to a file
or a directory.  

Permission	File			Directory
--------------------------------------------------------------
read		Can look at the		Can "see" the names of
		contents of the file    files in the directory.
		Ex. cat /etc/motd	Ex.  ls /usr

write		Can change the		Can create new files,
		contents of the file    remove files, and move 
					files within the directory.
		Ex.  vi .login		Ex. rm trash
					    mv stuff /tmp/stuff
					    cp /vmunix vmunix

execute		Can use that filename	Can "get into" the
		as a shell command.	directory.
		Ex.  run.me		Ex.  cd /usr/spool
					     ls -l /usr/var

Use the "-l" option to the "ls" command to see what permissions are on a file.
ls -l /etc/passwd
-rw-r--r--  1 root          553 Mar 20 16:49 /etc/passwd

Use the "-l" and "-d" options to look at the permissions of a directory.
ls -ld /
drwxr-xr-x 14 root          512 Mar  9 14:12 /

The permissions are listed on the left.

Breakdown of permissions.
- r w x r w x r w x
| ----- ----- -----
|   |     |     |
|   |     |    Others (world)
|   |    Group
|  Owner
File Type (not really a permission).    Some file types are -="regular" file,
d=directory, l=link, c=character device, b=block device, s=socket.

Typically the Owner has "read" and "write" access to their files.  Since they
own them they should be able to read them and modify them.  They also
"usually" have "execute" access to their directories.  This allows them to
"get into" their directories.

Use the "chmod" command to set permissions on a file.  The "chmod" command has
2 forms.  I prefer the "octal value" form.  This form uses the premise that
each of the types has a given value in the "octal" numbering scheme.

r w x  r w x  r w x
- - -  - - -  - - -
| | |  | | |  | | |
4 2 1  4 2 1  4 2 1

Read has the value 4, write has the value 2, and execute has the value 1. 
You add up the permissions for each level.  Say you want to be the only one
who can read and write your file "mumble".  This means you need "read" and
"write" access at the owner level and nothing at the group and others levels.
Since read gets the value 4 and write gets 2, we need 4 + 2 = 6 for the owner.

chmod 600 mumble

Now you want to allow everyone to read but not modify your .login file.  Also,
you want to be able to modify the file.  So, the owner level gets 4 + 2 = 6.
The group level will get read, 4, and the others level will get 4.

chmod 644 .login

To be certain that others can actually read the file, you need to make sure 
that they can "get into" the directory.  This means that they need to have the
permission to get into the directory that contains ".login" as well as all
directories above that.  So, all those directories need to have the execute
permission set.  Remember, execute on a directory lets you "get into" it.

Assume .login was in /home/cartoon/bugs, and the permissions look like this.
ls -ld / /home /home/cartoon /home/cartoon/bugs
drwxr-xr-x 14 root          512 Mar  9 14:12 /
drwxr-xr-x 12 root          512 Dec  7 14:05 /home
drwxr-xr-x  8 root          512 Nov  3  1993 /home/cartoon
drwxr-xr-x 44 bugs         6144 Mar 21 17:13 /home/cartoon/bugs
         |
	Note that the execute permission is set at the "others" level.  So, in
	fact everyone can read the file .login.

Now let's say you have several files that you don't want others to read or
modify.  You could use "chmod" to set the permissions on all those files to
600 (rw-------).  Or, you could create a subdirectory,
/home/cartoon/bugs/private and put all your "private" stuff in it.  Then all
you have to do is set the permissions on the directory so that others can't
get into it.  We need read + write + execute for the owner, 4 + 2 + 1 = 7.
Nothing for the group or others.

chmod 700 /home/cartoon/bugs/private

Then put your "private" files in it.  Now, it doesn't matter what the
permissions are on the files within /home/cartoon/bugs/private, because only
you can get into the directory.
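Pulling the two ideas above together (octal values, and the need for execute
on every directory above a file), here is an added shell example that is not
from Greg's tip: it converts an "ls -l" permission string to the octal value
chmod takes, and checks a set of "ls -ld" lines (a constructed sample using
the listing above plus the mode-700 private directory) for whether others
can get into each directory on the path.

```shell
# Added example, not part of the original tip.  Helpers to turn an "ls -l"
# permission string into chmod's octal value, and to check "ls -ld" output.

# One rwx triple (e.g. "r-x") to its octal digit: r=4, w=2, x=1.
triple_to_digit() {
    v=0
    case $1 in r??) v=$((v + 4)) ;; esac
    case $1 in ?w?) v=$((v + 2)) ;; esac
    case $1 in ??[xst]) v=$((v + 1)) ;; esac   # s/t: execute plus setuid/setgid/sticky
    echo "$v"
}

# The 9-character string from "ls -l" (rw-r--r--) to chmod's form (644).
sym_to_octal() {
    o=$(printf '%s' "$1" | cut -c1-3)
    g=$(printf '%s' "$1" | cut -c4-6)
    ot=$(printf '%s' "$1" | cut -c7-9)
    printf '%s%s%s\n' "$(triple_to_digit "$o")" "$(triple_to_digit "$g")" \
                      "$(triple_to_digit "$ot")"
}

# Read "ls -ld" lines on stdin, one per directory on the path, and print
# every directory that does not give "others" execute permission.
# Returns 0 when others can get into all of them, 1 otherwise.
# (Assumes directory names without spaces, as in the sample below.)
others_can_traverse() {
    bad=0
    while read -r mode links owner rest; do
        others=$(printf '%s' "$mode" | cut -c8-10)   # chars 8-10 of drwxr-xr-x
        dir=${rest##* }                              # last word is the name
        case $others in
            ??[xt]) ;;                               # t = execute + sticky bit
            *) echo "others cannot get into $dir ($mode)"; bad=1 ;;
        esac
    done
    return $bad
}

# Constructed sample: the listing from the tip plus the mode-700 private
# directory that "chmod 700 /home/cartoon/bugs/private" would produce.
SAMPLE='drwxr-xr-x 14 root          512 Mar  9 14:12 /
drwxr-xr-x 12 root          512 Dec  7 14:05 /home
drwxr-xr-x  8 root          512 Nov  3  1993 /home/cartoon
drwxr-xr-x 44 bugs         6144 Mar 21 17:13 /home/cartoon/bugs
drwx------  2 bugs          512 Mar 21 17:20 /home/cartoon/bugs/private'

sym_to_octal rw-r--r--      # 644
sym_to_octal rwx------      # 700
printf '%s\n' "$SAMPLE" | others_can_traverse || echo "not every directory is enterable by others"
```

Feed it real output from "ls -ld" on each directory above a file to find the
one that is keeping others out.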


You should review the table of permissions above and in particular note that
"to change the contents of a file" you must have "write" access to the file.
To "delete a file" you need "write" access to the directory that contains the
file (assuming the sticky bit is not set - but we'll hold off describing it).


Note.  The "root" user can do anything, so you can't prevent "root" from
accessing your files or directories.


Greg Hinkel / (hinkelgc AT ornl.gov)
Last Modified: Friday, 02-Sep-2005 12:52:00 EDT