File Permissions¶
Linux, like other Unix-like operating systems, lets many users work on the same server. Sharing a machine also means that one user's files could be read, modified or deleted by another, which risks exposing sensitive data or losing it outright. To control this, Unix attaches permissions to every file and directory that specify how much access each class of user has.
Every file (and directory) has an owner, an associated Unix group, and a set of permission flags that grant read, write and execute permission separately to the user (owner), to the group, and to other users.
Exactly one of the three classes applies to a given user: the owner's flags are used if the user owns the file; otherwise the group's flags if the user is a member of the file's group; otherwise the flags for other users, i.e. everyone who is neither the owner nor in the group. The classes are not cumulative, so a file with mode `----rw-rw-` is not readable by its owner even though every other user on the system can read it. The root user bypasses these checks entirely.
The command `ls -l` displays the permissions, owner and associated group of any file:
File permissions
```
drwx------ 2 user group 2048 Jun 12 2022 Desktop
drwxr-x--- 2 user group 2048 Oct 17 2021 Share
drwxr-xr-x 3 user group 2048 Nov 13 2021 Public
-rw------- 2 user group 1327 Apr 9 2022 private.out
-rwx------ 2 user group 12040 Apr 9 2022 private_exec.sh
```
The fields above represent, from left to right:
1. set of ten permission flags
2. link count (number of hard links; for a directory, 2 plus its number of subdirectories)
3. owner
4. associated Unix group
5. size
6. date of last modification
7. name of the file
The permission flags from left to right are:
| Position | Meaning |
|---|---|
| 1 | file type: "d" for a directory, "-" for a regular file ("l" for a symbolic link; a few other letters denote device files, sockets and pipes) |
| 2, 3, 4 | read, write, execute permission for user (owner) |
| 5, 6, 7 | read, write, execute permission for group |
| 8, 9, 10 | read, write, execute permission for other users |
and have the following meanings:
| Value | Meaning |
|---|---|
| - | Flag is not set |
| r | File is readable. For directories, the names of the entries may be listed. |
| w | File is writable. For directories, entries may be created, removed or renamed, regardless of the permissions on the entries themselves. |
| x | File is executable. For directories, the directory may be entered and entries inside it accessed by name; listing them still requires r. |
| s | Shown in place of x. In the user position: set-user-ID (setuid), the program runs with the owner's identity rather than the caller's. Setuid binaries owned by root are a classic privilege-escalation target and should be kept to the minimum the system needs. In the group position: set-group-ID (sgid). On an executable the program runs with the file's group; on a directory, files created therein will be associated with the same group as the directory, rather than the default group of the user, and subdirectories created therein inherit both the group and the sgid setting. |
| t | Sticky bit, shown in place of x for other users. On a directory (such as /tmp) an entry may be removed or renamed only by its owner, the directory's owner or root, even when the directory is world-writable. |
| S, T | The special flag is set but the underlying execute permission is not (usually a configuration mistake). |
Applying these to the previous example:
drwx------ 2 user group 2048 Jun 12 2022 Desktop
This is a directory named Desktop, owned by user user and associated with Unix group group. The directory has read, write, and execute permissions for the owner, and no permissions for any other user.
drwxr-x--- 2 user group 2048 Oct 17 2021 Share
This is a directory named Share, owned by user user and associated with group group. The owner can list, enter and modify the directory; members of group can list and enter it but cannot create, delete or rename anything in it; all other users have no access. Presumably, this directory would contain files that also have group read permission, since the directory's permissions alone do not make its files readable.
drwxr-xr-x 3 user group 2048 Nov 13 2021 Public
This is a directory named Public, owned by user user and associated with group group. The owner can list, enter and modify the directory; group members and all other users can list and enter it but cannot create, delete or rename anything in it. A directory such as this would most likely contain files that have world read permission.
-rw------- 2 user group 1327 Apr 9 2022 private.out
This is a normal file named private.out, owned by user user and associated with group group. It is readable and writable by the owner but is not accessible to any other user.
-rwx------ 2 user group 12040 Apr 9 2022 private_exec.sh
Finally, this is a normal file named private_exec.sh, owned by user user and associated with group group. It is executable, as well as readable and writable, for the owner only.
Changing File Permissions¶
When a file is created, the permission flags are set according to the file mode creation mask, which can be displayed and set with the `umask` command (`umask` alone prints the current value, `umask -S` prints it symbolically).
The mask is a three-digit octal value whose nine bits correspond to positions 2–10 of the permission flags. Every bit set in the mask removes the corresponding permission: the resulting mode is the mode requested by the creating program (666 for regular files created by most programs, 777 for directories) ANDed with the bitwise complement of the mask. The mask only ever removes permissions and never adds any, so a program that explicitly creates a file with mode 600 gets 600 whatever the umask. Conversely, changing the umask does not affect files that already exist; use chmod for those.
Common useful values are:
| Value | File permissions | Directory permissions |
|---|---|---|
| 002 | -rw-rw-r-- | drwxrwxr-x |
| 007 | -rw-rw---- | drwxrwx--- |
| 027 | -rw-r----- | drwxr-x--- |
| 077 | -rw------- | drwx------ |
The default umask on the Devana cluster is 002, so new files are group-writable; because your default group normally contains only you, this matters mainly inside project directories whose group is shared. If you want a tighter default (for example 027, which keeps files readable by your group but invisible to others, or 077 for private files), set it in your ~/.bash_profile or ~/.bashrc configuration file by appending the following line:
```
umask XXX
```
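To check the umask arithmetic from the text against what the kernel actually does, here is an added example (not part of the original page): `apply_umask` implements the formula, and `observe_umask` creates a file and a directory under a given mask in a scratch directory and reads their modes back. It assumes a POSIX shell and the GNU/BusyBox `stat -c` found on Linux; on BSD or macOS you would use `stat -f %Lp` instead.

```shell
#!/bin/sh
# Added example, not from the original page: predicted versus observed umask
# results. Assumes GNU/BusyBox "stat -c" (Linux).

# Mode a new object gets = default & ~mask. $1 = mask (octal), $2 = the mode
# the creating program asked for (666 for touch or shell redirection, 777 for
# mkdir). The leading 0 makes the shell read both arguments as octal.
apply_umask() {
    printf '%03o\n' $(( 0$2 & ~0$1 ))
}

# Create a file and a directory under mask $1 and print "filemode dirmode" as
# the kernel assigned them. Runs in a subshell so the caller's umask is untouched.
observe_umask() {
    mask=$1
    tmp=$(mktemp -d) || return 1
    ( umask "$mask" && : > "$tmp/f" && mkdir "$tmp/d" ) || { rm -rf "$tmp"; return 1; }
    f=$(stat -c %a "$tmp/f")
    d=$(stat -c %a "$tmp/d")
    rm -rf "$tmp"
    printf '%s %s\n' "$f" "$d"
}

# Compare prediction with observation for the masks in the table above.
for mask in 002 007 027 077; do
    predicted="$(apply_umask "$mask" 666) $(apply_umask "$mask" 777)"
    observed=$(observe_umask "$mask")
    printf 'umask %s: predicted %s, observed %s\n' "$mask" "$predicted" "$observed"
done

# The mask only removes bits: a program asking for 600 gets 600 under umask 002.
printf 'requested 600 under umask 002 -> %s\n' "$(apply_umask 002 600)"
```

The loop should print identical predicted and observed pairs (664/775 for 002, 660/770 for 007, 640/750 for 027, 600/700 for 077); if they differ on your system, look for default ACLs on the parent directory, which add permissions the umask does not see.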
The change mode command (`chmod`) changes the permissions of an existing file or directory; the flag `-R` applies the change recursively to a directory and everything beneath it.
The command can be invoked with octal digits representing the permission flags, one digit each for user, group and other. An optional leading fourth digit sets the special flags (4 = setuid, 2 = setgid, 1 = sticky), so `chmod 2770` produces a group-shared directory with setgid set:
| Octal Digit | Binary representation (rwx) | Permission |
|---|---|---|
| 0 | 000 | none |
| 1 | 001 | execute |
| 2 | 010 | write |
| 3 | 011 | write and execute |
| 4 | 100 | read |
| 5 | 101 | read and execute |
| 6 | 110 | read and write |
| 7 | 111 | all |
Numerical mode change
```
login01:~ $ touch foo
login01:~ $ ls -l foo
-rw-rw-r-- 1 user group 0 Nov 16 05:58 foo
login01:~ $ chmod 744 foo
login01:~ $ ls -l foo
-rwxr--r-- 1 user group 0 Nov 16 05:58 foo
```
Alternatively, chmod can be invoked with symbolic values:
```
chmod [-R] [classes][operator][modes] file
```
where the classes determine which of user/group/other the operation applies to (all three if omitted, except for bits set in the umask), the operator specifies whether permissions are added, removed or set exactly, and the modes specify the permissions.
Classes¶
| Letter | Class | Description |
|---|---|---|
| u | user | Owner of the file |
| g | group | Users who are members of the file's group |
| o | others | Users who are neither the owner nor members of the file's group |
| a | all | All users |
Operators¶
| Operator | Description |
|---|---|
| + | Add the specified modes to the specified classes |
| - | Remove the specified modes from the specified classes |
| = | Set the specified modes as the exact permissions for the classes |
Modes¶
| Mode | Name | Description |
|---|---|---|
| r | read | Read a file or list a directory's contents |
| w | write | Write to a file or directory |
| x | execute | Execute a file or traverse a directory |
| X | special execute | Execute permission only for directories and for files that already have execute permission for at least one class; with -R this makes directories traversable without marking every data file executable |
| s | setuid/setgid | u+s sets set-user-ID on an executable; g+s sets set-group-ID, which on a directory causes new files to inherit the directory's group |
| t | sticky | On a directory, only an entry's owner (or the directory's owner, or root) may delete or rename it |
Sets of class/operator/mode may be separated by commas.
Using the above definitions, the previous example can also be performed symbolically:
Symbolical mode change
```
login01:~ $ touch foo
login01:~ $ ls -l foo
-rw-rw-r-- 1 user group 0 Nov 16 05:58 foo
login01:~ $ chmod u+rwx,go=r foo
login01:~ $ ls -l foo
-rwxr--r-- 1 user group 0 Nov 16 05:58 foo
```
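The practical difference between `x` and `X` only shows up with `-R` on a mixed tree. The following added example (not from the original page) builds a scratch project tree with deliberately mixed modes, opens it to the file's group with a symbolic `chmod -R` that uses `X` and sets setgid on the directories, and reads the modes back; a second function shows what the common `u=rwx,g=rwx` variant does to data files instead. It assumes a POSIX shell plus GNU/BusyBox `stat -c %a` and `find -mindepth`.

```shell
#!/bin/sh
# Added example, not from the original page: "x" versus "X" under chmod -R.
# Assumes GNU/BusyBox "stat -c %a" and "find -mindepth" (Linux).

# Scratch tree: a script the owner can already execute, a private data file
# and a data file that was left world-writable by mistake.
make_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/bin" "$root/src"
    chmod 755 "$root/bin" "$root/src"
    printf 'echo hi\n' > "$root/bin/run.sh";    chmod 700 "$root/bin/run.sh"
    printf 'notes\n'   > "$root/src/notes.txt"; chmod 600 "$root/src/notes.txt"
    printf 'oops\n'    > "$root/src/leaky.txt"; chmod 666 "$root/src/leaky.txt"
    printf '%s\n' "$root"
}

# Octal mode of every entry below $1, one "mode path" per line, in a fixed order.
tree_modes() {
    ( cd "$1" && find . -mindepth 1 | LC_ALL=C sort | while read -r p; do
          printf '%s %s\n' "$(stat -c %a "$p")" "$p"
      done )
}

# Correct: X grants execute only to directories and to files that already have
# it for someone, so run.sh stays executable and the data files do not become
# so. "=" also drops the stray world-write bit, "o=" removes all access for
# others, and the directories get setgid so new files inherit the group.
# GNU chmod evaluates X against the mode as modified by the operations before
# it in the same call, so keep anything that strips execute bits last.
share_with_group() {
    chmod -R u=rwX,g=rwX,o= "$1" && find "$1" -type d -exec chmod g+s '{}' +
}

# Common mistake: lower-case x (or "chmod -R 770") makes every file in the
# tree executable, data files included.
share_with_group_naive() {
    chmod -R u=rwx,g=rwx,o= "$1"
}

root=$(make_tree)
echo "before:";                   tree_modes "$root"
share_with_group "$root"
echo "after share_with_group:";   tree_modes "$root"
rm -rf "$root"

root=$(make_tree)
share_with_group_naive "$root"
echo "after share_with_group_naive:"; tree_modes "$root"
rm -rf "$root"
```

After `share_with_group` the directories show as 2770, `run.sh` as 770 and both data files as 660; after the naive variant every entry is 770, which is the pattern that lets an attacker who can write a file in the tree also get it executed.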
UNIX Groups¶
Every user on a Unix system is a member of one or more Unix groups, including their default group (generally the same as the username).
The command `groups <username>` lists the group memberships of any user, and `id <username>` shows them together with their numeric identifiers.
Every file (or directory) on the system has an owner and an associated group. When a user creates a file, its group is the user's default group, unless the file is created inside a directory with the setgid flag set, in which case it inherits the directory's group. `newgrp <group>` starts a new shell in which another of your groups is the default, so files created from it get that group.
The user (owner) can change the associated group to any of the groups to which the user belongs using the change group command (only root may assign a group the owner is not a member of; `-R` applies the change to a whole tree):
```
chgrp [-R] <group> file
```
This command is commonly used in collaborative directories where files must belong to a shared project group; combined with a setgid directory it keeps newly created files in the project group automatically.