UNIX
Permissions
File/Directory Permissions

Each file and directory has 3 levels of permissions. Each of those levels has 3 types of permissions.

The 3 levels are

    Owner
    Group
    Others

The 3 types are

    Read
    Write
    Execute

The meaning of the 3 "types" varies depending upon whether it refers to a file or a directory.

    Permission   File                        Directory
    --------------------------------------------------------------
    read         Can look at the             Can "see" the names of
                 contents of the file.       files in the directory.
                 Ex. cat /etc/motd           Ex. ls /usr

    write        Can change the              Can create new files,
                 contents of the file.       remove files, and move
                                             files within the directory.
                 Ex. vi .login               Ex. rm trash
                                                 mv stuff /tmp/stuff
                                                 cp /vmunix vmunix

    execute      Can use that filename       Can "get into" the
                 as a shell command.         directory.
                 Ex. run.me                  Ex. cd /usr/spool
                                                 ls -l /usr/var

Use the "-l" option to the "ls" command to see what permissions are on a file.

    ls -l /etc/passwd
    -rw-r--r--   1 root      553 Mar 20 16:49 /etc/passwd

Use the "-l" and "-d" options to look at the permissions of a directory.

    ls -ld /
    drwxr-xr-x  14 root      512 Mar  9 14:12 /

The permissions are listed on the left.

Break down of permissions:

    - r w x r w x r w x
    | ----- ----- -----
    |   |     |     |
    |   |     |     Others (world)
    |   |     Group
    |   Owner
    File Type (not really a permission). Some file types are
    - = "regular" file, d = directory, l = link, c = character device,
    b = block device, s = socket.

Typically the Owner has "read" and "write" access to their files. Since they own them, they should be able to read them and modify them. They also "usually" have "execute" access to their directories. This allows them to "get into" their directories.

Use the "chmod" command to set permissions on a file. The "chmod" command has 2 forms. I prefer the "octal value" form. This form uses the premise that each of the types has a given value in the "octal" numbering scheme.

    r w x r w x r w x
    - - - - - - - - -
    | | | | | | | | |
    4 2 1 4 2 1 4 2 1

Read has the value 4, write has the value 2, and execute has the value 1.
You add up the permissions for each level. Say you want to be the only one who can read and write your file "mumble". This means you need "read" and "write" access at the owner level and nothing at the group and others levels. Since read gets the value 4 and write gets 2, we need 4 + 2 = 6 for the owner.

    chmod 600 mumble

Now you want to allow everyone to read but not modify your .login file. Also, you want to be able to modify the file. So, the owner level gets 4 + 2 = 6. The group level will get read, 4, and the others level will get 4.

    chmod 644 .login

To be certain that others can actually read the file, you need to make sure that they can "get into" the directory. This means that they need to have the permission to get into the directory that contains ".login" as well as all directories above that. So, all those directories need to have the execute permission set. Remember, execute on a directory lets you "get into" it.

Assume .login was in /home/cartoon/bugs, and the permissions look like this.

    ls -ld / /home /home/cartoon /home/cartoon/bugs
    drwxr-xr-x  14 root      512 Mar  9 14:12 /
    drwxr-xr-x  12 root      512 Dec  7 14:05 /home
    drwxr-xr-x   8 root      512 Nov  3  1993 /home/cartoon
    drwxr-xr-x  44 bugs     6144 Mar 21 17:13 /home/cartoon/bugs
             |
             Note that the execute permission is set at the "others" level.

So, in fact, everyone can read the file .login.

Now let's say you have several files that you don't want others to read or modify. You could use "chmod" to set the permissions on all those files to 600 (rw-------). Or, you could create a subdirectory, /home/cartoon/bugs/private, and put all your "private" stuff in it. Then all you have to do is set the permissions on the directory so that others can't get into it. We need read + write + execute for the owner, 4 + 2 + 1 = 7. Nothing for the group or others.

    chmod 700 /home/cartoon/bugs/private

Then put your "private" files in it.
Now, it doesn't matter what the permissions are on the files within /home/cartoon/bugs/private, because only you can get into the directory.

You should review the table of permissions above and in particular note that "to change the contents of a file" you must have "write" access to the file. To "delete a file" you need "write" access to the directory that contains the file (assuming the sticky bit is not set, but we'll hold off describing it).

Note: the "root" user can do anything, so you can't prevent "root" from accessing your files or directories.
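The two checks the text walks through by hand, turning an "ls -l" mode string into its octal value and confirming that "others" can get into every directory above a file, as a small POSIX sh script. This is an added example, not part of the original page; the function names, the optional TOP argument that stops the upward walk early, and the sample tree built in the comments are all assumptions made here.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes only "ls -ld",
# "cut" and "dirname", which exist on any Unix.

# mode_to_octal MODESTRING -> e.g. "644" for "-rw-r--r--"
# Walks the three rwx triplets at columns 2-4, 5-7 and 8-10 and adds
# 4 / 2 / 1 exactly as in the diagram above. An "s" or "t" in the
# execute column still counts as execute set; the extra setuid/setgid/
# sticky digit is not computed here.
mode_to_octal() {
    s=$1; total=""
    for start in 2 5 8; do
        trip=$(printf '%s' "$s" | cut -c"$start-$((start + 2))")
        v=0
        case $trip in r??) v=$((v + 4));; esac
        case $trip in ?w?) v=$((v + 2));; esac
        case $trip in ??x|??s|??t) v=$((v + 1));; esac
        total="$total$v"
    done
    printf '%s\n' "$total"
}

# mode_of PATH -> the 10-character mode column of "ls -ld", as on the page
mode_of() { ls -ld "$1" | cut -c1-10; }

# others_can_read FILE [TOP]
# Succeeds only if "others" have read on FILE and execute ("get into")
# on every directory from FILE's directory up to TOP (default "/").
# Prints the first directory or file that blocks access, then fails.
others_can_read() {
    f=$1; top=${2:-/}
    case $(mode_of "$f") in
        ???????r??) ;;
        *) echo "file not readable by others: $f"; return 1;;
    esac
    d=$(dirname "$f")
    while :; do
        case $(mode_of "$d") in
            d????????x|d????????t) ;;                 # t = sticky dir, still searchable
            *) echo "others cannot get into: $d"; return 1;;
        esac
        [ "$d" = "$top" ] || [ "$d" = "/" ] && break
        d=$(dirname "$d")
    done
    return 0
}
```

With the page's layout (bugs 755, private 700), `others_can_read /home/cartoon/bugs/.login` succeeds while a file under private is reported as blocked at the directory, whatever its own mode.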
(c) www.gotothings.com All material on this site is Copyright.