Penguin
Note: You are viewing an old revision of this page. View the current version.

Here's a directory listing as produced by ls -l:

-rw-r--r--   1 mythtv users    1706 2005-10-13 14:01 release.keys

Here, the various columns mean the following:

 -rw-r--r--   File permissions 
 1   number of links 
 mythtv   file owner 
 users   file-owning group 
 1706   file size 
 2005-10-13 14:01   creation time 
 release.keys   filename 

This page concentrates on the first bit: the file permissions.

UNIX file permissions are made up of three groups: the user who owns the file, the group that the file belongs to, and other people. These letters are important as you can use them to instruct chmod(1) change the permission of the file.

For each part, you have read, write, and execute access. These are displayed as rwx.

Typically, system data files as well files served from a WebServer or such have -rw-r--r--, ie. they're readable for everyone but writable only for their owner; files with private data have -rw-------: readable and writeable only for their owner and noone else. Directories and executable files generally have -rwxr-xr-x: they're readable and executable for everyone but writable only for their owl The executable permission on directories means that it may be used as part of a path; f.ex., if user bob does not have execute permission for /var/queue/joe, he will not be able to read /var/queue/joe/msg.371, even if he has read permission on the file itself. If /var/queue/joe has the execute permission set, but not the read permission, then bob will not be able to get a directory listing. However, if he knows the name of a file in that directory, eg. he knows that /var/queue/joe/msg.371 exists, then he can still reach it to read it (assuming he has read permission for that file).

Files

  • r - This tells us that the file can be read.
  • w - This tells us that the file can be written to.
  • x - This tells us that the file may be executed.

Directories

Here are some examples of the effects of various combinations
  • r--

    The user, group, or other with these permissions may list the contents of the directory, but nothing else. The files in the directory can't be read, changed, deleted, or manipulated in any way. The only permitted action is reading the directory itself, that is, seeing what files it contains.

  • rw-

    Write permission has no effect in the absence of execute permission, so this mode behaves just like the above mode.

  • r-x

    This mode permits the files in a directory to be listed, and permits access to those files. However, files can't be created or deleted. Access means that you can view, change, or execute the files as permitted by the files' own permissions.

  • --x

    Files in this directory can be accessed, but the contents of the directory can't be listed, so you have to know what filename you're looking for in advance (unless you're a good guesser). Files can't be created or deleted.

  • rwx

    You can do anything you want with the files in this directory, as long as it's permitted by the permissions on the files themselves.

Permissions are altered on the Shell using chmod(1). (Missing here is an explanation of the 4=r, 2=w, 1=x mapping. Feel free to AddToMe.)

Generally, the fewer permissions you grant, the better. Most importantly, there's almost never a good reason to grant write permission to "other people".

Sticky and setuid

There are actually two more permissions that are almost never useful outside of system files (so if you're not in this to learn how UNIX works, you can skip this part).

The setuid bit is shown with an s in directory listings. It specifies that when you execute the file, you assume the identity of the owner of the file. For example, if a file is owned by root and has the setuid permission set, it will run as root when you execute it, regardless of what your identity is. This is a way to allow regular users to do priviledged things; however it can easily lead to gaping security holes.

The sticky bit is shown with a t in directory listings is used for some widely shared system directories. It specifies that only the owner of a file can delete it. Normally, anyone who can create a file in a directory can delete any file in that directory. (To be precise, the owner of a directory with the sticky bit set can also delete any of the files in it.)

Recursive chmod(1)

chmod(1) has a potentially very convenient switch: -R, which, as you'll suspect if you've used other UNIX tools, means "recurse into directories and apply the change to the entire directory tree." However, because directories need to be executable before you can refer to any of the files inside them, it would sometimes seem that this convenient switch cannot be used. F.ex., saying chmod -R a-x ./foo/ isn't very useful because that will make everything inside foo non-executable, including directories, which means you can't access any of it.

However, modern chmod(1)s understand a special pseudo-permission, called X (eg. uppercase X as opposed to x). It means "executable, but only when operating on a directory; no change otherwise". That way, you can say chmod -R a-x,a+X ./foo/, which will make chmod(1) remove the executable bit from every file but then also set the executable bit if it's a directory.

Before this, it was sometimes necessary to go through inconvenient contortions involing find(1) in order to operate only on files or only on directories. While that's still occasionally necessary, those occasions are now much rarer.

See also


CategoryBeginners