CSL: File Permissions Primer

This is a brief primer on how to view and set access permissions on directories and files in the C.S. Unix / Linux filesystems.

You may not be aware of the level of accessibility to others of your files in our Unix / Linux filesystems. This includes project and administrative areas, as well as home directories. We would like to provide you with a brief primer on what you should know, and what you can do.

Even briefer: For a few commands that you can run quickly, please see this copy of the e-mail on this topic that we may occasionally send to C.S. account holders.

Unix (the OS) has been around for a long time, and its permission system is fairly simple, but it's a bit terse and technical: it was designed for much slower CPUs and much smaller storage. For every directory and file, there are three groupings of users relative to that file, and three permissions for each of these. The user groupings are:

  • User / owner - the file owner
  • Group - a designated group, which may include zero to many users
  • Others - anyone else (usually implies they also have an account on the system, but with web servers and such, that's not absolute)

Then, for each of these user types, there are three types of permission:

  • Read - file is readable; directory is listable
  • Write - file is writable; items can be added to or removed from directory
  • eXecute - file is a program, and can be executed; directory can be accessed and traversed

So, via a terminal window, if you are in a directory and view a detailed listing via ls -l (ls list directory command, with -l long listing option), you might see lines like:

    drwx--x---  59 jeb  lab      98304 May 20 15:34 mail
    -rw-rw-r--   1 jeb  lab       6753 Jun 17  2016 note

Here, we will pay attention only to columns 1 - Mode bits (including permissions), 3 - User, 4 - Group, and 9 - File name (a directory is actually a file with special properties).

The first column, the mode, is composed of ten characters. The first is the file type, and the remaining nine are permission triples for User, Group, and Others; each triple is Read, Write, and eXecute, with each of those being on or off (allowed or disallowed).

In the first of the two lines, the initial d indicates that the file mail is actually a directory. The next three characters rwx correspond with User, so the user / owner jeb has full access to the directory: can list it (Read), cd (change directory) into it (eXecute), and can create and delete files in it (Write). The next three characters --x, corresponding to Group, means that the group lab (that is, users that are part of the lab group) can use the directory, but cannot list it, and cannot create or delete files there; the two dashes (-) indicate that Read and Write are turned off for Group. The final three characters ---, corresponding to Others, indicate that anyone else (anyone not the User and not in the Group) has no access whatsoever to the directory or its contents, and cannot pass through; that is, any other subdirectories of that directory, or their files, cannot be reached.

In the second line, the first character - indicates that note is a regular file. The lack of any x in the remaining characters indicates that it is probably not an eXecutable program. It can be Read or Written by the User jeb (the first rw-) and the Group lab (the next rw-), but can only be Read (the final three characters r--) by anyone else.

So, think Read-Write-eXecute, for User-Group-Others.

Now, what if the permissions (mode characters 2-10) of the mail directory above were instead rwxr-xr-x? Email is usually considered very private, so permissions like those in the mail example above, or more likely rwx------, are what you would normally want. So, how do you change (lock down) these permissions? Again from a terminal window, you would use the chmod (change mode) command.

So, you would type the command: chmod go-rx mail

which translates to: change the mode (update the permissions) for both of Group (g) and Others (o), subtracting (removing) Read and eXecute for them on the file (directory) mail. The result would then be rwx------.

To change the permissions on the file note such that anyone else can also modify it, you would use the command: chmod o+w note

And, of course, where the filename goes in the command, you can also use Unix wildcards. So, for instance, to remove all permissions for Others from all files in a directory, you might do either of the following (the two chmod forms are equivalent; note that the * wildcard does not match names beginning with a dot, so such files must be named explicitly):

    cd {some directory}
    chmod o-rwx *
    chmod o= *

For more information on the chmod command (again, from a terminal window), see the online reference manual page by typing: man chmod

We recommend that you keep permissions on your directories and files on the more restrictive side, and allow access when needed. This applies to your home directory, and any project areas where you are creating files. If you need help, please let us know.

Do note that you must be the owner of a file to change its permissions. For the more technically inclined, the permissions provided to the chmod command can also be given as an octal number, with three digits representing all nine individual permissions bits.
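As an added example (not part of this primer), the following POSIX shell script converts the permission characters shown by ls -l into the three-digit octal form that chmod also accepts, and then uses that to flag entries in a listing whose Others triple grants anything; the listing it checks is constructed here, modelled on the one above.

```shell
#!/bin/sh
# Added example, not from the CSL primer: map the nine permission characters
# shown by ls -l onto the three octal digits chmod accepts, and use that to
# flag entries whose Others triple is not "---".

# mode_to_octal "rwxr-x---" prints 750. A ten-character ls -l mode such as
# "drwx--x---" is accepted too: the leading file-type character is dropped.
mode_to_octal() {
    case $1 in
        [-dlbcps]?????????*) rest=${1#?} ;;   # full ls -l mode: drop type char
        *) rest=$1 ;;
    esac
    rest=${rest%[+.@]}                        # drop ACL / context marker, if any
    out=""
    while [ -n "$rest" ]; do
        digit=0
        for weight in 4 2 1; do               # r=4, w=2, x=1 within each triple
            c=${rest%"${rest#?}"}             # first remaining character
            rest=${rest#?}
            case $c in
                r|w|x|s|t) digit=$((digit + weight)) ;;  # s/t: x bit is set
                -|S|T) ;;                                # bit is off
                *) echo "bad mode character: $c" >&2; return 1 ;;
            esac
        done
        out="$out$digit"
    done
    printf '%s\n' "$out"
}

# Constructed sample listing in ls -l format (modelled on the primer's example).
SAMPLE_LISTING='drwx--x---  59 jeb  lab      98304 May 20 15:34 mail
-rw-rw-r--   1 jeb  lab       6753 Jun 17  2016 note
-rw-rw-rw-   1 jeb  lab        120 Jun 17  2016 todo'

# open_to_others LISTING: for each line whose Others triple grants anything,
# print "name octal" followed by the chmod command that would close it.
open_to_others() {
    printf '%s\n' "$1" | while read -r mode links user group size mon day tm name; do
        octal=$(mode_to_octal "$mode") || continue
        others=${octal#??}                    # third digit is the Others triple
        [ "$others" != 0 ] || continue
        printf '%s %s: chmod o= %s\n' "$name" "$octal" "$name"
    done
}

open_to_others "$SAMPLE_LISTING"
```

Run against a real directory with open_to_others "$(ls -l)" and review the suggested chmod lines before applying any of them.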

The permissions that are used by default when you create new directories and files are affected by the file mode creation mask (the umask) that is in effect, and the umask is changed via the umask command. Umask is a bit technical, but we are happy to help anyone to set their umask in whatever way meets their needs - though most people never alter their umask setting.

A note about paths: To get to a particular file or directory in a Unix filesystem, you need to pass through each directory in the path, starting at the top of the hierarchy ('/'). So, for each directory along the way, you need at least eXecute permission for your user-type relative to that directory. For example, if you are the owner (User) of a particular directory in the path, then at least u+x must be set for that directory for you to get to the rest of the path. Similarly, if you are not the owner, but are in the Group, then at least g+x must be set for that directory in order to pass through. If you're neither the owner nor in the Group, then at least o+x must be set. Otherwise, no matter how open the permissions on the final destination (the last item in the path), if you can't get through any one of the preceding directories, then the destination cannot be accessed.

If you have any questions, please contact the Lab Staff.