Unix File Permissions

From DreamHost

Overview

This wiki is a brief summary of permissions that can be assigned to files and folders at DreamHost. If necessary, view the SSH article for instructions on how to log in to your server depending on your Operating System.

User and Group

Every file in a Unix system is assigned both a user and a group. The following sections detail the ownership of each.

User

Every file in Unix is assigned a user.

This user:

  • is the owner of the file.
  • has permission to change the group and mode of the file.

No one else (but the administrators) is able to make these changes, and only the administrators can change the owner of a file.

The command to change the owner is chown:

 $ chown exampleuser file.txt

The user named "exampleuser" now owns "file.txt". This only works if you’re the superuser.

The work-around to change the file owner for non-superusers is to copy the file(s) to a new location where, as the user, you wish to own the files. The files are owned by this user in the new location. It's not much of a work-around, but it's occasionally useful.

More information regarding the chown command can be found here.

Group

Every file in Unix is assigned a group. This is the "group owner" of the file. Unix groups allow you to grant access to a number of users. You can create Unix Groups in your panel on the (Panel > ‘Users’ > ‘Unix Groups’) page.

The command to modify the group is chgrp. You may only modify the group of files you own, and you can only set the group owner to the name of a group of which you are a member:

 $ chgrp examplegroup file.txt

The group named "examplegroup" now owns "file.txt".

For more information on:

  • groups, please see Unix Groups.
  • what this command is and how it could be used, please see Chgrp.

Mode

Every file in Unix is assigned a mode. The mode determines the type of file being viewed, the access allowed to the file by different groups, and a few other things.

The command to modify the mode is chmod and users can only modify files they own.

The type of file

The first thing the mode determines is the type of file. This part cannot be altered through chmod, though it is shown when you list the files and folders in a directory with a command such as “ls -l”:

$ ls -l
drwxrwsr-x    9 bob      webmasters   4096 Apr  4 19:44 dir
-rw-rw-r--    1 bob      webmasters   6121 Apr  4 19:44 file.txt
lrwxrwxrwx    1 bob      webmasters     11 Apr 11 14:08 link -> dir

To the far left of each file or directory name, there are ten characters which show the attributes and permissions of the file.

The first column indicates whether the entry is a:

  • directory (d),
  • a regular file (-), or
  • a symbolic link (l).

Permission groups

The other nine characters are organized into three groups of three:

(drwxr-xr-x) – The first group of three characters after the file type ("rwx" here) pertains to the owner permissions. (You are the owner of your files.)
(drwxr-xr-x) – The second group of three characters after the file type ("r-x" here) pertains to group permissions. These permissions are shared by other users in your same group.
(drwxr-xr-x) – The third group of three characters after the file type ("r-x" here) pertains to anyone else (such as the public).

Permission types for files, directories, and links

The nine characters that follow the file type determine the permissions that each group has on a file or directory.

The following describe the permissions for a regular file:

    The “r” permission-
    Read ("r") means that the grantee has permission to open the file and look at its contents.
    The “w” permission-
    Write ("w") means that the grantee has permission to edit or delete the file.
    The “x” permission-
    Execute ("x") means that the grantee can run the file like a program (for example, for scripts).

The following describes permissions for a directory:

    The “r” permission-
    Read ("r") means that the grantee has permission to see what files and directories have been placed inside of that directory.
    The “w” permission-
    Write ("w") means that the grantee has permission to create new files within that directory and to delete the directory (when empty).
    The “x” permission-
    Execute ("x") means that the grantee can "cd" or change into the directory. (Without "x", the user can't actually read or write either.)

Note: For a link, the mode always gives all permissions. That is, since the symbolic link acts like the file or directory it points to (e.g., cd link above would change you into dir), the permissions of the destination are the permissions that are really in effect.


Special permissions

Special permissions can be added that automatically change the user or group, or that mark a directory as a "temporary" directory.

The ‘s’ flag

An ‘s’ can be added to the owner or group ‘read’ permission. This indicates the setuid/setgid permission.

  • If set on the group read permission, it sets the setgid bit. This means that any user who changes into that directory suddenly performs all actions as if the owner's group was their default group. This can be helpful if you want all files in that directory to be created/owned by that owner group.
  • If set on the owner's read permission, it sets the setuid bit. This is not usually a good idea, so don't do it unless you really know what you're doing.

The ‘t’ flag

The t flag is basically the same thing as the "s" flag for a user or group, but is used when applied to all others. Here, the meaning is a little different. It means that anyone can create a file in the directory, but only the owner is allowed to remove the file, regardless of permissions set. This is the "temporary" directory permission and should also be avoided unless you really know what you're doing.

Review the following Linux article for further details:

chmod

There are a few ways to set permissions using chmod. The first is “Named Mode”, which is a bit simpler to understand using the following information. The second is “Numeric Mode”, which is a bit more on the technical side.

Named Mode

There are two sets of permissions to assign when using ‘Named Mode’, which are ‘who’ and ‘what’ permissions. For example:

    who permissions
    u    change the user bits
    g    change the group bits
    o    change the other bits
    a    change the bits for everybody

    what permissions
    r    grant read access
    w    grant write access
    x    grant execute access
    s    set the sticky bit

Using (“+”) and (“-”) with the information above, you’d combine permissions from the ‘who’ and ‘what’ groups to assign the exact permissions you desire.

Examples

The format to use chmod in the following commands is:

 chmod "groups"+"access" file.example

Allows everybody to read file.txt. In the following example, ‘a’ is the bit for ‘everybody’ and the ‘r’ (read) permission is added:

 $ chmod a+r file.txt

Strips everybody of all permissions, except for the owner, who retains any former permissions. In the following example, ‘g’ is the group bit, ‘o’ is the ‘other users’ bit, and the (“-”) sign removes all permissions (rwx):

 $ chmod go-rwx file.txt

The file named script.cgi is now executable by the user and group. In the following example, ‘u’ is the user bit, ‘g’ is the ‘group’ bit, and the ‘x’ permission is added to both:

 $ chmod ug+x script.cgi

All files created in the directory somedir are owned by the group that owns somedir. In the following example, ‘g’ is the group bit and the ‘s’ flag is added to it:

 $ chmod g+s somedir

Numeric Mode

Using the numeric mode, you can assign numbers to each permission. For example:

4 = r
2 = w
1 = x

Then, you would add all three together in each set of permissions to get the full value. The following table illustrates this idea:

    7    read, write, and execute ("rwx")    4 + 2 + 1 = 7
    6    read and write ("rw-")              4 + 2 = 6
    5    read and execute ("r-x")            4 + 0 + 1 = 5
    4    read only ("r--")                   4 + 0 + 0 = 4
    3    write and execute (rare) ("-wx")    0 + 2 + 1 = 3
    2    write only (rare) ("-w-")           0 + 2 + 0 = 2
    1    execute only (rare) ("--x")         0 + 0 + 1 = 1
    0    no permissions ("---")              0 + 0 + 0 = 0

Remember, there are three sets of permissions:

  • User
  • Group
  • Other

Thus, all three must now be added together to get the full value.
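
The addition described above can be carried out on the mode column of the "ls -l" listing shown earlier. The following is an added example, not DreamHost's code: the function name ls_mode_to_octal is made up for illustration, and it goes beyond the table by also decoding the s and t letters, assuming the standard values 4000 (setuid), 2000 (setgid) and 1000 (t flag), which this page does not list.

```shell
#!/bin/sh
# Added example, not DreamHost's code. The s/t handling assumes the standard
# values 4000 (setuid), 2000 (setgid) and 1000 (t flag); the page lists none.

# ls_mode_to_octal MODE: print "<type> <numeric mode>" for a 10-character
# `ls -l` mode column such as drwxrwsr-x. Returns 1 on malformed input.
ls_mode_to_octal() {
    mode=$1
    [ "${#mode}" -eq 10 ] || { echo "need 10 characters, got: $mode" >&2; return 1; }
    case $mode in
        d*) kind=directory ;;
        -*) kind=file ;;
        l*) kind=symlink ;;
        *)  echo "unknown file type in: $mode" >&2; return 1 ;;
    esac
    rest=${mode#?}                 # the nine permission characters
    digits='' special=0 weight=4   # weight: 4 for user, 2 for group, 1 for other
    for who in user group other; do
        tail=${rest#???}; triad=${rest%"$tail"}; rest=$tail
        n=0
        case $triad in r??) n=$((n + 4)) ;; -??) ;; *) return 1 ;; esac
        case $triad in ?w?) n=$((n + 2)) ;; ?-?) ;; *) return 1 ;; esac
        case $who:$triad in
            *:??x) n=$((n + 1)) ;;
            *:??-) ;;
            # lower case: the special bit and execute are both set
            user:??s|group:??s|other:??t) n=$((n + 1)); special=$((special + weight)) ;;
            # upper case: the special bit is set, execute is not
            user:??S|group:??S|other:??T) special=$((special + weight)) ;;
            *) return 1 ;;
        esac
        digits=$digits$n
        weight=$((weight / 2))
    done
    [ "$special" -eq 0 ] && special=''   # print three digits when no special bit is set
    printf '%s %s%s\n' "$kind" "$special" "$digits"
}

# The three mode columns from the `ls -l` listing on this page.
for m in drwxrwsr-x -rw-rw-r-- lrwxrwxrwx; do
    ls_mode_to_octal "$m"
done
```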

Examples

    Command Permissions

    $ chmod 600 file.txt

    -rw-------

    • Only the User has read and write permissions.

    $ chmod 700 dir

    drwx------

    • Only the Owner has read, write and execute permissions.

    $ chmod 755 program

    -rwxr-xr-x

    • The User has read, write and execute permissions.
    • The Group only has read and execute permissions.
    • All others have read and execute permissions.

    $ chmod 644 file.txt

    -rw-r--r--

    • The User has read and write permissions.
    • The Group has read permissions.
    • Others have read permissions.

    $ chmod 664 file.txt

    -rw-rw-r--

    • The User has read and write permissions.
    • The Group has read and write permissions.
    • Others have only read permissions.
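
Numeric modes also work as a search filter, which is useful for checking your own directories for the permissions this page advises against. The following is an added example, not DreamHost's code: the function names and the sample tree are constructed for illustration, and the values 4000, 2000 and 1000 are the standard numbers for setuid, setgid and the t flag, which this page does not list.

```shell
#!/bin/sh
# Added example, not DreamHost's code. 4000/2000/1000 are the standard
# setuid/setgid/t-flag values; the page itself only names the letters.

# report LABEL FIND-ARGS...: print "LABEL<TAB>path" for every match.
report() {
    label=$1; shift
    find "$@" -print | while IFS= read -r path; do
        printf '%s\t%s\n' "$label" "$path"
    done
}

# audit_modes DIR: list entries whose mode carries a risky bit.
# find's "-perm -MODE" matches when every bit in MODE is set on the entry.
audit_modes() {
    report 'world-writable file'           "$1" -type f -perm -0002
    report 'world-writable dir, no t flag' "$1" -type d -perm -0002 ! -perm -1000
    report 'setuid file'                   "$1" -type f -perm -4000
    report 'setgid file'                   "$1" -type f -perm -2000
}

# make_sample_tree: build a constructed directory tree and print its path.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/private" "$root/dropbox" "$root/tmp"
    : > "$root/ok.txt";   chmod 644  "$root/ok.txt"
    : > "$root/open.txt"; chmod 666  "$root/open.txt"   # writable by others
    : > "$root/helper";   chmod 4755 "$root/helper"     # setuid
    chmod 700  "$root/private"
    chmod 777  "$root/dropbox"   # anyone can create and remove files here
    chmod 1777 "$root/tmp"       # same, but the t flag limits removal
    printf '%s\n' "$root"
}

tree=$(make_sample_tree) && audit_modes "$tree" && rm -rf "$tree"
```

Point audit_modes at a directory such as your site's document root; paths containing newlines are split across lines by the read loop.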

Note: While the above chmod commands are useful, it is understandable if a user doesn’t want to log in via SSH just to change permissions on a file. Fortunately, many FTP clients such as FileZilla have the ability to change permissions directly within the client.

