Unix File Permissions

Unix file permissions control who can access or modify files on DreamHost's servers. CHMOD is a command for controlling Unix File Permissions. It lets you tell the system how much (or little) access it should permit to a file. There are really only three fields to worry about on each file: user, group, and mode.

User
Every file in Unix is assigned a user. This user is the owner of the file. The owner has permission to change the group and mode of the file. No one else (except the administrators) is able to make these changes. Only the administrators can change the owner of a file (there is a work-around to this too, though).

This doesn't make much difference on DreamHost, but if you happen to have administrative access elsewhere, this can be useful knowledge. The command to modify the owner is chown.

$ chown bob file.txt

The user named "bob" now owns "file.txt" (that is, if you're the superuser, otherwise, this will fail).

The "work-around" to change file owner for non-superusers is to copy the file(s) to a new location as the user you want to own the files. The files will be owned by this user in the new location. It's not much of a work-around, but it's occasionally useful.

Group
Every file in Unix is assigned a group. This is the "group owner" of the file. Unix groups (you can create them through the DreamHost panel) allow you to grant access to a limited number of users. The group affects every member of the group.

The command to modify the group is chgrp. You may only modify the group of files you own. You may only set the group owner to the name of a group you are a member of:

$ chgrp webmasters file.txt

The group named "webmasters" now owns "file.txt".

For more information on groups, please see Unix Groups.

Mode
Every file in Unix is assigned a mode. This is the most complicated piece of all. It determines what kind of file you are looking at, what kind of access the user and group and all others have to the file, and determines a couple other extra features about the file.

The command to modify the mode is chmod. You may only modify the mode of files you own. The use of this command requires a more detailed explanation of what mode is.

What kind of file?
The first thing mode determines is the kind of file. This part you can't mess with through chmod, but you'll notice it if you run ls -l:

$ ls -l
drwxrwsr-x   9 bob      webmasters   4096 Apr  4 19:44 dir
-rw-rw-r--   1 bob      webmasters   6121 Apr  4 19:44 file.txt
lrwxrwxrwx   1 bob      webmasters     11 Apr 11 14:08 link -> dir

In this listing we can see that the mode of dir shows that it is a directory (the first "d"). The mode of file.txt is a regular file (as indicated by the "-"). The final one, "link", is a symbolic link, as noted by the "l".

To the far left of each file or directory name there are ten characters which show the attributes. The first character indicates whether the entry is a directory (d) or not (-). The other nine characters are organized into three groups of three. The first group (d rwx r-xr-x) pertains to the owner (that would be you for your files). The second group (drwx r-x r-x) pertains to people in your group. The third group (drwxr-x r-x) pertains to everyone else.

What kind of access?
If you look back at the listing in the previous section, we see the access permissions too. Those are set by all those rwx's. An "r" indicates that read access is being granted. A "w" indicates that write access is being granted. And an "x" indicates that execute access is being granted. (We'll worry about the "s" in the next section.)

For a regular file, read ("r") means that the grantee has permission to open the file and look at its contents. Write ("w") means that the grantee has permission to edit or delete the file. Execute ("x") means that the grantee can run the file like a program (for example, for scripts).

For a directory, read ("r") means that the grantee has permission to see what files and directories have been placed inside of that directory. Write ("w") means that the grantee has permission to create new files within that directory and to delete the directory (when empty). Execute ("x") means that the grantee can "cd" or change into the directory. (Without "x", the user can't actually read or write either.)

For a link, the mode always gives all permissions. That is, since the symbolic link acts like the file or directory it points to (e.g., cd link above would change you into dir), the permissions of the destination are the permissions that are really in effect.

Now, why repeat rwx three times? The first time is for the user, the second for the group, and the third is for everybody else. Thus, for dir above, the user and group have "r", "w", and "x" so they can do anything with or to the directory. However, any user that doesn't match the owner or group can only change into it and read the list of files in it.

The file.txt is similar. The user and group can read and write the file, but everyone else can only read it.

Special features?
Basically, the "special features" are the ability to make an action automatically take on the file's user or group, and the ability to mark a directory as a "temporary" directory.

The "s" above for the group (middle) settings shows that the "sticky" or "setgid" bit is set. This means that any user who changes into that directory suddenly performs all actions as if the "webmasters" group was their default group. This can be helpful if you want all files in that directory to be created owned by that webmasters group.

The "s" flag can also be set for the user, which makes the user "sticky" or "setuid". This is not usually a good idea, so don't do it unless you really know what you're doing.

The "t" flag is basically the same thing as the "s" flag for user or group, but is used when applied to all others. Here, the meaning is a little different. It means that anyone can create a file in the directory, but only the owner is allowed to remove the file, regardless of permissions set. This is the "temporary" directory permission and should also be avoided unless you really know what you're doing.

Back to chmod
Now, to make things more complicated, chmod actually has a couple of ways to be used. There's a "named mode" which is a little easier to comprehend and there's a "numeric mode" which exposes a little more of the guts.

Named Mode
Here we give names to all the involved parties. They come in two parts, a "who" and a "what."

who

 * u - the user (the owner of the file)
 * g - the group
 * o - others (everyone else)
 * a - all of the above

what

 * r - read
 * w - write
 * x - execute
 * s - setuid (with "u") or setgid (with "g")
 * t - the "temporary" directory (sticky) bit

Then, we use one or more from the first group combined with one or more from the second group and use a plus ("+") or minus ("-") to glue them together to do what you want.

Examples

$ chmod a+r file.txt

This will allow everybody to read file.txt.

$ chmod go-rwx file.txt

This strips everybody of all permissions, except for the owner (who retains whatever permissions she had before).

$ chmod ug+x script.cgi

The file named script.cgi is now executable by the user and group.

$ chmod g+s somedir

Now, all files created in the directory somedir will be owned by the group that owns somedir.
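Applying the named modes above, and the numeric ones from the next section, to scratch files so you can see the resulting mode column of ls -ld. This is an added example, not DreamHost's own code; the helper mode_after, its argument order, and the temporary directory it builds are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not DreamHost's own code): apply chmod arguments, named or
# numeric, to scratch files and report the resulting mode column of `ls -ld`.
# Every path used here lives under a temporary directory built for the example.

# mode_after START_MODE CHMOD_ARG KIND
#   Creates a scratch file (KIND=f) or directory (KIND=d), sets START_MODE
#   with numeric chmod so the result does not depend on your umask, applies
#   CHMOD_ARG, and prints the ten-character mode column (e.g. "-rw-r--r--").
mode_after() {
    start=$1; arg=$2; kind=$3
    scratch=$(mktemp -d) || return 1
    if [ "$kind" = d ]; then
        path=$scratch/somedir; mkdir "$path"
    else
        path=$scratch/file.txt; : > "$path"
    fi
    chmod "$start" "$path" || { rm -rf "$scratch"; return 1; }
    chmod "$arg" "$path"   || { rm -rf "$scratch"; return 1; }
    ls -ld "$path" | cut -c1-10
    rm -rf "$scratch"
}

# show START_MODE CHMOD_ARG KIND LABEL - print one line of the walk-through.
show() {
    printf 'start %s, chmod %-7s -> %s   (%s)\n' \
        "$1" "$2" "$(mode_after "$1" "$2" "$3")" "$4"
}

# The named-mode examples from the text, each from a chosen starting mode.
show 640 a+r    f "everybody may now read file.txt"
show 664 go-rwx f "only the owner keeps her permissions"
show 664 ug+x   f "user and group may execute script.cgi"
show 775 g+s    d "new files in somedir inherit its group (note the s)"
show 777 +t     d "temporary directory: only a file's owner may remove it (note the t)"

# The same idea expressed numerically.
show 644 600 f "only the user may read and write"
show 777 700 d "only the user may enter and use the directory"
show 644 755 f "everyone may read and run, only the owner may modify"
show 600 664 f "user and group may write, everyone may read"
```

The lowercase "s" and "t" only appear when the matching execute bit is also set; start from a mode without group or other execute and ls shows a capital "S" or "T" instead.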

Numeric Mode
To understand numeric mode fully, you need to understand a bit about octal, that is, base-8 numbers. (Binary is base 2. Decimal is base 10. Get it? If not, you can probably understand this without.) Basically, the "rwx" settings for each of user, group, and other can be represented by a single octal digit each. The names are assigned to numbers, "r" to 4, "w" to 2, and "x" to 1. Adding them together will get you the digit you need to set. The first digit (the "hundreds") is used for user permissions. The second digit (the "tens") is used for group permissions. The third digit (the "ones") is used for other permissions.

Thus:

 * 0 - --- (no access)
 * 1 - --x (execute only)
 * 2 - -w- (write only)
 * 3 - -wx (write and execute)
 * 4 - r-- (read only)
 * 5 - r-x (read and execute)
 * 6 - rw- (read and write)
 * 7 - rwx (read, write, and execute)

More examples:

$ chmod 600 file.txt

Only the user is allowed to read file.txt.

$ chmod 700 dir

Only the user is allowed to change into and work with the contents of the dir directory.

$ chmod 755 program

All users are allowed to read the contents of and execute the program program, but only the owner is allowed to modify it.

$ chmod 644 file.txt

All users are allowed to read the contents of file.txt, but only the user can write.

$ chmod 664 file.txt

All users are allowed to read the contents of file.txt, but only the user and group can write.

Sticky and Numeric Mode
Yes, you can set the sticky bits too with the numeric mode. The fourth digit (in the "thousands" place) can be used such that 1 sets stickiness for everybody (temporary directory), 2 for group, and 4 for the user. Again, do not do this unless you are really sure you know what you're doing.
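Going the other way, from the ten-character mode column in the ls -l listing earlier on this page back to the octal number chmod takes, including the "thousands" digit for the special bits described in this section. This is an added example, not DreamHost's own code; the function names mode_type and mode_to_octal are made up here, and the three listing entries are copied into the script as plain strings.

```shell
#!/bin/sh
# Added example (not DreamHost's own code): decode the ten-character mode
# column printed by `ls -l` (e.g. "drwxrwsr-x") into the file type and the
# four-digit octal number that chmod accepts (e.g. "2775").

# mode_type MODE - the file kind named by the first character.
mode_type() {
    case $1 in
        d*) echo "directory" ;;
        l*) echo "symbolic link" ;;
        -*) echo "regular file" ;;
        *)  echo "other" ;;
    esac
}

# mode_to_octal MODE - the "thousands" digit collects the special bits
# (4 setuid, 2 setgid, 1 sticky); the other three digits add r=4, w=2, x=1
# for user, group and other, in that order.
mode_to_octal() {
    m=$1
    if [ "${#m}" -ne 10 ]; then
        printf '%s\n' "expected 10 characters, got: $m" >&2
        return 1
    fi
    special=0; digits=""; i=2
    while [ "$i" -le 10 ]; do
        triad=$(printf '%s' "$m" | cut -c"$i"-"$((i + 2))")
        digit=0
        case $triad in r??) digit=$((digit + 4)) ;; esac
        case $triad in ?w?) digit=$((digit + 2)) ;; esac
        # a lowercase "s" or "t" in the execute slot means execute is set too;
        # a capital "S" or "T" means the special bit is set without execute
        case $triad in ??[xst]) digit=$((digit + 1)) ;; esac
        case $i in
            2) case $triad in ??[sS]) special=$((special + 4)) ;; esac ;;
            5) case $triad in ??[sS]) special=$((special + 2)) ;; esac ;;
            8) case $triad in ??[tT]) special=$((special + 1)) ;; esac ;;
        esac
        digits="$digits$digit"
        i=$((i + 3))
    done
    printf '%s%s\n' "$special" "$digits"
}

# Walk through the listing shown in the text (constructed here as plain strings).
for entry in "drwxrwsr-x dir" "-rw-rw-r-- file.txt" "lrwxrwxrwx link"; do
    mode=${entry%% *}; name=${entry#* }
    printf '%-10s %-14s chmod %s %s\n' \
        "$mode" "$(mode_type "$mode")" "$(mode_to_octal "$mode")" "$name"
done
```

The dir entry decodes to 2775: the "s" in the group triad contributes both the group execute bit (the 7) and the setgid bit (the leading 2).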

Other Resources

 * Unix account setup
 * UNIX commands
 * CHMOD
 * SSH
 * Shell
 * Unix File Permissions Cookbook
 * Unix Groups