Permissions - Intro

If you are just getting into Linux and up to now have only been using MS Windows operating systems, you might find file permissions a bit of a nightmare. Hopefully this page will explain them for you.
Permissions apply to all users on a system apart from the "root" user (the superuser). This is one of the main reasons why you should not log in as "root" except when doing system maintenance.

UNIX file permissions are split into the following three main sections:

  • User (owner of the file).
  • Group (everyone with the same group name as the owner).
  • Others (anyone else on the system).
When a new user is created they are given a user name (what they log in with) and a group name to belong to. These groups are usually self-explanatory and aid system administration, among other things.

Within these three sections you can specify the following options shown in the table below
(in "ls -l" display order).

For the owner of the file:
For the owner's group:
For all others not in the owner's group:

Here is a typical directory listing using the "ls -l" command, with a file's permissions indicated on the left.

[Image: ls -al output showing permissions]

If we take one of the file's permissions and split it up into its different sections, as shown in the diagram below:

[Image: the different permission sections]

As you can see, each section has space for the three options shown in the table above. A "-" character shows that the specific permission is not set.
So, the above set of permissions reads:

  • Read and write permissions for the user who owns the file ("mark" in this case).
  • Read permissions for other users in the same group as the owner ("users" in this case).
  • Read permissions for everyone else on the system.

File permissions also apply to directories in the same way, but the options have a slightly different meaning.

  • Read access allows users to view a directory's contents.
  • Write access allows users to create files in the directory.
  • Execute allows users to change into the directory.

Permissions - Changing

Firstly, normal users can only change the permissions of a file (or directory) if they own it. The owner of a file can be found by again using the "ls -l" command as shown below.

[Image: ls -al output showing file owner]

Changing a file's permissions is done by using the "chmod" (change mode) command. This command is used in two ways, either using numbers or letters.

Using letters (symbolic codes)

First you have to decide which section of the permissions to set. This is done by specifying the first letter of the section, e.g. "g" for group permissions. More than one section can be given in a single command, e.g. typing "ug" will set the permissions for the file's owner and all users in their group. Not specifying a section means that the permissions of all sections will be changed.

Next you need to give the actual permissions you want to set. Using a "+" in front of a permission bit will set it and using a "-" will unset it. For example "+w" will grant write access to the file. More than one permission bit can be given in a command along with different signs.

Here are some examples that should make things clearer:

Current permissions   Command issued             New permissions
-rw-r--r--            chmod +x filename          -rwxr-xr-x
-rw-r--r--            chmod u+x filename         -rwxr--r--
-rwxrwxrwx            chmod go-wx filename       -rwxr--r--

Using numbers (octal)

Most UNIX users find this method the quickest. All you need to do is refer to the first table on this page and look at the numbers for each permission bit. Then add together the values for the permissions you want the file to have. For example:

Start at 0 as old permissions get overwritten.
Add 400 for read access to the file's owner (you).
Add 200 for write access to the file's owner.
Add 40 for read access to all other users in the owner's group.
Add 4 for read access to everyone else.
Total = 0644 (it is best to always use four digits).
This number is then used in the "chmod" command like this: "chmod 0644 filename". This file will then have the permissions of "-rw-r--r--" under the "ls -l" output.
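
The addition method above, run in reverse, as an added example that is not part of the original page: the hypothetical shell function perm_to_octal takes a permission string as printed by "ls -l" and adds up the value of every bit that is set. It goes slightly beyond this section by also handling the special "s" and "t" letters covered under "Permissions - Advanced".

```sh
#!/bin/sh
# Added example (not from the original page): convert an "ls -l" permission
# string to four-digit octal by adding the value of each bit that is set.
# perm_to_octal is a hypothetical helper name.

perm_to_octal() {
    perms=$1
    # Drop the leading file-type character ("-", "d", "l", ...) if present.
    if [ "${#perms}" -eq 10 ]; then
        perms=${perms#?}
    fi
    if [ "${#perms}" -ne 9 ]; then
        echo "bad permission string: $1" >&2
        return 1
    fi

    total=0
    pos=0
    # Value of each position: owner rwx, group rwx, others rwx.
    for value in 400 200 100 40 20 10 4 2 1; do
        pos=$((pos + 1))
        char=$(printf '%s' "$perms" | cut -c"$pos")
        case "$pos$char" in
            ?-)                   ;;                               # bit not set
            [147]r|[258]w|[369]x) total=$((total + value)) ;;
            3s) total=$((total + value + 4000)) ;;  # SETUID and execute
            3S) total=$((total + 4000)) ;;          # SETUID, no execute
            6s) total=$((total + value + 2000)) ;;  # SETGUID and execute
            6S) total=$((total + 2000)) ;;          # SETGUID, no execute
            9t) total=$((total + value + 1000)) ;;  # 1000 bit and execute
            9T) total=$((total + 1000)) ;;          # 1000 bit, no execute
            *)  echo "unexpected '$char' at position $pos" >&2
                return 1 ;;
        esac
    done
    printf '%04d\n' "$total"
}

# Constructed sample strings.
for p in -rw-r--r-- -rwxr-xr-x -rwsr-xr-x drwxrwxrwt; do
    printf '%s  %s\n' "$p" "$(perm_to_octal "$p")"
done
```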

Permissions - Advanced

There are three extra permissions that can be set, shown in the table below. These can be set and unset in the same way as the other permissions shown above.
Note: These permissions only affect executable files.

Special permissions:
s   4000   Set user ID on execution (SETUID)
s   2000   Set group ID on execution (SETGUID)
t   1000   Save text image on swap device

The first two in the list are used when the file involved is a program or script, as when a program is run it normally runs as the user who ran it, eg. if user "bob" executed the file then the file will run under the "bob" user. If you set the "SETUID" bit then the file will run under the file's owner whichever user executes it.
The same applies to the "SETGUID" option but dealing with groups instead.

The last option saves the program onto the system's swap device to speed up execution and run time.

In order to set these special permissions using the symbolic mode (letter) method you must use the following commands. Note how the section (u,g,o) is defined in each.

Setting special permissions:
chmod u+s filename   Make file SETUID
chmod g+s filename   Make file SETGUID
chmod o+t filename   Keep file permanently on swap device

If you want to use the octal way of setting these options, refer to the instructions for standard permissions.
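
Because a SETUID or SETGUID program runs as its owner or group rather than as the user who started it, it is worth knowing which files carry these bits. The following is an added example, not part of the original page: the hypothetical function find_special lists such files under a directory using the octal values from the table above, and demo builds constructed sample files to show the symbolic and octal forms giving the same result.

```sh
#!/bin/sh
# Added example (not from the original page): list regular files that have
# the SETUID (4000) or SETGUID (2000) bit set, with their "ls -l" permissions.
# find_special and demo are hypothetical helper names.

find_special() {
    # $1 = directory to search (defaults to the current directory)
    find "${1:-.}" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print |
    sort |
    while IFS= read -r path; do
        # First ten characters of "ls -l" output are type + permissions.
        printf '%s %s\n' "$(ls -ld "$path" | cut -c1-10)" "$path"
    done
}

demo() {
    # Constructed sample files in a scratch directory.
    dir=$(mktemp -d) || return 1
    touch "$dir/plain" "$dir/suid_sym" "$dir/suid_oct"
    chmod 0755 "$dir/plain"        # ordinary executable, no special bits
    chmod 0755 "$dir/suid_sym"
    chmod u+s "$dir/suid_sym"      # symbolic form
    chmod 4755 "$dir/suid_oct"     # octal form: 4000 + 0755
    find_special "$dir" | sed "s|$dir/||"
    rm -rf "$dir"
}

demo
```

Note that the "s" replaces the "x" in the owner's section of the permission string for both files, while "plain" is not listed at all.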