Permissions - Intro
If you are just getting into Linux and up to now have only been using MS Windows operating systems,
you might find file permissions a bit of a nightmare. Hopefully this page will explain them for you.
Permissions apply to all users on a system apart from the "root" user (the superuser). This is
one of the main reasons why you should not log in as "root" except when doing system
maintenance.
UNIX file permissions are split into the following three main sections:
- User (owner of the file).
- Group (everyone with the same group name as the owner).
- Others (anyone else on the system).
Within these three sections you can specify the following options shown in the table below
(in "ls -l" display order).
For the owner of the file:
Char | Value | Permission |
---|---|---|
r | 400 | Read |
w | 200 | Write |
x | 100 | Execute |

For the owner's group:
Char | Value | Permission |
---|---|---|
r | 40 | Read |
w | 20 | Write |
x | 10 | Execute |

For all others not in the owner's group:
Char | Value | Permission |
---|---|---|
r | 4 | Read |
w | 2 | Write |
x | 1 | Execute |

Here is a typical directory listing using the "ls -l" command, with a file's permissions indicated on the left.
If we take one of the file's permissions and split it up into its different sections as shown in the diagram below:
As you can see, each section has space for the three options shown in the table above.
A "-" character shows that the specific permission is not set.
So, the above set of permissions read:
- Read and write permissions for the user who owns the file ("mark" in this case).
- Read permissions for other users in the same group as the owner ("users" in this case).
- Read permissions for everyone else on the system.
File permissions also apply to directories in the same way, but the options have a slightly different meaning.
- Read access allows users to view a directory's contents.
- Write access allows users to create files in the directory.
- Execute allows users to change into the directory.
Permissions - Changing
Firstly, normal users can only change the permissions of a file (or directory) if they own it. The owner of a file can be found by again using the "ls -l" command as shown below.
Changing a file's permissions is done by using the "chmod" (change mode) command. This command is used in two ways, either using numbers or letters.
Using letters (symbolic codes)
First you have to decide which section of the permissions to set. This is done by specifying the first letter of the section, e.g. "g" for group permissions. More than one section can be given in a single command, e.g. typing "ug" will set the permissions for the file's owner and all users in their group. Not specifying a section means that all sections' permissions will be changed.
Next you need to give the actual permissions you want to set. Using a "+" in front of a permission bit will set it and using a "-" will unset it. For example, "+w" will grant write access to the file. More than one permission bit can be given in a command, along with different signs.
Here are some examples that should make things clearer:
Current permissions | Command issued | New permissions |
---|---|---|
-rw-r--r-- | chmod +x filename | -rwxr-xr-x |
-rw-r--r-- | chmod u+x filename | -rwxr--r-- |
-rwxrwxrwx | chmod go-wx filename | -rwxr--r-- |
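
The three rows above, run against a scratch file (an added example, not part of the original page; "mode_after" is a hypothetical helper name). It also shows that when no section letter is given, chmod leaves alone any bit masked by the current umask, so the first row's result assumes the common umask of 022.

```sh
#!/bin/sh
# Added example: apply a symbolic chmod to a scratch file and report the
# resulting "ls -l" permission string. mode_after is a hypothetical helper.

mode_after() {
    # $1 = starting octal mode, $2 = symbolic mode, $3 = umask (default 022)
    start=$1 change=$2 mask=${3:-022}
    (
        # Subshell so the umask change does not leak into the caller.
        umask "$mask"
        f=$(mktemp) || exit 1
        chmod "$start" "$f"       # octal modes are applied exactly
        chmod "$change" "$f"      # symbolic change under test
        ls -l "$f" | cut -c1-10   # keep only the ten permission characters
        rm -f "$f"
    )
}

# The three table rows, under umask 022:
mode_after 0644 +x       # -rwxr-xr-x
mode_after 0644 u+x      # -rwxr--r--
mode_after 0777 go-wx    # -rwxr--r--

# Same first row under umask 077: with no section letter, chmod skips the
# bits masked by the umask, so only the owner gains execute.
mode_after 0644 +x 077   # -rwxr--r--

# Naming the sections explicitly ("a" = all) ignores the umask.
mode_after 0644 a+x 077  # -rwxr-xr-x
```
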
Using numbers (octal)
Most UNIX users find this method the quickest. All you need to do is refer to the first table on this
page and look at the numbers for each permission bit. Then add together the values for the permissions
you want the file to have. For example:
Add 400 for read access to the file's owner (you).
Add 200 for write access to the file's owner.
Add 40 for read access to all other users in the owner's group.
Add 4 for read access to everyone else.
Total = 0644 (it is best to always use four digits).
Permissions - Advanced
There are three extra permissions that can be set, shown in the table below. These can
be set and unset in the same way as the other permissions shown above.
Note: These permissions only affect executable files.
Special permissions:
Char | Value | Permission |
---|---|---|
s | 4000 | Set user ID on execution (SETUID) |
s | 2000 | Set group ID on execution (SETGUID) |
t | 1000 | Save text image on swap device |

The first two in the list are used when the file involved is a program or script.
When a program is run it normally runs as the user who ran it, e.g. if user "bob"
executed the file then the file will run under the "bob" user. If you
set the "SETUID" bit then the file will run under the file's owner, whichever user
executes it.
The same applies to the "SETGUID" option but dealing with groups instead.
The last option saves the program onto the system's swap device to speed up execution and run time.
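
Because a SETUID or SETGUID program runs with its owner's or group's identity no matter who starts it, it is worth knowing which files carry those bits. The following is an added example, not part of the original page, that lists them with "find"; the helper names and the scratch files are constructed for illustration.

```sh
#!/bin/sh
# Added example: inventory SETUID/SETGUID files under a directory.
# find_special, find_special_writable and demo_tree are hypothetical names.

# Regular files with SETUID (4000) or SETGUID (2000) set.
# -xdev keeps the scan on one filesystem.
find_special() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Subset that the group (020) or others (002) may also write to,
# which deserves a closer look during a review.
find_special_writable() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        \( -perm -020 -o -perm -002 \) -print 2>/dev/null
}

# Constructed scratch tree, so the example never touches real programs.
demo_tree() {
    d=$(mktemp -d) || return 1
    for name in plain suid sgid suid_loose; do : > "$d/$name"; done
    chmod 0755 "$d/plain"        # -rwxr-xr-x
    chmod 4755 "$d/suid"         # -rwsr-xr-x
    chmod 2755 "$d/sgid"         # -rwxr-sr-x
    chmod 4775 "$d/suid_loose"   # -rwsrwxr-x, group-writable
    printf '%s\n' "$d"
}

tree=$(demo_tree)
find_special "$tree" | sort      # sgid, suid, suid_loose
find_special_writable "$tree"    # suid_loose only
rm -rf "$tree"
```

On a real system, point "find_special" at a directory such as /usr and compare the output against a saved list from a known-good state.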
In order to set these special permissions using the symbolic mode (letter) method you must use the following commands. Note how the section (u,g,o) is defined in each.
Setting special permissions:
Command | Permission |
---|---|
chmod u+s filename | Make file SETUID |
chmod g+s filename | Make file SETGUID |
chmod o+t filename | Keep file permanently on swap device |

If you want to use the octal way of setting these options, refer to the instructions for standard permissions.
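
To tie the value tables together, here is an added example (not part of the original page) that converts an "ls -l" permission string to its four-digit octal mode, special permissions included. "perm_to_octal" is a hypothetical helper name; an upper-case "S" or "T" in a listing means the special bit is set but the execute bit in the same position is not.

```sh
#!/bin/sh
# Added example: "ls -l" permission string -> four-digit octal mode, using
# the values from this page's tables. perm_to_octal is a hypothetical name.

perm_to_octal() {
    p=$1
    # Drop the leading file-type character ("-", "d", ...) if present.
    if [ "${#p}" -eq 10 ]; then p=${p#?}; fi
    if [ "${#p}" -ne 9 ]; then
        echo "expected 9 or 10 characters, got: $1" >&2
        return 1
    fi
    total=0   # decimal sum; no digit ever exceeds 7, so it reads as octal
    pos=0
    for value in 400 200 100 40 20 10 4 2 1; do
        pos=$((pos + 1))
        c=$(printf '%s' "$p" | cut -c"$pos")
        case $((pos % 3)) in 1) want=r ;; 2) want=w ;; 0) want=x ;; esac
        # Special bit that shares this execute slot, if any.
        case $pos in
            3) special=4000 low=s up=S ;;   # SETUID
            6) special=2000 low=s up=S ;;   # SETGUID
            9) special=1000 low=t up=T ;;   # "t" bit
            *) special=0 low= up= ;;
        esac
        case $c in
            -) ;;
            "$want") total=$((total + value)) ;;
            "$low")  total=$((total + value + special)) ;;  # special + execute
            "$up")   total=$((total + special)) ;;          # special, no execute
            *) echo "unexpected '$c' at position $pos" >&2; return 1 ;;
        esac
    done
    printf '%04d\n' "$total"
}

perm_to_octal -rw-r--r--    # 0644, the worked total in the octal section
perm_to_octal -rwsr-xr-x    # 4755, SETUID
perm_to_octal -rwxr-sr-x    # 2755, SETGUID
perm_to_octal -rwSr--r--    # 4644, SETUID set without owner execute
```
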