17.7. Viewing and Changing File Permissions
Every Unix file (and directory) is governed by a set of permissions, which defines its access rights. The permissions associated with a file are:
-
r: read access to the file or directory -
w: write access to the file or directory -
x: execute access to the file or directory (for a directory, this means you cancdinto it, for a file it means you can execute it at the command line (e.g.,./filename). The compiler automatically sets the target executable file withxpermission for the owner.
Each file’s permissions also specifies three sets of users:
the file user/owner (u); users in the same group as the file’s
group (g); and other (o) or everybody else. By changing the file
permissions with a file, you can protect or share files
in different ways these different sets of users. For example, file
permission can be set to give the owner read and write access, users
in the file’s group read access, and everybody else no read or write access.
To list file permissions with files and directories use the -l
command line option of ls:
$ls -l
drwx------ 3 sam users 4096 Mar 26 12:49 classes/
drwx------ 2 sam users 4096 Mar 26 12:54 letters/
-rw-r----- 1 sam pals 78 Mar 26 12:51 notes
drwx------ 2 sam users 4096 Mar 26 12:48 projects/The output from ls -l is in the following format (showing
the listing of notes as an example):
type permissions links owner group size modification date name
u g o
- rw- r-- --- 1 sam pals 78 Mar 26 12:51 notes
d rwx --- --- 3 sam users 4096 Mar 26 12:49 classes/
The type is d for directories and - for regular files.
The file permission listings are in three groups of rwx specifying
permissions for the file user or owner (u), group (g), and others (o).
For example, the -rw-r----- associated with the notes file means that
the file owner sam has read and write access to the file (rw-), that the
file’s group, pals has read permission only (r--), and others
have no permissions to access the file (---). The other fields in
the listing show the username of the file owner (sam), the name of the
file’s group (pals), the size of the file in bytes (78), the last time
the file was modified (Mar 26 12:51) and the name of the file (notes).
Also listed are the number of hard links to the file (1), which is
the number of names in the directory structure that refer to this same file.
The listing for classes is drwx------, which means that classes is a
directory, the file owner sam has read, write, and execute permissions
(rwx), and that the directory’s group (users) and others have no access
permissions (---). In other words this is a private directory to the user
sam; no one else can access this directory. We note that a directory must
have execute (x) permission set in order to cd into it. Directories have
link sizes greater than 1 because both the directory name (e.g., classes)
and the name ./ in the directory (and the name ../ in any of its
subdirectories) refer to the same directory. Because classes has one
subdirectory, CS31, its link value is 3.
17.7.1. chmod
The chmod command changes the permissions on a file or directory.
It takes command line arguments that specify how to change the permissions
for the three sets of users associated with every file: user/owner,
group, and other.
One way to run chmod is to give a three digit number as a
command line argument that encodes how to set the permissions. The first
digit specifies the permissions for the file user/owner, the second digit
specifies the permissions for the file group, and the third for all other
users. For example, chmod 700 letters makes letters a private directory;
7 sets the user’s permissions to rwx, and 0 set permissions to ---
for group and others.
To understand what the digits mean, consider each digit represented as
a three bit binary number where a 1 means grant the permission and 0
means don’t grant it for the set rwx. Table 1 shows
some examples.
| Digit | Binary | Permission |
|---|---|---|
|
|
set rwx permissions |
|
|
set r x permissions only |
|
|
set r permission only |
|
|
set rw permissions only |
|
|
clear all permissions…no access |
For example, if sam wants to give read access to the notes file
with all other users and give himself read and write access,
he would run the following command:
$ chmod 644 notes
$ ls -l
drwx------ 3 sam users 4096 Mar 26 12:49 classes/
drwx------ 2 sam users 4096 Mar 26 12:54 letters/
-rw-r--r-- 1 sam pals 78 Mar 26 12:51 notes
drwx------ 2 sam users 4096 Mar 26 12:48 projects/The 644 sets the permissions on notes to -rw-r—r--: 6 gives the
file’s owner rw- access; 4 gives the file’s group r-- access;
and 4 gives other r-- access.
The chmod command can also use the [u,g,o][+,-][permissions]
setting format too. For example, if sam wants to give
the users group write
access to the projects directory, he can specify this permission
using g+w (add write permission to group), and if he wants to
remove read access from notes to others, he can specify o-r
(remove read permission from all):
$ chmod g+w projects
$ chmod o-r notes
$ ls -l
drwx------ 3 sam users 4096 Mar 26 12:49 classes/
drwx------ 2 sam users 4096 Mar 26 12:54 letters/
-rw-r----- 1 sam pals 78 Mar 26 12:51 notes
drwx-w---- 2 sam users 4096 Mar 26 12:48 projects/And when he realizes that giving the users group write access to his
projects directory was a terrible idea, he can remove it using g-w:
$ chmod g-w projects
$ ls -l projects
drwx------ 2 sam users 4096 Mar 26 12:48 projects/The chmod command has other command line options, including a
recursive flag to recursively change permissions on a full subdirectory’s
contents. See the man page for more details.
Linux also supports access control lists (ACLs), which allow a much richer
set of permissions to be associated with files and directories. The
man page for getfacl and setfacl contain information about ACLs, but
the details are beyond the scope of our coverage.
17.7.2. chgrp
The chgrp command can be used to change the group associated with a
file or directory. Unix groups typically need to be created by a
system administrator who has root access on the system (the root user
is the Unix superuser account that has access rights to the filesystem
that a regular user does not have).
If the user sam is part of a group named proj3 with two other users, sam
can change the group and set permissions on their projects directory to
give just this group elevated rights to the directory. For example:
$ chgrp proj3 projects # change the projects directory's group to proj3
$ ls -l
drwx------ 3 sam users 4096 Mar 26 12:49 classes/
drwx------ 2 sam users 4096 Mar 26 12:54 letters/
-rw-r----- 1 sam pals 78 Mar 26 12:51 notes
drwx------ 2 sam proj3 4096 Mar 26 12:48 projects/
$ chmod 750 projects # give proj3 group members r and x access to directory
$ ls -l
drwx------ 3 sam users 4096 Mar 26 12:49 classes/
drwx------ 2 sam users 4096 Mar 26 12:54 letters/
-rw-r----- 1 sam pals 78 Mar 26 12:51 notes
drwxr-x--- 2 sam proj3 4096 Mar 26 12:48 projects/Similarly, the chown command changes the owner of a file, but
you need to have root privileges to run it.
|
File group setting and default permissions
Each user has default permissions and a default group that will automatically
be associated with all new files and directories the user creates. Both of
these can be modified in your shell’s config file (e.g., Your default group is specified in the shell environment variable named
Your default file permission are configured from the A |
17.7.3. References
For more information see:
-
The man pages for these commands (e.g.,
man chmod) -
most used Unix commands from cheat-sheets.org
-
Bash Reference Manual from gnu.org.