
File Permissions

Description

Linux, like other Unix-like operating systems, allows multiple users to work on the same server. However, shared access to files poses a risk of exposing classified information, or even of data loss, if other users can reach one's files or directories. To address this, Unix added the file permission feature, which specifies how much power each user has over a given file or directory.

Every file (and directory) has an owner, an associated Unix group, and a set of permission flags that specify read, write, and execute permissions for the user (owner), the group, and other users. Group permissions apply to all users who belong to the group associated with the file, while permissions for other apply to all users who can log in to the system. The command ls -l displays the permissions and associated group for any file:

File permissions

drwx------ 2 user group  2048 Jun 12 2022  Desktop
drwxr-x--- 2 user group  2048 Oct 17 2021  Share
drwxr-xr-x 3 user group  2048 Nov 13 2021  Public
-rw------- 2 user group  1327 Apr  9 2022  private.out
-rwx------ 2 user group 12040 Apr  9 2022  private_exec.sh

The fields above represent, from left to right:

  1. set of ten permission flags
  2. link count
  3. owner
  4. associated Unix group
  5. size
  6. date of last modification
  7. name of the file

The permission flags from left to right are:

Permission Meaning
1 "d" if a directory "-" if a normal file
2, 3, 4 read, write, execute permission for user (owner)
5, 6, 7 read, write, execute permission for group
8, 9, 10 read, write, execute permission for other (world)

and have the following meanings:

Value Meaning
- Flag is not set
r File is readable
w File is writable. For directories, files may be created or removed.
x File is executable. For directories, files may be listed.
s Set group ID (sgid). For directories, files created therein will be associated with the same group as the directory, rather than the default group of the user. Subdirectories created therein will not only have the same group, but will also inherit the sgid setting.

Applying these to the previous example:

drwx------ 2 user group  2048 Jun 12 2022  Desktop
This is a directory named "Desktop", owned by user user and associated with Unix group group. The directory has read, write, and execute permissions for the owner, and no permissions for any other user.

drwxr-x--- 2 user group  2048 Oct 17 2021  Share
This is a directory named "Share", owned by user user and associated with group group. The owner can read and write the directory; all group members can list the contents of the directory. Presumably, this directory would contain files that also have "group read" permissions.

drwxr-xr-x 3 user group  2048 Nov 13 2021  Public
This is a directory named "Public", owned by user user and associated with group group. The owner can read and write the directory; all other users can only read the contents of the directory. A directory such as this would most likely contain files that have "world read" permissions.

-rw------- 2 user group  1327 Apr  9 2022  private.out
This is a normal file named "private.out", owned by user user and associated with group group. It is readable and writable by the owner, but is not accessible to any other user.

-rwx------ 2 user group 12040 Apr  9 2022  private_exec.sh
Finally, this is a normal file named "private_exec.sh", owned by user user and associated with group group. It is executable, as well as readable and writable, for the owner only.

Changing File Permissions

When a file is created, the permission flags are set according to the file mode creation mask, which can be set using the umask command. The file mode creation mask is a three-digit octal value whose nine bits correspond to fields 2-10 of the permission flags. The resulting permissions are calculated as the bitwise AND of the complement of the mask (bitwise NOT) and the default permissions specified by the shell (typically 666 for files and 777 for directories); in other words, every bit set in the mask is cleared from the default. Common useful values are:

Value File permissions Directory permissions
002 -rw-rw-r-- drwxrwxr-x
007 -rw-rw---- drwxrwx---
027 -rw-r----- drwxr-x---
077 -rw------- drwx------
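The umask arithmetic above, worked through in Python as an added example (not code from the original page): apply_umask() performs the "default AND NOT mask" calculation, mode_string() renders the result the way ls -l shows it, and umask_exposure() reports what access a given mask still grants to group and world on new directories. The 666/777 defaults are the ones stated in the text.

```python
# Defaults the shell proposes for a new object before the umask is applied
# (666 for files, 777 for directories, as stated in the text).
DEFAULT_FILE_MODE = 0o666
DEFAULT_DIR_MODE = 0o777


def apply_umask(umask: int, default_mode: int) -> int:
    """Bits set in the umask are cleared from the default: default AND NOT umask."""
    return default_mode & ~umask & 0o777


def mode_string(mode: int, is_dir: bool = False) -> str:
    """Render the nine permission bits as the first field of ls -l, e.g. '-rw-r-----'."""
    out = "d" if is_dir else "-"
    for shift in (6, 3, 0):  # user, group, other triplets
        bits = (mode >> shift) & 0o7
        out += "r" if bits & 4 else "-"
        out += "w" if bits & 2 else "-"
        out += "x" if bits & 1 else "-"
    return out


def umask_effects(umask: int) -> tuple:
    """Return (file permissions, directory permissions) produced by a umask."""
    return (
        mode_string(apply_umask(umask, DEFAULT_FILE_MODE)),
        mode_string(apply_umask(umask, DEFAULT_DIR_MODE), is_dir=True),
    )


def umask_exposure(umask: int) -> list:
    """Name the access a umask still leaves to group and world on a new directory."""
    leftover = apply_umask(umask, DEFAULT_DIR_MODE)
    findings = []
    if leftover & 0o020:
        findings.append("group-writable")
    if leftover & 0o004:
        findings.append("world-readable")
    if leftover & 0o002:
        findings.append("world-writable")
    return findings


if __name__ == "__main__":
    # Reproduces the table above for the four masks it lists.
    for mask in (0o002, 0o007, 0o027, 0o077):
        files, dirs = umask_effects(mask)
        print(f"{mask:03o} {files} {dirs} {umask_exposure(mask)}")
```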

The default umask on the Devana cluster is 002. If needed, it can be changed in your ~/.bash_profile or ~/.bashrc configuration file by appending the following line:

umask XXX

The "change mode" command (chmod) can be used to change the permissions of an existing file or directory. The -R flag applies the change recursively. The command can be invoked with octal values representing the permission flags, such as:

Octal Digit Binary representation (rwx) Permission
0 000 none
1 001 execute
2 010 write
3 011 write and execute
4 100 read
5 101 read and execute
6 110 read and write
7 111 all

Numerical mode change

login01:~ $ touch foo
login01:~ $ ls -l foo
-rw-rw-r--  1 user group        0 Nov 16 05:58 foo
login01:~ $ chmod 744 foo
login01:~ $ ls -l foo
-rwxr--r--  1 user group        0 Nov 16 05:58 foo

Alternatively, the chmod command can be invoked with symbolic modes representing the desired permissions as:

chmod [-R] [classes][operator][modes] file

where the classes determine the combination of user/group/other that the operation applies to, the operator specifies whether permissions are added or removed, and the modes specify the permissions.

Classes

Letter Class Description
u user Owner of the file
g group Users who are members of the file's group
o others Other users who are neither the owner nor members of the file's group
a all All

Operators

Operator Description
+ Add the specified modes to the specified classes
- Remove the specified modes from the specified classes
= The specified modes are made the exact modes for the specified classes

Modes

Mode Name Description
r read Read a file or list a directory's contents
w write Write to a file or directory
x execute Execute a file or traverse a directory
X "special" execute Restrictive version of "x" that applies execute permissions to directories in all cases, and to files only if at least one execute permission bit is already set. It can be used with the "+" operator and the "-R" option, to give group and/or other access to a large directory tree, without setting execute permissions on non-executable files. The command chmod -R go+rX bigdir would set read and execute permissions on every directory, and would set group and other read and execute permissions on files that were already executable by the owner.
s setgid This setting is typically applied to directories, so that any file created in that directory is associated with the directory's group rather than with the default file group of the owner. This is useful in setting up directories where many users share access.

Sets of class/operator/mode may be separated by commas. Using the above definitions, the previous example can be done symbolically:

Symbolic mode change

login01:~ $ touch foo
login01:~ $ ls -l foo
-rw-rw-r--  1 user group        0 Nov 16 05:58 foo
login01:~ $ chmod u+x,go=r foo
login01:~ $ ls -l foo
-rwxr--r--  1 user group        0 Nov 16 05:58 foo
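The symbolic syntax from the Classes, Operators and Modes tables, and the session above, implemented in Python as an added example (not code from the original page, and not a re-implementation of the chmod binary). apply_symbolic() evaluates a spec such as u+x,go=r against a numeric mode, including the "X" rule (execute only for directories or already-executable files) and the setgid bit; ls_string() renders the result as ls -l would. Two simplifications are assumed here: an empty class list means "a" with no umask applied, and "=" leaves setuid/setgid untouched unless "s" is named.

```python
import re

# Bit masks per class and per permission letter, matching the page's tables.
CLASS_BITS = {"u": 0o700, "g": 0o070, "o": 0o007}
CLASS_SHIFT = {"u": 6, "g": 3, "o": 0}
PERM_BITS = {"r": 0o444, "w": 0o222, "x": 0o111}
SUID, SGID = 0o4000, 0o2000
CLAUSE_RE = re.compile(r"^([ugoa]*)((?:[+\-=][rwxXs]*)+)$")


def apply_symbolic(mode: int, spec: str, is_dir: bool = False) -> int:
    """Apply a comma-separated symbolic spec (e.g. 'u+x,go=r') to a mode."""
    for clause in spec.split(","):
        m = CLAUSE_RE.match(clause)
        if not m:
            raise ValueError(f"bad symbolic mode clause: {clause!r}")
        # Assumption: no class, or 'a', means all three classes.
        classes = "ugo" if (not m.group(1) or "a" in m.group(1)) else m.group(1)
        for op, perms in re.findall(r"([+\-=])([rwxXs]*)", m.group(2)):
            mask = 0
            for c in classes:
                for p in perms:
                    if p in PERM_BITS:
                        mask |= PERM_BITS[p] & CLASS_BITS[c]
                    elif p == "X" and (is_dir or mode & 0o111):
                        # 'X': execute only for directories or files already executable
                        mask |= 0o111 & CLASS_BITS[c]
                    elif p == "s" and c in "ug":
                        mask |= SUID if c == "u" else SGID
            if op == "+":
                mode |= mask
            elif op == "-":
                mode &= ~mask
            else:  # '=': replace the rwx bits of the named classes
                clear = sum(CLASS_BITS[c] for c in classes)
                mode = (mode & ~clear) | mask
    return mode


def ls_string(mode: int, is_dir: bool = False) -> str:
    """Render a mode as the first ls -l field, e.g. 'drwxrwsr-x' for a setgid dir."""
    out = "d" if is_dir else "-"
    for cls, special in (("u", SUID), ("g", SGID), ("o", 0)):
        bits = (mode & CLASS_BITS[cls]) >> CLASS_SHIFT[cls]
        out += "r" if bits & 4 else "-"
        out += "w" if bits & 2 else "-"
        if special and mode & special:
            out += "s" if bits & 1 else "S"  # 's' shown in place of the execute flag
        else:
            out += "x" if bits & 1 else "-"
    return out
```

Running apply_symbolic(0o664, "u+x,go=r") reproduces the session above: the -rw-rw-r-- file becomes -rwxr--r-- (0744).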

UNIX groups

Every user on a Unix system is a member of one or more Unix groups, including their default group (generally the same as the username). The command groups <username> lists the group memberships of any user, and id <username> shows the groups together with their ids. Every file (or directory) on the system has an owner and an associated group. When a user creates a file, the file's associated group will be the user's default group. The user (owner) can change the associated group to any of the groups to which the user belongs with the "change group" command: chgrp <group> file.

Created by: marek.steklac