File Permissions
Description¶
Linux, like other Unix-like operating systems, allows multiple users to work on the same server. Sharing a machine, however, carries the risk that other users read sensitive data or modify or delete files they should not touch. To address this, Unix file permissions specify what each user may do with a given file or directory.
Every file (and directory) has an owner, an associated Unix group, and a set of permission flags that specify read, write, and execute permissions for the user (owner), the group, and other users. Group permissions apply to all users who belong to the group associated with the file; permissions for other apply to every other user who can log in to the system. The command ls -l displays the permissions, owner and associated group of any file:
File permissions
drwx------ 2 user group 2048 Jun 12 2022 Desktop
drwxr-x--- 2 user group 2048 Oct 17 2021 Share
drwxr-xr-x 3 user group 2048 Nov 13 2021 Public
-rw------- 2 user group 1327 Apr 9 2022 private.out
-rwx------ 2 user group 12040 Apr 9 2022 private_exec.sh
The fields above represent, from left to right:
- set of ten permission flags
- link count
- owner
- associated Unix group
- size
- date of last modification
- name of the file
The permission flags from left to right are:
Permission | Meaning |
---|---|
1 | "d" if a directory "-" if a normal file |
2, 3, 4 | read, write, execute permission for user (owner) |
5, 6, 7 | read, write, execute permission for group |
8, 9, 10 | read, write, execute permission for other (world) |
and have the following meanings:
Value | Meaning |
---|---|
- | Flag is not set |
r | File is readable. For directories, the entries may be listed. |
w | File is writable. For directories, entries may be created, renamed or removed (regardless of the permissions on the files themselves). |
x | File is executable. For directories, the directory may be entered and its entries accessed by name; listing them still requires r. |
s | In the group position: set group ID (sgid). For directories, files created therein will be associated with the same group as the directory, rather than the default group of the user. Subdirectories created therein will not only have the same group, but will also inherit the sgid setting. In the user position: set user ID (suid); an executable with this bit runs with the owner's identity rather than the caller's, so it must never be set on anything other users can write to. |
Applying these to the previous example:
drwx------ 2 user group 2048 Jun 12 2022 Desktop
drwxr-x--- 2 user group 2048 Oct 17 2021 Share
drwxr-xr-x 3 user group 2048 Nov 13 2021 Public
-rw------- 2 user group 1327 Apr 9 2022 private.out
-rwx------ 2 user group 12040 Apr 9 2022 private_exec.sh
- Desktop: a directory that only the owner can list, enter and modify; group members and others have no access.
- Share: the owner has full access; members of group can list and enter it but cannot create or remove entries; others have no access.
- Public: anyone may list and enter the directory; only the owner may create or remove entries in it.
- private.out: a regular file that only the owner can read and write.
- private_exec.sh: a regular file that only the owner can read, write and execute.
Changing File Permissions¶
When a file is created, the permission flags are set according to the file mode creation mask, which can be set using the umask command. The mask is a three-digit octal value whose nine bits correspond to fields 2-10 of the permission flags; every bit set in the mask is a permission that new objects will not get. The resulting permissions are the bitwise AND of the complement of the mask (bitwise NOT) and the mode requested by the creating program, which is 666 for regular files and 777 for directories in practically all tools. Note that umask can only remove bits: a new regular file never gets execute permission from the mask, it has to be added afterwards with chmod. Common useful values are:
Value | File permissions | Directory permissions |
---|---|---|
002 | -rw-rw-r-- | drwxrwxr-x |
007 | -rw-rw---- | drwxrwx--- |
027 | -rw-r----- | drwxr-x--- |
077 | -rw------- | drwx------ |
Default umask on Devana cluster is 002 and can be changed in your ~/.bash_profile or ~/.bashrc configuration file if needed by appending the following line:
umask XXX
A umask of 002 makes every new file writable by its group. That is harmless while your default group contains only you (see UNIX groups below), but once you create files with a shared project group active, for example inside a setgid project directory, every member of that group can modify them. Use 027 or 077 in that situation unless group write access is actually intended.
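The following script is an added example, not part of the original page: it computes the permissions a given mask should yield using the AND/NOT rule above, converts them to the rwx notation of ls -l, and then checks the prediction against files and directories actually created under that mask in a temporary directory. Masks and modes are passed as three octal digits; the helper names (effective_mode, mode_to_symbolic, predicted_modes, observed_modes) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): compute what a given umask
# leaves of the requested mode, and check the arithmetic against files the
# kernel really creates. Masks and modes are three octal digits.

# effective_mode <requested_octal> <umask_octal> -> resulting mode, e.g. 666 002 -> 664
effective_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# mode_to_symbolic <octal> -> rwx string, e.g. 640 -> rw-r-----
mode_to_symbolic() {
    digits=$1 sym=""
    while [ -n "$digits" ]; do
        rest=${digits#?}              # everything after the first digit
        d=${digits%"$rest"}           # the first digit itself
        case $d in
            0) sym="$sym---" ;; 1) sym="$sym--x" ;; 2) sym="$sym-w-" ;; 3) sym="$sym-wx" ;;
            4) sym="${sym}r--" ;; 5) sym="${sym}r-x" ;; 6) sym="${sym}rw-" ;; 7) sym="${sym}rwx" ;;
            *) return 1 ;;
        esac
        digits=$rest
    done
    printf '%s\n' "$sym"
}

# predicted_modes <umask_octal> -> "<file> <dir>" as the formula predicts
predicted_modes() {
    printf '%s %s\n' \
        "$(mode_to_symbolic "$(effective_mode 666 "$1")")" \
        "$(mode_to_symbolic "$(effective_mode 777 "$1")")"
}

# observed_modes <umask_octal> -> "<file> <dir>" as actually created under that umask
observed_modes() {
    tmp=$(mktemp -d) || return 1
    (
        umask "$1"          # affects only this subshell
        : > "$tmp/f"        # a regular file; the shell requests 666
        mkdir "$tmp/d"      # a directory; mkdir requests 777
    )
    # columns 2-10 of ls -l are the nine permission flags
    printf '%s %s\n' "$(ls -ld "$tmp/f" | cut -c2-10)" "$(ls -ld "$tmp/d" | cut -c2-10)"
    rm -rf "$tmp"
}

# Compare prediction with reality for the masks listed in the table above.
for m in 002 007 027 077; do
    printf 'umask %s: predicted [%s] observed [%s]\n' \
        "$m" "$(predicted_modes "$m")" "$(observed_modes "$m")"
done
```

The observed column is read back from ls -l rather than from stat so the script runs unchanged on GNU and BSD systems; any ACL or SELinux marker ls appends in column 11 is ignored.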
The "change mode" command (chmod) changes the permissions of an existing file or directory. Flag -R applies the change recursively to a directory and everything below it. The command can be invoked with three octal digits, one each for user, group and other, where each digit encodes the rwx bits:
Octal Digit | Binary representation (rwx) | Permission |
---|---|---|
0 | 000 | none |
1 | 001 | execute |
2 | 010 | write |
3 | 011 | write and execute |
4 | 100 | read |
5 | 101 | read and execute |
6 | 110 | read and write |
7 | 111 | all |
Numerical mode change
login01:~ $ touch foo
login01:~ $ ls -l foo
-rw-rw-r-- 1 user group 0 Nov 16 05:58 foo
login01:~ $ chmod 744 foo
login01:~ $ ls -l foo
-rwxr--r-- 1 user group 0 Nov 16 05:58 foo
Alternatively, chmod can be invoked with a symbolic mode describing the desired change:
chmod [-R] [classes][operator][modes] file
where the classes determine the combination of user/group/other that the operation applies to, the operator specifies whether permissions are added, removed or set exactly, and the modes specify the permissions.
Classes
Letter | Class | Description |
---|---|---|
u | user | Owner of the file |
g | group | Users who are members of a file group |
o | others | Other users who are not an owner or members of a file group |
a | all | All |
Operators
Operator | Description |
---|---|
+ | Add the specified modes to the specified classes |
- | Remove the specified modes from the specified classes |
= | The specified modes are made the exact modes for the specified classes |
Modes
Mode | Name | Description |
---|---|---|
r | read | Read a file or list a directory's contents |
w | write | Write to a file or directory |
x | execute | Execute a file or traverse a directory |
X | "special" execute | Conditional version of "x": it grants execute (search) permission to directories in all cases, and to regular files only if at least one execute bit is already set on them. Used with the "+" operator and the "-R" option, it gives group and/or others access to a large directory tree without making non-executable files executable. The command chmod -R go+rX bigdir sets read and execute permission for group and others on every directory and on every file that was already executable by some class (typically the owner); all other files receive read permission only. |
s | setgid | Applied to a directory (chmod g+s), it makes every file created there belong to the directory's group rather than the creator's default group, which is what a directory shared by a project group needs. Applied in the user class (chmod u+s) the same letter sets the set-user-ID bit on an executable, which then runs with the owner's privileges; that is rarely what is intended on shared storage. |
Sets of class/operator/mode may be separated by commas. Using the above definitions, the previous example can be done symbolically (u+x adds execute for the owner, go=r sets group and others to read only):
Symbolical mode change
login01:~ $ touch foo
login01:~ $ ls -l foo
-rw-rw-r-- 1 user group 0 Nov 16 05:58 foo
login01:~ $ chmod u+x,go=r foo
login01:~ $ ls -l foo
-rwxr--r-- 1 user group 0 Nov 16 05:58 foo
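The script below is an added example, not part of the original page: it applies the symbolic forms discussed above (u+x,go=r on a file, a recursive go+rX over a small tree, and a setgid project directory created with chmod 2770) inside a throwaway directory and returns the resulting permission strings, so every claim in the tables can be verified on the machine you are logged in to. The subshell uses umask 002, the default mentioned above, so the starting permissions match the page's example; the helper names (perm_of, group_of, with_tmpdir and the demo_* functions) are this example's own. For the setgid demonstration the script picks one of your secondary groups when you have one, otherwise it falls back to your primary group.

```shell
#!/bin/sh
# Added example (not from the original page): apply the symbolic chmod forms
# described above to a throwaway directory tree and return the resulting
# permission strings, so each claim can be checked on the machine in front of you.

# perm_of <path> -> the nine rwx characters shown by ls -l, e.g. rwxr--r--
perm_of() { ls -ld "$1" | cut -c2-10; }

# group_of <path> -> the group column shown by ls -l
group_of() { ls -ld "$1" | awk '{ print $4 }'; }

# with_tmpdir <function> -> run <function> in a fresh temp dir under umask 002
# (the cluster default described above), then remove the dir again
with_tmpdir() {
    tmp=$(mktemp -d) || return 1
    ( cd "$tmp" && umask 002 && "$@" )
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Symbolic version of the numeric example: rw-rw-r-- becomes rwxr--r--
_symbolic_file() {
    touch foo
    chmod u+x,go=r foo
    perm_of foo
}
demo_symbolic_file() { with_tmpdir _symbolic_file; }

# X on a tree: directories and already-executable files get the execute bit
# for group/other, plain data files only get read.
_capital_x() {
    mkdir -p bigdir/sub
    touch bigdir/data.txt bigdir/sub/run.sh
    chmod -R go= bigdir                  # start with no group/other access at all
    chmod u+x bigdir/sub/run.sh          # the one file that is already executable
    chmod -R go+rX bigdir
    printf '%s %s %s %s\n' "$(perm_of bigdir)" "$(perm_of bigdir/sub)" \
        "$(perm_of bigdir/data.txt)" "$(perm_of bigdir/sub/run.sh)"
}
demo_capital_x() { with_tmpdir _capital_x; }

# setgid directory for a shared project: new files inherit the directory's group.
# A secondary group is used when the caller has one, otherwise the primary group.
_setgid_dir() {
    grp=$(id -Gn | awk '{ print ($2 != "") ? $2 : $1 }')
    mkdir shared
    chgrp "$grp" shared
    chmod 2770 shared                    # the same as chmod u=rwx,g=rwxs,o= shared
    touch shared/report.txt
    printf '%s %s %s\n' "$(perm_of shared)" "$(group_of shared)" "$(group_of shared/report.txt)"
}
demo_setgid_dir() { with_tmpdir _setgid_dir; }

printf 'u+x,go=r   : %s\n' "$(demo_symbolic_file)"
printf 'go+rX      : %s\n' "$(demo_capital_x)"
printf 'setgid dir : %s\n' "$(demo_setgid_dir)"
```

In the go+rX run the tree is first stripped of all group/other permissions so the effect of X is visible: both directories and run.sh end up r-x for group and others, while data.txt only gains r. The setgid line shows the directory as rwxrws--- and the same group name twice, once for the directory and once for the file created inside it.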
UNIX groups¶
Every user on a Unix system is a member of one or more Unix groups, including a default (primary) group, which on most systems is a private group named after the user. The command groups <username> lists the group memberships of a user, and id <username> shows them together with their numeric ids. Every file (or directory) on the system has an owner and an associated group. When a user creates a file, its group is the user's default group, unless the directory carries the setgid bit described above. The owner can change the associated group to any group the owner belongs to with the "change group" command, chgrp <group> file.