Unix Permissions

Access to files and directories in Unix is controlled by permissions and ownership.

When you create a file or directory, by default you are the owner. No one else can enter the directory or read the file unless you explicitly give them permissions to do so.

In addition to the user who owns a file or directory, the file or directory is also owned by a group. This allows certain people to collaborate by working on the same set of files and directories without opening up those files and directories to everyone.

Therefore, the ownership of a file or directory can be broken up into three parts: user, group, and other. The user is the owner who created the file or directory; the group is a set of specified users who are allowed access to the file or directory in order to collaborate; and “other” is, well, everyone else: not the owning user, and not members of the owning group.

Required Reading

Discovering and Interpreting Ownership

To find out who owns a file you can use the ls -ald command. For example:

$ ls -ald /home/groups/*
drwxrwx--- 2 root director   4096 2010-01-06 09:54 /home/groups/director
drwxrwx--- 2 root evaluation 4096 2010-01-06 09:55 /home/groups/evaluation
drwxrwx--- 3 root everybody  4096 2010-01-06 10:34 /home/groups/everybody
drwxrwx--- 2 root postdoc    4096 2010-01-06 09:55 /home/groups/postdoc
drwxrwx--- 2 root nimbiods   4096 2010-01-06 10:04 /home/groups/staff
drwxrwx--- 2 root student    4096 2010-01-06 09:55 /home/groups/student
drwxrwx--- 2 root visitor    4096 2010-01-06 09:55 /home/groups/visitor

To break this down quickly and easily, let's look only at the /home/groups/director listing.

d [r w x] r w x - - - 2 root director 4096 2010-01-06 09:54 /home/groups/director

The bracketed set of characters lists the permissions for user ownership.

The way to read this is:

  • “r” = read permission, “-” = no read permission
  • “w” = write permission, “-” = no write permission
  • “x” = execute permission, “-” = no execute permission
    (for files, an “x” means that the file can be executed as a command; for directories, an “x” means that the directory can be entered with the cd command and read with the ls command)

d r w x [r w x] - - - 2 root director 4096 2010-01-06 09:54 /home/groups/director

The bracketed set of characters lists the permissions for group ownership.

d r w x r w x [- - -] 2 root director 4096 2010-01-06 09:54 /home/groups/director

The bracketed set of characters lists the permissions for everyone else.

d r w x r w x - - - 2 [root] director 4096 2010-01-06 09:54 /home/groups/director

The bracketed column lists the owning user.

d r w x r w x - - - 2 root [director] 4096 2010-01-06 09:54 /home/groups/director

The bracketed column lists the owning group.

What does this mean? Well for /home/groups/director, it means that if you are the user “root”, or if you are in the group “director”, then you can enter the /home/groups/director directory and muck about. Otherwise you're out of luck.

Changing Ownership

You cannot change ownership of a file or directory you do not own (duh!). You also cannot transfer ownership of a file you own to someone else. You can change which group owns a file or directory, but only for groups that you are a part of. Clear as mud? Good.

Changing group ownership is done with the chgrp command:

$ chgrp <group> <file-or-directory>

For example:

$ chgrp postdoc /home/groups/postdoc/file1

The above command changes the group ownership of /home/groups/postdoc/file1 to the “postdoc” group.

Q: What if I don't want any group to own my file or directory?

A: Then change its group ownership to the same group as your username. For example, if Jane Comiskey wanted to be sure that a file was only owned by her, and no one else had ownership, then she would type:

$ chgrp ecomiske file

Changing Permissions

Permissions are changed with the chmod command. Changing permissions is a little more complicated, as you have to specify which of the three owning entities you want to affect: “user”, “group”, or “other”. Here are some examples:

Command             Effect
chmod u+r file      Give read permissions to the owning user.
chmod u-r file      Remove read permissions from the owning user.
chmod u+rwx file    Give read, write, and execute permissions to the owning user.
chmod u-wx file     Remove write and execute permissions from the owning user (make the file read-only for the user).
chmod g+r file      Give read permissions to the owning group.
chmod g-w file      Remove write permissions from the owning group.
chmod o+rwx file    Give read, write, and execute permissions to others.
chmod o-wx file     Remove write and execute permissions from others.

Advanced usage

It is often useful to be able to specify exactly what the permissions should be in only a single step, with a single command. Each of the three sets of permissions can be set using an octal code from the table below:

Octal Permissions
0 - - -
1 - - x
2 - w -
3 - w x
4 r - -
5 r - x
6 r w -
7 r w x

For anyone who's taken some computer classes before this should look familiar – the values in the table are merely counting up from 0 to 7 in binary.

Example Usage:

Command           Effect
chmod 000 file    Set permissions of file to “- - - - - - - - -”
chmod 500 file    Set permissions of file to “r - x - - - - - -”
chmod 755 file    Set permissions of file to “r w x r - x r - x”
chmod 644 file    Set permissions of file to “r w - r - - r - -”
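
One way to apply the reading rules and the octal table above when checking a shared group directory. This is an added example, not part of the original page: perm_to_octal and audit_group_dir are hypothetical helper names, and the directory and group passed in are whatever you want to check.

```sh
#!/bin/sh
# Added example, not part of the original page.

# perm_to_octal MODE: convert the mode column of `ls -l` (for example
# drwxrwx---) to the three octal digits chmod accepts (770). The leading
# type character is skipped and each triad is summed as r=4, w=2, x=1.
# A lowercase s or t in the execute slot means x is set as well; the
# special bits themselves are not reported here.
perm_to_octal() {
    bits=$(printf '%s' "$1" | cut -c2-10)
    digits=""
    for start in 1 4 7; do
        triad=$(printf '%s' "$bits" | cut -c"$start-$((start + 2))")
        n=0
        case $triad in r??) n=$((n + 4)) ;; esac
        case $triad in ?w?) n=$((n + 2)) ;; esac
        case $triad in ??[xst]) n=$((n + 1)) ;; esac
        digits="$digits$n"
    done
    printf '%s\n' "$digits"
}

# audit_group_dir DIR GROUP: print "<octal> <user>:<group> <path>" for
# every entry under DIR that grants any permission to "other" or is not
# owned by GROUP. Symbolic links are skipped because their own mode does
# not control access to the target. No output means the tree is closed
# to everyone outside the owning user and group.
audit_group_dir() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \
        -o ! -group "$2" \) -print |
    while IFS= read -r path; do
        # ls -ld columns: mode, link count, owning user, owning group, ...
        ls -ld "$path" | {
            read -r mode _links user group _rest
            printf '%s %s:%s %s\n' "$(perm_to_octal "$mode")" \
                "$user" "$group" "$path"
        }
    done
}

# Example call using a directory from the listing above:
#   audit_group_dir /home/groups/postdoc postdoc
```

Each reported line can be fixed with the commands from this page, for example chmod o-rwx on the path or chgrp to the expected group.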
unix_permissions.txt · Last modified: 2014/05/27 16:23 by peek