Header left.png

Unix Permissions

From Systems Group
Jump to: navigation, search

Not every file on the system should be readable by everyone. Likewise, some files that everyone needs (such as the executables for commands like cp, mv, etc.) should not be subject to accidental deletion or alteration by ordinary users. This is where file permissions come into play. This page will help you understand Unix file permissions, and how you can use them to your advantage for extra security.

What They Are

Unix allows three forms of access to any file: read, write, and execute. For an ordinary file, if you have read (r) permission, you can use that file as input to any command/program. If you have write (w) permission, you can make changes to that file. If you have execute (x) permission, you can ask the shell to run that file as a program.

The owner of a file can decide to give any, all, or none of these permissions to each of three classes of people: To the owner of the file him/herself To members of a designated .group. established by the systems staff. Groups are generally set up for people who will be working together on a project and need to share files among the group members. To anyone else in the world. These three classes are abbreviated .u. , .g. , and .o. , respectively. The .u. is for .user. , .g. for .group. , and .o. is for .others. . Until you actually join a project that needs its own group, you will mainly be concerned with .u. and .o. classes.

The ls -l command will show the permissions granted to each class. For example, if you said
ls -l ~/playing you might see the response

-rwxrwx--- 1 johndoe student 311296 Jul 21 09:17 a.out

-rw-rw---- 1 johndoe student 82 Jul 21 09:12 hello.c

-rw-rw---- 1 johndoe student 92 Jul 21 09:13 hello.cpp

-rw-rw---- 1 johndoe student 85 Jul 20 15:27 hello.wc

On the far right, you see the actual file names. In front of that you are shown the date and time on which that file was last modified. In front of the date is the size of the file (in bytes). The two columns near the middle that contain names indicating the owner of the file (in this case, the owner has login name johndoe) and the group to which that file is assigned (in this case, the group student). Some typical groups are .wheel. , .faculty. , .gradstud. , and .student. . .Wheel. has no members, but groups like .student. and .gradstud. have very broad membership, as their names imply.19

Finally, look at the pattern of hyphens and letters at the far left of the ls output. The first character will be a .d. if the file is a directory, .-. if it is not. Obviously, none of these are directories. The next 3 positions indicate the owner's (u) permissions. By default, you get read and write permission for your own files, so each file has an .r. and a .w. . a.out is an executable program, so the compiler makes sure that you get execute (x) permission on it. The other files can't be executed, so they get no .x. . This way the shell will not even try to let you use hello.c or any of the other source code files as a program.

The next three character positions indicate the group permissions. In this case, the group permissions are the same as the student owner's permissions - all members of the student group can read or write these files and can execute the a.out program.

The final three character positions indicate the permissions given to the world (others). Note that in this case, people other than the owner or members of the same group cannot read, write, or execute any of these files.

Directories also can get the same rwx permissions, though the meaning is slightly different. If you have read permission on a directory, you can see the list of files in the directory via ls or other commands. If you have execute permission on a directory, then you can use that directory inside a file name to get at the files it contains. So, if you have execute permission but not read permission on a directory, you can use those files in the directory whose names you already know, but you cannot look to see what other files are in there. If you have write permission on a directory, you can change the contents of that directory (i.e., you can add or delete files).

To see what groups you yourself are a member of, give the command groups

If you are a member of more than one group, you can assign your files to any one of those groups. The Unix command chgrp ( .change group. ) is used for this purpose. (back)

chmod

The chmod command changes the permissions on files. The general pattern is chmod class+permissions files, or chmod class-permissions files.

Use + to add a permission, - to remove it. For example, chmod o+x a.out gives everyone permission to execute a.out. chmod g-rwx hello.* denies members of your group permission to do anything at all with the hello program source code files.

You can also add a -R option to chmod to make it recursive (i.e., when applied to any directories, it also applies to all files in the directory (and if any of those are directories, to the files inside them, and if.). For example, if I discovered that I really did not want the group to have permission to write or execute my files in ~/playing, I could say:

chmod -R g-wx ~/playing

umask

Suppose you never use the chmod command. What would be the protection levels on any files you created?

The answer depends upon the value of umask. Look in your ~/.cshrc file for a command by that name, and note the number that follows it. If you don't have one, just give the command umask and note the number that it prints.

The umask number is a 3 digit (base 8) number, similar to the numeric form of the permissions in the chmod command. The first digit describes the default permissions for the owner (you), the second digit describes the default permissions for the group, and the final digit describes the default permissions for others. Each of these three numbers is, in turn, formed as a 3-digit binary number where the first digit is the read permission, the second is the write permission, and the thrid digit is the execute permission.

Unlike the chmod command, however, in each binary digit of the umask, a 0 indicates that the permission is given, a 1 that the permission is denied.

So if my umask is 027, that means that I (the owner) have 000 --- permission to read, write and execute my own files. The group to which a file belongs has 010, permission to read, no permission to write, and permission to execute that file. The rest of the world has 111, no permission to read, write or execute. Of course, these permissions can be changed for individual files via the chmod command. The umask only sets the default permissions for cases where you don't say chmod.

If you want to change your default permissions, you do it via the umask command by giving it the appropriate 3-digit octal number for the new default permissions. Some common forms are:

umask 022

Owner has all permissions. Everyone else can read and execute, but not write.

umask 077

Owner has all permissions. Everyone else is prohibited from reading, writing, or executing. Since the point of the umask command is to establish the default behavior for all your files, this command is normally placed within your .cshrc file.

Planning for Protection

At the very least, you will want to make sure that files that you are preparing to turn in for class assignments are protected from prying eyes. You need to do a little bit of planning to prepare for this. There are two plausible approaches: Use a stringent enough umask (e.g., umask 077) so that everything is protected by default. The only disadvantage is that files that you want to share (e.g., the files that make up your personal Web page) must be explicitly made world-readable (chmod go r files).

Use a more relaxed umask (e.g., umask 022) so that your files are readable by default, but establish certain directories in which you carry out all your private work and protect those directories so that no one can access the files within them. For example, you might do

cd ~

mkdir Assignments

chmod go-rwx Assignments

Now you can put anything you want inside ~/Assignments, including subdirectories for specific courses, specific projects, etc. Even if the files inside ~/Assignments are themselves unprotected, other people will be unable to get into ~/Assignments to get at those files. The one disadvantage to this approach is that it calls for discipline on your part. If you forget, and place your private files in another directory outside of ~/Assignments, then the relaxed umask means that those files will be readable by everyone!