
Unix Permissions


Understanding Unix File Permissions

Unix-based operating systems provide a robust mechanism to control access to files and directories. This is crucial for protecting your data from unauthorized viewing, modification, or execution. This guide will help you understand these permissions and how to manage them effectively.


What Are Unix Permissions?

Core Permission Types

At its heart, Unix file access is governed by three fundamental permission types:

  • Read (r):
    • For files: Allows viewing the contents of the file.
    • For directories: Allows listing the contents of the directory (e.g., seeing filenames).
  • Write (w):
    • For files: Allows modifying or deleting the content of the file.
    • For directories: Allows creating, deleting, or renaming files within the directory (requires execute permission as well).
  • Execute (x):
    • For files: Allows running the file as a program or script.
    • For directories: Allows accessing files within the directory (i.e., "entering" or cd-ing into it).

Permission Classes (Who Gets Access?)

These permissions (r, w, x) can be granted or denied to three distinct classes of users:

  1. User/Owner (u): The person who created or owns the file/directory.
  2. Group (g): A collection of users. If a file belongs to a group, members of that group get these permissions.
  3. Others (o): Everyone else on the system who is not the owner and not in the group.

Viewing Permissions with ls -l

The ls -l command is used to display a detailed listing of files and directories, including their permissions.

If you run ls -l in a directory, you might see output similar to this:

-rwxrwx--- 1 johndoe student 311296 Jul 21 09:17 a.out
-rw-rw---- 1 johndoe student     82 Jul 21 09:12 hello.c
drwxr-x--- 2 johndoe student   4096 Aug 01 10:30 my_project

Let's break down the first line (-rwxrwx---) for the file a.out:

File Type  Owner Permissions  Group Permissions  Others Permissions  Links  Owner    Group    Size    Last Modified  Name
-          rwx                rwx                ---                 1      johndoe  student  311296  Jul 21 09:17   a.out

  • File Type (1st character):
    • -: Regular file
    • d: Directory
    • l: Symbolic link
    • (and others for special file types)
  • Owner Permissions (Next 3 characters): rwx means the owner (johndoe) can read, write, and execute a.out.
  • Group Permissions (Next 3 characters): rwx means members of the student group can read, write, and execute a.out.
  • Others Permissions (Last 3 characters): --- means others have no permissions on a.out.

Directory Permissions Inheritance (Default Behavior)

Permissions set on a directory control access to the directory itself (e.g., listing its contents, creating files within it). Newly created files within a directory do not copy the parent directory's permissions; they typically get default permissions determined by system settings and the user's umask (see below).


Modifying Permissions with chmod (Change Mode)

The chmod command is used to change the permissions of files and directories.

Using chmod with Symbolic Notation

This is often the most intuitive way to use chmod.

Syntax: chmod <class(es)><operator><permission(s)> <file_or_directory>

  • <class(es)>:
    • u: User/Owner
    • g: Group
    • o: Others
    • a: All (u, g, and o). If no class is specified, chmod acts as if a were given, except that permission bits set in the umask are left unchanged.
  • <operator>:
    • +: Add permission(s)
    • -: Remove permission(s)
    • =: Set permission(s) exactly (and remove others for the specified class)
  • <permission(s)>:
    • r: Read
    • w: Write
    • x: Execute

chmod Examples (Symbolic)

  • Give the owner execute permission: chmod u+x myfile.sh
  • Remove write permission for the group and others: chmod go-w important_data.txt
  • Set permissions for others to read-only (removes any existing w or x for others): chmod o=r public_info
  • Allow everyone to read and write, and add execute for the owner only (because + only adds bits, an execute bit that group or others already have is left in place): chmod a+rw,u+x script.pl

Recursive chmod for Directories (-R)

To change permissions for a directory AND all files and subdirectories within it, use the -R (recursive) option. Use with caution!

chmod -R u+w my_project_folder/

This would add write permission for the owner to my_project_folder and everything inside it.

Using Octal Notation with chmod

chmod also accepts octal numbers directly to set permissions. Here, you add the weights for the permissions you want to grant for each class (owner, group, others).

Syntax: chmod <octal_mode> <file_or_directory>

chmod Examples (Octal)

  • Set permissions to rwxr-xr-x (owner: rwx, group: r-x, others: r-x):
    • Owner: 4+2+1 = 7
    • Group: 4+0+1 = 5
    • Others: 4+0+1 = 5
    • Command: chmod 755 my_script.sh

  • Set permissions to rw-r----- (owner: rw-, group: r--, others: ---):
    • Owner: 4+2+0 = 6
    • Group: 4+0+0 = 4
    • Others: 0+0+0 = 0
    • Command: chmod 640 sensitive_data.doc
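
The caution about -R and the octal modes above come together when a whole tree has to be tightened: directories need x to stay enterable, files usually should not get it. The script below is an added example, not part of the original guide; it goes one step beyond the text by using find to give each type its own mode, and the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: the tree below is constructed; function names are hypothetical.

# Octal mode of a path (GNU stat, with BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Directories get 750 (rwxr-x---), regular files get 640 (rw-r-----).
# A plain "chmod -R 640" would also strip x from directories, so they
# could no longer be entered; find lets each type get its own mode.
# find does not follow symbolic links by default.
normalize_tree() {
    find "$1" -type d -exec chmod 750 {} +
    find "$1" -type f -exec chmod 640 {} +
}

# Paths under $1 that group or others may still write to.
# Symbolic links are skipped: access is decided by the link target.
writable_by_non_owner() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -print
}

# Build an over-permissive tree, normalize it, and report:
# "<loose entries before> <loose entries after> <dir mode> <file mode>"
demo() {
    root=$(mktemp -d) || return 1
    proj="$root/my_project"
    mkdir -p "$proj/src"
    printf 'int main(void) { return 0; }\n' > "$proj/src/hello.c"
    printf 'draft\n' > "$proj/notes.txt"
    chmod -R a+rwx "$proj"
    before=$(writable_by_non_owner "$proj" | wc -l | tr -d ' ')
    normalize_tree "$proj"
    after=$(writable_by_non_owner "$proj" | wc -l | tr -d ' ')
    echo "$before $after $(mode_of "$proj/src") $(mode_of "$proj/src/hello.c")"
    rm -rf "$root"
}

demo
```

Running writable_by_non_owner on its own against a real directory is a quick audit for group- or world-writable entries before deciding what to change.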


Setting Default Permissions with umask (User Mask)

The umask command controls the default permissions that are set when new files and directories are created. It specifies which permissions should be removed from the system's default maximum permissions.

Understanding umask and Octal Notation

umask uses a three-digit octal (base-8) number. Each digit corresponds to owner, group, and others, respectively. The value of each digit represents the permissions to be masked out (removed).

Permission Weights (for calculating octal values):

Permission   Read (r)   Write (w)   Execute (x)
Weight       4          2           1

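How umask Works:

  • System default for new files is often 666 (rw-rw-rw-).
  • System default for new directories is often 777 (rwxrwxrwx).
  • The umask value is subtracted from these defaults. Strictly, this is a bitwise mask rather than arithmetic: every permission bit set in the umask is cleared from the default, and a bit that was never in the default (such as x for new files) is simply ignored.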

Example: If umask is 022:

  • For new files: 666 - 022 = 644 (rw-r--r--)
  • For new directories: 777 - 022 = 755 (rwxr-xr-x)

Setting the umask: umask <octal_value>

For example, to set umask so new files are rw-r----- (640) and directories are rwxr-x--- (750), you'd want to mask out 027:

umask 027

  • 0 for owner (mask nothing out: rwx for dirs, rw- for files remains)
  • 2 for group (mask out write: r-x for dirs, r-- for files remains)
  • 7 for others (mask out read, write, execute: --- for dirs and files remains)

You typically set umask in your shell startup files (e.g., .bashrc, .zshrc) to have it apply to all your sessions.
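
To check what a given umask really produces, the following added example (not part of the original guide; the helper name is hypothetical) creates a file and a directory in a throwaway temp directory under each mask and prints the resulting modes. It includes 033 alongside the values from the text to show the mask being applied bit by bit rather than subtracted.

```shell
#!/bin/sh
# Added example: hypothetical helper, run against a throwaway temp directory.

# Print the octal mode a newly created file ("file") or directory ("dir")
# receives under umask $1. The ( ) body is a subshell, so the caller's
# own umask is not changed.
mode_under_umask() (
    umask "$1" || exit 1
    tmp=$(mktemp -d) || exit 1
    if [ "$2" = dir ]; then
        mkdir "$tmp/new"          # requested mode 777, then masked
    else
        : > "$tmp/new"            # requested mode 666, then masked
    fi
    stat -c '%a' "$tmp/new" 2>/dev/null || stat -f '%Lp' "$tmp/new"
    rm -rf "$tmp"
)

# 022 and 027 are the values used in the text; 033 is included because
# digit-by-digit subtraction (666 - 033 = 633) gives the wrong answer there.
for mask in 022 027 033; do
    printf 'umask %s  file %s  dir %s\n' "$mask" \
        "$(mode_under_umask "$mask" file)" "$(mode_under_umask "$mask" dir)"
done
```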