This guide assumes the reader has a basic familiarity with a UNIX shell.
When you start seeing terms such as octal, binary, sticky bits, set UID, set GID, and ACLs, learning how UNIX file permissions work may sound confusing. It's not so bad after a bit of practice. In my opinion, it is easier than Windows permissions. You don't need to understand octal and binary. It could make things a bit more intuitive, but it isn't necessary for understanding the concepts.
Before getting started, you will sometimes see file permissions referred to as file mode. When it comes to Linux and UNIX, the terms file mode and permissions are synonymous.
Every file on a UNIX like system is owned by a user and has a group. The owning user and group along with the permissions are used to determine who can do what with a file.
Every user on a UNIX like system has at least one group they are a member of, called their primary group. A user can be a member of additional groups, called supplementary groups. These groups are used for determining access to files and folders.
Open a terminal and run the command ls -l. Here is the output of ls -l on one of my machines:
drwxr-xr-x 2 nobody tyler 4096 Aug 18 05:16 dir1
-rw-r--r-- 1 tyler root 0 Aug 18 05:16 file1
-rw-r--r-- 1 root games 0 Aug 18 05:16 file2
The columns relevant to permissions are the permission string (first column), the owning user (third), the group (fourth), and the file name (last); the rest can be ignored. In the example above, dir1 is owned by the user nobody and the group tyler. Permission strings usually have four parts: special, user, group, and other. You may see a . or a + at the end of the permission string on your system. A . indicates that the file carries a security label such as an SELinux context, and a + indicates that it has an ACL (or another additional access method); either can affect who can do what with the file.
The permissions string for dir1 in the example above is 'drwxr-xr-x'. Let's break this down into its individual parts:

| Characters | Meaning |
| --- | --- |
| d | The first position shows the file type. |
| rwx | The permissions that apply to the file's owner. |
| r-x | The permissions that apply to the file's group. |
| r-x | The permissions that apply to everyone else. |
Let's start with the file type. In this case it is d, which means this file is a directory. Directories, along with regular files, are the most common types of file you will encounter. Regular files are represented with a '-'. Review your operating system's documentation for a complete listing of all types.
Notice that there are three sets of three characters making up the rest of the permission string. These represent the four (no, that is not a typo) sets of permissions.
The owner section is rwx, group is r-x, and everyone else is also r-x. The positions in each set of characters matter. The left character indicates whether the file can be read or not, the center indicates whether it is writable, and the right whether it is executable. In each set, a letter indicates that something is allowed, and a '-' that it is not allowed. For instance, the 'w' in the owner's string of rwx means that the owner is allowed to write to the file. The '-' in the middle position of the group and everyone strings tells us that members of the file's group and everyone else are not allowed to write to the file.
The execute permission tells you whether or not you are allowed to run a program or script, or use a directory. Generally if you have execute set, you will want read set. There are corner cases where you would want execute but not read set. For example, you may want a user to be able to get to a directory, but don’t want them to see the contents of one or more directories in the path.
You are probably wondering where the fourth, special set is. In the output of ls, the execute positions are replaced with an ‘s’, ‘S’, ‘t’, or ‘T’. A capital letter means that the special permission is on, but the execute permission isn’t. A lower case letter means that the special permission and execute permissions are both on.
The special permissions are set user id (setuid), set group id (setgid), and the sticky bit. Setuid lets you execute a file as the owner instead of the user you are logged in as. The same applies to setgid and the file's group. The sticky bit prevents users from deleting things in a directory, even if they have write access to the directory. Setgid on a directory sets the group of all files created in the directory to the group of the directory. Setuid CAN do the same thing with the owner, but most operating systems don't do this.
You don’t need to know octal and binary to understand this. You just need to be able to add at a first grade level. You will often see permissions represented as a number such as 755 or 0755. The numbers represent the four sets of permissions mentioned: special, owner, group, and others, respectively. If no special permissions are on, it can be omitted. Each permission is given a number. The table below shows the number assignments.
| Permission | Value |
| --- | --- |
| Set User ID | 4 |
| Set Group ID | 2 |
| Sticky Bit | 1 |
| Read | 4 |
| Write | 2 |
| Execute | 1 |
The numeric version is calculated by adding together the positions that are on for each set and concatenating the results. Let's say we have a permission string rw-r--r--. No special permissions are set, so the first number is 0. The owner set has read and write on. Since read is 4 and write is 2, 4+2 = 6. This leaves us with 06 so far. The group and everyone else sets only have read, so they are both 4. Now we have 0644. Not so bad, right?
rwS-w-r-t is a complicated example with special permissions that you will probably never see in practice. The setuid and the sticky bit are set, which are 4 and 1. The special permissions of this file are 5. Since the ‘S’ is capital, the owner has only read and write, which add up to 6, resulting in 56 so far. The group only has write, so now we are at 562. The t is lowercase, meaning that everyone else has execute turned on. 4 + 1 is 5, so we finally arrive at a mode of 5625.
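The arithmetic above can be automated. The following POSIX sh function is an added example, not code from the original post: it takes an ls -l permission string (with or without the leading file-type character, and ignoring a trailing . or +) and returns the four-digit mode. The function name perm_to_octal and the handling of a stray S/T in the "wrong" triple are my own choices; ls never prints those, so they are simply treated as the special bit for that set.

```shell
#!/bin/sh
# Added example: convert an ls -l permission string to the numeric mode.
# Weights come straight from the table above: setuid 4, setgid 2, sticky 1
# for the special digit; read 4, write 2, execute 1 within each triple.

perm_to_octal() {
    p=$1
    p=${p%[+.]}                 # drop a trailing ACL/label marker (e.g. "drwxr-xr-x+")
    case ${#p} in
        10) p=${p#?} ;;         # 10 chars: strip the file-type character (d, -, l, ...)
        9)  ;;                  # 9 chars: already just the three triples
        *)  printf 'perm_to_octal: expected 9 or 10 characters, got "%s"\n' "$1" >&2
            return 1 ;;
    esac

    special=0                   # accumulates setuid(4) + setgid(2) + sticky(1)
    digits=""                   # owner, group, other digits in order
    weight=4                    # special weight of the triple currently being read

    while [ -n "$p" ]; do
        triple=${p%"${p#???}"}  # first three characters
        p=${p#???}              # remainder
        n=0
        case $triple in r??) n=$((n + 4)) ;; esac
        case $triple in ?w?) n=$((n + 2)) ;; esac
        # lower case x/s/t: execute is on; S/T: special bit on, execute off
        case $triple in ??[xst]) n=$((n + 1)) ;; esac
        case $triple in ??[sStT]) special=$((special + weight)) ;; esac
        digits="$digits$n"
        weight=$((weight / 2))  # 4 -> 2 -> 1 for owner -> group -> other
    done
    printf '%s%s\n' "$special" "$digits"
}

# Demo on the ls -l lines shown earlier plus the contrived string from the text.
printf '%s\n' \
    'drwxr-xr-x 2 nobody tyler 4096 Aug 18 05:16 dir1' \
    '-rw-r--r-- 1 tyler root 0 Aug 18 05:16 file1' \
    'rwS-w-r-t' |
while read -r perms rest; do
    printf '%-12s -> %s\n' "$perms" "$(perm_to_octal "$perms")"
done
```

Run it and compare the last line with the hand calculation in the paragraph above: rwS-w-r-t comes out as 5625.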
Three commands are commonly used to control ownership and permissions. They are chmod, chown, and chgrp. At the bottom of this section, there is a table with examples of how to use these commands to supplement the explanations.
The chgrp command is very simple. You simply type chgrp, optionally some options, the name of the group you want to change the group to, followed by the filename, in that order.
chgrp newgroup filename
The chown command is almost identical. The only difference is that chown can also change the group. You use the format user:group to change both. If you omit the user and just specify a group with :group, only the group will be changed.
chown newowner filename
The chmod command is used to change a file's permissions. Chmod can either use symbols representing the changes to be made, or the numeric version described earlier. Which one you use is entirely preference. The numeric version is self explanatory. You just type chmod, optionally some options, the number representing what you want the permissions to be, and then the file name, in that order.
chmod 644 filename
The symbolic way follows the same order, but instead of the mode you specify the changes to be made. You specify which set you want the permission to apply to, '+' or '-' to indicate whether you want to grant or revoke the permission, then which permission(s) to change.
- Permission set
  - a – all sets
  - u – user (owner)
  - g – group
  - o – other
- Permission
  - r – read
  - w – write
  - x – execute
  - s – setuid/setgid
  - t – sticky bit
Recursively Changing Permissions
Suppose you want to change the permissions of a directory and all files in it. If there are a lot of files and/or subdirectories, this would be tedious to do by hand. All three of the commands covered have a -R option that does this for you. BE CAREFUL with this. On some systems a chown/chmod/chgrp of .* will include .. in the glob expansion, meaning that the command will go up a directory and make the changes there as well. For example, if you are in /tmp and run chown -R tasha .*, chown will go up a level and change the owner of every file on your system, and, depending on share settings, of files on NFS shares as well, to tasha! Again, be careful with -R.
Command Reference with Examples
| Command | Purpose | Examples |
| --- | --- | --- |
| chmod | Changes a file's permissions. | chmod 755 file1<br>chmod g+w file2 |
| chown | Changes a file's owner. It can also change a file's group. | chown bob myfile<br>chown -R bob:group1 file2<br>chown :newgroup somefile |
| chgrp | Changes a file's group. | chgrp biggroup bigfile |
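The following script is an added example (not from the original post) that runs the three commands in a scratch directory and reads each result back with stat, so you can see numeric and symbolic chmod, the :group form of chown, setgid on a directory, and a recursive change made by naming the directory rather than using .*. It assumes GNU or busybox stat (the -c %a and %G formats); no root is needed because ownership is only set to the current user and primary group, and the function names are my own.

```shell
#!/bin/sh
# Added example: chmod / chown / chgrp in a scratch directory, verified with stat.

mode_of()  { stat -c %a "$1"; }   # numeric mode, special digit included (e.g. 2775)
group_of() { stat -c %G "$1"; }   # group name (or id) of a file

# Apply the chmod arguments $2.. (numeric or symbolic) to file $1, return the new mode.
mode_after_chmod() {
    f=$1; shift
    chmod "$@" "$f"
    mode_of "$f"
}

# Create a file inside directory $1 and return the group it was given.
# With the setgid bit on the directory, that is the directory's group.
group_of_new_file_in() {
    touch "$1/newfile"
    group_of "$1/newfile"
}

# Build tree/a/leaf, remove all "other" access recursively by naming the
# directory explicitly (which never expands to ..), and return leaf's mode.
recursive_demo() {
    mkdir -p tree/a
    touch tree/a/leaf
    chmod -R o-rwx tree
    mode_of tree/a/leaf
}

run_demo() {
    scratch=$(mktemp -d)
    cd "$scratch" || return 1
    umask 022                        # files start at 644 and directories at 755
    touch file1 file2
    mkdir shared

    echo "file1 after chmod 755: $(mode_after_chmod file1 755)"   # 755
    echo "file2 after chmod g+w: $(mode_after_chmod file2 g+w)"   # 664
    echo "file2 after chmod o-r: $(mode_after_chmod file2 o-r)"   # 660
    echo "file2 after chmod u+s: $(mode_after_chmod file2 u+s)"   # 4660

    chown "$(id -u)" file1           # owner only (numeric id, so no passwd lookup)
    chown ":$(id -g)" file1          # group only, via the :group form
    chgrp "$(id -g)" shared          # same effect as the line above
    chmod 2775 shared                # setgid directory: new files inherit its group
    echo "shared mode: $(mode_of shared), group of new file: $(group_of_new_file_in shared)"

    echo "tree/a/leaf after chmod -R o-rwx tree: $(recursive_demo)"   # 640

    cd / && rm -rf "$scratch"
}

run_demo
```

The setgid directory is the one to experiment with further: put a directory in a group you belong to other than your primary one, set 2775 on it, and watch new files take that group instead of your primary group.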
When you create a new file or directory, you may be wondering what the permissions will be or where they come from. The umask answers both of those questions. To find out what your umask is, run the command umask. Subtract that number from 777. If you are creating a directory, the mode will be 777 minus the umask. If you are creating a regular file, the permissions will be 777 minus the umask, with execution permission off.
tyler@desktop:~/umask$ mkdir dir1
tyler@desktop:~/umask$ touch file1
tyler@desktop:~/umask$ ls -l
drwxr-xr-x 2 tyler tyler 4096 Aug 25 05:02 dir1
-rw-r--r-- 1 tyler tyler 0 Aug 25 05:02 file1
My umask is 0022. Subtract it from 777 and you get 755. Notice that the mode of the newly created dir1 is 755. The mode of file1 is 644. Remember, when regular files are created, the execute permission is off.
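As an added example (not from the original post), the script below computes the expected mode of a new directory and a new file from a umask and then creates both under that umask to confirm the numbers. The kernel clears each bit that is set in the umask (mode = base AND NOT umask, with base 777 for directories and 666 for regular files), which gives the same answer as the subtraction described above. It assumes GNU or busybox stat for the check; the function names are my own.

```shell
#!/bin/sh
# Added example: predict and verify the modes that a umask produces.

# $1 = umask in octal (e.g. 022 or 0022), $2 = dir or file.
# Returns the three-digit mode a newly created directory or regular file gets.
expected_mode() {
    base=0777                              # directories may get all nine bits
    [ "$2" = file ] && base=0666           # regular files never get execute at creation
    mode=$(( base & ~0$1 ))                # clear every bit that is on in the umask
    printf '%03o\n' "$mode"
}

# Create a directory and a regular file under umask $1 in a scratch location
# and return "<dir mode> <file mode>" as reported by stat.
actual_modes() {
    scratch=$(mktemp -d)
    (
        cd "$scratch" && umask "$1" && mkdir dir1 && touch file1 &&
        printf '%s %s\n' "$(stat -c %a dir1)" "$(stat -c %a file1)"
    )
    rm -rf "$scratch"
}

# Compare prediction and reality for a few common umasks.
for u in 022 027 077; do
    printf 'umask %s: expected %s %s, actual %s\n' "$u" \
        "$(expected_mode "$u" dir)" "$(expected_mode "$u" file)" "$(actual_modes "$u")"
done
```

The umask change inside the subshell in actual_modes does not leak into your interactive shell, which is also the trick to use when one script needs a stricter umask than the rest of your session.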
You can change your umask. To change your umask, run the umask command followed by what you want it to be. A lot of people like to put this in their shell’s startup scripts.
I highly recommend experimenting with file and directory permissions. A little bit of practice, especially with the special permissions, will go a long way. Create a directory and some files in that directory. Change permissions, owners (requires root), and groups. Switch users and try accessing them. After playing around with permissions and the commands used to manage them for a bit, you should have a good grasp on how they work.
I recommend learning access control lists (ACLs). ACLs are basically giving a user or group their own set of permissions on top of the ones you see with ls -l. Your operating system may have some kind of mandatory access control (MAC) system such as Linux’s SELinux and Solaris’s trusted extensions. If your system has any kind of MAC, I would at minimum be aware of it. MAC settings and ACLs are a good place to look if you run into permission related behavior that doesn’t make sense. If you use FreeBSD, be aware that file flags can affect file behavior.