Chapter 6: The UNIX File System
The UNIX file system allows you to control read, write, and execute access to your files on the basis of user (owner), group, and other (everyone else).[27] In this section we will consider only the standard UNIX file permissions.
Note that in the AFS file system, file permissions are mediated by Access Control Lists (ACLs) that are set on a directory level. The standard UNIX file permissions don't apply in this case except for the owner permissions, which apply to all users. AFS file permissions are treated in section 7.6.
To determine the current permissions, use the long form of the ls command, ls -l. Referring to the example below, the nine characters immediately following the first field represent the one-bit flags, known as the mode bits, that control file access. A dash indicates that a bit is not set; r stands for read access, w for write access, and x for execute access. The first set of three characters refers to owner permissions, the middle three to group permissions, and the last three to all other users.
In the example, ignoring the directory files (which have a d in position 1), the owner has rw access to the files, whereas group and others have read (r) access only.
The chmod command, which stands for change mode, is used to change access permissions of a file or directory:
% chmod mode filename ...
or
% chmod mode directory ...
In the absolute form of the mode, where the level of protection is specified in octal format, mode looks like 741 or 554, for example, where each of the three octal digits represents the sum of the permissions granted to its class: user, group, and other, in that order. The three types of permission have the values:
read: 4 (100 octal)
write: 2 (010 octal)
execute: 1 (001 octal)
For example, a mode of 741 means owner can read, write, and execute (4+2+1=7); group can read (4+0+0=4); and others can execute the file (0+0+1=1).
To give this permission to a file test, you would enter:
% chmod 741 test
You can use an alternate form of mode in the chmod command in which mode is a three-character field specifying an action to be taken. The action is to add or subtract one or more permissions from one or more user classes. It takes the form:
who operator permission(s)
These three positions within the field take the following characters:
who: represents the user class or classes; it takes any combination of u, g, o, and a for user (user is really the owner), group, other and all, respectively, where all includes the three individual classes
operator: + or - for adding or subtracting permissions, or = for setting a specific permission and resetting all other permissions for the specified user class(es)
permission(s): any combination of r, w, and x for read, write, and execute, indicating the permissions to be permitted, denied, or reset.
Examples of the chmod command:
progs:
% chmod g-x progs
out and out1, add group read and write, and deny write to other:
% chmod g+rw,o-w out out1
myfile:
% chmod g=r myfile
Note that classes of users or levels of protection not specified in a command are not modified in this form of the command (with the exception that = resets other permissions).
With the umask command you can specify a mask that the system uses to set access permissions when a file is created. In order to understand umask you need to know that access permission at file creation is application-dependent. Each command or application sets a file permission in its open command.[28] The system then "subtracts" any user-defined mask, resulting in the final access permission for the file. You can set a umask by this command:
% umask [ooo]
where ooo stands for three octal digits. The user-specified "mask", ooo, has the same positional structure as described above for chmod, but specifies permissions that should be removed (disallowed).
For example, a mask of 022 removes no permissions from owner, and removes write permission from group and others. Thus a file normally created with 777 would become 755 (this would appear as rwxr-xr-x in the format put out by the command ls -l). The following command could be put in your .cshrc or .profile.
% umask 022
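The following sh script is an added example, not part of the original guide; its function names (mode_string, apply_umask, created_mode) are hypothetical. It goes slightly beyond the 022 case above: it shows that the mask clears bits rather than subtracting arithmetically (666 under a mask of 033 gives 644, not 633), and it checks the computed mode against what ls -l reports for a file actually created under each mask.

```sh
#!/bin/sh
# Added example, not from the original guide; all function names are hypothetical.

# mode_string OCTAL: print the nine mode characters that ls -l would show.
mode_string() {
    bits=$((0$1)); out=""            # leading 0 makes the shell read octal
    for bit in 256 128 64 32 16 8 4 2 1; do
        case $bit in
            256|32|4) ch=r ;;
            128|16|2) ch=w ;;
            *)        ch=x ;;
        esac
        if [ $((bits & bit)) -ne 0 ]; then out="$out$ch"; else out="$out-"; fi
    done
    printf '%s\n' "$out"
}

# apply_umask REQUESTED MASK: the mode that results when a program asks for
# REQUESTED and the umask is MASK. The mask clears bits (AND NOT); it is not
# arithmetic subtraction.
apply_umask() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# created_mode MASK: create a real file under MASK and print its mode
# characters as shown by ls -l. Shell redirection requests 666 (rw-rw-rw-).
created_mode() {
    (
        dir=$(mktemp -d) || exit 1
        umask "$1"
        : > "$dir/f"
        seen=$(ls -l "$dir/f" | cut -c2-10)
        rm -rf "$dir"
        printf '%s\n' "$seen"
    )
}

# Compare the computed result with the file system for several masks.
for mask in 022 027 033 077; do
    want=$(apply_umask 666 "$mask")
    printf 'umask %s: computed %s (%s), ls -l shows %s\n' \
        "$mask" "$want" "$(mode_string "$want")" "$(created_mode "$mask")"
done
```

A mask of 077 leaves new files readable and writable by the owner only, which is the usual choice where other users on the system should not read your files by default.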
The meaning of permissions applied to directories is described in Section 6.6.2.
See section 7.6 for AFS systems.
You can grant or deny permission for directories as well as files, and protection assigned to a directory file takes precedence over the permissions of individual files in the directory.
ls command, but not to use them.
r and x directory permission. In other words, write permission to a directory allows you to alter the contents of the directory itself, but not to alter, except to remove, files in the directory (which is controlled by the file's permissions).
File access permissions of directory files are changed with the chmod command (see section 6.6.1).