4.5.3 File and directory access permissions
File and directory access permissions are defined separately for the following
three categories of affected users:
-
the user who owns the file (u),
-
other users in the group which the file belongs to (g), and
-
all other users (o).
For a file, each corresponding permission allows:
-
read (r): to examine contents of the file,
-
write (w): to modify the file, and
-
execute (x): to run the file as a command.
For a directory, each corresponding permission allows:
-
read (r): to list contents of the directory,
-
write (w): to add or remove files in the directory, and
-
execute (x): to access files in the directory.
Here, execute permission on the directory means not only to
allow reading of files in its directory but also to allow viewing their
attributes, such as the size and the modification time.
To display permission information (and more) for files and directories,
ls
is used. See ls(1)
. When ls
invoked
with the -l option, it displays the following information in the
order given:
-
the type of file (first character)
-
-: normal file
-
d: directory
-
l: symlink
-
c: character device node
-
b: block device node
-
p: named pipe
-
s: socket
-
the file's access permissions (the next nine characters,
consisting of three characters each for user, group, and other in this order)
-
the number of hard links to the file
-
the name of the user who owns the file
-
the name of the group which the file belongs to
-
the size of the file in characters (bytes)
-
the date and time of the file (mtime)
-
the name of the file.
To change the owner of the file, chown
is used from the root
account. To change the group of the file, chgrp
is used from the
file's owner or root account. To change file and directory access permissions,
chmod
is used from the file's owner or root account. Basic syntax
to manipulate foo
file is:
# chown newowner foo
# chgrp newgroup foo
# chmod [ugoa][+-=][rwx][,...] foo
See chown(1)
, chgrp(1)
, and chmod(1)
for
the detail.
For example, in order to make a directory tree to be owned by a user
foo and shared by a group bar, issue the following
commands from the root account:
# cd /some/location/
# chown -R foo:bar .
# chmod -R ug+rwX,o=rX .
There are three more special permission bits:
-
set user ID (s or S instead of user's x),
-
set group ID (s or S instead of group's x), and
-
sticky bit (t or T instead of other's x).
Here the output of ls -l
for these bits is capitalized if
execution bits hidden by these outputs are unset.
Setting set user ID on an executable file allows a user to
execute the executable file with the owner ID of the file (for example
root). Similarly, setting set group ID on an
executable file allows a user to execute the executable file with the group ID
of the file (for example root). Because these settings can
cause security risks, enabling them requires extra caution.
Setting set group ID on a directory enables the BSD-like file
creation scheme where all files created in the directory belong to the
group of the directory.
Setting the sticky bit on a directory prevents a file in the
directory from being removed by a user who is not the owner of the file. In
order to secure the contents of a file in world-writable directories such as
/tmp
or in group-writable directories, one must not only set
write permission off for the file but also set the
sticky bit on the directory. Otherwise, the file can be
removed and a new file can be created with the same name by any user who has
write access to the directory.
Here are a few interesting examples of the file permissions.
$ ls -l /etc/passwd /etc/shadow /dev/ppp /usr/sbin/pppd
crw-rw---- 1 root dip 108, 0 Jan 18 13:32 /dev/ppp
-rw-r--r-- 1 root root 1051 Jan 26 08:29 /etc/passwd
-rw-r----- 1 root shadow 746 Jan 26 08:29 /etc/shadow
-rwsr-xr-- 1 root dip 234504 Nov 24 03:58 /usr/sbin/pppd
$ ls -ld /tmp /var/tmp /usr/local /var/mail /usr/src
drwxrwxrwt 4 root root 4096 Feb 9 16:35 /tmp
drwxrwsr-x 10 root staff 4096 Jan 18 13:31 /usr/local
drwxrwsr-x 3 root src 4096 Jan 19 08:36 /usr/src
drwxrwsr-x 2 root mail 4096 Feb 2 22:19 /var/mail
drwxrwxrwt 3 root root 4096 Jan 25 02:48 /var/tmp
There is an alternative numeric mode to describe file permissions in
chmod(1)
commands. This numeric mode uses 3 to 4 digit wide octal
(radix=8) numbers. Each digit corresponds to:
-
1st optional digit: sum of set user ID (=4), set group
ID (=2), and sticky bit (=1)
-
2nd digit: sum of read (=4), write (=2), and
execute (=1) permissions for user
-
3rd digit: ditto for group
-
4th digit: ditto for other
This sounds complicated but it is actually quite simple. If you look at the
first few (2-10) columns from ls -l command output and read it as
a binary (radix=2) representation of file permissions ("-" being
"0" and "rwx" being "1"), this numeric mode value
should make sense as an octal (radix=8) representation of file permissions to
you. [
33] For example, try:
$ touch foo bar
$ chmod u=rw,go=r foo
$ chmod 644 bar
$ ls -l foo bar
-rw-r--r-- 1 penguin penguin 0 Nov 3 23:30 foo
-rw-r--r-- 1 penguin penguin 0 Nov 3 23:30 bar
The default file permission mask can be set by using the umask
shell built-in command. See builtins(7)
.