The Unix file permissions model doesn’t seem to get explained very clearly, very often. It’s really quite simple, though some of the more advanced stuff isn’t so widely known. The key commands are ls -l and chmod. chmod has two ways of working; we’ll deal with the easy one first.
When you look at a file, there are lots of fields. (I’m using Linux with an ext3 filesystem for these examples, but it’s the same across the board for Unix and Linux, and just about any filesystem.)
$ ls -l myfile.txt
-rw-r--r-- 1 steve users 4 2007-01-25 20:37 myfile.txt
$
So what does it all mean? Going through the fields in order, it’s:
| -rw-r--r-- | 1 | steve | users | 4 | 2007-01-25 20:37 | myfile.txt |
| permission | links | owner | group | size | last-modified | filename |
We’re dealing with the permission stuff here, but I’ll quickly run through the others. “Links” tells you how many “hard links” there are to the file. That’s probably for another post, but if you type “ln myfile.txt yourfile.txt”, then the link count will go up from 1 to 2. “Owner” tells you what user owns the file, and “group” tells you what group is associated with the file. “Size” is pretty obvious; it’s in bytes (this file’s 4 bytes are “f”, “o”, “o” and a newline character). “Last-modified” tells you when the file was last changed (not necessarily when it was created), and finally there’s the filename.
For our purposes, the important stuff is the permission, owner and group. That’s “-rw-r--r--”, “steve” and “users” in this example.
Looking at the “-rw-r--r--”, it seems almost random. Once you know the structure, it’s very informative. There are 10 characters, or fields, grouped with the first character by itself, then three sets of three, like so:
| - | rw- | r-- | r-- |
| file type | user | group | other |
The initial “-”, the File Type, tells you what kind of file it is. In this case, “-” means it’s a regular file. “d” indicates a directory, “c” means a character-special device, and “b” means a block-special device. Run “ls -l /dev” to see some “c” and “b” files. They’re device drivers; a character device (e.g. /dev/lp0, the printer) is accessed with characters; you tend to chuck text at it. A block device (e.g. /dev/hda1, the hard disk) is accessed in blocks, not single characters. We’re not kernel developers, so we don’t need to worry about that too much.
The Meat Of It
The main part of the -rw-r--r-- information is the three sets of three characters: “rw-”, “r--” and “r--” in this example. In each block, the first character is either “r” to indicate that you can Read the file, or “-” to indicate that you can’t read it. The second is “w” if you can Write to the file, and “-” if you can’t. The third is usually “x” if you can eXecute (run) the file, or “-” if you can’t. (The third can also be “t” or “s”; we’ll come to that in a minute.)
So in this case, the file’s owner (“steve”) can read and write, but not execute (rw-). Members of the group (“users”) can read the file, but can’t change it or run it (r--). Anybody who’s not “steve” and not in the “users” group can do the same in this example (r--).
Common sets of permissions are:
| Octal | Permissions | Meaning |
| 600 | -rw------- | I can read and write it, but nobody else can. (Private files) |
| 640 | -rw-r----- | I can read and write it, my group can only read it. Others can do nothing. (Semi-shared files) |
| 755 | -rwxr-xr-x | I can read, write, execute; everyone else can read and execute it, but not change it. (Shared programs) |
| 644 | -rw-r--r-- | I can read and write it, the rest of the world can read it. (Shared files) |
What’s that left-hand column I threw in there? That’s the other way of thinking about permissions. If “r” is 4, “w” is 2, and “x” is 1, then “rwx” is 4+2+1=7, “r--” is 4, “rw-” is 4+2=6, and so on. Each of the three blocks (user, group, other) becomes one digit, so “-rw-r--r--” is 644. It’s a kind of shorthand.
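The r=4, w=2, x=1 arithmetic, and the file-type column from the earlier section, as working POSIX sh functions. This is an added example, not code from the original post: it takes the 10-character mode string exactly as ls -l prints it, converts it to and from the octal shorthand, and adds a small defender’s check that flags entries whose “other” block carries “w” (anyone on the system can change them). Lowercase “s” and “t” in the execute slot are counted as execute being set; the special bits they stand for are not encoded in the three digits and are left out here.

```shell
#!/bin/sh
# Added example (not from the original post): the r=4, w=2, x=1 arithmetic
# and the file-type column from `ls -l`, as POSIX sh functions.
# Input is the 10-character mode string exactly as `ls -l` prints it.

# file_type MODESTRING: name the first character (the four types the post lists).
file_type() {
    case $1 in
        -*) echo regular ;;
        d*) echo directory ;;
        c*) echo character-device ;;
        b*) echo block-device ;;
        *)  echo other ;;
    esac
}

# mode_to_octal MODESTRING: '-rw-r--r--' -> 644.
# Each triple (user, group, other) becomes one digit: r adds 4, w adds 2,
# x adds 1.  A lowercase s or t in the x slot also means execute is set;
# the setuid/setgid/sticky bits themselves are not encoded in these digits.
mode_to_octal() {
    perms=${1#?}                    # drop the leading file-type character
    out=""
    i=1
    while [ "$i" -le 9 ]; do
        n=0
        case $(printf '%s' "$perms" | cut -c"$i") in r) n=$((n + 4)) ;; esac
        case $(printf '%s' "$perms" | cut -c"$((i + 1))") in w) n=$((n + 2)) ;; esac
        case $(printf '%s' "$perms" | cut -c"$((i + 2))") in x|s|t) n=$((n + 1)) ;; esac
        out="$out$n"
        i=$((i + 3))
    done
    printf '%s\n' "$out"
}

# octal_to_mode DIGITS: 644 -> 'rw-r--r--' (the nine permission characters).
octal_to_mode() {
    out=""
    for d in $(printf '%s' "$1" | sed 's/./& /g'); do
        case $d in 4|5|6|7) out="${out}r" ;; *) out="${out}-" ;; esac
        case $d in 2|3|6|7) out="${out}w" ;; *) out="${out}-" ;; esac
        case $d in 1|3|5|7) out="${out}x" ;; *) out="${out}-" ;; esac
    done
    printf '%s\n' "$out"
}

# world_writable MODESTRING: succeed (exit 0) when the "other" block has w,
# i.e. anyone on the system can change the file.  Handy as a filter when
# auditing a directory listing.
world_writable() {
    case $1 in
        ????????w?) return 0 ;;
        *)          return 1 ;;
    esac
}

# Usage: pass mode strings as arguments, e.g.
#   sh modes.sh -rw-r--r-- drwxrwxrwx
# Each line shows the mode, its octal form, the file type and a warning
# for world-writable entries.
for m in "$@"; do
    flag=""
    world_writable "$m" && flag=" WORLD-WRITABLE"
    printf '%s  %s  %s%s\n' "$m" "$(mode_to_octal "$m")" "$(file_type "$m")" "$flag"
done
```

Feeding it the first column of an ls -l listing (for example with cut -c1-10) gives a quick way to spot files that the table above would class as anything but “private” or “shared”.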
We set permissions with the chmod command. The first set of three is “u” for “User”, the second is “g” for “Group”, and the last is “o” for “Other”. There’s also “a” for “All”. So “chmod g+rwx” means “add rwx to the second block”, while “chmod a-x” means “take off the x flags for everybody”.
This is easiest to show with examples:
$ ls -l myfile.txt
-rw-r--r-- 1 steve steve 4 2007-01-25 20:39 myfile.txt
# Allow me to eXecute the file: User + eXecute = u+x:
$ chmod u+x myfile.txt
$ ls -l myfile.txt
-rwxr--r-- 1 steve steve 4 2007-01-25 20:39 myfile.txt
# Don't let Others Read the file: Others - Read = o-r:
$ chmod o-r myfile.txt
$ ls -l myfile.txt
-rwxr----- 1 steve steve 4 2007-01-25 20:39 myfile.txt
# Don't let the Group Read the file: Group - Read = g-r:
$ chmod g-r myfile.txt
$ ls -l myfile.txt
-rwx------ 1 steve steve 4 2007-01-25 20:39 myfile.txt
# Be specific with numbers: 600 = -rw-------
$ chmod 600 myfile.txt
$ ls -l myfile.txt
-rw------- 1 steve steve 4 2007-01-25 20:39 myfile.txt
# Be specific with numbers: 755 = -rwxr-xr-x
$ chmod 755 myfile.txt
$ ls -l myfile.txt
-rwxr-xr-x 1 steve steve 4 2007-01-25 20:39 myfile.txt
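The same sequence of chmod calls as a script you can run on a scratch file, reading each result back with ls -l just as the listing above does by hand. This is an added example, not part of the original post; it assumes a POSIX sh with mktemp available, and it uses the ls -l mode string as the check rather than stat, so it does not depend on the GNU/BSD differences in stat’s options. The function and file names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): apply chmod changes to a
# scratch file and read the result back with `ls -l`.  Assumes POSIX sh
# and mktemp.

# mode_of PATH: the 10-character mode string (type + 9 permission chars).
# cut -c1-10 drops the link count and any extra marker some versions of
# ls append right after the mode.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# mode_after START CHANGE: create a throwaway file, set it to the numeric
# mode START (e.g. 644), apply CHANGE (symbolic such as u+x or u+x,g-r, or
# numeric such as 600) and print the resulting mode string.  The file is
# removed again afterwards.
mode_after() {
    f=$(mktemp) || return 1
    chmod "$1" "$f"
    chmod "$2" "$f"
    mode_of "$f"
    rm -f "$f"
}

# demo: the post's sequence, applied cumulatively to one file, one line
# per step, so you can watch each block change.
demo() {
    f=$(mktemp) || return 1
    chmod 644 "$f"
    printf '%-8s %s\n' start "$(mode_of "$f")"
    for change in u+x o-r g-r 600 755 a-x; do
        chmod "$change" "$f"
        printf '%-8s %s\n' "$change" "$(mode_of "$f")"
    done
    rm -f "$f"
}

# Usage: sh chmod-demo.sh
demo
```

The last step, a-x on a 755 file, brings it back to 644: the symbolic form changes only the bits you name, while the numeric form replaces all nine at once, which is why the numeric form is the safer choice in scripts where you want a known end state regardless of what was there before.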