Filesystem permissions of Unix-like systems are defined for three categories of affected users.
ls -l shows permissions as a 10-character string, for example -rw-r--r--. The characters can be interpreted as TUUUGGGOOO where:
    T    Type
    UUU  Rights for the user who owns the file
    GGG  Rights for users in the group to which the file belongs
    OOO  Rights for others, not listed above
(These are perhaps poor choices of letters since O could be confused with 'owner' and U seems to suggest 'user' whoever *that* is, but it's always been that way and won't change)
T is one of:
    -  regular file
    d  directory
    c  character device
    b  block device
    l  symbolic link
Character and block devices are usually in /dev
The permissions on a symbolic link are always lrwxrwxrwx. This means that anyone can
see where the link points. Who can read, write, or execute the file (or directory
or device) the link points to is determined by the permissions on the file itself, not the
link.
The permission information is stored as four octal digits, each specifying a
different set of permissions. There are owner permissions, group permissions, and
other (world) permissions. The fourth octal digit is used to store special information
such as set user ID, set group ID, and the sticky bit. The octal values assigned
to the permission modes are (they also have letters associated with them that are
displayed by programs such as ls and can be used by chmod):
Octal Permission Values
    Permission Type   Octal Value   Letter Value
    "sticky" bit      1             t
    set user ID       4             s
    set group ID      2             s
    read              4             r
    write             2             w
    execute           1             x
For example, ls -l shows these permissions on /bin/bash:
-rwxr-xr-x 1 root root 477692 Mar 21 19:57 /bin/bash
The first dash would be replaced with a d if this was a directory. The three
permission groups (owner, group, and other) are displayed next. We see that the
owner has read, write, and execute permissions (rwx). The group has only read
and execute (r-x). And everyone else has only read and execute (r-x).
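As an added example (not part of the original page), a small POSIX shell function that converts the ten-character string from ls -l into the four octal digits chmod accepts, including the s/S and t/T forms of the special bits described later on this page; the function name mode_to_octal is an assumption made here.

```shell
# Added example, not from the original page: turn the 10-character mode
# string that ls -l prints (TUUUGGGOOO) into the four octal digits chmod
# accepts. s/S mark setuid (owner field) or setgid (group field), t/T mark
# the sticky bit (other field); a capital letter means the special bit is
# set but the matching execute bit is not.
mode_to_octal() {
    mode=$1
    if [ "${#mode}" -ne 10 ]; then
        echo "expected a 10-character mode string, got: $mode" >&2
        return 1
    fi
    special=0   # accumulates 4 (setuid), 2 (setgid), 1 (sticky)
    digits=""   # the three rwx digits, built left to right
    pos=2       # cut counts from 1; position 1 is the type character
    for who in u g o; do
        r=$(printf '%s' "$mode" | cut -c"$pos")
        w=$(printf '%s' "$mode" | cut -c"$((pos + 1))")
        x=$(printf '%s' "$mode" | cut -c"$((pos + 2))")
        val=0
        if [ "$r" = r ]; then val=$((val + 4)); fi
        if [ "$w" = w ]; then val=$((val + 2)); fi
        case "$x" in
            x) val=$((val + 1)) ;;
            s|S)  # setuid in the owner field, setgid in the group field
                if [ "$x" = s ]; then val=$((val + 1)); fi
                if [ "$who" = u ]; then special=$((special + 4)); else special=$((special + 2)); fi ;;
            t|T)  # sticky bit, shown in the "other" field
                if [ "$x" = t ]; then val=$((val + 1)); fi
                special=$((special + 1)) ;;
            -) ;;
            *) echo "unexpected character '$x' in $mode" >&2; return 1 ;;
        esac
        digits="$digits$val"
        pos=$((pos + 3))
    done
    printf '%d%s\n' "$special" "$digits"
}

mode_to_octal '-rwxr-xr-x'   # 0755 (bash, from the listing above)
mode_to_octal '-rwsr-sr-x'   # 6755 (setuid and setgid set)
mode_to_octal 'drwxrwxrwt'   # 1777 (a sticky, world-writable directory)
mode_to_octal 'drwxr-sr-T'   # 3754 (setgid; sticky without execute for others)
```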
To set the permissions on a file or directory add the octal numbers for the
permissions you want. For the owner to have read, write, and execute, we
would have a value of 7. Read and execute would have 5. Run those together
and pass them to chmod like this:
chmod 755 /tmp/example
Execute permission on a directory means you can cd into it and pass through it to reach what is below; read permission is what lets you list its contents.
To set special permissions, add the numbers together and place them in the first
column. For example, to make it set user ID and set group ID, we use 6 as the
first column:
chmod 6755 /tmp/example
-rwsr-sr-x 1 david users 0 Apr 19 11:21 /tmp/example
You can also use letters with chmod.
    chmod a+rx /tmp/example    all (a) can (+) read (r) and execute (x)
    chmod u+w /tmp/example     owner (u) can (+) write (w)
    chmod ug+s /tmp/example    owner (u) and group (g) set (+) the s bit, i.e. setuid and setgid
    chmod o-w /tmp/example     remove (-) write (w) permission for others (o)
The permission groups are represented as:
    u  Owner
    g  Group
    o  Other
    a  All of the above
Using octal digits with chmod is absolute: every permission bit is set from the digits you supply, and the special bits (setuid, setgid, sticky) too, either from the fourth digit if you give one or, on a regular file, cleared when you give only three. Using letters, by contrast, is cumulative: only the permissions you name are changed and the others are left as they were.
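Added example, not from the original page: a scratch-file demonstration of the difference just described, reading the mode back through ls -l. The function names and the use of a regular file under mktemp are assumptions of this example.

```shell
# Added example, not from the original page: show on a scratch file that an
# octal chmod replaces every bit, setuid/setgid included, while a symbolic
# chmod only touches the bits you name. The mode is read back from the first
# 10 characters of ls -l, which look the same on Linux and the BSDs.
show_mode() {
    ls -ld "$1" | cut -c1-10
}

demo_octal_vs_symbolic() {
    dir=$(mktemp -d) || return 1
    f="$dir/example"
    : > "$f"
    chmod 6775 "$f"                 # -rwsrwsr-x: setuid and setgid set
    before=$(show_mode "$f")

    chmod o+w "$f"                  # symbolic: adds one bit, the s bits survive
    symbolic=$(show_mode "$f")

    chmod 777 "$f"                  # octal with three digits: the special
    octal=$(show_mode "$f")         # bits are reset to 0 along with the rest

    rm -rf "$dir"
    printf '%s %s %s\n' "$before" "$symbolic" "$octal"
}

demo_octal_vs_symbolic          # -rwsrwsr-x -rwsrwsrwx -rwxrwxrwx
```

GNU chmod preserves a directory's set-user-ID and set-group-ID bits when given a numeric mode, which is why the demonstration uses a regular file; on a directory use u-s or g-s to clear them.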
Normally when you run a program, it is operating under your user account. That is, it has all the permissions that you as a user have. The same is true for the group. When you run a program, it executes under your current group. With set user ID permissions, you can force the program to always run as the program owner (such as root). Set group ID is the same, but for the group. This is shown by having an 's' rather than 'x'. setgid for a directory is explained below.
Unix directory access permissions say that if a user has write permission on a directory, she can rename or remove files there, even files that don't belong to her. Many newer versions of Unix have a way to stop that. The owner of a directory can set its sticky bit. The only people who can then rename or remove any file in that directory are the file's owner, the directory's owner, and the superuser. The sticky bit is shown as a 't' instead of an 'x' in the 'other' permissions. If the directory is not executable by others, the sticky bit is shown as 'T' instead of 't'.
    chmod +t directory    Set the sticky bit on a directory
    chmod -t directory    Remove the sticky bit from a directory
Assigning group and permissions when a file or directory is first created.
The group is an issue because users can be members of multiple groups, but one of them
(specified in the user's /etc/passwd entry) is the user's default group and will normally
own files created by the user.
The story with initial permission bits is a little more complicated. A program that creates
a file will normally specify the permissions it is to start with. But these will be modified
by a per-process setting called the umask, which your shell sets and every program it starts
inherits. The complement (logical not) of your umask is ANDed with the requested permissions
to give the default permission for files or directories created by you. In other words, the
umask specifies which permission bits to turn off when creating a file; the most common value,
and the default on most systems, is -------w- or 002, which turns off the world-write bit.
Be sure to make root's umask 077, which will disable read, write, and execute permission
for other users on anything root creates, unless explicitly changed later using chmod.
As a worked example with a umask of 033: newly-created directories would have 744
permissions, obtained by clearing the 033 bits from 777 (for these values the same as
subtracting 033 from 777). Newly-created files, which start from 666 rather than 777,
would have permissions of 644 using the same 033 umask.
If you are using Red Hat, and adhere to their user and group ID creation scheme
(User Private Groups), it is only necessary to use 002 for a umask. This is due
to the fact that the default configuration is one user per group.
See the documentation of the umask command in your shell's manual page for details. On Red Hat,
the umask is set in /etc/profile and is 002 for users, 022 for root. To find out your umask,
type the command
umask
To set your umask, type the command
umask nnn
where nnn are the desired octal digits
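Added example (not from the original page) showing how to compute the resulting mode from a umask. It carries the page's 033 example through and shows that treating the umask as a bit mask rather than as decimal subtraction matters when a masked bit was never requested in the first place; apply_umask and subtract_umask are names invented here.

```shell
# Added example, not from the original page. The umask is a bit mask: the
# permission bits set in it are cleared from the mode the creating program
# asks for (666 for a regular file, 777 for a directory or executable).
# Function names are invented here.
apply_umask() {
    requested=$1    # octal mode the program requests, e.g. 666 or 777
    mask=$2         # octal umask, e.g. 022
    # A leading 0 makes the shell evaluate both numbers as octal.
    printf '%03o\n' "$(( 0$requested & ~0$mask ))"
}

# Plain decimal subtraction, the shortcut the text above uses.
subtract_umask() {
    printf '%03o\n' "$(( 0$1 - 0$2 ))"
}

apply_umask 777 022      # 755: the usual directory default
apply_umask 666 022      # 644: the usual file default
apply_umask 777 077      # 700: root's recommended umask leaves nothing for others
apply_umask 777 033      # 744: the page's directory example
apply_umask 666 033      # 644: the page's file example; the mask would also clear
                         #      x from group and other, but x was never requested
subtract_umask 666 033   # 633: subtraction borrows across digits and is wrong here
```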
The initial group of a new directory is a bit complicated. On some Unixes a new directory gets the
default group of the creating user (this is the System V convention); on others, it gets
the owning group of the parent directory in which it's created (this is the BSD convention).
On some modern Unixes, including Linux, the latter behavior can be selected by setting the
set-group-ID on the directory (chmod g+s). Set gid on a directory means that all new files
and directories created in that directory will have the same group as the parent
(The BSD way). When set gid is not set on a directory then the group used for new
files and directories is the default group for that user (The System V way).
Directories with the set-user-id bit set will force all files and
sub-directories created in them to be owned by the directory owner and not
by the uid of the creating process, if the underlying file system supports
this feature. Linux does not: it ignores the set-user-id bit on directories,
so this applies only on systems (some BSDs) that enable it.
Linux ext2-family filesystems also carry per-file attributes that are separate from the
permission bits; the list below follows the chattr(1) manual page. The attributes are:
    A  When a file with the 'A' attribute set is modified, its atime record is not
       modified. This avoids a certain amount of disk I/O for laptop systems. (not
       yet implemented)
    a  A file with the 'a' attribute set can only be opened in append mode for
       writing. Only the superuser can set or clear this attribute.
    c  A file with the 'c' attribute set is automatically compressed on the disk by
       the kernel. A read from this file returns uncompressed data. A write to this
       file compresses data before storing them on the disk. (not yet implemented)
    d  A file with the 'd' attribute set is not a candidate for backup when the
       dump(8) program is run.
    i  A file with the 'i' attribute cannot be modified: it cannot be deleted or
       renamed, no link can be created to this file and no data can be written to
       the file. Only the superuser can set or clear this attribute.
    s  When a file with the 's' attribute set is deleted, its blocks are zeroed and
       written back to the disk.
    S  When a file with the 'S' attribute set is modified, the changes are written
       synchronously on the disk; this is equivalent to the 'sync' mount option
       applied to a subset of the files.
    u  When a file with the 'u' attribute set is deleted, its contents are saved.
       This allows the user to ask for its undeletion. (not yet implemented)
The attributes are set with the chattr command and can be viewed with the lsattr command.
Check the man pages for additional options.
Groups are defined in /etc/group, one group per line. A typical entry looks like:
audio:x:29:kim,jason
The columns in /etc/group, separated by colons, are:
1. Group name, e.g. audio
2. Encrypted group password, or 'x' if the password hash is
   stored in /etc/gshadow
3. Group number (gid), e.g. 29
4. Comma-separated list of user names for people who are members of this group
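Added example, not from the original page: parsing /etc/group entries of the form above with awk, to list a user's supplementary groups and to flag entries whose password field holds a hash instead of 'x'. The five-line sample file is constructed for the example (the hash on the legacy line is a placeholder), and the function names are assumptions.

```shell
# Added example, not from the original page. GROUP_FILE_SAMPLE is a
# constructed /etc/group; the hash on the "legacy" line is a placeholder,
# not a real password hash. Function names are invented here.
GROUP_FILE_SAMPLE='root:x:0:
audio:x:29:kim,jason
wheel:x:10:kim
legacy:$1$abcdefgh$0123456789abcdefghijkl:1001:jason
staff:x:50:'

# Print the groups that list USER in field 4. These are supplementary
# groups only; the primary group comes from the user's /etc/passwd entry.
groups_of() {
    printf '%s\n' "$GROUP_FILE_SAMPLE" | awk -F: -v user="$1" '
        { n = split($4, members, ",")
          for (i = 1; i <= n; i++) if (members[i] == user) print $1 }'
}

# Field 2 should be "x" (hash kept in /etc/gshadow) or empty. Anything else
# is a password hash sitting in the world-readable /etc/group, which an
# administrator should move into /etc/gshadow (grpconv does this).
unshadowed_groups() {
    printf '%s\n' "$GROUP_FILE_SAMPLE" | awk -F: '$2 != "x" && $2 != "" { print $1 }'
}

# Members named on the gid 0 line share the root group's rights, so the
# list is worth reviewing; here it is empty.
gid0_members() {
    printf '%s\n' "$GROUP_FILE_SAMPLE" | awk -F: '$3 == 0 { print $4 }'
}

groups_of kim          # audio and wheel, one per line
groups_of jason        # audio and legacy
unshadowed_groups      # legacy
gid0_members           # (empty line: nobody listed besides root itself)
```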
First created Apr 22, 2008 ~ Last revised August 23, 2010