City College of San Francisco - CS260A Unix/Linux System Administration Module: Review
Permissions on Unix are simple. There are just three:
r - read
w - write
x - execute
For a file, these mean just what you would think. r means you can read the file's contents. w means you can update the file's contents. x means you can attempt to execute the file as a program.
There are three sets of these three permissions for each piece of data on the system. Which set you get depends on who you are with respect to the data. Before we continue, we need to talk about groups:
Groups
Users on a Unix system are divided into groups at the discretion of the system administrator. Traditionally, you were placed in a group as a work group, and this was used to share data easily with other members of the group. Today groups may be assigned by work group, by class in school, by job classification, etc., or even at random.
Each user is in one or more groups. One of these groups is your default group.
Each piece of data on the system has one group. When you create a piece of data, it is owned by you and placed in your default group.
(At CCSF, you are in one group for each of your classes. The group names are built from the CRN number of the class, so these groups change each semester. Your default group is one of a handful, and you are assigned to it at random when the account is created. On Linux you are normally assigned a new group as your default group, named the same as your login, and possibly one group that is common to most users.)
Your permissions for a piece of data
As we said, your permissions to access a piece of data depends on who you are with respect to it:
If you are the owner of the data, the u (user) permissions set applies.
If you are not the owner of the data, but are a member of the group the data is in, the g (group) permissions set applies.
If you are neither the owner nor in the data's group, the o (other) permissions set applies.
Exactly one of these three sets of permissions applies to each user on the system. These three sets of three permissions each is shown in the permissions block of an ls -l listing. (The permissions of a file are also called the file's mode. That is why the command to change permissions is chmod, or change mode.)
Example:
Malak Samdi (msamdi0) is a student at CCSF. He is a member of three groups:
his default group, b20027
the group for cs160b, c76131
the group for cs110, c76036
Malak comes across these three files on Unix:
-rw-r-----  1 gboyd    c76036  48 Oct  3 16:03 homework1
-r--r-xrwx  1 msamdi0  users    2 Oct  3 16:03 password
-rwxr-xr--  1 marie    c76131   0 Oct  3 16:07 submit_quiz
What permissions does he have for each?
Since he is not the owner, but is in the file's group, he has the permissions r-- for homework1
Since he is the owner, he has the permissions r-- for the file password. Notice that non-owners get more permissions for this file. Although unusual, this is legal.
Since he is in the file's group, Malak has the permissions r-x for submit_quiz
Suppose the group of password is changed to b20027. Would it alter his access rights? No: he is still the owner, so the u set still applies.
Suppose the owner of password was changed to someone else. Would it alter his access rights? Yes. Since he is not in the group users, he now has the permissions of other, or rwx.
Suppose Malak dropped cs110 and was removed from group c76036. Would his permissions to homework1 change? Yes. He now has the permissions of other, or no permissions.
Directory permissions
For directories, the interpretation of r, w, and x changes. This is the most often misunderstood part of Unix permissions. While file permissions govern the content of a file, directory permissions govern the existence, name, and location of (path to) the file.
Think of a directory as a table that contains file names. Then the r and w permissions for a directory mean:
r - you can examine the table. This means list the directory's contents
w - you can create, remove and change the names of entries in the directory (update the table)
The x permission is a bit strange: it allows you to use the directory entries. Without x permission, you cannot access anything in the directory. x permission on a directory is also called search permission, because without it you cannot cd to (or through) the directory. For all practical purposes, deleting the x permission for a directory makes it unusable, and anything in it or in its subdirectories inaccessible.
The w permission is what confuses people so much. w permission to a directory (together with x, which you need in order to reach the entry at all) governs whether you can remove or rename files in it. The resulting rule is the focus of people's misunderstanding:
The ability to remove a file on Unix has nothing to do with the file's permissions!
(root is exempt from permission checks, and a directory with the sticky bit set, such as /tmp, adds an ownership check to the rule above; the sticky bit is one of the special permission bits covered in a later section.)
Let's reexamine our previous example:
$ ls -ld
drwxr-x---  2 gboyd    cisdept  96 Oct  3 16:07 .
$ ls -l
total 4
-rw-r-----  1 gboyd    c76036   48 Oct  3 16:03 homework1
-r--r-xrwx  1 msamdi0  users     2 Oct  3 16:03 password
-rwxr-xr--  1 marie    c76131    0 Oct  3 16:07 submit_quiz
$
In this directory, a few things are surprising:
although msamdi0 owns a file in the directory, he has no access to it! This is because he does not have x permission to the directory. msamdi0 cannot even list the directory!
members of the group cisdept, other than gboyd, have permission to list the directory and to use the files in it (if they have permissions to the files), but cannot delete them. Thus if marie is in cisdept, she can update the contents of submit_quiz, but she cannot delete it!
although gboyd does not have permission to update the contents of submit_quiz, he can delete it, since he has write permission to the directory. This is so commonly misunderstood that rm, when run from a terminal, asks for verification before removing a file you cannot write (an unusual thing on Unix). The question is cryptic, but it is telling you that you are about to remove submit_quiz even though its permissions (754 here) indicate it is not writable by you. Unless you answer y, the file will not be removed.
This verification message can be a problem if the rm command is in a shell script. In this case, the hapless user will be presented with the verification question, possibly referring to a file that he or she doesn't even know exists. It can also be a problem when removing a structure recursively, as the verification message will appear for each object that is not writable but can be removed. To avoid these problems, add the -f option (force) to the rm command. Be aware that -f also makes rm silent about files that do not exist, so a misspelled name in a script goes unnoticed:
$ rm -f submit_quiz
$ ls -l submit_quiz
submit_quiz not found
$
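The following is an added example, not part of the original course page, that turns the rules of the last two sections into code. It parses ls -l lines like the ones above, decides which of the three permission sets applies to a user, and then answers the questions asked in the text: what Malak gets for each file, what happens when he loses a group, and who can remove submit_quiz (which depends only on the directory's mode). The user names, group memberships and the listing are taken from the text and re-typed here as constructed sample input; the parser also accepts the trailing period or + that newer versions of ls print after the mode.

```python
import re

# Constructed sample input: the directory and file listing from this section,
# re-typed in ls -l column order (mode, links, owner, group, size, date, name).
DIR_LINE = "drwxr-x---  2 gboyd    cisdept   96 Oct  3 16:07 ."
FILE_LINES = {
    "homework1":   "-rw-r-----  1 gboyd    c76036    48 Oct  3 16:03 homework1",
    "password":    "-r--r-xrwx  1 msamdi0  users      2 Oct  3 16:03 password",
    "submit_quiz": "-rwxr-xr--  1 marie    c76131     0 Oct  3 16:07 submit_quiz",
}

# mode (10 chars, optional trailing '.' or '+'), links, owner, group, size,
# month, day, time-or-year, name.
LS_RE = re.compile(
    r"^([-dlbcps][rwxsStT-]{9})[.+]?\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+"
    r"[A-Za-z]{3}\s+\d{1,2}\s+\S+\s+(.+)$"
)


def parse_ls_line(line):
    """Return (owner, group, mode_str, name); mode_str is the nine rwx characters."""
    m = LS_RE.match(line.strip())
    if not m:
        raise ValueError("not an ls -l line: %r" % line)
    full, owner, group, name = m.groups()
    return owner, group, full[1:], name


def which_class(owner, group, user, user_groups):
    """Exactly one set applies: the owner gets u, other group members g, everyone else o."""
    if user == owner:
        return "u"
    if group in user_groups:
        return "g"
    return "o"


def effective_perms(mode_str, owner, group, user, user_groups):
    """The rwx triple that applies to user, e.g. 'r-x'.  A set-id or sticky
    character (s/t) counts as x set, its upper-case form (S/T) as x not set."""
    start = {"u": 0, "g": 3, "o": 6}[which_class(owner, group, user, user_groups)]
    triple = mode_str[start:start + 3]
    return triple[:2] + ("x" if triple[2] in "xst" else "-")


def can_use_entries(dir_mode, dir_owner, dir_group, user, user_groups):
    """x (search) on the directory: without it nothing inside can be opened or cd'd to."""
    return "x" in effective_perms(dir_mode, dir_owner, dir_group, user, user_groups)


def can_remove(dir_mode, dir_owner, dir_group, user, user_groups):
    """rm/mv of an entry need w and x on the directory; the file's own mode is irrelevant.
    (root bypasses this and the sticky bit adds an owner check; both are out of scope here.)"""
    p = effective_perms(dir_mode, dir_owner, dir_group, user, user_groups)
    return "w" in p and "x" in p


def access_in_dir(dir_line, file_line, user, user_groups):
    """Effective triple for a file reached through its directory, or '---' when the
    directory's missing x permission blocks the path to it."""
    downer, dgroup, dmode, _ = parse_ls_line(dir_line)
    fowner, fgroup, fmode, _ = parse_ls_line(file_line)
    if not can_use_entries(dmode, downer, dgroup, user, user_groups):
        return "---"
    return effective_perms(fmode, fowner, fgroup, user, user_groups)


def worked_example():
    """The questions asked in the text, answered by the functions above."""
    malak, malak_groups = "msamdi0", {"b20027", "c76131", "c76036"}
    downer, dgroup, dmode, _ = parse_ls_line(DIR_LINE)
    out = {}
    for name, line in FILE_LINES.items():
        owner, group, mode, _ = parse_ls_line(line)
        out["malak " + name] = effective_perms(mode, owner, group, malak, malak_groups)
    # Malak drops cs110 and loses group c76036: homework1 falls through to 'other'.
    o, g, m, _ = parse_ls_line(FILE_LINES["homework1"])
    out["malak homework1 after drop"] = effective_perms(m, o, g, malak, malak_groups - {"c76036"})
    # The directory is drwxr-x--- gboyd cisdept.  Malak is not in cisdept, so he cannot
    # reach his own file; gboyd can remove submit_quiz although he cannot write it;
    # marie (owner of submit_quiz, assumed to be in cisdept) can write it but not remove it.
    out["malak password via dir"] = access_in_dir(DIR_LINE, FILE_LINES["password"], malak, malak_groups)
    out["gboyd removes submit_quiz"] = can_remove(dmode, downer, dgroup, "gboyd", {"cisdept"})
    out["marie removes submit_quiz"] = can_remove(dmode, downer, dgroup, "marie", {"cisdept", "c76131"})
    out["marie writes submit_quiz"] = access_in_dir(DIR_LINE, FILE_LINES["submit_quiz"], "marie", {"cisdept", "c76131"})
    return out


if __name__ == "__main__":
    for question, answer in worked_example().items():
        print("%-28s %s" % (question, answer))
```

Notice that can_remove never looks at the file's mode at all: that is the rule in the box above, expressed as code.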
Changing owner and group
The owner of a piece of data can change its owner and group, although, depending on what system you are on, there may be restrictions. On System V-derived systems, the owner can change the owner and group without restrictions. On BSD-derived systems, and on Linux, which follows the BSD rule here, only root can use chown to change the owner, and a normal user can only change the group of her data to a group that she is a member of.
chown newowner files-and-directories
chgrp newgroup files-and-directories
Remember, by changing the owner of a piece of data you are transferring control of that data to someone else. While you still may be able to delete it (if you have write permission to the directory it is in), you can not change its owner or permissions again, as you no longer own it!
Never change the owner of a directory!
Changing Permissions
If you are the owner of a piece of data you can change its permissions. The program to change permissions is chmod, which comes from change mode, since a file's permissions are also called its mode.
There are two ways to use chmod:
if you want to set all the permissions for the data at once, use chmod absolute. This form uses a number to represent the permissions.
if you want to modify certain permissions and leave others as they are, use chmod symbolic. This form uses letters to represent permissions and operators to indicate how to modify them.
chmod symbolic
Although less-often used, chmod symbolic is easier to understand. The syntax looks like
chmod [classes]<op><perms> files-and-directories
where classes are a combination of u (user), g (group), o (other), or a for all (the same as ugo). If no classes are indicated, the classes affected are those allowed by the user's umask (see below).
op is one of + (add), - (delete), or = (set)
perms is a combination of r, w and x in a string like rw or rx
There are no spaces allowed in this permissions string. Multiple strings may be combined in a single chmod command by using commas between them.
Let's look at some examples:
chmod u+r file1 | add r permission for the user |
chmod o+x dir1 | add x permission for other |
chmod g-r,u+x file1 | delete r permission for group and add x permission for user |
chmod a=r file1 | set the permissions to r-- for user, group and other |
If the permissions changes in a chmod string overlap, they are applied from left to right:
chmod a=rw,g-w file1 means set the permissions to rw-rw-rw-, then delete w for group, resulting in rw-r--rw-
chmod also has an option -R to apply the chmod command recursively. This is of limited use on its own, as you usually want different permissions on files and on directories. The symbolic form has a capital X permission for exactly this case: chmod -R a+rX dir gives everyone read permission, and gives execute (search) permission only to the directories and to files that already have some execute bit, leaving plain data files non-executable.
chmod absolute
The absolute form of chmod uses a three-digit octal number to represent all of the permissions. The first octal (base 8) digit represents the user's permissions, the middle, the group, and the last, other's permissions. Each octal digit is the sum of read (4), write (2) and execute (1), where the value is added if the permission is set. (Each of 4, 2, 1 is a single binary digit, where a value of 1 is "on" and 0 is "off".) Thus
permission | binary value | octal value |
rw-rw-r-- | 110 110 100 | 664 |
rwxr-xr-- | 111 101 100 | 754 |
------rwx | 000 000 111 | 007 (written 7) |
--x--x--x | 001 001 001 | 111 |
There are no exercises for chmod, as this is review. Practice with it yourself on some dummy files.
umask
When data is created its permissions are set. After that, the only way to modify the permissions is through chmod. The permissions are determined by taking the default permissions, then applying umask to deny certain permissions.
the default permissions are either
the system default of all permissions that make sense. These are rw for everyone for files (666) and rwx for everyone for directories (777) OR
the permissions of the original object, if copying. Thus, when you are copying a file, the default permissions for the copy are the same as the original.
umask is a setting in the user's process that acts as a filter to turn off (deny) permissions when data is created. Each bit set in umask denies that permission in the result. Thus, a umask value of 077 denies all permissions for group and other in the files being created.
Let's take our previous set of example files:
-rw-r-----  1 gboyd    c76036  48 Oct  3 16:03 homework1
-r--r-xrwx  1 msamdi0  users    2 Oct  3 16:03 password
-rwxr-xr--  1 marie    c76131   0 Oct  3 16:07 submit_quiz
With a umask of 027, which is a common setting, what are the permissions resulting from the following commands:
cp homework1 homework2 - The permissions of the new file homework2 is the same as homework1 since the permissions that are denied by umask are already not set in homework1.
cp password password1 - The permissions 457 of password are modified by umask when copying to password1 as follows: user permissions are unchanged (umask digit 0 denies no permissions); group permissions are unchanged (umask digit 2 denies write permission, which is not set in password's group permissions (r-x=5)); other permissions (7) are completely denied by the umask digit 7. Result: 450. It is important to notice here that umask calculations are not subtractions!
mkdir dir1 - The permissions of dir1 without umask would be set to all possible (777). umask modifies them to 750.
Using a different umask value of 143, which is unusual, let's try a few more:
cp submit_quiz submit_quiz1 - The permissions 754 of submit_quiz are modified as follows: user permissions are set to rw- because the x permission is denied by the umask digit of 1; group permissions are set to --x because the r permission is denied by the umask digit of 4; other permissions are not modified, since the umask digit of 3 denies write and execute, and neither of these permissions is set. Result: 614 (not 754 - 143 = 611, which is what a subtraction would give).
cp password homework1 - Since the file homework1 already existed, its permissions are unaltered by the copy. Remember, permissions are only set when the data is created! If you overwrite an existing file, the permissions are unaltered!
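Here is an added example, not part of the original course page, that does the umask arithmetic from this section in Python and then confirms it against a real filesystem. The pure functions model umask as a bit filter (mode AND NOT umask), which is why 754 under umask 143 gives 614 rather than 611. check_on_disk reproduces what cp and mkdir do under the hood: cp creates the target with the source's mode as the creation mode, mkdir asks for 777, and the kernel applies the umask; an existing target keeps its mode. The file names and modes are the ones used in the text; the throw-away directory and the assumption that the filesystem honours mode bits (a normal Linux or BSD filesystem) are mine.

```python
import os
import stat
import tempfile

FILE_DEFAULT = 0o666  # "all permissions that make sense" for a new file
DIR_DEFAULT = 0o777   # ... and for a new directory


def apply_umask(mode, umask):
    """umask is a filter, not a subtraction: each bit set in umask is cleared in mode."""
    return mode & ~umask & 0o777


def new_file_mode(umask):
    return apply_umask(FILE_DEFAULT, umask)


def new_dir_mode(umask):
    return apply_umask(DIR_DEFAULT, umask)


def copy_mode(src_mode, umask, dest_mode=None):
    """Mode of dest after 'cp src dest' (no -p).  A new dest is created with the
    source's mode filtered by umask; an existing dest keeps the mode it already had."""
    if dest_mode is not None:
        return dest_mode
    return apply_umask(src_mode, umask)


def octal(mode):
    return format(mode, "03o")


def page_examples():
    """The cases worked in the text, with the text's modes and umasks as inputs."""
    return {
        "umask 027: cp homework1 homework2":      octal(copy_mode(0o640, 0o027)),
        "umask 027: cp password password1":       octal(copy_mode(0o457, 0o027)),
        "umask 027: mkdir dir1":                  octal(new_dir_mode(0o027)),
        "umask 143: cp submit_quiz submit_quiz1": octal(copy_mode(0o754, 0o143)),
        "umask 143: cp password homework1":       octal(copy_mode(0o457, 0o143, dest_mode=0o640)),
    }


def check_on_disk(umask=0o027):
    """Confirm the arithmetic against the kernel in a throw-away directory.
    cp does open(dest, O_WRONLY|O_CREAT|O_TRUNC, src_mode); mkdir asks for 0777."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            def path(name):
                return os.path.join(d, name)

            def mode_of(name):
                return stat.S_IMODE(os.stat(path(name)).st_mode)

            # homework1 created fresh: 666 filtered by the umask (640 for umask 027)
            os.close(os.open(path("homework1"), os.O_WRONLY | os.O_CREAT, FILE_DEFAULT))
            # password made to look like the text's 457 (chmod is not filtered by umask)
            os.close(os.open(path("password"), os.O_WRONLY | os.O_CREAT, FILE_DEFAULT))
            os.chmod(path("password"), 0o457)
            # cp password password1: the creation mode is the source's 457
            os.close(os.open(path("password1"), os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode_of("password")))
            # mkdir dir1
            os.mkdir(path("dir1"), DIR_DEFAULT)
            # cp password homework1: dest already exists, so the mode argument is ignored
            os.close(os.open(path("homework1"), os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode_of("password")))
            return {n: mode_of(n) for n in ("homework1", "password1", "dir1")}
    finally:
        os.umask(old)


if __name__ == "__main__":
    for case, result in page_examples().items():
        print("%-40s -> %s" % (case, result))
    print({n: octal(m) for n, m in check_on_disk(0o027).items()})
```

Run it as a normal user rather than root: root can still create the files, but the point of the exercise is seeing that the mode bits, not your privileges, decide the result.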
querying umask
You can inquire about the current value of umask by just typing umask
-bash$ umask
0077
-bash$
Note that the umask value is shown as four digits. There are actually 12 permission bits, not nine (3 times rwx), but the most significant three are only used in special cases. In practice your umask value will have 0 as its most significant digit. The umask values we have been discussing, e.g., 143 above, could also be written 0143. The umask value shown in this example (0077) is the same as 077, or, indeed, as 77.
Using umask with chmod symbolic
If you recall, we said that it is not necessary to specify a class when using chmod symbolic. In this case, the class is all classes indicated by umask. For example, if your umask is 077, the command
chmod +w file1
will add w permission only for the user, since umask indicates that w permission for group and other should be denied.
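The symbolic form is simple enough to implement, and doing so makes both the left-to-right rule from the chmod symbolic section and the umask rule just described explicit. The following is an added example, not part of the original course page: a Python function that applies a symbolic chmod string to a mode, with the umask deciding which classes an unqualified clause like +w touches, and with the capital X convention of GNU and BSD chmod (execute only for directories and for files that already have an execute bit). The starting modes in page_examples are assumed, since the text's examples do not state them; only the nine rwx bits are handled.

```python
import re

CLASS_BITS = {"u": 0o700, "g": 0o070, "o": 0o007, "a": 0o777}
PERM_BITS = {"r": 0o444, "w": 0o222, "x": 0o111}
CLAUSE_RE = re.compile(r"^([ugoa]*)([+\-=])([rwxX]*)$")


def apply_symbolic(mode, spec, umask=0, is_dir=False):
    """Apply a symbolic chmod string ('u+x', 'a=rw,g-w', '+w', 'a+rX') to mode.
    Clauses are applied left to right.  An omitted class list means all classes,
    but bits set in umask are left alone (so '+w' with umask 077 only adds w for
    the user, and '=rw' clears everything, then sets only the bits umask allows).
    'X' is the GNU/BSD extension: x only for directories and for files that already
    have some x bit.  Only the nine rwx bits are handled; set-id and sticky are not."""
    mode &= 0o777
    for clause in spec.split(","):
        m = CLAUSE_RE.match(clause)
        if not m:
            raise ValueError("bad chmod clause: %r" % clause)
        classes, op, perms = m.groups()
        class_mask = 0o777 if classes == "" else 0
        for c in classes:
            class_mask |= CLASS_BITS[c]
        perm_mask = 0
        for p in perms:
            if p == "X":
                if is_dir or mode & 0o111:
                    perm_mask |= PERM_BITS["x"]
            else:
                perm_mask |= PERM_BITS[p]
        bits = class_mask & perm_mask
        if classes == "":
            bits &= ~umask  # no class given: the umask decides which classes are touched
        if op == "+":
            mode |= bits
        elif op == "-":
            mode &= ~bits
        else:  # "=": clear the named classes entirely, then set exactly these bits
            mode = (mode & ~class_mask) | bits
    return mode


def rwx(mode):
    """Render nine permission bits the way ls -l shows them, e.g. 'rw-r--rw-'."""
    flags = (0o400, 0o200, 0o100, 0o40, 0o20, 0o10, 0o4, 0o2, 0o1)
    return "".join(ch if mode & bit else "-" for ch, bit in zip("rwxrwxrwx", flags))


def page_examples():
    """The chmod strings used in the text, applied to assumed starting modes."""
    return {
        "chmod u+r file1 (from ---------)":            rwx(apply_symbolic(0o000, "u+r")),
        "chmod o+x dir1 (from rwxr-x---)":             rwx(apply_symbolic(0o750, "o+x", is_dir=True)),
        "chmod g-r,u+x file1 (from rw-r--r--)":        rwx(apply_symbolic(0o644, "g-r,u+x")),
        "chmod a=r file1 (from rwxrwxrwx)":            rwx(apply_symbolic(0o777, "a=r")),
        "chmod a=rw,g-w file1":                        rwx(apply_symbolic(0o000, "a=rw,g-w")),
        "chmod +w file1, umask 077 (from r--r--r--)":  rwx(apply_symbolic(0o444, "+w", umask=0o077)),
        "chmod -R a+rX, a directory (rwx------)":      rwx(apply_symbolic(0o700, "a+rX", is_dir=True)),
        "chmod -R a+rX, a data file (rw-------)":      rwx(apply_symbolic(0o600, "a+rX")),
    }


if __name__ == "__main__":
    for cmd, result in page_examples().items():
        print("%-46s -> %s" % (cmd, result))
```

Compare the two a+rX rows: the same recursive command leaves the directory searchable and the data file non-executable, which is what you want when fixing permissions on a whole tree.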
Preserving permissions
If you want to copy some data on a Unix system and want to preserve the permissions during the copy, you can take either the traditional approach of setting your umask to 0 first, or the more modern approach of adding the -p option to the copy command (cp).
Additional permissions
There are actually twelve permissions bits, rather than 9, and, when queried, umask will show four octal digits. The most significant bits of permissions (the most significant octal digit) are special permissions that are only used in special circumstances. These will be covered in a later section.
Besides the traditional permissions, most Linux filesystems also support access control lists (ACLs), which allow specific permissions to be set for individual users or groups beyond the owner, group and other. On a Linux system that labels files with a security context (SELinux, for example), ls -l prints a period after the permissions block; if a file or directory has an ACL, that trailing character is a + instead. Extended permissions and ACLs are covered in a later section.