Solaris Advanced User's Guide

File and Directory Security

File permissions help to protect files and directories from unauthorized reading and writing. Often you will have files you want to allow others to read but not change. In other situations, you might want to share executable files or programs. File permissions enable you to control access to your files.

The following list describes the three basic file and directory permission types.

  • r (read): for a file, its contents can be read; for a directory, the names of its entries can be listed.

  • w (write): for a file, its contents can be changed; for a directory, entries can be created, renamed, or removed in it. Deleting a file therefore depends on the permissions of the directory that contains it, not on the permissions of the file itself.

  • x (execute): for a file, it can be run as a program; for a directory, it can be entered (made the current directory) and its entries can be accessed by name.

You can set permissions for three categories of users.

  • The owner of the file or directory (called the user)

  • Members of the owner's group

  • All other users (called others, or the world)

Displaying Permissions and Status (ls -l)

Use the -l option with the ls command to display a long listing of the files and directories in the current directory, in alphabetical order.

Figure 3–2 Displaying Permissions and Status

The following describes the screen output shown in the figure.

The first character on the line indicates the file type. A dash (-) indicates an ordinary file, a d indicates a directory, and other characters can indicate other special file types.

The next nine characters indicate the permissions for the file or directory. The nine characters consist of three groups of three, showing the permissions for the owner, the owner's group, and the world, respectively. The permissions for emptyfile are rw-r--r--, indicating that the owner can read and write this file, everyone can read it, and no one can execute it. The permissions for the directory veggies2 are rwxr-xr-x, indicating that everyone has read and execute permissions, but only the owner can write to it.

In addition to file permissions, the display shows the following information for each entry:

  • The number of links to the file

  • The owner of the file

  • The group that the file belongs to

  • The size of the file, in bytes

  • The date and time the file was last modified

  • The name of the file

When you give the name of a directory, the ls -l command prints information on all the files and directories in that directory.

Listing Hidden Files (ls -a)

Some files are not listed by the ls command. These files have names that begin with the character . (called “dot”), such as .cshrc, .login and .profile. Use the ls -a command to list these dot files:


$ ls -a
.
..
.cshrc
.login
.profile
emptyfile

Notice that the files beginning with . are listed before the other files. The file . is the reference for the current directory, and the file .. is the reference for the parent directory.

In general, files that begin with . are configuration files used by the shell and other system utilities, and you usually do not need to modify them. Some exceptions exist, such as .profile and .cshrc, which you can edit to customize your login environment. Note that a dot file is hidden only from the default ls listing: anyone with the appropriate permissions can still read, write, or execute it, so protect sensitive dot files with the same chmod commands described in the next section.

Changing Permissions (chmod)

Use the chmod command to change permissions for a file or directory. You must be the owner of a file or directory, or have root access, to change its permissions. The general form of the chmod command is:


chmod permissions name

In this syntax, permissions indicates the permissions to be changed and name is the name of the affected file or directory.

You can specify the permissions in several ways. Here is one of the forms that is easy to use:

  1. Use one or more letters to indicate the type of users.

    • u (for the user)

    • g (for group)

    • o (for others)

    • a (for all three of the previous categories)

  2. Indicate whether the permissions are to be added (+) or removed (-).

  3. Use one or more letters to indicate the permissions.

    • r (for read)

    • w (for write)

    • x (for execute)

In the following example, write permission is added to the directory carrots for users who belong to the same group (thus, permissions is g+w and name is carrots).


$ cd veggies2
$ ls -l
drwxr-xr-x   2 user2    users        512 Nov  1 09:11 carrots
$ chmod g+w carrots
$ ls -l
drwxrwxr-x   2 user2    users        512 Nov  1 09:11 carrots
$

The chmod g+w carrots command in the previous example gives the group write permission on the directory carrots. The hyphen (-) in the set of permissions for group is changed to a w.

To make this same directory unreadable and unexecutable by users outside your group, type the following commands. Without read permission, other users cannot list the directory; without execute permission, they cannot enter it or reach the files in it by name, even when those files are themselves readable.


$ ls -l
drwxrwxr-x   2 user2    users        512 Nov  1 09:11 carrots
$ chmod o-rx carrots
$ ls -l
drwxrwx---   2 user2    users        512 Nov  1 09:11 carrots
$

Now, the r (for read) and the x (for execute) in the set of permissions for other users are both changed to hyphens (-).

When you create a new file, the system assigns permissions according to your umask. With the default umask of 022, a new file gets the following permissions.

-rw-r--r--

With the same default umask, a new directory gets the following permissions.

drwxr-xr-x

A more restrictive umask (for example, umask 077) creates files and directories that only the owner can access. Use the umask command with no argument to display the current value.

For example, to make a new file turnip executable by its owner (user2), type the following command.


$ ls -l turnip
-rw-r--r--   1 user2    users        124 Nov  1 09:14 turnip
$ chmod u+x turnip
$ ls -l turnip
-rwxr--r--   1 user2    users        124 Nov  1 09:14 turnip
$

If you want to change permissions for all categories of users at once, use the letter a in the permissions argument of the chmod command. To make a new file garlic executable by everyone, type the following command.


$ ls -l garlic
-rw-r--r--   1 user2    users        704 Nov  1 09:16 garlic
$ chmod a+x garlic
$ ls -l garlic
-rwxr-xr-x   1 user2    users        704 Nov  1 09:16 garlic
$

The x in the output of the ls -l command indicates garlic is executable by everyone.

You can also use the * wildcard character to change permissions for groups of files and directories. For example, to change the permissions for all the files in the current directory veggies so that the files can be written by you alone, type the following command.


$ pwd
/home/user2/veggies
$ ls -l
-rwxrwxrwx   1 user2    users       5618 Nov  1 09:18 beets
-rwxrwxrwx   1 user2    users       1777 Nov  1 09:18 corn
-rwxrwxrwx   1 user2    users       3424 Nov  1 09:18 garlic
-rwxrwxrwx   1 user2    users      65536 Nov  1 09:18 onions
$ chmod go-w *
$ ls -l
total 152
-rwxr-xr-x   1 user2    users       5618 Nov  1 09:18 beets
-rwxr-xr-x   1 user2    users       1777 Nov  1 09:18 corn
-rwxr-xr-x   1 user2    users       3424 Nov  1 09:18 garlic
-rwxr-xr-x   1 user2    users      65536 Nov  1 09:18 onions
$

Note –

The * wildcard expands to the entries in the current directory, so change to the directory you want to modify (for example, cd veggies) before you type this chmod command. Note also that * matches subdirectories as well as files, and that it does not match names that begin with . (dot files), which keep their existing permissions.
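The chmod go-w * command above changes only the non-dot entries of one directory, so a file such as .cshrc keeps its write bits while any subdirectory matched by * is changed as well. The following script, added here as an example and not part of the Solaris guide, does the same job deliberately: it uses find to list every entry under a directory whose group or others write bit is set (dot files and subdirectories included), removes that bit with chmod go-w, and re-checks. The function names and the sample tree built by make_sample_tree are the example's own; only POSIX find, chmod, ls, cut, wc and mktemp are used.

```shell
#!/bin/sh
# Added example, not from the Solaris guide: find every entry under a
# directory that group or others can write, remove that write permission
# with "chmod go-w", and check the result.

# mode_of FILE: the type and permission field of ls -ld, cut to ten
# characters because some systems append an extra marker such as "+".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# list_group_or_world_writable DIR: print each file or directory under DIR
# (DIR itself, dot files and subdirectories included) whose group write bit
# (-perm -020) or others write bit (-perm -002) is set.
list_group_or_world_writable() {
    find "$1" \( -perm -020 -o -perm -002 \) -print | sort
}

# count_group_or_world_writable DIR: the number of such entries.
count_group_or_world_writable() {
    list_group_or_world_writable "$1" | wc -l | tr -d ' '
}

# fix_group_or_world_writable DIR: remove group and others write permission
# from every such entry (the same change "chmod go-w" makes on one name) and
# print how many entries were changed. Read and execute bits are untouched,
# so a directory stays listable and searchable by its group.
fix_group_or_world_writable() {
    n=$(count_group_or_world_writable "$1")
    find "$1" \( -perm -020 -o -perm -002 \) -exec chmod go-w {} +
    echo "$n"
}

# make_sample_tree: build a constructed sample tree in a temporary directory
# (veggies/ holding a file, a dot file and a subdirectory, all group- and
# world-writable) and print its path. Sample data for this example only.
make_sample_tree() {
    base=$(mktemp -d) || return 1
    mkdir "$base/veggies" "$base/veggies/roots"
    : > "$base/veggies/beets"
    : > "$base/veggies/.cshrc"
    : > "$base/veggies/roots/carrots"
    chmod 777 "$base/veggies" "$base/veggies/roots"
    chmod 666 "$base/veggies/beets" "$base/veggies/.cshrc" "$base/veggies/roots/carrots"
    echo "$base/veggies"
}

# Usage: sh fix_writable.sh DIR
# Lists the writable entries, fixes them, and lists again (expected: nothing).
if [ $# -eq 1 ]; then
    echo "Before: $(mode_of "$1")"
    list_group_or_world_writable "$1"
    echo "Changed $(fix_group_or_world_writable "$1") entries"
    echo "After:  $(mode_of "$1")"
    list_group_or_world_writable "$1"
fi
```

Run it as sh fix_writable.sh "$(make_sample_tree)" to see the five sample entries reported and then cleared; on a real tree, run the list function first and review its output before fixing, since stripping group write from a shared directory stops group members from creating files in it.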


Setting Absolute Permissions

In the previous section, you used the chmod command to change file permissions relative to their current settings. You can also set the permissions for a file or directory absolutely by using numeric codes with the chmod command.

The syntax for this usage of the chmod command is:

chmod numcode name

In this syntax, numcode is the numeric code and name is the name of the file or directory for which you are changing permissions.

The complete numeric code consists of three numbers. One number is used for each of the three categories: user, group, and others. For example, the following command sets absolute read, write, and execute permissions for the user and the group, and execute permissions only for others.


$ chmod 771 garlic

Table 3–2 illustrates how the code 771 describes the permissions for garlic.

Table 3–2 Permissions for garlic

Permission   User   Group   Others
Read         4      4       -
Write        2      2       -
Execute      1      1       1
Total        7      7       1

Each of the columns in Table 3–2 represents one of the categories: user, group, and others. To set read permission, add 4 to the appropriate column. To set write permission, add 2. To set execute permission, add 1. The totals of the three columns, read left to right in the last row of the table, form the complete numeric code.

The following is another example of using numeric codes to set absolute permissions, with the inclusion of the ls -l command to demonstrate the results.


$ ls -l onions
-rwxr-xr-x   1 user2    users      65536 Nov  1 09:18 onions
$ chmod 755 onions
$ ls -l onions
-rwxr-xr-x   1 user2    users      65536 Nov  1 09:18 onions
$

The chmod 755 onions command sets the permissions for the file onions so that the user can read, write, and execute, group members can read and execute, and others can read and execute. In this example onions already had exactly those permissions, so the two listings are identical; an absolute code sets the permissions to the value you give regardless of what they were before. Table 3–3 describes the numeric code that is used to set the permissions for onions.

Table 3–3 Permissions for onions

Permission   User   Group   Others
Read         4      4       4
Write        2      -       -
Execute      1      1       1
Total        7      5       5

To provide read, write, and execute permissions for the file cabbage to yourself, your group, and all other users, type the following command.


$ ls -l cabbage
-rw-r--r--   1 user2    users         75 Nov  1 09:28 cabbage
$ chmod 777 cabbage
$ ls -l cabbage
-rwxrwxrwx   1 user2    users         75 Nov  1 09:28 cabbage
$

Table 3–4 describes the numeric code that is used to set permissions in the previous example.

Table 3–4 Permissions for cabbage

Permission   User   Group   Others
Read         4      4       4
Write        2      2       2
Execute      1      1       1
Total        7      7       7

The numeric code 777 represents the maximum level of the basic permissions you can provide. Use it with care: a world-writable file can be modified or replaced by any user on the system, which is especially dangerous for executables and for files kept in directories that other users can reach. When others only need to read, 755 (or 644 for a file that need not be executed) gives them that without letting them change the file.
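The permission field that ls -l prints (described under Displaying Permissions and Status, above) and the numeric codes in Tables 3–2 to 3–4 are two notations for the same nine bits. The following script, an added example that is not from the Solaris guide, converts between them with the weights read = 4, write = 2, execute = 1 from the tables, and applies a code with chmod and reads it back with ls -ld so the round trip can be checked. The function names are the example's own; the only external commands used are chmod, ls, cut and mktemp.

```shell
#!/bin/sh
# Added example, not from the Solaris guide: convert between the nine-character
# permission field printed by ls -l and the three-digit code accepted by chmod,
# using the weights read = 4, write = 2, execute = 1.

# triplet_to_digit r-x: add 4, 2 and 1 for the r, w and x positions of one
# three-character group, e.g. "r-x" -> 5. An s or t in the third position
# (how ls shows setuid, setgid or sticky together with execute) also counts
# as execute being set.
triplet_to_digit() {
    d=0
    case $1 in r??) d=$((d + 4)) ;; esac
    case $1 in ?w?) d=$((d + 2)) ;; esac
    case $1 in ??[xst]) d=$((d + 1)) ;; esac
    echo "$d"
}

# symbolic_to_octal rwxr-x--x: convert nine permission characters to the
# numeric code, e.g. "rwxr-x--x" -> 751. A full ten-character ls -l field
# such as "-rwxr-xr-x" is accepted; its leading type character is dropped.
symbolic_to_octal() {
    p=$1
    [ ${#p} -eq 10 ] && p=${p#?}
    if [ ${#p} -ne 9 ]; then
        echo "symbolic_to_octal: bad permission string: $1" >&2
        return 1
    fi
    u=$(triplet_to_digit "$(printf '%s' "$p" | cut -c1-3)")
    g=$(triplet_to_digit "$(printf '%s' "$p" | cut -c4-6)")
    o=$(triplet_to_digit "$(printf '%s' "$p" | cut -c7-9)")
    echo "$u$g$o"
}

# digit_to_triplet 5: the inverse for one category, e.g. 5 -> "r-x".
digit_to_triplet() {
    r=-; w=-; x=-
    [ $(($1 & 4)) -ne 0 ] && r=r
    [ $(($1 & 2)) -ne 0 ] && w=w
    [ $(($1 & 1)) -ne 0 ] && x=x
    echo "$r$w$x"
}

# octal_to_symbolic 751: three digits -> "rwxr-x--x".
octal_to_symbolic() {
    case $1 in
        [0-7][0-7][0-7]) ;;
        *) echo "octal_to_symbolic: bad numeric code: $1" >&2; return 1 ;;
    esac
    u=${1%??}; o=${1#??}; g=${1#?}; g=${g%?}
    echo "$(digit_to_triplet "$u")$(digit_to_triplet "$g")$(digit_to_triplet "$o")"
}

# mode_of FILE: the type and permission field of ls -ld, cut to ten
# characters because some systems append an extra marker such as "+".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# apply_and_read FILE CODE: run "chmod CODE FILE", then read the permissions
# back from ls -ld and return them as a numeric code, so the round trip
# code -> chmod -> ls -> code can be checked.
apply_and_read() {
    chmod "$2" "$1" && symbolic_to_octal "$(mode_of "$1")"
}

# Usage: sh perms.sh rwxr-x--x   prints 751
#        sh perms.sh 751         prints rwxr-x--x
if [ $# -eq 1 ]; then
    case $1 in
        [0-7][0-7][0-7]) octal_to_symbolic "$1" ;;
        *)               symbolic_to_octal "$1" ;;
    esac
fi
```

Because an absolute code replaces all nine bits at once, converting the current ls -l field first (symbolic_to_octal) shows exactly which bits a planned chmod numcode will add or remove, which is the check worth making before applying 777 or any other broad code.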

Similar to changing relative permissions, you can also use the wildcard character * to set absolute permissions for all of the files in the current directory. For example, suppose you want to set absolute permissions for all files in the current directory as follows:

  • User: read, write, and execute (7)

  • Group: read and execute (5)

  • Others: execute only (1)

To set these permissions, type the following commands.


$ pwd
/home/user2/veggies
$ ls -l
-rwxrwxrwx   1 user2    users       5618 Nov  1 09:18 beets
-rwxrwxrwx   1 user2    users       1777 Nov  1 09:18 corn
-rwxrwxrwx   1 user2    users       3424 Nov  1 09:18 garlic
-rwxrwxrwx   1 user2    users      65536 Nov  1 09:18 onions
$ chmod 751 *
$ ls -l
-rwxr-x--x   1 user2    users       5618 Nov  1 09:18 beets
-rwxr-x--x   1 user2    users       1777 Nov  1 09:18 corn
-rwxr-x--x   1 user2    users       3424 Nov  1 09:18 garlic
-rwxr-x--x   1 user2    users      65536 Nov  1 09:18 onions
$

The pwd command is included in this example to illustrate that the directory on which you perform this operation must be the current directory. The ls -l command is shown only to illustrate the changes in permissions. When setting absolute permissions, you do not need to know what the permissions are currently.

For more information on the chmod(1) command, refer to the man Pages(1): User Commands.