Beyond the Basics : File Permissions in Unix/Linux

A user’s ability to read from or write to files on a UNIX system depends on the permissions that have been granted for that file by the owner of the file or directory.

The user who creates a file is the owner of that file. Every file and directory comes with three types of permissions:
• Read: Lets you view the contents of the file. On a directory, read permission lets you list the names of the entries in it.
• Write: Lets you change the contents of the file. Write permission on a directory lets you create, rename, or delete entries in that directory; note that deleting a file requires write permission on the directory, not on the file itself.
• Execute: Lets you run the file if it contains an executable program or script. On a directory, execute (also called search) permission lets you enter it and reach its entries by name; without it, read permission on the directory gives you nothing but the names.
Read permission is the most basic permission. For a script, having the execute permission without the read permission is of no use: the interpreter named on the #! line has to open and read the script, so the run fails with "Permission denied". A compiled binary is different, because the kernel loads it directly; a binary with only the execute bit set can still be run (but not copied or inspected). Keep in mind that root bypasses the read and write checks entirely.
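The script-versus-binary distinction is easy to check for yourself. The following is an added example, not code from the original article: it creates a throwaway script and a copy of the system ls binary, gives each mode 111 (execute only, no read) and reports whether it runs. It assumes a Unix host with sh, cp, chmod, mktemp and an ls executable on PATH, and an unprivileged user (root bypasses the read check, so the script would run as root).

```shell
#!/bin/sh
# Added example (not part of the original article). Shows that a script with
# execute-but-no-read permission cannot run, because the #! interpreter must
# open and read it, while a compiled binary with the same mode runs, because
# the kernel loads it directly. Assumes sh, cp, chmod, mktemp and `ls` on PATH.

# Run "$1" with one argument and print "ran" or "denied".
try_exec() {
    if "$1" "$2" >/dev/null 2>&1; then
        echo ran
    else
        echo denied
    fi
}

# Shell script with mode 111: the interpreter cannot open it (unless root).
script_exec_only() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\nexit 0\n' > "$d/hello.sh"
    chmod 111 "$d/hello.sh"
    try_exec "$d/hello.sh" ""
    rm -rf "$d"
}

# The same script with mode 555 (read + execute): runs as expected.
script_read_exec() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\nexit 0\n' > "$d/hello.sh"
    chmod 555 "$d/hello.sh"
    try_exec "$d/hello.sh" ""
    rm -rf "$d"
}

# Compiled binary with mode 111: execve() succeeds without read permission.
binary_exec_only() {
    d=$(mktemp -d) || return 1
    # Keep the name "ls" so a busybox-style multicall binary still picks the right applet.
    cp "$(command -v ls)" "$d/ls"
    chmod 111 "$d/ls"
    try_exec "$d/ls" "$d"
    rm -rf "$d"
}

echo "script, mode 111: $(script_exec_only)"   # denied (as a non-root user)
echo "script, mode 555: $(script_read_exec)"   # ran
echo "binary, mode 111: $(binary_exec_only)"   # ran
```

The practical consequence: stripping the read bit from a script does not stop anyone from running it without also stripping the execute bit, and it does not protect a binary from being run, only from being read.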

Use the ls -al command to list the file permissions along with the filenames in a directory. For example, look at the (partial) output of the following command:

$ ls -al
-rwxrwxrwx 1 oracle dba 320 Jan 23 09:00 test.ksh
-rw-r--r-- 1 oracle dba 152 Jul 18 13:38 updown.ksh
-rw-r--r-- 1 oracle dba 70 Nov 22 01:30 tokill.ksh

You'll notice that at the beginning of each line, each file has a combination of ten characters made up of letters and hyphens (-).
The first character gives the file type: a hyphen (-) means a regular file, d means a directory, and l means a symbolic link (device files and other special types use further letters).
The next nine characters are grouped into three sets of rwx. The rwx group refers to the read, write, and execute permissions on that file. The first set of rwx indicates the permissions assigned to the owner of the file. The second set lists the permissions assigned to the group that owns the file, applying to members of that group other than the owner. The last set lists the permissions on that file granted to all the other users of the system.

For example, consider the access permissions on the following file:
-rwxr-x--x 1 oracle dba Nov 11 2001 test.ksh

Because the first character is a hyphen (-), this is a file, not a directory. The next three characters, rwx, indicate that the owner of the file test.ksh has all three permissions (read, write, and execute) on the file. The next three characters, r-x, show that all the users who are in the same group as the owner have read and execute permissions, but not write permissions. In other words, they cannot change the contents of the file. The last set of characters, --x, indicates that all other users on the system have only the execute permission: they cannot read or modify the file, and because test.ksh is a shell script, the execute bit without the read bit means they cannot actually run it either, as noted above.

Any file that you create will first have the permissions set to -rw-r--r-- (644) under the common default umask of 022; the umask decides which bits are cleared at creation time, so a stricter umask such as 077 gives -rw------- instead. With 644, everybody can read the file, and no user has permission to execute it. If you put an executable program inside the file, you'll want to grant someone permission to execute the file. You can set the permissions on the file by using the chmod command in one of two ways.
First, you can use the symbolic notation, with the letter u standing for the user who owns the file, g for the group, o for other users on the system, and a for all three at once. You grant a group or users specific permissions by first specifying the entity along with a plus sign (+) followed by the appropriate symbol for the permission; a minus sign (-) removes a permission, and an equals sign (=) sets exactly the listed permissions.

In the following example, the notation go+x means that both the group and others are assigned the execute (x) permission on the test.ksh shell script:

$ chmod go+x test.ksh

The next example shows how you can use symbolic notation to remove read and write permissions on a file from the group:

$ chmod g-rw test.ksh

Second, you can use the octal numbers method to change file permissions. Each permission carries different numeric “weights”: read carries a weight of 4, write a weight of 2, and execute a weight of 1. To determine a permission setting, just add the weights for the permissions you want to assign. The highest number that can be associated with each of the three different entities—owner,group, and all others—is 7, which is the same as having read, write, and execute permissions on the file.

For example, consider the following:

$ chmod 777 test.txt
$ ls -l test.txt
-rwxrwxrwx 1 oracle dba 102 Nov 11 15:20 test.txt

The file test.txt initially had its file permissions set to 644 (rw-r--r--). The command chmod 777 assigned full permissions (read, write, and execute) to all three entities: owner, group, and all others. Mode 777 is convenient for a quick test but should not be left in place: a world-writable file can be altered by any user on the system, and if it is a script that the owner or a scheduled job runs, anyone can change what gets executed.
If you want to change this so that only the owner has complete rights and the others have no permissions at all, set the octal number to 700 (read, write, and execute permissions for the owner, and no permissions at all for the group or others) and use the chmod command as follows:

$ chmod 700 test.txt
$ ls -altr test.txt
-rwx------ 1 oracle dba 0 Mar 28 11:23 test.txt