Unix file permissions

Edit me

All files and directories on a Unix-like system are assigned an owner, a group, and a set of permission flags that specify the read, write, and execute permissions for the “user” (owner), “group”, and “other”. Group permissions apply to all users who belong to the group associated with the file. “Other” is also sometimes known as “world” permissions, and applies to all other users who can access the system.

Understanding ls -l output

The command “ls -l” displays the permissions and ownership information of any given file. Here is an example of the output of this command:

-rwxrw-r-- 1 jsmith student 365 Feb 22 15:31 lab1.c

The permission flags have the following meanings:

Symbol Meaning
- Indicates flag is not set.
r File is readable.
w File is writeable. For directories, files may be created or removed.
x File is executable. For directories, files may be listed.
s Set group ID (setgid). For directories, files created therein will be associated with the same group as the directory, rather than default group of the user. Subdirectories created therein will not only have the same group, but will also inherit the sgid setting.

These definitions can be used to interpret the example output of “ls -l” presented above:

-rwxrw-r-- 1 jsmith student 365 Feb 22 15:31 lab1.c

This is a normal file named “lab1.c”, owned by user jsmith and associated with the student group. The file is readable, writable, and executable by the owner, readable and writable by members in the student group, and only readable by all other users. Of cousre, there would be no point in actually trying to execute a .c file.

Using chmod

The chmod (“change mode”) command is used to change the permission flags on existing files. It can be applied recursively using the “-R” option. It can be invoked with either octal values representing the permission flags, or with symbolic representations of the flags. The octal values have the following meaning:

Octal Modes Representation

Oct Sym Permissions
0 --- None
1 --x Execute only
2 -w- Write only
3 -wx Execute and Write
4 r-- Read only
5 r-x Read and Execute
6 rw- Read and Write
7 rwx Read, Write, and Execute

For example, you could run chmod 755 foo to grant the owner user full permissions and everyone else only read and execute permissions on a file named foo:

# ls -l foo
-rw------- 1 elvis elvis 0 Nov 19 14:49 foo
# chmod 755 foo
# ls -l foo
-rwxr-xr-x 1 elvis elvis 0 Nov 19 14:49 foo

The basic syntax for chmod when using symbolic values is as follows:

chmod [-R] [classes][operator][modes] file ...

For example, the following command grants read and write permissions to the file’s owner user and group:

chmod ug+rw file

The classes determine to which combination of user/group/other the operation will apply, the operator specifies whether permissions are being added or removed, and the modes specify the permissions to be added or removed. Classes are formed by combining one or more of the following letters:

Letter Class Description
u user Owner of the file
g group Users who are members of the file’s group
o other Users who are not the owner or members of the file’s group
a all All of the above (equivalent to “ugo”)

The following operators are supported:

Operator Description
+ Add the specified modes to the specified classes.
- Remove the specified modes from the specified classes.
= The specified modes are made the exact modes for the specified classes.

The modes specify which permissions are to be added to or removed from the specified classes. There are three primary values which correspond to the basic permissions, and two less frequently-used values that are useful in specific circumstances:

Mode Name Description
r read Read a file or list a directory’s contents.
w write Write to a file or directory.
x execute Execute a file or traverse a directory.
X “special” execute This is a slightly more restrictive version of “x”. It applies execute permissions to directories in all cases, and to files only if at least one execute permission bit is already set. It is typically used with the “+” operator and the “-R” option, to give group and/or other access to a large directory tree, without setting execute permissions on normal (non-executable) files (e.g., text files). For example, chmod -R go+rx bigdir would recursively set read and execute permissions on all files (including text files) and directories in the “bigdir” directory for group and other. Whereas, the command chmod -R go+rX bigdir would set read and execute permissions on every directory, but only set group and other read and execute permissions on files that were already executable by the owner.
s setgid This setting is typically applied to directories. If set, any file created in that directory will be associated with the directory’s group, rather than with the default file group of the owner. This is useful in setting up directories where many users share access. This setting is sometimes referred to as the “sticky bit”, although that phrase has a historical meaning unrelated to this context.

Sets of class/operator/mode may separated by commas. Using the above definitions, the previous (octal notation) example can be done symbolically:

# ls -l foo
-rw-------  1 jsmith student 4870 Apr 14 14:49 foo
# chmod u+x,go+rx foo
# ls -l foo
-rwxr-xr-x  1 jsmith student 4870 Apr 14 14:49 foo