Unix File Permissions

Users and Groups

Every Unix file or directory is associated with a user and a group. You can find out a file's user and group by using the -l option of the ls command. Typing ls -l on a Unix system should produce something like this:

-rw-r--r--   1 davidson users      29747 Sep  2 00:03 trmptel.zip

The file's user, in this case davidson, is listed in the third column. The file's group, in this case users, is listed in the fourth column.

If you use the ls -l command on a directory, it will list all the files and subdirectories of the directory. If you only want information about the directory itself, use the ls -ld command.

Setting the user of a file or directory

When you create a file or directory, it is owned by you. Only the system operator, aka root, can change its user.

Setting the group of a file or directory

Every user of the Unix operating system can belong to one or more groups. Groups are created by the system operator. To see your groups, type the following cryptic command

On most systems here at UNCA, you will find that you belong to only one group. On bulldog, users are generally associated with either the group facstaff or the group students. On the Computer Science workstations, users are usually associated with group users. If you are a member of only one group, you may just as well skip on to the next section.

If you wish to change the group associated with a file or directory to one of your other groups, simply use the command chgrp, as in:

Verify that you successfully made the change by using the ls -ld command, as in:
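The whole sequence of this section (see which groups you belong to, change a file's group to one of them, then confirm the change with ls -ld) as an added shell example; it is not part of the original page. The file name notes.txt is constructed for the example, the target group defaults to your primary group so the script works for anyone, and the check refuses a group you are not a member of, which is the case in which chgrp would fail anyway.

```shell
#!/bin/sh
# Added example: inspect group membership and change a file's group.

# Print the groups the current account belongs to, one per line.
my_groups() {
    id -Gn | tr ' ' '\n'
}

# Succeed only if $1 is one of the caller's groups.
in_my_groups() {
    for g in $(id -Gn); do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# Print the group column (field 4) of `ls -ld` for the given path.
file_group() {
    ls -ld "$1" | awk '{ print $4 }'
}

# Create a scratch file, chgrp it to $1 (default: the primary group from
# `id -gn`), and print the group that `ls -ld` reports afterwards.
change_group_demo() {
    target=${1:-$(id -gn)}
    in_my_groups "$target" || { echo "not a member of $target" >&2; return 1; }
    dir=$(mktemp -d)
    f="$dir/notes.txt"          # constructed file name
    : > "$f"
    chgrp "$target" "$f" || { rm -rf "$dir"; return 1; }
    file_group "$f"
    rm -rf "$dir"
}

# Stand-alone run: show memberships, then demonstrate the change.
my_groups
change_group_demo
```

Run it with a group name as the first argument (for example `change_group_demo students` on bulldog) to move the scratch file into another of your groups; the value it prints is exactly what the fourth column of ls -ld shows, which is the check the text recommends.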

Types of access

Unix distinguishes between three types of file access: read, write, and execute. For normal files, not directories, the meaning of these methods of access is straightforward:

read Read contents of file
write Write or modify contents of file
execute Execute the file as a program

Since very few files are programs, the execute permission is generally not used for regular files.

These three types of access have related, though slightly different, meanings for directories:

read List the files within a directory
write Add and delete files within a directory
execute Access files within a directory

For directories, the distinction between read and execute access is subtle. We'll look at these in more detail in a bit.
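The read-versus-execute distinction for directories, shown concretely in an added shell example that is not part of the original page. It builds a scratch directory holding one constructed file, secret.txt, sets the directory's user permissions to one of r, x or rx, and reports whether listing the directory and reading the file inside it succeed. One caveat worth knowing: root bypasses mode bits entirely, so run this as an ordinary user to see the denials.

```shell
#!/bin/sh
# Added example: what read and execute each permit on a directory.

# Print "list=ok|denied access=ok|denied" for directory $1, which is
# assumed to contain a file named secret.txt.
probe_dir() {
    if ls "$1" >/dev/null 2>&1; then l=ok; else l=denied; fi
    if cat "$1/secret.txt" >/dev/null 2>&1; then a=ok; else a=denied; fi
    printf 'list=%s access=%s\n' "$l" "$a"
}

# Apply symbolic mode $1 (e.g. u=r, u=x, u=rx) to a fresh scratch
# directory holding secret.txt, probe it, restore the mode, clean up.
dir_perm_demo() {
    d=$(mktemp -d)
    echo hello > "$d/secret.txt"       # constructed content
    chmod "$1" "$d"
    result=$(probe_dir "$d")
    chmod u+rwx "$d"                   # restore so cleanup can proceed
    rm -rf "$d"
    printf '%s\n' "$result"
}

# Succeed when running as root, in which case every probe reports ok.
running_as_root() {
    [ "$(id -u)" -eq 0 ]
}

# Stand-alone run: the three interesting settings side by side.
for mode in u=rx u=r u=x; do
    printf '%-5s ' "$mode"; dir_perm_demo "$mode"
done
```

With u=r you can see the file names but not open them; with u=x you can open a file whose name you already know but cannot list the directory; only u=rx gives the everyday behaviour. That is why a directory intended to hold files other people may read normally carries both r and x for those accessors.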

Types of accessors

Since every file and directory has a user and a group, this creates three classes of potential file accessors:

user User of the file
group Group associated with the file
other Others -- neither user nor group

The matrix of control

So, we have three types of potential accessors and three types of potential access. That gives us nine potential kinds of file access. When you type the ls -l command, the first column gives the permissions associated with a file or directory in a ten-character string.

%woodfin ls -l
total 1541
drwxr-xr-x    3 brock    root         8192 Jun 13  2000 cgiplay
-rw-r--r--    1 brock    root        23316 Jun 27 13:48 characters.html
drwxr-xr-x   34 brock    man          8192 Jul 21 14:31 classes
drwxr-xr-x    2 brock    root         8192 Mar 10  2001 comparch
drwxr-xr-x    2 brock    man          8192 Mar 27  2001 compeng

Let's look at the first two ten-character permission strings: drwxr-xr-x and -rw-r--r--. The first character, in our examples 'd' and '-', gives the type of the file or directory. 'd' is for directories and '-' is for "regular" files. There are several other infrequently occurring types that we don't discuss here.

The remaining nine characters of the ten-character permission string are broken down into three three-character strings. For example, rwxr-xr-x is decomposed into rwx, r-x, and another r-x. The three groups correspond, in order, to the three potential types of file accessors: user, group members, and others. The three letters within each group correspond to the three potential types of file access: read, write, and execute (for files) or search (for directories).

Permission drwxr-xr-x is attached to a directory that can be read (listed) and executed (searched) by everyone but can be written only by its user. Permission -rw-r--r-- is attached to a file that can be read by everyone, written only by its user, and executed by no one.

Finally, there are rare times when you will see a 's', 'S', or 't' in the execute position. Consult a reference on Unix system administration if you want to find out more about these cases.
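A decoder for the ten-character string, as an added shell example that is not code from the original page. It splits the string into the file type and the user, group and other triples described above, and also converts it to the octal mode that chmod accepts numerically. It goes slightly beyond the text by handling the rare 's', 'S', 't' and 'T' characters in the execute position: 's' and 't' still count as executable, the capital forms mean the special bit is set without execute, and each adds a leading octal digit (setuid 4, setgid 2, sticky 1).

```shell
#!/bin/sh
# Added example: decode an `ls -l` permission string.

# Classify the first character of the ten-character string.
perm_type() {
    case "$1" in
        d*) echo directory ;;
        -*) echo "regular file" ;;
        *)  echo other ;;
    esac
}

# Print the user, group and other triples, space separated.
perm_triples() {
    s=$1
    printf '%s %s %s\n' "$(printf '%s' "$s" | cut -c2-4)" \
                        "$(printf '%s' "$s" | cut -c5-7)" \
                        "$(printf '%s' "$s" | cut -c8-10)"
}

# Numeric value of one triple: r=4, w=2, x=1.
# 's' and 't' in the third position imply execute; 'S' and 'T' do not.
triple_value() {
    v=0
    case "$1" in r??)     v=$((v+4)) ;; esac
    case "$1" in ?w?)     v=$((v+2)) ;; esac
    case "$1" in ??[xst]) v=$((v+1)) ;; esac
    echo "$v"
}

# Convert e.g. drwxr-xr-x to 755; a leading digit is prepended only
# when a setuid, setgid or sticky marker is present.
perm_to_octal() {
    set -- $(perm_triples "$1")
    special=0
    case "$1" in ??[sS]) special=$((special+4)) ;; esac
    case "$2" in ??[sS]) special=$((special+2)) ;; esac
    case "$3" in ??[tT]) special=$((special+1)) ;; esac
    u=$(triple_value "$1"); g=$(triple_value "$2"); o=$(triple_value "$3")
    if [ "$special" -ne 0 ]; then
        printf '%s%s%s%s\n' "$special" "$u" "$g" "$o"
    else
        printf '%s%s%s\n' "$u" "$g" "$o"
    fi
}

# Stand-alone run over the two strings discussed in the text.
for p in drwxr-xr-x -rw-r--r--; do
    printf '%s  %-12s  triples: %s  octal: %s\n' \
        "$p" "$(perm_type "$p")" "$(perm_triples "$p")" "$(perm_to_octal "$p")"
done
```

Reading the octal digits back is the same exercise in reverse: 7 is rwx, 5 is r-x, 4 is r--, 6 is rw-, 0 is ---.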

Changing file permission

The chmod (change mode) command is used to set the permissions of a file or directory. You can either add or remove permissions associated with a file. If you wanted to add write access to a file for members of the file's group, you would execute a command similar to:

To remove read access to a file for everyone but yourself, execute:

To remove write access to a file for everyone, including yourself, execute:

Hopefully, you get the idea by now. Use '+' to add access and '-' to remove access. The letters before the '+' or '-' are the folks to whom the action is being applied: 'u' for the user, 'g' for the group, and 'o' for others. The letters after the '+' or '-' are our usual 'r', 'w', and 'x'. And, finally, always use "ls -l" to see if you got it right!
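The three chmod changes this section describes, applied to a scratch file and checked with ls -l after each one, as an added shell example that is not part of the original page. The file name report.txt is constructed, the file is first put at the common -rw-r--r-- so the results are predictable, and the symbolic forms used (g+w, go-r, ugo-w) are the ones implied by the rules in the paragraph above rather than commands quoted from the page.

```shell
#!/bin/sh
# Added example: symbolic chmod changes with an ls -l check after each.

# Print the ten-character permission string `ls -ld` shows for $1.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Create a fresh -rw-r--r-- scratch file, apply each symbolic change
# given as an argument in order, and print the final permission string.
chmod_demo() {
    d=$(mktemp -d)
    f="$d/report.txt"          # constructed file name
    : > "$f"
    chmod 644 "$f"             # start from the familiar -rw-r--r--
    for change in "$@"; do
        chmod "$change" "$f"
    done
    perm_string "$f"
    rm -rf "$d"
}

# Stand-alone run: the three cases from the text, plus a combination.
printf 'g+w    -> %s  (group may now write)\n'            "$(chmod_demo g+w)"
printf 'go-r   -> %s  (only the user may read)\n'          "$(chmod_demo go-r)"
printf 'ugo-w  -> %s  (nobody may write, including you)\n' "$(chmod_demo ugo-w)"
printf 'g+w o-r-> %s  (two changes, applied in order)\n'   "$(chmod_demo g+w o-r)"
```

Several accessor letters can be combined before the '+' or '-', and several permission letters after it, so ugo-w removes write from all three triples in one command; the ls -l check at the end is what confirms the change actually landed where you intended.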