Linux and UNIX File Permissions Explained

The Linux and UNIX operating systems use file permissions to manage access to content stored on the computer. File permissions provide security for the files, preventing unauthorized access or changes.

It may help you to think of the computer's hard drive as a series of file cabinets. File permissions are like keys to the cabinets, controlling who can open the drawers and work with the files. The directories on the computer are like the individual drawers and folders in the cabinets. If you have many people who need to use the files in the cabinets, you can set aside individual areas for specific people, and you may also have areas shared by several people. To help avoid mistakes, and to prevent anyone from seeing things they shouldn't, each person could be given keys only to the cabinets he or she needs to be able to access.

In Linux and UNIX, anything stored on the computer's hard drive counts as a file, whether it's a program, a directory, or a regular file. Each file has its own file permissions which are used to tell the operating system what type of file it is, as well as who can access or modify it.1

This document includes the following sections providing more information on file permissions:

  1. Permissions in Detail
  2. Permissions and Programs
  3. Changing File Permissions

Permissions in Detail

There are three classes of file permissions which control the degree of access for each file. The first class is the owner, meaning the user account to which the file belongs.2 The second class is the group, which makes it possible for specific other users on the system to have access to the file. The final class is for everyone with a user account on the system.

For each class, the owner of the file can specify three levels of access rights for the file. The first is read permission, the ability to see the contents of the file. Second is write permission, the ability to modify the contents of the file. The final level is the execute permission, which is used to control the ability to run a program file.

The following is an example of a directory listing displaying file permissions on a typical Linux system (run ls -al from a command prompt):

drwxrwxr--    5 apache      apache         4096 Feb 28 15:19 .
drwxrwxr--    3 myusername  myusername     4096 Feb 28 15:17 ..
-rw-rw-r--    1 apache      apache        33298 Feb 28 15:49 index.html
drwxrwxr--    7 apache      apache         4096 Feb 28 15:32 media
-rwxr-xr--    1 myusername  myusername      178 Feb 28 15:21 rmversion

Each row in the example displays information about the file identified in the final column.3 The file permissions are displayed in a format called file mode in the first column. The third column displays the name of the user account that owns the file, and the fourth column displays the name of the group the file belongs to.

The file mode contains 10 characters which indicate the file type and permissions for each of the three classes. The file permissions for each class are indicated in sets of three characters, starting with the second one4. The first set indicates permissions for the owner of the file, the second set for the group, and the third set for everyone. The first character of each set will be an r if read permission is granted. The second character in the set uses a w to indicate write permission has been granted. The third character in the set uses an x to indicate that execute permission has been granted. If a - (dash) appears in any position, the permission that position indicates is not granted.

In the example above, you can see that the mode for index.html is -rw-rw-r--. The user permissions (positions 2, 3, and 4) are rw-, indicating the user has read and write permissions, but not execute. The group permissions (positions 5, 6, and 7) are the same as the user. The permissions for everyone (positions 8, 9, and 10) are r-- meaning that only read access is allowed.

Permissions and Programs

Because a program is a file, it is subject to the file permissions granted to it. In order to run a program, a user must have permission to read and execute the program file. If the user does not own the file, but is a member of the group the file belongs to, the file must have group read and execute permissions. To run a file that does not belong to the user, or to a group the user is a member of, the file must have read and execute permissions for everyone.

A running program is owned by the user who ran the program (not the user who owns the program file), and has the same rights that user has. This means that the program has permission to read, write, or execute the same files as the user who ran the program. A running program belongs to the group the program file belongs to.

A server is a type of program designed to grant remote users the ability to access files on the computer over the internet. Just as with any other program, the access a server has is limited by the file permissions granted to the user the server is running as. A wise system administrator will create special user accounts to run servers in order to restrict what files the server can access.

Web servers can provide the general public access to files on the computer the server is running on. This can be useful for providing information and services such as an online store, but requires special care to avoid allowing people to access files they should not.5 In order to view an HTML page in a Web browser, the special account used to run the Web server (common names include apache, web, or nobody) must have permission to read that file. The safest way to give the Web server access to a file is for the file to belong to the same special user account and group that runs the Web server and restrict what permissions the file allows. Read access should be granted to the user and group, and may be granted to everyone. Write access should only be granted to the user and group if the file will be modified by the Web server or a program (such as a CGI) run by the Web server. Execute permission should be granted to the user and group if the file is a program, such as a CGI, or a directory. It is generally not a good idea to grant write or execute permissions for everyone.
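The following script is an added example (it is not part of the original article) showing how an administrator can check a document root for the mistakes described above: content that everyone may write to, regular files that everyone may execute, and files not owned by the account the Web server runs as. It assumes a POSIX find and uses "apache" as a constructed default for the Web account; the function names and the scratch tree it builds are mine.

```shell
#!/bin/sh
# Added example, not from the original article: audit a web document root
# for the permission mistakes the text warns against. Assumes POSIX find;
# the web account name ("apache" by default) is a constructed assumption.

# Files or directories that "everyone" may write to. Symbolic links are
# skipped: on Linux their own mode is always 777 and is never consulted.
list_world_writable() {
    find "$1" ! -type l -perm -002
}

# Regular files that "everyone" may execute. Directories need x to be
# traversed, so they are deliberately left out of this check.
list_world_exec() {
    find "$1" -type f -perm -001
}

# Files not owned by the web account. Skipped with a note on stderr when
# that account does not exist on this machine, since find would otherwise fail.
list_not_owned_by() {
    if id -u "$2" >/dev/null 2>&1; then
        find "$1" ! -user "$2"
    else
        printf 'note: user %s does not exist here, ownership check skipped\n' "$2" >&2
    fi
}

count_world_writable() { list_world_writable "$1" | wc -l | tr -d ' '; }
count_world_exec()     { list_world_exec "$1" | wc -l | tr -d ' '; }

# Stand-alone run against a constructed scratch tree.
root=$(mktemp -d)
mkdir "$root/media"
: > "$root/index.html"; : > "$root/rmversion"; : > "$root/media/logo.png"
chmod 755 "$root" "$root/media"
chmod 664 "$root/index.html"      # fine: rw for owner and group, r for everyone
chmod 755 "$root/rmversion"       # a program that everyone may run: flagged
chmod 666 "$root/media/logo.png"  # mistake: everyone may write to it: flagged
printf '== world-writable (%s) ==\n' "$(count_world_writable "$root")"
list_world_writable "$root"
printf '== world-executable files (%s) ==\n' "$(count_world_exec "$root")"
list_world_exec "$root"
printf '== not owned by apache ==\n'
list_not_owned_by "$root" apache
rm -rf "$root"
```

Run it against a real document root by replacing the scratch tree with the path and the account name your server uses; anything it prints under the first two headings is a candidate for chmod o-w or chmod o-x, and the third heading lists files the server account does not own.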

Changing File Permissions

The owner of a file can change permissions for that file. The file owner can also assign the file to any group to which the user belongs. In order to change the owner of a file, the user must have administrative (super-user) access on the system.6

Changing the Mode

The chmod command can be used to change the file mode, granting or revoking read, write, or execute permissions for any of the classes:

chmod permissions filename

The permissions can be indicated in different ways. The standard way to do this is by using a three-digit number to specify the desired file permissions by using one digit for each of the permission classes. The numbers one through seven are used for each digit to indicate which permissions to set on the file:

1 : execute (--x)
2 : write (-w-)
3 : 1 + 2 (-wx)
4 : read (r--)
5 : 4 + 1 (r-x)
6 : 4 + 2 (rw-)
7 : 4 + 2 + 1 (rwx)

Using this system, you can set absolute permissions for the file, meaning the permissions are changed to whatever you indicated, regardless of what they were before. For example, if you ran chmod 775 myfile, the file myfile would have the mode -rwxrwxr-x.

While it is quick and uncomplicated to use, the standard system to specify file permissions has two significant limitations. The primary one is that it's not intuitive or easy to remember. The second is that you can only do absolute permission changes. There is a second system which, while it requires more keystrokes, is easier to remember and can be used to make relative file permission changes. The advantage of relative changes is that you only change the permissions you want to, leaving anything else the way it was.

To use the second system to specify file permissions, you simply have to remember the three types of classes and the three types of permissions. For each class and permission, there is a one-character mnemonic code:

u : user class
g : group class
o : other (everyone) class
r : read permission
w : write permission
x : execute permission

In addition to the codes, there are three operators:

+ : add permissions
- : remove permissions
= : set to specified permissions

Using this system, you indicate which classes to change (if you do not specify a class, all will be changed), how to change them, and what permissions to change. For example, you could run chmod +r myfile to add read permissions for all classes to myfile, or you could run chmod u=rw myfile to give the owner of myfile read and write permissions, but not execute. You could also run chmod ug+rw,o-wx myfile to add read and write permissions for the user and group, and remove write and execute permissions for everyone. This system is especially useful when using wildcards7 to change permissions on multiple files at a time.
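As an added example (not code from the original article), the script below ties together the mode string described under "Permissions in Detail" and the two chmod systems described here: it converts between the rwx string that ls prints and the octal digits chmod accepts, then applies an absolute change (775) followed by relative changes to a scratch file and reads each result back with ls -ld. Only the r, w and x bits covered by the article are handled; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original article. Converts between the rwx
# mode string shown by ls and the octal digits chmod takes, then shows an
# absolute chmod followed by relative ones on a scratch file. Only r/w/x
# bits are handled (no setuid, setgid or sticky bits).

# rwx_to_octal "-rwxrwxr-x" -> "775". The first (file type) character is skipped.
rwx_to_octal() {
    perms=$(printf '%s' "$1" | cut -c2-10)
    result=""
    i=0
    while [ "$i" -lt 3 ]; do
        start=$((i * 3 + 1))
        triplet=$(printf '%s' "$perms" | cut -c"${start}-$((start + 2))")
        digit=0
        case "$triplet" in r??) digit=$((digit + 4)) ;; esac   # read    = 4
        case "$triplet" in ?w?) digit=$((digit + 2)) ;; esac   # write   = 2
        case "$triplet" in ??x) digit=$((digit + 1)) ;; esac   # execute = 1
        result="$result$digit"
        i=$((i + 1))
    done
    printf '%s\n' "$result"
}

# octal_to_rwx "775" -> "rwxrwxr-x", one digit per class (user, group, other).
octal_to_rwx() {
    out=""
    for d in $(printf '%s' "$1" | sed 's/./& /g'); do
        bits=""
        if [ $((d & 4)) -ne 0 ]; then bits="${bits}r"; else bits="${bits}-"; fi
        if [ $((d & 2)) -ne 0 ]; then bits="${bits}w"; else bits="${bits}-"; fi
        if [ $((d & 1)) -ne 0 ]; then bits="${bits}x"; else bits="${bits}-"; fi
        out="$out$bits"
    done
    printf '%s\n' "$out"
}

# apply_and_show SPEC FILE: run chmod SPEC on FILE and print the resulting mode string.
apply_and_show() {
    chmod "$1" "$2"
    ls -ld "$2" | cut -c1-10
}

# Stand-alone demonstration on a scratch file.
scratch=$(mktemp)
printf 'absolute 775        -> %s\n' "$(apply_and_show 775 "$scratch")"         # -rwxrwxr-x
printf 'relative ug+rw,o-wx -> %s\n' "$(apply_and_show ug+rw,o-wx "$scratch")"  # -rwxrwxr--
printf 'relative u=rw       -> %s\n' "$(apply_and_show u=rw "$scratch")"        # -rw-rwxr--
printf 'back to octal       -> %s\n' "$(rwx_to_octal "$(ls -ld "$scratch" | cut -c1-10)")"  # 674
rm -f "$scratch"
```

The second relative change illustrates the point made above: u=rw replaces only the user class, so the group and everyone classes keep what the previous command left them with.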

Changing the Owner

The chown command changes the file owner:

chown username filename

The username must be a valid user account on the system. You can use wildcards7 in the filename to change multiple files at once. Only a user with administrative access6 can change the owner of a file.

Changing the Group

The chgrp command changes the group the file belongs to.

chgrp groupname filename

The groupname must be the name of a valid group on the system to which the user running the command belongs. You can use wildcards7 in the filename to change multiple files at once. A user with administrative access6 does not have to be a member of the target group.


Footnotes:

1. When a user accesses a file, it is done through a program, such as FTP or a shell. The program, not the user, is actually what has access based on the user account the program is running as.

2. Ownership of files is similar to employee ownership within a company. The files actually belong to the computer, but the user account has the rights and responsibility for using the file.

3. The ls -al command outputs seven columns of information for each file listed. The name of the information in each column is listed above the column in the example below:

mode        nodes owner       group          size   modified time  filename
drwxrwxr--  3     myusername  myusername     4096   Feb 28 15:17   ..

The mode, owner, and group are discussed above. The nodes column displays the number of files in a directory. The size is the file size, usually in bytes. The modified date is the time and date of the last time the file was changed. Finally, the filename is the name of the file.

4. The first character in the mode is used to indicate the type of file. A - (dash) indicates a normal file, a d indicates a directory. There are also other less common characters for other special file types.

5. Web servers can provide unauthenticated access, meaning anyone with a Web browser and an internet connection can access Web content without identification. While this is desirable for some things, allowing an anonymous user the ability to change system files, such as the Web server settings or user passwords, invites disaster. While the practice of managing file permissions and using restricted user accounts may be inconvenient, the protection it provides is well worth the effort.

6. To manage a server properly, there needs to be a special administrative user account with the ability to override any permission settings. This special user account is often called the superuser or root. Only a superuser has the ability to change the owner of a file. Contact your hosting provider or system administrator for help changing file ownership or handling other administrative tasks.

7. Wildcards are special characters used to represent a range of possible characters. For example, if you want to change the group of every file in a directory, you may want to use a wildcard to indicate every file instead of having to specify each individual filename.

There are two wildcards you will probably want to use, * (asterisk) and ? (question mark). The ? can be used to represent any single character in a string. The * can be used to represent any number of characters in a string. For example, chgrp web * would change the group for all files in the current directory, and chgrp web *.html would change the group for all files with a name ending with .html. If you had .html and .htm files, you could use chgrp web *.htm*, but that would also change myfile.html.old. A better way might be to use chgrp web *.htm?. Another occasion to use the ? might be if you use a number to indicate the version of a file, such as myfile.version1.html and myfile.version2.html. You could use the command chgrp web myfile.version?.html to change only files with a version number less than 10.