I’m writing this because people sometimes seem to have trouble understanding permissions under Unix and get confused when setting permissions like 777 or 555.
Basically every file and directory has a user name and a group associated with it. It then has three sets of permissions: one for the owner, one for the group and one for other (everyone else).
The root user and the owner of a file have full control over what permissions are set. The owner can, for instance, remove root's permission to read the file, but root can override this. It is important to remember, though, that by default root would be blocked from accessing the file until that is overridden, so things like automatic cleanup scripts that remove files from a directory could be bypassed if they aren't written to correctly ignore permissions; this can be an advantage if you want to allow users to be able to do so.
Each of the three sets of permissions consists of three settings, Read, Write and eXecute, each of which is simply on or off.
For files what each of these does is fairly obvious:
Directories are a little bit different:
On older Unix systems, the sticky bit caused executable files to be hoarded in swap space. This feature is not useful on modern VM systems, and the Linux kernel ignores the sticky bit on files. Other kernels may use the sticky bit on files for system-defined purposes. On some systems, only the superuser can set the sticky bit on files.
When the sticky bit is set on a directory, files in that directory may be unlinked or renamed only by the directory owner as well as by root or the file owner. Without the sticky bit, anyone able to write to the directory can delete or rename files. The sticky bit is commonly found on directories, such as /tmp, that are world-writable.
Permissions as shown in an ls -l listing:
U G O ref user grp size date time name
drwxrwxrwt 13 root root 16K 2007-04-17 23:09 tmp
The ‘d’ stands for directory; for normal files this will be a ‘-’. Next we have the three permissions for the owning user (root), ‘rwx’, then the three for the group (root), ‘rwx’, and then the three for other users, ‘rwt’. So root and the owner have full permissions (in this case the owner is also root), while all other users have almost full permissions but cannot modify the directory itself.
Then there is a counter. It isn't important to understand, but it counts how many times that file or directory is referenced; when it reaches 0 the file system considers that space free and will reuse it for new files. For normal files this is normally 1, unless the file has been hard linked. For directories it changes with the number of subdirectories they contain, since each subdirectory has a link back to the parent directory in the form of ‘..’; a directory without subdirectories has 2, one for the parent directory's link and another for the directory's link to itself.
We then have the user name (root), which the owner permissions apply to, and then the group (also root), which the group permissions apply to. Then the time and date.
Users have a primary group but can belong to multiple supplementary groups; these are defined in the /etc/group file. This way it is possible to have a file that one user can modify as their own, that people in the same group as the file can read but not modify, and that everyone else is completely blocked from. You can use ‘usermod’ to change which groups a user belongs to, and you can see what groups you are in with ‘id’.
usermod -aG newgroup username
The -a tells usermod to append to the user's groups; without it, any groups the user is already in would be removed if they weren't specified. -G is for supplementary (secondary) groups, which are normally all you need to change; the lower-case -g sets the primary group instead.
It is a good idea to have no permissions enabled on unmounted mount points such as /mnt/cdrom; you can then set a different set of permissions for when it is mounted, which will automatically be applied each time that file system is mounted. If you want regular users to be able to mount something, that is set in /etc/fstab, not in the mount point's permissions. Doing this gives users a permission denied error if they try to access an unmounted directory, rather than just an empty directory.
Letter mode vs octal mode permissions
Often you will see chmod commands with numbers, such as ‘chmod 750 /tmp/somefile’. These are permissions in octal mode (octal because there are 8 choices, 0-7); there is one digit each for user, group and other. Each digit is a combination of the different permissions: each permission type is assigned a value, execute is 1, write is 2 and read is 4, and these numbers are added together to get a permission, such as 5 for read and execute, or 7 for full permissions. Sometimes there is a fourth (leading) digit for the extra bits such as sticky and setuid. See ‘man chmod’ for more information.
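As an added example (not code from the original post), here is a small POSIX shell script that does by hand what the ls listing section and the octal section above describe: it turns the symbolic mode string that ls prints into the octal form chmod takes, including the leading digit for setuid, setgid and sticky, and it applies the owner, group, other rule to work out which triad governs a given user. The user names (alice, bob, carol), the group name staff and the modes in the demo are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Decodes the mode string
# that ls -l prints (e.g. drwxrwxrwt), converts it to the octal form chmod
# takes, and applies the owner/group/other rule to constructed users.

# Value of one rwx triad: r=4, w=2, x=1. A lower-case s or t in the
# execute position means execute is set; upper-case S or T means it is not.
triad_value() {
    v=0
    case "$1" in r??) v=$((v + 4)) ;; esac
    case "$1" in ?w?) v=$((v + 2)) ;; esac
    case "$1" in ??[xst]) v=$((v + 1)) ;; esac
    echo "$v"
}

# sym_to_octal <10-char mode>  ->  4-digit octal, e.g. drwxrwxrwt -> 1777
# The leading digit holds the extra bits: setuid=4, setgid=2, sticky=1.
sym_to_octal() {
    u=$(printf '%s\n' "$1" | cut -c2-4)
    g=$(printf '%s\n' "$1" | cut -c5-7)
    o=$(printf '%s\n' "$1" | cut -c8-10)
    s=0
    case "$u" in ??[sS]) s=$((s + 4)) ;; esac   # setuid
    case "$g" in ??[sS]) s=$((s + 2)) ;; esac   # setgid
    case "$o" in ??[tT]) s=$((s + 1)) ;; esac   # sticky
    printf '%d%d%d%d\n' "$s" "$(triad_value "$u")" "$(triad_value "$g")" "$(triad_value "$o")"
}

# access_class <user> "<user's groups>" <file owner> <file group>
# Exactly one class applies, chosen in the order owner, group, other;
# a user who is the owner never falls through to the group triad.
access_class() {
    if [ "$1" = "$3" ]; then echo owner; return; fi
    for gname in $2; do
        if [ "$gname" = "$4" ]; then echo group; return; fi
    done
    echo other
}

# effective_triad <mode> <file owner> <file group> <user> "<user's groups>"
# Prints the three permission letters that actually apply to <user>.
effective_triad() {
    case "$(access_class "$4" "$5" "$2" "$3")" in
        owner) printf '%s\n' "$1" | cut -c2-4 ;;
        group) printf '%s\n' "$1" | cut -c5-7 ;;
        other) printf '%s\n' "$1" | cut -c8-10 ;;
    esac
}

# Demo on the live system: the mode of /tmp, normally 1777 (sticky + rwx for all).
[ -d /tmp ] && sym_to_octal "$(ls -ld /tmp | cut -d' ' -f1)"

# Demo on constructed values: alice owns the file, its group is staff,
# and the mode is ----rwx--- (nothing for the owner, rwx for the group).
effective_triad '----rwx---' alice staff alice 'alice staff'   # ---  (owner triad wins)
effective_triad '----rwx---' alice staff bob   'bob staff'     # rwx
effective_triad '----rwx---' alice staff carol 'carol'         # ---
```

The effective_triad demo makes explicit what the text leaves implicit: the classes are checked in order and exactly one of them applies, so the owner of a file with mode ----rwx--- gets nothing even though she is a member of the file's group, while another member of staff gets rwx. This is the same reason a 777 directory cannot be "locked down" for its owner alone by tightening the owner triad: the owner triad is what applies to the owner, nothing else.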
If you don’t like the number system you can use the easier to remember letter system, such as ‘chmod ugo+rwx /tmp/somefile’, which gives user, group and other full permissions.
Setting permissions en masse
You might want to set all files in a directory to one set of permissions, such as 644, to allow the user read and write but everyone else read only. This can be done with ‘chmod -R 644 /directory’, but it has a problem: if there are subdirectories and you set these permissions on them, users will not be able to enter them, because entering a directory needs execute access. You can fix this with the command ‘chmod -R ugo+X /directory’; the capital X tells chmod to apply the execute bit only to directories (and to files that already have an execute bit set for someone).
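An added example (not code from the original post) of the approach a practitioner usually prefers for this: setting file and directory modes separately with find -type, so that directories get their search bit back without ugo+X handing execute to every class, and verifying the result. The demo tree, its file names and the 640/750 variant are constructed for this example; the only assumption is a POSIX find and chmod.

```shell
#!/bin/sh
# Added example, not code from the original post. Sets file and directory
# modes separately with find -type instead of one chmod -R, then verifies.

# set_tree_perms <dir> [file-mode] [dir-mode]   (defaults 644 / 755)
set_tree_perms() {
    root=$1; fmode=${2:-644}; dmode=${3:-755}
    # Directories first, one chmod per directory (\;): find applies the
    # action to a directory before descending into it, so a tree that was
    # already hit by "chmod -R 644" gets its search bit back as find goes.
    find "$root" -type d -exec chmod "$dmode" {} \;
    find "$root" -type f -exec chmod "$fmode" {} +
}

# check_tree_perms <dir> [file-mode] [dir-mode]
# Succeeds only if every file has exactly file-mode and every directory
# exactly dir-mode; -perm with a plain octal mode is an exact match.
check_tree_perms() {
    root=$1; fmode=${2:-644}; dmode=${3:-755}
    stray=$(find "$root" \( -type f ! -perm "$fmode" -o -type d ! -perm "$dmode" \) -print)
    [ -z "$stray" ]
}

# Constructed demo tree: a world-writable script and a subdirectory that
# lost its search bit, which is the situation described in the text.
make_demo_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/sub/deeper"
    printf 'hello\n' > "$tmp/a.txt"
    printf '#!/bin/sh\necho hi\n' > "$tmp/sub/b.sh"
    chmod 777 "$tmp/sub/b.sh"
    chmod 644 "$tmp/sub"
    echo "$tmp"
}

# When run directly: build the tree, fix it, report, clean up.
demo() {
    t=$(make_demo_tree)
    set_tree_perms "$t"
    if check_tree_perms "$t"; then echo "tree ok: files 644, dirs 755"; fi
    set_tree_perms "$t" 640 750       # stricter variant: group read, nothing for others
    if check_tree_perms "$t" 640 750; then echo "tree ok: files 640, dirs 750"; fi
    rm -rf "$t"
}
demo
```

Two points worth noticing: the directory pass uses one chmod per directory rather than chmod ... {} +, because with a batched command find would try to descend into a 644 directory before chmod ever ran on it; and the check uses -perm with an exact mode, so a script that someone left world-writable shows up as stray rather than being silently accepted.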