Basic Unix - File and Directory Permissions
This article describes Unix file and directory permissions.
Unix is unusual in that, under default protection, anyone on the system may read any file (except for mail files), whether or not it is in their home directory, though only the actual owner of the file may alter it. Directories are also, as a rule, open: others may list the files in or connect to (though not alter) most directories.
(Don't forget that the best way to ensure the security of your files is to change your password regularly, using the 'passwd' command.)
Access privileges in Unix are divided into three kinds: "read," "write," and "execute." There are also three kinds of people: the owner (almost always yourself), people in one of your groups (groups are rarely used on the Server Cluster), and everyone else on the machine. So each file has nine settings to consider: the read, write, and execute privileges for you, the group, and everyone else.
If you use the "ls -l" command, these file and directory privileges are listed, in somewhat cryptic fashion. ("ls -la" also lists this for files whose names begin with "." -- usually preferences files.)
Listing file permissions
Here's a sample listing for the user "demo":
> ls -laF
drwx--x--x    9 demo     1024 Feb  2 16:30 ./
drwxr-xr-x 1161 root    26112 Jan 21 07:15 /docs/
-rw-r--r--    1 demo      517 Jul 10  1992 .article
-rw-r--r--    1 demo      983 Jan 11 16:42 .cshrc
-rw-r--r--    1 demo      401 Jan 22  1991 .login
-rw-r--r--    1 demo       15 Apr 21  1992 .logout
-rw-r--r--    1 demo      263 Apr  1  1992 .mailrc
-rw-------    1 demo       42 Jan 18 15:50 .mmfast
-rw-------    1 demo      241 Jan 18 15:50 .mminit
-rw-------    1 demo      241 Jan 18 15:50 .mminit~
-rw-r--r--    1 demo        4 Feb  1 10:25 .msgsrc
-rw-r--r--    1 demo    28289 Dec  1 13:19 .newsrc
-rw-r--r--    1 demo       30 Jan 23  1992 .plan
-rw-r--r--    1 demo       19 Jan 23  1992 .project
-rw-r--r--    1 demo       33 Dec  1 13:18 .rnlast
-rw-r--r--    1 demo     2974 Dec  1 13:19 .rnsoft
drwxr-xr-x    2 demo      512 Dec  1 13:16 News/
drwxr-xr-x    2 demo      512 Apr 21  1992 Test/
-rw-r--r--    1 demo      611 Jan 23  1992 auto.groups
drwxr-xr-x    4 demo      512 Jan 11 16:08 bact/
-rw-r--r--    1 demo       30 Jan 23  1992 catfile
drwxr-xr-x    2 demo      512 Jan 25 14:50 cr2/
-rw-r--r--    1 demo       18 Jan 25 15:46 dog.sh
-rw-------    1 demo      892 Jul 31  1992 export.file
-rw-r--r--    1 demo      817 Jan 23  1992 fbin
-rwx--x--x    1 demo       25 Jul 10  1992 filename*
-rw-r--r--    1 demo     2797 Jul 17  1992 lsoutput
-rw-------    1 demo  1435932 Feb  2 11:22 mail.txt
-rw-r--r--    1 demo     1687 Jan 25 15:47 monster
-rw-r--r--    1 demo     4917 Jan 21  1992 network.info
-rw-------    1 demo    64417 Jan 18 16:44 old.mbox
-rw-r--r--    1 demo     9829 Jan 21  1992 posting.rules
drwxr-xr-x    2 demo      512 Apr 14  1992 somedirectory/
-rw-r--r--    1 demo      121 Jul 17  1992 somelittlefile
-rw-r--r--    1 demo     4752 Jan 21  1992 style.hints
-rw-r--r--    1 demo      501 Jan 25 16:13 typescript
-rw-r--r--    1 demo    16200 Jan 21  1992 whats.Usenet
(Directories end with a / and executable files with a *, since the "-F" flag is added.)
It's easier to start from the right to explain this listing. On the far right is the name of the file or directory; note that the listing includes . and .. because of the "-a" flag.
The next column to the left is the date that the directory was last modified, and the size in bytes (512 bytes for empty directories; actual files show file size).
To the left of the file size is the column indicating who the files (in this case directories) belong to. Note that ".." (which is "/q2") is owned by "root", the system administrators. The "." directory is owned by demo.
The number to the left of the owner is the number of disk blocks, which isn't important for our uses.
Finally, the column of ten letters or -'s on the far left are the privileges information. A "d" in the far left indicates a directory. Files would have a "-" there instead. The next nine characters are the read (r), write (w), and execute (x) privileges for owner or "user" (first three), group (next three), and everyone else or "others" (last three):
r - means that a file can be looked at and copied or, for a directory, that its contents can be listed. (Usually, you use 'more filename' to view a text file one screen at a time; this does not work for compiled files.)
w - means that a file can be edited, overwritten, deleted, moved, etc. For a directory, this means that files can be placed there, the directory can be moved, and so on.
x - means that the file can be run (like a program). For directories, "execute" permission means that the directory can be opened. (Standard Unix commands, like 'ls', are just executable files somewhere, as are more complicated programs, like 'ftp'.)
So, for example, the file "filename" has -rwx--x--x privileges, which means the owner can read, write, and execute the file. Anyone else on the system can only execute (run) the file.
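As an added example (not part of the original article), the POSIX shell functions below decode the ten-character mode field of an "ls -l" line into the numeric form (r=4, w=2, x=1 summed for each of user, group and others) and scan listing lines for entries that everyone on the system can write to, which is the first thing to look for when auditing a directory. The sample listing is constructed from lines in the example above plus one invented world-writable file, shared.txt, so the check has something to report.

```shell
#!/bin/sh
# Added example, not the article's own code: decode "ls -l" mode fields.

# mode_to_octal MODE: turn a ten-character mode such as "-rwx--x--x" into
# the three-digit numeric form (711): r=4, w=2, x=1, summed per triplet.
mode_to_octal() {
    bits=$(printf '%s' "$1" | cut -c2-10)    # drop the type character (d or -)
    result=""
    for start in 1 4 7; do                    # user, group, others triplets
        triplet=$(printf '%s' "$bits" | cut -c"$start-$((start + 2))")
        n=0
        case $triplet in r??) n=$((n + 4)) ;; esac
        case $triplet in ?w?) n=$((n + 2)) ;; esac
        # a lowercase s or t in the x position means the execute bit is set
        # as well; the set-id/sticky bits themselves are not part of 3 digits
        case $triplet in ??[xst]) n=$((n + 1)) ;; esac
        result="$result$n"
    done
    printf '%s\n' "$result"
}

# flag_world_writable: read "ls -l" lines on stdin and print the name of each
# entry whose "others" write bit (character 9 of the mode) is set.
flag_world_writable() {
    while read -r mode rest; do
        case $mode in
            ????????w?) printf '%s\n' "${rest##* }" ;;
        esac
    done
}

# Constructed sample listing: lines taken from the article's example plus one
# invented world-writable file (shared.txt) so the check has something to find.
SAMPLE='-rwx--x--x 1 demo 25 Jul 10 1992 filename
-rw------- 1 demo 1435932 Feb 2 11:22 mail.txt
-rw-rw-rw- 1 demo 18 Jan 25 15:46 shared.txt
drwxr-xr-x 2 demo 512 Dec 1 13:16 News'

# Usage when run directly:
mode_to_octal -rwx--x--x                        # 711
mode_to_octal drwxr-xr-x                        # 755
printf '%s\n' "$SAMPLE" | flag_world_writable   # shared.txt
```

To check a real directory rather than the constructed sample, pipe "ls -l" into flag_world_writable; the name extraction takes the last whitespace-separated word, so file names containing spaces would need a different split.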
You own your own home directory, and, by default, this is set so that you can read, write, and execute it and everyone else can read and execute it. The default for files inside your home directory is for you to read and write them and everyone else to read them. If you want, you can use chmod to change the protection on your home directory so that "others" cannot read or execute your home directory, but this is not encouraged. It is better to change the protection on individual files. If you do change the protection on your home directory, you should maintain "execute" privilege for "others". This will not allow people to see the contents of your directory, but it will allow some utilities like finger to work properly.
The way to change the privileges setting on a file or directory is the "chmod" (change mode) command. There are two ways to do this, and the online manual pages describe both of them in detail.
In brief, the first way is numeric and the second is symbolic. In the numeric system, read privileges are given the value 4, write privileges 2, and execute privileges 1. These numbers are added together separately for the owner (user), your group, and others. So, for example, "chmod 644 myfile" gives you read and write privileges for "myfile" (4+2) and your group and others only read privileges (4). To make the file executable, you can type "chmod 755 myfile", so that now you can read, write and execute it (4+2+1) and everyone else can read and execute it (4+1).
The other way to use chmod is with the abbreviations "u" for user (you), "g" for group, and "o" for others; read, write, and execute are r, w, and x, just like in the "ls -l" listing. Thus, to add write privileges for members of your group to myfile, type "chmod g+w myfile"; to remove read privileges for others, type "chmod o-r myfile".
So if you want others to be able to read and copy or use a file but not alter it, give them read privileges (and execute, if it's an executable file). To allow others to list a directory, give them read privileges (and to connect to the directory, execute privileges).
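As an added example (not the article's own code), this POSIX shell script runs the chmod commands from the text, both numeric and symbolic, against a scratch file in a throwaway directory and reads each result back from the mode field of "ls -ld". It also applies the home-directory advice above: 711 keeps others out of the listing while still letting them pass through, and 700 shuts them out entirely. The directory created by mktemp and the file names myfile and home are assumptions of the example.

```shell
#!/bin/sh
# Added example, not the article's own code: apply the chmod forms from the
# text to scratch files in a throwaway directory and read each result back
# from the mode field of "ls -ld".

# mode_of PATH: the ten-character mode field "ls -l" shows for PATH.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# chmod_demo: run the article's chmod examples on a fresh file and a fresh
# directory, printing the resulting mode after each step, one per line.
chmod_demo() {
    work=$(mktemp -d) || return 1              # throwaway working directory
    f="$work/myfile"
    : > "$f"                                   # create an empty file

    chmod 644 "$f"; mode_of "$f"               # numeric: rw- r-- r--
    chmod 755 "$f"; mode_of "$f"               # numeric: rwx r-x r-x
    chmod g+w "$f"; mode_of "$f"               # symbolic: add group write
    chmod o-r "$f"; mode_of "$f"               # symbolic: drop others' read
    chmod 600 "$f"; mode_of "$f"               # private file: owner only

    d="$work/home"
    mkdir "$d"
    chmod 711 "$d"; mode_of "$d"               # others may enter, not list
    chmod 700 "$d"; mode_of "$d"               # others may not even enter

    rm -rf "$work"
}

# Usage when run directly: prints the seven modes in order.
chmod_demo
```

Reading the mode back with ls rather than trusting the chmod invocation is a habit worth keeping: it is the only way to notice when a mode did not take, for example on a filesystem that ignores Unix permission bits.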
You might want to change the privileges of your home directory for others, or you might want to just protect certain files in your home directory.
With any update of your system, the command switches may change.
Use the manual pages command to verify that the commands are valid for your system.
From the prompt, issue: man [command name]
For example, to view the manual page for ls:
/h2/pers/dir/$ man ls
ls -- list directory contents
ls [-ABCFGHLOPRSTUW@abcdefghiklmnopqrstuwx1] [file ...]
For each operand that names a file of a type other than directory, ls displays its name as well as any requested, associated information. For each operand that names a file of type directory, ls displays the names of files contained within that directory, as well as any requested, associated information. If no operands are given, the contents of the current directory are displayed. If more than one operand is given, non-directory operands are displayed first; directory and non-directory operands are sorted separately and in lexicographical order.
The following options are available:
: <--- This is the "less" prompt. Press 'q' to quit or any other key to view the next page.