Most people who deal with *nix systems occasionally get confused about file and directory permissions. Sometimes it’s the order of the read, write, and execute bits. Other times it’s the octal notation, or maybe how to decipher the setuid and sticky bit trickery.
My goal is for this page to serve as an instant UNIX/Linux permissions refresher and/or primer for those who either 1) never quite got it in the first place, or 2) sometimes get tripped up on the details.
Let’s start some output from ls:
# ls -lah // my favorite ls options
-rwxr-xr-- 1 daniel consultants 5K Mar 10 06:55 scanner.rb -rwxr-xr-x 1 sarah teachers 18M Jul 30 10:07 papers.tar.bz2
Three Sets Of Three (blue)Since we’re looking at a file and not a directory, the first character we see starts the nine (9) character string defining three (3) types of permissions for three (3) different access levels (3 x 3 = 9). Remember to count the dashes.
UGO (Like the car)(blue)The way the three sets break down is according to the following order: User, Group, Other. UGO. So the first set of rwx‘s is for the user, the second is for the group, and the third is for everyone else.
See Who Owns The File (red)You can always see the user and group owners of a file but never the "other". That’s because "other" permissions simply apply to those who are not one of the other two.
Quite a few people get tripped up when they see the permissions listed as a set of three numbers. There’s no cause for alarm. Just remember that this number is simply three binary placeholders, each one holding the number that corresponds to the access level in r, w, x order. Observe the chart:
Also remember that permissions are different on directories than they are on files. On files they’re pretty much like you’d expect them: read the file, write/delete the file, and execute the file. But for directories it’s a bit less intuitive.
Read means you can get a directory listing.
Write says you can create or delete contents within the directory.
Execute means you are able to enter the directory, i.e. cd into it.
This is one of the bits (it’s British for parts, lol) that gives people the most trouble. No worries.
Setuid was designed to solve a very basic problem: user’s not having enough permission to run certain programs. The answer was to add an option within files to say, "Regardless of who runs this program, run it as the user who owns it, not the user that executes it."
In today’s world this is a lot like getting poked in the eye with a stick. It’s just not cool, so don’t partake. Here’s the way it looks, though, in case you come across it in the wild:
-rwsr-xr-- 1 daniel consultants 5K Mar 10 06:55 scanner.rb
You see that little "s" in there? It stands for Satan. Notice that it resides where the "x" (execute) would have been for the user: that’s because it’s setUID, and it relates to execution. Also, it’s a lowercase "s" in this example because both the setuid bit and the execute bit are set. If only the setuid bit is set (and the user doesn’t have execute permissions himself) it shows up as a capital "S".
[ Note: This capitalization issue applies to all of the "special" permission bits. The general rule is this: If it’s lowercase, that user HAS execute. If it’s uppercase, the user DOESN’Thave execute. ]
Setguid isn’t used nearly as much, but it’s the same exact concept applied to the group that the file belongs to instead of the user. Here’s how it looks:
-rwxr-Sr-x 1 bjones principals 101K Aug 16 04:01 grades.xml
Notice that this time the "s" is in the group’s set instead of the user’s. Also notice that it’s a capital "S" instead of a lowercase one. Again, that means that the group (principals in this case) doesn’t have execute permissions themselves, but when the program is executed by either bjones or any random user with access to the file, it’ll run with the rights of the principles group.
The sticky bit had a funky purpose originally, but it’s now used to keep people from modifying or deleting the contents of directories that the user or group owns. You can apply it to files as well, but it’s usually employed on directories.
An example application of the sticky bit is a school assignment in which you have shared space on a server, with each student having a directory. Using the sticky bit, the administrator could ensure that once a given student created content in their respective folder, no other student could come in and delete it.
Here’s how it looks:
drwxr-xr-t 1 alice alice 4.4K 2007-01-01 09:21 Alice
Remember that if "everyone" (other) doesn’t have execute permissions on the directory it’ll be a capital T instead of lowercase.
To change permissions you use the chmod command and simply lay out what you want the permissions to look like on the file directory.
Change the permissions on your web directory to 755.
Get a weekly breakdown of what's happening in security and tech—and why it matters.
chmod 755 web_directory
Change the permissions on your grocery list to 644.
chmod 644 grocery_list.txt
You can also assign the special properties to a file or directory using chmod.
Set setuid on a script
chmod 4644 script.rb
Set guid on a script
chmod 2644 script.rb
Set the sticky bit on a directory
chmod 1644 myfiles
Well, hopefully this was able to refresh you on the basic permissions and/or the special bits. If you have any comments, corrections, or any suggestions for how I could improve this document, please let me know.