Setting File and Directory Permissions
How can I stop other people from seeing my files, or only allow certain people to see them?
About Unix permissions
Permissions are the way that Unix controls who can do what with files and directories. Since all the Institute computers are linked together, it would be potentially possible for everyone to have access to everyone else's files as well as their own. Obviously, this isn't an ideal situation, as it could lead to other people reading your private email, or deleting your thesis, or putting files in your home directory and using up all your quota! To overcome this problem, every file and directory on the system has an owner, a group and a set of permissions (the set of permissions is often called the mode), which between them control access to the file or directory.
To find out what permissions something has, use the -l flag to the ls command, e.g.,
torbernite% ls -l thesis.tex
-rw-r--r-- 1 bloggs pg_1999 54600 Aug 18 10:18 thesis.tex
This gives a lot of information about the file:
- the mode (-rw-r--r--)
- the number of hard links to the file [only those who understand what this means need be concerned by it]
- the file's owner (bloggs)
- the file's group (pg_1999)
- the size of the file in bytes (54,600)
- the last time the file was modified (18 August at 10:18am)
- the name of the file (thesis.tex)
Generally, the owner of a file will be the user who created it, and the group of a file will be the main group that that user belongs to (usually something like pg_1999, staff or visitor).
The equivalent listing for a directory (note that to list the information for a directory itself rather than its contents, you must use the -d flag to ls) will look something like
torbernite% ls -ld latexdir
drwxr-xr-x 2 bloggs pg_1999 1024 Aug 18 10:18 latexdir
The main difference is that the mode begins with a "d" rather than a dash ("-"), to show that this file is a directory rather than a normal file. [More experienced users will note that the number of hard links to a directory is at least 2, since it can be referred to as the current directory (".") as well as by its full pathname.]
What the permissions mean
The 10 characters that make up the mode are organised as a group of 1, and then three groups of 3. The single character at the beginning tells you whether something is a directory (d), a normal file (-), or something else. The first group of 3 gives the permissions for the file's owner; the next for the people in the file's group, and the final one for anyone else with access to the Institute computers. The three types of permissions are r for "read", w for "write" and x for "execute".
Read permission for a file lets you look at the contents of the file. For a directory, read permission lets you list the files in that directory.
Write permission for a file allows you to alter the contents of the file. Write permission for a directory allows you to create and delete files in that directory (so note it may be possible for a user to be given permission to alter the contents of a file, but not to delete it).
Execute permission on a file allows you to try to execute the file (this may fail if the file is not designed for execution, however!), while execute permission on a directory allows you to cd to that directory and also to access files in the directory. If you do not have execute permission on a directory, then you won't be able to look at or alter the contents of its files, even if you have the necessary permissions on those files. To access a file, you actually need execute permission on all the directories above it in the filesystem, as well as the directory it actually lives in; for example, if dir2 is a subdirectory of dir1, and you have execute permission on dir2 but not dir1, then you can't access files in dir2.
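The access rules just described, worked through as an added example (not part of the original page): a small model of a directory tree with constructed owners, groups and modes, and a check that applies the page's rule that a file is only reachable if you hold execute permission on every directory above it.

```python
# Added example, not from the original page. Models the Unix access rules
# described above on a constructed tree: each path maps to (owner, group,
# numeric mode). Users and names here are made up for illustration.

R, W, X = 4, 2, 1  # the numeric values of read, write and execute

# Constructed tree: dir1 is private to bloggs, dir2 and the file below it
# are world-readable, which is the page's "dir1/dir2" situation.
TREE = {
    "/home": ("root", "root", 0o755),
    "/home/bloggs": ("bloggs", "pg_1999", 0o750),
    "/home/bloggs/thesis.tex": ("bloggs", "pg_1999", 0o664),
    "/home/bloggs/dir1": ("bloggs", "pg_1999", 0o700),
    "/home/bloggs/dir1/dir2": ("bloggs", "pg_1999", 0o755),
    "/home/bloggs/dir1/dir2/notes.txt": ("bloggs", "pg_1999", 0o644),
}

def perm_bits(mode, user, group, owner, file_group):
    """Pick the owner, group or other triplet that applies to this user."""
    if user == owner:
        return (mode >> 6) & 7
    if group == file_group:
        return (mode >> 3) & 7
    return mode & 7

def can_access(tree, path, user, group, want):
    """True if `user` (in `group`) holds all the `want` bits on `path`.

    Every directory above the path must grant execute permission first;
    without that the file's own permissions never come into play.
    """
    parts = path.strip("/").split("/")
    for depth in range(1, len(parts)):
        parent = "/" + "/".join(parts[:depth])
        owner, file_group, mode = tree[parent]
        if not perm_bits(mode, user, group, owner, file_group) & X:
            return False  # cannot even reach the next component
    owner, file_group, mode = tree[path]
    return perm_bits(mode, user, group, owner, file_group) & want == want

if __name__ == "__main__":
    f = "/home/bloggs/dir1/dir2/notes.txt"
    print(can_access(TREE, f, "bloggs", "pg_1999", R))  # owner: True
    print(can_access(TREE, f, "smith", "pg_1999", R))   # blocked by dir1
```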
Changing the permissions
The command for changing the permissions of a file is called chmod (for "change mode"). Its syntax is chmod new_mode files (but see man chmod for other flags and options to the command).
You can specify new_mode either as a numeric code, or as a variant on ugo+-=rwx. Some people find the numbers easier, others like to use the letters. Using the numbers can be quicker once you get used to it; also once you understand the numeric method it is much easier to understand the concept of a umask. However, the letters method can do everything that the numeric code method can.
For the numeric code method, new_mode is specified as a three-digit number, where each of the digits is a sum of one or more of the numbers 1, 2 and 4. The first digit gives the owner's permissions; the second the group's permissions; and the third gives permissions for everyone else. 1 stands for execute, 2 for write and 4 for read; the permissions are worked out by adding up the relevant digits.
For example, to set the permissions on myprogram so everyone can read and execute it, but only the owner can write to it (i.e., to set the mode to -rwxr-xr-x), use
torbernite% chmod 755 myprogram
To protect myfile so only the owner can read or write to it (i.e., to set the mode to -rw-------), use
torbernite% chmod 600 myfile
To use the letters method, you need to use the codes for the file's owner (u for "user"), the file's group (g) and everyone else (o for "others"). You can specify new_mode as a succession of instructions, separated by commas, which alter or set the current mode of the file. Each instruction begins with one or more of the user codes u, g or o; followed by either + to add a permission, - to remove a permission or = to remove all old permissions and set this as the new one; and finally one or more of the permission codes r, w or x.
For example, if the mode of myprogram is -rwxr-xr-x, as set above, and we decide that we don't want anyone outside the group to be able to read or execute it, but we are happy now for members of the group to be able to alter it (for example, if the program is being developed by a team), we can use
torbernite% chmod o-rx,g+w myprogram
to change the mode to -rwxrwx---.
Those who are interested in this kind of thing may notice that the numeric method and the letters methods are related - essentially the numeric modes are octal representations of the bits in the mode.
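The numeric method, the letters method and the octal relationship between them, worked through as an added example (not part of the original page): converting the rwx string that ls -l prints to the octal digits chmod takes, and applying ugo+-=rwx instructions such as o-rx,g+w to a numeric mode. The function names are my own; this is a model of chmod's arithmetic, not the chmod program itself.

```python
# Added example, not from the original page. Shows why the numeric and
# letters methods agree: both just set or clear bits in three octal digits.

PERMS = {"r": 4, "w": 2, "x": 1}   # the numbers the page adds up
WHO = {"u": 6, "g": 3, "o": 0}     # bit shift of each triplet of the mode

def rwx_to_octal(rwx):
    """'-rwxr-xr-x' (as printed by ls -l) or 'rwxr-xr-x' -> 0o755."""
    if len(rwx) == 10:
        rwx = rwx[1:]  # drop the leading file-type character (d or -)
    if len(rwx) != 9:
        raise ValueError("mode must be nine characters of r, w, x or -")
    mode = 0
    for i, ch in enumerate(rwx):
        if ch == "-":
            continue
        if ch != "rwx"[i % 3]:
            raise ValueError(f"unexpected {ch!r} at position {i}")
        mode |= PERMS[ch] << (6 - 3 * (i // 3))
    return mode

def octal_to_rwx(mode):
    """0o640 -> 'rw-r-----' (the nine permission characters)."""
    out = ""
    for shift in (6, 3, 0):
        bits = (mode >> shift) & 7
        for ch in "rwx":
            out += ch if bits & PERMS[ch] else "-"
    return out

def apply_symbolic(mode, spec):
    """Apply comma-separated chmod instructions like 'o-rx,g+w' to mode.

    'a' is accepted as shorthand for 'ugo'; the umask is not modelled.
    """
    for instr in spec.split(","):
        i = 0
        while i < len(instr) and instr[i] in "ugoa":
            i += 1
        whos, op, perms = instr[:i], instr[i:i + 1], instr[i + 1:]
        if not whos or op not in ("+", "-", "=") or any(p not in PERMS for p in perms):
            raise ValueError(f"bad instruction {instr!r}")
        bits = sum(PERMS[p] for p in perms)
        for w in whos.replace("a", "ugo"):
            shift = WHO[w]
            if op == "+":
                mode |= bits << shift
            elif op == "-":
                mode &= ~(bits << shift)
            else:  # '=': replace this triplet entirely
                mode = (mode & ~(7 << shift)) | (bits << shift)
    return mode & 0o777
```

Running apply_symbolic(0o755, "o-rx,g+w") gives 0o770, which octal_to_rwx renders as rwxrwx---, the result the page arrives at by the letters method.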