Skip to end of metadata
Go to start of metadata

1. Introduction

The UNIX filesystem is built with a system of permissions which defines user-level access for every file and directory. These permissions can be tailored to restrict or allow whatever access rights are desired.

There are three types of access permissions, with different implications for files and directories:

Access Right Files Directories
Read allow opening the file for reading allow listing of the contents of a directory
Write allow edits and deletion allow modification of the contents in a directory (delete, create, rename)
Execute allow executing the file as a program allow navigation into the directory

And there are three defined realms of users:

User Realm Description
user any individual UNIX account
group a defined set of users with common rights as a group
other all other users who are not the user or group owner. a.k.a. world

2. Understanding Permissions Notation on the Command Line

Example: using the long list command on a theoretical directory /home/bob/:

command output
ls -l /home/bob -rwxr-xr-x 1 bob bobsgroup 1093 Nov 21 12:14 file.txt

There are 10 symbols in the left column describing permissions: -rwxr-xr-x

Using positions 0123456789 for -rwxr-xr-x , here’s how it breaks down:

symbol character description
0 - describes the type of file. - is a plain file. d is a directory. There are other types, as well.
1 r user read enabled
2 w user write enabled
3 x user execute enabled
4 r group read enabled
5 - group write disabled
6 x group execute enabled
7 r other read enabled
8 - other write disabled
9 x other execute enabled

To sum up, a file with permissions -rwxr-xr-x is a plain file with the following permission bits set:
read/write/execute for user read/execute for group read/execute for other

3. Octal (numeric) Permissions Notation

The read/write/execute permissions can also be described using an octal numeric method:

number binary value character permissions
0 000 --- all disabled
1 001 --x execute
2 010 -w- write
3 011 -wx write,execute
4 100 r-- read
5 101 r-x read,execute
6 110 rw- read,write
7 111 rwx read,write,execute

With 3 sets of rwx for user/group/other, this translates to a single 3-digit number. So, using the earlier example, a file with permissions -rwxr-xr-x would be: 755

number character permissions
755 rwxr-xr-x user: read,write,execute group: read,execute other: read,execute

4. Setuid, Setgid, and the Sticky Bit

Definitions

Access Right Files Directories
setuid executed with the rights of the file’s owner, not the user starting the job does not apply does not apply
setgid executed with the rights of the group owner, not the group of the user starting the job Files created within setgid directories inherit that directory’s group ownership (GID).
sticky bit does not apply In a “sticky” directory, users can only delete files they own, regardless of group/other permissions settings on the directory

Actually, the 3-digit number representing permissions in the previous section is a bit of a hoax. It’s really a 4-digit number, with an implied 0 at the beginning. So, 755 is actually 0755. Huh?

This prefix number refers to special permissions bits for setuid, setgid, and the sticky bit. These are disabled by default (hence the default 0), but can be enabled in the same manner as the rwx bits.

Octal/Symbolic representation

number character permissions
0000 --------- all disabled
1000 --------t sticky
2000 -----s--- setgid
3000 -----s--t setgid,sticky
4000 --s------ setuid
5000 --s-----t setuid.sticky
6000 --s--s--- setuid,setgid
7000 --s--s--t setuid,setgid,sticky

Notice how the symbloic s and t take the place of X in the character description. Because of this, the state is the execute bit is hidden, but there is a convention built in to help with this. Whenever the s/t bit is in lower-case that implies that the execute bit is turned ON. When capitalized, execute is OFF.

Examples

number character permissions
4755 -rwsr-xr-x setuid is ON, and user execute is ON
2760 drwxrwS--- setgid is ON, and group execute is OFF
1777 drwxrwxrwT sticky is ON, and other execute is OFF

5. Using the chmod command

Usage

chmod [-R] changes filename(s)

  • The -R option performs recursive changes down through the filesystem tree.

Symbol Reference Table

Symbol Meaning
u user
g group
o other
a all
+ adds a permission
- removes a permission
= assigns an absolute permission
r read
w write
x execute
s,S setuid / setgid
t,T sticky bit

Examples

chmod command syntax new permissions
chmod 755 file.txt rwxr-xr-x
chmod a=rwx work rwxrwxrwx
chmod 1777 work rwxrwxrwt (sticky bit set)
chmod ug+x,o-w file.txt e.g. from rw-rw-rw-, to rwxrwxr--
chmod u+s,o-rwx file.txt e.g. from rw-r-xrwx, to rwSr-x---
chmod -R 700 work changes work and everything beneath to rwx------

6. umask

umask is a command to set the default mask for new files, which means disabling specified permission bits.

  • The umask DOES NOT ENABLE any permissions!

  • Note that different types of applications (compilers, text editors) will create new files with different default permissions settings. umask is typically defined in the acount’s startup file (e.g. .profile .cshrc .bash_profile). Note that running a umask command will not change the permissions of any existing files, only how permissions are set in the creation of new files.

Syntax

umask [mask]

Examples

default setting umask command new permissions
rwxr-xr-x umask 077 rwx------
rw-rw-rw- umask 022 rw-r--r--
rwxrwxrwt umask 002 rwxrwxr-t
rwxr-x-w- umask 777 ---------

7. Recommended settings for a shared directory

When a group is sharing a directory, setting permissions properly will allow multiple users to work in the same space effectively, but also securely.

Note: This example below will have all rights disabled for other to make things easier to look at. When setting up a shared directory, write access for other should be disabled, but read/execute may be enabled depending upon who needs access to the directory.

Example:

There are three user accounts named:

  • arnie
  • brenna
  • cathy

who all belong to a defined UNIX group:

  • support

and use a common directory:

  • /users/project/

The goal is for all members of the group support to have write access to /users/project and to have all new files they create in that directory be automatically writable by the group.

Now, let’s say that each user’s default group is NOT support. Typically in Linux, for example, each user is assigned a unique default group for better security (e.g. user: arnie, default group: arnie ). This convention of Single User Group is the topic for another discussion, however.

/users/support/: to setgid or not to setgid…

property setgid OFF setgid ON
permissions on /users/project/ drwxrwx--- drwxrws---
octal 0770 2770
ownership of new files created in /users/project/ (e.g. by arnie) user: arnie, group: arnie user: arnie, group: support

Having root own /users/project is not required. It could realistically be owned by any of the 3 users, but a privileged user like root is often more appropriate (e.g. If the arnie account is removed, it’s awkward if arnie also owns the shared directory).

To sum up the chart above, all new files created by arnie in /users/project will be owned by the group support when setgid is on (note: enabling default group write depends on the umask setting). By default, in other directories without setgid, arnie can create files and retain exclusive ownership. So, setgid is a convenient tool for enabling group sharing, though it should still be used carefully.

  • No labels