Permissions
Each file on your system has a set of permissions associated with it that protects the file: a file's permissions determine which users may access that file, and what type of access they have to it.
There are three general classes of users:
- The user who owns the file ("User")
- Users belonging to the file's defined ownership group ("Group")
- Everyone else ("Other")
For each of these classes of user, there are three types of file access:
- The ability to look at the contents of the file ("Read")
- The ability to change the contents of the file ("Write")
- The ability to run the contents of the file as a program on the system ("Execute")
So, for each of the three classes of user, there are three types of access. Taken together, this information makes up the file's permissions.
Representation
There are two ways to represent a file's permissions: symbolically (using symbols like "r" for read, "w" for write, and "x" for execute) or with an octal numeric value.
For example, when you list the contents of a directory at the command line using the ls command as follows:
ls -l
You will see (among other information) the file permission information for each file. Here, it is represented symbolically, which will look like the following example:
-rwxr-xr--
There are ten symbols here. The first dash ("-") means that this is a "regular" file, in other words, not a directory (or a device, or any other special kind of file). The remaining nine symbols represent the permissions: rwxr-xr--. These nine symbols are actually three sets of three symbols each, and each set gives the permissions of one class of user, from left to right:
symbols | meaning |
---|---|
rwx | the file's owner may read, write, or execute this file as a process on the system. |
r-x | anyone in the file's group may read or execute this file, but not write to it. |
r-- | anyone at all may read this file, but not write to it or execute its contents as a process. |
Symbols
The general symbolic form of a mask is as follows:
[user class symbol(s)][permissions operator][permission symbol(s)][,]...
permission symbol is any combination of r (read), w (write), or x (execute), as described above.
user class symbol may be one of the following:
symbol | meaning |
---|---|
u | User (the owner of the file) |
g | Group (any member of the file's defined group) |
o | Other (anyone else) |
a | All (equivalent to ugo) |
permissions operator may be one of the following:
symbol | meaning |
---|---|
+ | allow the specified file permissions to be enabled for the specified user classes (permissions that are not specified are unchanged in the mask) |
- | prohibit the specified file permissions from being enabled for the specified user classes (permissions that are not specified are unchanged in the mask) |
= | allow the specified file permissions to be enabled for the specified user classes (permissions not specified will be prohibited by the mask during file creation) |
So, for example, the following umask command:
umask u+w
sets the mask so that when files are created, they will have permissions which allow write permission for the user (file owner). The rest of the file's permissions would be unchanged from the operating system default.
Multiple changes can be specified by separating multiple sets of symbolic notation with commas (but not spaces!). For example:
umask u-x,g=r,o+w
This command will set the mask so that when subsequent files are created, they will have permissions that:
- prohibit the execute permission from being set for the file's owner (user), while leaving the rest of the owner permissions unchanged;
- enable read permission for the group, while prohibiting write and execute permission for the group;
- enable write permission for others, while leaving the rest of the other permissions unchanged.
Note that if you use the equals operator ("="), any permissions not specified will be specifically prohibited. For example, the command:
umask a=
will set the file creation mask so that new files are inaccessible to everyone: no class of user is allowed any permission.
Numbers
The file creation mask can also be represented numerically, using octal values (the digits from 0 to 7). When using octal numeric representation, certain numbers represent certain permissions, and these numbers are added or subtracted from each other to represent the final, combined permissions value. Specifically, the numbers 1, 2, and 4 represent the following permissions:
number | permission |
---|---|
4 | read |
2 | write |
1 | execute |
These numbers are used because every combination of them adds up to a unique total, so a single digit identifies exactly which permissions are set. The following table illustrates their unique combinations:
read value | write value | execute value | combined value | symbolic equivalent |
---|---|---|---|---|
0 | 0 | 0 | 0 | --- |
0 | 0 | 1 | 1 | --x |
0 | 2 | 0 | 2 | -w- |
0 | 2 | 1 | 3 | -wx |
4 | 0 | 0 | 4 | r-- |
4 | 0 | 1 | 5 | r-x |
4 | 2 | 0 | 6 | rw- |
4 | 2 | 1 | 7 | rwx |
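The two notations above, the symbolic form used by umask (u-x,g=r,o+w) and the octal 4/2/1 digits, are two views of the same nine bits. The following Python is an added example, not part of the original page: it converts a symbolic string such as -rwxr-xr-- to its octal value and back, and applies a sequence of symbolic umask clauses to a numeric mask using the meaning of +, - and = described in the Symbols section. The function names and the clause regular expression are this example's own.

```python
import re

PERM_BITS = {"r": 4, "w": 2, "x": 1}    # the 4/2/1 values from the table above
CLASS_SHIFT = {"u": 6, "g": 3, "o": 0}  # bit offset of each class's triplet
CLAUSE = re.compile(r"^([ugoa]*)([+\-=])([rwx]*)$")

def symbolic_to_octal(sym):
    """'rwxr-xr--' -> 0o754; a leading file-type character (from ls -l) is dropped."""
    if len(sym) == 10:
        sym = sym[1:]
    if len(sym) != 9:
        raise ValueError("expected nine permission symbols")
    mode = 0
    for i, ch in enumerate(sym):
        if ch == "rwx"[i % 3]:
            mode |= PERM_BITS[ch] << (6 - 3 * (i // 3))
        elif ch != "-":
            raise ValueError(f"unexpected symbol {ch!r} at position {i}")
    return mode

def octal_to_symbolic(mode):
    """0o754 -> 'rwxr-xr--'; only the nine permission bits are rendered."""
    out = ""
    for shift in (6, 3, 0):
        triplet = (mode >> shift) & 7
        out += "".join(ch if triplet & bit else "-" for ch, bit in PERM_BITS.items())
    return out

def apply_umask_clauses(mask, expression):
    """Apply 'u-x,g=r,o+w'-style clauses to a numeric mask and return the new mask.
    The mask holds bits *withheld* from new files, so the operators act on its
    complement: '+' clears mask bits, '-' sets them, '=' replaces a class's triplet."""
    allowed = ~mask & 0o777
    for clause in expression.split(","):
        m = CLAUSE.match(clause)
        if not m:
            raise ValueError(f"malformed clause {clause!r}")
        classes, op, perms = m.groups()
        if not classes or "a" in classes:
            classes = "ugo"  # an empty class list also means everyone
        for cls in classes:
            shift = CLASS_SHIFT[cls]
            bits = sum(PERM_BITS[p] for p in perms) << shift
            if op == "+":
                allowed |= bits
            elif op == "-":
                allowed &= ~bits
            else:
                allowed = (allowed & ~(7 << shift)) | bits
    return ~allowed & 0o777
```

Starting from a mask of 022, the page's example umask u-x,g=r,o+w yields a mask of 130, whose complement rw-r--rwx is exactly what the three bullet points above describe.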
First Digit
In octal representations of file permissions, there are actually four digits. The three important digits we've discussed are the last three digits. The first digit is a special file permission indicator, and for the purposes of this discussion can be considered always to be zero. So from here on out, when we discuss file permission 777, it may also be referred to as 0777.