Unix File Permissions
Unix, as a multi-user system, has security measures built in. Every file carries metadata alongside its contents: the owner, the group, the permission bits that say what the owner, the group and everyone else may do with the file, the file size, the date of last modification, and so on.
Permissions exist to limit what can be done with a file and by whom. It would not be a good idea for everyone to be able to delete your files or create executable programs in your private directories.
You can examine the permissions of a file by typing ls -l filename. This command shows the permissions, the owner and group, the size, and the modification date of the file.
ex. ls -l testfile.txt will return something like this: -rw-rw-rw- 1 username username 3425 Jan 23 08:55 testfile.txt
This file has read/write permission for the owner, the group, and others (everyone). This is known as a world-writable file: anyone on the system can overwrite or truncate it. (Whether they can also delete it is decided by the permissions on the directory that contains it, not by the file's own bits.) Unless you specifically need everyone to be able to write to your file, like a CGI guestbook, this should be avoided. Give your files the minimum permissions they require.
To change a file's permissions you use the chmod program.
We can tighten up the permissions on testfile.txt by typing chmod 664 testfile.txt. This allows others to read the file but denies them write permission; the owner and group keep read/write permission.
Now testfile.txt looks like this: -rw-rw-r-- 1 username username 3425 Jan 23 08:55 testfile.txt
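Checking one file at a time with ls -l does not scale to a whole account, so here is a small shell script, added as an example and not part of the original post, that lists every world-writable regular file under a directory and strips the others-write bit from each. The function names are my own and the sample tree it builds under mktemp is constructed for the demonstration.

```sh
#!/bin/sh
# Added example: audit a directory tree for world-writable regular files.
# find -perm -002 matches any mode that includes the "others write" bit
# (the same test in symbolic form is -perm -o=w).

# Print the path of every world-writable regular file under $1.
find_world_writable() {
    find "$1" -type f -perm -002
}

# Remove the others-write bit from every world-writable regular file under $1.
# Symbolic mode o-w touches only that one bit, so owner/group permissions
# (and the execute bit on scripts) are left exactly as they were.
fix_world_writable() {
    find "$1" -type f -perm -002 -exec chmod o-w {} +
}

# Build a constructed sample tree, then report the audit count before and after fixing.
demo() {
    top=$(mktemp -d) || return 1
    mkdir "$top/cgi-bin"
    : > "$top/testfile.txt";      chmod 666 "$top/testfile.txt"       # world-writable, like the ls -l output above
    : > "$top/notes.txt";         chmod 644 "$top/notes.txt"          # already fine, must be left alone
    : > "$top/cgi-bin/guest.cgi"; chmod 777 "$top/cgi-bin/guest.cgi"  # world-writable AND executable
    before=$(find_world_writable "$top" | wc -l | tr -d ' ')
    fix_world_writable "$top"
    after=$(find_world_writable "$top" | wc -l | tr -d ' ')
    rm -rf "$top"
    echo "world-writable files before: $before, after: $after"   # → before: 2, after: 0
}
```

Run the audit first on its own (find_world_writable /home/username) and look at what comes back before fixing anything; a guestbook file that genuinely needs 666 should be excluded rather than silently tightened.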
Here are the settings that can be used for each permission digit:

| Number | Letters | Permissions |
|---|---|---|
| 0 | --- | no permissions |
| 1 | --x | execute only |
| 2 | -w- | write only |
| 3 | -wx | write/execute |
| 4 | r-- | read only |
| 5 | r-x | read/execute |
| 6 | rw- | read/write |
| 7 | rwx | read/write/execute |

As you can see there are three digits in the chmod 664 command. They correspond, in order, to the owner, the group, and others.
Here are some common examples:
- chmod 666 - read/write for the owner, group, and everyone. (Common for a guestbook type text file. It is world-writable, so use it only when everyone really must be able to write.)
- chmod 644 - read/write for the owner, read only for group and everyone.
- chmod 755 - read/write/execute for the owner, read/execute for group and everyone (common for CGI scripts).
- chmod 622 - read/write for owner, write only for group and everyone (perhaps a log file or questionnaire that others write to but may not read). Like 666 this is world-writable: anyone can overwrite the contents.
- chmod 711 - read/write/execute for owner, execute only for group and everyone (allows the web server to execute it but only the owner can read/write - no snoops). This only works for compiled programs: a script that starts with #! has to be opened and read by its interpreter, so a user with execute but no read permission gets "permission denied".
Unix treats everything as a file, and directories use the same permission bits, but the bits mean slightly different things there: read lets you list the directory's contents, write lets you create, rename and delete entries in it (regardless of the permissions on the files themselves), and execute lets you enter the directory and reach the files inside it by name.
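A quick way to convince yourself that deleting is a directory permission, not a file permission. This is an added demonstration script, not from the original post; each function builds a throwaway directory under mktemp, tries rm -f on a file in it, and prints whether the file was deleted or kept. Running it as root proves nothing, because root bypasses these permission checks entirely.

```sh
#!/bin/sh
# Added example: which bits govern deleting a file? Each function creates its own
# scratch directory, tries to delete a file in it, cleans up, and prints "deleted" or "kept".

# Try to remove $2 from directory $1. rm -f never prompts about the file's own mode,
# so the outcome depends only on whether we may write (and enter) the directory.
try_delete() {
    rm -f "$1/$2" 2>/dev/null
    [ ! -e "$1/$2" ]
}

# Case 1: a read-only (444) file inside a directory we own and may write.
delete_readonly_file_in_writable_dir() {
    top=$(mktemp -d) || return 1
    : > "$top/f"
    chmod 444 "$top/f"
    if try_delete "$top" f; then result=deleted; else result=kept; fi
    rm -rf "$top"
    echo "$result"          # deleted: the file's own mode never mattered
}

# Case 2: a world-writable (666) file inside a directory we may list and enter but not write (555).
delete_writable_file_in_readonly_dir() {
    top=$(mktemp -d) || return 1
    : > "$top/f"
    chmod 666 "$top/f"
    chmod 555 "$top"
    if try_delete "$top" f; then result=deleted; else result=kept; fi
    chmod 755 "$top"        # give ourselves write back so the clean-up can succeed
    rm -rf "$top"
    echo "$result"          # kept (as a normal user): no write bit on the directory
}
```

The same rule is why a 755 directory full of 644 files is safe from other users even though they can read every file, and why a world-writable directory is dangerous even when every file inside it is mode 644: anyone can delete or replace those files.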
A little more information about using numbers for permissions: the scheme actually uses octal digits. Each digit is built by adding together the values of the individual permissions it grants, which is where the table above comes from.
- No Permissions: 0
- Execute is: 1
- Write is: 2
- Read is: 4
By adding up these three numbers you get the permissions above.
- Read/Write permission = 6 (2 + 4)
- Read/Execute permission = 5 (1 + 4)
- Read/Write/Execute permission = 7 (1 + 2 + 4)
- etc.
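To make the addition concrete, here is a pair of shell functions (an added example, not from the original post; the names are my own) that convert between the nine-letter string ls -l prints and the three octal digits chmod takes, using nothing but the 4/2/1 values above. It goes a little beyond the page in two ways: it also accepts the full ten-character ls field, dropping the leading file-type character, and it treats the s and t letters that ls shows for set-user-ID, set-group-ID and sticky files as the execute bit they stand in for (the special bits themselves are outside these three digits).

```sh
#!/bin/sh
# Added example: convert between the letter form ls -l prints and chmod's octal digits.
# Each digit is read = 4, write = 2, execute = 1, added together, exactly as in the list above.

# mode_to_octal 'rw-r--r--'  -> 644
# mode_to_octal '-rwxr-xr-x' -> 755  (the leading file-type character from ls -l is ignored)
mode_to_octal() {
    s=$1
    [ ${#s} -eq 10 ] && s=${s#?}                  # drop the type character (-, d, l, ...)
    case $s in
        [r-][w-][xsS-][r-][w-][xsS-][r-][w-][xtT-]) ;;
        *) echo "mode_to_octal: bad mode string '$1'" >&2; return 1 ;;
    esac
    out=""
    i=1
    while [ $i -le 9 ]; do                        # one trip per owner/group/others triplet
        n=0
        case $(printf '%s' "$s" | cut -c"$i") in r) n=$((n + 4)) ;; esac
        case $(printf '%s' "$s" | cut -c"$((i + 1))") in w) n=$((n + 2)) ;; esac
        case $(printf '%s' "$s" | cut -c"$((i + 2))") in x|s|t) n=$((n + 1)) ;; esac  # lowercase s/t = execute plus a special bit
        out="$out$n"
        i=$((i + 3))
    done
    echo "$out"
}

# octal_to_mode 664 -> rw-rw-r--
octal_to_mode() {
    case $1 in
        [0-7][0-7][0-7]) ;;
        *) echo "octal_to_mode: bad octal mode '$1'" >&2; return 1 ;;
    esac
    out=""
    for d in $(printf '%s' "$1" | sed 's/./& /g'); do   # split "664" into "6 6 4"
        if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $((d & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    done
    echo "$out"
}
```

Feed it the first field of an ls -l line (mode_to_octal "$(ls -l testfile.txt | cut -d' ' -f1)") to get the number you would pass to chmod to reproduce that file's permissions.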
Another method of setting permissions
In addition to using the octal system for setting permissions, you can use letters combined with the +, - and = operators. In this system you identify the owner as u (user), the group as g, and others as o (a stands for all three). To set permissions you add a permission with +, remove one with -, or set exactly the listed permissions with =.
Here are some examples:
- chmod u+rwx,g+rx,o+x filename.txt (owner read/write/execute, group read/execute, others execute only)
- chmod u+rwx,g-rx,o-x filename.txt (owner keeps read/write/execute, group loses read/execute, others lose execute)
- chmod u=rwx filename.txt (the owner can read/write/execute; group and others keep what they had)
- chmod u=rw,g=r,o=r filename.txt (owner can read/write, group and others read only; the same as chmod 644)
The method you use is up to you; the results are the same. To me it seems clearer to use the octal system, since each time you use it you are resetting all of the permissions, so you won't accidentally overlook anything. The symbolic form earns its keep when you want to change a single bit on many files without disturbing the rest, for example chmod o-w to strip world write from everything in a directory.
That concludes this discussion of file permissions. You can find out more by reading the manual pages for ls and chmod (man ls, man chmod).