Unix File Permissions
Part 1

by Kurt Keller

Regular readers of my columns will know that I'm a Unix guy. One aspect of Unix many beginners find complicated at first, is file permissions. But even experienced users often start scratching their head over these bits and flags when it gets down to more detailed settings. I take up the challenge of explaining what all these settings mean, starting out in part 1 with some basics and related necessary information, covering the more common and easy settings in part 2 and showing advanced settings and other things to consider in part 3. Depending on how familiar you already are with Unix file permissions, you might want to skip over some of the sections. Especially the whole of part 1 is entry level, but already part 2 contains information which sometimes even advanced Unix users don't know all that well.

Learning by doing is the best approach I know. If you would like to try out what is being explained but don't have a Unix system at hand, you might want to have a look at Knoppix, available from http://www.knoppix.org/. This is a complete Linux system on a bootable CD, which does not do anything to your harddisk. You put it in your CDROM drive, boot up the computer from the CD and have a fully working Linux workstation with tons of utilities right at your fingertips. All without any installation hassles and without any changes to your computer or the software installed on it.

Before we begin...

...do we need to introduce the most important commands used to display and change permissions on files and directories. If you've been hacking Unix on the command line level for ages, this will be second nature to you and you'll be using the commands without even thinking about it. But less experienced readers might be grateful for a short overview.

Please note that the commands explained here might not work on all files and directories, depending on the permissions you already have on the files and on their parent directories. After you have read part 2, such cases should be clearer, though.

list files

To list the files in a directory on Unix you use the command ls (list), which is the equivalent of the dir command in the Windows/DOS world. ls takes various options, which are all specified with a single dash in front of them. After the options, zero or more files or directories to list can be specified, with or without regular expressions. If no files or directories are given, the contents of the current directory are listed.

Please note that some Unix installations setup environments to automatically use some options with ls, even though they are not typed. Possibly you should first issue the command
unalias ls
to get rid of this automatism.

command	output
`ls`	contents of the current directory in short format
`ls a*`	everything in the current directory which starts with the lowercase letter a, displayed in short format
`ls -l`	contents of the current directory in long format
`ls -R`	contents of the current directory and any directories below it (recusively) in short format
`ls -lR`	contents of the current directory and any directories below it (recusively) in long format
`ls /etc`	if /etc is a directory (which it is), contents of /etc in short format if /etc is a file, /etc in short format
`ls -l /etc`	if /etc is a directory (which it is), contents of /etc in long format if /etc is a file, /etc in long format
`ls -ld /etc`	long format of the directory /etc itself, rather than the contents of the directory

I think the examples in table 1 should suffice for the moment. If you want to know all the details about the ls command, you can always do a
man ls
on your Unix system and read what options your version of ls supports and what the options do.

change permissions

To change the mode of a file, or in other words, the permissions different users have for the file, the command chmod (change mode) is being used, possibly followed by options, followed by the permissions and terminated with a list of one or more files and/or directories of which you want to change permissions.

change owner and/or group

In Unix, every file, directory, device, etc., for short: everything in the filesystem, does have a user owning it and a group owning it. There can't be any file which is not owned by a user and a group. (However, it can be owned by a user and/or group which is not defined on your particular system.)

The command chgrp (change group) can be used to make the file owned by a different group. For example
chgrp nobody myfile
changes the owning group of the file myfile to the group called nobody. The same syntax is being used for changing the group on a directory.

For changing the owning user of a file or directory, chown (change ownership) is being used.
chown alice myfile
chown alice:hergroup myfile
If there is a userID alice on your system, the first command will change the owning user of myfile to alice. If there's a group hergroup on your system, the second command will change both, the owning user and group of myfile; the user to alice and the group to hergroup. On some systems you might have to use a dot (.) instead of the colon (:) to separate the user from the group in the seccond command. chown, just like chgrp, works on files and directories alike.

sample long listing

When typing
ls -l
in any given directory, you are presented with a list of all the files, directories, links, devices etc. residing in this particular directory except for those starting with a period, which are considered hidden. To see the hidden ones as well, the option -a must be specified as well. You can see a sample listing in figure 1. As it is a long listing (option -l), the mode of the files, often called their permissions, is displayed as the first field of each line. The third and fourth field show the owner and the owning group of the file. The remaining fields are the number of links (second field), the size (fifth), the date and time the file was last changed and finally, in the last field, the name of the file. File names, by the way, are always case sensitive in Unix.

**Figure 1:** sample long listing
$\begin{figure}\begin{verbatim}drwx------ 2 kurt mygrp 512 Jan 15 00:08 Calend... ... latex -rw------- 1 kurt mygrp 35266 May 3 21:55 mbox\end{verbatim}\end{figure}$

users and groups

On a Unix system, each user has a unique numeric userID. Humans usaully are much better at remembering names and thus we normally use a mapping for these numeric userID's to usernames. Most of the commands will use this mapping to make our lifes a bit easier.

The third field of the long file listing is the owning user, also called the owner of the file. If there is a number instead of a username, this simply means the system could not find a mapping for the userID to a username. Whenever a user creates a new file in a normal directory, (s)he will be the owner of that file. For security reasons, most systems will not allow the owner to be changed to a different user, unless the superuser, which is called root on Unix, is making the change. This kind of change is called a file giveaway.

Well then, what can you do if you are in a team, working on a certain project, and all of the team members should be able to view and possibly even update the documentation and other files related to this project? All the members of the team, but not everybody else on the system? This is exactly what groups are for. Every user on the system does not only have a unique userID, but each user is also member of one or more groups. The system administrator can create a special group for your project team and add every team member to that group. You can now make the owning group of all the project files to be this special project group and everbody who is a member of this group can access these files, provided the file permissions are correctly set. In figure 1, most of the files are owned by group mygrp, but a few files are owned by group projgrp. As with file owners, most systems will not allow a normal user to change the owning group of a file to a group that particular user is not himself a member of. And also here, if the group displayed in the long file listing is a number, the system was unable to map the groupID to a groupname.

filetype

As you can see in figure 1, the first field of the long listing is 10 characters wide. The character in the first position of this field tells us what type of file it is. Most of the time you'll see - for regular files and d for directories. l can be found sometimes as well and stands for symbolic links. The remaining possible values usually are only found in special system directories. For a list of possible values and their meaning see table 2.

Table 2: first character in the filemode

character	filetype
b	block special file
c	character special file
d	directory
l	symbolic link
s	socket link
p	pipe (FIFO)
-	regular file

next time

We haven't talked about the actual file permissions yet. But in part 2 we will be talking about permissions on files and directories exclusively and in great detail. We haven't talked about the actual file permissions yet, that's right. Up to now we only have seen the most important commands to show and change file permissions and got some info on how to read a long file listing. Next time, however, in part 2, we'll talk about permissions on files and directories exclusively and in great detail.

References

Knoppix		`http://www.knoppix.org/`
PINBOARD		`http://www.pinboard.com/`
HighTechSamurai		`http://kurt.www.pinboard.com/`

Unix File Permissions Part 1

Unix File Permissions
Part 1