A brief summary on Unix permissions
Here’s a quick overview of Unix permissions:
- A file, or directory, has associated permissions for an owner, a group and for all other users.
- Each of those three categories, owner, group or world, can have permissions for being able to read, write, and execute a file or directory on the system. Each is set to either 1 (true, able to do so) or 0 (false, not able to do so)
- The state of these permissions are represented by a single number, which, viewed in binary, correlates to each of the three permissions. Your final permission is represented by adding together all of the bits for each user. With all three bits set to true, the number would be 7; with none set, the number is 0.
- In total, there are 9 possible permissions that can be set; the read, write and execture ability for the owner, a group and all other users in relation to a file or directory.
If you look at the diagram below, permissions can be added up in each of the columns to give you the final permission for that particular category.
So a permission of 6 doesn’t necessarily grant any more than than a permission of 5 would; it is simply a combination of different permissions; a 6 means you can write to a file or directory instead of execute it, which 5 would allow you to do. The next example might explain that further;
This example of permissions set to 766 allows everybody to do anything, but only the owner can execute files. It is probably best advised that you only allow the owner and the group to have the write bit set, unless you want anyone at all to be able to change files!
If you want to set the permissions to a file or folder in Linux, you can type the following, which will set the new permissions for a file or directory;
chmod 766 filename
To see the permissions of any files, you can list the files in a directory with the switch -l
Here you can see that the file hello.txt can be read and written only by the owner, but everyone else can still read it. Similarly, both the owner and group of the public-resources folder can read, write and execute it, but anyone else can only view and execute it. You can also see the group and owner association of the file or directory.
Note also that there is an additional bit at the start, which sometimes says “d” – this indicates that it is a directory. It is important to mention is that in order to browse a directory, to “open” it, you have to execute it. In this way, you can allow or deny access to being able to view the contents of a directory by removing the execute bit. It is probably advisable, if you want folders.
Default permissions; Umask, Fmask and Dmask
One addition to the above post is masks. What are the default permissions for files and folders?
- Fmask is the file mask. This is 666 by default.
- Dmask is the directory mask. This is 777 by default.
- The Umask is what will restrict these two masks simultaneously, by binary AND logic (in other words, subtracting itself from the other two masks)
Notice that, although the dmask is not restricted in any way, the fmask doesn’t allow execution by default. You can manually make the file executable with chmod +x, however. To display your current mask (per user), simply type in umask – it will likely be 0002 or 0022 – meaning that groups and other users have their write permission disabled by default. You can set it by typing the new mask you want in, e.g. umask 0062, which will now restrict group members from being able to do anything (there are times this might be useful!).
As for why you can’t have execute set on files by default? Security I guess; to stop people accidentally creating executable files that should just be text. Here’s a good look at what actually happens when a file is created; its apparent that this limit is hard coded (so even Linux caters for users who might accidentally mess things up!).