File Permissions from UNIX

Inheritance

Unlike the situation with Windows, when you create a file or directory on a Unix or Linux system, it does not inherit any permissions from the parent directory. Rather, it's your umask setting, your account name, and your current default group that set the properties of the created file or directory.

The only exception to this is if a directory has the setgid bit turned on via an appropriate chmod command (see below for more on this command). An example would be:

mkdir ~/web/groupware
chgrp nraoweb ~/web/groupware
chmod g+ws ~/web/groupware

This sequence of commands does the following:

1. Creates a new directory;
2. Sets the group on the directory to be nraoweb; and
3. Turns on group-write and setgid (set-group-id) mode on the directory.

If a directory has the setgid bit set on it (a ls -l listing will show drwxrwsr-x for such a directory; note the s), then all files created therein will have the same group id as the parent directory.

From the Command Line

The traditional permission scheme for Unix has been around for decades, predating even the existence of Windows and possibly DOS too. Each account (username, login) may have ownership of a file, and be a member of one or more groups. There's also "other" which translates to everyone. An account can have read, write, and/or execute access to a given file, as can a group or the world ("other"). Many of us are well used to the output of ls -l which may look something like this:

bash$ ls -l
total 8156
-rw-r--r-- 1 pmurphy aipspgmr 55482 Jan  9 1997 2.htm
-rw-r--r-- 1 pmurphy aipspgmr    40 Dec 14 1995 ab_tester_url
drwxrwxr-x 2 pmurphy aipspgmr  4096 Oct  1 2002 admin
-rw-r--r-- 1 pmurphy aipspgmr  4790 Sep 16 1996 AIPSHELP
drwxrwxr-x 3 pmurphy aipspgmr  4096 Oct  1 2002 alma
-r--r--r-- 1 pmurphy aipspgmr 27484 Feb 14 2002 annie-httpd.conf
-r--r--r-- 1 pmurphy aipspgmr 28338 Feb 14 2002 annie-httpd.conf,v
bash$

The leftmost column shows the permissions on each file; thereafter follows the number of (hard) links, the owner of the file (shown above in red), the group ownership thereof (in purple); the size in bytes, the date the file was most recently modified, and finally the name of the file or directory.

The permissions string is in the form of 10 characters, further broken down into four fields:

1. File Type: - for normal file, d for directory, l for symbolic link, and a few (mostly esoteric) keys;
2. The owner triad: (shown in green above) a set of three characters showing what access the owner has to the file: read (r), write (w), and/or execute (x). If the read or write or execute access is not allowed, a hyphen (-) is shown instead. So, rw- means read and write but no execute access. Binary programs and shell scripts usually have the execute access turned on. Execute access on a directory means permission to browse that directory (e.g., via cd and ls).
3. The group triad: (showin in orange above) as for owner, but these permissions apply to the group name attached to the file.
4. The other triad (also known as "world" and shown in blue above): as for owner and group, but these permissions apply to everyone. In almost all cases you only want to grant read and maybe execute world access to any file or directory you own, and in cases of sensitive information, you should perhaps disallow any world access to some files and directories.

There are actually more permission "bits" or modes that can be set on a file or directory (the "t" or sticky bit, the setuid or setgid bit, for example), but these are beyond the scope of this simple explanation. See the manual page on the chmod command (type man chmod) for the full details.

There are some useful commands you can use to manipulate permissions on a file or directory. These include:

chgrp: Change the group ownership of a file or directory. You can type "groups" to see what groups you are in, and "groups pmurphy" to see what groups someone else (the author!) is in. This can be handy if you want to give group write access to a shared area for common development.

chmod: Changes the permissions of a file or directory. It has two forms:

• chmod ug+rw file would, for example, add read and write permission to the owner (user, "u") and group of the file. Another example would be
  chmod o-rwx file to remove read, write and execute access on that file to "other" (the world). You can use "a" (all) as a shorthand for "ugo". The minus removes permissions, the plus adds them.

• chmod 0775 filename will apply an octal numeric bitmask to the filename indicated. Programmers tend to like this notation. The leading zero is for the extra ("t" and setuid/setgid) bit; the first 7 indicates read (4), write (2), and execute (1) access (4 + 2 + 1 = 7) for the user (owner); the second is the same thing for the group, and the last digit (5) applies read (4) and execute (1) permissions for "other"/world.

chown: Change ownership of a file; usually only "root" (the system account) can do this.

All three commands chown, chgrp, and chmod will accept a -R option if run on a directory; that forces the command to "recurse" down into the directory (and any subdirectories all the way down), modifying everything within it (and them). This can be very useful for large-scale changes.

From GNOME or KDE

Of course, there are many who prefer the graphical user interfaces that Linux offers to the command line, so this section is for them. The picture below shows the Nautilus file manager that is a part of Gnome (the KDE equivalent is very much similar). In this screen shot, the user has right-clicked on a file, revealing a menu of options for that file. Just like the windows counterpart, there's a "Properties" option at the bottom of the menu.

Once you select "Properties", you will see a dialog box similar to that shown on the left. This also has tabs at the top that allow specific details to be shown or actions to be performed on the file.

Finally, once the "Permissions" tab is selected, most of the actions that one normally uses chgrp and chmod for are accessible through a friendly graphical interface. Note that this interface has no equivalent to the -R recursion option available in command line mode.

Access Control Lists (ACLs)

The remote observer documentation for the NMASC and NAASC have good explanations for ACLs.