Unix was created to be a multi-user operating system. The intention was not for everybody to have full access to all files, but to allow file owners to specify which users should have what kind of access.
A Unix file system allows users to assign to files (including directories: "In Unix, Everything Is a File.") they own any combination of three permission types (r, w, x) to three classes of users (u, g, o). When a user requests access to a file, Unix first determines the requester's user class relative to the target file, then checks if the permission type requested has been assigned to that user class.
The effect of the three permission types varies depending on whether they apply to a file or a directory.
|Type||On file||On directory|
|r||Read file contents.||List name, size, modification date, etc. of files in directory.1|
|w||Change (write) file contents.||Add or remove files from directory.2|
|x||Shell will attempt to execute file if file name entered by itself on command line.||Access (read or write) the directory3 or any files in the directory or its subtree, or make the directory the user's working directory.|
Unlike some other file systems, such as NTFS, neither r nor w directory permission have any influence on r or w permission for subdirectories or files anywhere in the directory's subtree. r or w permission is determined by what has been assigned to your user class for the directory in question without considering r and w permission for directories higher in the file system tree.
However, directory x permission does affect permissions for subdirectories and files farther down the directory subtree. To access a file, a user must have x permission on every directory in the file's path. In other words, lack of x permission for a directory effectively prevents access to any files in the directory's subtree.
For a given file, the Unix file system divides users into three classes:
|u||User. The current owner of the file.|
|g||Group. Members of the user group to which the file has been assigned.|
|o||Others. Users not in either of the above classes. This is the user class that SDF's web server uses when a web browser requests a file from your web site.1|
File permission information can be obtained with the long listing option of the ls command: ls -l
|drwxr-xr-x||2||papa||arpa||512||Sep 29 01:02||arpastuff|
|-rwxr-x---||1||papa||arpa||11402||Sep 29 01:02||hello|
|-rw-r-----||1||papa||arpa||13||Sep 29 01:02||hello.txt|
Field a is the file mode, a string of ten one-character flags that indicate the file's permissions and other information. The following is a list of mode flags in character order with a partial list of possible flag values for each:
Field b is the user ID of the file owner. Field c is user group the file has been assigned to.
So for the three files in the ls listing above:
In general, the above discussion also applies to hard and symbolic file links. The files system automatically maintains links to keep the same effective permissions as the target file. (For symbolic links, the ls command displays a file mode with all permission types assigned for all user classes, but when file access is requested with the link, the permissions of the target file are applied.)
However, it is possible for hard links to avoid directory x permission restrictions in some configurations. Suppose a user has access to a file ./d1/f1 to which there is a hard link outside directory d1's subtree, ./h1. If the use loses x permission for d1, he will not be able to access ./d1/f1, but he will still be able to access the same file with his original permissions by using the hard link ./h1.
Permissions are changed with the command chmod:
chmod permission-mode file-name
Let's take a look at this example,
chmod 644 index.html
What does that number, 644, stand for?
The permission-mode is a numeric representation of the nine file mode permission flags. As mentioned earlier, there are three permission types of and three user classes. Each digit represents the permission types assigned to a user class.
The permission code for each use class is calculated by summing the values corresponding to the permission types assigned to the user class: 4 for r permission , 2 for w permission, 1 for x permission.
In the above example, I want file index.html to be readable by all users but writable by only me. Therefore permission codes would be as follows:
|User class||Permission types||Permission code|
|u (myself)||r (4), w (2)||4 + 2 = 6|
|g (group)||r (4)||4|
|o (others)||r (4)||4|
chmod 644 index.html
chmod supports an alternate syntax for specifying permission modes that is more convenient for changing one or a few permissions at a time and is slightly easier to remember than the numeric mode coding above.
Therefore the command:
chmod u=rw,go=r index.html
would have the same effect as the example command:
chmod 644 index.html
If I later wanted to give w permission to members of the file's user group, I could use the command:
chmod g+w index.html
In addition to the file permissions we've already discussed, we also have file flags. File flags add additional security and control over files, but not directories. File flags are altered using the chflags(1) utility.
% chflags uunlnk foo
would be used to set the user undelete flag, and to disable that flag, simply add "no" in front of the option (in this example, uunlnk), like so:
chflags nouunlnk foo