Who Goes There? Understanding Permissions in UNIX
Unlike some operating systems, UNIX was designed from the beginning to be used by more than one person. Like all multiuser systems, UNIX keeps track of who owns what file and who can do what with each file. Permissions attached to each file and directory determine who can use them.
Permissions come in three types:
- Read permission: Enables you to look at a file or directory. You can use cat or a text editor to see what's in a file that has read permission. You also can copy this type of file. Read permission for a directory enables you to list the directory's contents.
- Write permission: Enables you to make changes to a file. Even if you can write (change) a file, you can't necessarily delete it or rename it; for those actions, you must be able to write in the directory in which the file resides. If you have write permission in a directory, you can create new files in the directory and delete files from it.
- Execute permission: Enables you to run the program contained in the file. The program can be a real program or a shell script. If the file doesn't contain a program, execute permission doesn't do you much good and can provoke the shell to complain bitterly as it tries (from its rather dim point of view) to make sense of your file. For a directory, execute permission enables you to open files in the directory and use cd to get to the directory to make it your working directory.
Rock groups, pop groups, and UNIX groups
Every UNIX user is a member of a group. When the system administrator created your username, she assigned you to a group. To see which group you're in, type id.
You see something like this:
uid=113(margy) gid=102(guest) groups=102(guest),101(book),103(cheese)
Groups usually indicate the kind of work you do. UNIX uses groups to give a bunch of people (the accounting department, for example) the same permissions to use a set of files. All the people who work on a particular project are usually in the same group so that they can look at and perhaps change each other's files.
In Linux and BSD, you can be in several groups at a time, which is handy if you're working on several projects. To find out what groups you're in, type groups.
Every file and directory has an owner and a group owner. The owner is usually the person who made the file or directory, although the owner can sometimes change the ownership of the file to someone else. The group owner is usually the group to which the owner belongs, although the owner can change a file's group owner to another group.
Who can do what?
To see who can do what to a file, use the ls command with the -l option. Type this line:
ls -l myfile
You see something like this:
-rw-r--r-- 1 margy staff 335 Jan 22 13:23 myfile
If you don't specify a filename (in this case, myfile), UNIX lists all the files in the directory, which is often more useful. For every file, this listing shows all the following information:
- Whether it's a file, symbolic link, or directory. The first character in the line is a hyphen (-) if it's a file, an l if it's a symbolic link, and a d if it's a directory.
- Whether the owner can read, write, or execute it (as shown by the next three characters, 2 through 4, on the line). The first character is an r if the owner has read permission or a hyphen (-) if not. The second character is a w if the owner has write permission or a hyphen (-) if not. The third character is an x (or sometimes an s) if the owner has execute permission or a hyphen (-) if not.
- Whether the members of the group owner can read, write, or execute the file or directory (as indicated by the next three characters, 5 through 7). An r, w, or x appears if that permission is granted; a hyphen (-) appears if that permission is not granted.
- Whether everyone else can read, write, or execute the file or directory (as indicated by the next three characters, 8 through 10). An r, w, or x appears if that permission is granted; a hyphen (-) appears if that permission is not granted.
- The link count, that is, how many links (names) this file has. For directories, this number is the number of subdirectories the directory contains plus 2 (don't ask).
- The owner of the file or directory.
- The group to which the file or directory belongs (group owner).
- The size of the file in bytes (characters).
- The date and time the file was last modified.
- The filename — at last!
Permissions by number
It's not too difficult to figure out which permissions a file has by looking at the collection of rs, ws, and xs in the file listing. Sometimes permissions are written another way, however: with numbers. Only UNIX programmers could have thought of this method. (It's an example of lazy typists at their finest.) Numbered permissions are sometimes called absolute permissions (perhaps because they are absolutely impossible to remember).
When permissions are expressed as a number, it's a 3-digit number. The first digit is the owner's permissions, the second digit is the group's permissions, and the third digit is everyone else's permissions. Every digit is a number from 0 to 7. Table 1 lists what the digits mean.
Table 1: Absolute Permissions Decoded
Digit   Permissions
3       Write and execute
5       Read and execute
6       Read and write
7       Read, write, and execute
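An added example, not part of the original text, that turns the rs, ws, and xs from an ls -l listing into the 3-digit form of Table 1 and then uses that to pick out the entries everyone on the system can write to; the function names and the sample listing are invented here, and an s in the x slot is counted as executable.

```shell
#!/bin/sh
# Added example: decode the permission field of an ls -l line into the
# 3-digit absolute (octal) form, then flag entries anyone can write to.

# One rwx triplet -> one digit: r adds 4, w adds 2, x adds 1.
# An s (or t) in the x slot still means executable, so it counts as 1;
# the extra set-ID bit it signals is not part of the three digits.
triplet_to_digit() {
    d=0
    case "$1" in r??) d=$((d + 4)) ;; esac
    case "$1" in ?w?) d=$((d + 2)) ;; esac
    case "$1" in ??[xst]) d=$((d + 1)) ;; esac
    printf '%s' "$d"
}

# Whole 10-character field (e.g. -rw-r--r--) -> three digits (644).
mode_to_octal() {
    rest=${1#?}                     # drop the type character (-, d or l)
    u=$(triplet_to_digit "$(printf '%.3s' "$rest")")
    rest=${rest#???}
    g=$(triplet_to_digit "$(printf '%.3s' "$rest")")
    o=$(triplet_to_digit "${rest#???}")
    printf '%s%s%s' "$u" "$g" "$o"
}

# Read ls -l lines on stdin and print the names whose "everyone else"
# digit includes write (2): any user can change the file or, for a
# directory, create and delete files inside it.
world_writable() {
    while read -r mode links owner group size mon day time name; do
        others=$(mode_to_octal "$mode")
        others=${others#??}
        case "$others" in 2|3|6|7) printf '%s\n' "$name" ;; esac
    done
}

# Constructed sample listing, not output from any real system.
SAMPLE='-rw-r--r-- 1 margy staff  335 Jan 22 13:23 myfile
-rwxrwxrwx 1 margy staff 1024 Jan 22 13:30 scratch.sh
drwxrwxr-x 3 margy book  4096 Jan 22 13:31 project
-rwsr-xr-x 1 root  root  1234 Jan 22 13:40 special'

printf '%s\n' "$SAMPLE" | world_writable
```

Only scratch.sh is reported: project is writable by the book group but not by everyone, and the s on special makes it executable, not writable.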