There are three permissions on Unix:
r means you can read the file's contents. w means you can update the file's contents. x means you can attempt to execute the file as a program.
For each piece of data on the system, there are three sets of these permissions.
Users on a Unix system are divided into groups at the discretion of the system administrator. Traditionally, you were placed in a "work" group and this was used to share data with other members of the "work" group easily. Today, groups may be assigned by work group, by class in school, by job classification, etc, or even randomly.
Each user is in one or more groups. One of these groups is the "default" (or primary) group.
Each piece of data on the system has exactly one group. When you create a piece of data, it is owned by you and placed in your default group. (One caveat: on many systems a directory with the setgid bit set instead passes its own group to every file created in it, which is how shared project directories are usually arranged.)
For example, at CCSF, you are in a group for each one of your classes. The group names are formed from the CRN (course reference number) of the class, so the groups change each semester. On Linux, you are normally given a new group as your default group, named the same as your login, and possibly one more group that is common to most users.
If you are the owner of the data, the u permission set applies.
If you are not the owner of the data, but are a member of the group the data is in, the g (group) permission set applies.
If you are neither the owner nor in the data's group, the o (other) permission set applies.
Exactly one of these three sets of permissions applies to each user on the system. You can see the three sets of permissions using a ls -l command. The permissions of a file are also called the file's mode. This is also why the command to change permissions is chmod or change mode.
Malak Samdi (msamdi0) is a student at CCSF. He is a member of three groups, among them c76036 (the group for cs110a) and c76131; he is not in the groups users or cisdept.
Malak comes across these three files on Unix:
-rw-r----- 1 gboyd c76036 48 Oct 3 16:03 homework1
-r--r-xrwx 1 msamdi0 users 2 Oct 3 16:03 password
-rwxr-xr-- 1 marie c76131 0 Oct 3 16:07 submit_quiz
What permissions does he have for each?
Since he is not the owner but is in the file's group, he has the permissions r-- for homework1.
Since he is the owner, he has the permissions r-- for the file password. Notice that non-owners get more permissions for this file. Although unusual, this is legal: exactly one set applies, and the owner's set is chosen first even when it is the most restrictive of the three.
Since he is not the owner but is in the file's group, Malak has the permissions r-x for submit_quiz.
Suppose the group for the file password is changed to b20027. Would it alter his rights? No. He is still the owner, so the u set still applies.
Suppose the owner of password is changed. Would it alter his access rights? Yes. Since he is not in the group users, he now has the permissions of other, or rwx.
Suppose Malak dropped cs110a and was removed from the group c76036. Would his permissions to homework1 change? Yes. He now has the permissions of other, or no permissions (---).
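The same rule as an added shell example (not code from the original page): the function below selects exactly one triple from an ls -l mode string, trying owner, then group, then other, and then runs it over the three files above. Malak's group list (msamdi0, c76036, c76131) is an assumption for the demonstration, since the page does not list all three of his groups.

```shell
#!/bin/sh
# Added example: pick the one permission triple that applies to a user,
# the way the kernel does: owner first, then group, then other.
#
#   effective_perms MODE OWNER GROUP USER [USERGROUP ...]
#
# MODE is the 10-character field from ls -l, e.g. -rw-r-----.
# Prints the applicable rwx triple. Root (uid 0) is not modelled here; it
# bypasses these checks for everything except execute.
effective_perms() {
    mode=$1 owner=$2 fgroup=$3 user=$4
    shift 4
    if [ "$user" = "$owner" ]; then
        printf '%.3s\n' "${mode#?}"          # characters 2-4: the u set
        return 0
    fi
    for g in "$@"; do                         # remaining args: user's groups
        if [ "$g" = "$fgroup" ]; then
            printf '%.3s\n' "${mode#????}"   # characters 5-7: the g set
            return 0
        fi
    done
    printf '%.3s\n' "${mode#???????}"        # characters 8-10: the o set
}

# Malak's membership as assumed for this demo: a default group named after
# his login plus the two class groups named in the text.
for f in "-rw-r----- gboyd c76036 homework1" \
         "-r--r-xrwx msamdi0 users password" \
         "-rwxr-xr-- marie c76131 submit_quiz"; do
    set -- $f
    printf '%-12s %s\n' "$4" "$(effective_perms "$1" "$2" "$3" msamdi0 msamdi0 c76036 c76131)"
done
```

The owner test comes before the group test on purpose: that ordering is what makes the password file give its owner less than it gives everyone else.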
For directories, the interpretation of r, w, and x changes. This is often misunderstood when we explain Unix permissions. While file permissions govern the content of a file, directory permissions govern the existence, name and location of (path to) the file.
Think of a directory as a table that contains file names. Then the r and w permissions for a directory mean:
r: you can read the table, that is, list the names of the entries in the directory.
w: you can change the table, that is, create, remove or rename entries in the directory.
The x permission is a bit strange. It allows you to use the directory entries: to open the files they name and to pass through the directory on the way to a subdirectory. x permission on a directory is also called search permission, because without it you cannot cd to (or through) the directory, and w on the directory is useless without it. The converse holds too: with x but without r you cannot list the directory, but you can still open a file in it if you already know its name. For all practical purposes, removing the x permission from a directory makes it unusable, and anything in it or in its subdirectories inaccessible.
The w permission is what confuses people so much. w permission on a directory governs whether you can create, remove or rename files in it. The ability to remove a file on Unix has nothing to do with the file's permissions; it depends only on the w (and x) permissions of the directory that holds the name. The one exception is a directory with the sticky bit set, such as /tmp, where only the owner of the file, the owner of the directory, or root may remove or rename an entry.
Let's re-examine the previous example:
$ ls -ld
drwxr-x--- 2 gboyd cisdept 96 Oct 3 16:07 .
$ ls -l
total 4
-rw-r----- 1 gboyd c76036 48 Oct 3 16:03 homework1
-r--r-xrwx 1 msamdi0 users 2 Oct 3 16:03 password
-rwxr-xr-- 1 marie c76131 0 Oct 3 16:07 submit_quiz
$
In this directory, a few things are surprising
although msamdi0 owns a file in the directory, he has no access to it! He is not gboyd and is not a member of cisdept, so the directory's o set (---) applies to him: without x permission on the directory he cannot reach the file, and without r he cannot even list the directory.
members of the group cisdept, other than gboyd, have permission to list the directory and to use the files in it (if they have permissions to the files), but cannot delete them. Thus if marie is in cisdept, she can update the contents of submit_quiz, but she cannot delete it!
although gboyd does not have permission to update the contents of submit_quiz (whichever of its g or o sets applies to him, neither includes w), he can delete it, since he has write permission to the directory. This is so commonly misunderstood that rm asks for verification before removing a file you cannot write (an unusual thing on Unix). Traditional System V rm shows the file's octal mode in the question, while GNU rm asks whether to remove the "write-protected" file; both only ask when standard input is a terminal:
$ rm submit_quiz
submit_quiz: 754 mode ? (y/n)
This cryptic question is telling you that you are about to remove submit_quiz even though its permissions (754 here) indicate it is not writable by you. Unless you answer y, the file will not be removed.
This verification message can be a problem if the rm command is in a shell script. In this case, the hapless user will be presented with the verification question, possibly referring to a file that he or she doesn't even know exists. It can also be a problem when removing a structure recursively, as the verification message will appear for each object that is not writable but can be removed. To avoid these problems, add the -f option (force) to the rm command. Note that -f also suppresses the error for a file that does not exist, so rm -f succeeds silently in that case as well:
$ rm -f submit_quiz
$ ls -l submit_quiz
submit_quiz not found
$
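The directory rules above (x without r, r without x, removing a writable file from a read-only directory, and rm -f on a read-only file in a writable directory) can be checked on any Linux or BSD machine without special privileges. The following shell script is an added example, not from the original page: it builds a scratch directory, flips one permission bit per step, and records whether ls, cat and rm -f succeed. The file and directory names are made up for the demonstration. It must run as an ordinary user; root bypasses all of these checks, so the function reports that instead of a result.

```shell
#!/bin/sh
# Added example: exercise the directory-permission rules in a throwaway
# directory created with mktemp. Each step changes one permission and
# records whether the operation succeeded. Root bypasses every check below
# (CAP_DAC_OVERRIDE), so the function refuses to run as uid 0.
demo_dir_perms() {
    if [ "$(id -u)" = 0 ]; then
        echo root_bypasses
        return 0
    fi
    work=$(mktemp -d) || return 1
    mkdir "$work/d"
    echo secret > "$work/d/known"        # hypothetical file for the demo
    chmod 644 "$work/d/known"
    out=""

    # x only (--x------): the table cannot be read, so ls fails, but a
    # name we already know still resolves and the file's own mode applies.
    chmod 100 "$work/d"
    if ls "$work/d" >/dev/null 2>&1; then out="$out ls_ok"; else out="$out ls_denied"; fi
    if cat "$work/d/known" >/dev/null 2>&1; then out="$out cat_ok"; else out="$out cat_denied"; fi

    # r only (r--------): names are listable, but nothing inside can be
    # opened because the directory cannot be searched.
    chmod 400 "$work/d"
    if cat "$work/d/known" >/dev/null 2>&1; then out="$out cat_ok"; else out="$out cat_denied"; fi

    # r-x on the directory, rw- on the file: the file is writable, yet it
    # cannot be removed, because removal changes the directory, not the file.
    chmod 500 "$work/d"
    chmod 666 "$work/d/known"
    if rm -f "$work/d/known" 2>/dev/null; then out="$out rm_ok"; else out="$out rm_denied"; fi

    # rwx on the directory, r-- on the file: rm -f removes it without asking.
    chmod 700 "$work/d"
    chmod 444 "$work/d/known"
    if rm -f "$work/d/known" 2>/dev/null; then out="$out rm_ok"; else out="$out rm_denied"; fi

    chmod -R u+rwx "$work" && rm -rf "$work"   # restore our own access, then clean up
    echo "${out# }"
}

demo_dir_perms
```

Run as a normal user the script prints a single line: ls_denied cat_ok cat_denied rm_denied rm_ok. Each token corresponds to one claim in the text above, in order.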
The owner of a piece of data can change its group, and on some systems its owner, although the rules depend on the system. On System V-derived systems, the owner can change the owner and group without restriction. On BSD-derived systems, and also on Linux, only root can use chown to change the owner, and a normal user can only change the group of her data to a group she is herself a member of (id -Gn lists those groups).
chown newowner files-and-directories
chgrp newgroup files-and-directories
Remember, by changing the owner of a piece of data you are transferring control of that data to someone else. You may still be able to delete it (if you have write permission to the directory it is in), but you can no longer change its owner or permissions, because you no longer own it. Never change the owner of a directory: you hand over the table of names, and with it the ability to create, remove or rename every file in it.