This is easiest to understand if you log into a Linux system and type some commands. Or open Terminal on your Macintosh.
The "ls" command with the options -l and -a (same as -la) is the best way to review existing files and directories.
$ ls -al
total 362240
drwxr-xr-x  50 pauljohn crmda_users 12288 Sep  3 17:15 .
drwxr-xr-x 107 pauljohn crmda_users 12288 Sep  4 09:13 ..
-rw-r--r--   1 pauljohn hippa_team   2001 Nov 20  2013 00-README.txt
drwxr-xr-x   8 pauljohn hippa_team   4096 Jul 27  2014 02.01-calculus
To summarize, these pieces are
permissions #of_elements owner group size date_modified filename
The permission part at the beginning indicates if the thing is a directory (d) or a file (-). Next there are 3 triplets, each using the symbols, in this order:
- r: read permission turned on, or "-" if it is turned off
- w: write permission turned on, or "-" if it is turned off
- x: execute permission turned on, or "-" if it is turned off
There are 3 triplets because the permissions of the file owner, the group that owns the file, and other users can be specified differently. A permission string like this means we have a directory that is available only to the owner:
drwx------
In comparison, here is a file where the owner can write and read, but the group and others can only read:
-rw-r--r--
These permissions are triplets, 3 for the owner, 3 for the group, 3 for other users in the system.
In the user home folder, there will be quite a few "hidden" files. These are used for configuration. Any file or directory name that begins with a period (literally, ".") can be considered hidden. These files don't show in the ordinary file listing from "ls", but if we run "ls -la", we see entries like this:
-rw-r--r-- 1 pauljohn pauljohn 5206 Jan 24 2015 .bashrc
The owner is pauljohn, and the group is pauljohn. There's nobody else in the pauljohn group except for pauljohn.
Note that in these examples, the files often DO NOT HAVE the executable flag turned on. This is a security precaution. It is one of the reasons that Linux is inherently more secure than MS Windows, where files are executable by default.
Now consider the files under the CRMDA shared space, which will be found under /crmda. Change to the share folder
$ cd /crmda
Let's check permissions. As of September, 2015:
$ ls -la
total 976
drwxrwsr-x 11 root     crmda_admin  4096 Aug 31 15:37 .
dr-xr-xr-x 20 root     root         4096 Jul 23 16:39 ..
drwxr-sr-x  4 pauljohn crmda_admin  4096 Dec 16  2014 archive
drwxrwsr-x 14 pauljohn crmda_admin  4096 Jun  6  2014 courses
drwxrwsr-x 10 pauljohn crmda_admin  4096 Aug 27 14:57 procedures
drwxrwsr-x  6 pauljohn crmda_users  4096 Jul 17 16:53 programs
drwxrwsr-x 38 pauljohn crmda_users  8192 Sep  1 13:37 projects
drwxrwsr-x  3 pauljohn crmda_users  4096 Sep 17  2012 rtools
lrwxrwxrwx  1 root     root            9 Jul  7 07:38 SNAPSHOT -> .snapshot
drwxrwsr-x  5 pauljohn crmda_admin  4096 Jul 15 09:43 tools
drwxrwxr-x 89 pauljohn crmda_admin 65536 Aug  3 11:00 users
drwxrwsr-x 33 pauljohn crmda_admin  8192 May 13 09:56 workgroups
"root" is the administrator; it owns both the current directory "." and the one above, "..". The members of the crmda_admin group have write privileges in ".", which means they can create directories or files. The "s" that appears where the group's "x" would be in most of these directories (for example, drwxrwsr-x) is the setgid bit: execute is on for the group, and in addition any file or subdirectory created inside inherits the directory's group (crmda_admin or crmda_users) instead of the creating user's own group, which is what keeps shared files accessible to the team.
$ cd users
I've abbreviated the output to show just a few users.
$ ls -la | more
total 6016
drwxrwxr-x 89 pauljohn crmda_admin 65536 Aug  3 11:00 .
drwxrwsr-x 11 root     crmda_admin  4096 Aug 31 15:37 ..
drwxr-x---  2 a238t878 a238t878     4096 Jan 14  2015 a238t878
drwxr-x--x  2 a402c286 a402c286     4096 Nov 27  2012 a402c286
drwxr-x--x  2 a692q929 a692q929     4096 Oct  4  2013 a692q929
drwxr-x--x  2 adkunkel adkunkel     4096 Dec 16  2010 adkunkel
drwxr-x---  2 b007r871 b007r871     4096 Jan 14  2015 b007r871
drwxr-x---  8 b087k169 b087k169     4096 Jun 24 11:41 b087k169
drwxr-x--x  2 b739r350 b739r350     4096 Oct 15  2012 b739r350
drwxr-x--x 16 bcmc1290 bcmc1290     8192 Jul 17 09:52 bcmc1290
The current default is to assign the owner and group as the same user, and to give no permissions to others. Note, for example, that user a238t878 is both owner and group on his/her directory, and the permissions for other users are set to --- (no read, write, execute). Effectively, that means that the directory "a238t878" is a238t878's private stuff, and nobody else can see it, run it, etc. In this listing we do also see some users (the drwxr-x--x entries) that give execute permission to other users.
The program "chown" can be used to re-assign file ownership from one user to another. However, for security reasons, that program is only allowed for the root administrator on the system. (If you find outdated documentation in our website encouraging users to run "chown", let us know).
Users have 2 ways to alter permissions.
If a person owns a file,
-rw-r--r-- 1 pauljohn pauljohn 2001 Nov 20 2013 00-README.txt
and if pauljohn is in a group named "hippa_team", then the user can re-assign group ownership.
$ chgrp hippa_team 00-README.txt
A whole directory "teamproject" can have its group ownership reassigned recursively by adding the flag -R:
$ chgrp -R hippa_team teamproject
The second way is "chmod", which changes the permission bits themselves. There are two notations for this; the easier method uses a pair of mnemonic shortcuts:
- Designate the user ("u"), the group ("g") and the other users ("o")
- Designate the desired permissions ("r"), ("w"), ("x")
and then run commands using those letters in a recipe. A few examples will do better than a thousand words on this one:
| Command | Effect |
|---|---|
| chmod -R g+w teamproject | Make all files in "teamproject" writable by the group. Runs recursively, throughout all directories under "teamproject" |
| chmod u+x afile.sh | Make afile.sh executable for the user |
| chmod g-x afile.sh | Turn off execute permission on afile.sh for the group |
| chmod o+r afile.sh | Add read permission to others for afile.sh |
| chmod g+rwx afile.sh | For the group, add r, w, and x permissions |
About the Octal 755 Style
If you search the Internet for instructions, you may find a computer jockey who recommends the octal notation instead. This is a more compact notation because it does not require us to write 3 separate letters for "r", "w", and "x"; we instead use a single number per triplet.
| Permission To | Abbreviation | Numeric value if permission is allowed | Numeric value if permission is NOT allowed |
|---|---|---|---|
| read | r | 4 | 0 |
| write | w | 2 | 0 |
| execute | x | 1 | 0 |
If one adds up the legal combinations of r, w, and x, we find that they sum up to unique totals. For example, the total of 7 can be obtained ONLY IF all three permissions are turned on. A total of 5 can be obtained ONLY IF the permissions are r-x, meaning something is not writable, but it is readable and executable. Permissions can ONLY BE 1 if a thing has permissions --x.
Using that numeric shortcut, we can specify the permissions of the owner, the group, and others by a 3 number triplet like "755", to mean the owner has rwx, but the group and others have only read and execute permissions. If one needs to make a lot of changes in permissions, this "octal notation" is definitely more concise.
But if we are doing just a few files or directories, perhaps the u g o +/- r w x style is easier to remember. If we begin with the permissions rwxr-x--- (octal 750),
These achieve the same result
$ chmod -R g+w adirectory
$ chmod -R 770 adirectory
Permissions of "770" mean "rwxrwx---". So the following are equivalent; they both add permissions for group members. (The equivalence holds when the owner already has rwx and others have no access: the octal form sets all nine bits at once, while the symbolic form touches only the group's three.)
$ chmod -R 770 adirectory
$ chmod -R g+xrw adirectory
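To make the table's arithmetic concrete, and to check the claim that "g+w" and "770" land on the same result, here is an added shell example that is not part of the original page. It converts an ls-style permission string to octal, and applies each chmod recipe to a fresh scratch directory and reports the mode that results; it assumes GNU coreutils (stat -c) on a Linux filesystem.

```shell
#!/bin/sh
# Added example, not from the original page. Two helpers:
#   perm_to_octal  converts an ls-style permission string to octal
#   mode_after     applies a chmod recipe to a scratch directory and
#                  reports the resulting mode
# Assumes GNU coreutils (stat -c) on a Linux filesystem with POSIX modes.

# perm_to_octal rwxr-x---   -> 750
# perm_to_octal drwxr-sr-x  -> 755   (leading type character is dropped;
#                                     lowercase s or t counts as x set)
perm_to_octal() {
    p=$1
    case $p in ??????????) p=${p#?} ;; esac   # strip "d", "-", "l", ...
    out=""
    for t in 1 4 7; do                        # owner, group, others
        trip=$(printf '%s' "$p" | cut -c "$t-$((t + 2))")
        n=0
        case $trip in r??) n=$((n + 4)) ;; esac
        case $trip in ?w?) n=$((n + 2)) ;; esac
        case $trip in ??[xst]) n=$((n + 1)) ;; esac
        out="$out$n"
    done
    printf '%s' "$out"
}

# mode_after 750 g+w  -> 770 : start a fresh directory at the first mode,
# run "chmod -R recipe" on it, print the octal mode that results.
mode_after() {
    start=$1
    recipe=$2
    d=$(mktemp -d)
    chmod "$start" "$d"
    chmod -R "$recipe" "$d"
    m=$(stat -c '%a' "$d")
    rmdir "$d"
    printf '%s' "$m"
}

# Demonstration of the page's claims (runs when executed directly):
# g+w and 770 agree from 750, but differ from 755, because the octal form
# rewrites all nine bits while the symbolic form only touches the group.
for start in 750 755; do
    printf '%s g+w -> %s, 770 -> %s\n' "$start" \
        "$(mode_after "$start" g+w)" "$(mode_after "$start" 770)"
done
```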
The key thing about the octal notation is that it specifies permissions for all 3 types of users, for all 3 types of access, in one concise three character block.
There are some times where the u g o +/- r w x notation is more expeditious. If we want to remove all permissions from users in the other category (not the owner, not in the group), this is the right way to go about it.
$ chmod -R o-rwx username
where username is the name of your folder under /crmda/users. "o" stands for others.
You can also deny group members, with
$ chmod -R g-rwx username
Using a GUI
If we are logged in with a graphical interface, it is likely that the file manager program will make this a point-and-click exercise if we just want to change a few files. If we have to change more than one or two, the command line use of chmod is preferred.
Some file transfer software programs like Filezilla or WinSCP are able to adjust permissions on a remote system. As of November, 2010, Filezilla is not able to change the owner or the group values, but it can adjust the "r", "w", "x" part. WinSCP, however, is a bit more sophisticated because, if the connection is started with the SCP protocol, then ownership can be changed.