File Permissions

This is easiest to understand if you log into a Linux system and type some commands. Or open Terminal on your Macintosh.

The "ls" command with the options -l and -a (same as -la) is the best way to review existing files and directories.

$ ls -al
total 362240
drwxr-xr-x  50 pauljohn crmda_users     12288 Sep  3 17:15 .
drwxr-xr-x 107 pauljohn crmda_users     12288 Sep  4 09:13 ..
-rw-r--r--   1 pauljohn hippa_team      2001 Nov 20  2013 00-README.txt
drwxr-xr-x   8 pauljohn hippa_team      4096 Jul 27  2014 02.01-calculus

To summarize, these pieces are

permissions    #of_elements  owner group         size              date_modified      filename

The permission part at the beginning indicates if the thing is a directory (d) or a file (-). Next there are 3 triplets, each using these symbols, in this order:

r  read permission turned on, or "-" if it is turned off

w  write permission turned on, or "-" if it is turned off

x  execute permission turned on, or "-" if it is turned off

There are 3 triplets because the permissions of the file owner, the group that owns the file, and other users can be specified differently.  A permission string like this means we have a directory that is available only to the owner:

drwx------

In comparison, here is a file where the owner can write and read, but the group and others can only read.

-rw-r--r--

These permissions are triplets, 3 for the owner, 3 for the group, 3 for other users in the system.

In the user home folder, there will be quite a few "hidden" files. These are used for configuration. Any file or directory name that begins with a period (literally, ".") can be considered hidden. These files don't show in the ordinary file listing from "ls", but if we run "ls -la", we see entries like this:

-rw-r--r--   1 pauljohn pauljohn       5206 Jan 24  2015 .bashrc

The owner is pauljohn, and the group is pauljohn.  There's nobody else in the pauljohn group except for pauljohn.

Note that in these examples, the files often DO NOT HAVE the executable flag turned on.  This is a security precaution.  It is one of the reasons that Linux is inherently more secure than MS Windows, where files are executable by default. 

Now consider the files under the CRMDA shared space, which will be found under /crmda. Change to the shared folder:

$ cd /crmda

Let's check permissions. As of September 2015:

$ ls -la
total 976
drwxrwsr-x 11 root     crmda_admin  4096 Aug 31 15:37 .
dr-xr-xr-x 20 root     root         4096 Jul 23 16:39 ..
drwxr-sr-x  4 pauljohn crmda_admin  4096 Dec 16  2014 archive
drwxrwsr-x 14 pauljohn crmda_admin  4096 Jun  6  2014 courses
drwxrwsr-x 10 pauljohn crmda_admin  4096 Aug 27 14:57 procedures
drwxrwsr-x  6 pauljohn crmda_users  4096 Jul 17 16:53 programs
drwxrwsr-x 38 pauljohn crmda_users  8192 Sep  1 13:37 projects
drwxrwsr-x  3 pauljohn crmda_users  4096 Sep 17  2012 rtools
lrwxrwxrwx  1 root     root            9 Jul  7 07:38 SNAPSHOT -> .snapshot
drwxrwsr-x  5 pauljohn crmda_admin  4096 Jul 15 09:43 tools
drwxrwxr-x 89 pauljohn crmda_admin 65536 Aug  3 11:00 users
drwxrwsr-x 33 pauljohn crmda_admin  8192 May 13 09:56 workgroups

"root" is the administrator; it owns both the current directory "." and the one above, "..".  The members of the crmda_admin group have write privileges in ".", which means they can create directories or files. The "s" in the group triplet of most of these directories (drwxrwsr-x) is the setgid bit: it counts as "x" for the group and additionally makes files created inside inherit the directory's group, so a team member's new files stay in the team group instead of that member's own group.

$ cd users

I've abbreviated the output to show just a few users.

$ ls -la | more
total 6016
drwxrwxr-x 89 pauljohn       crmda_admin    65536 Aug  3 11:00 .
drwxrwsr-x 11 root           crmda_admin     4096 Aug 31 15:37 ..
drwxr-x---  2 a238t878       a238t878        4096 Jan 14  2015 a238t878
drwxr-x--x  2 a402c286       a402c286        4096 Nov 27  2012 a402c286
drwxr-x--x  2 a692q929       a692q929        4096 Oct  4  2013 a692q929
drwxr-x--x  2 adkunkel       adkunkel        4096 Dec 16  2010 adkunkel
drwxr-x---  2 b007r871       b007r871        4096 Jan 14  2015 b007r871
drwxr-x---  8 b087k169       b087k169        4096 Jun 24 11:41 b087k169
drwxr-x--x  2 b739r350       b739r350        4096 Oct 15  2012 b739r350
drwxr-x--x 16 bcmc1290       bcmc1290        8192 Jul 17 09:52 bcmc1290

The current default is to assign the owner and group as the same user, and no permissions are available for the others. Note, for example, that user a238t878 is both owner and group on his/her directory, and the permissions for other users are set to --- (no read, write, execute).  Effectively, that means that the directory "a238t878" is a238t878's private stuff, and nobody else can see it, run it, etc. In this example, we do see some users that give execute permission to other users (drwxr-x--x); on a directory, execute without read lets other users pass through it to reach a file whose name they already know, but not list what is inside.

Changing Permissions

The program "chown" can be used to re-assign file ownership from one user to another.  However, for security reasons, only the root administrator is allowed to run that program on the system.  (If you find outdated documentation on our website encouraging users to run "chown", let us know).

Users have 2 ways to alter permissions.

1. chgrp

If a person owns a file,

-rw-r--r--   1 pauljohn pauljohn      2001 Nov 20  2013 00-README.txt

and if pauljohn is in a group named "hippa_team", then the user can re-assign group ownership.

$ chgrp hippa_team 00-README.txt

A whole directory "teamproject" can have its group ownership reassigned recursively by adding the flag -R:

$ chgrp -R hippa_team  teamproject

2. chmod

There are two ways to do this. The easier method uses a pair of mnemonic shortcuts:

  1. Designate the user ("u"), the group ("g") and the other users ("o")
  2. Designate the desired permissions ("r"), ("w"), ("x")

and then run commands using those letters in a recipe. A few examples will do better than a thousand words on this one:

Run This                    Result
chmod -R g+w teamproject    Make all files in "teamproject" writable by the group. Runs recursively, throughout all directories under "teamproject"
chmod u+x afile.sh          Make afile.sh executable for the user
chmod g-x afile.sh          Turn off execute permission on afile.sh for the group
chmod o+r afile.sh          Add read permission to others for afile.sh
chmod g+rwx afile.sh        For the group, add r, w, and x permissions

About the Octal 755 Style

If you search the Internet for instructions, you may find a computer jockey who recommends the octal notation instead. This is a more powerful notation because it does not require us to write 3 separate letters for "r", "w", and "x"; we instead use a number.

Permission   Abbreviation   Numeric value if permission is allowed   Numeric value if permission is NOT allowed
Execute      x              1                                        0
Write        w              2                                        0
Read         r              4                                        0

If one adds up the legal combinations of r, w, and x, we find that they sum to unique totals. For example, the total of 7 can be obtained ONLY IF all three permissions are turned on. A total of 5 can be obtained ONLY IF the permissions are r-x, meaning something is not writable, but it is readable and executable. Permissions can ONLY BE 1 if a thing has permissions --x.

Using that numeric shortcut, we can specify the permission of the owner, the group, and others by a 3 number triplet like "755", to mean the owner has rwx, but the group and others have only read and execute permissions. If one is needing to make a lot of changes in permissions, this "octal notation" is definitely more concise.
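To see that the mapping between the triplets described at the top of this page and the octal digits really is unique in both directions, here is a small shell script, added to this page as an example (it is not part of the original CRMDA documentation). It converts the 9-character string that "ls -l" prints (or the 10-character form with the leading d or -) into the three octal digits that chmod accepts, and back again. The function names perm_to_octal and octal_to_perm are mine, and the strings fed to them at the bottom are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original CRMDA page: convert between the
# symbolic permission string shown by "ls -l" and the octal notation that
# chmod accepts. Pure POSIX sh; no files are touched.

# perm_to_octal rwxr-x---   -> 750
# perm_to_octal drwxrwsr-x  -> 775   (the leading type character is ignored)
perm_to_octal() {
    s=$1
    case ${#s} in
        10) s=${s#?} ;;          # drop the d / - / l type character
        9)  ;;
        *)  echo "perm_to_octal: expected 9 or 10 characters, got '$1'" >&2
            return 1 ;;
    esac
    case $s in
        *[!rwxsStT-]*) echo "perm_to_octal: bad character in '$1'" >&2
                       return 1 ;;
    esac
    out=""
    for who in owner group other; do
        trip=${s%"${s#???}"}     # first three characters: one triplet
        s=${s#???}               # what is left for the next triplet
        digit=0
        case $trip in r??) digit=$((digit + 4)) ;; esac
        case $trip in ?w?) digit=$((digit + 2)) ;; esac
        # a lower-case s or t in the x slot means x is set plus a special
        # bit (setuid/setgid/sticky); the special bit itself is not encoded
        # in the three digits returned here
        case $trip in ??x|??s|??t) digit=$((digit + 1)) ;; esac
        out="$out$digit"
    done
    echo "$out"
}

# octal_to_perm 755 -> rwxr-xr-x
octal_to_perm() {
    n=$1
    case $n in
        [0-7][0-7][0-7]) ;;
        *) echo "octal_to_perm: expected three octal digits, got '$1'" >&2
           return 1 ;;
    esac
    out=""
    for who in owner group other; do
        d=${n%"${n#?}"}          # first remaining digit
        n=${n#?}
        trip=""
        if [ $((d & 4)) -ne 0 ]; then trip="${trip}r"; else trip="${trip}-"; fi
        if [ $((d & 2)) -ne 0 ]; then trip="${trip}w"; else trip="${trip}-"; fi
        if [ $((d & 1)) -ne 0 ]; then trip="${trip}x"; else trip="${trip}-"; fi
        out="$out$trip"
    done
    echo "$out"
}

# Constructed sample inputs for a stand-alone run
perm_to_octal drwxr-x---     # prints 750
perm_to_octal -rw-r--r--     # prints 644
octal_to_perm 770            # prints rwxrwx---
```

Because each digit is the sum of 4, 2 and 1 with each term either present or absent, octal_to_perm reads the bits straight back out with a bitwise AND; that is exactly why the totals in the table above are unique.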

But if we are doing just a few files or directories, perhaps the u g o +/- r w x style is easier to remember.  If we begin with these permissions on a directory (owner only)

drwx------

these achieve the same result:

$ chmod -R g+rwx adirectory
$ chmod -R 770 adirectory

Permissions of "770" means "rwxrwx---".  So the two commands are equivalent; both add read, write and execute permissions for group members.

The key thing about the octal notation is that it specifies permissions for all 3 types of users, for all 3 types of access, in one concise three character block.

There are some times where the u g o +/- r w x notation is more expeditious.  If we want to remove all permissions from users in the other category (not the owner, not in the group), this is the right way to go about it.

$ chmod -R o-rwx username

where username is your named folder. "o" stands for others.

You can also deny group members, with

$ chmod -R g-rwx  username
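Here is a shell script, added to this page as an example (it is not part of the original CRMDA documentation), that runs the chgrp and chmod recipes above against a throw-away directory tree in a temporary location and reads the resulting permission strings back with "ls -ld". The names teamproject, sub, notes.txt and afile.sh are made up for the demonstration, and the group used is the caller's own primary group (by numeric id), so the chgrp step is permitted for whoever runs it.

```shell
#!/bin/sh
# Added example, not part of the original CRMDA page: apply the chgrp/chmod
# recipes from the text to a temporary directory tree and read the modes
# back. Constructed names: teamproject, sub, notes.txt, afile.sh.

# mode_of PATH -> the 10-character permission field of "ls -ld PATH"
# (substr trims the "." or "+" some systems append for SELinux/ACL info)
mode_of() {
    ls -ld "$1" | awk '{ print substr($1, 1, 10) }'
}

# demo_perms: build the tree, run each recipe, return the modes observed
# after each step as one space-separated line, then clean up.
demo_perms() {
    umask 022                        # predictable start: 755 dirs, 644 files
    top=$(mktemp -d) || return 1
    proj="$top/teamproject"
    mkdir -p "$proj/sub" || return 1
    printf '#!/bin/sh\necho hello\n' > "$proj/afile.sh"
    : > "$proj/sub/notes.txt"

    # 1. chgrp -R: every file and directory in the tree gets the group.
    #    The caller's primary group (numeric, so it works on any account)
    #    stands in for a team group such as hippa_team.
    gid=$(id -g)
    chgrp -R "$gid" "$proj" || return 1
    [ "$(ls -ldn "$proj/sub/notes.txt" | awk '{ print $4 }')" = "$gid" ] || return 1

    # 2. g+w recursively: the group gains write on directories AND files
    chmod -R g+w "$proj"
    out="$(mode_of "$proj/sub") $(mode_of "$proj/sub/notes.txt")"

    # 3. u+x on the script: the owner can now execute it
    chmod u+x "$proj/afile.sh"
    [ -x "$proj/afile.sh" ] || return 1
    out="$out $(mode_of "$proj/afile.sh")"

    # 4. octal 770 on the top directory: rwxrwx--- in one step
    chmod 770 "$proj"
    out="$out $(mode_of "$proj")"

    # 5. o-rwx recursively: take everything away from "others" without
    #    touching the owner and group bits set up in the earlier steps
    chmod -R o-rwx "$proj"
    out="$out $(mode_of "$proj/sub/notes.txt")"

    rm -rf "$top"
    echo "$out"
}

# Stand-alone run: prints
# drwxrwxr-x -rw-rw-r-- -rwxrw-r-- drwxrwx--- -rw-rw----
demo_perms
```

Note that step 2 (g+w with -R) changes files and directories alike, while step 4 (the octal form) replaces all nine bits of that one directory at once; step 5 shows the o-rwx recipe leaving the owner and group triplets untouched.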

Using a GUI

If we are logged in with a graphical interface, it is likely that the file manager program will make this a point-and-click exercise if we just want to change a few files. If we have to change more than one or two, the command line use of chmod is preferred.

Some file transfer software programs like Filezilla or WinSCP are able to adjust permissions on a remote system. As of November 2010, Filezilla is not able to change the owner or the group values, but it can adjust the "r", "w", "x" part. WinSCP, however, is a bit more sophisticated because, if the connection is started with the SCP protocol, then ownership can be changed.
