
File Access Permissions

At first, Unix file access permissions may look confusing or intimidating, but once they are broken down they are not only simple to understand, they are also incredibly useful.

On a shared system like Linux, many users work on the same filesystem. Access permissions control who can read, change or run each file, so that one user's mistake (or curiosity) does not cost another user hours of work, or potentially much more.

As mentioned above, permissions look confusing at first, but by remembering two key things, scope (who) and permissions (what), you will be able to read them with ease.

Scope: file ownership is split into three different scopes: owner, group, and others.


Owner

When a user creates a file, they become the owner of that file. However, ownership can be transferred to another user (with chown), so be aware that the current owner may not be the user who created the file.

This will be represented as yellow in the screenshot below

Group

The group is the project (Unix group) that the creating user belonged to at the time of the file's creation, or, inside a setgid directory, the group of that directory (see below). Storage allocation for the file is also charged to the project that owns it.

This will be represented as red in the screenshot below

Others

Others refers to users who neither own the file nor belong to the project that owns the file.

This will be represented as blue in the screenshot below

NCI recommends that you do not share data with users outside of the project 

Permissions are split into three different bits, each of which can be granted or withheld separately for each scope.

Read

An 'r' in the permission line is short for read. For a file this means its contents can be opened and read; for a directory it means the directory's entries can be listed.

Write

A 'w' in the permission line stands for write. For a file this gives the ability to modify and save it; for a directory it gives the ability to create, rename and delete entries inside it.

Execute

An 'x' in the permission line stands for execute. For a file this gives the ability to run it as a program; for a directory it gives the ability to enter it and reach the files inside (without 'x', a directory's contents cannot be accessed even when 'r' is set). In this position the 'x' can also be replaced with an 's' or 't', which we will go over below.

How to see file access permissions


To see a long listing of a directory, run the command 'ls -la' and you will see something similar to this:




As you can see, read, write and execute are represented by their abbreviated characters r, w and x. They are split into three groups of three characters, or triads, in the order owner, group, other.

So in this example, the owner (yellow) of the file can read, write, and execute. The group (red) can read and execute but not write, so group members can list and enter the directory but cannot create or delete anything in it, and the same goes for others (blue). The 'd' at the beginning of the line indicates the type of file, in this case a directory. An 'l' would indicate a symbolic link, that is, a file designed to point at another file. A '-' would tell us that this is a regular file.

The character immediately after the nine permission characters is either blank or a '+', the latter indicating that there are extended access controls (an ACL) beyond the regular Unix permissions. If that is the case, run the command getfacl <filename> to see the file's access control list; the ACL may grant or deny more than the nine permission characters alone suggest.

In this example, we have a regular file that the owner can read and write, but there are no other permissions set.
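The reading described above can be checked mechanically. The following is an added example (not code from the original page): a POSIX shell decoder for the mode field of an 'ls -l' line that reports the file type, the four-digit octal mode (including the setuid, setgid and sticky bits that appear as 's' and 't') and whether an ACL '+' is present. The listing strings it is run on are constructed for illustration.

```sh
#!/bin/sh
# Decode the first field of an `ls -l` line (for example "drwxr-s--T+") into
# the file type, the four-digit octal mode and whether an ACL is present.
# Added example, not from the original page; the input strings are constructed.

# Octal digit for one rwx triad, e.g. "r-x" -> 5.  A lower-case 's' or 't' in
# the third position means execute is set as well as the special bit; an
# upper-case 'S' or 'T' means the special bit is set but execute is not.
triad_octal() {
    n=0
    case "$1" in r??) n=$((n + 4)) ;; esac
    case "$1" in ?w?) n=$((n + 2)) ;; esac
    case "$1" in ??[xst]) n=$((n + 1)) ;; esac
    echo "$n"
}

# Nine permission characters -> four octal digits, e.g. "rwsr-xr-x" -> 4755.
# The leading digit collects setuid (4), setgid (2) and sticky (1).
mode_to_octal() {
    p="$1"
    s=0
    case "$p" in ??[sS]??????) s=$((s + 4)) ;; esac
    case "$p" in ?????[sS]???) s=$((s + 2)) ;; esac
    case "$p" in ????????[tT]) s=$((s + 1)) ;; esac
    u=$(triad_octal "$(printf '%s' "$p" | cut -c1-3)")
    g=$(triad_octal "$(printf '%s' "$p" | cut -c4-6)")
    o=$(triad_octal "$(printf '%s' "$p" | cut -c7-9)")
    printf '%d%d%d%d\n' "$s" "$u" "$g" "$o"
}

# Full mode field (10 or 11 characters) -> "<type> <octal>[ +ACL]".
describe_mode() {
    m="$1"
    case "$m" in
        d*) kind="directory" ;;
        l*) kind="symbolic link" ;;
        -*) kind="regular file" ;;
        *)  kind="other" ;;
    esac
    perms=$(printf '%s' "$m" | cut -c2-10)
    extra=""
    case "$m" in ??????????+) extra=" +ACL" ;; esac   # 11th character is '+'
    printf '%s %s%s\n' "$kind" "$(mode_to_octal "$perms")" "$extra"
}

# Show the decoding on a few constructed listings when run directly.
for m in 'drwxr-xr-x' '-rw-------+' 'drwxrws--T' 'drwxrwxrwt' '-rwsr-xr-x'; do
    printf '%-12s %s\n' "$m" "$(describe_mode "$m")"
done
```

Feed it the first column of your own 'ls -la' output (for example 'ls -la | awk "NR>1 {print \$1}"') to get octal modes you can compare directly against the umask table further down the page.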

Setuid and setgid


Setuid and setgid are shown as an 's' in place of the 'x' in the owner or group triad respectively. On an executable, setuid would make the program run with the permissions of the file's owner rather than those of the user running it, and setgid would do the same for the file's group. Because this is a security hazard, Gadi ignores setuid: setting it in the owner triad has no effect. (A capital 'S' or 'T' in a listing means the special bit is set but the underlying 'x' is not.)

Setgid on executables is likewise ignored for security reasons. On directories, however, setgid is honoured and useful: new files and subdirectories created inside inherit the directory's group ownership, which is how a project's shared directories stay owned by the project group.

Sticky bits


The sticky bit is a form of deletion protection for shared directories and is shown as a 't' in place of the 'x' in the others triad of the directory. In a directory with the sticky bit set, anyone with write permission on the directory can still create and edit files, but an entry can only be renamed or deleted by its own owner, the owner of the directory, or root. (On Linux the sticky bit has no effect on regular files; it must be set on the directory that contains them.)

A directory listed as drwxrwxrwt therefore lets users outside your project write into it without being able to accidentally or maliciously delete each other's files.


Changing file access permissions


'chmod' is the command used to alter file access permissions. Again, while this command can look complicated at first, there are a few steps you can take to simplify the process.

  1. Who are you changing permissions for? Owner 'u', group 'g', others 'o', or all three 'a'.
  2. What permission change will you be making? Adding '+', removing '-', or replacing '='. Replace removes all other permissions for that scope and sets exactly the ones you list.
  3. What permissions are you referring to? read 'r', write 'w', execute 'x', or the special bits 's' and 't'.

The basic command for this utility is 'chmod <permissions> <filename>'; add '-R' to apply the change recursively to a whole directory tree.

For example

  • $ chmod g+w testfile.sh would grant write access 'w' to the group 'g'.
  • $ chmod o-rw testfile.sh would remove read and write from others.
  • $ chmod g=rws testfile.sh will delete the access that the group has and replace it with r, w and s (setgid). On a regular file the setgid bit is ignored on Gadi, but on a directory it makes new entries inherit the group.

You can also combine 'chmod' with 'find' and 'xargs' (which builds command lines from the file names it reads on standard input) to apply a change to every matching path, for example:

$ find /scratch/a00/aaa777 -type d | xargs chmod g=rws,o-rwx

This searches for directories under /scratch/a00/aaa777 and then uses 'chmod' to give the group r, w and s (setgid, so new files inherit the project group), while removing r, w and x from others. Path names containing spaces or newlines will break this simple pipeline; for those, use 'find ... -print0 | xargs -0 chmod ...' or 'find ... -exec chmod ... {} +' instead.

The owner's permissions on these directories are left as they were, but can be modified in the same way. For example, to remove the owner's write permission, run

$ chmod u-w test

Please do not set files in your home directory to be readable by everyone, as this would let anyone using Gadi read your personal files.

To set deletion protection on a directory in which you have to allow others to write, run

$ mkdir -p /scratch/public/$USER
$ chmod o=rwxt /scratch/public/$USER

This reserves the right to delete or rename a file in that directory to the file's owner and the owner of the directory (and root); other users can still add and edit their own files.


Default file access Permissions


While access permissions can be written symbolically, as above, each triad can also be written as a single octal digit (see the table below), and a three-digit string of these digits is what the 'umask' command takes. The umask is an inverse: it lists the permission bits to withhold from newly created files and directories. On Gadi, 'umask 022' is the default for files created in /home.

The position of the three digits corresponds to the user scopes:

  • 0→owner
  • 2→group
  • 2→other

If you look at the Inverse column of the table below, you can see that 0 = rwx and 2 = r-x.

This means that by default, new directories are created with rwx for the owner and r-x for everyone else (755). New regular files start from rw-rw-rw- rather than rwxrwxrwx, since files are never created executable by default, so the same umask gives rw- for the owner and r-- for everyone else (644).

This is a fast and simple way to set and read permissions. Users can change the default of 022 by adding a 'umask' line to their ~/.bashrc file (for example 'umask 027' to keep new files from being readable by users outside the project).

Symbolic   Octal   Inverse
---        0       7
--x        1       6
-w-        2       5
-wx        3       4
r--        4       3
r-x        5       2
rw-        6       1
rwx        7       0
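The umask arithmetic above can be checked against what the system actually does. The following is an added example (not code from the original page): one function computes the file and directory modes a given umask produces from the 666 and 777 defaults, and a second creates a real file and directory under that umask in a temporary directory and reports what 'ls' shows. The umask values it tries (022, 027, 077) are chosen for illustration.

```sh
#!/bin/sh
# What a umask leaves behind: computed from the defaults, and observed by
# creating a real file and directory under that umask.
# Added example, not from the original page; the umask values tried are
# constructed and the files are made in a temporary directory.

# Arithmetic view.  A new regular file starts from 666 (rw-rw-rw-) and a new
# directory from 777 (rwxrwxrwx); every bit set in the umask is cleared.
# Prints "<file mode> <directory mode>", e.g. "644 755" for 022.
umask_result() {
    mask=$(( 0$1 ))                 # leading 0 makes the shell read "022" as octal
    printf '%03o %03o\n' $(( 438 & ~mask )) $(( 511 & ~mask ))   # 438 = 0666, 511 = 0777
}

# Empirical view.  Create a file and a directory under the given umask in a
# subshell (so the caller's umask is untouched) and report what ls shows.
umask_observed() {
    tmp=$(mktemp -d)
    ( umask "$1"; : > "$tmp/f"; mkdir "$tmp/d" )
    printf '%s %s\n' "$(ls -ld "$tmp/f" | cut -c2-10)" "$(ls -ld "$tmp/d" | cut -c2-10)"
    rm -rf "$tmp"
}

# Compare the two for Gadi's default and two stricter choices when run directly.
for m in 022 027 077; do
    printf 'umask %s: computed %s   observed %s\n' "$m" "$(umask_result "$m")" "$(umask_observed "$m")"
done
```

Note that the observed file mode never contains an x even though the umask would allow it; that is the 666 starting point at work, which is why a script you create must still be given 'chmod u+x' before it can be run.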

Authors: Yue Sun, Adam Huttner-Koros, Mohsin Ali, Andrew Johnston