Page tree

File Access Permisions

At first, unix file access permissions may look confusing or intimidating, but when they are broken down, they are not only simple to understand, they are also incredibly useful.

With a system like Linux, there are multiple users accessing the same file. To control and protect data, we can use access permissions to ensure that we don't lose hours of work, or potentially much more. 

As was mentioned above it does look confusing at first but by remembering a few key things, scope and permissions, you'll be able to read them with ease. 

File ownership can be split into three different scopes: Owner, group, and others. 

Owner

When a user creates a file, they become the owner of that file. However, files can be transferred to other users, so be aware that the current owner may not have created the file

This will be represented as yellow in the screenshot below

Group

The group is the project that the user who created the file belonged to at the time of its creation. Storage allocation for this file will also be taken from the project that owns the file.

This will be represented as red in the screenshot below

Others

Others refers to users who who don't own the file, nor are they associated with the project that owns the file.

This will be represented as blue in the screenshot below

NCI recommends that you do not share data with users outside of the project 

Permissions are split into three different parameters. 

Read

An 'r' in the permission line is short for read. This means that the file can be opened and read.

Write

'w' in the permission gives the ability to modify and save a file.

Execute

An 'x' in the permission line stands for execute. This gives the ability to execute and run programs. This can also be replaced with an 's' or 't', which we will go over below.


How to see file access permissions 

To see a long listing of a directory, run the command 'ls -la' and you will see something similar to this,




As you can see, our read, write, and execute, are represented by their abbreviated characters r,w,x. They are split into three different sections, or triads, owner, group, and other.

So in this example, the owner (yellow) of the file can read, write, and execute. The group (red) can read and execute, but not write, so they won't be able to save any changes to the file, and the same goes for the others (blue) group.  The 'd' at the beginning of beginning indicates the type of file, in this case a directory file. A 'l' would indicate that this is a symbolic link file, or a file that is designed to point at another file. '-' would tell us that this is a regular file. 

The space at the end of the line can be blank or filled with a '+' indicating that there are extended access controls outside of the regular unix permissions. If that is the case, run the command getfacl <filename> to see that file access control list.

In this example, we have a regular file that the owner can read and write, but there are no other permissions set. 

Setuid and setgid 

Replacing the 'x' in either the owner or group with an 's' will change the permissions to match those of the owner of the file. This is considered a security hazard and will have no effect when doing so under the user triad.

Doing so in the group triad will also be ignored for security reasons. When used on directories it forces new files and directories created within them to inherit their group ownership.

Sticky bits 

Sticky bit can be used as a form of deletion protection and is active when 'x' is replaced with a 't' in the others triad. This means that although the file will be able to be read and written, only the owner can rename or delete the file.

A permissions line of -rwxrwxrwt would ensure that the file couldn't be accidentally or maliciously deleted when sharing data with users outside of your project.


Changing file access permissions 

'chmod' is the command used when you want to alter the file access permissions. Again, while this command can look complicated at first, there is a few steps you can take to simplify the process. 

  1. Who are you changing permissions for? Owner 'u', group 'g', or others 'o'.
  2. What permission change will you be making? Adding '+', removing '-', or replacing '='. Replace will remove all other permissions and replace them with your command. 
  3. What permissions are you referring to? read 'r', write 'w', or execute 'x'.

The basic command for this utility is 'chmod <permissions> <filename>'

For example

  • $ chmod g+w testfile.sh would grant write access 'w' to the group 'g'. 
  • $ chmod o-rw testfile.sh would remove read and write from others.
  • $ chmod g=rws testfile.sh will delete the access that the group has and replace it with r,w,s.

 You can also use command xargs, or extended arguments, to add these commands to a search, for example: 

$ find /scratch/a00/aaa777 -type d | xargs chmod g=rws,o-rwx
 this searches for directories under /scratch/a00/aaa777 and then uses 'chmod' to give group permissions r,w,s, while removing r,w,x from others.

The permissions of these directories set for the file owner remain the same but can be modified. For example, to remove the owner's write permission, run

 $ chmod u-w test
Please do not set files in your home directory to be readable by everyone as this could result in anyone using Gadi to read your personal files.

To set the deletion protection on the directory in which you have to allow others to write, run

$ mkdir -p /scratch/public/$USER
$ chmod o=rwxt /scratch/public/$USER
so that it reserves the permission of deleting a file for the file owner and the owner of the parent directory only. 

Default file access Permissions 

While access permissions can be represented as symbols, like above, they can also be represented with a short string of numbers that make up a 'umask'. On gadi, 'umask 022' is used as default permission for newly created files in /home, and is set as the inverse umask on files. 

The position of these three numbers corresponds to the user scopes

  • 0→owner
  • 2→ group
  • 2→ other 

If you look at the inverse column on the table to the right, you can see that 0= rwx and 2 =r-x.

This means as default, owners will be given rwx permissions, and everyone else will be given r-x.

This is a fast and simple way to set and read permissions. Users can change the default of 022 by modifying their ~/.bashrc file. 

symbolic 

octal 

inverse

---

0

7

--x

1

6

-w-

2

5

-wx

3

4

r--

4

3

r-x

5

2

rw-

6

1

rwx

7

0

Authors: Yue Sun, Adam Huttner-Koros, Mohsin Ali, Andrew Johnston