At first, unix file access permissions may look confusing or intimidating, but when they are broken down, they are not only simple to understand, they are also incredibly useful.
With a system like Linux, there are multiple users accessing the same file. To control and protect data, we can use access permissions to ensure that we don't lose hours of work, or potentially much more.
As mentioned above, it does look confusing at first, but by remembering a few key things, scope and permissions, you'll be able to read them with ease.
When a user creates a file, they become the owner of that file. However, files can be transferred to other users, so be aware that the current owner may not have created the file.
This will be represented as yellow in the screenshot below
The group is the project that the user who created the file belonged to at the time of its creation. Storage allocation for this file will also be taken from the project that owns the file.
This will be represented as red in the screenshot below
Others refers to users who don't own the file, nor are they associated with the project that owns the file.
This will be represented as blue in the screenshot below
An 'r' in the permission line is short for read. This means that the file can be opened and read.
A 'w' in the permission line gives the ability to modify and save a file.
An 'x' in the permission line stands for execute. This gives the ability to execute and run programs. This can also be replaced with an 's' or 't', which we will go over below.
To see a long listing of a directory, run the command 'ls -la' and you will see something similar to this:
As you can see, our read, write, and execute permissions are represented by their abbreviated characters r, w, x. They are split into three different sections, or triads: owner, group, and others.
So in this example, the owner (yellow) of the file can read, write, and execute. The group (red) can read and execute, but not write, so they won't be able to save any changes to the file, and the same goes for the others (blue) group. The 'd' at the beginning of the line indicates the type of file, in this case a directory. An 'l' would indicate that this is a symbolic link, a file that is designed to point at another file. A '-' would tell us that this is a regular file.
The space at the end of the line can be blank or filled with a '+', indicating that there are extended access controls outside of the regular unix permissions. If that is the case, run the command 'getfacl <filename>' to see that file's access control list.
In this example, we have a regular file that the owner can read and write, but there are no other permissions set.
Setuid and setgid
Replacing the 'x' in either the owner or group with an 's' in an executable binary will make it launch as the owning user, or group, regardless of who invokes it. This is considered a security hazard and all user-writable locations on Gadi have this disabled.
Doing so in the group triad will also be ignored for security reasons. When used on directories it forces new files and directories created within them to inherit their group ownership.
Sticky bits
The sticky bit can be used as a form of deletion protection and is active when 'x' is replaced with a 't' in the others triad. This means that although the file can still be read and written, only the owner can rename or delete the file.
A permissions line of -rwxrwxrwt would ensure that the file couldn't be accidentally or maliciously deleted when sharing data with users outside of your project.
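To put the reading rules above together, here is an added example (not from the original page) that decodes the permission field of an 'ls -la' line into its three triads, the setuid, setgid and sticky bits, the trailing '+' ACL marker and the equivalent octal mode, then flags what a reviewer of a listing would want to know. It goes slightly beyond the page by also accepting the upper-case 'S'/'T' forms, which mean the special bit is set without execute; the sample fields are constructed.

```python
# Added example (not from the original page): decode the permission field of an
# 'ls -la' line (e.g. 'drwxrws---+' or '-rwxrwxrwt') into its triads, special
# bits and equivalent octal mode, then flag what a reviewer would want to see.
FILE_TYPES = {"-": "regular file", "d": "directory", "l": "symbolic link"}

def parse_mode(perm: str) -> dict:
    if len(perm) not in (10, 11):
        raise ValueError(f"not a permission field: {perm!r}")
    mode = {"type": FILE_TYPES.get(perm[0], f"other ({perm[0]})"),
            "acl": len(perm) == 11 and perm[10] == "+",   # '+' -> run getfacl
            "setuid": False, "setgid": False, "sticky": False}
    digits = 0
    for i, scope in enumerate(("owner", "group", "others")):
        r, w, x = perm[1 + 3 * i: 4 + 3 * i]
        perms = {c for c, want in ((r, "r"), (w, "w")) if c == want}
        # 's' and 't' mean "execute plus a special bit"; upper-case 'S'/'T'
        # mean the special bit is set but execute is not.
        if x in "xst":
            perms.add("x")
        if x in "sS" and scope in ("owner", "group"):
            mode["setuid" if scope == "owner" else "setgid"] = True
        if x in "tT" and scope == "others":
            mode["sticky"] = True
        mode[scope] = perms
        digits = digits * 8 + 4 * ("r" in perms) + 2 * ("w" in perms) + ("x" in perms)
    special = 4 * mode["setuid"] + 2 * mode["setgid"] + mode["sticky"]
    mode["octal"] = f"{special}{digits:03o}"
    return mode

def review(perm: str) -> list:
    """Flags a defender scanning a listing would want: special bits on
    executables, world-writable paths without deletion protection, ACLs."""
    m = parse_mode(perm)
    notes = []
    if (m["setuid"] or m["setgid"]) and m["type"] != "directory":
        notes.append("setuid/setgid executable: runs as the owner or group, whoever invokes it")
    if "w" in m["others"] and not m["sticky"]:
        notes.append("world-writable without sticky bit: others can rename or delete entries")
    if m["acl"]:
        notes.append("extended ACL present: run getfacl to see the full access list")
    return notes

if __name__ == "__main__":
    # Constructed sample listing fields
    for field in ("-rwxrwxrwt", "drwxrws---+", "-rw-------", "-rwsr-xr-x"):
        m = parse_mode(field)
        print(field, m["octal"], m["type"], review(field))
```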
'chmod' is the command used when you want to alter the file access permissions. Again, while this command can look complicated at first, there are a few steps you can take to simplify the process.
First, choose the scope: the owner 'u', group 'g', or others 'o'.
Second, choose the action: adding '+', removing '-', or replacing '='. Replace will remove all other permissions and replace them with your command.
Third, choose the permission: read 'r', write 'w', or execute 'x'.
The basic command for this utility is 'chmod <permissions> <filename>'.
For example,
$ chmod g+w testfile.sh
would grant write access 'w' to the group 'g'.
$ chmod o-rw testfile.sh
would remove read and write from others.
$ chmod g=rws testfile.sh
will delete the access that the group has and replace it with r,w,s.
You can also find each directory and its subdirectories and pass them to chmod to update the permissions, for example:
find /scratch/a00/aaa777 -type d -exec chmod g=rws,o-rwx {} +
This finds every directory under /scratch/a00/aaa777 and then uses 'chmod' to give the group permissions r,w,s, while removing r,w,x from others.
The permissions of these directories set for the file owner remain the same but can be modified. For example, to remove the owner's write permission, run
$ chmod u-w test
To set the deletion protection on a directory in which you have to allow others to write, run
$ mkdir -p /scratch/public/$USER
$ chmod o=rwxt /scratch/public/$USER