Understanding Permissions and Ownership

As we noted in the introduction, permissions and ownership in Unix are two tightly related but different concepts. While each file (and each process) is owned by one user and one group , each file also has a set of permissions that define what can be done with that file by the three different categories: 1) the user who owns it, 2) the group that owns it, and 3) everyone else (all users who are neither the owning user nor members of the owning group).

The first step to understanding permissions and ownership is to learn how to determine the permissions and ownership of a file. If you have worked through Chapter 5, "Using Files and Directories," you have already learned to use the ls command with the -l option to get the long-format listing of files in a directory. Now you will learn exactly what the permission and ownership portions of those listings mean. (Review Chapter 2, "Using the Command Line," and Chapter 5 if the commands below are unfamiliar to you.)

To create a file and a directory to use as examples:

The following task assumes that you have created the directories and files in the task above, and that your current directory is ~/examples .

To view the permissions and ownership of all files in the current directory:

• ls -l
  
  This shows the long-form listing of all the files in the current directory ( Figure 8.7 ).
  
  

  Figure 8.7. Using ls -l to view the permissions and ownership of all the files in the current directory.

   localhost:~ vanilla$  ls -l  drwxr-xr-x      2 vanilla      staff     24 Jan 24 11:30 testdir -rw-r--r--      1 vanilla      staff     29 Jan 24 11:30 testfile localhost:~ vanilla$ 

  
  

Figure 8.8 shows what the different parts of the listing mean. Notice that there is a part of the listing that shows the permissions and a part that shows the ownership, and that ownership has two parts : user and group. We'll go into more detail about the permissions part a little later on (just a preview: r stands for read , w stands for write , x stands for execute , and - means no permission , in sets of three characters for each of theseuser, group, and all others). For more about ACLs (Access Control Lists) see "Using ACLs" later in this chapter.

Figure 8.8. Diagram showing which parts of the listing are the permissions and which parts are the ownership information.

To list permissions for specific files:

• Supply the filenames as arguments to
  
  ls -l.
  
  For example,
  
  ls -l testfile
  
  shows the permissions and ownership for only the file testfile. You may supply multiple file and directory names as arguments.
  
  If any of the arguments are directory names, then the contents of the directory are listed.
  
  

To see the permissions for a directory:

• Add the -d option to ls -l :
  
  ls -ld testdir
  
  Figure 8.9 compares the output of
  
  ls -l ~/examples
  
  with
  
  ls -ld ~/examples
  
  

  Figure 8.9. Comparing the output of ls -l and ls -ld when a directory is an argument.

   localhost:~ vanilla$  ls -l ~/examples  total 8 drwxr-xr-x     2 vanilla   staff    24 Jan 24 11:30 testdir -rw-rr       1 vanilla   staff    29 Jan 24 11:30 testfile localhost:~ vanilla$  ls -ld ~/examples  drwxr-xr-x     2 vanilla   staff    92 Jan 24 11:29 /Users/vanilla/examples localhost:~ vanilla$ 

  
  In the first case the directory's contents are listed. The addition of the -d option shows the permissions for the directory itself instead of its contents.
  
  

The types of permission

The permissions settings for a file in Unix pack a lot of information into only nine characters. Figure 8.11 shows how the permissions listing of nine characters is divided into three groups of three characters each for the owning user, group, and all others.

There are three kinds of file permission in Unix, and each kind may be different for each of the three categories of owners (owning user, owning group, and all others).

The three main kinds of permission, for both files and directories, are

• Read permission

• Write permission

• Execute permission

In the nine characters of a permission listing, each set of three shows the read, write, and execute permission for the user, group, and others, respectively. Figure 8.12 shows how letters indicate that permission is granted and a hyphen ( - ) signifies that permission is not granted.

Each type of permission (read, write, execute) has a different meaning for files than for directories.

What permissions mean for files

Read permission means that you can read the file. If you have read permission on a file, then you can see its contents with commands like cat and less , copy it with cp , and so on. You can view the file with an editor like vi , but you can't alter the file unless you also have write permission.

Write permission means that you can change the file. You need write permission to edit the file or rename it. Note that if you have read permission but not write permission, you can make a copy of the file, and because you own the copy, you can alter it.

Execute permission means that if a file is a script, or program, you need to have execute permission to actually run, or execute , the program. Type ls -l /bin and see how the user, group, and others all have execute permission on all of the programs in that directory (you'll see the ls program itself in there, too).

What Permissions Mean for Directories

Read permission means that you can list the directory contents. Remember that a directory is actually a special kind of file whose content is a list of file and directory names.

Write permission means that you can change the directory name , and create and delete files inside the directory, and you can also change the permissions of files that you own inside the directory. Since a directory is really a special kind of file that contains a list of names, having permission to write to the directory means that you have permission to change the list, which includes changing filenames, and adding and removing files. See the sidebar "Deleting Files."

Execute permission means that you may cd into or through the directory. If you have read permission on a directory but not execute permission, then you can use ls to see the contents of the directory but cannot use cd to go into the directory.

Examples of permissions

Using a set of examples is a good way to increase your understanding of ownership and permissions.

Figure 8.13 shows a sample listing of eight files (three of which are directories). The explanations below all refer to Figure 8.13.

Figure 8.13. Sample listing of eight files showing different permission modes.

 -rw-r--r--  1 vanilla  admin   21 Jan 24 15:21  file1  -rw-r----   1 vanilla  admin   21 Jan 24 15:22  file2  -rwxr-xr-x  1 vanilla  admin   21 Jan 24 15:22  file3  -rw-r----   1 vanilla  losers  21 Jan 24 15:22  file4  -rw-rw-r--  1 vanilla  team1   21 Jan 24 15:22  file5  drwxr-xr-x  1 vanilla  admin   21 Jan 24 15:22  directory1  drwxrwxr-x  1 vanilla  admin   21 Jan 24 15:22  directory2  drwx------  1 vanilla  admin   21 Jan 24 15:22  directory3  

In each of the examples, we tell you what the permission mode is on the file. The permission mode is a numerical representation of the permission settings on the filefor example, 644 or 755. We explain these numerical modes in great detail later in the section "Changing permissions with absolute modes."

file1 is the most common case. The user who owns the file (vanilla) has permission to read the file and write (or modify) it. Everyone else has permission to read it. The permission mode on this file is 644.

file2 is readable and writable by the owner, and readable by anyone in group "staff." No one else can read or write to the file. The mode on this one is 640.

file3 has the standard permissions for an executable program or script. The owner has read, write, and execute permissions; everyone else has read and execute permissions. Only the execute permission is needed to actually run the program/script; the read permission allows making copies of the file. The mode is 755.

file4 is an interesting case. The owner, vanilla, has read and write permission. Members of group "losers" have no permissions, and everyone else has read permission. What's going on here? When you try to use a file, the operating system checks permissions in this order: user, group, other. So if you are the user who owns the file, the user permissions are used. If not, the system checks to see if you are in the group that owns the file. If so, the group permissions are used, and if you are not the owner or in the group, the "other" permissions apply. Only one set of permissions is applied. So in the case of file4 , everybody has read permission except people in group losers. The mode is 604.

file5 has the most common permissions for a file that is part of a group project. The owner and any user in group "team1" have read and write permission; everyone else has read-only permission. The mode is 664.

directory1 has the standard permissions for nonprivate directories. The owner has read, write, and execute permissions; everybody else has read and execute permissions. Everyone can list the contents of the directory and can cd into it, but only the owner can create files inside it. The mode is 755.

directory2 has the most common permissions for a directory used in a group project. Permissions are the same as with directory1 except that any member of group staff also has write permission on the directory. The mode is 775.

directory3 has the standard permissions for a private directory. The owner has read, write, and execute permissions; everybody else (including people in group staff) has no permissionsthey cannot see anything in the directory or even cd into or through it. The mode is 700.