As we noted in the introduction, permissions and ownership in Unix are two tightly related but different concepts. While each file (and each process) is owned by one user and one group, each file also has a set of permissions that define what can be done with that file by three different categories of users: 1) the user who owns it, 2) the members of the group that owns it, and 3) everyone else (all users who are neither the owning user nor members of the owning group).
The first step to understanding permissions and ownership is to learn how to determine the permissions and ownership of a file. If you have worked through Chapter 5, "Using Files and Directories," you have already learned to use the ls command with the -l option to get the long-format listing of files in a directory. Now you will learn exactly what the permission and ownership portions of those listings mean. (Review Chapter 2, "Using the Command Line," and Chapter 5 if the commands below are unfamiliar to you.)
To create a file and a directory to use as examples:

1. cd
   This ensures that you are in your home directory.
2. mkdir examples
   This creates a new directory called examples.
3. cd examples
   This changes your working directory so that your current directory is now ~/examples.

Create a directory and a file inside the examples directory:

4. mkdir testdir
   This creates a new directory called testdir.
5. date > testfile
   This creates a new file called testfile, containing the current date and time.
The following task assumes that you have created the directories and files in the task above, and that your current directory is ~/examples .
To view the permissions and ownership of all files in the current directory:
localhost:~ vanilla$ ls -l
drwxr-xr-x  2 vanilla  staff  24 Jan 24 11:30 testdir
-rw-r--r--  1 vanilla  staff  29 Jan 24 11:30 testfile
localhost:~ vanilla$
Figure 8.8 shows what the different parts of the listing mean. Notice that there is a part of the listing that shows the permissions and a part that shows the ownership, and that ownership has two parts: user and group. The permissions part is ten characters wide: the first character gives the file type (d for a directory, - for an ordinary file), and the remaining nine are the permissions themselves. We'll go into more detail about the permissions part a little later on (just a preview: r stands for read, w stands for write, x stands for execute, and - means no permission, in sets of three characters for each of these: user, group, and all others). For more about ACLs (Access Control Lists) see "Using ACLs" later in this chapter.
To list permissions for specific files, name them on the ls -l command line (for example, ls -l testfile testdir).

To see the permissions for a directory:

Note that ls -l on a directory lists the permissions of the items inside it, not of the directory itself. To see the permissions of the directory itself, add the -d option:

localhost:~ vanilla$ ls -l ~/examples
total 8
drwxr-xr-x  2 vanilla  staff  24 Jan 24 11:30 testdir
-rw-r--r--  1 vanilla  staff  29 Jan 24 11:30 testfile
localhost:~ vanilla$ ls -ld ~/examples
drwxr-xr-x  2 vanilla  staff  92 Jan 24 11:29 /Users/vanilla/examples
localhost:~ vanilla$
Compare with Aqua
In Aqua you can view (and set) some of the permissions for files by selecting a file (or directory) in the Finder and choosing Get Info from the File menu. Then click the Ownership & Permissions triangle, and then the Details triangle. In Figure 8.10 , you see the Get Info window displaying the permissions of the ~/examples directory used in Figure 8.8.
Figure 8.10. The Show Info window displaying the permissions of the ~/examples directory used in Figure 8.8.
The Aqua interface does not provide a way to list the permissions for several files together in one window, nor does it display the execute permission (described in the next section) or allow you to set all the possible permutations of permissions.
The permissions settings for a file in Unix pack a lot of information into only nine characters. Figure 8.11 shows how the permissions listing of nine characters is divided into three groups of three characters each for the owning user, group, and all others.
There are three kinds of file permission in Unix, and each kind may be different for each of the three categories of owners (owning user, owning group, and all others).
The three main kinds of permission, for both files and directories, are read, write, and execute.
In the nine characters of a permission listing, each set of three shows the read, write, and execute permission for the user, group, and others, respectively. Figure 8.12 shows how letters indicate that permission is granted and a hyphen ( - ) signifies that permission is not granted.
Each type of permission (read, write, execute) has a different meaning for files than for directories.

For files:

Read permission means that you can read the file. If you have read permission on a file, then you can see its contents with commands like cat and less, copy it with cp, and so on. You can view the file with an editor like vi, but you can't alter the file unless you also have write permission.

Write permission means that you can change the file's contents. You need write permission to edit the file. (Renaming a file is a different matter: that changes the directory the file is in, so it needs write permission on the directory, as described below.) Note that if you have read permission but not write permission, you can make a copy of the file, and because you own the copy, you can alter it.

Execute permission means that the file may be run as a program. If the file is a compiled program or a script, you need execute permission to actually run, or execute, it; for a script you also need read permission, because the interpreter has to read the script's text. Type ls -l /bin and see how the user, group, and others all have execute permission on all of the programs in that directory (you'll see the ls program itself in there, too).

For directories:

Read permission means that you can list the directory's contents. Remember that a directory is actually a special kind of file whose content is a list of file and directory names.

Write permission means that you can create, delete, and rename files inside the directory. Since a directory is really a special kind of file that contains a list of names, having permission to write to the directory means that you have permission to change the list, which includes changing filenames, and adding and removing entries. Write permission on a directory does not, by itself, let you rename the directory (that changes its parent directory, so it needs write permission there), nor does it let you change the permissions of the files inside it: chmod is governed by who owns the file, not by the directory's permissions. See the sidebar "Deleting Files."

Execute permission (also called search permission) means that you may cd into or through the directory and use the files inside it by name. If you have read permission on a directory but not execute permission, then you can use ls to see the names in the directory but cannot cd into it or open any of the files in it. Conversely, with execute permission but not read permission you cannot list the directory, but you can still open a file inside it if you already know its name. Write permission on a directory only takes effect together with execute permission, because creating or removing an entry requires searching the directory first.
Deleting Files

You do not actually need write permission on a file to delete the file.

To create or delete a file, you need only have write (and execute) permission for the directory containing the file. This is because when you delete a file, you are really deleting its name from the list of items in a directory, and that means you are altering (writing) the directory. Review the section "Using hard links" at the end of Chapter 5 for more on how filenames are actually entries in directories.

If you try to delete a file for which you do not have write permission but that is in a directory where you have write permission, rm asks you to confirm (the exact wording differs between versions of rm), but if you answer yes the file is deleted; rm -f skips the question entirely. The question is a courtesy of the rm command, not a check made by the operating system, so a program that removes the file directly gets no such prompt.

Looked at another way, if a user has write permission on a directory, he or she can delete every file inside that directory, no matter who owns them. There is a way to prevent that by setting the "sticky bit" on a directory, which restricts deletion to the file's owner (plus the directory's owner and root); /tmp is the classic example. See man sticky.
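The directory rules above, and the sidebar's point that deleting a read-only file needs write permission on the directory rather than on the file, can be checked directly. The following script is an added demonstration, not part of the book: it builds a throwaway directory under $TMPDIR (or /tmp), steps through four directory modes, and reports what each one allowed. Run it as an ordinary user; root bypasses these checks, so every step would succeed for root.

```shell
#!/bin/sh
# Added demonstration (not from the book): exercise the directory-permission
# rules described in the text inside a throwaway directory. Everything here
# is constructed on the fly; no existing files are touched. Run as a normal
# user, because root ignores read/write/execute bits entirely.

demo_dir_perms() {
    base=$(mktemp -d "${TMPDIR:-/tmp}/permdemo.XXXXXX") || return 1
    d="$base/d"
    mkdir "$d"
    echo "hello" > "$d/known"
    chmod 444 "$d/known"          # the file itself is read-only for everyone
    out=""

    # Directory readable but not searchable (mode 400):
    # the names can be listed, but we cannot cd in or open anything by name.
    chmod 400 "$d"
    if ls "$d" 2>/dev/null | grep -q known; then out="list=ok"; else out="list=denied"; fi
    if (cd "$d") 2>/dev/null; then out="$out cd=ok"; else out="$out cd=denied"; fi

    # Directory searchable but not readable (mode 100):
    # no listing, but a file whose name we already know can be opened.
    chmod 100 "$d"
    if cat "$d/known" >/dev/null 2>&1; then out="$out cat=ok"; else out="$out cat=denied"; fi
    if ls "$d" >/dev/null 2>&1; then out="$out list2=ok"; else out="$out list2=denied"; fi

    # Directory writable (mode 700): the read-only file can still be removed,
    # because deletion rewrites the directory, not the file. -f skips rm's prompt.
    chmod 700 "$d"
    if rm -f "$d/known" 2>/dev/null; then out="$out rm=ok"; else out="$out rm=denied"; fi

    # Directory not writable (mode 500): nothing can be created inside it.
    chmod 500 "$d"
    if (: > "$d/new") 2>/dev/null; then out="$out create=ok"; else out="$out create=denied"; fi

    # Restore our own write permission so the cleanup itself is allowed.
    chmod -R u+rwx "$base" && rm -rf "$base"
    printf '%s\n' "$out"
}

demo_dir_perms
```

For a non-root user the script prints list=ok cd=denied cat=ok list2=denied rm=ok create=denied: listing needs r, entering and opening need x, deleting the read-only file needs only w on the directory, and creating a file is refused once that w is gone.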
Using a set of examples is a good way to increase your understanding of ownership and permissions.
Figure 8.13 shows a sample listing of eight files (three of which are directories). The explanations below all refer to Figure 8.13.
-rw-r--r--  1 vanilla  admin   21 Jan 24 15:21 file1
-rw-r-----  1 vanilla  admin   21 Jan 24 15:22 file2
-rwxr-xr-x  1 vanilla  admin   21 Jan 24 15:22 file3
-rw----r--  1 vanilla  losers  21 Jan 24 15:22 file4
-rw-rw-r--  1 vanilla  team1   21 Jan 24 15:22 file5
drwxr-xr-x  1 vanilla  admin   21 Jan 24 15:22 directory1
drwxrwxr-x  1 vanilla  admin   21 Jan 24 15:22 directory2
drwx------  1 vanilla  admin   21 Jan 24 15:22 directory3
In each of the examples, we tell you what the permission mode is on the file. The permission mode is a numerical representation of the permission settings on the file, for example 644 or 755. We explain these numerical modes in great detail later in the section "Changing permissions with absolute modes."
file1 is the most common case. The user who owns the file (vanilla) has permission to read the file and write (or modify) it. Everyone else has permission to read it. The permission mode on this file is 644.
file2 is readable and writable by the owner, and readable by anyone in group "admin." No one else can read or write the file. The mode on this one is 640.

file3 has the standard permissions for an executable program or script. The owner has read, write, and execute permissions; everyone else has read and execute permissions. For a compiled program only the execute permission is needed to actually run it; a script additionally needs read permission, because the interpreter must read it. The read permission also allows making copies of the file. The mode is 755.
file4 is an interesting case. The owner, vanilla, has read and write permission. Members of group "losers" have no permissions, and everyone else has read permission. What's going on here? When you try to use a file, the operating system checks permissions in this order: user, group, other. So if you are the user who owns the file, the user permissions are used. If not, the system checks to see if you are in the group that owns the file. If so, the group permissions are used, and if you are not the owner or in the group, the "other" permissions apply. Only one set of permissions is applied. So in the case of file4 , everybody has read permission except people in group losers. The mode is 604.
file5 has the most common permissions for a file that is part of a group project. The owner and any user in group "team1" have read and write permission; everyone else has read-only permission. The mode is 664.
directory1 has the standard permissions for nonprivate directories. The owner has read, write, and execute permissions; everybody else has read and execute permissions. Everyone can list the contents of the directory and can cd into it, but only the owner can create files inside it. The mode is 755.
directory2 has the most common permissions for a directory used in a group project. Permissions are the same as with directory1 except that any member of group "admin" also has write permission on the directory, and so can create, rename, and delete files inside it. The mode is 775.

directory3 has the standard permissions for a private directory. The owner has read, write, and execute permissions; everybody else (including people in group "admin") has no permissions: they cannot see anything in the directory or even cd into or through it. The mode is 700.
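The user, then group, then other rule from the file4 example, and the numeric modes quoted for each entry, can be worked through mechanically. The script below is an added example, not code from the book: it evaluates the permission strings from Figure 8.13 for hypothetical requesters (fred in group losers, alice in group admin; both names and group lists are made up here) and converts each symbolic string to its octal mode. It works purely on text, so no real accounts or files are consulted.

```shell
#!/bin/sh
# Added worked example (not from the book): a small evaluator for the
# user -> group -> other rule described in the text, plus the symbolic-to-
# octal conversion the text previews. Inputs are strings in the form ls -l
# prints; requester names and group memberships are supplied as arguments
# (the ones used below are invented for the demonstration).

# Value of one rwx triad: r=4, w=2, x=1. A lowercase s or t in the x slot
# also means execute is set; the setuid/setgid/sticky bits themselves are
# not folded into a fourth digit here.
triad_bits() {
    t=$1 n=0
    case $t in r??) n=$((n + 4)) ;; esac
    case $t in ?w?) n=$((n + 2)) ;; esac
    case $t in ??[xst]) n=$((n + 1)) ;; esac
    printf '%s' "$n"
}

# Accept either the nine permission characters or the full ten-character
# field (with the leading file-type character, which is dropped).
strip_type() {
    p=$1
    [ ${#p} -eq 10 ] && p=${p#?}
    printf '%s' "$p"
}

# mode_octal 'rwxr-xr-x' -> 755 ; mode_octal '-rw-r--r--' -> 644
mode_octal() {
    p=$(strip_type "$1")
    printf '%s%s%s\n' \
        "$(triad_bits "$(printf '%s' "$p" | cut -c1-3)")" \
        "$(triad_bits "$(printf '%s' "$p" | cut -c4-6)")" \
        "$(triad_bits "$(printf '%s' "$p" | cut -c7-9)")"
}

# in_list NEEDLE WORD... : succeeds if NEEDLE equals one of the WORDs.
in_list() {
    needle=$1; shift
    for w in "$@"; do
        [ "$w" = "$needle" ] && return 0
    done
    return 1
}

# effective_perms PERMS OWNER GROUP USER "GROUP GROUP..."
# Exactly one triad is chosen, in the order the system checks them:
# the owner's triad if USER owns the file, otherwise the group triad if
# USER belongs to the owning group, otherwise the "other" triad.
effective_perms() {
    p=$(strip_type "$1") owner=$2 group=$3 user=$4 user_groups=$5
    if [ "$user" = "$owner" ]; then
        printf '%s' "$p" | cut -c1-3
    elif in_list "$group" $user_groups; then
        printf '%s' "$p" | cut -c4-6
    else
        printf '%s' "$p" | cut -c7-9
    fi
}

# The Figure 8.13 listing, reduced to the fields we need (constructed here).
listing='-rw-r--r-- vanilla admin file1
-rw-r----- vanilla admin file2
-rwxr-xr-x vanilla admin file3
-rw----r-- vanilla losers file4
-rw-rw-r-- vanilla team1 file5
drwxr-xr-x vanilla admin directory1
drwxrwxr-x vanilla admin directory2
drwx------ vanilla admin directory3'

# Show each entry's mode and what two non-owners (fred, in losers; alice,
# in admin) could do with it. Only one triad applies to each requester.
printf '%s\n' "$listing" | while read -r perms owner group name; do
    printf '%-11s mode %s  fred(losers): %s  alice(admin): %s\n' \
        "$name" "$(mode_octal "$perms")" \
        "$(effective_perms "$perms" "$owner" "$group" fred losers)" \
        "$(effective_perms "$perms" "$owner" "$group" alice admin)"
done
```

The file4 line is the instructive one: fred is in group losers, so the group triad (---) is the only one consulted and he gets nothing, while alice, who is in neither the owner slot nor the group, falls through to the "other" triad and can read the file.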
Be Careful with the Execute Bit
Be sure not to turn on execute permission for files that are not actually intended to be run as commands. Executing a file that was not created as a command file could cause undesirable results as the operating system attempts to treat the file's contents as a program (or, lacking a recognizable program header, hands them to the shell as commands). Usually you simply get an error message, but if the file's contents happen to contain something that the system thinks is actually executable, you could lock up your Terminal window or lose data. A stray execute bit also makes a data file look like a program to anyone reviewing ls -l output, so it is worth removing when you notice one.