Read Only Files and How to Change Them
Last modified: Friday November 27 09:44:55 2022
Also see my Unix Page for more tutorials on Unix
Table of Contents
- Basic File Attributes - Read, Write and Execute
- Basic Directory Attributes - Read, Write and Search
- User, Group and World
- Typical Permissions
- Using Permissions in Work Groups
- The umask command
- Which group is which?
- The other 3 bits
- Changing special permissions
- Examining the permissions
- Conditional modification
- Conclusion
Copyright 1995 Bruce Barnett and General Electric Company
Copyright 2001, 2013 Bruce Barnett
All rights reserved
You are allowed to print copies of this tutorial for your personal use, and link to this page, but you are not allowed to make electronic copies, or redistribute this tutorial in any form without permission.
Original version written in 1995 and published in the Sun Observer
How to limit access to your files. How to make files read-only, executable, and so on. How to prevent others from deleting files in your directories. How to prevent others from even looking at your directories. "Special-purpose" access modes for executable files.
In this tutorial, I'll go into detail on file permissions, and discuss some of the more subtle aspects. Unfortunately I have to cover the basics first, so I'll try to be brief. I use aliases below. These are tcsh aliases, not bash aliases.
Basic File Attributes - Read, Write and Execute
There are three basic attributes for plain file permissions: read, write, and execute.
Read Permission of a file
If you have read permission on a file, you can see its contents. That means you can use more(1), cat(1), etc.
Write Permission of a file
If you have write permission on a file, you can change the file. This means you can add to a file, or overwrite a file. You can empty a file called "yourfile" by copying the empty file /dev/null on top of it:
cat /dev/null > yourfile
Execute Permission of a file
If the file has execute permission, then you can ask the operating system to run the file as if it were a program. If it's a binary program, you can execute it like any other program. In other words, if there is a file called "xyz", and it is in your search path, and the file is executable, all you need to do to run the program is type
xyz
If the file is a shell script, then the execute attribute says you can treat it as if it were a program. To put it another way, you can create a file using your favorite editor, add the execute attribute to it, and it "becomes" a program. However, since a shell has to read the file, a shell script has to be readable and executable. A compiled program does not need to be readable.
The basic permission characters, "r", "w", and "x"
r means read, w means write, and x means eXecute.
Simple, eh?
Using chmod to modify permissions
The chmod(1) command is used to modify permissions. The simplest way to use the chmod command is to add or remove a permission on a file. A plus or minus is used to add or subtract the permission.
You may want to prevent yourself from changing an important file. Remove the write permission of the file "myfile" with the command
chmod -w myfile
If you want to make the file "myscript" executable, type
chmod +x myscript
You can add or remove more than one of these attributes at a time:
chmod -rwx file
chmod +wx file
You can also use "=" to set the permission to an exact combination. This command removes the write and execute permissions, while adding the read permission:
chmod =r myfile
Note that you can only change the permissions of files you own. That is, you can remove all permissions from a file, and then add them back again. You can make a file "read only" to protect it. However, making a file read-only does not prevent you from deleting the file. That's because the file is in a directory, and directories also have read, write and execute permissions. And the rules are different. Read on.
Basic Directory Attributes - Read, Write and Search
Directories use these same permissions, but they have a different meaning. Yes, very different meanings. This is classic Unix: terse, flexible and very subtle. Okay - let's cover the basic directory permissions.
Read permission on a directory
If a directory has read permission, you can see what files are in the directory. That is, you can do an "ls" command and see the names of the files inside the directory. However, read permission on a directory does not mean you can read the contents of the files in the directory.
Write permission on a directory
Write permission means you can add a new file to the directory. It also means you can rename, move or delete files in the directory.
Execute permission on a directory
Execute permission allows you to use the directory name when accessing files inside that directory. The "x" permission means the directory is "searchable": a pathname can pass through it to reach a file or subdirectory inside. If a file inside is a program with its own execute bit, you can run it.
Let's examine all this a bit closer.
This makes sense when you realise that directories are files too. A file is not stored "inside" a directory. The file's data is stored in data blocks scattered all over the disk partition. The directory is a special file that holds the names of the files "inside" it, each paired with the number of the i-node that records the file's attributes and the location of its data.
Suppose you have read access to a directory, but you do not have read access to the files in the directory. You can still read the directory: that is, the names of the files in it, and their i-node numbers (the "ls -i" command shows the i-node number). To see the status information for a file, as returned by the stat() system call (permissions, size, access times, owner and group, number of links), you also need search permission on the directory, which is what "ls -l" relies on. The file itself is stored elsewhere on the disk, identified by the i-node number.
Write permission on a directory allows you to change the contents of the directory. Because the name of the file is stored in the directory, and not in the file, write permission on a directory allows renaming or deletion of files and does not require write permission on the file. To be specific, if someone has write permission to your home directory, they can rename or delete your .login file and put a new file in its place. The permissions of your .login file do not matter. Someone can rename a file even if they can't read the contents of the file. (Write permission on a directory is only usable together with search permission; without "x" the system cannot reach the entries to change them.)
Execute permission on a directory is sometimes called search permission. If you found a directory that gave you execute permission, but not read permission, you could use any file in that directory. However, you must know the name. You cannot look inside the directory to find out the names of the files. Think of this type of directory as a black box. You can throw filenames at this directory, and sometimes you find a file, sometimes you don't.
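The rules above are easy to check for yourself. The following script is an added example, not part of the original tutorial: it builds throwaway directories with mktemp and shows each point in turn (a read-only file vanishing from a writable directory, a mode-000 file being renamed, a search-only directory hiding its names, and a write-without-search directory refusing new files). It is POSIX sh rather than the tutorial's tcsh, and the two checks that depend on being denied access report "root" instead of a result when run as the superuser, who bypasses these checks.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: exercises the
# directory-permission rules above in throwaway directories created with
# mktemp.  Needs only POSIX tools (chmod, mv, rm, ls, cat, id).  Checks
# that depend on being DENIED access print "root" when run as the
# superuser, who bypasses ordinary permission checks.

# A read-only file in a writable directory can still be removed:
# unlink needs write and search on the DIRECTORY, not write on the file.
readonly_file_is_deletable() {
    d=$(mktemp -d)
    : > "$d/important"
    chmod 444 "$d/important"                # -r--r--r--
    rm -f "$d/important"                    # -f: don't ask about the read-only file
    if [ -e "$d/important" ]; then echo no; else echo yes; fi
    rm -rf "$d"
}

# Renaming needs no permission on the file itself, only write+search on
# the directory holding the name, so even a mode-000 file can be renamed.
unreadable_file_is_renamable() {
    d=$(mktemp -d)
    : > "$d/secret"
    chmod 000 "$d/secret"
    mv "$d/secret" "$d/renamed" 2>/dev/null || true
    if [ -e "$d/renamed" ] && [ ! -e "$d/secret" ]; then echo yes; else echo no; fi
    chmod 600 "$d/renamed" 2>/dev/null || true
    rm -rf "$d"
}

# Search-only directory (--x): names cannot be listed, but a file whose
# name you already know can be read through it.  Prints "blind" when that
# is exactly what happens.
search_only_directory() {
    if [ "$(id -u)" -eq 0 ]; then echo root; return; fi
    d=$(mktemp -d)
    echo hello > "$d/known"
    chmod 111 "$d"
    listing=$(ls "$d" 2>/dev/null || true)          # fails: no read on the directory
    content=$(cat "$d/known" 2>/dev/null || true)   # works: we know the name
    chmod 700 "$d"
    rm -rf "$d"
    if [ -z "$listing" ] && [ "$content" = hello ]; then echo blind; else echo unexpected; fi
}

# Write without search (-w-) is useless: the kernel cannot resolve a name
# through a directory it may not search, so creating a file there fails.
write_without_search_fails() {
    if [ "$(id -u)" -eq 0 ]; then echo root; return; fi
    d=$(mktemp -d)
    chmod 200 "$d"
    if : > "$d/newfile" 2>/dev/null; then result=no; else result=yes; fi
    chmod 700 "$d"
    rm -rf "$d"
    echo "$result"
}

echo "read-only file deleted from writable dir: $(readonly_file_is_deletable)"
echo "mode-000 file renamed:                    $(unreadable_file_is_renamable)"
echo "search-only dir hides names:              $(search_only_directory)"
echo "write without search fails:               $(write_without_search_fails)"
```

The first two checks hold even for root, because they only exercise what the directory allows; the last two print "root" under the superuser because the kernel grants root the access an ordinary user would be denied.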
User, Group and World
So far I have treated permissions as either your permission or not your permission. The read, write and execute permissions are stored in three different places, called user (u), group (g) and world, or other (o).
When you execute
chmod =r myfile
it changes the permissions in all three places. (Strictly, when chmod is given no "u", "g", "o" or "a" prefix it leaves alone any bits that are set in your umask, which is covered below; with the common umask of 022 this only matters for the group and world write bits, so on a 644 file the result is exactly what is shown.) When you list this file with "ls -l" you will see
-r--r--r-- 1 grymoire admin 0 Feb 1 19:30 myfile
Note that there are three "r"'s for the three different types of permissions.
All files have an owner and a group associated with them. There are three sets of read/write/execute permissions: one set for the owner (user) of the file, one set for the group of the file, and one set for everyone else (other). These permissions are held in 9 bits in the i-node information, and are represented by the characters "rwxrwxrwx". The first three characters specify the user, the middle three the group, and the last three the world. If a permission is not granted, a dash is used to indicate the lack of privilege. If you wanted to have a data file that you could read or write, but don't want anyone else to see, the permission would be "rw-------".
Everybody belongs to at least one group on a Unix system. Some people belong to more than one group. If the computer is only used by one person, then groups aren't that useful except for set-group-id programs, but that comes later.
Let's assume you have several people using a computer, and you want to allow people in a group to have access to a file. Let's also say they belong to the same group as you. Assume the file is in a group directory, with the group "admin", and you want to let the group read and write the file, but you want to prevent people outside of the group from reading or changing it. You want the file to have the permission "rw-rw----": user and group have read and write, and others have none. The chmod command can do this. You should recall that the command
chmod =rw myfile
will create the permission "rw-rw-rw-" (unless your umask masks some of those bits; see the umask section below), which means user, group and other all have read and write. So how can you change it to "rw-rw----"?
The chmod command has options, of course. Using "+", "-" or "=" without a prefix changes the user (u), group (g) and other (o) permissions together. You can explicitly specify u, g or o in the chmod command:
chmod u=rw myfile
chmod g=rw myfile
chmod ug=rw myfile
This is handy, but the three commands above do not change the "other" permission. They only change what is specified. To remove read and write permission for other, you can instead type
chmod o= myfile
chmod o-rw myfile
The first sets the permission to nothing, and the second removes the read and write permission.
If you want to change the group permission, use "g" instead of "o":
chmod g+r myfile
chmod g-w myfile
These commands will add read and remove write permission. You can combine these two commands:
chmod g+r-w myfile
If you want to combine an operation on group and other, you can put a comma between the permissions:
chmod g+r-w,o=rwx myfile
Besides "u", "g" or "o", you can use "a" to mean all three. The following commands do the same thing (except that "a=" ignores the umask while a bare "=" honours it):
chmod a=rw myfile
chmod =rw myfile
An easier way to specify these 9 bits is with three octal digits instead of 9 characters. The octal values of the read, write and execute bits, "rwx", are
Read 4
Write 2
Execute 1
Octal representation is pure geek talk, and was the only form that worked in the early versions of Unix. The order is the same as "rwx", so read/write permission, or "rw-", can be described by the octal number 6 (4+2). However, we have to express the permissions of all three parts, so the permission "rw-------" (read/write for the user, and group and world get nothing) is 600. The first digit specifies the file owner's permissions. The second digit specifies the group permissions. The last digit specifies the permissions for everyone who is neither the owner nor in the group of the file. Unlike the symbolic form, an octal mode is absolute: it replaces all nine bits and is never affected by the umask.
Let's review the different combinations. I will show the letter representation, the octal representation, and the meaning:
+-----+---+-------------------------+
| rwx | 7 | Read, write and execute |
| rw- | 6 | Read, write             |
| r-x | 5 | Read, and execute       |
| r-- | 4 | Read                    |
| -wx | 3 | Write and execute       |
| -w- | 2 | Write                   |
| --x | 1 | Execute                 |
| --- | 0 | no permissions          |
+-----+---+-------------------------+
You can use the octal notation, where the three digits correspond to the user, then group, then other.
Perhaps this might help:
+------------+-------+-------+
| Permission | Octal | Field |
+------------+-------+-------+
| rwx------  | 700   | User  |
| ---rwx---  | 070   | Group |
| ------rwx  | 007   | Other |
+------------+-------+-------+
Let's put this all together. I will list some chmod commands in both character and octal representation.
+-------------------------+-----------+-------------------------------+
| chmod u=rwx,g=rwx,o=rx  | chmod 775 | For world executable files    |
| chmod u=rwx,g=rx,o=     | chmod 750 | For executables by group only |
| chmod u=rw,g=r,o=r      | chmod 644 | For world readable files      |
| chmod u=rw,g=r,o=       | chmod 640 | For group readable files      |
| chmod u=rw,go=          | chmod 600 | For private readable files    |
| chmod u=rwx,go=         | chmod 700 | For private executables       |
+-------------------------+-----------+-------------------------------+
Let's also review the same permissions for directories:
+-------------------------+-----------+---------------------------------------+
| chmod u=rwx,g=rwx,o=rx  | chmod 775 | For world readable directories;       |
|                         |           | members of the group can change files |
| chmod u=rwx,g=rx,o=     | chmod 750 | For group readable directories;       |
|                         |           | the group can list but not change     |
| chmod u=rwx,go=         | chmod 700 | For private directories               |
+-------------------------+-----------+---------------------------------------+
The importance of order in Unix permissions
This final point is subtle. When testing for permissions, the system looks at the three classes in order. When Unix checks permissions, the order is this:
- If the file is owned by the user, the user permissions determine the access.
- Otherwise, if the group of the file is one of the user's groups, the group permissions determine the access.
- If the user is neither the file owner nor in the file's group, then the other permissions are used.
Only the first class that matches is consulted. If it denies you permission, Unix does not go on to examine the next class. Consider the case of a file that is owned by user jo, is in the group guests, and has the permissions ------xrwx or 017 in octal. It would be listed as
------xrwx 1 jo guests 0 Feb 1 20:47 myfile
Let's assume the directory has the permission 775 (world readable and searchable). For this file, the exact permissions above mean:
- jo cannot use the file.
- Anyone in group guests can execute the program.
- Everyone else besides jo and the members of the guests group can read, write, and execute the program.
This is not a very common set of permissions. But there are ways it can be used. However, to really understand it, we have to consider the permission of the directory. Remember, as I said, if jo or anyone in the guests group has write permission on the directory, then they can rename or delete the file.
Let's say the directory /testme is owned by the superuser, and has the permission 711. What does this mean? First of all, notice that the directory does not give group and world read or write - just search.
This means that users cannot see what files are in this directory. It also means they have to know the name of a file to execute it.
Any user can type
/testme/myfile
and because the directory is world searchable, the program can be executed.
Now let's return to Jo and the Guests (Hmm. Sounds like a 60's pop rock group). If the file "/testme/myfile" has the permission 017 then Jo cannot execute the program. Anyone in group Guests can, but only if the file is a compiled program (and not a shell script, since the shell would also need read permission). And the rest of the world can execute the program. However, they have to know the name of the file. They cannot list the contents of the directory.
People use a similar mechanism to deny one group of users access to a file. In the above example, jo cannot read or write the file she owns. She could use the chmod command to grant herself permission to read the file, since changing a file's mode requires only ownership, not access to its contents. However, if the file was in a directory owned by someone else (root), and the directory did not give Jo read or search permission, she would not be able to reach the file to change its permissions.
Another example - using chmod 510 on a directory to provide group access
Let's change the situation around a bit. Let's make the directory mode 510 (r-x--x---: the owner can list and search it, the group can only search it, and the world gets nothing). Let's also make the file "myfile" and the directory "/testme" owned by Jo. Let's also assume the program "myfile" is a compiled program, and has the permission 711.
Anyone in group "guests" can execute the program. However, if the administrator removes someone from the group, they can no longer execute the program. They do need to log off and log on again, as group membership is granted at login time.
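To make the order of the checks concrete, here is an added example (not from the original tutorial) that implements the classic owner-then-group-then-other decision as a shell function. It works on octal digits only, needs no real users, and the names jo, pat, sam, guests and staff are invented for the demonstration; the second function adds the directory check that the /testme example relies on.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: the classic Unix
# (non-ACL) permission check as a shell function, so the "only one class
# is consulted" rule above can be tried out without creating real users.
# User and group names below are invented for illustration.

# effective_bits MODE OWNER GROUP USER "GROUP LIST"
# Prints the single octal digit (0-7) that governs USER's access to a file
# with the three-digit octal MODE owned by OWNER:GROUP.  USER's groups are
# a space-separated list.  Exactly one class is chosen: owner if the user
# owns the file, else group if any of the user's groups matches, else
# other.  A denial in the chosen class is final; later classes are never
# consulted, which is why an owner can be locked out of a 017 file that
# the rest of the world may read, write and run.
effective_bits() {
    mode=$1 owner=$2 group=$3 user=$4 ugroups=$5
    u=${mode%??}; rest=${mode#?}; g=${rest%?}; o=${mode#??}
    if [ "$user" = "$owner" ]; then
        echo "$u"; return
    fi
    for grp in $ugroups; do
        if [ "$grp" = "$group" ]; then
            echo "$g"; return
        fi
    done
    echo "$o"
}

# can_run FILEMODE FOWNER FGROUP DIRMODE DOWNER DGROUP USER "GROUP LIST"
# A compiled program at DIR/FILE runs only if USER has search (x) on DIR
# and execute (x) on FILE.  (A shell script would additionally need read.)
can_run() {
    d=$(effective_bits "$4" "$5" "$6" "$7" "$8")
    f=$(effective_bits "$1" "$2" "$3" "$7" "$8")
    if [ $((d & 1)) -ne 0 ] && [ $((f & 1)) -ne 0 ]; then echo yes; else echo no; fi
}

# The tutorial's case: /testme is root-owned 711, myfile is jo:guests 017.
echo "jo  (owner, also in guests): bits $(effective_bits 017 jo guests jo 'guests staff')  run: $(can_run 017 jo guests 711 root root jo 'guests staff')"
echo "pat (in guests):             bits $(effective_bits 017 jo guests pat guests)  run: $(can_run 017 jo guests 711 root root pat guests)"
echo "sam (neither):               bits $(effective_bits 017 jo guests sam staff)  run: $(can_run 017 jo guests 711 root root sam staff)"
```

Note that jo is locked out even though she is also a member of guests: the owner class matched first, so the group digit is never looked at.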
Typical Permissions
Most of the time permissions fall into three cases:
- The information is personal. Many people have a directory or two where they store information they do not wish to be public. Mail should probably be confidential, and all of your mailbox files should be in a directory with permission 700, denying everyone but yourself and the system administrator read access to your messages.
- The information is not personal, yet no one else should be able to modify it. Most of my directories are set up this way, with the permission 755.
- The files are managed by a team of people. This means group write permission, or directories with the mode 775.
You could just create a directory with the proper permission, and put the files inside the directory, hoping the permissions of the directory will "protect" the files in the directory.
Using Permissions in Work Groups
This is not adequate. Suppose you had a directory with permission 755 and a file with permission 666 inside the directory. Anyone could change the contents of this file because the world has search access on the directory and write access to the file.
The umask command
What is needed is a mechanism to prevent any new file from having world write access. This mechanism exists in the umask command. If you consider that a new directory would get permissions of 777, and new files get permissions of 666, the umask command specifies the permissions to take away from all new files. To "subtract" world write permission from a file, 666 must have 002 "subtracted" from the default value to get 664. To subtract group and world write, 666 must have 022 removed to leave 644 as the permission of the file. (Strictly, the bits in the mask are cleared rather than arithmetically subtracted, so a mask can only remove permissions, never add them.) These two values of umask are so common that it is useful to have some tcsh aliases defined:
alias open umask 002
alias shut umask 022
With these two values of umask, new directories will have permissions of 775 or 755. Most people have a umask value of one of these two values.
In a friendly work group, people tend to use the umask of 002, which allows others in your group to make changes to your files. Someone who uses the mask of 022 will cause grief to others working on a project. Trying to compile a program is frustrating when someone else owns files that you must overwrite but can't. You can rename the files out of the way if the directory is group writable, or ask the system administrator for help.
Members of a team who normally use a default umask of 022 should find a way to change the mask value when working on the project. (Or else risk flames from your fellow workers!) Besides the open alias above, some people have an alias that changes directories and sets the mask to group write permission:
alias proj "cd /usr/projects/proj;umask 002"
This isn't perfect, because people forget to use aliases. You could have a private shell file in each project directory called .dir that contains the line
umask 002
If you had the following alias
alias cd 'chdir !*; if ( -f .dir && -o .dir ) source .dir '
you would automatically set your mask value when you change to the project directory. (The "-o .dir" test matters: it only sources a .dir file that you own, so nobody else who can write to the directory can plant commands that your shell will run.) Other people could have similar files in the project directory under a different name. Still another method is to run find three times a day and search for files owned by you in the project directory that have the wrong permission:
find /usr/projects -user $USER ! -perm -020 -print | \
xargs chmod g+w
You can use the command crontab -e to define when to run this command.
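Here is an added example, not part of the original tutorial, that shows the umask arithmetic on real files and then performs the same group-write sweep as the cron job above, written with find's -exec instead of xargs so that file names containing spaces or newlines cannot be split into the wrong arguments. It is POSIX sh; the directories it works in are throwaway mktemp directories rather than /usr/projects.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: shows what a umask does
# to newly created files and directories, then the "fix group write" sweep
# the cron job above performs, rewritten so odd filenames cannot break it.
# Works in throwaway mktemp directories; no real project path is touched.

# mode_of PATH: octal mode, via GNU stat or (fallback) BSD stat.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# create_under_umask MASK -> "FILEMODE DIRMODE" for a fresh file and directory.
# The subshell confines the umask change to this function.
create_under_umask() {
    (
        umask "$1"
        d=$(mktemp -d)
        : > "$d/newfile"                    # default 666, then masked
        mkdir "$d/newdir"                   # default 777, then masked
        printf '%s %s\n' "$(mode_of "$d/newfile")" "$(mode_of "$d/newdir")"
        rm -rf "$d"
    )
}

# count_missing_group_write DIR: how many things you own under DIR lack g+w.
count_missing_group_write() {
    find "$1" -user "$(id -un)" ! -perm -020 | wc -l | tr -d ' '
}

# repair_group_write DIR: add g+w to everything you own under DIR that lacks
# it.  "-exec chmod g+w {} +" replaces "| xargs chmod g+w": find hands the
# names to chmod directly, so a name containing spaces or newlines cannot
# be split into bogus arguments or smuggle in a different path.
repair_group_write() {
    find "$1" -user "$(id -un)" ! -perm -020 -exec chmod g+w {} +
}

# repair_demo -> "BEFORE AFTER MODE": counts before and after the sweep,
# plus the final mode of a file whose name contains a space.
repair_demo() {
    d=$(mktemp -d)                          # mktemp makes this 700: no g+w
    : > "$d/a"
    : > "$d/b c"
    chmod 644 "$d/a" "$d/b c"               # the umask-022 shape we want to fix
    before=$(count_missing_group_write "$d")
    repair_group_write "$d"
    after=$(count_missing_group_write "$d")
    printf '%s %s %s\n' "$before" "$after" "$(mode_of "$d/b c")"
    rm -rf "$d"
}

echo "umask 022 -> $(create_under_umask 022)"    # file 644, directory 755
echo "umask 002 -> $(create_under_umask 002)"    # file 664, directory 775
echo "umask 077 -> $(create_under_umask 077)"    # file 600, directory 700
echo "sweep: before/after/mode -> $(repair_demo)"
```

The sweep counts the top directory too (mktemp creates it mode 700), so three entries lack group write before the repair and none after; the file named "b c" ends up 664, which the xargs version would have skipped or mangled.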
Which group is which?
Since group write permission is so important in a team project, you might be wondering how the group of a new file is determined. The answer depends on several factors. Before I cover these, you should note that Berkeley and AT&T based systems used different mechanisms to determine the default group. These two variations were merged by Sun, and Linux has inherited the Sun approach.
Originally Unix required you to specify a new group with the newgrp command. If there was a password for this group in the /etc/group file, and you were not listed as one of the members of the group, you had to type the password to change your group.
Berkeley based versions of Unix would use the current directory to determine the group of the new file. That is, if the current directory has cad as its group, any file created in that directory would be in the same group. To change the default group, just change to a different directory.
Both mechanisms had their good points and bad points. The Berkeley based mechanism made it convenient to change groups automatically. However, there was a fixed limit on the number of groups one could belong to, which was 8 groups. SunOS 4 changed this to a limit of 16 groups.
Sun supports both mechanisms for backwards compatibility. The entire disk can be mounted with either the AT&T or the Berkeley mechanism. If it is necessary to control this on a directory by directory basis, a special bit in the file permissions is used. If a disk partition is mounted without the Berkeley group mechanism, then a directory with this special bit will make new files take the same group as the directory. Without the special bit, the group of all new files depends on the current group of the user. (Linux works the same way: the ext2/3/4 mount options grpid or bsdgroups select the Berkeley behaviour for a whole file system, while the default, nogrpid or sysvgroups, honours the per-directory bit.)
The other 3 bits
Besides the 9 bits that specify read, write, and execute (or search) permissions for the owner, group and world, there are three other bits that have special characteristics. The most famous bit is the set uid or set user identification bit. Any person who executes a program with this bit set has the effective user identification of the resulting process changed to be the same as the owner of the file. With this simple ability, Unix allows users to gain special privileges in a controlled, temporary fashion. The flip side is that every bug in a set-uid program runs with the owner's privileges, so such programs should be few, small, and writable only by their owner. (Linux honours the bit on compiled binaries only; it is ignored on shell scripts.)
Another similar bit is the set gid or set group identification bit, which changes the group instead of the user. This is the permission bit that can be applied to a directory to force it to follow the Berkeley group semantics: files created inside inherit the directory's group rather than the creator's.
The final bit is called the sticky bit. It was originally used to reduce the start-up time when executing a program. Earlier versions of Unix would keep a "sticky" program's text in the swap area of the disk. The second time a sticky program is executed, the system doesn't have to search for the file in the file system. However, with diskless workstations, and kernels that cache recently used files in memory, this isn't as much of a benefit as before. In fact, SunOS used it to indicate special files used for diskless clients. Modern systems, Linux included, ignore the sticky bit on regular files altogether.
When a directory is made sticky, it adds a special security feature. It prevents someone from deleting or renaming files in the directory unless they own the file (the owner of the directory and the superuser may still do so). This is called the "append-only" mode for a directory. The /tmp directory is a good example where this is needed. The directory must be world writable to be useful to others. By adding the sticky bit to this directory, you prevent someone from replacing a file owned by another user.
Changing special permissions
The octal value of the set uid bit is 4000, the set gid bit is 2000, and the sticky bit is 1000. This extra octal digit isn't shown when you list files with ls; instead a character representation is used, described in the next section. When using the chmod command,
chmod u+s myfile
adds the setuid bit. The set group ID bit can be set using
chmod g+s myfile
To make a program set uid using the octal representation, the command would be
chmod 4755 program
Alternately, you could use the symbolic form:
chmod u=rwxs,g=rx,o=rx program
To make a set gid program, use one of the following:
chmod 2755 program
chmod g+s program
If the file is a directory, prefer the symbolic form. GNU chmod preserves a directory's existing set-uid and set-gid bits when it is given a plain three-digit numeric mode, so "chmod 755 dir" does not clear a set-gid bit; use "chmod g-s dir" to clear it. Sticky files and directories can be created using one of these two forms:
chmod 1755 file
chmod +t file
Examining the permissions
Besides using find to search for these permission bits ("find . -perm -4000" finds set-uid files; use -2000 for set-gid and -1000 for sticky), ls displays the permissions when the -l flag is used. If a program is set uid, the "x" in the user area is displayed as an "s"; set gid shows as an "s" in the group area. A sticky file or directory is indicated with the last "x" displayed as a "t". If the corresponding execute bit is not set, the letter is capitalized ("S" or "T"). The capitalization of the letter is a flag that an unusual combination was chosen.
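The following is an added example (not from the original tutorial) that turns the ls -l mode string into the octal value chmod expects and back again, including the s/S/t/T letters described above, and that applies the conversion to a real path. It always prints four octal digits, so a plain 755 file shows as 0755. It is POSIX sh and assumes the usual ls -l layout in which columns 2 to 10 are the permission string; it round-trips the chart given in the Conclusion.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: convert between the
# 9-character mode string that "ls -l" prints (with s/S/t/T standing in
# for the execute slots when a special bit is set) and the 4-digit octal
# mode that chmod accepts.  Pure POSIX shell; the path helper at the end
# assumes ls -l output in the usual "-rwsr-xr-x ..." layout.

# sym_to_octal rwsr-xr-x  ->  4755   (always prints four digits)
sym_to_octal() {
    s=$1
    [ ${#s} -eq 9 ] || { echo "need 9 characters, got '$s'" >&2; return 1; }
    special=0; u=0; g=0; o=0; i=0
    while [ $i -lt 9 ]; do
        c=${s%"${s#?}"}; s=${s#?}          # peel off the next character
        add=0; sp=0
        case "$i:$c" in
            [0-8]:-)  ;;                    # bit not set
            [036]:r)  add=4 ;;              # read slots
            [147]:w)  add=2 ;;              # write slots
            [258]:x)  add=1 ;;              # execute slots
            2:s) add=1; sp=4 ;;  2:S) sp=4 ;;   # setuid, with / without x
            5:s) add=1; sp=2 ;;  5:S) sp=2 ;;   # setgid
            8:t) add=1; sp=1 ;;  8:T) sp=1 ;;   # sticky
            *) echo "bad character '$c' at position $((i + 1))" >&2; return 1 ;;
        esac
        case $i in [012]) u=$((u + add)) ;; [345]) g=$((g + add)) ;; *) o=$((o + add)) ;; esac
        special=$((special + sp))
        i=$((i + 1))
    done
    printf '%d%d%d%d\n' "$special" "$u" "$g" "$o"
}

# triple DIGIT [LETTER]: the rwx text for one class.  LETTER (s or t) is
# placed in the x slot when that class's special bit is set; it is
# capitalised when the execute bit itself is clear, exactly as ls does.
triple() {
    d=$1; sp=${2:-}
    r=-; w=-; x=-
    [ $((d & 4)) -ne 0 ] && r=r
    [ $((d & 2)) -ne 0 ] && w=w
    [ $((d & 1)) -ne 0 ] && x=x
    if [ -n "$sp" ]; then
        if [ "$x" = x ]; then x=$sp; else x=$(printf '%s' "$sp" | tr 'st' 'ST'); fi
    fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# octal_to_sym 4655  ->  rwSr-xr-x   (three-digit input means no special bits)
octal_to_sym() {
    m=$1
    case "$m" in
        [0-7][0-7][0-7])       m=0$m ;;
        [0-7][0-7][0-7][0-7])  ;;
        *) echo "need 3 or 4 octal digits, got '$m'" >&2; return 1 ;;
    esac
    sp=${m%???}; rest=${m#?}
    u=${rest%??}; rest=${rest#?}; g=${rest%?}; o=${rest#?}
    us=; gs=; os=
    [ $((sp & 4)) -ne 0 ] && us=s
    [ $((sp & 2)) -ne 0 ] && gs=s
    [ $((sp & 1)) -ne 0 ] && os=t
    printf '%s%s%s\n' "$(triple "$u" "$us")" "$(triple "$g" "$gs")" "$(triple "$o" "$os")"
}

# path_mode_octal PATH: read the mode ls shows for PATH and convert it.
# Columns 2-10 hold the permission string; an ACL "+" or SELinux "." that
# some systems append after column 10 is ignored.
path_mode_octal() {
    sym_to_octal "$(ls -ld "$1" | cut -c2-10)"
}

# Round-trip the chart from the Conclusion.
for s in rwxrwxrwx rwxr-xr-x rwx------ rwsr-xr-x rwxr-sr-x rwxr-xr-t rwSr-xr-x rwxr-Sr-x rwxr-xr-T; do
    oct=$(sym_to_octal "$s")
    printf '%s  %s  %s\n' "$s" "$oct" "$(octal_to_sym "$oct")"
done
```

The parser rejects a letter in the wrong slot (for instance an "s" in a read position), which is handy when checking a permission string pasted from a ticket or a log rather than taken from ls directly.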
Conditional Changing
GNU chmod (and the POSIX specification) supports the "X" permission: execute only where it makes sense.
For example, this command:
chmod a+X *
gives all users execute permission on a file (or search permission on a directory) only if the item is a directory or already had at least one execute bit set. The common use is "chmod -R a+rX dir", which grants read everywhere but execute/search only on directories and on files that were already executable, so data files do not turn into "executables".
Conclusion
Here is a chart of the permissions displayed by ls and the corresponding octal values:
+-----------+------+----------------------------------------------+
| rwxrwxrwx | 777  | all permissions granted                      |
| rwxr-xr-x | 755  | Group and world readable/executable          |
| rwx------ | 700  | Private                                      |
| rwsr-xr-x | 4755 | set UID                                      |
| rwxr-sr-x | 2755 | set GID                                      |
| rwxr-xr-t | 1755 | Sticky bit                                   |
| rwSr-xr-x | 4655 | set UID, but not executable by user          |
| rwxr-Sr-x | 2745 | set GID, but not executable by group members |
| rwxr-xr-T | 1754 | Sticky bit, but not world executable         |
+-----------+------+----------------------------------------------+
This document was translated by troff2html v0.21 on September 22, 2001.
Source: https://www.grymoire.com/Unix/Permissions.html