File permissions

The permission mask is used to determine what access, if any, each level or class of user has to each file on a Unix system. The permission mask is one of the data elements stored in the inode table entry for the file.

Every file has protection or permission attributes for 3 classifications or levels of system user, i.e. user, group and other.

These permissions are displayed using the ls -l command:

- rwx r-x r-x 1 bin 114688 Jun 23 1987 /bin/csh
  ^^^ ^^^ ^^^
  |   |   +-- other
  |   +------ group
  +---------- user

The permission mask is divided into three areas, also called levels of permission. The leftmost group of three permissions are those that apply to the user, or individual who owns the file. (We refer to this individual as the "user" rather than the "owner" because the third field, "other", starts with the letter "o", and we don't want to get confused.)
In this case, ownership is determined by the user identification number assigned when the file is created. Don't worry about the user identification number at this point, we'll look closely at it when we look at how your user record is created and stored. This number is the UID or "User Identification Number", the third field in /etc/passwd.

The second three permissions are those assigned to all the individuals who share the same group identification number as the user. This is the fourth field in /etc/passwd.

The third set of three permissions are those assigned to the "other" users. Anyone who has a valid login ID on the system, but is not the user of the file, nor in the user's group, is considered "other". In other words, the nine bit permission mask is divided into three, three bit permission sub masks: one for user, one for group, and one for everyone else (other).

Each permission sub mask, or level of permission, is divided into three different individual permissions. The leftmost permission r allows the file to be read, the center permission w allows the file to be written, and the rightmost permission in each level x allows the file to be executed.

The write and execute permissions have slightly different meanings depending on whether the file is a regular file or a directory. In the case of a regular file, writing simply means that the contents of the file can be modified. Executing a regular file means that the command line interpreter will attempt to run the text contained within the file as if it were instructions.

In the case of a directory file, writing means that the contents of the directory can be changed, i.e. files added or deleted. Execute permission on a directory file allows the use of file matching meta-characters to search within the directory. If you think about it, writing is actually the same for a directory or regular file because both are simply ASCII files.

The figure below shows the permissions mask:

    8 7 6     5 4 3     2 1 0
  | r w x   | r w x   | r w x   |
    user      group     other

There are two different methods a user may employ to alter the permission mask on a file.

  1. The owner of a file may change the permission bits using an octal representation of the required permissions. If you choose this method remember that you must specify the whole permissions mask, (all 9 bits), not just one individual permission.

    You will need to use the octal representation for each of the three different levels of permission. That means the permission mask you will specify will be 3 octal numbers.

    Since each octal digit is represented by 3 bits, each bit can stand for one permission. Each bit position corresponds to one permission value. A three bit number has the following positional values:

      4      2      1
      read   write  execute

    The following table shows each of the 7 possible permission combinations (plus zero) for one of the three levels of permission. Remember, you will need to use three (3) octal numbers.

    Octal  Binary  Permissions
    0      000     no permissions
    1      001     execute
    2      010     write
    3      011     write + execute
    4      100     read
    5      101     read + execute
    6      110     read + write
    7      111     read + write + execute

    The code example below shows how the octal values can be used to modify the permissions mask on a file. For this example, please note that both ringo and lennon are in the same group.

    ringo % chmod 710 /usr/ringo
    ringo % ls -lgd /usr/ringo
    drwx--x--- 1 ringo beatles 512 Nov 24 18:00 /usr/ringo
    ringo % chmod 740 /usr/ringo/help
    ringo % ls -lg /usr/ringo/help
    -rwxr----- 1 ringo beatles 1511 Nov 24 18:21 /usr/ringo/help
    lennon % cp ~ringo/help .
    lennon %

    Refer to the table above to interpret the octal values.
    The first command gives full permission to the directory's owner (ringo), execute permission to the group, and no permissions to anyone not a member of the owner's group (beatles). Members of the owner's group may access a file in the directory (usually by a known filename) but may not list the files in the owner's directory.

    The second command gives full permission to the file's owner (ringo), allows group members (e.g. lennon) to read the file, but denies any access to "other".

  2. Alternatively, symbolic notation may be used to grant or deny read, write, or execute permission in the user, group and other permission masks.
    Usually this method is used to modify only one (1) permission, for one level. For example, giving execute permission to the owner of a file, or removing read permission from the group.

    The table below shows the three levels of permission, and the three permissions for each level.

    Level       Permissions
    u - user    r - read   w - write   x - execute
    g - group   r - read   w - write   x - execute
    o - other   r - read   w - write   x - execute

    In the following code snippet, the first line grants read permission for other to the file john/sgtpepper.
    The second line removes write access from both the group and other for the same file.

    lennon % chmod o+r john/sgtpepper
    lennon % chmod go-w john/sgtpepper

    Notice that in each case, the remaining permissions for the file were not changed. Normally, you would use this second method to alter one or two permissions, and the first method, octal, to change several permissions at one time.
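    The following is an added example, not part of the original page: a small Python model of the 9-bit mask that ties together both methods above. It parses an ls -l mode string into octal, applies chmod-style symbolic clauses (u/g/o, +/-, r/w/x) without disturbing the other bits, and decides which single level (user, then group, then other) applies to a caller, replaying the ringo/lennon scenario with constructed UIDs and GIDs.

```python
import re

# Added example (not from the original page): a model of the 9-bit permission mask.
# It parses an ls -l mode string, applies chmod symbolic clauses, and picks the level.
PERM_BITS = {"r": 4, "w": 2, "x": 1}       # positional values 4 2 1
LEVEL_SHIFT = {"u": 6, "g": 3, "o": 0}     # bits 8-6 user, 5-3 group, 2-0 other

def mask_from_string(mode):
    """'rwxr-x---' or the 10-character ls -l field 'drwxr-x---' -> 0o750."""
    bits = mode[-9:]
    if len(bits) != 9:
        raise ValueError("need a 9-character rwx mask")
    mask = 0
    for i, ch in enumerate(bits):
        if ch == "rwx"[i % 3]:                  # bit set: add its positional value
            mask |= PERM_BITS[ch] << (6 - 3 * (i // 3))
        elif ch != "-":                         # setuid/setgid/sticky letters not modelled
            raise ValueError(f"unexpected character {ch!r} at position {i}")
    return mask

def mask_to_string(mask):
    """0o710 -> 'rwx--x---': one rwx triple per level, high bits first."""
    return "".join("".join(c if (mask >> s) & PERM_BITS[c] else "-" for c in "rwx")
                   for s in (6, 3, 0))

def apply_symbolic(mask, spec):
    m = re.fullmatch(r"([ugoa]*)([+-])([rwx]+)", spec)   # e.g. 'o+r', 'go-w'
    if not m:
        raise ValueError(f"unsupported symbolic spec {spec!r}")
    who, op, perms = m.groups()
    levels = "ugo" if not who or "a" in who else who   # empty who treated as 'a'
    for level in levels:
        for p in perms:
            bit = PERM_BITS[p] << LEVEL_SHIFT[level]
            mask = mask | bit if op == "+" else mask & ~bit   # untouched bits stay
    return mask

def level_for(caller_uid, caller_gids, owner_uid, owner_gid):
    if caller_uid == owner_uid:                 # exactly one level applies, tested in order
        return "u"
    return "g" if owner_gid in caller_gids else "o"

def allowed(mask, perm, caller_uid, caller_gids, owner_uid, owner_gid):
    level = level_for(caller_uid, caller_gids, owner_uid, owner_gid)
    return bool((mask >> LEVEL_SHIFT[level]) & PERM_BITS[perm])

def lennon_can_copy_help():
    ringo, lennon, beatles = 1001, 1002, 100    # constructed UIDs and GID for the example
    return (allowed(0o710, "x", lennon, {beatles}, ringo, beatles)     # search /usr/ringo
            and allowed(0o740, "r", lennon, {beatles}, ringo, beatles))  # read help
```

    Note that because only one level ever applies, an owner whose user triple lacks a bit is denied even when the group triple grants it; an empty "who" is treated as "a" here, whereas real chmod consults the umask in that case.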

Security of file contents (as opposed to access) can be achieved using the Unix crypt command or other encryption tools such as pgp. (Consult your system documentation: man crypt.)
