Protecting your files with chmod
Every file has nine access modes associated with it. The modes can be switched on and off by using the "chmod" mode changing program. The nine access modes are divisible into three sets of three switches.
Each set of three switches corresponds to a class of people:
- user: the person who created the file
- group: people in a selected group
- other: everyone else on the system
Within each set, the three switches are:
- read: ability to see the contents of the file
- write: ability to change the contents of the file
- execute: ability to execute the contents of the file
% ls -l
total 161
-rw-r--r-- 1 fred 49487 Jan 26 12:36 all
-rw-r--r-- 1 fred 3235 Jan 26 16:46 cs320
-rw------- 1 fred 64 Jan 26 20:14 diary
%
Permitting access to files and directories
Here is a sample directory listing, showing the permission
fields and the people associated with each permission:
:<------------special flag to indicate type of file
: [e.g. d : directory, - : file]
: u<--------------three permissions for USER
:|||
:||| g<--------------three permissions for GROUP
:|||:::
:|||::: o<---------------three permissions for OTHER
:|||:::|||
drwxrwxrwx 2 fred 1024 Jan 26 12:26 stuff
-rw------- 2 fred 1024 Jan 26 12:26 more-stuff
-rwxr-xr-x 2 fred 1024 Jan 26 12:26 yet-more
The hyphen indicates that the permission is disabled. An
enabled permission is shown by the appropriate letter: 'r',
'w' or 'x'.
The permission fields for directories are interpreted a little differently than those for a file. The three fields (user, group, other) remain the same as those for a file but the three permissions mean:
r(ead): can look for a file name in this directory
w(rite): can create or delete files in this directory
x(ecute): can search into this directory
In other words, directory permissions protect files rather
than the contents of files. For example, if someone only has
execute permission on a directory they can list or run a
file in that directory but they can't get a listing of all
the files in that directory. For that they would have to
know the exact names in advance. It is necessary to have
execute permission on a directory to change (chdir) to it.
Controlling access with chmod
In order to control the access users may have to your file
or directory, use the 'change mode' program, chmod.
The chmod command allows changing of permissions by names, in a format similar to the way that they are printed on the screen after issuing the 'ls -l' command. For example, to turn off other's write permission you can issue the command:
chmod o-w filename
(you might translate "o-w" as "for others, take away write
permission".)
To turn write permission back on you would say:
chmod o+w filename
(similarly, "for others, add write permission".)
You can group changes together with commas. For example, in order to make a file readable by the public but writable by your group, you might use the command:
chmod g+rw,o+r filename
To remove write permission from your group later on, you
could issue the command:
chmod g-w filename
Another way to achieve the same result would be to use the
command
chmod g=r filename
The = operator assigns the permission explicitly: all other
bits for that category (owner, group, or others) will be
reset. For example, g=r would remove all permission from the
group except read, and explicitly set read if not set already.
(NOTE: It is unlikely that you would ever want to give the
public write permission to your files or directories.)
If you wish to grant access to a directory to others,
without risking changes to the directory's files, give 'r'
AND 'x' permissions (the execute flag is important for
access along with the read flag). If you wish to keep the
directory private, then remove permissions from the 'other'
fields. NOTE: it is possible to delete a file in a directory,
even without having read or write access to that file,
merely by having write access to the file's directory.
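The note above can be checked in a scratch directory. This is an added example, not part of the original handout; the function name try_delete and the scratch file names are made up for the illustration.

```shell
#!/bin/sh
# Deleting a file is decided by the mode of the directory that holds it,
# not by the mode of the file itself.

# try_delete DIR_MODE FILE_MODE
# Builds a scratch directory with one file, applies the two modes, tries to
# remove the file, and prints "deleted" or "kept".
try_delete() {
    dir_mode=$1
    file_mode=$2
    work=$(mktemp -d) || return 1
    mkdir "$work/d"
    echo "constructed sample data" > "$work/d/f"
    chmod "$file_mode" "$work/d/f"
    chmod "$dir_mode" "$work/d"
    # -f suppresses the confirmation prompt rm shows for unwritable files
    rm -f "$work/d/f" 2>/dev/null || :
    if [ -e "$work/d/f" ]; then result=kept; else result=deleted; fi
    # restore access so the scratch tree can be cleaned up
    chmod 700 "$work/d"
    rm -rf "$work"
    echo "$result"
}

# Directory writable, file has no permissions at all: the file still goes.
echo "dir 700, file 000: $(try_delete 700 000)"
# Directory not writable, file writable: the file stays
# (the superuser bypasses these checks, so run this as an ordinary user).
echo "dir 500, file 600: $(try_delete 500 600)"
```

To protect a file from deletion, remove write permission from its directory; removing it from the file only protects the contents.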
Changing access to multiple files
The chmod -R option can be specified to recursively descend
through directory arguments, setting the mode for each file
as specified. When symbolic links are encountered, their
mode is not changed and they are not traversed.
Using octal values to change access
Protection fields can also be interpreted as octal values.
The following table shows the most commonly used modes.
             Private   Public
Directory    700       755
Text file    600       644
To change the mode of the protection fields, use the command
% chmod 700 directory
% ls -ld directory
drwx------ 2 fred 1024 Jan 6 18:32 directory
% chmod 755 directory
% ls -ld directory
drwxr-xr-x 2 fred 1024 Jan 6 18:32 directory
% chmod 600 filename
% ls -l filename
-rw------- 2 fred 3234 Jan 6 18:34 filename
% chmod 644 filename
% ls -l filename
-rw-r--r-- 2 fred 3234 Jan 6 18:34 filename
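Each octal digit is the sum of read (4), write (2) and execute (1) for one class. The following added example (not part of the original handout; the function names are made up) decodes a three-digit mode into the form ls -l prints, and lists anything under a directory that grants write permission to 'other'.

```shell
#!/bin/sh
# Turn one octal digit (0-7) into the three letters ls -l prints.
digit_to_rwx() {
    d=$1
    r=-; w=-; x=-
    [ $((d & 4)) -ne 0 ] && r=r
    [ $((d & 2)) -ne 0 ] && w=w
    [ $((d & 1)) -ne 0 ] && x=x
    printf '%s%s%s' "$r" "$w" "$x"
}

# Turn a three-digit octal mode (user, group, other) into nine letters.
mode_to_rwx() {
    case $1 in
        [0-7][0-7][0-7]) ;;
        *) echo "invalid mode: $1" >&2; return 1 ;;
    esac
    u=${1%??}             # first digit: user
    g=${1#?}; g=${g%?}    # middle digit: group
    o=${1#??}             # last digit: other
    printf '%s%s%s\n' "$(digit_to_rwx "$u")" \
        "$(digit_to_rwx "$g")" "$(digit_to_rwx "$o")"
}

# List everything under a directory that grants write to 'other'.
# Symbolic links are skipped: their own mode bits are not used for access.
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# The four modes from the table above.
for m in 700 755 600 644; do
    printf '%s  %s\n' "$m" "$(mode_to_rwx "$m")"
done
```

Running world_writable on your home directory is a quick way to find files that the public can change.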
Finally, you can chmod a file so that you can't read, write,
or execute it even though you own it. There may be
circumstances in which you will want to turn off write
permission to yourself, so that you don't accidentally change
the file. You will be able to use chmod again at any time,
changing the permissions to whatever settings you prefer.
You can never get yourself into very much trouble with this
feature, but some people are upset when the system refuses
to let them read or write their own files.
References
For further information, see the chmod, ls, and umask online
manual pages or one of the many general books on using the
UNIX file system. Information Technology sponsors tutorials
on UNIX and other subjects during the academic year, and
distributes printed handouts on related subjects.

