Unix File Permissions

As many of you have noticed, Unix has a fairly complex schema for affecting the permissions of files. You can change permissions using the file manager or the chmod command.

• Defaults
• Categories of Users
• Types of Permissions
  • File Permissions
  • Directory Permissions
  • Some Tasks

Defaults

In the MathLAN, the default is for your files to be unreadable and unmodifiable by anyone except yourself. It is also the default that no one can see what files are in your directories.

Categories of Users

At times, you will need to give others access to your files. For example, you may want me to look at your files so that I can make a copy. At present, Unix only has three categories of people you can affect: yourself, you and other general users, and any user of our system. These are conveniently referred to as user, group, and other.

Types of Permissions

Both files and directories have three basic kinds of permissions: read, write, and execute.

File Permissions

When you give someone read permission to a file, it means that they can look at the contents of the file as long as they have appropriate access to the enclosing directories. When you give some write permission to a file, it means that they can modify the file as long as they have appropriate access to the enclosing directories. Don't worry about execute permission for files.

Directory Permissions

When you give some someone read permission to a directory, it means that they can list the contents of that directory as long as they have appropriate access to the enclosing directories. When you give someone write permission to a directory, it means that they can create and delete files in that directory as long as they have appropriate access to the enclosing directories.

What is appropriate access? It is execute access. Without execute access, there's not much anyone can do in or below a directory. I'd recommend that you make it a point to give execute access to any directories that others might use.

Some Tasks

I'd like other people to read a specific file, zebra, in /home/student/stuff/animals. They should not be able to tell what other files I have in that directory.

• All the directories you own should be executable by all.

  % chmod go+x /home/student
  % chmod go+x /home/student/stuff
  % chmod go+x /home/student/stuff/animals
  

• That file should be readable by all

  % chmod go+r /home/student/stuff/animals/zebra
  

• You want to make sure that animals is not readable.

  % chmod go-r /home/student/stuff/animals
  

I'd like to create a ``drop box'' where people can put files but can't see them once they're there.

• All the enclosing directories should be executable.
• That directory should be executable and writiable.

  % chmod go+wx /home/student/DropBox
  

• That directory should not be readable.

  % chmod go-r /home/student/DropBox
  

• Unfortunately, not only is it possible for people to put files in that directory but also remove files (as long as they can guess the names of those files).
  • A particularly malicious person could write a program that simply removed every file name from your directory.

I'd like to create a file, comments, that anyone can modify. No one else should be able to add, remove, or even see files in its directory which I've called restricted.

• All the enclosing directories should be executable.
• That directory should be only executable

  % chmod go-rw /home/student/restricted
  % chmod go+x /home/student/restricted
  

• The file should be readable and writable.

  % chmod go+rw /home/student/restricted/comments
  

History

Wednesday, 15 September 1999

• Created after an initial discussion in today's class.