Permissions

GNU and Unix systems are set up to allow many people to use the same computer, while keeping certain files private or keeping certain people from modifying certain files. You can verify this for yourself. Log in as yourself, i.e. NOT as root.

whoami

This verifies that you are not root. Then enter the following command:

rm /etc/resolv.conf

You should be told Permission denied. /etc/resolv.conf is an essential system configuration file; you aren't allowed to change or remove it unless you're root. This keeps you from accidentally messing up the system, and if the computer is a public one (such as at an office or school), it keeps users from messing up the system on purpose.

Now type ls -l /etc/resolv.conf.

This will give you output that looks something like this:

- rw-r-r- 1 root root 119 Feb 23 1997 /etc/resolv.conf

The -l option to ls requests all that additional information. The info on the right is easy: The size of the file is 119 bytes; the date the file was last changed is February 23, 1997; and the file's name is /etc/resolv.conf. On the left side of the screen, things are a little more complicated.

First, the brief, technical explanation: The -rw-r-r- is the mode of the file, the 1 is the number of hard links to this file (or the number of files in a directory), and the two roots are the user and group owning the file, respectively.

So that was cryptic. Let's go through it slowly.

File Ownership

Every file has two owners: a user and a group. The above case is a little confusing because there's a group called root in addition to the root user. Groups are just collections of users who are collectively permitted access to some part of the system. A good example is a games group. Just to be mean, you might create a group called games on your computer and then set up your system so that only people in a games group are allowed to play games.

Here's a more practical example. Consider a case in which you're setting up a computer for a school. You might want certain files to be accessible only to teachers, not students, so you put all the teachers in a single group. Then you can tell the system that certain files belong to members of the group teachers, and that no one else can access those files.

Let's explore groups on the system. First, you can use the groups command at the shell prompt. This will show you a list of the groups to which you belong. Here's an example:

$ groups

system-wide configuration!permissions!file ownershipusername dialout cdrom floppy audio

It's likely that you're a member of only one group, which is identical to your username. However, root can add you to other groups. The above example shows a person that is a member of five groups.

less /etc/group

This file lists the groups that exist on your system. Notice the root group (the only member of this group is the root user), and the group that corresponds to your username. There are also groups like dialout (users who are allowed to dial out on the modem) and floppy (users who can use the floppy drive). However, your system is probably not configured to make use of these groups. It's likely that only root can use the floppy or the modem right now. For details about this file, try reading man group.

ls -l /home

This command shows you that every user's directory is owned by that user and that user's personal group.

Tip: If you just installed Debian, you may be the only user. You can use the adduser command to add more users to the system.

Mode

In addition to being owned by one user and one group, every file and directory also has a mode, which determines who's allowed to read, write, and execute the file (and run it, if it's a program). There are a few other things also determined by the mode, but they're advanced topics so we'll skip them for now.

The mode looks like this in the ls output: -rw-r-r-. For now, we'll consider nine of these parts: those that control read, write, and execute permissions for the user owning the file, the group owning the file, and others (everyone on the system, sometimes called world).

In the mode line, the first ``element'' gives the file type. The - in this case means it's a regular file. If it was d, we'd be looking at a directory. There are also other possibilities too complex to go into here; for details, see section 13.2.2 on page .

The remaining nine elements are used to display the file's mode. The basic 9 bits (read, write, and execute for user, group, and other) are displayed as three blocks of rwx.

So if all permissions are turned on and this is a regular file, the mode will look like this: -rwxrwxrwx. If it was a directory with all permissions turned off for others and full permissions for user and group, it would be drwxrwx--.

Table 7.1: Permissions in Linux

Code Name Allows for Files Allows for Directories

r read Examine contents of file List contents of directory

w write Modify file Add or remove files in directory

x execute Run as a command Access files in directory

Table 7.1 describes the meaning of the read, write, and execute permissions for both files and directories.

Directory modes can be a little confusing, so here are some examples of the effects of various combinations:

r-

The user, group, or other with these permissions may list the contents of the directory, but can do nothing else. The files in the directory can't be read, changed, deleted, or manipulated in any way. The only permitted action is reading the directory itself, that is, seeing what files it contains.

rw-

Write permission has no effect in the absence of execute permission, so this mode behaves just like the above mode.

r-x

This mode permits the files in a directory to be listed and permits access to those files. However, files can't be created or deleted. Access means that you can view, change, or execute the files as permitted by the files' own permissions.

-x

Files in this directory can be accessed, but the contents of the directory can't be listed, so you have to know what filename you're looking for in advance (unless you're exceptionally good at guessing). Files can't be created or deleted.

rwx

You can do anything you want with the files in this directory, as long as it's permitted by the permissions on the files themselves.

Directory write permission determines whether you can delete files in a directory. A read-only file can be deleted if you have permission to write to the directory containing it. You can't delete a file from a read-only directory even if you're allowed to make changes to the file.

This also means that if you own a directory you can always delete files from it, even if those files belong to root.

Directory execute permission determines whether you have access to files - and thus whether file permissions come into play. If you have execute permissions to a directory, file permissions for that directory become relevant. Otherwise, file permissions just don't matter; you can't access the files anyway.

Permissions in Practice

This section goes through a short example session to demonstrate how permissions are used. To change permissions, we'll use the chmod command.

cd; touch myfile

There are a couple of new tricks here. First, you can use ; to put two commands on one line. You can type the above as:

$ cd 

$ touch myfile 

or as:

$ cd; touch myfile

Either way the same thing will end up happening.

Recall that cd by itself returns you to your home directory. touch is normally used to change the modification time of the file to the current time. But it has another interesting feature: If the file doesn't exist, touch creates the file. So you're using it to create a file to practice with. Use ls -l to confirm that the file has been created and notice the permissions mode:

$ ls -l 

-rw-r-r- 1 user user 0 Nov 18 22:04 myfile

Obviously the time and user/group names will be different when you try it. The size of the file is 0, because touch creates an empty file. -rw-r-r- is the default permissions mode on Debian.

chmod u+x myfile

This command means to add (+) execute (x) permissions for the user (u) who owns the file. Use ls -l to see the effects.

chmod go-r myfile

Here you've subtracted (-) read permission (r) from the group (g) owning the file and from everyone else (others, o). Again, use ls -l to verify the effects.

chmod ugo=rx myfile

Here you've set (=) user, group, and other permissions to read and execute. This sets permissions to exactly what you've specified and unsets any other permissions. So all rx should be set, and all w should be unset. Now, no one can write to the file.

chmod a-x myfile

a is a shortcut for ugo, or ``all.'' So all the x permissions should now be unset.

rm myfile

With this command, you're removing the file, but without write permissions. rm will ask if you're sure by displaying the following message:

rm: remove `myfile', overriding mode 0444?

You should respond by typing y and pressing Enter. This is a feature of rm, not a fact of permissions. Permission to delete a file comes from the directory permissions, and you have write permission in the directory. However, rm tries to be helpful, figuring that if you didn't want to change the file (and thus remove write permission), you don't want to delete it either, so it asks you.

What was that 0444 business in the question from rm? The permissions mode is a twelve-digit binary number, like this: 000100100100. 0444 is this binary number represented as an octal (base 8) number, which is the conventional way to write a mode. So you can type chmod 444 myfile instead of chmod ugo=r myfile.