File permissions, the combination of ownership and access, are the very basis of Unix security. Every Unix file has three attributes: the file owner/user (u), group association (g), and everyone else, or the others (o). Under the strictest security settings, a file's owner is the only non-root user who is allowed to change a file's permissions, or even read the file. However, each of these attributes can then be configured to allow or deny access using the read (r), write (w), and execute (x) file modes. Read and write access is fairly self-explanatory. The execute mode is used to run a normal text file (such as a Perl script) as a program. You can see all of this information at any time by typing ls -l at the command line. The output will look something like this:

    -rw-r--r-- 1 demo bunch 0 13 Mar 12:46 foo

This file (foo) is owned by user demo, who has both read and write access. Members of the bunch group can read the file, as can the rest of the world.

Under most circumstances, you'll want to deny world access. A safer setting would be

    -rw-r----- 1 demo bunch 0 13 Mar 12:46 foo

or even

    -rw------- 1 demo bunch 0 13 Mar 12:46 foo

In the last example, only the file's owner can look at or edit the file.

Directory Permissions
Directory permissions are slightly different from regular file permissions. Let's start with the ls -l output:

    drwxr-xr-x 4 demo bunch 136 13 Mar 12:46 tmp

The d at the beginning of the permission string indicates that the listed file is actually a directory. Note that the execute mode is set for all attributes. This means that the owner, the group, and others can all read and enter the directory.

Unlike a regular file, a directory must be executable in order to access it via the cd (Change Directory) command. If only the read mode is set, you can still see the files in the directory, but you will not be able to access them. For example:

    prompt:~ demo$ ls -ld tmp
    dr--r--r-- 4 demo bunch 136 13 Mar 12:46 tmp
    prompt:~ demo$ ls tmp
    bar foo
    prompt:~ demo$ cd tmp
    -bash: cd: tmp: Permission denied
    prompt:~ demo$ more tmp/foo
    tmp/foo: Permission denied

In this case, by typing ls tmp, we can see that the directory contains two files, foo and bar, but we get a Permission denied error when we try to change into the directory or view the files directly.
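To check a whole tree for the settings described above, the following added example (not part of the original article) uses find's -perm test to report files that others can read or write and directories that have read without execute. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit a directory tree for
# the two settings discussed above. Paths and function names are constructed.

# Print regular files that "others" (o) can read or write.
world_accessible_files() {
    find "$1" -type f \( -perm -004 -o -perm -002 \) 2>/dev/null | sort
}

# Print directories where a class has read (r) but not execute (x):
# names can be listed, but cd and file access are denied for that class.
list_only_dirs() {
    find "$1" -type d \( \
        \( -perm -400 ! -perm -100 \) -o \
        \( -perm -040 ! -perm -010 \) -o \
        \( -perm -004 ! -perm -001 \) \) 2>/dev/null | sort
}

# Build a small constructed tree mirroring the article's foo and tmp examples.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/tmp" "$root/ok"
    : > "$root/foo";     chmod 644 "$root/foo"      # -rw-r--r--  world-readable
    : > "$root/private"; chmod 600 "$root/private"  # -rw-------  owner only
    : > "$root/shared";  chmod 640 "$root/shared"   # -rw-r-----  owner + group
    : > "$root/tmp/bar"; chmod 600 "$root/tmp/bar"
    chmod 755 "$root/ok"                            # drwxr-xr-x
    chmod 444 "$root/tmp"                           # dr--r--r--  list-only
    echo "$root"
}

# Restore owner access so the tree can be deleted by a non-root user.
remove_sample_tree() {
    chmod -R u+rwx "$1" && rm -rf "$1"
}

tree=$(make_sample_tree)
echo "World-accessible files:"; world_accessible_files "$tree"
echo "List-only directories:";  list_only_dirs "$tree"
remove_sample_tree "$tree"
```

Both functions inspect mode bits only, so they report the same results when run as root, even though root is not subject to the restrictions themselves.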