Linux File Permission

What are permissions?

On a UNIX web server, every single file and folder stored on the hard drive has a set of permissions associated with it, which says who is allowed to do what with the file. Every file (and folder) also has an “owner” and a “group” associated with it. If you created the file, then you are usually the owner of that file, and your group, or the group associated with the folder you created the file in, will usually be associated with that file.

Who can do stuff?

There are three types of people that can do stuff to files – the Owner of the file, anyone in the Group that the file belongs to, and Others (everyone else). In UNIX, these 3 types of people are referred to using the letters U (for Owner, or User in UNIX-speak!), G (for Group), and O (for Others).

What stuff can you do?

There are three basic things that can be done to files or folders:

  • You can read the file. For folders, this means listing the contents of the folder.
  • You can write to (change) the file. For folders, this means creating and deleting files in the folder.
  • You can execute (run) the file, if it’s a program or script. For folders, this means accessing files in the folder.

What do all these funny letters and numbers mean?!

That’s the basics of permissions covered. As you can see, there’s not much to them really!

The confusion often occurs when you have to start actually setting permissions on your file server. CGI scripts will tell you to do things like “chmod 755” or “Check that the file is executable”. Also, when you use FTP or SSH, you’ll see lots of funny letters next to the files (such as rwxrw-rw-). We’ll now explain what all these hieroglyphics mean!

When you FTP to your web server, you’ll probably see something like this next to every file and folder:

Attributes list

This string of letters, drwxrwxrwx, represents the permissions that are set for this folder. (Note that these are often called attributes by FTP programs.) Let’s explain what each of these letters means:

d          r     w      x        r     w      x        r     w      x
           Owner                 Group                 Other
Directory  Read  Write  Execute  Read  Write  Execute  Read  Write  Execute

As you can see, the string of letters breaks down into 3 sections of 3 letters each, representing each of the types of users (the owner, members of the group, and everyone else). There is also a “d” attribute on the left, which tells us if this is a file or a directory (folder).

If any of these letters is replaced with a hyphen (-), it means that permission is not granted. For example:

drwxr-xr-x
A folder which has read, write and execute permissions for the owner, but only read and execute permissions for the group and for other users.
-rw-rw-rw-
A file that can be read and written by anyone, but not executed at all.
-rw-r--r--
A file that can be read and written by the user, but only read by the group and everyone else.

Using numbers instead of letters

As we said earlier, you’ll often be asked to do things using numbers, such as “set 755 permissions”. What do those numbers mean?

Well, each of the three numbers corresponds to each of the three sections of letters we referred to earlier. In other words, the first number determines the owner permissions, the second number determines the group permissions, and the third number determines the other permissions.

Each number can have one of eight values ranging from 0 to 7. Each value corresponds to a certain setting of the read, write and execute permissions, and is the sum of the values of the permissions it grants, as given in this table:

Read: 4
Write: 2
Execute: 1

So, for example:

777 is the same as rwxrwxrwx
755 is the same as rwxr-xr-x
666 is the same as rw-rw-rw-
744 is the same as rwxr--r--

Setting permissions using number notation

To set permissions with numbers, use the following syntax:

chmod nnn filename

where nnn is the 3-digit number representing the permissions, and filename is the file you want to change. For example:

chmod 755 formmail.cgi

will assign read, write and execute permission to the owner, and just read and execute permission to everyone else, on the script called formmail.cgi.

Setting permissions using letter notation

You can use the letters u (owner/user), g (group) and o (other) to set permissions for each of the user types, and r (read), w (write) and x (execute) to represent the permissions to set.

You can also use a instead of u, g, and o, to mean all users (u,g,o).

You assign permissions using either the plus sign (+), which means “add these permissions”, the minus sign (-), which means “remove these permissions”, or the equals sign (=), which means “change the permissions to exactly these”.

For example:

chmod a+x formmail.cgi adds execute permissions for all users to the file formmail.cgi (in other words, makes the file executable).

chmod u=rwx formmail.cgi sets read, write and execute permission just for the owner (the permissions for the group and for others remain unchanged).

chmod go-w formmail.cgi removes write permission for the group and for others, leaving the permissions for the owner unchanged.

Checking your permissions

You can check the permissions on all files and folders in the current directory by using the command:

ls -l

This will show you the permissions for every file and folder, in the same way as your FTP program does.
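Modes such as 666 and 777 give every account on the server write access, so it is worth checking for them rather than reading through ls -l output by eye. The following is an added example, not part of the original article: it lists entries whose "other" write bit is set and removes group and other write permission with chmod go-w. The function names and the sample files are constructed for illustration.

```shell
# Added example (not from the original page). Function names and the sample
# files are constructed for illustration.

# Print every file and directory under $1 whose "other" write bit is set
# (the w in the last group of three letters, e.g. rw-rw-rw- or rwxrwxrwx).
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# Remove write permission for group and others on those entries, leaving the
# owner's permissions unchanged (the same "go-w" form shown above).
remove_world_write() {
    find "$1" \( -type f -o -type d \) -perm -0002 -exec chmod go-w {} +
}

# Build a constructed sample web directory and print its path.
make_sample_tree() {
    dir=$(mktemp -d) || return 1
    touch "$dir/formmail.cgi" "$dir/upload.log" "$dir/index.html"
    mkdir "$dir/cache"
    chmod 755 "$dir/formmail.cgi"   # rwxr-xr-x
    chmod 666 "$dir/upload.log"     # rw-rw-rw-  (world-writable)
    chmod 644 "$dir/index.html"     # rw-r--r--
    chmod 777 "$dir/cache"          # rwxrwxrwx  (world-writable)
    printf '%s\n' "$dir"
}

tree=$(make_sample_tree)
echo "Before:"; find_world_writable "$tree"
remove_world_write "$tree"
echo "After:";  find_world_writable "$tree"
ls -l "$tree"
rm -rf "$tree"
```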

chmod by the number

Up to this point, we’ve been setting the mode with letters. It turns out that you can also set the mode numerically. Here’s how it works:

  1. Write the permissions you want the file to have. To make your life easier, write the permissions grouped into sets of three letters. For example, let’s say you want file info.sh to have these permissions
    - rwx r-x r-- info.sh
  2. Under each letter, write a digit 1; under each dash write a digit zero. Ignore the dash at the very beginning that tells you whether it’s a file or directory. This gives you three binary numbers.
    - rwx r-x r-- info.sh
      111 101 100
  3. Now convert each set of three digits to a single digit using this table:
    Binary  Becomes
    000     0
    001     1
    010     2
    011     3
    100     4
    101     5
    110     6
    111     7

    From our example, the 111 101 100 translates to the number 754.

  4. Now use that number in a chmod command to set your desired permissions on the file:
    chmod 754 info.sh
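The four steps above, and the reverse direction (number to letters), written out as an added example that is not part of the original article. The function names sym_to_octal and octal_to_sym are illustrative; only the r, w, x and - letters covered on this page are accepted.

```shell
# Added example (not from the original page): convert between the letter and
# number notations. Function names are illustrative.

# "rwxr-xr--" or "-rwxr-xr--" (as shown by ls -l)  ->  "754"
sym_to_octal() {
    perms=$1
    # ls -l prints 10 characters; the first is the file type (d or -), so drop it.
    if [ "${#perms}" -eq 10 ]; then perms=${perms#?}; fi
    if [ "${#perms}" -ne 9 ]; then
        echo "expected 9 permission characters: $1" >&2; return 1
    fi
    result=""
    while [ -n "$perms" ]; do
        rest=${perms#???}            # everything after the first three letters
        triple=${perms%"$rest"}      # the first three letters: owner, group or other
        digit=0
        # Read is worth 4, write 2, execute 1; any other letter is rejected.
        case $triple in r??) digit=$((digit + 4)) ;; -??) ;; *) return 1 ;; esac
        case $triple in ?w?) digit=$((digit + 2)) ;; ?-?) ;; *) return 1 ;; esac
        case $triple in ??x) digit=$((digit + 1)) ;; ??-) ;; *) return 1 ;; esac
        result=$result$digit
        perms=$rest
    done
    printf '%s\n' "$result"
}

# "754"  ->  "rwxr-xr--"
octal_to_sym() {
    mode=$1
    case $mode in
        [0-7][0-7][0-7]) ;;
        *) echo "expected three digits from 0 to 7: $1" >&2; return 1 ;;
    esac
    out=""
    while [ -n "$mode" ]; do
        rest=${mode#?}
        d=${mode%"$rest"}            # the leading digit
        if [ $((d & 4)) -ne 0 ]; then out=${out}r; else out=${out}-; fi
        if [ $((d & 2)) -ne 0 ]; then out=${out}w; else out=${out}-; fi
        if [ $((d & 1)) -ne 0 ]; then out=${out}x; else out=${out}-; fi
        mode=$rest
    done
    printf '%s\n' "$out"
}

sym_to_octal "-rwxr-xr--"
octal_to_sym 755
```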

 

 
