|
|
|
Every file or folder in UNIX has access permissions. There are three types of permissions (what allowed to do with a file):
Permissions are defined for three types of users:
Thus, UNIX file permissions are nine bits of information (3 types x 3 type of users), each of them may have just one of two values: allowed or denied.
Simply put, for each file it can be specified who can read or write from/to the file. For programs or scripts it also can be set if they are allowed to be executed.
It is used in UNIX long directory listings. It consists of 10 characters. The first character shows the file type. Next 9 characters are permissions, consisting of three groups: owner, group, others. Each group consists of three symbols: rwx (in this order), if some permission is denied, then a dash "-" is used instead. Example:
-rwxr--r-- 0123456789
r | Read access is allowed |
w | Write access is allowed |
x | Execute access is allowed |
- | Replaces "r", "w" or "x" if according access type is denied |
-rwxr-xr-x | File, owner has read, write, execute permissions, group: only read and execute permissions, others: only read and execute permissions. |
dr-x------ | Directory, owner has read and execute access, group and others have no access |
If a numeric representation is used (like in chmod command, for example), then it is in the octal format (with the base of 8), and digits involved are 0 to 7. Octal format is used for the simplicity of understanding: every octal digit combines read, write and execute permissions together. Respective access rights for owner, group and others (in this order) are the last three digits of the numeric file permissions representation. Example: "0644". Here the second digit ("6" in the example) stands for rights of the owner, the third digit ("4" in the example) stands for rights of the group, the fourth digit ("4" in the example) stands for rights of others.
This table shows what numeric values mean:
Octal digit | Text equivalent | Binary value | Meaning |
---|---|---|---|
0 | --- | 000 | All types of access are denied |
1 | --x | 001 | Execute access is allowed only |
2 | -w- | 010 | Write access is allowed only |
3 | -wx | 011 | Write and execute access are allowed |
4 | r-- | 100 | Read access is allowed only |
5 | r-x | 101 | Read and execute access are allowed |
6 | rw- | 110 | Read and write access are allowed |
7 | rwx | 111 | Everything is allowed |
We see that "1" stands for execute only, "2" stands for write only, "4" stands for read only. To combine the permissions you can simply add 1, 2 and 4 to get a needed combination. For instance, to get read and write permissions, you add 4 (read) and 2 (write), thus getting 6 (read and write). To get read and execute permissions, you add 4 (read) and 1 (execute), thus getting 5 (read and execute).
644 |
owner: read and write permissions, group: only read permissions, others: only read permissions. |
755 |
owner: read, write and execute permissions, group: read and execute permissions, others: read and execute permissions. |
In programming, for instance, in C language, leading zero means that the value is in the octal format. Basically, it can be omitted. Owner, group and others rights are the last three digits of the permissions.
There are cases when you may come across four non-zero digits, in this case the first meaningful (non-zero) digit combines the following bits (in this order, high to low): SUID, SGID, sticky bit. We also know that the last three are for owner, group and others.
See this table for more information about SUID and so on.
Access permissions for files and folders mean different things from the user standpoint. The table below shows the difference.
Access type | File | Folder |
---|---|---|
Read | If the file contents can be read | If the directory listing can be obtained |
Write | If user or process can write to the file (change its contents) | If user or process can change directory contents somehow: create new or delete existing files in the directory or rename files. |
Execute | If the file can be executed | If user or process can access the directory, that is, go to it (make it to be the current working directory) |
Web server assigns the rights of the web-server-specific user, typically user "nobody", to the connected web client, as if "nobody" is connected to the web server. "Nobody" doesn't belong to your group and thus it inherits permissions that "others" have to your files.
When you upload files to your web hosting accounts, you become the owner of the files. Usually, by default files get 644 permissions, and depending on provider's FTP server configuration they may get different permissions in different situations. You also can change the file permissions with FTP client or by executing a chmod command in telnet.
In addition to the basic permissions discussed above, there are also three bits of information defined for files in UNIX:
Octal digit | Binary value | Meaning |
---|---|---|
0 | 000 | setuid, setgid, sticky bits are cleared |
1 | 001 | sticky bit is set |
2 | 010 | setgid bit is set |
3 | 011 | setgid and sticky bits are set |
4 | 100 | setuid bit is set |
5 | 101 | setuid and sticky bits are set |
6 | 110 | setuid and setgid bits are set |
7 | 111 | setuid, setgid, sticky bits are set |
SUID | If set, then replaces "x" in the owner permissions to
"s", if owner has execute permissions, or to "S"
otherwise. Examples: -rws------ both owner execute and SUID are set -r-S------ SUID is set, but owner execute is not set |
SGID | If set, then replaces "x" in the group permissions to
"s", if group has execute permissions, or to "S"
otherwise. Examples: -rwxrws--- both group execute and SGID are set -rwxr-S--- SGID is set, but group execute is not set |
Sticky | If set, then replaces "x" in the others permissions to
"t", if others have execute permissions, or to "T"
otherwise. Examples: -rwxrwxrwt both others execute and sticky bit are set -rwxrwxr-T sticky bit is set, but others execute is not set |
© 1999-2016 ZZEE, Terms of use |