1 Concepts of file permissions.
Because there is typically more than one user on a Linux system, Linux provides a mechanism known as file permissions, which protects user files from tampering by other users. This mechanism lets files and directories be "owned" by a particular user. For example, because Larry created the files in his home directory, Larry owns those files and has access to them.
Linux also lets files be shared between users and groups of users. If Larry desired, he could cut off access to his files so that no other user could access them. However, on most systems the default is to allow other users to read your files but not modify or delete them in any way.
Every file is owned by a particular user. However, files are also owned by a particular group, which is a defined group of users of the system. Every user is placed into at least one group when that user's account is created. However, the system administrator may grant the user access to more than one group.
Groups are usually defined by the type of users who access the machine. For example, on a university Linux system users may be placed into the groups student, staff, faculty or guest. There are also a few system-defined groups (like bin and admin) which are used by the system itself to control access to resources; very rarely do actual users belong to these system groups.
Permissions fall into three main divisions: read, write, and execute. These permissions may be granted to three classes of users: the owner of the file, the group to which the file belongs, and to all users, regardless of group.
Read permission lets a user read the contents of the file, or in the case of directories, list the contents of the directory (using ls). Write permission lets the user write to and modify the file. For directories, write permission lets the user create new files or delete files within that directory. Finally, execute permission lets the user run the file as a program or shell script (if the file is a program or shell script). For directories, having execute permission lets the user cd into the directory in question.
2 Interpreting file permissions.
The first field in the listing represents the file permissions. The third field is the owner of the file (larry) and the fourth field is the group to which the file belongs (users). Obviously, the last field is the name of the file (stuff). We'll cover the other fields later.
This file is owned by larry, and belongs to the group users. The string -rw-r--r-- lists, in order, the permissions granted to the file's owner, the file's group, and everybody else.
The first character of the permissions string ("-") represents the type of file. A "-" means that this is a regular file (as opposed to a directory or device driver). The next three characters ("rw-") represent the permissions granted to the file's owner, larry. The "r" stands for "read" and the "w" stands for "write". Thus, larry has read and write permission to the file stuff.
As mentioned, besides read and write permission, there is also "execute" permission, represented by an "x". However, a "-" is listed here in place of an "x", so Larry doesn't have execute permission on this file. This is fine, as the file stuff isn't a program of any kind. Of course, because Larry owns the file, he may grant himself execute permission for the file if he so desires. (This will be covered shortly.)
The next three characters ("r--") represent the group's permissions on the file. The group that owns this file is users. Because only an "r" appears here, any user who belongs to the group users may read this file.
The last three characters, also ("r--"), represent the permissions granted to every other user on the system (other than the owner of the file and those in the group users). Again, because only an "r" is present, other users may read the file, but not write to it or execute it.
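The walk through -rw-r--r-- above can be turned into a small parser. The following shell script is an added example, not code from the original guide: it takes the ten-character string that ls -l prints, names the file type, converts each rwx triplet to the octal digit that chmod also accepts, and reports which classes (owner, group, other) hold a given right. It works on the string alone, so no files are touched and it behaves the same for any user.

```shell
#!/bin/sh
# Added example (not from the original guide): interpret a ten-character
# permission string such as "-rw-r--r--", the first field of "ls -l",
# the way section 2 walks through it. Pure string handling.

# Name the file type from the first character.
perm_type() {
    case "$1" in
        -*) echo "regular file" ;;
        d*) echo "directory" ;;
        l*) echo "symbolic link" ;;
        c*) echo "character device" ;;
        b*) echo "block device" ;;
        *)  echo "other" ;;
    esac
}

# Convert one rwx triplet ("rw-") to its octal digit (6).
# A lowercase s or t in the third position means the x bit is set too.
triplet_to_digit() {
    t="$1"; n=0
    case "$t" in r??) n=$((n + 4)) ;; esac
    case "$t" in ?w?) n=$((n + 2)) ;; esac
    case "$t" in ??[xst]) n=$((n + 1)) ;; esac
    echo "$n"
}

# Whole string to the three-digit octal form: 644, 755, 700, ...
perm_to_octal() {
    p="$1"
    u=$(printf '%s' "$p" | cut -c2-4)
    g=$(printf '%s' "$p" | cut -c5-7)
    o=$(printf '%s' "$p" | cut -c8-10)
    echo "$(triplet_to_digit "$u")$(triplet_to_digit "$g")$(triplet_to_digit "$o")"
}

# Which classes hold permission $2 (r, w or x) according to string $1?
# Prints e.g. "owner group other", or "nobody" when no class has it.
who_can() {
    p="$1"; op="$2"; out=""
    for cls in owner:2 group:5 other:8; do
        name=${cls%%:*}; start=${cls##*:}
        case "$op" in
            r) pos=$start ;;
            w) pos=$((start + 1)) ;;
            x) pos=$((start + 2)) ;;
            *) echo "bad operation: $op" >&2; return 1 ;;
        esac
        bit=$(printf '%s' "$p" | cut -c"$pos")
        case "$bit" in [rwxst]) out="$out $name" ;; esac
    done
    out=${out# }
    echo "${out:-nobody}"
}

# One-line summary combining the pieces above.
describe_perm() {
    p="$1"
    printf '%s: %s, octal %s; read: %s; write: %s; execute: %s\n' \
        "$p" "$(perm_type "$p")" "$(perm_to_octal "$p")" \
        "$(who_can "$p" r)" "$(who_can "$p" w)" "$(who_can "$p" x)"
}

# The permission strings used in this chapter.
describe_perm -rw-r--r--
describe_perm drwxr-xr-x
describe_perm -rwx------
```

Running it prints, for -rw-r--r--, "regular file, octal 644; read: owner group other; write: owner; execute: nobody", which is exactly the reading given in the text; the octal form is the one you will see later in chmod invocations such as chmod 644.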
3 Permissions Dependencies.
The permissions granted to a file also depend on the permissions of the directory in which the file is located. For example, even if a file is set to -rwxrwxrwx, other users cannot access the file unless they have read and execute access to the directory in which the file is located. So if Larry wanted to restrict access to all of his files, he could set the permissions on his home directory /home/larry to -rwx------. In this way, no other user has access to his directory, or to any file or directory within it, and Larry doesn't need to worry about the individual permissions on each of his files.
In other words, to access a file at all, you must have execute access to all directories along the file's pathname, and read (or execute) access to the file itself.
Typically, users on a Linux system are very open with their files. The usual set of permissions given to files is -rw-r--r--, which lets other users read the file but not change it in any way. The usual set of permissions given to directories is -rwxr-xr-x, which lets other users look through your directories, but not create or delete files within them.
However, many users wish to keep other users out of their files. Setting the permissions of a file to -rw------- will prevent any other user from accessing the file. Likewise, setting the permissions of a directory to -rwx------ keeps other users out of the directory in question.
4 Changing permissions.
The command chmod is used to set the permissions on a file. Only the owner of a file may change the permissions on that file. The syntax of chmod is
Briefly, you supply one or more of a (all), u (user), g (group), or o (other). Then you specify whether you are adding rights (+) or taking them away (-). Finally, you specify one or more of r (read), w (write), and x (execute).
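The following script is an added example, not code from the original guide, and it ties the two preceding sections together: it builds a throw-away tree under a temporary directory (the names public, private, notes and diary are made up for the demonstration), applies the "usual" and "private" permission sets with chmod's symbolic syntax as just described, and then checks the rule from the Permissions Dependencies section that another user reaches a file only if every directory on its path grants execute and the file itself grants read. The check reads the mode strings that ls -ld reports instead of trying to open the files, so it gives the same answer whoever runs it (root would bypass the read and write checks anyway), and it only inspects the components below the temporary directory so the verdict does not depend on how /tmp happens to be set up.

```shell
#!/bin/sh
# Added example (not from the original guide): chmod's symbolic syntax
# applied to a constructed tree, plus a check of the "execute on every
# directory along the path, read on the file" rule for other users.

# First ten characters of "ls -ld": file type plus nine permission bits.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Does the "other" class hold permission $2 (r, w or x) on path $1?
# A lowercase t in the last position (sticky directory) implies x.
other_has() {
    m=$(mode_of "$1")
    case "$2" in
        r) c=$(printf '%s' "$m" | cut -c8) ;;
        w) c=$(printf '%s' "$m" | cut -c9) ;;
        x) c=$(printf '%s' "$m" | cut -c10) ;;
        *) return 1 ;;
    esac
    case "$c" in [rwxt]) return 0 ;; *) return 1 ;; esac
}

# Walk from directory $1 down to file $2 (which must lie beneath $1) and
# report the first component that keeps other users out, or "ok".
# Paths must not contain spaces (plain word splitting is used).
other_can_read_path() {
    root="$1"; target="$2"
    p="$target"; chain=""
    while [ "$p" != "$root" ] && [ "$p" != "/" ]; do
        p=$(dirname "$p")
        chain="$p $chain"
    done
    for d in $chain; do
        if ! other_has "$d" x; then
            echo "blocked at directory $(basename "$d")"; return 1
        fi
    done
    if ! other_has "$target" r; then
        echo "blocked at file $(basename "$target")"; return 1
    fi
    echo "ok"
}

# Print one line per scenario: mode string, label, verdict.
run_demo() {
    base=$(mktemp -d) || return 1
    mkdir "$base/public" "$base/private"
    : > "$base/public/notes"
    : > "$base/private/diary"

    # The usual defaults: directories -rwxr-xr-x, files -rw-r--r--.
    chmod u=rwx,go=rx "$base" "$base/public" "$base/private"
    chmod u=rw,go=r "$base/public/notes" "$base/private/diary"
    printf '%s  public/notes -> %s\n' "$(mode_of "$base/public/notes")" \
        "$(other_can_read_path "$base" "$base/public/notes")"

    # Close one directory (-rwx------): everything beneath it goes dark,
    # whatever the individual files say.
    chmod go-rwx "$base/private"
    printf '%s  private/diary -> %s\n' "$(mode_of "$base/private")" \
        "$(other_can_read_path "$base" "$base/private/diary")"

    # Close one file instead (-rw-------) inside a still-open directory.
    chmod go-r "$base/public/notes"
    printf '%s  public/notes (after go-r) -> %s\n' "$(mode_of "$base/public/notes")" \
        "$(other_can_read_path "$base" "$base/public/notes")"

    # Restore the file but drop x from its directory: r on the directory
    # still lists names, yet without x the file cannot be reached.
    chmod go+r "$base/public/notes"
    chmod o-x "$base/public"
    printf '%s  public/notes (after o-x on public) -> %s\n' "$(mode_of "$base/public")" \
        "$(other_can_read_path "$base" "$base/public/notes")"

    rm -rf "$base"
}

run_demo
```

The four lines it prints show the progression: the default tree is readable by everyone; go-rwx on the private directory hides diary even though diary itself is still -rw-r--r--; go-r on notes hides that one file while its directory stays open; and removing only x from the public directory blocks notes again despite every read bit being set.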