Skip to Content

A Brief Introduction to Unix Permissions

Unix systems use permissions to control who has access to files and directories. There are three basic sets of permissions: owner, group, and others; for each of these sets, you can set permissions to read, write, and execute (for scripts or binaries) a file.

Basic Permissions

For files, read permission will allow members of the set to read (and copy) the file. Write permission allows set members to write to (change or append to) the file. Execute permission allows set members to execute, or “run”, the file, assuming that it's a script or executable (compiled) binary.

Directories are much the same, except that the permissions affect the files inside them—write permission on a directory allows set members to delete files in the directory (assuming they have the appropriate permissions on the files). Directories have the execute bit set to allow various sets to “see” their contents.

What They Look Like

You can check the permissions on a file or directory by using the -l flag to the ls command. You will see a listing similar to

unix% ls -l
drwxr-xr-x   3 you students  4096 Mar  4 16:02 foo
-rw-r--r--   1 you students   346 Mar  4 16:09 bar
-rwxr-xr-x   1 you students 17992 Mar  4 16:02 baz

foo is a directory (the permissions block starts with a d. You can read, write, and see inside foo. Other members of the students group can also see inside the directory (although they cannot delete files there). Others—people not you and not in the students group—can do the same.

bar is a file. Its permissions allow you to read it and write to it; members of students and other users on the system can read the file (and make copies), but not change it.

baz is another file. Its permissions indicate that it's some sort of executable—a shell script or compiled program. Anyone (you, members of students, and others on the system) can “run” this program, but only you can make changes to it thanks to the write bit being set.

Setting Permissions

You might want to set specific permissions on various files and directories that you create—maybe you have a secret note you don't want anyone else to see, or you have a file you'd like other people to be able to modify (because you're all working on a project together).

The chmod command allows you to change modes (or permissions) on files and directories.

Octal Permissions

Before I tell you how to use chmod we need to have a brief discussion about permissions are set. Unix systems use octal (base-8) numbers to specify the various permission bits. These correspond to human-readable permissions as follows:

Octal NumberHuman-ReadableLetter
4readr
2writew
1executex
0none

These permissions are additive—that is, by adding up the numbers corresponding to the permissions that you want to grant, you end up with the number that you should use to set the permissions on a file or directory.

So full permissions—read, write, and execute—are equivalent to 4 + 2 + 1, or 7. Read/write permissions are just 4 + 2, or 6. And so on.

By combining these octal permissions, you get a complete set of permissions. Recalling our first example,

unix% ls -l
drwxr-xr-x   3 you students  4096 Mar  4 16:02 foo
-rw-r--r--   1 you students   346 Mar  4 16:09 bar
-rwxr-xr-x   1 you students 17992 Mar  4 16:02 baz

foo has the permissions 755; bar has permissions 644; and baz has the permissions 755.

Using chmod

You can use these octal codes to quickly set permissions on a file or directory.

unix% touch xyzzy
unix% ll xyzzy
-rw-r--r--    1 you  students        0 Aug 21 13:32 xyzzy
unix% chmod 755 xyzzy
unix% ll xyzzy
-rwxr-xr-x    1 you  students        0 Aug 21 13:32 xyzzy*
unix% chmod 600 xyzzy
unix% ll xyzzy
-rw-------    1 you  students        0 Aug 21 13:32 xyzzy

And so on.

The “Friendly” Method

If your head is spinning from all those base-8 numbers, you'll be glad to know that there's another way to set permissions on files and directories that might be a bit more obvious.

Instead of using octal numbers, you can use combinations of the familiar r, w, and x letters to set permissions.

To specify which set of users you're modifying permissions for, there are three letters:

SetAbbreviation
Useru
Groupg
Otherso
Alla

You use the plus sign + and the minus sign - to add or subtract permissions, respectively, and the equals sign = to set them explicitly.

And you can apply more than one change at once by using a comma (,) to combine the sets.

Let's see some examples!

unix% touch billybong
unix% ll billybong 
-rw-r--r--    1 you  students        0 Aug 21 14:21 billybong
unix% chmod g-r billybong
unix% ll billybong
-rw----r--    1 you  students        0 Aug 21 14:21 billybong
unix% chmod o+x billybong 
unix% ll billybong 
-rw----r-x    1 you  students        0 Aug 21 14:21 billybong*
unix% chmod a+w billybong 
unix% ll billybong 
-rw--w-rwx    1 you  students        0 Aug 21 14:21 billybong*
unix% chmod u+rwx,g+r billybong 
unix% ll billybong 
-rwxrw-rwx    1 you  students        0 Aug 21 14:21 billybong*
unix% chmod u=rwx,g=r,o= billybong
unix% ll billybong
-rwxr-----    1 you  students        0 Aug 21 14:21 billybong*

The If-Already-Executable Option

One place that the friendly method really shines is when you're changing permissions recursively (i.e., on everything below a certain level of your directory structure). It provides the X permission, which works if-and-only-if the file or directory already has execute permission set.

This option is handy when you don't want to mess up directory access or scripts in the directories below the one you're working with.

Suppose we have the following files and directories that we need to modify:

unix% ll -R
.:
total 8
-rw-r--r--    1 you  students        0 Aug 21 14:38 bar
-rwxr-xr-x    1 you  students        0 Aug 21 14:38 baz*
drwxr-xr-x    2 you  students     4096 Aug 21 14:38 foo/
drwxr-xr-x    2 you  students     4096 Aug 21 14:39 subby/

./foo:
total 0

./subby:
total 0
-rw-r--r--    1 you  students        0 Aug 21 14:39 readme
-rwxr-xr-x    1 you  students        0 Aug 21 14:39 script*

If we want to change the permissions here so that the owner can do everything (read, write, and execute); people in the students group can only read our text files, but can read and execute our scripts; and everyone else can't do anything with the files, we could run

unix% chmod -R g+rX,o= *

which would give us

unix% ll -R
.:
total 8
-rw-r-----    1 you  students        0 Aug 21 14:38 bar
-rwxr-x---    1 you  students        0 Aug 21 14:38 baz*
drwxr-x---    2 you  students     4096 Aug 21 14:38 foo/
drwxr-x---    2 you  students     4096 Aug 21 14:39 subby/

./foo:
total 0

./subby:
total 0
-rw-r-----    1 you  students        0 Aug 21 14:39 readme
-rwxr-x---    1 you  students        0 Aug 21 14:39 script*

Recursive Changes with the Octal Method

You can do recursive changes with the octal method, as well, but because the octal method sets permissions explicitly, you'll lose access to directories if you were to simply run chmod -R 600 * in a directory.

Thus, recursive changes with the octal method are a bit more difficult to do. You need to use the find command to help out, as in

unix% find . -type f -exec chmod 644 {} \;
unix% find . -type d -exec chmod 755 {} \;

which sets all files below the current directory (.) to 644 (rw-r--r--) and all directories below the current directory to 755 (drwxr-xr-x). (These are the permissions you'll generally use for your website.)

You can implement the functionality of the X permission setting from the friendly method of chmod, but it's a wee bit more complex:

unix% find . -\( -type f -and -\( -\( -perm +111 -exec chmod 750 {} \; -\) -or -exec chmod 640 {} \; -\) -\) -or -\( -type d -exec chmod 750 {} \; -\)

This command is equivalent to the chmod -R g+rX,o= * command we used earlier.

Default Permissions and the umask

The permissions shown in our first example are those granted by default on our system. Your umask determines what permissions a file or directory will have on creation. As its name suggests, it is a mask that is used to filter the default permissions to create the final permissions for a file or directory.

If you type the command

unix% umask

you should see a three-digit number; each digit will be one of 0, 1, 2, 4, 6, and 7. Assuming you haven't made any changes to your startup files, you will probably see 022.

Back to the umask

Now that you know how to set permissions, you could change the permissions on every file or directory that you create right after you create it, but that gets old fast. The umask provides you with a way to set the default permissions for files and directories that you create, allowing you to only modify the permissions on the ones that should be different.

The umask is a mask—an octal number that is subtracted from the maximally open permission set (i.e., 777) to give the default permission set that will be used.

You may recall that I mentioned that your umask is set to 022. Subtracting 022 from 777 gives you 755, which is the default permission set for directories that you create (remember, that translates to drwxr-xr-x). Files have an additional mask of 111 applied, so the default file permission set is 644 (rw-r--r--).

Changing Your umask

By now, you know that everyone on the system can read files you create. You might prefer to be a bit more circumspect.

Changing your default file permissions is as easily as setting your umask. Not surprisingly, you can set the mask with the same command you use to check it:

unix% umask
22
unix% touch billybong
unix% ll billybong
-rw-r--r--    1 you  students        0 Aug 21 13:44 billybong
unix% rm billybong 
unix% umask 077
unix% touch billybong
unix% ll billybong 
-rw-------    1 you  students        0 Aug 21 13:44 billybong

You'll recall that the mask is subtracted from the maximal permission set. So 777 minus 077 gives you 700 for directories, and 600 for files.

With this permission set, only you (and root) can see your files and directories. It's about as paranoid as you can get on a shared system!

Making the Change Permanent

To make the change permanent, you need to add the umask command to your shell startup file. Unless you've changed your shell, you're using the tcsh, so the startup file you should modify is in your home directory and is called .tcshrc. You can edit it with

unix% emacs ~/.tcshrc

If you haven't changed it, the contents of the file probably look like

source ~setup/global.tcshrc

Add your umask command any where after that line, and it will override the setting in the global.tcshrc file.

Cleaning Up the Old Files

You now know how to use the -R flag to chmod to change files and directories recursively. If you want to quickly fix everything so that no one but you can read it,

unix% cd
unix% chmod -R u=rwX,g=,o= *

should do the trick!

Learning More

There's more to know about Unix permissions, if you're curious. Type man chmod or info chmod at a shell prompt to read the manual page and the info page for chmod, respectively.

Probably the most interesting material not covered here is “the sticky bit”, which allows you to tell a directory to force everything in it to be created with the same group as the parent directory. The sticky bit is especially useful when you're working with other people on a shared set of files where you all need to be able to access them. You'll still have to set your umask appropriately (to something like 007) to avoid others having access while ensuring that others in your group can both read and write, but the sticky bit will allow you to at least get the group right.