View file permissions and modify them using either symbolic or octal mode

Author: Ivan Voras (IvanVoras), FreeBSD

Reviewer: name contact BSD flavour

Reviewer: name contact BSD flavour


Concept

An administrator is expected to have a thorough understanding of traditional Unix permissions including: how to view and modify permissions (i.e. "mode bits"), why the sticky bit is important on /tmp and other shared directories, recognizing and using the SUID and SGID bits, and the difference between symbolic and octal mode. In addition, understand that a shell setting determines the default file and directory permissions and, given a umask value, be able to determine the default permission set.

Introduction

File ownership and mode bits are the single most important file system security feature in Unix systems. Each file and directory has three attributes attached:

  • User ID (uid)
  • Group ID (gid)
  • File mode bits

User and group IDs are plain numeric identifiers, normally looked up in /etc/passwd and /etc/group (though it is perfectly valid, if not useful, for a file to carry a uid or gid that does not exist on the system). The file mode bits describe what permissions the owning user and the members of the owning group have on a particular file; a third set of bits describes the permissions of all other users on the system. The set of permissions is:

  • r : read (user can read the file, or list a directory)
  • w : write (user can write to the file, or create entries in the directory)
  • x : execute (user can execute the file, or make the directory the current working directory (cwd))

Since the permissions form a bitmask, each has its own numerical value. To make working with numerical mode bits easier, they are usually written in octal notation (hexadecimal is not used because each set of r, w and x is only three bits, which maps exactly onto one octal digit):

  • r : 04
  • w : 02
  • x : 01

Each of the above numbers is prefixed with 0 because that is how octal numbers are distinguished from decimal and hexadecimal ones. To form a compound permission, these numbers are added together. For example, to form an rw permission (reading and writing allowed), the correct number is 04+02=06.

To specify a compound permission describing all mode bits for user, group and others, three digits are used (four with the 0 prefix). The first digit gives the permissions of the owning user, the second those of the members of the owning group, and the third those of all other users. A common permission is 0644, which allows the owner to read and write the file and lets everyone else only read it.

The command to set mode bits is chmod.
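As an added example (not from the original page or FreeBSD's own tools), the POSIX shell script below works through the arithmetic behind the notations above: it derives default permissions from a umask, renders an octal mode as the symbolic string ls(1) prints (including the setuid, setgid and sticky bits the Concept section lists), and applies chmod(1) in both notations to a scratch file. It assumes mktemp(1) is available and that the first column of ls -l holds the permission string.

```shell
#!/bin/sh
# Added example (not code from the original page): umask arithmetic, octal to
# symbolic rendering including the setuid/setgid/sticky bits, and a chmod(1)
# round trip. Assumes mktemp(1) and the standard ls -l permission column.

# Default mode of a new file (base 0666) or directory (base 0777) once the
# umask has cleared its bits. Usage: umask_default <umask> <base>, both octal.
umask_default() {
    printf '%04o\n' $(( 0$2 & ~0$1 ))
}

# Print the given letter if bit $2 is set in the 3-bit class $1, else "-".
bit() {
    if [ $(( $1 & $2 )) -ne 0 ]; then printf '%s' "$3"; else printf '%s' '-'; fi
}

# Render a 3- or 4-digit octal mode as the 9-character string ls -l shows.
# The execute slot also carries setuid (user), setgid (group) and sticky
# (others): s/t when execute is set as well, S/T when it is not.
mode_to_symbolic() {
    mode=$(( 0$1 ))
    out=""
    for pos in 6 3 0; do                       # user, group, others
        cls=$(( (mode >> pos) & 7 ))
        sp=$(( (mode >> (9 + pos / 3)) & 1 ))  # bits 11, 10, 9 = 04000, 02000, 01000
        if [ "$pos" -eq 0 ]; then lo=t; hi=T; else lo=s; hi=S; fi
        out="${out}$(bit "$cls" 4 r)$(bit "$cls" 2 w)"
        if [ "$sp" -eq 1 ] && [ $(( cls & 1 )) -eq 1 ]; then out="${out}${lo}"
        elif [ "$sp" -eq 1 ]; then out="${out}${hi}"
        else out="${out}$(bit "$cls" 1 x)"
        fi
    done
    printf '%s\n' "$out"
}

# Apply a mode (octal or symbolic) to a scratch file with chmod(1) and print
# the permission column of ls -l, so both notations can be compared directly.
chmod_check() {
    f=$(mktemp) || return 1
    chmod "$1" "$f" && ls -ld "$f" | cut -c2-10
    rm -f "$f"
}

echo "umask 022, new file      -> $(umask_default 022 0666)"    # 0644
echo "0644                     -> $(mode_to_symbolic 0644)"     # rw-r--r--
echo "04755 (setuid binary)    -> $(mode_to_symbolic 04755)"    # rwsr-xr-x
echo "01777 (sticky, as /tmp)  -> $(mode_to_symbolic 01777)"    # rwxrwxrwt
echo "chmod 0640, then ls -l   -> $(chmod_check 0640)"          # rw-r-----
echo "chmod u=rw,g=r,o=r       -> $(chmod_check u=rw,g=r,o=r)"  # rw-r--r--
```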

TODO: mention discretionary control

Examples

Practice Exercises

More information

ls(1), chmod(1), umask(1) or umask(2)