Intro to Reading and Modifying UNIX Permissions

A unix or unix-like operating system is a multi-user operating system with a sophisticated file permission system.

In this intro article, I will cover permissions from two angles: reading permissions and changing permissions.

Reading Permissions

First, you need to know how to get file permission information.

The unix command ls -l lists files in a directory in long form (which includes permissions information).

Here’s the output when I run ls -l in a directory containing three files, one of which is a directory (env):

> ls -l
drwxrwxr-x 6 alin admin 4096 Jan 15 11:12 env
-rw-rw-r-- 1 alin admin   15 Oct 15  2019 __init__.py
-rw-rw-r-- 1 alin admin   88 Oct 11  2019 main.py

Let's use the directory env as an example.

From left to right, there are seven groups of information displayed:

  1. Permissions (drwxrwxr-x)
  2. Number of links (6)
  3. User owner name (alin)
  4. Group owner name (admin)
  5. Size (4096)
  6. Datetime of last modification (Jan 15 11:12)
  7. File name (env)

The permissions group (for example, drwxrwxr-x for the directory env) has 10 columns.

When a file is a directory, the first column will show the letter d. If it’s a regular file, the column will just contain a dash -.

The remaining 9 columns represent the read, write, and execute permissions on the file.

Read, write, execute!

There are three permission types on files: read, write, and execute.

These permissions are set for 3 sets of users:

  1. The owner of the file. This is typically the user that created the file.
  2. The group owner of the file. This is typically the primary group of the user who created the file.
  3. Everyone else (other)

r represents read access, w represents write access, and x represents execute access.

These permission flags (rwx) are also known as “mode bits”. They’re either on or off. You could say that for the env directory, the (r)ead mode bit is on for all three sets of users.

Using the permissions of __init__.py above as an example:

-rw-rw-r-- 1 alin admin   15 Oct 15  2019 __init__.py

If we just focus on the permissions information, we can learn the following:

  • The first column is a dash (-) because __init__.py is not a directory. This column shows the file type; it is not one of the permission mode bits.
  • The next 3 columns represent the read, write, execute permissions for the owner. You see rw-. This means the owner has read and write access, but no execute access.
  • The next 3 columns are for the group owner. You see rw-, which is identical to the user owner permissions. The group owner has read and write access, but no execute access.
  • The final 3 columns are permissions for other (everyone else). You see r--. This means everyone else has read access only.

Cool, but what do these mode bits tell us about what users (owner, group owner, and other) can actually do?

If the file is a regular file:

  • Read access = user can read / view contents of the file
  • Write access = user can change contents of the file
  • Execute access = user can run the file as a program

If the file is a directory:

  • Read access = user can list the names of the files in the directory
  • Write access = user can change contents of the directory (like adding, removing, or renaming a file)
  • Execute access = user can enter the directory (via cd for instance) and reach the files inside it

When you, as a user in the system, do not have permission to do what you want to a file, you typically have three options:

  1. Change the permission mode bits
  2. Become a different user that does have permission. This can either be the super user or the owner (assuming the file owner has the permissions you need)
  3. Become a member of the owner group (assuming the owner group has the permissions you need)

In the next part, I will focus on option #1: changing the permissions.

Changing permissions

There’s one program you’ll lean on for nearly all permission changes: chmod.

From the chmod manual:

chmod changes the file mode bits of each given file according to mode, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new mode bits.

To rephrase more concisely, this means you can make changes to permissions on a file in one of two ways:

  1. Symbolic Way
  2. Octal Way

If you’ve ever blindly applied chmod 777 out of sheer desperation, you’ve done it the octal way. I’ll start with the symbolic way first because I find it a bit more intuitive.

The Symbolic Way

The basic command structure for the symbolic method using chmod is:

chmod <user_type><modification_type><permission_type> <file>

The three components are (in order of left to right as you see above):

  1. users (user owner? group owner? other?)
  2. modification (the type of change you want to make: add, remove, or set)
  3. permission type (read, write, execute)

chmod u+r is an example that adds READ access for the owner (denoted by the u symbol).

Since you already know what the symbols are for (r)ead, (w)rite, and e(x)ecute, here are the translation tables for specifying the user type and modification type.

users          symbol
owner          u
group owner    g
other          o
all            a

modification   symbol
Add            +
Remove         -
Set            =

So if you want to give the group owner read AND write permissions, you can use chmod g+rw.

Let's work through some examples.

I will start with a file and then make a series of permission changes to it. I think you’ll get a feel for it.

Here’s a file that’s absolutely locked down (no read, write, or execute for any users). None of the mode bits are on.

> ls -l
----------  1 alin admin   20 May 25 13:04 test.txt

Add read permission for the owner:

> chmod u+r test.txt
> ls -l
-r-------- 1 alin admin   20 May 25 13:04 test.txt

Add write permission for the owner:

> chmod u+w test.txt
> ls -l
-rw------- 1 alin admin   20 May 25 13:04 test.txt

Remove write permission from the owner:

> chmod u-w test.txt
> ls -l
-r-------- 1 alin admin   20 May 25 13:04 test.txt

Set read, write, execute permissions for the group:

> chmod g=rwx test.txt
> ls -l
-r--rwx--- 1 alin admin   20 May 25 13:04 test.txt

Remove write and execute permissions for the group:

> chmod g-wx test.txt
> ls -l
-r--r----- 1 alin admin   20 May 25 13:04 test.txt

Add write permissions for all:

> chmod a+w test.txt
> ls -l
-rw-rw--w- 1 alin admin   20 May 25 13:04 test.txt

Create files and play around with the commands! See what you can or cannot do.

The Octal (absolute) Way

Turns out, unix can represent the read, write, and execute permissions numerically.

The command takes on the form chmod [0-7][0-7][0-7]

Three numbers, 0 to 7. What do they mean?

Here’s a table that translates read, write, and execute permissions to their numeric form:

Symbol         Number
READ (r)       4
WRITE (w)      2
EXECUTE (x)    1

Since eight digits (0, 1, 2, 3, 4, 5, 6, 7) are enough to represent every combination, this is also known as the octal or base 8 representation.

Specifying any combination of permissions (read and write, write and execute, etc) is a matter of adding up the numbers! For example, 7 (4 + 2 + 1) will denote read, write, and execute. 5 (4 + 1) will denote only reading and executing. 0 means no permissions at all!

One advantage of this method is that you can specify read, write, and execute permissions using ONE number rather than THREE letters (gasp).

Ok, but how do you set it for the user owner or group owner specifically?

The first number sets the mode bits for the owner. The second one sets the mode bits for the group owner. The third one sets the mode bits for everyone else (other). So 421 means: READ access for the user owner. WRITE access for the group owner. EXECUTE access for everyone else!

Absoluteness

The octal representation is also known as the “absolute” representation because there’s no way to change the read, write, execute mode bits for just one set of users (owner, group, or other) and leave the rest as they were.

When you use this approach, you are setting the full and final set of permissions for the file. In other words, you can’t do something like u+4 to add READ permissions for the user only.

Let's see this put in practice.

Starting state of a file that’s totally locked down (no mode bits on):

> chmod 000 test.txt
> ls -l
---------- 1 alin admin   20 May 25 13:04 test.txt

Add read permission for the owner:

> chmod 400 test.txt
> ls -l
-r-------- 1 alin admin   20 May 25 13:04 test.txt

Add write permission for the owner:

> chmod 600 test.txt
> ls -l
-rw------- 1 alin admin   20 May 25 13:04 test.txt

Remove write permission from the owner:

> chmod 400 test.txt
> ls -l
-r-------- 1 alin admin   20 May 25 13:04 test.txt

Set read, write, execute permissions for the group:

> chmod 670 test.txt
> ls -l
-rw-rwx--- 1 alin admin   20 May 25 13:04 test.txt

Remove write and execute permissions for the group:

> chmod 640 test.txt
> ls -l
-rw-r----- 1 alin admin   20 May 25 13:04 test.txt

Add write permissions for all:

> chmod 662 test.txt
> ls -l
-rw-rw--w- 1 alin admin   20 May 25 13:04 test.txt
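
The script below is an added example, not code from the original article. It converts the permission column printed by ls -l into the octal form chmod accepts, flags files that everyone else can write to, and replays this article's symbolic steps on a scratch file. The function names are made up for illustration, and the parsing assumes the usual 10-column layout of ls -l.

```sh
#!/bin/sh
# Added example: map the permission column of `ls -l` to chmod's octal form.

# triad_to_digit: rwx -> 7, r-x -> 5, --- -> 0
# (s/t in the execute column also mean "execute on"; S/T mean "execute off".)
triad_to_digit() {
    d=0
    case $1 in r??) d=$((d + 4)) ;; esac
    case $1 in ?w?) d=$((d + 2)) ;; esac
    case $1 in ??[xst]) d=$((d + 1)) ;; esac
    printf '%s' "$d"
}

# perm_to_octal: drwxrwxr-x -> 775. Column 1 is the file type, not a
# permission; anything after column 10 (an ACL or SELinux marker) is ignored.
perm_to_octal() {
    [ "${#1}" -ge 10 ] || { echo "expected 10 columns: $1" >&2; return 1; }
    u=$(printf '%s' "$1" | cut -c2-4)
    g=$(printf '%s' "$1" | cut -c5-7)
    o=$(printf '%s' "$1" | cut -c8-10)
    printf '%s%s%s\n' "$(triad_to_digit "$u")" "$(triad_to_digit "$g")" \
        "$(triad_to_digit "$o")"
}

# is_world_writable: true when the "other" digit has the write bit (2) set.
is_world_writable() {
    case $(perm_to_octal "$1") in ??[2367]) return 0 ;; *) return 1 ;; esac
}

# replay_symbolic: repeat the article's symbolic steps on a scratch file and
# print "<step> <octal>" after each one.
replay_symbolic() {
    f=$(mktemp) || return 1
    chmod 000 "$f"
    for step in u+r u+w u-w g=rwx g-wx a+w; do
        chmod "$step" "$f"
        perms=$(ls -ld "$f" | cut -d' ' -f1)
        printf '%s %s\n' "$step" "$(perm_to_octal "$perms")"
    done
    rm -f "$f"
}

replay_symbolic
```

The symbolic g=rwx step touches only the group bits, so the owner keeps whatever the previous step left (r--, giving 470), whereas chmod 670 in the octal walkthrough also resets the owner to rw-. The final state, 662, is the one is_world_writable flags.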

Hope that was informative!