Unix file/directory protections

Unix file/directory protections

File protections

Unix file protections are represented as a string of 10 characters.
    % /bin/ls -l example
    -rw-r--r--   1 watrous  sysprog    21340 Nov 21 10:49 example
In the above example, "-rw-r--r--" is the file's protection, "1" is the number of hard links to the file, "watrous" is the file's owner, "sysprog" is the group the file is in, "21340" is the number of bytes in the file, "Nov 21 10:49" is the file's creation date and time, and "example" is the file's name.

Ignoring for now the first character of the protection, the remaining 9 characters can be broken up into 3 triplets ("rw-", "r--", and "r--" from the example above). Each triplet specifies the file protection for a different set of people. The first triplet ("rw-") specifies what the owner may do with the file. The middle triplet ("r--") says what users in the same group as the file may do with the file. And the last triplet ("r--") says what everyone else can do with the file.

Each character in the triplets can be either a letter or a dash ("-"). If the first character in a triplet is an "r", the set of users corresponding to the triplet (owner, group, or world) can read the file. If the second character in a triplet is a "w", the corresponding set of users can write to the file. And if the third character in a triplet is an "x", the corresponding set of users can execute the file (ie, run it as a program). The lack of one of these access privileges is designated by the dash ("-").

Protections on files can be manipulated by the owner of the file with the chmod program. chmod refers to the different triplets by single characters. "u" refers to the owner of the file (user), "g" represents users in the same group as the file (group), and "o" is everyone else (other). You can add or remove access privileges using these symbols. For instance,

    % /bin/chmod u+x example
will add execute access to the file example for the owner of the file, while
    % /bin/chmod o-r example
will remove read access for those without owner or group rights to the file. (See the man page for more details.)

Some people find it easier to refer to the protections numerically. This is done by thinking of the positions of the characters in the triplets as binary digits. "r" corresponds with 4, "w" with 2, and "x" with 1. You can then add the values for all the access privileges on in a triplet to get a single number for that triplet. So "-rw-r--r--" can be represented numerically as 644, and to set a files protection to "-rw-r--r--" you could use the command

    % /bin/chmod 644 example

Some sample file protections might be

SymbolicNumericMeaning
-rw-rw-r--
664
Owner and group can read/write; Everyone else can read
-rw-r--r--
644
Owner can read/write; Everyone else can read
-rwxr-x---
750
Owner can read/write/execute; Group can execute; no access for world
-rwx------
700
Owner can read/write/execute; no access for anyone else

Other protection bits

Two other protection settings you're likely to see on files are the setuid and setgid bits. When setuid is set on an executable file, the program runs with the ownership access of the owner of the file. It looks like this:
    % /bin/ls -l example
    -rwsr-x---   1 watrous  sysprog    21340 Nov 21 10:49 example
Here, the "x" access privilege is combined with the setuid bit and represented as an "s". In the above example, anyone in the group sysprog could run the program example and it would run with file access privileges as though it were the owner running it.

The setgid bit causes the program to run with the group file access of the group of the file.

    % /bin/ls -l example
    -rwxr-sr-x   1 watrous  sysprog    21340 Nov 21 10:49 example
Here, anyone could run the program example and that program could access any files with group access rights of the sysprog group. The setuid and setgid bits are set and cleared with the chmod command. For example,
    % /bin/chmod u+s example
will make the file setuid.

If the "x" bit is not set "behind" the setuid or setgid bit, this is indicated by a capital "S".


Directory protections

Directories are indicated by a "d" in the first character of the protection string:
    % /bin/ls -ld sample
    drwxr-xr-x   2 watrous  staff       2560 Feb 20 11:55 sample
Directory protections under Unix are displayed, grouped, and manipulated just as file protections are above. However, the access rights have different meanings for directories.

"r" means you can read the contents of the directory. That is, you can only do a directory listing to see what files are there. "w" means you can write to the directory. You can create, rename, and remove files contained in the directory (regardless of their individual protections). "x" means you can access files in the directory, subject to their individual permissions. Some sample file protections might be

SymbolicNumericMeaning
drwxrwxr-x
775
Owner and group can create, rename, and delete files; Everyone can read access files (subject to their protection)
drwxr-xr-x
755
Only owner can create, rename, and delete files; Everyone can read access files (subject to their protection)
drwxr-x---
750
Only owner can create, rename, and delete files; Owner and group can access files (subject to their protection)
drwx------
700
Only owner can create, rename, and delete files and access files (subject to their protection); no access for anyone else
drwx--x--x
700
Only owner can create, rename, and delete files and access files (subject to their protection); Everyone else can access files (subject to their protection) only if they know the name of the file

Other protection bits

The setgid bit in a directory
    % /bin/ls -ld sample
    drwxr-sr-x   2 watrous  staff       2560 Feb 20 11:55 sample
indicates that new files created in this directory will have the same group as the directory (if the user creating the file is in that group).

The sticky bit (indicated by a "t" in the third character of the third triplet:

    % /bin/ls -ld sample
    drwxrwxrwt   2 watrous  staff       2560 Feb 20 11:55 sample
is typically used in a directory like /tmp where many people can have write access to the directory. If this bit is set on a directory, files can only be removed by the owner of the directory or file or by a user with write access to that file. The sticky bit is set and cleared with the chmod command:
    % /bin/chmod o+t sample

This page last updated February 7, 2007.