% /bin/ls -l example -rw-r--r-- 1 watrous sysprog 21340 Nov 21 10:49 exampleIn the above example, "-rw-r--r--" is the file's protection, "1" is the number of hard links to the file, "watrous" is the file's owner, "sysprog" is the group the file is in, "21340" is the number of bytes in the file, "Nov 21 10:49" is the file's creation date and time, and "example" is the file's name.
Ignoring for now the first character of the protection, the remaining 9 characters can be broken up into 3 triplets ("rw-", "r--", and "r--" from the example above). Each triplet specifies the file protection for a different set of people. The first triplet ("rw-") specifies what the owner may do with the file. The middle triplet ("r--") says what users in the same group as the file may do with the file. And the last triplet ("r--") says what everyone else can do with the file.
Each character in the triplets can be either a letter or a dash ("-"). If the first character in a triplet is an "r", the set of users corresponding to the triplet (owner, group, or world) can read the file. If the second character in a triplet is a "w", the corresponding set of users can write to the file. And if the third character in a triplet is an "x", the corresponding set of users can execute the file (ie, run it as a program). The lack of one of these access privileges is designated by the dash ("-").
Protections on files can be manipulated by the owner of the file with the chmod program. chmod refers to the different triplets by single characters. "u" refers to the owner of the file (user), "g" represents users in the same group as the file (group), and "o" is everyone else (other). You can add or remove access privileges using these symbols. For instance,
% /bin/chmod u+x examplewill add execute access to the file example for the owner of the file, while
% /bin/chmod o-r examplewill remove read access for those without owner or group rights to the file. (See the man page for more details.)
Some people find it easier to refer to the protections numerically. This is done by thinking of the positions of the characters in the triplets as binary digits. "r" corresponds with 4, "w" with 2, and "x" with 1. You can then add the values for all the access privileges on in a triplet to get a single number for that triplet. So "-rw-r--r--" can be represented numerically as 644, and to set a files protection to "-rw-r--r--" you could use the command
% /bin/chmod 644 example
Some sample file protections might be
Symbolic Numeric Meaning -rw-rw-r-- 664 Owner and group can read/write; Everyone else can read -rw-r--r-- 644 Owner can read/write; Everyone else can read -rwxr-x--- 750 Owner can read/write/execute; Group can execute; no access for world -rwx------ 700 Owner can read/write/execute; no access for anyone else
% /bin/ls -l example -rwsr-x--- 1 watrous sysprog 21340 Nov 21 10:49 exampleHere, the "x" access privilege is combined with the setuid bit and represented as an "s". In the above example, anyone in the group sysprog could run the program example and it would run with file access privileges as though it were the owner running it.
The setgid bit causes the program to run with the group file access of the group of the file.
% /bin/ls -l example -rwxr-sr-x 1 watrous sysprog 21340 Nov 21 10:49 exampleHere, anyone could run the program example and that program could access any files with group access rights of the sysprog group. The setuid and setgid bits are set and cleared with the chmod command. For example,
% /bin/chmod u+s examplewill make the file setuid.
If the "x" bit is not set "behind" the setuid or setgid bit, this is indicated by a capital "S".
% /bin/ls -ld sample drwxr-xr-x 2 watrous staff 2560 Feb 20 11:55 sampleDirectory protections under Unix are displayed, grouped, and manipulated just as file protections are above. However, the access rights have different meanings for directories.
"r" means you can read the contents of the directory. That is, you can only do a directory listing to see what files are there. "w" means you can write to the directory. You can create, rename, and remove files contained in the directory (regardless of their individual protections). "x" means you can access files in the directory, subject to their individual permissions. Some sample file protections might be
Symbolic Numeric Meaning drwxrwxr-x 775 Owner and group can create, rename, and delete files; Everyone can read access files (subject to their protection) drwxr-xr-x 755 Only owner can create, rename, and delete files; Everyone can read access files (subject to their protection) drwxr-x--- 750 Only owner can create, rename, and delete files; Owner and group can access files (subject to their protection) drwx------ 700 Only owner can create, rename, and delete files and access files (subject to their protection); no access for anyone else drwx--x--x 700 Only owner can create, rename, and delete files and access files (subject to their protection); Everyone else can access files (subject to their protection) only if they know the name of the file
% /bin/ls -ld sample drwxr-sr-x 2 watrous staff 2560 Feb 20 11:55 sampleindicates that new files created in this directory will have the same group as the directory (if the user creating the file is in that group).
The sticky bit (indicated by a "t" in the third character of the third triplet:
% /bin/ls -ld sample drwxrwxrwt 2 watrous staff 2560 Feb 20 11:55 sampleis typically used in a directory like /tmp where many people can have write access to the directory. If this bit is set on a directory, files can only be removed by the owner of the directory or file or by a user with write access to that file. The sticky bit is set and cleared with the chmod command:
% /bin/chmod o+t sample