Introduction to UNIX-family File Permissions

Learning Tree’s System and Network Security Introduction course begins with a description of the four fundamental concepts of cyber security: authentication, confidentiality, integrity, and availability. That leads into a discussion of authorization: “who is allowed to do what.” The conclusion is the “access equation”:

Authentication + Authorization = Access

(We also discuss situations where access is allowed without authentication, but that is a topic for a different time).

UNIX-family File Permissions

When we discuss authorization specifics, many participants are intrigued by the UNIX/Linux/BSD file system permissions because they’ve never seen them before or because nobody ever explained them to them. In this post, we’ll look at the basic aspects of those file permissions.

First, let’s look at a simple “long” directory listing:

[Figure: long directory listing showing file permissions]

Here we see six files. [Figure: the ls output explained]

The four regular files each have permissions that reflect their names. An explanation of the octal and the meanings follows: [Figure: permissions explained]

The permission characters are broken into three groups corresponding to user (owner of the file), group (the group associated with the file), and other (often referred to as “world”). The first character of the first column is the “type” – remember we saw a directory and a symbolic link, and there may be characters after the permissions for other information about the file type or characteristics.

The permission groups are divided into three permissions: Read, Write, and eXecute. These can be expressed with the lowercase letters r, w, and x, or as three bits written as an octal (base 8) digit. If the letter is present, it represents a 1; if there is a -, it represents a 0. [Table: octal digits and their rwx equivalents]

With that information, consider writable. It has r and w in the first group and dashes for all the other permissions. That means the owner can read and write the file, and nobody else can do anything. The permission code is 600 as noted in the table above. Seasoned users of the systems that use these file permissions will talk about files having permissions such as “644” and understand that 644 refers to rw-r--r--. “644” is far easier to say than “user readable and writable and readable by group and other”, but it may take a while for new users to become fluent in that lingo.

Changing Permissions

One important principle of cyber security is that of “least privilege.” The idea as it applies here is that users, processes, and other system entities should have only the access to a file that is absolutely necessary. That generally means an administrator or the owner of the file will need to change the permissions on a file.

Suppose, for instance, that members of the group video need read access to the file “readable”. We know from the description above that the permissions need to be “-r--r-----” or “440”. The chmod command is used to change file permissions (technically called the “mode”). The general form is:

chmod mode file

One way to set the desired permission would be “chmod 440 readable”. In fact, that was the only way to do it in the early days of UNIX. Now we have another way to set the permission, either explicitly or by adding or removing permissions (setting or clearing permission bits):

chmod g+r readable adds read permission for the group

or

chmod u=r,g=r readable or chmod ug=r readable to explicitly set the permission

If we wanted to add “other” read permission, we could use “chmod o+r readable”.

Some common file modes are:

000, 777, 700, 555, 400, 444, 644, 660, and 600

If you aren’t proficient in reading these in octal, try explaining each by writing out the “rwx” permissions and thinking about why they might be useful.
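As an added example (not code from the original post), the following Python script does the rwx/octal conversion described above in both directions, applies chmod-style clauses such as g+r, o+r or u=r,g=r to a permission string, and sets 440 on a scratch file with os.chmod and reads it back with stat. The function names (rwx_to_octal, octal_to_rwx, apply_symbolic, demo_on_real_file) are my own; the symbolic parser only handles u/g/o/a and r/w/x, not the s, t or X bits.

```python
"""Worked example for the rwx / octal / chmod relationships in the post above."""
import os
import stat
import tempfile

BITS = {"r": 4, "w": 2, "x": 1}   # each letter is one bit of the octal digit
WHO = {"u": 0, "g": 1, "o": 2}    # index of each triplet in the 9-character string

def rwx_to_octal(perms: str) -> str:
    """'rw-r--r--' -> '644'; a leading type character such as '-' or 'd' is ignored."""
    body = perms[-9:]
    if len(body) != 9:
        raise ValueError("need nine permission characters")
    digits = []
    for i in range(0, 9, 3):                          # one triplet per user/group/other
        digits.append(str(sum(BITS[c] for c in body[i:i + 3] if c != "-")))
    return "".join(digits)

def octal_to_rwx(octal: str) -> str:
    """'440' -> 'r--r-----' (the reverse conversion)."""
    out = ""
    for d in octal[-3:]:
        n = int(d, 8)
        out += ("r" if n & 4 else "-") + ("w" if n & 2 else "-") + ("x" if n & 1 else "-")
    return out

def apply_symbolic(perms: str, expr: str) -> str:
    """Apply chmod-style clauses ('g+r', 'o-w', 'u=r,g=r', 'ug=r') to a 9-char string.
    A clause with no who-letters is treated as 'a' (simplification: real chmod
    consults the umask there)."""
    triplets = [list(perms[-9:][i:i + 3]) for i in range(0, 9, 3)]
    for clause in expr.split(","):
        op_pos = next(i for i, c in enumerate(clause) if c in "+-=")
        who, op, bits = clause[:op_pos] or "a", clause[op_pos], set(clause[op_pos + 1:])
        targets = range(3) if "a" in who else [WHO[c] for c in who]
        for t in targets:
            for j, letter in enumerate("rwx"):
                if op == "=":                          # set exactly the listed bits
                    triplets[t][j] = letter if letter in bits else "-"
                elif op == "+" and letter in bits:     # set the listed bits
                    triplets[t][j] = letter
                elif op == "-" and letter in bits:     # clear the listed bits
                    triplets[t][j] = "-"
    return "".join("".join(t) for t in triplets)

def demo_on_real_file() -> str:
    """Create a scratch file, chmod it to 440 and read the mode back via stat."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        path = f.name
    try:
        os.chmod(path, int("440", 8))                 # same effect as: chmod 440 <file>
        return format(stat.S_IMODE(os.stat(path).st_mode), "03o")
    finally:
        os.unlink(path)
```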

To Read More

You can learn more about the mode bits in the chmod manual. If there isn’t one on your system, you can use your favorite search engine and search for

man chmod

For more about the ls command, you can check its manual.

In future posts, I will discuss how to access these in a shell script.

To your safe computing,
John McDermott
