File Permissions

PROTECTING YOUR FILES AND DIRECTORIES

Adapted from: http://vertigo.hsrl.rutgers.edu/ug/permissions.html

Important

Make sure the directory you keep your assignments in cannot be read by others.

Leaving your directory open can be considered cheating, but you can prevent this by simply using the command:

chmod og-rx your_assignment_directory

This will ensure that the permissions will be set appropriately.

Understand that your files and directory permissions are essential for the security of your account.

You might have a very secure password, but if your file permissions are inappropriate, having a secure password is pointless.

Your home directory contains files you need to do your work.

Some of these will be private, such as program assignments and top secret documents.

Since the default in UNIX is to make files accessible, you need to understand the UNIX protection scheme in order to keep your files from being read by others.

Here is an example of file permissions:

Example of directory listing
-bash-2.05b$ ls -l 
total 8 
drwxr-xr-x 2 dvoita ugrad 4096 Feb 1 15:25 public_html 
drwx------ 2 dvoita ugrad 4096 Feb 1 15:29 top_secret 
drwxrwx--- 2 dvoita ugrad 4096 Feb 1 15:29 love_letters 

Here's how this is organized:

drwx------ 2 dvoita ugrad 4096 Feb 1 15:29 top_secret

The permissions for each file are listed in the left-most field.

The "d" stands for directory.

After this, there are three sets of permissions for each file.

The permissions are read, write, and execute.

The first set of three is for the owner of the file ("dvoita"), the second for a group of users ("ugrad"), and the last for all other users on the system (sometimes called "world").

Each permission also has a numeric value:

read (r) = 4
write (w) = 2
execute (x) = 1

In the example above, the directory public_html can be read and executed by everyone, but top_secret can be read, written and executed only by the owner of the directory ("dvoita").

The "love_letters" directory is open to the owner and the members of the "ugrad" group, but to no other users on the system.


Note

A directory that can be read and executed by everyone means anyone can "cd" into and "ls" the directory.

The default permissions for most files are rwxr-xr-x or rw-r--r--, depending on whether it is executable or not.

With these permissions, only the owner can change the file, but others can read it.
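The following script is an added example (not part of the original page): it turns the mode field printed by ls -l into the octal number chmod accepts, using the weights read=4, write=2, execute=1 given above, and reports which classes can both "cd" into and "ls" a directory, as the Note describes. It assumes plain rwx modes and does not handle the setuid/setgid/sticky letters (s, t).

```shell
#!/bin/sh
# Added example, not from the original page. Converts an ls -l mode field
# such as "drwxr-xr-x" to octal and reports who can list a directory.
# Assumes plain rwx modes (no s or t special bits).

# Octal digit for one rwx triplet: "rwx" -> 7, "r-x" -> 5, "---" -> 0
triplet_to_digit() {
    n=0
    case "$1" in r??) n=$((n + 4)) ;; esac
    case "$1" in ?w?) n=$((n + 2)) ;; esac
    case "$1" in ??x) n=$((n + 1)) ;; esac
    echo "$n"
}

# Split the nine permission characters into owner, group and other triplets,
# dropping the leading file-type character (d for directory, - for file)
split_triplets() {
    perms=${1#?}
    mid=${perms#???}
    echo "${perms%??????} ${mid%???} ${perms#??????}"
}

# "drwxr-xr-x" -> 755, "drwx------" -> 700, "-rw-r--r--" -> 644
mode_to_octal() {
    set -- $(split_triplets "$1")
    echo "$(triplet_to_digit "$1")$(triplet_to_digit "$2")$(triplet_to_digit "$3")"
}

# Classes that can list a directory: a triplet needs both r (to ls) and
# x (to cd into it). "drwxrwx---" -> "owner group"
who_can_list() {
    set -- $(split_triplets "$1")
    out=""
    for class in owner group other; do
        case "$1" in r?x) out="$out $class" ;; esac
        shift
    done
    echo "${out# }"
}

# Walk the three directories from the listing on this page
for entry in "drwxr-xr-x public_html" "drwx------ top_secret" "drwxrwx--- love_letters"; do
    set -- $entry
    printf '%-12s mode %s  can be listed by: %s\n' "$2" "$(mode_to_octal "$1")" "$(who_can_list "$1")"
done
```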

Changing your file and directory permissions

If you have a text file you want to prevent all others from seeing, you can change its permissions to rw-------.

This is done by the chmod command.

To change rw-r--r-- to rw-------, you subtract permissions:

Removing READ from Other and Group
% chmod og-r your_file

(the "o" stands for other, the "g" for group) which is equivalent to

Setting file to READ WRITE to Owner only.
% chmod 600 your_file

where
6 = owner permissions: 4 (read) + 2 (write)
0 = group permissions (none)
0 = world permissions (none)

This removes group (g) and other (o) read permissions.

For more information, execute "man chmod".
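As an added example (not from the original page), the script below checks the equivalence just described: it applies "chmod og-r" to one throwaway file and "chmod 600" to another, both starting from the default rw-r--r-- (644), and prints the resulting modes side by side.

```shell
#!/bin/sh
# Added example, not from the original page: shows that the symbolic
# "chmod og-r" and the numeric "chmod 600" produce the same mode when
# applied to a file that starts at the default rw-r--r-- (644).
# Works only on throwaway files in a temporary directory.

# First field of ls -l for a path, e.g. "-rw-r--r--" (an ACL or SELinux
# marker in column 11, if present, is cut away)
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Prints "<mode after og-r> <mode after 600>"
compare_chmod_forms() {
    work=$(mktemp -d) || return 1
    : > "$work/symbolic"
    : > "$work/numeric"
    chmod 644 "$work/symbolic" "$work/numeric"  # start from the page's default
    chmod og-r "$work/symbolic"                 # subtract read from other and group
    chmod 600 "$work/numeric"                   # owner 4+2, group 0, other 0
    a=$(mode_of "$work/symbolic")
    b=$(mode_of "$work/numeric")
    rm -rf "$work"
    echo "$a $b"
}

compare_chmod_forms    # prints: -rw------- -rw-------
```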

You can set your environment so that newly created files will always have certain permissions removed.

This is done by the umask command in your .login.

To remove all write permissions by group members and others, include

Setting a file permission mask
umask 022

in your .login.

If you want all your files protected from read, write, and execute access, use

Setting a file permission mask
umask 077

Log out and back in again, and all files created from that point will have the new permissions.

Any files that already exist will not have their permissions changed, and you will need to use chmod to change them.
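The script below is an added example (not from the original page) of the umask behaviour described above: it creates a file and a directory under a chosen mask inside a subshell, so the caller's own umask is untouched, and also shows that a file created earlier under umask 022 keeps its old mode when the mask is later tightened to 077.

```shell
#!/bin/sh
# Added example, not from the original page: creates a file and a directory
# under a given umask (in a subshell, so the caller's umask is unchanged) and
# prints their modes, followed by the mode of a file created earlier under
# umask 022 to show that existing files are not affected by a new umask.

# First field of ls -l for a path, e.g. "-rw-r--r--"
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Prints "<new file> <new dir> <pre-existing file>"
modes_under_umask() {
    work=$(mktemp -d) || return 1
    (umask 022; : > "$work/existing")     # made before the mask is tightened
    (
        umask "$1"
        : > "$work/newfile"               # default 666 minus the mask
        mkdir "$work/newdir"              # default 777 minus the mask
    )
    result="$(mode_of "$work/newfile") $(mode_of "$work/newdir") $(mode_of "$work/existing")"
    rm -rf "$work"
    echo "$result"
}

modes_under_umask 022    # prints: -rw-r--r-- drwxr-xr-x -rw-r--r--
modes_under_umask 077    # prints: -rw------- drwx------ -rw-r--r--
```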

Since you as owner can read and change all your files, it is important that you never give another user your password.

Also, you should never stay logged in unattended, as that would make it very easy for someone to come by and change your files or permissions.

You need to decide when to protect a file.

Consider whether you care if anyone else reads or executes that file, since that is what the default permissions allow.

Any file created for a class assignment should of course be protected, as should most correspondence.

Files with financial information should also be kept private.

If most of your files contain sensitive material, consider using the umask command to limit access automatically.

It is also recommended that you don't allow public or group write access to any of your directories.

If "other" has write permission on one of your directories, anyone with a login can erase files in that directory or create files of their choice there.

An intruder can delete files you own, simply because he or she has write permissions on the directory.

The intruder can also install a program of the same name as one you normally use, and there may be serious consequences if you run the intruder's program.

Note about the public_html directory

The "other" permissions on your home and public_html directories need to include execute ("--x") so that the web server can pass through them and internet users can view your pages.

Also, any files in public_html should be world-readable if you'd like them to be seen on the internet.

Additional Resources

There are several sites on the web that deal with file and directory permissions. Here are a few (in no particular order):