This document explains the basics of the permissions scheme that is used on
Linux and other Unix platforms to control access to parts of the system.
Permissions basically refer to what you (the user) have access to. If you
log in as user suso, you have access to anything that the user suso, or the
group that user suso is in, has access to. When you run 'ls -la' in a
directory you get output somewhat like this:
[suso@arvo www]$ ls -l
total 17002
drwxr-xr-x 23 suso suso 2048 Apr 16 19:45 .
drwx---r-x 36 suso users 3072 Apr 17 01:15 ..
-rw-r--r-- 1 suso suso 466 Mar 20 02:29 .htaccess
-rw-r--r-- 1 suso suso 9328 Mar 20 02:15 index.html
drwxr-xr-x 3 suso suso 1024 Jun 5 2003 images
[suso@arvo www]$
In this output you see many things that may confuse you. I'll explain, starting from left to right.
The first column of output you see are the actual permission bits
that are set for each file. These bits are 10 characters which
represent specific things in each place. If we divide them up below
we'll see what each section does:
Breakdown of type and permissions characters:

    d rwx r-x r-x
    | |   |   |
    | |   |   +-- others
    | |   +------ group
    | +---------- user (owner)
    +------------ file type
As you can see the ten characters can be easily divided up into a single
first character and three sets of three characters. The first character
shows what kind of file this is. That may sound kind of silly, but in
Unix nearly everything (including directories) is a file. So if this
character is a 'd' then the file is a directory. If it is a '-' then it
is just a normal file. There are a few other types too, such as device
files.
The first "triplet" of bits are the permissions referring to the user
who owns the file. Within each triplet, the first bit is the read
permission, the second bit is the write permission and the third is the
execute permission. Each one of these can be used to turn the respective
function on or off for the user who owns the file.
The second triplet of bits control the permissions for the group who owns the file.
The third triplet controls all the others who might try to access
the file. This includes the permissions of any web browser that might
try to access your files.
The second column is the number of links (directory entries) that
reference the file. This is usually useless information and you don't
need to worry about it. The third and fourth columns are the user and
group names who own the file.
The fifth column is the size of the file in bytes. The sixth column
(which is actually three columns, the 6th, 7th and 8th) is the date that
the file was last modified. The final column shows the name of the file.
So let's say that we create a file called index.html in a directory
called www. By default the file is created with the following
parameters:
[suso@antonio www]$ touch index.html
[suso@antonio www]$ ls -l index.html
-rw-rw-r-- 1 suso suso 0 Apr 17 03:44 index.html
[suso@antonio www]$
So this file is a normal file of zero bytes that can be read by anyone and is writable by the user 'suso' and the group 'suso'.
Let's say that we want to change the permissions of this file so
that only the user 'suso' can read and write it and nobody else has
access to it. We do this using the 'chmod' command. The chmod command
takes at least two arguments. The first is an argument symbolizing how
you would like the permissions to be set and the second argument is the
name of the file or files you want it to affect.
To set the permissions on the index.html file so that it is only readable/writable by user suso we use this command:
[suso@antonio www]$ chmod 600 index.html
Think of the number as actually three numbers. The first number, '6',
affects the user permissions, the second, '0', affects the group
permissions and the third, '0', affects all others. The number 6 means
read and write permissions are to be turned on for that category. It is
derived by adding a set of numbers together. Each permission bit (r, w
and x) has a value assigned to it in the permissions system:

    r (read)    = 4
    w (write)   = 2
    x (execute) = 1

All other possibilities are generated by adding the numbers together.
So if we would like something to be just readable, we use a 4. If we
want it read/write we use a 6, if we want it to be read/execute we use a
5 and so on:
[suso@antonio www]$ ls -l index.html
-rw-rw-r-- 1 suso suso 0 Apr 17 03:44 index.html
[suso@antonio www]$ chmod 644 index.html
[suso@antonio www]$ ls -l index.html
-rw-r--r-- 1 suso suso 0 Apr 17 03:44 index.html
[suso@antonio www]$ chmod 755 index.html
[suso@antonio www]$ ls -l index.html
-rwxr-xr-x 1 suso suso 0 Apr 17 03:44 index.html
[suso@antonio www]$ chmod 175 index.html
[suso@antonio www]$ ls -l index.html
---xrwxr-x 1 suso suso 0 Apr 17 03:44 index.html
[suso@antonio www]$ chmod 000 index.html
[suso@antonio www]$ ls -l index.html
---------- 1 suso suso 0 Apr 17 03:44 index.html
[suso@antonio www]$ chmod 400 index.html
[suso@antonio www]$ ls -l index.html
-r-------- 1 suso suso 0 Apr 17 03:44 index.html
[suso@antonio www]$ chmod 040 index.html
[suso@antonio www]$ ls -l index.html
----r----- 1 suso suso 0 Apr 17 03:44 index.html
[suso@antonio www]$ chmod 004 index.html
[suso@antonio www]$ ls -l index.html
-------r-- 1 suso suso 0 Apr 17 03:44 index.html
[suso@antonio www]$
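The arithmetic behind the session above, as an added example that is not part of the original tutorial: two small POSIX sh functions (names are my own) that turn the nine permission characters from 'ls -l' into the octal number chmod takes, and back, using r=4, w=2, x=1 per triplet.

```shell
# Added example (not from the original tutorial): convert between the nine
# permission characters that 'ls -l' prints and the octal number chmod takes.
# Function names are my own. Within each triplet r=4, w=2, x=1 are added.

# triplet_value rwx -> 7, r-x -> 5, --- -> 0
triplet_value() {
    v=0
    case "$1" in r??) v=$((v + 4)) ;; esac
    case "$1" in ?w?) v=$((v + 2)) ;; esac
    case "$1" in ??[xst]) v=$((v + 1)) ;; esac   # s/t in the x slot imply x
    echo "$v"
}

# mode_to_octal -rwxr-xr-x -> 755 (accepts the 10-char ls field or 9 chars)
mode_to_octal() {
    m=$1
    if [ "${#m}" -eq 10 ]; then m=${m#?}; fi   # drop the file-type character
    rest=${m#???}
    u=$(triplet_value "${m%??????}")           # user (owner) triplet
    g=$(triplet_value "${rest%???}")           # group triplet
    o=$(triplet_value "${rest#???}")           # other triplet
    echo "$u$g$o"
}

# octal_to_mode 644 -> rw-r--r--
octal_to_mode() {
    n=$1; out=""
    while [ -n "$n" ]; do
        d=${n%"${n#?}"}; n=${n#?}              # peel off the next digit
        r=-; w=-; x=-
        case $d in 4|5|6|7) r=r ;; esac        # digits that include 4
        case $d in 2|3|6|7) w=w ;; esac        # digits that include 2
        case $d in 1|3|5|7) x=x ;; esac        # digits that include 1
        out="$out$r$w$x"
    done
    echo "$out"
}

# Same walk as the chmod session above, printed as ls would show it:
for n in 644 755 175 000 400 040 004; do
    echo "chmod $n  ->  -$(octal_to_mode "$n")"
done
```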
Now that you understand how chmod works we can apply its use to a more
practical situation. Let's say that you are getting permission denied
errors when you go to your website on suso.org with your favorite
browser. Chances are it's one of the following situations.
One possibility is that the permissions on the directory that the files
are in are set too restrictively and need to be changed. The ability to
view a file can be set by the permissions on the file itself, but the
ability of someone to read, write or execute a file is also controlled
somewhat by the permissions set on the directory you are in, and
possibly the parent directory of the one you are in, and so on.
So when we list out the whole directory we see this:
[suso@antonio www]$ ls -la
total 3
drwxr-x--- 2 suso suso 1024 Apr 17 03:43 .
drwxr-xr-x 24 suso suso 2048 Apr 17 03:43 ..
-rw-rw-r-- 1 suso suso 0 Apr 17 03:44 index.html
[suso@antonio www]$
Ahh, that's it. The file called '.' refers to the directory that we are
in and the file called '..' refers to the parent directory. Since the
webserver is neither the user nor the group that owns the directory, its
ability to read files in this directory is set by the third triplet of
permission bits (the other category). So if we want to make this
directory accessible through the webserver we need to turn on the read
and execute permissions for the other category:
[suso@antonio www]$ chmod 755 .
[suso@antonio www]$ ls -la
total 3
drwxr-xr-x 2 suso suso 1024 Apr 17 03:43 .
drwxr-xr-x 24 suso suso 2048 Apr 17 03:43 ..
-rw-rw-r-- 1 suso suso 0 Apr 17 03:44 index.html
[suso@antonio www]$
This is a fine way to set the permission if you know what you are doing, but there is a much safer way to do the same thing:
[suso@antonio www]$ chmod o=rx .
[suso@antonio www]$ ls -l
total 3
drwxr-xr-x 2 suso suso 1024 Apr 17 03:43 .
drwxr-xr-x 24 suso suso 2048 Apr 17 03:43 ..
-rw-rw-r-- 1 suso suso 0 Apr 17 03:44 index.html
[suso@antonio www]$
Notice that we used 'o=rx' as the second argument to chmod instead of
755. This means that we want to set the other category to read/execute.
You can also do this on a file:
[suso@antonio www]$ chmod o+r index.html
[suso@antonio www]$ ls -l index.html
-rw-rw-r-- 1 suso suso 0 Apr 17 03:44 index.html
[suso@antonio www]$
The reason why we use a = on the directory and a + on the file is just
to make sure that the directory does not have a w bit set for the other
category. With files, that's up to you. By using a + it will add to the
permissions that are already there. So if we did this:
chmod o+r *
it would make sure that all the files and directories in the current
directory are readable by the webserver. Directories need to be
executable too, so for each directory you would also need to do a
'chmod o+x'.
Using the symbolic method with the chmod command instead of the
numeric can be easier to read as well. It's good to know both ways
because you'll need them in different situations.
Let's say that we are still getting the permission denied error.
The next thing to check is the permissions on the parent
directory('..'). Since the whole filesystem is one big hierarchy, the
permissions of directories above the one you are in can affect the
readability of a file.
It's also important to note that for a directory to work, it has to be
executable. If the directory is only readable you will only be able to
list the contents of the directory; you wouldn't be able to 'cd' into
it or do anything with the files it contains.
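The check described in the last few paragraphs, walking '.' and then each parent directory for the other category's x bit and the file for its r bit, as an added example that is not part of the original tutorial. It reads only the permission field of 'ls -ld' as shown on this page; the function names are my own.

```shell
# Added example (not from the original tutorial): walk every directory on the
# way to a file and report the first one that the "other" category (the web
# server in the scenario above) cannot enter, then whether the file itself is
# readable by others. Relies only on the 'ls -ld' permission field shown on
# this page, so it works on Linux and BSD. Function names are my own.

# other_bits PATH -> the third triplet of 'ls -ld PATH', e.g. r-x
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# check_other_access FILE
# Prints "ok" when others can traverse every directory and read FILE;
# otherwise prints the first blocking path and what it lacks, returns 1.
check_other_access() {
    target=$1
    case $target in
        /*) dir=/; rest=${target#/} ;;   # absolute path: start at the root
        *)  dir=.; rest=$target ;;       # relative path: start at '.'
    esac
    while :; do
        # a directory must carry the other x bit to be entered at all
        case $(other_bits "$dir") in
            ??[xt]) ;;
            *) echo "$dir: other lacks x (cannot enter)"; return 1 ;;
        esac
        case $rest in */*) ;; *) break ;; esac
        comp=${rest%%/*}; rest=${rest#*/}
        dir=${dir%/}/$comp
    done
    # the file itself must carry the other r bit to be served
    case $(other_bits "$target") in
        r??) echo ok ;;
        *) echo "$target: other lacks r (cannot read)"; return 1 ;;
    esac
}

# Usage: sh check.sh www/index.html   (run from the directory above www)
if [ $# -gt 0 ]; then check_other_access "$1"; fi
```

With the tutorial's layout (www mode 750, index.html mode 664) it reports "./www: other lacks x (cannot enter)"; after 'chmod o=rx www' it reports "ok".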
Hope this helps. Let me know if you have any questions about all this. It's a lot to digest in one sitting.