
This document explains the basics of the permissions scheme that is used on Linux and other unix platforms to control access to parts of the system.

Permissions basically refer to what you (the user) have access to. If you log in as user suso, you have access to anything that the user suso or the group that user suso is in has access to. When you run 'ls -la' in a directory you get output somewhat like this:

[suso@arvo www]$ ls -l
total 17002
drwxr-xr-x 23 suso suso 2048 Apr 16 19:45 .
drwx---r-x 36 suso users 3072 Apr 17 01:15 ..
-rw-r--r-- 1 suso suso 466 Mar 20 02:29 .htaccess
-rw-r--r-- 1 suso suso 9328 Mar 20 02:15 index.html
drwxr-xr-x 3 suso suso 1024 Jun 5 2003 images
[suso@arvo www]$

In this output you see many things that may confuse you. I'll explain, starting from left to right.

The first column of output you see is the actual permission bits that are set for each file. They are shown as 10 characters, and each position means something specific. If we divide them up below we'll see what each section does:

[Figure: Breakdown of type and permissions characters]

As you can see, the ten characters can be easily divided up into one first character and three sets of three characters. The first character shows what kind of file this is. That may sound kind of silly, but in Unix nearly everything (including directories) is a file. So if this character is a 'd' then the file is a directory. If it is a '-' then it is just a normal file. There are a few other types too, such as device files.

The first "triplet" of bits is the permissions referring to the user who owns the file. Within each triplet, the first bit is the read permission, the second is the write permission and the third is the execute permission. Each one of these can be used to turn the respective function on or off for the user who owns the file.

The second triplet of bits controls the permissions for the group who owns the file.

The third triplet controls all the others who might try to access the file. This includes the permissions of any web browser that might try to access your files.

The second column is the number of hard links that reference the file. This is usually useless information and you don't need to worry about it. The third and fourth columns are the user and group names who own the file.

The fifth column is the size of the file in bytes. The sixth column (which is actually three columns, the 6th, 7th and 8th) is the date that the file was last modified. The final column shows the name of the file.

So let's say that we create a file called index.html in a directory called www. By default the file is created with the following parameters:

[suso@antonio www]$ touch index.html
[suso@antonio www]$ ls -l index.html
-rw-rw-r-- 1 suso suso 0 Apr 17 03:44 index.html
[suso@antonio www]$

So this file is a normal file of zero bytes that can be read by anyone and is writeable by the user 'suso' and the group 'suso'.

Let's say that we want to change the permissions of this file so that only the user 'suso' can read and write it and nobody else has access to it. We do this using the 'chmod' command. The chmod command takes at least two arguments. The first is an argument symbolizing how you would like the permissions to be set and the second argument is the name of the file or files you want it to affect.

To set the permissions on the index.html file to only be readable/writeable by user suso we use this command:

Think of the number as actually three numbers. The first number, '6', affects the user permissions, the second, '0', affects the group permissions and the third, '0', affects all else. The number 6 means read and write permissions are to be turned on for that category. It is derived by adding a set of numbers together. Each permission bit (r, w and x) has a value assigned to it in the permissions system:

  • x = 1
  • w = 2
  • r = 4

All other possibilities are generated by adding the numbers together. So if we would like something to be just readable, we use a 4. If we want it read/write we use a 6, if we want it to be read/execute we use a 5 and so on:

[suso@antonio www]$ ls -l index.html
-rw-rw-r-- 1 suso suso 0 Apr 17 03:44 index.html
[suso@antonio www]$ chmod 644 index.html
[suso@antonio www]$ ls -l index.html
-rw-r--r-- 1 suso suso 0 Apr 17 03:44 index.html
[suso@antonio www]$ chmod 755 index.html
[suso@antonio www]$ ls -l index.html
-rwxr-xr-x 1 suso suso 0 Apr 17 03:44 index.html
[suso@antonio www]$ chmod 175 index.html
[suso@antonio www]$ ls -l index.html
---xrwxr-x 1 suso suso 0 Apr 17 03:44 index.html
[suso@antonio www]$ chmod 000 index.html
[suso@antonio www]$ ls -l index.html
---------- 1 suso suso 0 Apr 17 03:44 index.html
[suso@antonio www]$ chmod 400 index.html
[suso@antonio www]$ ls -l index.html
-r-------- 1 suso suso 0 Apr 17 03:44 index.html
[suso@antonio www]$ chmod 040 index.html
[suso@antonio www]$ ls -l index.html
----r----- 1 suso suso 0 Apr 17 03:44 index.html
[suso@antonio www]$ chmod 004 index.html
[suso@antonio www]$ ls -l index.html
-------r-- 1 suso suso 0 Apr 17 03:44 index.html
[suso@antonio www]$
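As an added example (my own code, not part of the original article), the following POSIX shell functions do the arithmetic above in both directions: they turn an `ls -l` permission string such as `rw-r--r--` into its three octal digits and back, using the r=4, w=2, x=1 values just listed. They deliberately accept only the r, w, x and - symbols covered here, so a string carrying setuid, setgid or sticky markers is rejected instead of being miscounted.

```shell
#!/bin/sh
# Added example (not from the original article): convert between the rwx
# string that `ls -l` prints and the three octal digits chmod accepts.
# Only the r, w, x and - symbols described in the article are handled.

# Value of one three-character triplet such as "rwx", "r-x" or "---".
triplet_value() {
    value=0
    case $1 in r??) value=$((value + 4)) ;; esac
    case $1 in ?w?) value=$((value + 2)) ;; esac
    case $1 in ??x) value=$((value + 1)) ;; esac
    printf '%s\n' "$value"
}

# mode_to_octal "rw-r--r--"  -> 644
# mode_to_octal "drwxr-x---" -> 750  (a leading file-type character is skipped)
mode_to_octal() {
    perms=$1
    case ${#perms} in
        10) perms=${perms#?} ;;           # drop the file-type character
        9)  ;;
        *)  printf 'mode_to_octal: expected 9 or 10 characters, got "%s"\n' "$1" >&2
            return 1 ;;
    esac
    octal=""
    while [ -n "$perms" ]; do
        triplet=$(printf '%s\n' "$perms" | cut -c1-3)
        perms=$(printf '%s\n' "$perms" | cut -c4-)
        case $triplet in
            [r-][w-][x-]) ;;
            *) printf 'mode_to_octal: unsupported triplet "%s"\n' "$triplet" >&2
               return 1 ;;
        esac
        octal="$octal$(triplet_value "$triplet")"
    done
    printf '%s\n' "$octal"
}

# octal_to_mode 755 -> rwxr-xr-x
octal_to_mode() {
    case $1 in
        [0-7][0-7][0-7]) ;;
        *) printf 'octal_to_mode: expected three octal digits, got "%s"\n' "$1" >&2
           return 1 ;;
    esac
    digits=$1
    mode=""
    while [ -n "$digits" ]; do
        digit=$(printf '%s\n' "$digits" | cut -c1)
        digits=$(printf '%s\n' "$digits" | cut -c2-)
        # Test each of the three bits of the digit and emit r, w, x or -.
        r=-; w=-; x=-
        if [ $((digit & 4)) -ne 0 ]; then r=r; fi
        if [ $((digit & 2)) -ne 0 ]; then w=w; fi
        if [ $((digit & 1)) -ne 0 ]; then x=x; fi
        mode="$mode$r$w$x"
    done
    printf '%s\n' "$mode"
}
```

Running `octal_to_mode 600` gives `rw-------`, the "only suso can read and write it" setting discussed above, and `mode_to_octal` on each line of the session reproduces the number that was passed to chmod.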

Now that you understand how chmod works, we can apply its use to a more practical situation. Let's say that you are getting permission denied errors when you go to your website on suso.org with your favorite browser. Chances are it's one of the following situations.

One possibility is that the permissions on the directory the files are in are too restrictive and need to be changed. Whether a file can be viewed is set by the permissions on the file itself, but the ability to read, write or execute a file is also controlled by the permissions set on the directory it is in, and possibly the parent directory of that one, and so on.

So when we list out the whole directory we see this:

[suso@antonio www]$ ls -la
total 3
drwxr-x--- 2 suso suso 1024 Apr 17 03:43 .
drwxr-xr-x 24 suso suso 2048 Apr 17 03:43 ..
-rw-rw-r-- 1 suso suso 0 Apr 17 03:44 index.html
[suso@antonio www]$

Ahh, that's it. The file called '.' refers to the directory that we are in and the file called '..' refers to the parent directory. Since the webserver runs as neither the user nor a member of the group that owns the directory, its ability to read files in this directory is set by the third triplet of permission bits (the other category). So if we want to make this directory accessible through the webserver, we need to turn on the read and execute permissions for the other category:

[suso@antonio www]$ chmod 755 .
[suso@antonio www]$ ls -la
total 3
drwxr-xr-x 2 suso suso 1024 Apr 17 03:43 .
drwxr-xr-x 24 suso suso 2048 Apr 17 03:43 ..
-rw-rw-r-- 1 suso suso 0 Apr 17 03:44 index.html
[suso@antonio www]$

This is a fine way to set the permission if you know what you are doing, but there is a much safer way to do the same thing:

[suso@antonio www]$ chmod o=rx .
[suso@antonio www]$ ls -l
total 3
drwxr-xr-x 2 suso suso 1024 Apr 17 03:43 .
drwxr-xr-x 24 suso suso 2048 Apr 17 03:43 ..
-rw-rw-r-- 1 suso suso 0 Apr 17 03:44 index.html
[suso@antonio www]$

Notice that we used 'o=rx' as the second argument to chmod instead of 755. This means that we want to set the other category to read/execute. You can also do this on a file:

[suso@antonio www]$ chmod o+r index.html
[suso@antonio www]$ ls -l index.html
-rw-rw-r-- 1 suso suso 0 Apr 17 03:44 index.html
[suso@antonio www]$

The reason why we use a = on the directory and a + on the file is just to make sure that the directory does not have a w bit set for the other category. With files, that's up to you. Using a + adds to the permissions that are already there. So if we did this:

chmod o+r *

It would make sure that all the files and directories in the current directory are readable by the webserver. Directories need to be executable, so for each directory you would also need to do a 'chmod o+x'.
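The following is an added example (my own code, not from the article) of applying that rule to a whole directory tree with the symbolic form of chmod, and of the difference between `chmod 755` and `chmod o=rx` that makes the text call the symbolic form safer. It goes a little beyond the text by using `find` to reach nested directories instead of running chmod in each one by hand; the directory names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): make a web tree readable by
# "others" without touching the user or group bits. Directories get o+rx
# (x to be entered, r to be listed), regular files get o+r, nothing gets o+w.

# The nine permission characters of a path, e.g. "rwxrwx---"
# (columns 2-10 of `ls -ld`).
mode_of() {
    ls -ld "$1" | cut -c2-10
}

# Grant read access to others across a whole tree. Usage: publish_tree DIR
# `find` generalises the article's per-directory `chmod o+x` to nested trees.
publish_tree() {
    find "$1" -type d -exec chmod o+rx '{}' +
    find "$1" -type f -exec chmod o+r '{}' +
}

# Why the article calls `chmod o=rx .` safer than `chmod 755 .`: the numeric
# form rewrites all nine bits, so a group-writable directory silently loses
# its group write bit. Returns "numeric=<mode> symbolic=<mode>" for two
# directories that start out identical (constructed in a temporary directory).
compare_methods() {
    work=$(mktemp -d)
    mkdir "$work/numeric" "$work/symbolic"
    chmod 770   "$work/numeric" "$work/symbolic"   # rwxrwx---: group can write
    chmod 755   "$work/numeric"                    # replaces every bit
    chmod o=rx  "$work/symbolic"                   # changes only the other triplet
    printf 'numeric=%s symbolic=%s\n' "$(mode_of "$work/numeric")" "$(mode_of "$work/symbolic")"
    rm -rf "$work"
}
```

`compare_methods` prints `numeric=rwxr-xr-x symbolic=rwxrwxr-x`: the group write bit survives only the symbolic form, which is exactly the kind of surprise the article is warning about when it says 755 is fine "if you know what you are doing".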

Using the symbolic method with the chmod command instead of the numeric can be easier to read as well. It's good to know both ways because you'll need them in different situations.

Let's say that we are still getting the permission denied error. The next thing to check is the permissions on the parent directory ('..'). Since the whole filesystem is one big hierarchy, the permissions of directories above the one you are in can affect the readability of a file.

It's also important to note that for a directory to work, it has to be executable. If the directory is only readable you will only be able to list the contents of the directory; you won't be able to 'cd' into it or do anything with the files it contains.
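Putting the directory checks from this section and the earlier "permission denied" hunt together, here is an added shell example (my own code, not from the climagic article) that walks from a starting directory down to a file and reports the first component whose "other" bits would stop a process that is neither the owner nor in the owning group, which is the web server's position in the article's scenario. It assumes a POSIX shell with `ls` and `cut`; the `TOP` argument and the diagnostic wording are my own design, and the file names in the comments are made up.

```shell
#!/bin/sh
# Added example (not from the original article): reproduce the permission-
# denied hunt as a script. Every directory on the way to a file needs the
# "other" execute bit and the file itself needs the "other" read bit.
#
# Usage: check_other_access FILE [TOP]
#   FILE  the file the web server should be able to read
#   TOP   directory at which to start the walk (default /); everything above
#         TOP is assumed to be already correct
# Prints "ok" and returns 0 when FILE is reachable, otherwise prints a one-line
# diagnosis naming the offending path and returns 1.

# The "other" triplet is columns 8-10 of `ls -ld`, e.g. "r-x" in "drwxr-xr-x".
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# A directory can be entered by others only when its x bit is set.
check_dir() {
    case $(other_bits "$1") in
        ??x) return 0 ;;
        *)   printf 'BLOCKED: directory %s lacks the other execute bit (chmod o+x)\n' "$1"
             return 1 ;;
    esac
}

check_other_access() {
    file=$1
    top=${2:-/}
    case $file in /*) ;; *) file=$(pwd)/$file ;; esac
    case $top  in /*) ;; *) top=$(pwd)/$top   ;; esac
    top=${top%/}                  # "/" becomes "", any other trailing "/" is dropped
    case $file in
        "$top"/*) rest=${file#"$top"/} ;;     # the part of the path below TOP
        *) printf 'ERROR: %s is not below %s\n' "$file" "${top:-/}" >&2; return 1 ;;
    esac
    path=${top:-/}
    check_dir "$path" || return 1
    # Walk down one path component at a time, checking each directory ('..',
    # '.', and so on in the article's terms) before looking at the file.
    while [ -n "$rest" ]; do
        case $rest in
            */*) component=${rest%%/*}; rest=${rest#*/} ;;
            *)   component=$rest;       rest="" ;;
        esac
        path="${path%/}/$component"
        if [ ! -e "$path" ]; then
            printf 'MISSING: %s does not exist\n' "$path"
            return 1
        elif [ -d "$path" ]; then
            check_dir "$path" || return 1
        else
            case $(other_bits "$path") in
                r??) ;;
                *)   printf 'BLOCKED: %s is not readable by others (chmod o+r)\n' "$path"
                     return 1 ;;
            esac
        fi
    done
    printf 'ok\n'
}
```

On the article's `drwxr-x---` www directory the walk stops at www and names the missing execute bit; after `chmod o=rx .` it reports `ok`, and if the file itself is later locked down to 600 it points at the file instead. Running it from `/` rather than from a chosen `TOP` checks the whole hierarchy the way the text recommends.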

Hope this helps. Let me know if you have any questions about all this. It's a lot to digest in one sitting.