File Permissions

Viewing File Permissions

File permissions provide a way of controlling whether other people can read (or even modify) your files. This page discusses how file permissions work in Unix and how to change them.

You can view the permissions on a file by typing ``ls -l filename''. For example, here is the result of typing ``ls -l test.html'' in my home directory:

-rw-r--r--   1 eva        users          831 Sep  8 16:45 test.html

The ``-rw-r--r--'' is the part of the output that shows the permissions. To understand what it means, we need to break it into four parts.

File permissions diagram

The first character indicates the file type. Here it is a dash because test.html is an ordinary file. It could also be a d for a directory, or various other letters for more obscure types of file.

The next nine characters fall into three sets of three, corresponding to the access rights of the user who owns the file, the group which owns the file, and all other users. The three characters in each set indicate whether users in the relevant category may read, write or execute the file. An r, w or x means that the users do have the corresponding right, while a dash means that they do not.

Thus in the above example, eva (the user who owns the file) has the access rights rw-, meaning that she may read and write the file but not execute it (since it's an HTML file, executing it wouldn't make much sense). Everyone else has the access rights r--, meaning that they may read the file but not write or execute it.

The following table shows what read, write and execute permissions mean for ordinary files and for directories.

File Directory

Read Can read the file Can list files in the directory

Write Can edit the file Can create and delete files in the directory

Execute Can run the file as a program Can change to the directory

	File	Directory
Read	Can read the file	Can list files in the directory
Write	Can edit the file	Can create and delete files in the directory
Execute	Can run the file as a program	Can change to the directory

A note for those who are concerned about the privacy of their files but want to put up web pages. To view a file, one must be able to change to its directory. Thus if your web pages are to be visible, your home directory and your public_html directory must both be executable by everyone.

Changing File Permissions

File permissions are changed by using the chmod command. The format of this command is
chmod permissions list_of_files

``permissions'' is a three-digit octal number where the three digits correspond to the access rights of the user who owns the file, the group and other users, as discussed above. Each octal digit is the sum of 4 if read permission is granted, 2 if write permission is granted and 1 if execute permission is granted. Here are the most commonly needed permissions:

755 means you can do anything with the file or directory, and other users can read and execute it but not alter it. Suitable for programs and directories you want to make publicly available.
644 means you can read and write the file or directory and other users can only read it. Suitable for public text files.
711 means you can do anything with the file or directory and other users can only execute it. Suitable for directories where you don't want other people browsing through the contents but do want to give them access to selected files.
700 means you can do anything with the file or directory and other users have no access to it at all. Suitable for private directories and programs.
600 means you can read and write the file or directory and other users have no access to it. Suitable for private text files.

You may notice that the permissions for the group and other users are always the same. Since the group ``users'' contains all users, this makes sense.

You can change the default permissions on new files you create using the umask command. The format of this command is
umask octal_number
where octal_number is a three-digit octal number representing what each category of user may not do with the file.

umask 022 means that other users may not edit your files but may read them and execute them where appropriate. (This is the default.)
umask 066 means that other users may not modify or read your files but may execute them where appropriate (for example, they can change to subdirectories of your home directory).
umask 077 means that other users may not access your files at all.