Eberly College of Science Math Dept
MD13 - Securing Files and Directories

Elements of the Unix Security Model

Permissions

Each filesystem object is associated with a set of permissions (also known as a mode) which can be expressed as a series of four octal digits. The permissions on a file correspond to three possible privileges (read, write, and execute) that can be assigned to each of three different classes of user (the user that owns the file, members of the group that owns the file, and others).

     0400   read by owner
     0200   write by owner
     0100   execute by owner
     0040   read by group
     0020   write by group
     0010   execute by group
     0004   read by other
     0002   write by other
     0001   execute by other

Note: This page does not explain the finer points of permissions, including the setuid, setgid, and sticky bits, and ACLs.

The semantics of Unix permissions are fairly clear for files. For directories, permission to read means that a process can obtain a list of the directory's contents. For directories, permission to execute means that a process can access filesystem objects below the directory. For example, if you were to do:

     mkdir foo
     chmod 711 foo
     echo bar >foo/bar.txt
     chmod 644 foo/bar.txt
then other users would not be able to read the directory foo, and so would not be able to see that the file bar.txt exists (using ls, for example), but they would be able to read the file bar.txt (with a command like cat foo/bar.txt). Execute permission also controls a process's ability to use a directory as its current working directory (cwd).
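
The following script is an added example, not part of the original page. It classifies what users in the "other" class can do with a file by reading the mode strings that ls prints for the file and its parent directories. The function names other_bits and other_access are hypothetical, and the check looks only at the "other" bits, ignoring ACLs and group membership.

```shell
#!/bin/sh
# Added example (not from the original page); function names are hypothetical.

# Print the three "other" characters of the ls mode string,
# e.g. "r--" for a 644 file or "--x" for a 711 directory.
other_bits() {
    ls -ld -- "$1" | cut -c8-10
}

# other_access FILE TOP
# Checks every directory from FILE's parent up to and including TOP, then prints:
#   blocked            a directory on the path lacks execute for others
#   unreadable         the file itself lacks read for others
#   readable-unlisted  readable by name, but its directory cannot be listed
#   readable-listed    readable, and its name shows up in ls
other_access() {
    file=$1 top=$2
    parent=$(dirname "$file")
    dir=$parent
    while :; do
        case $(other_bits "$dir") in
            ??[xt]) ;;                     # x, or t = execute plus sticky bit
            *) echo blocked; return 0 ;;
        esac
        if [ "$dir" = "$top" ] || [ "$dir" = / ] || [ "$dir" = . ]; then break; fi
        dir=$(dirname "$dir")
    done
    case $(other_bits "$file") in
        r??) ;;
        *) echo unreadable; return 0 ;;
    esac
    case $(other_bits "$parent") in
        r??) echo readable-listed ;;
        *)   echo readable-unlisted ;;
    esac
}

# Rebuild the page's foo/bar.txt example in a scratch directory and classify it.
demo() {
    scratch=$(mktemp -d) || return 1
    mkdir "$scratch/foo" && chmod 711 "$scratch/foo"
    echo bar > "$scratch/foo/bar.txt" && chmod 644 "$scratch/foo/bar.txt"
    other_access "$scratch/foo/bar.txt" "$scratch/foo"   # readable-unlisted
    chmod 755 "$scratch/foo"
    other_access "$scratch/foo/bar.txt" "$scratch/foo"   # readable-listed
    rm -rf "$scratch"
}
demo
```

A result of readable-unlisted means the directory hides file names only; anyone who knows or guesses a name can still read the file.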

Setting and Reading Permissions

You can set the permissions of a file using the command chmod. For example, to make the file foo, that you own, readable and writable by you, but not readable or writable (or executable) by anyone else, you can use the command:

        chmod 600 foo

You can see the permissions of a file using the ls command:

        ls -al foo

The above ls command might result in output that looks like:

        -rw-r--r--   1 auser    agroup        0 Mar 16 01:57 foo
if auser had first done chmod 644 foo.

Note that the permissions are displayed using the symbols r, w, x, and - (a dash). They are arranged in three groups which give, in order, the privileges of the user, the group, and others.

You can use the symbols above as arguments to chmod. For example, in the following table, each row contains two equivalent commands:

     chmod 600 foo     chmod u=rw,go-rwx foo
     chmod 644 foo     chmod u=rw,go=r foo
     chmod 755 foo     chmod u=rwx,go=rx foo

Permission Guidelines

Further reading
