In this instalment it’s time to make a start on one of the most important Unix/Linux concepts, file permissions. This can get quite confusing, but it’s impossible to over-state the importance of understanding how to read and set permissions on files and folders. To keep things manageable, I’m splitting understanding and altering permissions into two separate instalments.
Linux and Unix (and hence OS X) all share a common file permissions system, but while they share the same common core, they do each add their own more advanced permissions systems on top of that common core. In this first instalment we’re only going to look at the common core, so everything in this instalment applies equally to Linux, Unix, and OS X. In future instalments we’ll take a brief look at the extra file information and permissions OS X associates with files, but we won’t be looking at the Linux side of things, where more granular permissions are provides through kernel extensions like SELinux.
Lets start with some context. Just like every command shell has a present working directory, every process on a Linux/Unix system is also owned by a user, including shell processes. So, when you execute a command in a command shell that process has a file system location associated with it, and a username. By default your shell will be running as the user you logged into your computer as, though you can become a different user if and when you need to (more on that in future instalments). You can see which user you are running as with the very intuitive command:
Secondly, users on Unix/Linux systems can be members of one or more groups. On OS X there are a number of system groups to which your user account may belong, including one called
staff to which all admin users belong. You can see what groups you belong to with the command:
(you can see the groups any username belongs to by adding the username as an argument)
On older versions of OS X creating your own custom groups was hard. Thankfully Apple have addressed this shortcoming in more recent versions of the OS, and you can now create and manage your own custom groups in the
Users & Groups preference pane (click the
+ button and choose
group as the user type, then use the radio buttons to add or remove people from the group).
Unix/Linux file systems like EXT and HFS+ store metadata about each file and folder as part of that file or folder’s entry in the file system. Some of that metadata is purely informational, things like the date the file was created, and the date it was last modified, but that meta data also includes ownership information and a so-called Unix File Permission Mask.
There are two pieces of ownership information stored about every file and folder, a UID, and a GID. What this means is that every file and folder belongs to one user and one group.
In the standard Linux/Unix file permissions model there are only three permissions that can be granted on a file or folder:
- Read (
r): if set on a file it means the contents of the file can be read. If set on a folder it means the contents of the files and folders contained in within the folder can be read, assuming the permissions masks further down the filesystem tree also allow that. If you are trying to access a file, and read permission is blocked at even one point along the absolute path to the file, access will be denied.
- Write (
w): if set on a file it means the contents can be altered, or the file deleted. If set on a folder it means new files or folders can be created within the folder.
- Execute (
x): f set on a file it means the file can be run. The OS will refuse to run any file, be it a script or a binary executable, if the user does not have execute permission. When set on a a folder execute permission controls whether or not the user has the right to list the contents of a directory.
All permutations of these three permissions are possible on any file, even if some of them are counter-intuitive and rarely needed.
The Unix file Permission Mask ties all these concepts together. The combination of the context of the executing process, and the metadata in a file or folder determine the permissions that apply. You can use the
ls -l command to see the ownership information and file permission mask associated with any file or folder.
The hard part is interpreting the meaning of the file permission mask.
On standard Unix/Linux systems this mask contains ten characters, though on OS X it can contain an optional 11th or even 12th character appended to the end of the mask (we’ll be ignoring these for this instalment).
The first character specifies the ‘type’ of the file:
-signifies a regular file
dsignifies a directory (i.e. a folder)
lsignifies a symbolic link (more on these in a later instalment)
pare also valid file types, but they are used to represent things like block devices and sockets rather than ‘normal’ files, and we’ll be ignoring them in this series.
The remaining nine characters represent three sets of read, write, and execute permissions (
rwx), specified in that order. If a permission is present then it is represented by an
x, and if it’s not present, it’s represented by a
The first group of three permission characters are the permissions granted to the user who owns the file, the second three are the permissions granted to all users who are members of the group that owns the file, and the last three are the permissions granted to everyone, regardless of username or group membership.
To figure out what permissions you have on a file you need to know the following things:
- your username
- what groups do you belong to
- what user the file or folder belongs to
- what group the file or folder belongs to
- the file or folder’s permission mask
When you try to read the contents of a file, your OS will figure out whether or not to grant you that access using the following algorithm:
- is the user trying to read the file the owner of the file? If so, check if the owner is granted read permission, if yes, allow to read, if no, continue.
- is the user trying to read the file a member of the group that owns the file? If so, check if the group is granted read permission, if yes, allow read, if no, continue.
- check the global read permission, and allow or deny access as specified.
Write and execute permissions are processed in exactly the same way.
When you see the output of
ls -l, you need to mentally follow the same algorithm to figure out whether or not you have a given permission on a given file or folder. The three columns to look at are the mask, the file owner, and the file group.
We’ll stop here for now. In the next instalment we will explain the meaning of the
@ characters which can show up at the end of a file permission masks on OS X, and we’ll look at the commands for altering the permissions on a file or folder.