This week's tip describes file and directory permissions. When ``file'' is mentioned below, you can replace it with ``directory or file'' unless otherwise noted. When I mention ``user'', I am referring to the owner of a particular file.

Some background
---------------

Files have a user ID associated with them -- your files use your login name for the user ID. Files also have one group ID associated with them -- usually your group is something like ``fac'', ``grad'', or ``guest''. Suppose you do a long directory listing of your files with ``ls -lg'' and see the following:

    drwxr-xr-x  3 fischer  staff     512 Jan 29 11:44 books/
    -rw-r--r--  1 fischer  staff  222072 Nov 25 04:08 brooks-ijcai91.dvi
    -rw-r-----  1 fischer  staff   72148 Feb 15 02:31 cm-6.1
    -rwxr-xr-x  1 fischer  staff   72148 Feb 15 02:31 cmf

Normally people don't use the ``-g'' option to the ``ls'' program -- all it adds is group information, here the single column ``staff''. If you want to find out what group(s) you are in, you may execute the program ``groups''.

Breaking down the information in these listings:

    drwxr-xr-x  3 fischer  staff     512 Jan 29 11:44 books/
    -rw-r--r--  1 fischer  staff  222072 Nov 25 04:08 brooks-ijcai91.dvi
    ^

The first character, if ``d'', means the file is a directory.

    -rwxr-xr-x  1 fischer  staff   72148 Feb 15 02:31 cmf
     ^^^

The first group of three characters refers to permissions that apply to the user's access -- here the user fischer. ``r'' means fischer can Read (or copy) the file. ``w'' means fischer can Write (or delete) the file. ``x'' means fischer can eXecute the file (that is, it can be run as a program). There is one subtlety here. If the file is a directory, then execute permission has a different meaning: the directory can be searched.
----ASIDE----
This means that while an arbitrary individual might not be able to list out a directory (the case if read permission is denied), he may well be able to get to a file in the directory if: the directory is searchable; he knows the name of the file in the directory; and that file in the directory is readable. This is useful for granting ``blind access'' to files in a directory, or for allowing an otherwise unreadable directory to contain readable sub-directories. As I said, rather subtle, although we take advantage of this at math.ufl.edu.
--END OF ASIDE--

    -rwxr-xr-x  1 fischer  staff   72148 Feb 15 02:31 cmf
        ^^^

The second group of three characters refers to permissions that apply to people in the same group as that of the file. Here, people in the ``staff'' group can execute or read the program ``cmf''. The ``-'' means that the corresponding permission is not granted, that is, people in the staff group are not allowed to write (or delete) this file.

    -rwxr-xr-x  1 fischer  staff   72148 Feb 15 02:31 cmf
           ^^^

Finally, the last group of three characters refers to permissions for all other people not in the staff group: anyone may execute (run as a program) or read (copy) this file.

How to set permissions on files
-------------------------------

The program to change permissions is called ``chmod'', in the usual obscure Unix manner (it really stands for CHange MODe and is pronounced correctly as cha'-mod). There are two methods for using chmod. First, some examples using a mnemonic method:

    chmod g+wr <files>    Allow (+) members in your Group to Read or Write the files listed as <files>.
    chmod o-wrx <files>   Do not allow (-) Others (excluding yourself and your group) to Read or Write or Execute the files listed as <files>.
    chmod ugo-w <files>   Do not allow (-) User (yourself), Group or Others to Write (or delete) the files listed as <files>.

The above method is conservative: it does not change any permissions that are not specified.
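To see the conservative behaviour of the mnemonic method, the following added script (not part of the original tip; the function names chmod_demo and mode_of are my own) applies each of the three chmod forms above to a scratch file whose starting mode is set explicitly, then reads the resulting permission string back out of the same ``ls -l'' listing format dissected above. Only the bits named in the symbolic change move:

```shell
#!/bin/sh
# Added example (not from the original tip): apply the three mnemonic chmod
# forms from the text to a scratch file and read the resulting mode string
# back from ``ls -ld''.
set -eu

# mode_of PATH -> the 10-character type+permission field of ``ls -ld''.
# Only the first 10 characters are kept, so a trailing ACL/xattr marker
# (``+'', ``@'' or ``.'' on some systems) does not disturb the result.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# chmod_demo START_OCTAL SYMBOLIC_CHANGE -> mode string after the change.
# The scratch file is first set to START_OCTAL so the demonstration does not
# depend on the caller's umask, then the mnemonic change is applied.
chmod_demo() {
    start_mode=$1
    change=$2
    dir=$(mktemp -d)
    f="$dir/scratch"
    : > "$f"                      # create an empty regular file
    chmod "$start_mode" "$f"      # known starting point
    chmod "$change" "$f"          # the mnemonic change under test
    mode_of "$f"
    rm -rf "$dir"
}

# Usage, mirroring the tip's three examples:
chmod_demo 644 g+wr     # -rw-rw-r--  group gains write; user and others untouched
chmod_demo 755 o-wrx    # -rwxr-x---  others lose everything; user and group untouched
chmod_demo 755 ugo-w    # -r-xr-xr-x  only the write bits are cleared
```

Each call starts from a fresh file, so the three results are independent; compare the start mode with the printed string to see that nothing outside the named class and permission letters changed.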
There is also a more technical method for setting permissions that is more common and has more appeal: if you consider the 3 sets of 3 permissions as bits, you can generate an octal (base 8) number in the following manner.

           rwx r-x r-x  fischer   72148 Feb 15 02:31 cmf
    base 2 111 101 101
    base 8   7   5   5

Another method: you can simply use the following table and add the numbers corresponding to the permissions desired -- the entries that pertain to the above example have an asterisk prepended.

    * 400  Read by owner.
    * 200  Write by owner.
    * 100  Execute (search in directory) by owner.
    * 040  Read by group.
      020  Write by group.
    * 010  Execute (search) by group.
    * 004  Read by others.
      002  Write by others.
    * 001  Execute (search) by others.
      -----
      755

This number is used in the compact chmod command: ``chmod 755 cmf'' would set the permissions in the example listing for the file ``cmf'' above. In reality, most people just remember the following common uses:

    chmod 600 <file>       Only the user is allowed to read or write <file>.
    chmod 640 <file>       People in the same group are allowed to read, but not write, <file>.
    chmod 644 <file>       Only the user can write <file>, but anyone can read it.
    chmod 700 <directory>  Only the user is allowed access to <directory>.
    chmod 750 <directory>  Additionally, members of the same group are allowed to read or search <directory>.
    chmod 755 <directory>  Anyone is allowed to search <directory>.

How to set default permissions
------------------------------

Perhaps you are wondering what permissions are in effect for newly created files, such as those created by the emacs editor or the .dvi files produced by the TeX program. This is set by a special command called ``umask'', and is typically done in your startup file .cshrc; you will probably find something like the following in that file:

    umask 026

This is used to turn off permissions for file creation.
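The bit arithmetic above, carried out by a script rather than by hand, as an added example that is not part of the original tip (the function names sym2oct and oct2sym are my own). It converts the nine-character permission string shown by ``ls -l'' into the octal number chmod takes, and back again; it also accepts the full ten-character field with the leading type character, and treats ``s'' and ``t'' in an execute position as execute set, since those letters stand for execute plus a special bit the tip does not cover:

```shell
#!/bin/sh
# Added example (not from the original tip): convert between the symbolic
# permission string of ``ls -l'' and the octal mode used by chmod.
set -eu

# sym2oct rwxr-xr-x -> 755
# Each r/w/x in a triple contributes 4/2/1; the three triples become the
# three octal digits (user, group, others), exactly as in the text's table.
sym2oct() {
    sym=$1
    # A 10-character field from ``ls -l'' carries the type character first;
    # drop it so only the nine permission characters remain.
    case ${#sym} in 10) sym=${sym#?} ;; esac
    out=""
    for start in 1 4 7; do
        triple=$(printf '%s' "$sym" | cut -c"$start-$((start + 2))")
        digit=0
        case $triple in r??) digit=$((digit + 4)) ;; esac
        case $triple in ?w?) digit=$((digit + 2)) ;; esac
        # lowercase s (setuid/setgid) and t (sticky) mean x is set as well;
        # the special bits themselves (4000/2000/1000) are not reported.
        case $triple in ??[xst]) digit=$((digit + 1)) ;; esac
        out="$out$digit"
    done
    printf '%s\n' "$out"
}

# oct2sym 640 -> rw-r-----
# Only the low three digits are used, so 0755 or 4755 both give rwxr-xr-x.
oct2sym() {
    oct=$(printf '%s' "$1" | tail -c 3)
    out=""
    for pos in 1 2 3; do
        d=$(printf '%s' "$oct" | cut -c"$pos")
        r=-; w=-; x=-
        [ $((d & 4)) -ne 0 ] && r=r
        [ $((d & 2)) -ne 0 ] && w=w
        [ $((d & 1)) -ne 0 ] && x=x
        out="$out$r$w$x"
    done
    printf '%s\n' "$out"
}

# Usage, on the modes from the listing and the table of common uses above:
sym2oct rwxr-xr-x      # 755  (the cmf example)
sym2oct -rw-r-----     # 640  (the cm-6.1 line, type character included)
oct2sym 600            # rw-------
oct2sym 750            # rwxr-x---
```

Feeding the output of sym2oct straight into chmod reproduces a listing's permissions on another file; feeding an octal mode into oct2sym shows what ``ls -l'' will display before you commit to it.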
Look at the binary representation of this (octal) number next to the permissions -- wherever there is a set bit, the associated permission is denied:

    User  Group  Others
    rwx   rwx    rwx
    000   010    110

This specifies that any newly created file will not be readable or writable by others, nor writable by the members of the same group (the execute portion is ignored unless the file is a directory). Otherwise, the permission is granted, i.e., permissions of newly created files are 640. If a directory is being created then permissions are set to 751 (note the aside above for details on the uses of that last bit). You can find out what your default umask is by simply running ``umask'' without arguments. Some programs override this -- the Unix ``mail'' program sets the ``mbox'' file (where read mail is saved) to be readable only by the user. Not all mail handling programs do this, however.

Current practice at math.ufl.edu
--------------------------------

In general, all faculty and graduate accounts are set up with their own groups, ``fac'' and ``grad'', respectively, with umasks of 026. Thus graduate students can read (but not write) other graduate students' files, while all others cannot read their directories. Similarly, faculty members can read (but not write) other faculty members' files, while members of the ``grad'' and ``class'' accounts are denied access. Special tricks are used for ``class'' accounts -- the group permissions at the top level directories for these accounts are initially all turned off so that class accounts cannot see one another's files at all. This of course is under each user's personal control. There are other groups with more complex schemes, for instance the ``usps'' group. I personally use a umask of 022 so that anyone can read whatever files I create or execute the programs I write.
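The umask arithmetic explained above, worked out by a script for the 026 and 022 masks discussed, as an added example that is not part of the original tip (the function names new_mode and mask_bits are my own). Programs ask for 666 when creating a plain file and 777 when creating a directory; the system clears every bit that is set in the umask, which is why 026 yields 640 for files and 751 for directories:

```shell
#!/bin/sh
# Added example (not from the original tip): predict the mode a new file or
# directory receives under a given umask, and lay the mask out as the binary
# deny-table the text draws under ``User Group Others''.
set -eu

# new_mode UMASK file|dir -> resulting three-digit octal mode.
# Arithmetic expansion reads a leading 0 as octal; ~ inverts the mask,
# & keeps only the bits the mask does not deny, printf %o prints octal.
new_mode() {
    mask=$1
    case $2 in
        file) base=0666 ;;     # a new plain file never gets execute bits
        dir)  base=0777 ;;
        *)    echo "usage: new_mode UMASK file|dir" >&2; return 1 ;;
    esac
    printf '%03o\n' $(( $base & ~0$mask ))
}

# mask_bits UMASK -> the three binary triples of the mask, one per class;
# a 1 marks a permission that newly created files will lack.
mask_bits() {
    out=""
    for pos in 1 2 3; do
        d=$(printf '%s' "$1" | cut -c"$pos")
        out="$out $(( (d >> 2) & 1 ))$(( (d >> 1) & 1 ))$(( d & 1 ))"
    done
    printf '%s\n' "${out# }"
}

# Usage, for the masks mentioned in the text:
mask_bits 026          # 000 010 110  (the table in the text)
new_mode 026 file      # 640
new_mode 026 dir       # 751
new_mode 022 file      # 644
new_mode 022 dir       # 755
new_mode 077 dir       # 700  (the private directory described below)
```

One point worth keeping in mind when relying on a 700 directory: creating, renaming or deleting an entry is governed by the write bit on the directory, not on the file inside it, so the directory's mode is what protects the contents from removal as well as from reading.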
Files of a sensitive nature I place in one or more directories with permissions of 700, denying access to anyone but myself: I thus do not need to worry about the read permissions on the individual files contained therein. Part of the design philosophy behind Unix was to allow a very open and communicative system, so it is generally felt that directories open for read are fair game for browsing. This is fairly safe considering the default umask of 026: you needn't worry about your students stumbling onto your tests, for example.

Learning more about the commands
--------------------------------

As always, this is only the tip of the iceberg (sorry). There are man pages on all these commands. You may want to start by looking at the man pages for ``ls'' and ``chmod''. There are usually references at the end of each manual entry to other relevant man pages; look for the heading ``SEE ALSO''.

Subject: file and directory permissions