Playing with permissions using umask & chmod
Aftab Hussain
January 25, 2020
UNIX SYSTEM ADMINISTRATION
r, w, x
Files and directories have permissions in UNIX, with respect to a user, a group, and others.
For example (output by ll
),
-rw-rw-r-- 1 aftab aftab 74150 Jan 20 19:45 favicon1.ico
A total of 10 characters are used for determining a file’s permission. The first character is a dash, which shows that this is the information for a file.
For a directory the first character would be a d
. For example,
drwxrwxr-x 2 aftab aftab 4096 Jan 20 18:57 css/
The next 9 characters show the permissions, of which the first 3 show the access permissions for the file/directory available to a user. The next 3 characters show the access permissions available for the group. The last set of 3 characters show those available for anybody outside the group.
(We can know the current user id, group, and all the available groups using id
.)
Any 3-character set defines the following permissions, in the following order:
read (r)
, write (w)
, and execute (x)
. The absence of these permissions is
shown using a -
in the corresponding position.
For example, for the favicon1.ico
file shown above, the user aftab
does not have execute permissions.
chmod
The chmod
command can be used to change the permissions of that file. Here’s an example
chmod 777 favicon1.ico
Each digit in the numeric input to chmod corresponds to a set of 3 characters
of the file’s permission. As such, the characters are set based on the binary
representation of a digit. For example the first 7, is 111 in binary (by
converting each digit to its binary representation). This means the first 3
characters (or permissions) for the user would be changed to rwx
(i.e. all
set). 777 gives maximum access to all users of a file.
What about r, w, x for directories?
r
- You are able to see what’s in a directory.
w
- You are able to write to a directory, i.e., create files and subfolders in it.
x
- You can enter it, i.e., you can change directory into it, and access any of its files.
Reference:
File and Directory Permissions in UFS and NFS, MIT
To know how to see octal permissions of a file, check out How to get octal file permissions on Linux/Unix command line, nixCraft.
umask
Unix defines something known as a default base permission or pre-defined initial permission which is generally 666. This gives us the following permissions,
110110110 (in binary)
rw-rw-rw- (in r,w,x character representation)
Now, when you create any file in UNIX, it is given a certain set of permissions by default (the default permission). Note that the above permissions are not directly applied to the file. There is a little calculation that takes place.
A bit-wise AND is performed between the above pre-defined initial permission (P) and the bit-wise OR of a umask permission (M). The result, the default permission (R) of the file is obtained as follows:
R = P & ( ! M )
Alternately,
R = P - M
(Using their octal representations)
Pre-defined initial permissions for files and directories are 666 and 777 respectively. Default umask permissions for root user and the rest of the users are 0022 and 0002 respectively.
References:
File Mode Creation Mask / umask Calculator
How to change Default Umask Permission in Linux, ComputerNetworkingNotes.com
You can change the mask as follows:
umask 0007
(Note the extra 0 in the beginning. This is because, by convention, UNIX represents these values using 4-bit octal numbers (0-7).)
Reference:
Practical Unix & Security
Example
Using the default settings, say we created a file testfile.txt
. Here are the permission info:
-rw-rw-r--
Let’s see how we got the above. Since this is a file, the P value we would be
using is 666, and the M value is 002. Subtracting, we get 664. This is
110110100 in binary (again, converting each digit to its binary
representation). Translating this binary sequence into the rwx-character
sequence gives us, rw-rw-r--
.
The Access Control List
For more subtle management of permissions, we have something known as the access control list in Unix.
Access control list (ACL) provides an additional, more flexible permission mechanism for file systems. It is designed to assist with UNIX file permissions. ACL allows you to give permissions for any user or group to any disk resource. - Access Control Lists, wiki.archlinux.org
getfacl
(get full acl) and setfacl
are the commands that would come handy. Check out the above link for details.