Manage file permissions on Unix-like systems

Overview

Unix-like operating systems, such as Linux, running on shared high-performance computers use settings called permissions to determine who can access and modify the files and directories stored in their file systems. Each file and directory in a file system is assigned "owner" and "group" attributes.

Most commonly, by default, the user who creates a file or directory is set as the owner of that file or directory. When needed (for example, when a member of your research team leaves), the system's root administrator can change the owner attribute for files and directories.

The group designation can be used to grant teammates and/or collaborators shared access to an owner's files and directories, and provides a convenient way to grant access to multiple users.

View file permissions

To view the permissions for all files in a directory, use the ls command with the -la options. Add other options as desired; for help, see List the files in a directory in Unix.

For example, if you enter:

ls -lah

You should see output similar to the following:

-rw-r--r-- 1 user1 group1 62 Jan 15 16:10 myfile.txt
drwxr-xr-x 2 user1 group1 2048 Jan 15 17:10 Example

In the output example above, the first character in each line indicates whether the listed object is a file or a directory. Directories are indicated by a d, as in the second line; a - in that position, as at the beginning of the first line, indicates that myfile.txt is a regular file.

The letters rwx represent different permission levels:

Permission   Files                   Directories
r            can read the file       can ls the directory
w            can write the file      can modify the directory's contents
x            can execute the file    can cd to the directory

Note the multiple instances of r, w, and x. These are grouped into three sets that represent different levels of ownership:

  • Owner or user permissions: After the directory (d) slot, the first set of three characters indicates permission settings for the owner (also known as the user).

    In the example -rw-r--r--, the owner permissions are rw-, indicating that the owner can read and write to the file but can't execute it as a program.

    In the example drwxr-xr-x, the owner permissions are rwx, indicating that the owner can view, modify, and enter the directory.

  • Group permissions: The second rwx set indicates the group permissions. In the fourth column of the example above, group1 is the group name.

    In the example -rw-r--r--, group members can only read the file.

    In the example drwxr-xr-x, group members can view as well as enter the directory.

  • Other permissions: The final rwx set is for "other" (sometimes referred to as "world"). This is anyone who is neither the owner nor a member of the file's group. In both examples above, these are set to the same permissions as the group.

Change file permissions

To change file and directory permissions, use the command chmod (change mode). The owner of a file can change the permissions for user (u), group (g), or others (o) by adding (+) or subtracting (-) the read, write, and execute permissions.

There are two basic ways of using chmod to change file permissions: the symbolic method and the absolute form.

Symbolic method

The first and probably easiest way is the relative (or symbolic) method, which lets you specify permissions with single-letter abbreviations. A chmod command using this method consists of at least three parts from the following lists:

Access class            Operator                Access type
u (user)                + (add access)          r (read)
g (group)               - (remove access)       w (write)
o (other)               = (set exact access)    x (execute)
a (all: u, g, and o)

For example, to add permission for everyone to read a file in the current directory named myfile, at the Unix prompt, enter:

chmod a+r myfile

The a stands for "all", the + for "add", and the r for "read".

Note:
This assumes that everyone already has access to the directory where myfile is located and its parent directories; that is, you must set the directory permissions separately.

If you omit the access class, it's assumed to be all, so you could also enter the previous example as:

chmod +r myfile

You can also specify multiple classes and types with a single command. For example, to remove read and write permission for group and other users (leaving only yourself with read and write permission) on a file named myfile, you would enter:

chmod go-rw myfile

You can also specify that different permissions be added and removed in the same command. For example, to remove write permission and add execute for all users on myfile, you would enter:

chmod a-w+x myfile

In each of these examples, the access types that aren't specified are unchanged. The previous command, for example, doesn't change any existing settings specifying whether users besides yourself may have read (r) access to myfile. You could also use the exact form to explicitly state that group and other users' access is set only to read with the = operator:

chmod go=r myfile

The chmod command also operates on directories. For example, to remove write permission for other users on a subdirectory named mydir, you would enter:

chmod o-w mydir

To do the same for the current directory, you would enter:

chmod o-w .

To change permissions recursively in all subdirectories below the specified directory, add the -R option; for example, to grant execution permissions for other users to a directory (mydir) and all the subdirectories it contains, you would enter:

chmod -R o+x mydir

Be careful when setting the permissions of directories, particularly your home directory; you don't want to lock yourself out by removing your own access. Also, you must have execute permission on a directory to switch (cd) to it.
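To make the rules in this section concrete (unspecified access types stay unchanged, = replaces the whole set, an omitted class means all), here is an added example that is not part of the original article: a small POSIX shell simulator for the symbolic syntax. Given a starting mode in the three-digit form and an expression such as go-rw or a-w+x, it computes the mode chmod would produce without touching any file. The function name apply_symbolic is this example's own; comma-separated lists (which the article does not use) are not supported.

```shell
#!/bin/sh
# Added example, not part of the original Knowledge Base article: a simulator
# for the symbolic chmod syntax. It does not modify any file, and it ignores
# umask (on a real chmod, umask only matters when the access class is omitted,
# as in "chmod +r myfile").

# apply_symbolic MODE EXPRESSION -> resulting three-digit mode
apply_symbolic() {
    mode=$1
    spec=$2
    case $mode in
        [0-7][0-7][0-7]) ;;
        *) echo "apply_symbolic: expected a three-digit mode, got '$mode'" >&2; return 1 ;;
    esac
    # split the mode into one digit per access class
    u=${mode%??}
    g=${mode#?}; g=${g%?}
    o=${mode#??}

    # leading access-class letters (u, g, o, a); none at all means "a"
    classes=""
    while :; do
        case $spec in
            [ugoa]*) classes="$classes${spec%"${spec#?}"}"; spec=${spec#?} ;;
            *) break ;;
        esac
    done
    [ -n "$classes" ] || classes=a
    case $classes in *a*) classes=ugo ;; esac

    # then one or more operator/permission groups, applied left to right
    [ -n "$spec" ] || { echo "apply_symbolic: missing operator" >&2; return 1; }
    while [ -n "$spec" ]; do
        op=${spec%"${spec#?}"}
        spec=${spec#?}
        case $op in
            [+=-]) ;;
            *) echo "apply_symbolic: unexpected character '$op'" >&2; return 1 ;;
        esac
        value=0
        while :; do
            case $spec in
                r*) value=$((value | 4)); spec=${spec#?} ;;
                w*) value=$((value | 2)); spec=${spec#?} ;;
                x*) value=$((value | 1)); spec=${spec#?} ;;
                *) break ;;
            esac
        done
        for class in u g o; do
            case $classes in *$class*) ;; *) continue ;; esac
            eval "current=\$$class"
            case $op in
                +) updated=$((current | value)) ;;      # add the listed permissions
                -) updated=$((current & ~value)) ;;     # remove them, keep the rest
                =) updated=$value ;;                    # set exactly these, clearing others
            esac
            eval "$class=$updated"
        done
    done
    printf '%s%s%s\n' "$u" "$g" "$o"
}

# The article's examples, starting from a file with mode 644 (rw-r--r--)
apply_symbolic 644 a+r      # 644 (everyone could already read it)
apply_symbolic 644 go-rw    # 600 (only the owner keeps read and write)
apply_symbolic 644 a-w+x    # 555 (write removed, execute added, read untouched)
apply_symbolic 600 go=r     # 644 (group and other set to exactly read)
```

The last two runs show the difference that matters most in practice: a-w+x leaves the read bits exactly as they were, whereas go=r discards whatever group and other had before and sets read only.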

Absolute form

The other way to use the chmod command is the absolute form, in which you specify a set of three numbers that together determine all the access classes and types. Rather than being able to change only particular attributes, you must specify the entire state of the file's permissions.

The three numbers are specified in the order: user (or owner), group, and other. Each number is the sum of values that specify read, write, and execute access:

Permission    Number
Read (r)      4
Write (w)     2
Execute (x)   1

Add the numbers of the permissions you want to give; for example:

  • For file myfile, to grant read, write, and execute permissions to yourself (4+2+1=7), read and execute permissions to users in your group (4+0+1=5), and only execute permission to others (0+0+1=1), you would use:
    chmod 751 myfile
  • To grant read, write, and execute permissions on the current directory to yourself only, you would use:
    chmod 700 .

You can think of the three digit sequence as the sum of attributes you select from the following table:

Read by owner 400
Write by owner 200
Execute by owner 100
Read by group 040
Write by group 020
Execute by group 010
Read by others 004
Write by others 002
Execute by others 001

Sum all the accesses you wish to permit. For example, to give write and execute privileges to the owner of myfile (200+100=300), and give read privileges to all (400+040+004=444), you would enter:

chmod 744 myfile

Some other examples are:

777 anyone can do anything (read, write, or execute)
755 you can do anything; others can only read and execute
711 you can do anything; others can only execute
644 you can read and write; others can only read
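The permission strings shown by ls -l earlier on this page and the three-digit absolute form are two notations for the same nine bits. As an added example (not code from the original article), the following POSIX shell functions convert in both directions and read the current mode of a real path from ls -ld. The function names perm_to_octal, octal_to_perm and mode_of are this example's own; only the r, w, x and - characters the article describes are handled.

```shell
#!/bin/sh
# Added example, not part of the original Knowledge Base article.
# Converts between the nine permission characters that "ls -l" prints
# (for example "rwxr-xr-x") and the three-digit absolute form that chmod
# accepts (for example 755). setuid/setgid/sticky markers (s, S, t, T),
# which the article does not cover, are rejected.

# perm_to_octal STRING -> three digits, e.g. "rw-r--r--" -> "644"
perm_to_octal() {
    perms=$1
    if [ ${#perms} -ne 9 ]; then
        echo "perm_to_octal: expected nine characters, got '$perms'" >&2; return 1
    fi
    case $perms in
        *[!rwx-]*) echo "perm_to_octal: only r, w, x and - are handled: '$perms'" >&2; return 1 ;;
    esac
    result=""
    while [ -n "$perms" ]; do
        rest=${perms#???}            # everything after the first three characters
        triplet=${perms%"$rest"}     # the three characters of one access class
        perms=$rest
        digit=0
        case $triplet in r??) digit=$((digit + 4)) ;; esac   # read    = 4
        case $triplet in ?w?) digit=$((digit + 2)) ;; esac   # write   = 2
        case $triplet in ??x) digit=$((digit + 1)) ;; esac   # execute = 1
        result="$result$digit"
    done
    printf '%s\n' "$result"
}

# octal_to_perm DIGITS -> nine characters, e.g. "751" -> "rwxr-x--x"
octal_to_perm() {
    mode=$1
    case $mode in
        [0-7][0-7][0-7]) ;;
        *) echo "octal_to_perm: expected three digits 0-7, got '$mode'" >&2; return 1 ;;
    esac
    result=""
    while [ -n "$mode" ]; do
        rest=${mode#?}
        digit=${mode%"$rest"}        # one access class at a time: user, group, other
        mode=$rest
        if [ $((digit & 4)) -ne 0 ]; then result="${result}r"; else result="${result}-"; fi
        if [ $((digit & 2)) -ne 0 ]; then result="${result}w"; else result="${result}-"; fi
        if [ $((digit & 1)) -ne 0 ]; then result="${result}x"; else result="${result}-"; fi
    done
    printf '%s\n' "$result"
}

# mode_of PATH -> the nine permission characters of an existing file or directory,
# taken from columns 2-10 of "ls -ld" (column 1 is the file type)
mode_of() {
    line=$(ls -ld "$1") || return 1
    printf '%s\n' "$line" | cut -c2-10
}

# Worked examples using the strings from the "ls -lah" output above
perm_to_octal rw-r--r--   # 644 (myfile.txt)
perm_to_octal rwxr-xr-x   # 755 (the Example directory)
octal_to_perm 751         # rwxr-x--x
```

To audit a real file, combine the two: perm_to_octal "$(mode_of myfile)" prints the mode you would pass to chmod to reproduce its current permissions exactly.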

Common issues when sharing data with other users

Important:
Be sure you understand your responsibilities when processing, storing, and sharing data containing protected health information (PHI). For more, see Your legal responsibilities for protecting data containing protected health information (PHI) when using UITS Research Technologies systems and services.

To share a file or directory that you own with someone, you can grant read and execute privileges for that user. However, you must also set the same privileges on any parent directories above the item you're sharing; if you don't, the user can't look into (ls) or change into (cd) all the parent directories above your file or directory.

If you think of a file system as a physical place, then permissions work like keys that let you access different directories:

  • The read (r) permission lets users look (ls) into directories.
  • The execute (x) permission lets users move (cd) into directories.
  • The write (w) permission lets users add and remove files.

For example, say you want to give someone access to /N/u/leorgana/R2D2/blueprints. Imagine the path as a physical space:

  • /N is the gated community where you live.
  • /u is the unit.
  • /leorgana is your apartment.
  • /R2D2 is a room in your apartment.
  • /blueprints is a closet in your room.

To let someone run scripts you have stored at /N/u/leorgana/R2D2/blueprints, you would need to give that person access to every part of /N/u/leorgana/R2D2/blueprints. You might try to do it this way:

chmod +rx /N/u/leorgana/R2D2/blueprints

However, users can't read or access a subdirectory unless they also have x permissions to the parent directories. In other words, the above command gives out a key to your closet, but not to your room or apartment.

To resolve this, give x permissions to the parent directories you control:

chmod +x /N/u/leorgana/
chmod +x /N/u/leorgana/R2D2

This will let others move (cd) to the blueprints directory. Because the parent directories don't have r permissions, users will only be able to look (ls) within the blueprints directory, keeping the rest of your file system private.
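The "key to the closet but not the room" problem above is easy to check for mechanically. As an added example, not part of the original article, the following POSIX shell script walks every directory from a starting point down to the item you want to share and reports the first one that "other" users cannot enter. It reads the permission bits from ls -ld rather than testing access with test -x, so the answer describes what another account would get no matter who runs the script. The function names other_perms, first_blocking_parent and demo are this example's own, and the demonstration builds the article's /N/u/leorgana/R2D2/blueprints path inside a temporary directory rather than touching a real home directory.

```shell
#!/bin/sh
# Added example, not part of the original Knowledge Base article: find the
# first parent directory that stops "other" users from reaching a path.

# other_perms PATH -> the three "other" characters of the mode, e.g. "r-x"
# (columns 8-10 of "ls -ld"; columns 2-7 are user and group)
other_perms() {
    line=$(ls -ld "$1") || return 1
    printf '%s\n' "$line" | cut -c8-10
}

# first_blocking_parent ROOT TARGET
# Prints the first directory on the chain ROOT ... TARGET that others cannot
# enter (no x bit) and returns 1; prints nothing and returns 0 if the whole
# chain can be traversed. Checking starts at ROOT because the levels above it
# (/N and /u in the article) are usually not yours to change.
first_blocking_parent() {
    root=$1
    target=$2
    case $target in
        "$root"/*) ;;
        *) echo "first_blocking_parent: $target is not below $root" >&2; return 2 ;;
    esac
    remaining=${target#"$root"/}
    dir=$root
    while :; do
        case $(other_perms "$dir") in
            ??x) ;;                                   # others may pass through
            *)   printf '%s\n' "$dir"; return 1 ;;
        esac
        [ -n "$remaining" ] || return 0               # reached TARGET itself
        case $remaining in
            */*) dir="$dir/${remaining%%/*}"; remaining=${remaining#*/} ;;
            *)   dir="$dir/$remaining"; remaining="" ;;
        esac
    done
}

# Demonstration on a constructed tree: the article's path under a temp dir
demo() {
    base=$(mktemp -d) || return 1
    home="$base/N/u/leorgana"
    share="$home/R2D2/blueprints"
    mkdir -p "$share"
    chmod 711 "$base" "$base/N" "$base/N/u"        # system levels: passable by everyone
    chmod 700 "$home" "$home/R2D2" "$share"         # a private home directory tree

    chmod a+rx "$share"                             # the article's first attempt
    printf 'after chmod +rx on blueprints, blocked at: '
    first_blocking_parent "$base" "$share" || true  # prints .../leorgana

    chmod a+x "$home" "$home/R2D2"                  # the fix: x on the parents you control
    printf 'after adding x to the parents, blocked at: '
    first_blocking_parent "$base" "$share" && echo "(nothing; the chain is open)"

    rm -rf "$base"
}
demo
```

The demonstration spells out the class as a+rx and a+x where the article writes +rx and +x. The two are equivalent except that, when no class is given, chmod leaves alone any bits that are set in your umask; naming the class explicitly makes the result independent of that setting.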

Get help

For more about chmod, consult the manual page. At the Unix prompt, enter:

man chmod

At Indiana University, for personal or departmental Linux or Unix systems support, see Get help for Linux or Unix at IU.

This is document abdb in the Knowledge Base.
Last modified on 2023-07-24 10:38:59.