I hope you brought your sweat band … Today’s Boot Camp workout is going to be pretty intense. We’re focusing on our permissions muscles. Permissions in a UNIX environment cause a lot of customer issues … While everyone understands the value of secure systems and limited access, any time an “access denied” message pops up, the most common knee-jerk reaction is to enable full access to one’s files (chmod 777, as I’ll explain later). This is a BAD IDEA. Open permissions are a hacker’s dream come true. An open permission setting might have been a temporary measure, but more often than not, the permissions are left in place, and the files remain vulnerable.
To better understand how to use permissions, let’s take a step back and get a quick refresher on key components.
You’ll need to remember the three permission types:
r w x: r = read; w = write; x = execute
And the three types of access they can be applied to:
u g o: u = user; g = group; o = other
Permissions are usually displayed in one of two ways – either with letters (rwxrwxrwx) or numbers (777). When the permissions are declared with letters, read them as three sets of three characters. The first set applies to the user, the second applies to the group, and the third applies to other (everyone else). If a file is readable only by the user and cannot be written to or executed by anyone, its permission level would be r--------. If it could be read by anyone but could only be written by the user and the group, its permission level would be rw-rw-r--.
The numeric form of chmod uses bits to represent permission levels: read has the value 4, write has the value 2, and execute has the value 1. When you want a file to have read and write access, you just add the values: 4 + 2 = 6. When you want a file to have read, write and execute access, you’ll have 4 + 2 + 1, or 7. You then apply that numeric permission to a file in the same order as above: user, group, other. Using the last example from the previous paragraph, a file that could be read by anyone, but could only be written by the user and the group, would have a numeric permission level of 664 (user: 6, group: 6, other: 4).
Now the “chmod 777” I referenced above should make a little more sense: all users are given all permissions (4 + 2 + 1 = 7).
Understanding these components, applying permissions is pretty straightforward with the use of the chmod command. If you want a user (u) to write and execute a file (wx) but not read it (r), you’d use something like this:
In the above terminal image, I added the -v parameter to make it “verbose,” so it displays the related output or results of the command. The permissions set by the command are shown by the number 0300 and the series (-wx------). Nobody but the user can write or execute this file, and as of now, the user can’t even read the file. If you were curious about the leading 0 in “0300,” it simply means that you’re viewing an octal output, so for our purposes, it can be ignored entirely.
In that command, we’re removing the read permission from the user (hence the minus sign between u and r), and we’re giving the user write and execute permissions with the plus sign between u and wx. Want to alter the group or other permissions as well? It works exactly the same way: g+, g-, o+, o- … Getting the idea? chmod permissions can be set with the letter-based commands (u+r, u-w) or with their numeric equivalents (e.g. 400 or 644), whichever floats your boat.
A Quick Numeric
chmod 777 | Gives the specified file read, write and execute permissions (rwx) to ALL users
chmod 666 | Gives read and write privileges (rw) to ALL users
chmod 555 | Gives read and execute permissions (rx) to ALL users
chmod 444 | Gives read permissions (r) to ALL users
chmod 333 | Gives write and execute permissions (wx) to ALL users
chmod 222 | Gives write privileges (w) to ALL users
chmod 111 | Gives execute privileges (x) to ALL users
chmod 000 | Last but not least, gives permissions to NO ONE (Careful!)
Get a List of File Permissions
To see what your current file permissions are in a given directory, execute the ls -l command. This returns a list of the current directory including the permissions, the owner and group, the size and the date each file was last modified. The output of ls -l looks like this:
On the left side of that image, you’ll see the permissions in the rwx format. When the permission string begins with the “d” character, that object is a directory. When it starts with a dash (-), it is a regular file.
Practice Deciphering Permissions
Let’s look at a few examples and work backward to apply what we’ve learned:
- Example 1: -rw-------
- Example 2: drwxr-x---
- Example 3: -rwxr-xr-x
In Example 1, the file is not a directory, the user that owns this particular object has read and write permissions, and when the group and other fields are filled with dashes, we know that their permissions are set to 0, so they have no access. In this case, only the user who owns this object can do anything with it. We’ll cover “ownership” in a future blog, but if you’re antsy to learn right now, you can turn to the all-knowing Google.
In Example 2, the permissions are set on a directory. The user has read, write and execute permissions, the group has read and execute permissions, and anyone other than the owning user or group has no access at all.
For Example 3, put yourself to the test. What access is represented by “-rwxr-xr-x”? The answer is included at the bottom of this post.
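As an added example (not code from the original post), the POSIX shell script below does the deciphering from this section in code: it converts an ls -l permission string into its numeric chmod form, replays the u-r,u+wx change from the terminal example above on a scratch file, and audits a directory for the world-writable files that a leftover chmod 777 creates. It assumes only the standard chmod, ls, find, mktemp, cut, wc and tr utilities; the file and directory names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post); needs only chmod, ls, find,
# mktemp, cut, wc and tr. Scratch file names below are constructed.

# mode_to_octal STRING: print the three-digit numeric mode for a string such
# as rwxr-xr-x or -rwxr-xr-x. A leading type character (d or -) and a trailing
# '.' or '+' (SELinux label / ACL marker in ls -l output) are ignored.
mode_to_octal() {
    s=$1
    case ${#s} in
        9) ;;
        10|11) s=$(printf '%s' "$s" | cut -c2-10) ;;
        *) echo "bad mode string: $s" >&2; return 1 ;;
    esac
    out=""
    for start in 1 4 7; do                 # user, group, other triplets
        trip=$(printf '%s' "$s" | cut -c"$start-$((start + 2))")
        n=0
        case $trip in r??) n=$((n + 4)) ;; esac
        case $trip in ?w?) n=$((n + 2)) ;; esac
        case $trip in ??[xst]) n=$((n + 1)) ;; esac   # s/t also imply execute
        out="$out$n"
    done
    printf '%s\n' "$out"
}

# demo_chmod: start a scratch file at 400 (r--------), apply the post's
# symbolic change u-r,u+wx, and print the resulting numeric mode (300).
demo_chmod() {
    f=$(mktemp) || return 1
    chmod 400 "$f" && chmod u-r,u+wx "$f"
    mode=$(ls -l "$f" | cut -c1-10)
    rm -f "$f"
    mode_to_octal "$mode"
}

# world_writable DIR: list regular files under DIR whose "other" write bit
# (octal 002) is set, i.e. the leftovers of a chmod 777 or 666.
world_writable() {
    find "$1" -type f -perm -002
}

# demo_audit: build a scratch directory holding one 777 file and one 644 file
# and print how many world-writable files the audit reports (1).
demo_audit() {
    d=$(mktemp -d) || return 1
    touch "$d/open.txt" "$d/safe.txt"
    chmod 777 "$d/open.txt" && chmod 644 "$d/safe.txt"
    world_writable "$d" | wc -l | tr -d ' '
    rm -rf "$d"
}
```

Running world_writable against a real web root is the quickest way to find the "temporary" 777 fixes the post warns about before they are forgotten.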
Wrapping It Up
How was that for a crash course in Unix environment permissions? Of course there’s more to it, but this will at least make you think about what kind of access you’re granting to your files. Armed with this knowledge, you can build a more secure server environment.
Here are a few useful links you may want to peruse at your own convenience to learn more:
Did I miss anything? Did I make a blatantly ridiculous mistake? Did I use “their” when I should have used “they’re”??!!… Let me know about it. Leave a comment if you’ve got anything to add, suggest, subtract, quantize, theorize, ponderize, etc. Think your useful links are better than my useful links? Throw those at me too, and we’ll toss ‘em up here.