Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!

An intro to UNIX file permissions UNIX
If you're new to UNIX, the concept of file permissions can be somewhat daunting, to say the least. In a nutshell, permissions control who is able to do what to any given file or directory. It's important that they're properly set, otherwise certain things (such as CGI's for your web server, or shell scripts) may not work as you expect them to.

Read the rest of this article if you'd like an introduction to managing permissions in UNIX. Although quite detailed, this is not intended to be a complete education on file permissions; a good UNIX book is still recommended as the best way to further increase your knowledge.

Although Mac OS X presents a graphical means of managing some permissions (do Get Info on a file or folder, and set them from there), you really need to use a terminal session to gain a complete understanding of permissions. In addition, the "execute" permission cannot (as far as I can tell) be set from the GUI. So this tutorial will be presented from a terminal session perspective.

The first thing you need to know is that UNIX has a default permission set which gets applied to new documents you create. Logged in as your normal user, start a terminal session, and type the following:
cd Documents
touch test.txt
ls -al test.txt
The 'touch' command changes a file's access and modification times, and if the file doesn't exist, it creates it. So we now have a new file we can use for playing with permission settings. The output of the 'ls' command should look something like this:
-rw-r--r--  1 robg  staff  0 Dec 31 11:18 test.txt
The part we're interested in is the string at the beginning of the line. This shows the current state of the file's permissions. The first character, '-', indicates that we're looking at a file, and not a directory ('d'), link ('l') or some other type (there are a number of others) . Starting at character two, each set of three shows the value for permissions for the user (or owner), the group, and others (or world). Within each group of three, the first position indicates read ('r') permission, the second indicates write permission ('w'), and the third indicates execute ('x') permission. If any values are not enabled, they are represented with a '-'. So our test.txt file's default permissions (rw-r--r--) break out as:
   rw- = user can read and write but not execute this file.
r-- = group can read but not write or execute.
r-- = others can read but not write or execute.
The user (you) has the ability to read (view) and write (change) the file, but everyone else can only view the file. To change permissions, the primary command is chmod. You can use chmod in two different formats, either absolute or symbolic. Symbolic is the easiest to understand, absolute is the quickest to use. Symbolic mode will also let you add or remove individual permissions, while absolute mode sets the entire permissions string.

The following two commands do exactly the same thing:
chmod u=rwx,go=rx test.txt
chmod 755 test.txt
The first line is in symbolic mode, the second is in absolute. I'll explain each one shortly. To reverse this command, you'd use one of the following:
chmod u=rw,go=r test.txt
chmod 644 test.txt
The basic format of the chmod command in symbolic mode is fairly straightforward. You simply list which permissions you want changed (u=user, g=group, o=other) and what you want to set it to (r=read, w=write, x=execute, blank=no permission), separated by an equal sign. You separate commands with a "," as shown in the example above. As mentioned earlier, you can also use it to change individual permissions:
chmod go-w filename
This would remove write permission for group and others, while leaving user untouched. Type man chmod for more info on symbolic mode.

Absolute mode, although it can't change individual permissions, is by far the quickest way to set a given file's permissions. It will, however, require a bit more explanation.

Since all data is stored as binary on your computer, the permission string is eventually broken down into 1's and 0's, with 1's being used to represent a character (r or w), and 0's being used to represent blanks (-). For example, this permission string:
would translate into binary as:
Taking just one piece ('rw-', or '110') and finding the decimal value of the binary number yields: (1 * 2^2) + (1 * 2^1) + (0 * 2^0) = 6. Note: I'm not going to explain the binary number system here, but there are many tutorials on the web; here's one that summarizes it quite nicely. You could do similar exercises with all of the other possible combinations, and what you'd quickly get is a table that looks like this:
Permission     Binary     Decimal

--- 000 0
--x 001 1
-w- 010 2
-wx 011 3
r-- 100 4
r-x 101 5
rw- 110 6
rwx 111 7
As you can see, any possible permission setting can be represented by one decimal digit. Although there are a number of ways to combine the permission string for user, group, and others, it turns out that there are only a few that are used relatively often. These include:
Permission          Binary       Decimal

r--r--r-- 100100100 444
rw-r--r-- 110100100 644 (Mac OS X default)
rw-rw-rw- 110110110 666
rwxr-xr-x 111101101 755
rwxrwxrwx 111111111 777
--------- 000000000 000
The absolute syntax of chmod is:
chmod xyz filename
where 'xyz' represents a string of digits as shown in the table. 'x' establishes the user permission, 'y' is for the group, and 'z' is for others.

For a permission string that I haven't listed, it's a simple matter of combining the digits you want from the first table to make the new string. For example, if you wanted to set user and group to read and write, but others to read only, you'd use:
chmod 664 filename
6 indicates read and write, and 4 indicates read only.

Permissions are important, especially if you want to share files with others who may use your machine, or install CGI's (almost all require "755" or "777" permissions on their files), or prevent others from seeing your private files or directories. Hopefully you now have a slightly better understanding of what they are and how they work.
  • Currently 1.63 / 5
  You rated: 1 / 5 (8 votes cast)

An intro to UNIX file permissions | 4 comments | Create New Account
Click here to return to the 'An intro to UNIX file permissions' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
Okay, I'm down with all this. but what about the
Authored by: mshepherd on Jun 22, '02 10:56:57PM

Take this for example with the sendmail app:

r-sr-xr-x 1 root smmsp 581060 Jun 4 23:14 sendmail

How the heck do you set an "s"????

I really need a reply, as I have to change my sendmail permissions to get the thing to work under 10.1.5.


[ Reply to This | # ]
Okay, I'm down with all this...
Authored by: dm2243 on Jun 24, '02 11:10:53AM

try "chmod 6555 /usr/sbin/sendmail" - that will get you -r-sr-sr-x, which works for my sendmail.

[ Reply to This | # ]
Okay, I'm down with all this. but what about the
Authored by: shepmaster on Jun 24, '02 08:38:27PM
01000000 temporary file 02000000 compressed file 4000 Hidden file (setuid bit) 2000 System file (setgid bit) 1000 Archive bit (sticky bit) 0400 Individual read 0200 Individual write 0100 Individual execute (or list directory) 0040 Group read 0020 Group write 0010 Group execute 0004 Other read 0002 Other write 0001 Other execute
This was copied from These correspond to the numbers in addition to robg's.

[ Reply to This | # ]
Symbolic is probably easiest.
Authored by: serversurfer on Jun 25, '02 02:58:26AM
You can also use chmod u+s to make the file setuid and chmod g+s to make it setgid.

[ Reply to This | # ]