NIU Department of Mathematical Sciences
Unix File Permissions

STUCK? SEARCH INDEX MAIN

File and directory permissions protect your private documents from prying eyes, allow groups of people to share files, and prevent unauthorized persons from modifying or damaging the system.

For the impatient

Whenever you create a file or directory called foo which is not supposed to be accessible by anyone, type 
  chmod 600 foo
if it's a simple file, and 
  chmod 700 foo
if it's an executable program or a directory. This gives you the privileges to read and modify the file, and takes those privileges away from all other users.

For the secretive

If you want all files created in a given login session to have such restricted access, type the command 
  umask 077
at the beginning of the session.

If you want this to be the default, add this command near the end of the .cshrc file in your directory. It will then take effect every time you log in or create a new shell, e.g. a window (if you use another shell, you may have to alter some other configuration file, e.g. .tcshrc). There are cases when having such a restricted default setting is not desireable (see below). Note that this will affect only the newly created files.

For the moderately cautious

If you want to deny access privileges to other users of the system but retain them for members of your group (e.g. math, stat, and so on), use 
  umask 027
instead (as a one-time command, or a part of your shell's configuration). This is the recommended setting in most cases. Again, it is sometimes not what you want, since you may want to share your files with graduate students, etc. If that's the case then you should keep your existing umask setting.

For Bond wannabes

As tempting as a umask of 007 may be, it is not recommended for most users -- all other members of your group will then be able to do anything with your files...

Existing files

You can easily protect files by putting them in a subdirectory and then making that directory unreadable. The files inside will not be readable by others, even if they are not protected individually. This is strongly suggested with material such as exams, personal documents, student grades etc. For example: 
cd
mkdir Exams
chmod 700 Exams
mv test1.tex final.tex roster Exams

Some of your files are automatically protected for privacy: the mailbox, anything saved from mail, Netscape bookmarks, etc. Others may not be, depending on the "umask" setting that's in effect (type umask with no arguments to see what it is). The normal setting that has traditionally been used on our system is a "relaxed" value which causes most of the new files to be readable (but not modifiable) by all users. We suggest that you keep a "relaxed" umask setting of 022 and protect your secrets using subdirectories as mentioned above, or by protecting the whole home directory.

If you decide to use a restrictive umask such as 077, remember that anything that you want to be available to the Web server must be readable by all users since the server does not have any special privileges. Your Web directory, if any, already has correct permissions. But you have to remember to run chmod 644 on each file, and chmod 755 or at least chmod 711 on every directory inside the Web area.

The gory details

The first thing you should know is that users of a Unix system are divided into three categories: "you", "members of your group", and "others", i.e. "none of the above". The meaning of all this is, of course, different for each individual user. The categories are described using letters: "u" (user, i.e. yourself), "g" (group), "o" (others).

You can check which group(s) you are in by typing the command groups. On our system some of the main groups are `math' (Math faculty), `stat' (Statistics faculty), `grad' (graduate students) and `office' (office staff).

Permissions for each category are further divided into three types: "read" permission, "write" permission, and "execute" permission (the latter has a somewhat different meaning for directories, as opposed to regular files; it means "access", i.e. the ability to "get inside"). Again, we use letter shortcuts: "r", "w", "x". There are a couple of other special permissions which you normally don't need to worry about.

The command used to change permissions has the following general form: 

  chmod mode file_name
The "mode" part can be specified using symbols or a numeric value. Symbolic notation involves specifying, in sequence, the category of users ("u", "g" or "o"), what do you want to do ("-" to remove and "+" to add the permission), and finally the type of permission ("r", "w" or "x"). For example:
chmod o-r file_name prevent "others" from reading ("others" = everyone except you and your group)
chmod u+x file_name to let yourself execute the file
chmod o-w file_name to prevent "others" from altering the file
chmod o-x file_name to prevent "others" from executing
chmod g-r file_name to prevent group members from reading
Changes can be combined into one command using commas (and no spaces); e.g. chmod o-r,o-w file name will take away read and write permissions from "others".

To change permissions recursively, going into subdirectories, use 

 chmod -R mode directory
e.g. 
 chmod -R o-r,o-w,g-w directory
You can check permissions of your files by looking at the output of ls -lg The format of the output is: 
abcdefghij     .....   file_name
^^^^^^^^^^
||||||||||
|||||||||x if everyone can execute, - if not
||||||||w if everyone can write (edit, remove), - if not
|||||||r if everyone can read and copy, - if not
||||||x if group members can execute
|||||w if group members can write (edit, remove)
||||r if group members can read and copy
|||x if you can execute
||w if you can write (edit, remove)
|r if you can read and copy
d if directory, - if plain file
(you should ignore some other letters such as `s' and `t' for now...)

So after the directory/plain file indicator, permissions are listed in three triplets: user, group, others.

For example, a file which shows up as 

  -rwxrw-rw-   johndoe   friend
is an executable which everyone can access and modify (bad!!!), while 
  -rw-------   johndoe   friend
is "highly protected", and 
  -rw-r-----   johndoe   friend
is moderately secure (only users in group "friend" can read it, but not alter the file).

The symbols "r", "w" and "x" in each triplet can be interpreted additively as powers of 2; "r" corresponds to 4, "w" to 2, and "x" to 1. A permission which is not set (displayed as a minus) stands for zero. So in the examples above we have "protection modes" 766, 600, and 640.

As we mentioned, the chmod command can be given such numeric mode: 

  chmod 600 *
will make all files in the current directory readable and writeable only by you. But make sure not to give such protections to directories; they usually need the execute permission. Directories should always be given mode 7.. so the owner can `cd' to them and list them.

Now we can explain what the "umask" setting is for. The current value of the "umask" is always subtracted from the mode of any file or directory you create; umask of 077 will cause all new files and directories to be created without any permissions for the "group" and "others", while 027 leaves the group read and execute permissions intact.

Epilogue

There are several nuances of the Unix permissions mechanism. Certain modes for directories are different than for plain files. Some modes let a program "pretend" that it is being executed by the owner, rather than by the user who typed the command - this can be a big security hole. If you want to experiment with all this, please carefully read the manual pages for `chmod' and `ls'.

Last but not least: whatever permissions you set, the person in charge of the system can read all files, if he chooses to. The only protection against that is cryptographic encoding (e.g. PGP) of your data. The present system manager will never do anything with your files without your permission, unless it is directly related to system administration (and even then, files are copied, moved, shrunk etc. and not read), but you have to weigh your trust in this pledge against your need for privacy.

Back to the NIU Math Department Web page

webmaster@math.niu.edu