orbhost

What are permissions?


Under UNIX, files and directories (folders) have "permissions" which control who may read, change or run them. You can see these permissions when logged on to the server with your telnet client by issuing the command ls -l for a "long" listing of the contents of the directory you are in. The leftmost field of each line (one line per file or directory) is a string of 10 characters made of dashes and the letters d, l, s, t, r, w and x. The first character is not a permission but the file type: a dash (-) for a regular file, a d for a directory or an l for a symbolic link (a pointer to a real file located somewhere else on the server). The remaining 9 characters are 3 groups of 3 "flags" (or bits), also called "triplets", which appear as rwx and stand for read (r), write (w) and execute (x). When a letter is there, the file has that permission; when a dash is there, it doesn't. From the left, the 3 triplets are respectively the owner's (user's), the group's and the others' (everybody else's) permissions. Only one triplet applies to a given program: the owner's if the program runs as the file's owner, otherwise the group's if it runs in the file's group, otherwise the others'. The web server runs as its own user, so as far as your files are concerned it is one of the "others".
For example, a file with permissions:

-rwx------

has read, write and execute permissions for its owner only, and nothing for anybody else. This is the kind of setting to prefer for private files (for a private data file that is never run, -rw------- is enough; the x is only needed for programs and for folders). However, if your files are html documents in your home directory, for the server to send them out to the public, these files need permissions such as:

-rw-r--r--

which allow the owner to read and write those files but give only read permission to the group and to everybody else. With the usual umask of 022 this is the default for newly created files, including those uploaded with an ftp client. Since the server is one of the "others", the read bit in the rightmost triplet is what lets it send these files out.

In the case of cgi scripts, the execute permission needs to be turned on for the server to run them. For a compiled program the read permission isn't needed by anyone but the owner, and the write permission should be allowed for the owner only: if the group or "others" could write to the file, they could replace your script with their own and the server would happily run it. Example:

-rwx--x--x

If a file called file.cgi needs its permissions set up that way, the proper command would be:

chmod 711 file.cgi

or

chmod u+rwx,g-rw+x,o-rw+x file.cgi

which has the same effect (each comma-separated clause adds or removes bits for one of u, g and o). For a more extensive explanation of this command, use the UNIX online manual by issuing the command man chmod.

If your cgi script isn't a compiled program (executable binary) but is written in Perl, Tcl or another "interpreted" scripting language, the interpreter has to read the script's text before it can run it, so the server (one of the "others") needs the read permission along with the execute permission:

-rwxr-xr-x

Without the read bit for "others", that script won't run.
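The two rules above (execute for "others", plus read for "others" when the file is an interpreted script, never write for anyone but the owner) can be checked mechanically. The script below is an added example, not part of the original page or of any orbhost tool: it builds a scratch cgi-bin of constructed sample files, one per condition, and audits it by reading the permission triplets back from ls -ld. It assumes the web server is neither the file owner nor in the file's group, so the "others" triplet is the one that matters to it.

```shell
#!/bin/sh
# Added example: audit a cgi-bin directory for the permission problems the
# text describes. The sample files are constructed here; the server account
# is assumed to fall under "others".

# perm_bits FILE -> the 9 permission characters from `ls -ld` (e.g. rwxr-xr-x)
perm_bits() { ls -ld "$1" | cut -c2-10; }

# is_script FILE -> true when the file starts with "#!", i.e. an interpreted
# script whose text the server must be able to read, not just execute
is_script() { [ "$(head -c 2 "$1" 2>/dev/null)" = '#!' ]; }

# audit_cgi DIR: print one line per problem found, as "FILE: problem; fix"
audit_cgi() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        p=$(perm_bits "$f")
        # triplet layout: chars 1-3 user, 4-6 group, 7-9 others
        case $p in ????w????) echo "$f: writable by group (mode $p); use chmod g-w" ;; esac
        case $p in ???????w?) echo "$f: writable by others (mode $p); use chmod o-w" ;; esac
        case $p in ????????[xst]) ;; *) echo "$f: not executable by others (mode $p); use chmod o+x" ;; esac
        if is_script "$f"; then
            case $p in ??????r??) ;; *) echo "$f: interpreted script not readable by others (mode $p); use chmod o+r" ;; esac
        fi
    done
}

# make_sample: build a scratch cgi-bin (constructed test data, not real
# scripts), one file per condition, and print its path
make_sample() {
    d=$(mktemp -d) || return 1
    printf '#!/usr/bin/perl\nprint "ok\\n";\n' > "$d/good.cgi";  chmod 755 "$d/good.cgi"   # script, 755: fine
    printf '#!/usr/bin/perl\n' > "$d/uploaded.cgi"; chmod 644 "$d/uploaded.cgi"             # as ftp left it: no execute
    printf '#!/usr/bin/perl\n' > "$d/noread.cgi";   chmod 711 "$d/noread.cgi"               # fine for a binary, not a script
    printf 'binary' > "$d/compiled.cgi";            chmod 711 "$d/compiled.cgi"             # no "#!": 711 is enough
    printf '#!/usr/bin/perl\n' > "$d/loose.cgi";    chmod 777 "$d/loose.cgi"                # anyone can rewrite it
    printf '%s\n' "$d"
}

# Stand-alone run: audit the constructed sample and clean up.
sample=$(make_sample) && { audit_cgi "$sample"; rm -rf "$sample"; }
```

Run it against a real directory with audit_cgi /path/to/cgi-bin; the messages already name the chmod clause that fixes each finding.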


The "s" and "t" bits

Sometimes you will see an s or a t instead of an x in the permissions; the s is found on executable programs and the t on folders. An s in the "user's" part (the leftmost triplet) means that when that program is executed, it runs "as" the owner of the file rather than as the user who started it; this is the suid bit (set user ID). An s in the "group's" part (the middle triplet) makes the program run with the file's group; this is the sgid bit (set group ID). Because a suid program lends its owner's rights to whoever runs it, it must never be writable by anyone but its owner. Note also that Linux and most modern UNIX systems ignore the suid bit on interpreted scripts, so it only takes effect on compiled binaries. A t in the rightmost position of a folder's permissions is the "sticky bit": in such a folder, a file can only be deleted, renamed or moved by the owner of that file, by the owner of the folder or by the superuser, even when the folder itself is writable by everyone (this is how /tmp is protected). When the s or t bit is set but the underlying x isn't, the letter is shown in upper case (S or T).


More on the chmod command

A more practical way to specify the permission bits with the chmod command is to use numbers instead of the letters u, g, o and r, w, x. The letter syntax is a little more complex for users who aren't yet familiar with the chmod command.

However, to use these numbers properly, their meaning must be understood. They are the permission bits written in "octal". Each octal digit stands for one triplet of 3 bits (the rwx permissions) and so can only take values from 0 through 7; three digits, one per triplet, are all that is needed most of the time. An optional fourth digit in front of the three sets the s and t bits (4 = suid, 2 = sgid, 1 = sticky bit, added together), so that chmod 4755 is -rwsr-xr-x. The owner of a file can set these too, but web users rarely need them.

The examples below show the correlation between the 2 representations:

  user   group   others   chmod
  rwx    rwx     rwx      777
  rwx    ---     r-x      705
  r-x    --x     --x      511

See the table below for a translation of the possible values of one triplet:

  triplet   binary   octal
  ---       000      0
  --x       001      1
  -w-       010      2
  -wx       011      3
  r--       100      4
  r-x       101      5
  rw-       110      6
  rwx       111      7

When you need to know what octal number will be needed to achieve the specific permission settings for a file or folder, try this rule of thumb:

read = 100 = 4
write = 010 = 2
execute = 001 = 1

To find the octal digit needed, just add the numbers above for each permission to set, and count nothing for the permissions to leave unset. For example, you have a cgi script and your upload gave that file the rw-r--r-- settings, but it won't work with these permissions because the execute bit is not set for "others", which is what the server needs to run that script. Therefore the execute bit must be raised for "others". The command to do this with the symbolic (letter) method would be:

chmod o+x filename

But if you are not logged on with telnet, and just need to know the octal value, do it like this:

The existing permissions do not matter: with the octal method, all bits are set or unset exactly as the number says. Since we need read and write for "user", add 100 plus 010, which makes 110, or 6 in octal, for the first (leftmost) digit. We only want to keep the read for "group", so 100, or 4, is the second (middle) digit. Lastly, we want to keep the read but also add execute for "others", so that's 100 plus 001, which makes 101, or 5, for the last (rightmost) digit. The complete octal number is therefore 645 (rw-r--r-x).

On the server with telnet, the command would be:

chmod 645 filename

(in both chmod commands above, filename is your file's name)
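The arithmetic above is mechanical, so here it is as a small shell script. This is an added example, not part of the original page: it converts the 9-character triplets shown by ls -l into the octal number chmod wants and back again, then applies a mode to a scratch file and reads the result back from ls -ld to confirm the two agree. It goes one step beyond the text by also handling the s, S, t and T markers as the optional fourth (leading) octal digit described under "More on the chmod command".

```shell
#!/bin/sh
# Added example: symbolic <-> octal permission conversion, verified with chmod.

# triplet_digit r-x -> 5 (r = 4, w = 2, x = 1; s/t count as x being set)
triplet_digit() {
    d=0
    case $1 in r??) d=$((d + 4)) ;; esac
    case $1 in ?w?) d=$((d + 2)) ;; esac
    case $1 in ??[xst]) d=$((d + 1)) ;; esac
    printf '%s\n' "$d"
}

# sym_to_octal rwxr-xr-x -> 755. Accepts the 10-character ls -l field too
# (-rwxr-xr-x). A suid/sgid/sticky marker produces a leading fourth digit.
sym_to_octal() {
    p=$1
    case ${#p} in
        10) p=${p#?} ;;                        # drop the file-type character
        9)  ;;
        *)  echo "sym_to_octal: expected 9 or 10 characters, got '$1'" >&2; return 1 ;;
    esac
    u=${p%??????}; g=${p#???}; g=${g%???}; o=${p#??????}
    special=0
    case $u in ??[sS]) special=$((special + 4)) ;; esac   # suid
    case $g in ??[sS]) special=$((special + 2)) ;; esac   # sgid
    case $o in ??[tT]) special=$((special + 1)) ;; esac   # sticky
    if [ "$special" -ne 0 ]; then printf '%s' "$special"; fi
    printf '%s%s%s\n' "$(triplet_digit "$u")" "$(triplet_digit "$g")" "$(triplet_digit "$o")"
}

# digit_triplet 5 -> r-x (the lookup table from the text)
digit_triplet() {
    case $1 in
        0) printf '%s\n' '---' ;; 1) printf '%s\n' '--x' ;; 2) printf '%s\n' '-w-' ;; 3) printf '%s\n' '-wx' ;;
        4) printf '%s\n' 'r--' ;; 5) printf '%s\n' 'r-x' ;; 6) printf '%s\n' 'rw-' ;; 7) printf '%s\n' 'rwx' ;;
    esac
}

# mark_exec TRIPLET lower upper: put s/t in the execute slot, lower case if
# x is set, upper case if it isn't (the S/T convention of ls)
mark_exec() {
    case $1 in
        ??x) printf '%s%s\n' "${1%?}" "$2" ;;
        *)   printf '%s%s\n' "${1%?}" "$3" ;;
    esac
}

# octal_to_sym 645 -> rw-r--r-x ; octal_to_sym 4755 -> rwsr-xr-x
octal_to_sym() {
    m=$1
    case $m in
        [0-7][0-7][0-7])      m=0$m ;;        # no special digit given
        [0-7][0-7][0-7][0-7]) ;;
        *) echo "octal_to_sym: expected 3 or 4 octal digits, got '$1'" >&2; return 1 ;;
    esac
    s=${m%???}; rest=${m#?}
    su=$(digit_triplet "${rest%??}")
    sg=${rest#?}; sg=$(digit_triplet "${sg%?}")
    so=$(digit_triplet "${rest#??}")
    if [ $((s & 4)) -ne 0 ]; then su=$(mark_exec "$su" s S); fi
    if [ $((s & 2)) -ne 0 ]; then sg=$(mark_exec "$sg" s S); fi
    if [ $((s & 1)) -ne 0 ]; then so=$(mark_exec "$so" t T); fi
    printf '%s%s%s\n' "$su" "$sg" "$so"
}

# apply_and_verify MODE: chmod a scratch file and print what ls -ld shows
# for it (the first 10 columns only, so an ACL "+" or SELinux "." is ignored)
apply_and_verify() {
    f=$(mktemp) || return 1
    chmod "$1" "$f"
    shown=$(ls -ld "$f" | cut -c1-10)
    rm -f "$f"
    printf '%s\n' "$shown"
}

# Stand-alone run: the worked example from the text, 645 <-> rw-r--r-x
printf '645 is %s; rw-r--r-x is %s; chmod 645 gives %s\n' \
    "$(octal_to_sym 645)" "$(sym_to_octal rw-r--r-x)" "$(apply_and_verify 645)"
```

Because the conversion is pure arithmetic on the three triplets, sym_to_octal works on anything ls -l prints, including the -rwx--x--x and -rwsr-xr-x forms above.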


Advanced users can get even more control with ACLs

If you have a little more experience and are comfortable with the usual handling of your file permissions, there are more advanced ways to enhance the security and privacy of your information. Two Unix commands are available on the orbhost server to handle these more advanced permission settings (other systems ship the same facility under other names, typically getfacl and setfacl). These commands are:

getacl

and

setacl

and they allow setting up what are called ACLs (Access Control Lists), which are permission settings that go beyond the regular Unix "user/group/others" model and allow granting permissions to specific users and groups in addition to the existing "user/group/others" triplets. This gives much more "granular" control over permissions. For example, to permit the http server to "serve" html files and their associated pictures and resources to the "world", the permissions on those files must authorize read for "others", since the http server isn't the owner of the files and doesn't belong to the same group as the real owner of those files. But the "others" part of the standard permissions is broader than needed: it authorizes every account on the server to read the files, not just the http server. So one application of ACLs is to give read permission to the http server alone, and to nobody else besides the owner's user and group. This can be done with a command such as this:

setacl -u user:httpd:r-- filename

The -u above updates the existing permission settings without changing anything but what is specified on the command line. The user:httpd:r-- is the additional read permission for the http server's account, and with it in place all permissions in the "others" part of the standard permissions can be removed (chmod o-rwx filename). When listing the files in the folder with ls -l, the standard permissions would then show something like this:

-rwxr-x---

with all 3 bits in the rightmost part ("others") unset. But the getacl command on these files would show an extra line:

user:httpd:r--

In the example above, "others" grants nothing to anyone; only the owner, the owner's group and the http server are authorized to access the files.



To take this one step further, by allowing only "execute" permission for the http server on the folders that contain what is to be "served" to the world (the home folder and every folder it contains), nobody besides the owner will be able to list the contents of those folders, but the http server will still be able to send the files out, because it doesn't need "read" permission on a folder to reach the files inside it. The "execute" permission on a folder isn't really "execute": it is the "search" permission, the right to pass through that folder and open a file inside it when you already know its name, while "read" on the folder is the right to list what is in it. The server needs "search" on every folder along the path to a file, plus "read" on the file itself.

Thus, by setting the permissions for "others" to --- (no permission at all) on a folder containing html and associated files, and adding an extra user:httpd:--x entry to that folder's ACL, the http server will be able to function as usual while no other account on the server (apart from the owner and the superuser) will be able to list anything in the account.

All this can be applied with these couple of steps:

chmod o-rwx foldername

(to remove all permissions from "others")

setacl -u user:httpd:--x foldername

(to grant "search" only, and only to the http server)
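The same lock-down on a Linux host uses the POSIX ACL tools, setfacl and getfacl, in place of setacl and getacl. The script below is an added example, not part of the original page or of the orbhost server: it builds a scratch public_html folder with one constructed html file, removes the "others" bits, grants the web-server account a read entry on the file and a search-only (--x) entry on the folder, then verifies the result with getfacl. The web-server account is looked up as www-data, httpd or apache and falls back to uid 65534 when none exists (an assumption; substitute your server's real account). Two Linux caveats the orbhost text does not mention: setfacl -m is the update form (the -u of setacl), and on POSIX ACL systems the group triplet shown by ls -l becomes the ACL "mask", with a + after the mode marking that an ACL is present; setfacl recomputes that mask so the new entries take effect.

```shell
#!/bin/sh
# Added example: lock a web folder down to owner + web server with POSIX ACLs
# (Linux setfacl/getfacl). Paths and the sample page are constructed here.

# web_user: the account the http server runs as; 65534 is a stand-in when
# none of the usual names exists on this host (assumption, not a fact)
web_user() {
    for u in www-data httpd apache; do
        if id -u "$u" >/dev/null 2>&1; then printf '%s\n' "$u"; return 0; fi
    done
    printf '%s\n' 65534
}

# acl_lockdown DIR FILE ACCOUNT
#   returns 0 when applied and verified,
#           3 when this host or filesystem has no POSIX ACL support,
#           1 when the ACL was set but getfacl does not show what was asked
acl_lockdown() {
    dir=$1 file=$2 acct=$3
    command -v setfacl >/dev/null 2>&1 || return 3
    # 1. nothing for "others" on the folder or the file (chmod o-rwx from the text)
    chmod o-rwx "$dir" "$file"
    # 2. named entries for the server only: search the folder, read the file
    setfacl -m "u:$acct:--x" "$dir"  2>/dev/null || return 3
    setfacl -m "u:$acct:r--" "$file" 2>/dev/null || return 3
    # 3. verify: the named entries must be listed and "other" must be ---
    #    (getfacl prints the name when the uid resolves, the number otherwise)
    getfacl "$dir"  2>/dev/null | grep -q '^user:[^:]*:--x$' || return 1
    getfacl "$file" 2>/dev/null | grep -q '^user:[^:]*:r--$' || return 1
    getfacl "$file" 2>/dev/null | grep -q '^other::---$'     || return 1
    return 0
}

# make_site: scratch public_html with one constructed page, default modes
# as an ftp upload would leave them (755 folder, 644 file); prints the path
make_site() {
    d=$(mktemp -d) || return 1
    mkdir "$d/public_html"
    printf '<html><body>hello</body></html>\n' > "$d/public_html/index.html"
    chmod 755 "$d/public_html"
    chmod 644 "$d/public_html/index.html"
    printf '%s\n' "$d/public_html"
}

# run_demo: apply the lock-down to the scratch site, show the result, clean up
run_demo() {
    site=$(make_site) || return 1
    if acl_lockdown "$site" "$site/index.html" "$(web_user)"; then rc=0; else rc=$?; fi
    case $rc in
        0) echo "applied; ls -ld shows a '+' after the mode and getfacl lists the server entry:"
           ls -ld "$site" "$site/index.html"
           getfacl "$site/index.html" 2>/dev/null ;;
        3) echo "no POSIX ACL support here (no setfacl, or this filesystem rejects ACLs)" ;;
        *) echo "ACL set, but verification failed" ;;
    esac
    rm -rf "${site%/public_html}"
    return $rc
}

run_demo
```

After the lock-down, ls -ld shows -rw-r-----+ for the file: the "others" triplet is empty, the + says an ACL is attached, and getfacl is the only place the user:httpd:r-- entry is visible, exactly as the orbhost text describes for getacl.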
