Permissions
Unix is a multiuser operating system. That means that it was designed for multiple users to be logged in at once and each running their own programs without getting in the way of each other.
Every program that runs on a Unix machine runs as a specific user account. This includes the web server itself, any command line shell you are running, and whatever software you use to access the server's file system and admin interfaces (e.g. FTP software, the cPanel interface). When you log in with a username and password through an FTP client or a control panel, you are operating on the server as that user account, and everything you create or change is done with that account's rights.
All files on a Unix server have an owner and a group assigned to them. When a file is created, it is owned by the user account running the program that created it. Each user account also has a primary group, and a new file is normally assigned that group as its group owner. This is why a file uploaded by your FTP account and a file written by the web server (a cache file or an upload, say) can have different owners, and why one account is not automatically able to modify what the other created.
Permission Groups
Each file and directory has three user based permission groups:
- owner – The Owner permissions apply only to the owner of the file or directory, they will not impact the actions of other users.
- group – The Group permissions apply only to the group that has been assigned to the file or directory, they will not affect the actions of other users.
- other – The Other permissions apply to every account on the system that is neither the owner nor a member of the file's group, which on a shared server includes every other login and usually the web server's own account. This is the permission group you want to watch the most: anything granted here is granted to everyone.
Permission Types
Each file and directory has three permission types:
- read – The Read permission lets a user read the contents of a file, or list the names of the entries in a directory.
- write – The Write permission lets a user modify a file. On a directory, write (together with execute) lets a user create, delete and rename entries inside it, including files that belong to other users.
- execute – For a file, the Execute permission lets a user run it as a program or script. For a directory, execute means the user may enter (traverse) the directory and open entries inside it by name; listing what is in the directory needs the read bit instead. A directory with read but not execute can be listed but not entered, and one with execute but not read can be entered and its files opened by name, but not listed.
Each file and directory carries a set of permission 'bits' that encode the above. These bits determine what access each user gets to the file. Only the file's owner can change them, with the exception of the root user, who can change anything.
The file permission bits are arranged into three sets: 'user owner', 'group owner', and 'other'. These three sets are also referred to as 'user', 'group' and 'world' respectively. 'world' or 'other' refers to the permissions that apply to any user who is not the owner and is not in the file's group. Each of the three sets has its own combination of the three basic permissions.
The three basic permissions are 'read', 'write', and 'execute' and are abbreviated as 'rwx'. When you see dashes replacing a letter that means that the permission is absent eg 'r--' means that only read access is present.
When all three sets of permission bits are combined you get a setting like 'rwxr-xr-x', which represents 'rwx' for the owner, 'r-x' for the group, and 'r-x' for everyone else. This is what 'ls -l' prints, preceded by a single file-type character ('-' for a regular file, 'd' for a directory, 'l' for a symbolic link), so a directory with these bits shows as 'drwxr-xr-x'.
You will also see permissions written as a numerical shorthand, e.g. 755 or 644. Here 'r' = 4, 'w' = 2 and 'x' = 1, and each digit is the sum of the values present in one set, read in the order owner, group, other: 'rwxr-xr-x' is 7, 5, 5, written 755.
Examples:
read (r) = 4, write (w) = 2, execute (x) = 1, so 7 = rwx, 6 = rw-, 5 = r-x, 4 = r--.

Digit  rwx  Result
0      ---  no access
1      --x  execute
2      -w-  write
3      -wx  write and execute
4      r--  read
5      r-x  read and execute
6      rw-  read and write
7      rwx  read, write and execute

For example (the X marks show which of the 4, 2, 1 values are added for each set):

chmod 777 *           r(4)  w(2)  x(1)  total   symbolic
  Owner               X     X     X     7       rwx
  Group               X     X     X     7       rwx
  All others          X     X     X     7       rwx

chmod 775             r(4)  w(2)  x(1)  total   symbolic
  Owner               X     X     X     7       rwx
  Group               X     X     X     7       rwx
  All others          X           X     5       r-x

chmod 766             r(4)  w(2)  x(1)  total   symbolic
  Owner               X     X     X     7       rwx
  Group               X     X           6       rw-
  All others          X     X           6       rw-

chmod 755 **          r(4)  w(2)  x(1)  total   symbolic
  Owner               X     X     X     7       rwx
  Group               X           X     5       r-x
  All others          X           X     5       r-x

chmod 644 ***         r(4)  w(2)  x(1)  total   symbolic
  Owner               X     X           6       rw-
  Group               X                 4       r--
  All others          X                 4       r--

chmod 600 ****        r(4)  w(2)  x(1)  total   symbolic
  Owner               X     X           6       rw-
  Group                                 0       ---
  All others                            0       ---

Summary:

Mode        Owner  Group  All others
chmod 777 * rwx    rwx    rwx
chmod 775   rwx    rwx    r-x
chmod 766   rwx    rw-    rw-
chmod 755 ** rwx   r-x    r-x
chmod 644 *** rw-  r--    r--
chmod 600 **** rw- ---    ---

* most insecure
** normally thought of as secure for directories
*** normally thought of as secure for files
**** most secure
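The conversions in the table above, and the advice to watch the 'other' set most closely, as an added example that is not part of the original page. It is a POSIX shell script of my own: the function names (octal_to_symbolic, symbolic_to_octal, mode_of, find_world_writable, demo) and the throwaway directory and file names it creates are assumptions made for illustration, not anything from the page or a particular hosting product. It reads the current mode of a path from 'ls -l', converts between the two notations, and then uses 'find -perm -0002' to list every entry whose "other" write bit is set.

```shell
#!/bin/sh
# Added example (not code from the original article): convert between the
# octal shorthand (755) and the symbolic form (rwxr-xr-x), read a path's mode
# from ls, and audit a tree for anything the "other" class can write to.
# Needs only POSIX sh plus ls, find, mktemp and chmod.

# One octal digit (0-7) -> its rwx triplet, using r=4, w=2, x=1.
digit_to_rwx() {
    case "$1" in
        0) echo '---' ;;  1) echo '--x' ;;  2) echo '-w-' ;;  3) echo '-wx' ;;
        4) echo 'r--' ;;  5) echo 'r-x' ;;  6) echo 'rw-' ;;  7) echo 'rwx' ;;
        *) echo "digit_to_rwx: bad digit '$1'" >&2; return 1 ;;
    esac
}

# Octal mode (755, or 0755 with a leading special-bits digit) -> nine-character
# symbolic string (rwxr-xr-x). Only the last three digits are converted.
octal_to_symbolic() {
    mode="$1"
    case "$mode" in ????) mode=${mode#?} ;; esac
    u=$(digit_to_rwx "$(printf '%s' "$mode" | cut -c1)") || return 1
    g=$(digit_to_rwx "$(printf '%s' "$mode" | cut -c2)") || return 1
    o=$(digit_to_rwx "$(printf '%s' "$mode" | cut -c3)") || return 1
    printf '%s%s%s\n' "$u" "$g" "$o"
}

# rwx triplet -> octal digit by adding the weight of each letter present.
rwx_to_digit() {
    n=0
    case "$1" in r??) n=$((n + 4)) ;; esac
    case "$1" in ?w?) n=$((n + 2)) ;; esac
    case "$1" in ??x) n=$((n + 1)) ;; esac
    echo "$n"
}

# Nine-character symbolic string (rwxr-xr-x) -> three-digit octal (755).
symbolic_to_octal() {
    s="$1"
    printf '%s%s%s\n' \
        "$(rwx_to_digit "$(printf '%s' "$s" | cut -c1-3)")" \
        "$(rwx_to_digit "$(printf '%s' "$s" | cut -c4-6)")" \
        "$(rwx_to_digit "$(printf '%s' "$s" | cut -c7-9)")"
}

# Current mode of a path as shown by ls -l: characters 2-10 of the listing
# (character 1 is the type: '-' regular file, 'd' directory, 'l' symlink).
mode_of() {
    ls -ld "$1" | cut -c2-10
}

# Every entry under $1 whose "other" write bit (octal 0002) is set, i.e.
# anything that any account on the host can modify. Symlinks are skipped:
# their own mode is irrelevant, only the target's counts.
find_world_writable() {
    find "$1" -perm -0002 ! -type l
}

# Walk through the article's examples on a throwaway directory (names are
# made up for the demo).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/public_html"
    : > "$tmp/config.php"
    : > "$tmp/uploads.txt"
    chmod 755 "$tmp/public_html"   # owner: all; group/others: list and enter
    chmod 644 "$tmp/config.php"    # owner: read/write; everyone else: read only
    chmod 666 "$tmp/uploads.txt"   # anyone on the box can overwrite this one
    for p in public_html config.php uploads.txt; do
        sym=$(mode_of "$tmp/$p")
        printf '%-12s %s  %s\n' "$p" "$sym" "$(symbolic_to_octal "$sym")"
    done
    echo "world-writable under $tmp:"
    find_world_writable "$tmp"
    rm -rf "$tmp"
}

demo
```

Run it as root or as the owning account and it prints each path's symbolic and octal mode, then lists uploads.txt as the only world-writable entry. Point find_world_writable at a real document root (e.g. your home directory or public_html) to get the list of files that every other account on the server could alter.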