Department of Mathematics

Math 300: Mathematical Computing

Setting File Permissions

Part of the security provided by every operating system involves the rights to read, copy, change, delete, and execute the files stored on a machine's file system. The way those rights are handled and modified varies from OS to OS.

The basic rights to all files are similar across both Unix and Windows operating systems. The permissions on those files fall into three basic categories:

Each operating system provides other rights. For example, in Windows the ability to change file rights is separate from the ability to change the contents of a file, while in Unix the ability to change permissions on the file is included in the "write" permission. Both operating systems provide rights based on the groups of which one is a member.

One may view the permissions on files in Windows using the cacls command. For example,

cacls myfile.txt

should show each account or group that has any rights to the file, and the nature of those rights. For example, it may give a listing such as "everyone:r", which indicates that the group called "everyone", which includes all accounts, has "read" access. It might also show "administrator:f", which indicates that the administrator of the machine has full control of the file. The possibilities include

We can set the rights on a file for which we have full control using the cacls command. For example, the command

cacls myfile.txt /e /g everyone:r

grants all accounts in the group "everyone" read access to the file. The switch "/e" indicates that we are just changing the permissions, not replacing them. The "/g" switch grants the privilege. To revoke privileges, use a command such as

cacls myfile.txt /e /r everyone

This revokes all rights for users in the group "everyone". Note that you must use the /e switch in order to use the /r switch.

The command to change file rights in Unix is called chmod (change mode). In order to use it, we must understand the listing of rights on files in Unix. Each file has a 10-character string associated with it that describes its nature and rights completely. We can view this string using the ls -l command:

ls -l myfile.txt

The result of this command is a line that begins with, e.g., -rw-rw-r--. The first character is a file type indicator that tells whether the entry is a directory, a link (shortcut, if you will), or a device. The dash means it is a plain file. If it were a directory, the first character would be a "d". The next nine characters are broken into three sets of three. The first three characters correspond to the rights of the owner of the file (the user). The next three give the rights for members of the group that owns the file. The third set of three gives the rights of everyone who has an account on the machine. Thus, if we run the command ls -l and look at "WebSite" we see

drwxr-xr-x 3 owner grp 1024 Dec 13 14:16 WebSite

The first ten characters say that WebSite is a directory and that the owner (called "owner") has read, write, and execute permission on it, while members of the group (called "grp") are treated the same as anyone else: they can read or execute it, but not write to it. This means that anyone can view, copy or run the files in the directory, but cannot change it or delete its contents. Here is another example: the command ls -l VandS*.pdf yields

-rw-rw-r-- 1 sally grp 2384061 Jan 4 10:45 VandS_Book_3.pdf

In this case, VandS_Book_3.pdf is a plain file whose owner ("sally") and group ("grp") have read and write permission, while everyone else has only read permission.

We can change these permissions using the chmod command. The command has the form

chmod [ugo][+-][rwx] filename

where the characters inside the brackets represent choices. The following commands take away read permission from others, and add execute permission for the user (owner) and group members on the file VandS_Book_3.pdf.

chmod o-r VandS_Book_3.pdf

chmod ug+x VandS_Book_3.pdf

There is a shorthand notation for the chmod command that uses numbers to set all nine permissions at once. For example, consider a permission string of the form

rwx -w- --x   As it appears from an ls -l command
111 010 001   Each permission that is set gets a 1, each that is off gets a 0
 7   2   1    Octal representation of the binary numbers above them

chmod 721 VandS_Book_3.pdf   (sets the permissions as indicated)

Thus we can set permissions to rwxr-xr-x using the command chmod 755 VandS_Book_3.pdf, and can set them to rw-r--r-- using chmod 644 VandS_Book_3.pdf.
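
The conversion from a permission string to the octal shorthand can be done mechanically. The shell functions below are an added example, not part of the original course page: the names perm_to_octal and replay_page_commands are made up for illustration, and the string is assumed to contain only the characters r, w, x and -. The second function replays the two chmod commands shown earlier on a scratch file that starts at rw-rw-r-- and reports the octal mode after each one.

```shell
#!/bin/sh
# Added example (not from the original page).

# perm_to_octal STRING
#   STRING is the nine permission characters (rwxr-xr-x) or the full first
#   field of ls -l (drwxr-xr-x). Assumes only r, w, x and - appear.
perm_to_octal() {
    p=$1
    # A 10-character (or longer) field starts with the file type; drop it.
    if [ "${#p}" -ge 10 ]; then p=${p#?}; fi
    out=""
    for who in user group other; do
        triple=$(printf '%s' "$p" | cut -c1-3)   # this set of three
        p=$(printf '%s' "$p" | cut -c4-)         # what is left for the next set
        d=0
        case $triple in r??) d=$((d + 4)) ;; esac   # read    = binary 100
        case $triple in ?w?) d=$((d + 2)) ;; esac   # write   = binary 010
        case $triple in ??x) d=$((d + 1)) ;; esac   # execute = binary 001
        out=$out$d
    done
    printf '%s\n' "$out"
}

# replay_page_commands
#   Runs "chmod o-r" and then "chmod ug+x" on a temporary file that starts
#   at rw-rw-r--, reading the mode back from ls -l after each step.
replay_page_commands() {
    f=$(mktemp) || return 1
    chmod 664 "$f"                                   # -rw-rw-r--
    chmod o-r "$f"                                   # others lose read
    step1=$(perm_to_octal "$(ls -l "$f" | cut -c1-10)")
    chmod ug+x "$f"                                  # user and group gain execute
    step2=$(perm_to_octal "$(ls -l "$f" | cut -c1-10)")
    rm -f "$f"
    printf '%s %s\n' "$step1" "$step2"
}

perm_to_octal rwx-w---x       # the worked string from the text
perm_to_octal drwxr-xr-x      # the WebSite directory listing
replay_page_commands          # modes after o-r and after ug+x
```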

Department of Mathematics, PO Box 643113, Neill Hall 103, Washington State University, Pullman WA 99164-3113, 509-335-3926
Copyright © 1996-2020 Kevin Cooper