What are Linux File Permissions for?
Just for a few minutes, forget about Windows, where you start up your computer, create a file, can open it for reading and writing or delete it without doing anything special.
On Linux servers, the server needs to know two things about files:
- What can be done to a file; and
- Who can do it
The “What can be done to a file” is broken down into three action types: read, write, execute.
- Reading is just opening a file and looking at its contents
- Writing is overwriting, appending or deleting a file
- Executing is allowing a CGI *program* to run. Putting execute permissions on an HTML file is useless because the HTML file will not “do” anything.
The “who can do it” is also broken down into 3 sections: owner, group, and public (or world). For mydomain.com:
- The owner is mydomain. This is the ruler of the account.
- The group is mydomaing. Groups usually are the owner name, appended with a g or grp
- The public is anyone who comes to your site (or any other user on the same server.)
What do they look like?
Now that we know the what and who, we need to show what permissions “look like.” Here’s some output from looking at a couple of mydomain.com’s directories (we got this by SSHing to the domain, and issuing the Unix command,
-rw-r--r-- 1 mydomain mydomaing 193 Sep 14 20:12 index.html -rwxr-xr-x 1 mydomain mydomaing 61970 Sep 15 02:57 script.pl* -rw-r--r-- 1 mydomain mydomaing 2214 Sep 15 02:57 variables.var drwxr-xr-x 2 mydomain mydomaing 4096 Sep 15 02:57 data/ -rwx------ 1 mydomain mydomaing 489 Jun 27 13:00 sitevars*
The file permissions are in the first column.
As you’ve probably already determined by glancing at the listing above, the ‘r’ signifies read permission; the w signifies write permission, and the ‘x’ signifies execute permission.
Now, let’s break down that mysterious grouping of r’s, w’s and x’s for index.html.
D O G P - rw- r-- r--
The first dash is to signify if it’s a directory or not. If you refer back to the file listing above, you’ll see that the data/ directory has a “d” in the first column. This means that the machine realizes data/ is a directory and not a file. You don’t need to concern yourself about adding the d setting – Linux will automatically toss in a d if it’s a directory.
The next group, under “O” is the owner permissions. Since you already know that r is read permission and w is write permission, you know that the owner has both of these perms. Both the group and public have read-only permissions.
Let’s just look at the permissions for two more files:
D – It’s not a directory.
O – has read/write/execute permissions
G, P – have read/execute permissions
You’ll also notice the script.pl has a star * next to it in the directory listing above. That’s a quick and easy identifier that the file is executable.
Here, only the owner has any permissions on the file at all. No one else can read, write or execute the file. This is the safest file permissions, but can only be used if you don’t want anyone to see its contents (can’t be viewed on a website).
Minimum Permission Settings
For an executable CGI file (e.g. CGI, pl or any other CGI program that needs to be invoked from a web browser):
rwxr-xr-x or 755
For a read-only file (e.g. .html, .shtml, .txt or any other file that’s not a CGI script that needs to be accessible from a web browser)
rw-r--r-- or 644
For a file that needs to be written from a cgi-program, such as a flat file database that is managed from the browser.
rw-rw-rw- or 666
Now you may be wondering what the numbers are. Essentially, they are numeric representations of the rwxrwxrwx methods described here. Each number correlates to each of the 3 of rwx sets (owner, group, and public permissions). For example:
O G P 7 5 5 rwx r-x r-x
Here’s a little chart that you can use to convert the most common alphabetic permission settings to numeric:
0 No permissions whatsoever
5 Read / execute
6 Read / write
7 Read / write / execute
For a file to actually write or execute, it must have read permissions, so don’t concern yourself about the other permutations (write/execute only, write only, execute only ).
How to change file permissions
There are many ways to change file permissions: from the shell, from an FTP program or from any of the various CGI scripts that alter permissions. Here’s I’ll outline two.
The command to change permissions is CHMOD (change mode). Here are a few of the common permission settings:
chmod 755 file.cgi chmod 644 file.html
Now let’s say that you have just uploaded 5 (or more) CGI files. It would be rather tedious to do:
chmod 755 file1.cgi chmod 755 file2.cgi chmod 755 file3.cgi chmod 755 file4.cgi chmod 755 file5.cgi
Linux allows you to use wildcards, represented by an asterisk * do perform an action on a group of files:
chmod 755 *.cgi
Here, we’ve told Linux to set permissions on all files in the directory that end in .cgi.
Many FTP programs now have the ability to change permissions on files. In CuteFTP for example, right-click the remote file and select CHMOD from the menu. Then, simply check the permission settings you want for each group.