Changing File and Directory Permission



Changing File and Directory Access Permission

In general, IRIX file access permissions are set to allow ease of use among multiple users while maintaining system security. This section discusses how you can change file access permissions to permit or deny read, write, and execution permission for users, groups, or everyone. Note that users can also configure a umask to control default access to their own files (see "About Default File Permissions (umask)" on page 123 for more information).

IRIX divides permissions into three categories, and users into three relationships. The three relationships are the owner of the file, the owner's user group, and all users. If you view a long listing of a directory, you see that the permissions field for each file in the directory looks something like this:

-rwxrwxrwx


Note that the line of permissions has the string rwx repeated three times. The first instance of rwx applies to the file owner, the next instance applies to the group members, and the third applies to all other users on the system. The example above shows full permissions. A more restricted permission set might look like this:


The three categories of permissions are read, write, and execute. They are denoted as "r" for read, "w" for write, and "x" for execute in long listings of files. To get a long listing, enter:

ls -l

at your system prompt in any directory. Along with the permission information, the ls -l command lists the owners and the sizes of the files and the date they were last modified.

Read permission allows you to look at the contents of a file. Write permission allows you to make changes to or remove a file. Execute permission allows you to run the file as a command from your shell prompt.

Each character is separately significant in the permissions listing. Starting at the left, the first character is a dash. A dash in any other position means that no permission is granted and the actions associated with that permission are denied. However, in the leftmost place, the character indicates whether the file is a regular file or a directory. If it is a directory, a d appears in that space. Other characters in this place indicate that the file is a pipe, a block or character special device file, or other type of file.

To see the current status of a file's permission settings, use the ls -l command. For example, to see the status of permission on the file review, enter:

ls -l review

The access permissions should look like this:

-rw-r--r-- 1 jones engr 1015 Aug 14 16:20 review

Permissions are shown as read (r), write (w), and execute (x), for each of user, group, and other, respectively. That is, each of the user, group, and everyone else has some combination of read, write, and execute access to the file. After the first character (in this example, a dash), the next three characters give the read, write, and execute permission for the user, the next three characters give the read, write, and execute access for the group, and the last three characters give the read, write, and execute access for everyone else. So in the example, user jones has read (r) and write (w), access to the file review, while the group has only read (r) access, and other also has only read (r) access. Nobody has execute (x) permission.

The superuser or owner of the file can change these permission settings. As superuser, you can give everyone write access to a file with the chmod command. For example, to add write access for the group and others to the review file, use the go+w (g for group, o for other, and +w to permit writing) option as follows:

chmod go+w review

Now the access permissions should look like this:

-rw-rw-rw- 1 jones engr 1015 Aug 14 16:20 review

Another way of controlling permission settings is the octal number representation, in which each of the three digits (owner, group, and other) is the sum of 4 for read, 2 for write, and 1 for execute, so that 7 represents read, write, and execute permission (4+2+1). In this way, to give complete read, write, and execute permissions to a file, use the chmod 777 command, and to give just read permission to the owner and no other permissions at all, use chmod 400. For complete information on setting access permissions on files and directories, refer to the chmod(1) reference page.
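The following is an added example, not part of the IRIX manual: it converts the mode field printed by ls -l into the octal form described above, then lists files left writable by "other" after a change such as chmod go+w. The function names and the scratch directory are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the IRIX manual).

# sym_to_octal MODE: convert the 10-character mode field from `ls -l`
# (for example -rw-r--r--) to the three-digit octal form used by chmod.
sym_to_octal() {
    perms=$1
    out=""
    # Characters 2-4 are the owner triplet, 5-7 group, 8-10 other.
    for start in 2 5 8; do
        triplet=$(printf '%s' "$perms" | cut -c"$start"-"$((start + 2))")
        digit=0
        case $triplet in r??) digit=$((digit + 4)) ;; esac
        case $triplet in ?w?) digit=$((digit + 2)) ;; esac
        # A lowercase s or t in the last place also implies execute.
        case $triplet in ??[xst]) digit=$((digit + 1)) ;; esac
        out=$out$digit
    done
    printf '%s\n' "$out"
}

# world_writable DIR: list regular files under DIR whose "other" write
# bit (octal 002) is set, one path per line.
world_writable() {
    find "$1" -type f -perm -002 -print | sort
}

# Mode strings copied from the listings on this page.
for m in -rw-r--r-- -rw-rw-rw- -rwxr-x--- -rwx------; do
    printf '%s  %s\n' "$m" "$(sym_to_octal "$m")"
done

# Constructed scratch directory reproducing the `chmod go+w review` step.
scratch=$(mktemp -d)
: > "$scratch/review"; : > "$scratch/notes"
chmod 644 "$scratch/review" "$scratch/notes"
chmod go+w "$scratch/review"
world_writable "$scratch"
chmod o-w "$scratch/review"    # remove write for other, keep group write
rm -rf "$scratch"
```
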

Note: If you use chmod on a device file, edit the /etc/ioperms file to reflect the change, or the device file returns to the default access permissions after a reboot. The format of an entry in /etc/ioperms is:

device_name owner group nnn

where device_name is the device filename, owner is the file owner, group is the group, and nnn is the octal permission setting as described above and in the chmod(1) reference page. Refer to the ioconfig(1M) reference page for details on device permission settings in the /etc/ioperms file.
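A check over entries in the format just described, as an added example that is not part of the IRIX manual: it reports entries that do not have the four fields and entries whose nnn value would restore write access for "other" at reboot. The device names are constructed placeholders, and treating lines that start with # as comments is an assumption, not something this page states.

```shell
#!/bin/sh
# Added example (not from the IRIX manual).

# check_ioperms FILE: read entries of the form
#     device_name owner group nnn
# and report malformed lines and modes that grant write to "other".
check_ioperms() {
    awk '
        /^[ \t]*$/ { next }              # skip blank lines
        /^[ \t]*#/ { next }              # assumption: # starts a comment
        NF != 4 || $4 !~ /^[0-7][0-7][0-7][0-7]?$/ {
            printf "line %d: malformed entry\n", NR
            next
        }
        {
            # The last octal digit holds the permissions for "other";
            # the write bit is the 2 in 4+2+1.
            other = substr($4, length($4), 1) + 0
            if (int(other / 2) % 2 == 1)
                printf "line %d: %s mode %s is writable by other\n", NR, $1, $4
        }
    ' "$1"
}

# Constructed sample entries; the device names are placeholders.
sample=$(mktemp)
cat > "$sample" <<'EOF'
/dev/example_tape root sys 666
/dev/example_disk root sys 640
/dev/example_bad root 644
EOF
check_ioperms "$sample"
rm -f "$sample"
```
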

Directory Permissions

Directories use the same permissions as files, but their meanings are slightly different. For example, read permission on a directory means that you can use the ls command to look at the contents of that directory. Write permission allows you to add, change, or remove files in that directory. (However, even though you may have write permission in that directory, you must also have write permission on the individual files to change or remove them, unless you own the directory.) Finally, execute permission on a directory allows you to use the cd command to change directories into that directory.

File Permissions

The first series of three places after the leftmost place in the permissions field describe the permissions for the owner of the file. Here is an example of a long listing for a file:

-rwx------ 1 owner grp 6680 Apr 24 16:26 shell.script

The file is not a directory, so the leftmost space contains a dash. The characters rwx indicate that the owner of the file, owner, has read, write, and execute permission on this file. The second series of three spaces describe permissions for the owner's group. In this case, the group is grp. Suppose permissions for this file were slightly different, like this:

-rwxr-x--- 1 owner grp 6680 Apr 24 16:26 shell.script

In that case, any member of the group grp could read or execute the file, but not change it or remove it. All members of group grp can share a pool of files that are individually owned. Through careful use of group read and write permissions, you can create a set of doc source files that are owned by one person, but any group member can work on them.

The third series of spaces provides for all other users on the system and is called the public permissions. A file that is set to be readable by any user on the system is called publicly readable.

Here is a long listing of a sample Projects directory:

total 410
drw------- 1 owner grp 48879 Mar 29 18:10 critical
-rw-r--r-- 1 owner grp 1063 Mar 29 18:10 meeting.notes
-rw-rw-rw- 1 owner grp 2780 Mar 29 18:10
-rwxrwxrwx 1 owner grp 8169 Jun 7 13:41 new.items
-rw-rw-rw- 1 owner grp 4989 Mar 29 18:10 response
-rw------- 1 owner grp 23885 Mar 29 18:10 project1
-rw-r----- 1 owner grp 3378 Jun 7 13:42 saved_mail
-rw-r--r-- 1 owner grp 2570 Mar 29 18:10 schedules
-rwxrwxr-x 1 owner grp 6680 Apr 24 16:26 shell.script

The files in this directory have varying permissions. Some are restricted to the owner, some can be read only by members of the owner's group, and some can be read, changed, or removed by anybody. The shell script is executable by any user.

Changing Permissions

You change the permissions on a file by means of the chmod(1) command. You can use chmod only to change files that you own. Generally, you use this command to protect files you want to keep secret or private, to protect private directories, and to grant permissions to files that need to be used by others. To restrict access to a file or directory to yourself only, enter:

chmod 600 filename

chmod 700 dirname

Other permissions may be added by using the chmod command with the letter associated with the permission. For example, to add general write permission to a file, enter:

chmod +w filename
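When no who letter (u, g, o, or a) is given, a POSIX chmod leaves alone any permission bit that is set in the umask, so the effect of chmod +w depends on the umask in force. The following added example, which is not part of the IRIX manual, shows the resulting mode under several umask values next to the explicit a+w form; it assumes the local chmod follows the POSIX rule, and the function names and scratch file are constructed.

```shell
#!/bin/sh
# Added example (not from the IRIX manual).

# mode_of FILE: print the 10-character mode field from `ls -l`.
mode_of() {
    ls -l "$1" | cut -c1-10
}

# chmod_result MASK MODE: create a read-only (444) scratch file, apply
# `chmod MODE` with umask MASK in effect, and print the resulting mode.
# Runs in a subshell so the caller's umask is not changed.
chmod_result() {
    (
        dir=$(mktemp -d) || exit 1
        f=$dir/demo                 # constructed scratch file
        : > "$f"
        chmod 444 "$f"
        umask "$1"
        chmod "$2" "$f"
        mode_of "$f"
        rm -rf "$dir"
    )
}

# Compare the bare +w form with the explicit a+w form.
for mask in 022 077 000; do
    printf 'umask %s: chmod +w -> %s   chmod a+w -> %s\n' \
        "$mask" "$(chmod_result "$mask" +w)" "$(chmod_result "$mask" a+w)"
done
```

Checking the result with ls -l after a chmod that omits the who letter confirms which classes actually received the permission.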