Security basics, Part 1

March 15, 2001, 3:54 PM —

Security is always an issue in multiuser computing systems. Unix provides a rich set of security options, and this month we begin a three-part security series by exploring some basics.

As a true multiuser, multitasking operating system, Unix has a fairly sophisticated method for setting file and directory permissions.

The chmod command is simple once you've grasped the basics. To understand it, let's start with a small directory listing that can be generated by the ls -l command.

$ ls -l 
  drwxrwxr-x    1 mob      wp    2018 Aug 30 23:45 adir 
  -rw-rw-r--    1 mob      wp    8755 Aug 30 23:37 picture.gif 
  -rwxrwxr-x    1 mob      wp    8525 Sep  4 02:48 command.sh 
 
$ 

The permissions are indicated by a series of letters on the left-hand side of the listing. The first character indicates the type of the entry. For our purposes, the first character will be either a dash (-) to indicate that the entry is a file or a d to indicate that it's a directory.

After the initial character, a series of rwxs (or the absence of the same) on the left side of the listing indicates the access permissions for that file or entry.

The nine characters after the initial entry-type indicator are broken into three groups, each containing three characters. Each group of three from left to right indicates the permissions given to the owner, group, and others, respectively.

An r indicates that read permission is given to the user who owns the file, group the owner belongs to, or the rest of the world. An r allows a file to be read, and a directory to be listed with ls and related utilities. A w indicates write permission. If this is an entry for a directory, w means that new files can be created within it.

In the following example, the owner, mob, has read and write permissions on picture.gif. The group wp has read permission only, and no other permissions are given.

$ ls -l 
  -rw-r-----    1 mob      wp    8755 Aug 30 23:37 picture.gif 
 
$ 

An x indicates execute permission for executable files, and search permission for directories.

In the following example mob members of the group wp, and all others have search permission for adir.

$ ls -l 
  drwxrwxr-x    1 mob      wp    2018 Aug 30 23:45 adir 
  -rw-rw-r--    1 mob      wp    8755 Aug 30 23:37 picture.gif 
  -rwxrwxr-x    1 mob      wp    8525 Sep  4 02:48 command.sh 
 
$ 

An x permission on a standard data file has no effect.

To change the permissions on a file, use chmod, followed by the permissions you want to change and the file name. A permission is expressed as a one-character identifier that signifies (u)ser, (g)roup, (o)thers, or (a)ll, followed by +, -, or =, meaning add, remove, or set, respectively. After these characters, add one or more of the following permissions: r, w, or x. The permission strings should look something like the following examples:

u+rw 
a-w 
o+x 
a=rwx 

Some more examples are shown below. Line 3 adds write privileges to group, line 6 removes write privileges, and line 9 adds read privileges for others. Line 12 sets privileges for others to write only. In line 14, the r has disappeared and the w has appeared. Line 15 removes read and write privileges for all; note the result at line 17.