Common Problems: Permissions
August 07 2017
Permissions can be a frustrating thing to deal with on shared computers, especially without much introduction. Hopefully, this walkthrough will introduce you to the major concepts and reduce the confusion!
Why do we have them?
Unix permissions allow us to control who can access and change files and directories, which is critical on a shared system. Each file and directory in a unix system is required to have to attributes – an owner and a group. The owner is initially whomever created the file, but can be changed by the root user (handy if you have someone leaving your lab!).
Group designations exist to allow people other than the owner to access the file with more limitations than the user. It is also a convenient to add people to a group and give them access to a set of files rather than have to add them individually to all files.
How do we read them?
If you use the ls command, with the –lah options (long, all, human readable), you can see the permission of a file:
The permissions are encoded in the first segment of the line – the drwxr-xr-x. In this case, the d indicates a directory. The lack of a d in the first slot for class0.txt indicates that this is a regular file. The rest of the letters indicate permission levels:
So why multiple r’s, w’s, and x’s? These are for different levels of ownership. The first three slots after the directory slot indicate the permission settings for the owner (listed in the third column of the ls –lah output). In the first file, they are rw-, indicating a read/writable file that cannot be executed as a program. In the second file example, the owner permissions are rwx, indicating that this directory is viewable, modifiable, and able to be entered.
The second set of rwx slots indicate the group permissions. In the first file, members of the group (listed after the owner – dip is the group in this case) can only read the file. In the directory example, the dip group members can also enter this directory.
The final rwx set is for “other” (sometimes referred to as “world”). This is anyone outside the group. In both cases, these are set to the same as the group.
How do we change them?
To change file and directory permissions, we use the command chmod (change mode). The owner of a file can change the permissions for user(u), group(g), or others(o) by adding (+) or subtracting (-) the three kinds of permissions.
chmod u+x class0.txt
#this would add executable permissions to user
chmod ugo-rx class0.txt
#this would remove read and execute permissions from user, group, and other.
You can also change permissions recursively – that is, in all subdirectories from wherever you start. For example:
chmod –R o+x Example
Would add executable permission to all files/directories in the Example folder.
You may also see examples of this done numerically. If we attribute a number to each permission level, using binary counting, we get the following:
You can then simply add the numbers of the permissions you want to give. For example:
chmod 755 class0.txt
#This would set (4+2+1/rwx) permissions to user and (4+1/r-x) to group and other.
This coding is common to see and convenient in setting files in tutorials because it makes no assumptions about the current settings.
More information on permissions: https://kb.iu.edu/d/abdb
NOTE: there are way more options and oddities to unix permissions not covered here. You will likely pick them up as you go. Also, there are a second set of permission (ACLs) that are layered on top of these in many file systems – but that is a topic for another day!
When do I need to know this?
The most common point in which you will need to deal with permissions (other than making something executable) is when sharing files.
Common question: My PI/labmate/etc. shared a folder with me, but I still cannot access it!
Think of the filesystem as a physical place. Your permissions work as keys/access to different directories. The benefit of thinking of directories as a physical space is that it makes it a bit more intuitive to think of how files trees behave. Imagine you are standing in a file space. You can look (ls; list) in directories with r (read) permission (window); you can move into (cd) directories with x (execute) permissions (key). Conversely, you cannot look in directories without r permissions; you cannot enter directories without x permissions. Once you get to a directory with w (write) permissions, you can add or remove files freely (and potentially cause damage).
However, if you don’t have x permission to a directory, YOU CANNOT move through it to other areas (you lack a key to that directory), even if you have the keys (x permission) to a directory within. You have to be able to get to that door to use the key. Read permissions work similarly – you cannot see the contents of a directory if one of the intermediate doors lacks a window (r permissions).
In short, you have to make sure that you give x permission (keys) to each directory in the absolute path in order to let people share that space. You have to give people r permission (windows) to each directory in the absolute path in order to let people view that space.
NOTE: You don’t have to give people read permissions to each intermediate directory to shared space… you can basically make them walk through dark rooms (as long as they have keys/x ) to the final destination.