# Decoding File Permissions - Shell Scripting

Now that you know about users and groups, it’s time to decode the cryptic file permissions you’ve seen when using the ls command. This section describes how to decipher the permissions and where they come from.

## Using file permission symbols

If you remember from previous sections, the ls command allows us to see the file permissions for files, directories, and devices on the Linux system:

```
$ ls -l
total 68
-rw-rw-r-- 1 rich rich   50 2007-09-13 07:49 file1.gz
-rw-rw-r-- 1 rich rich   23 2007-09-13 07:50 file2
-rw-rw-r-- 1 rich rich   48 2007-09-13 07:56 file3
-rw-rw-r-- 1 rich rich   34 2007-09-13 08:59 file4
-rwxrwxr-x 1 rich rich 4882 2007-09-18 13:58 myprog
-rw-rw-r-- 1 rich rich  237 2007-09-18 13:58 myprog.c
drwxrwxr-x 2 rich rich 4096 2007-09-03 15:12 test1
drwxrwxr-x 2 rich rich 4096 2007-09-03 15:12 test2
$
```

The first field in the output listing is a code that describes the permissions for the files and directories. The first character in the field defines the type of the object:

• - for files
• d for directories
• c for character devices
• b for block devices
• n for network devices

After that, there are three sets of three characters. Each set of three characters defines an access permission triplet:

• r for read permission for the object
• w for write permission for the object
• x for execute permission for the object

If a permission is denied, a dash appears in the location. The three sets relate the three levels of security for the object:

• The owner of the object
• The group that owns the object
• Everyone else on the system

This is broken down in the figure below.

Figure: The Linux file permissions

```
-rwxrwxr-x 1 rich rich 4882 2007-09-18 13:58 myprog
 |  |  |
 |  |  +-- permissions for everyone else
 |  +----- permissions for group members
 +-------- permissions for the file owner
```

The easiest way to discuss this is to take an example and decode the file permissions one by one:

```
-rwxrwxr-x 1 rich rich 4882 2007-09-18 13:58 myprog
```

The file myprog has the following sets of permissions:

• rwx for the file owner (set to the login name rich)
• rwx for the file group owner (set to the group name rich)
• r-x for everyone else on the system

These permissions indicate that the user login name rich can read, write, and execute the file (considered full permissions). Likewise, members in the group rich can also read, write, and execute the file. However, anyone else not in the rich group can only read and execute the file; the w is replaced with a dash, indicating that write permissions are not assigned to this security level.
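The decoding just walked through by hand can be done mechanically. The following is an added example, not code from the original text: it splits the ten-character permission field into the object type and the three rwx triplets, converts each triplet to its octal digit, and, as the practical check most administrators actually want from this, lists the entries in a listing where "everyone else" has write permission. It also generates the eight rwx/binary/octal combinations the section refers to. The sample listing is constructed from the lines shown above plus one extra world-writable entry (`scratch.txt`, invented for the demonstration); the type letters `l`, `p` and `s` (symbolic link, named pipe, socket) are standard `ls` output but are not listed in the section.

```python
"""Decode the permission field of `ls -l` output into its parts and octal mode.

Added example, not part of the original page. The sample listing at the bottom is
constructed from the section's own `ls -l` output plus one invented entry.
"""
from __future__ import annotations

from dataclasses import dataclass

# Object types from the first character of the permission field. The section lists
# -, d, c, b and n; l (symlink), p (named pipe) and s (socket) also occur in real output.
FILE_TYPES = {
    "-": "file", "d": "directory", "c": "character device", "b": "block device",
    "n": "network device", "l": "symbolic link", "p": "named pipe", "s": "socket",
}

TRIPLET_VALUE = {"r": 4, "w": 2, "x": 1}


@dataclass
class Permissions:
    kind: str
    owner: str   # rwx triplet for the file owner
    group: str   # rwx triplet for the owning group
    other: str   # rwx triplet for everyone else
    octal: str   # three octal digits, e.g. "775"


def triplet_to_octal(triplet: str) -> int:
    """Convert one rwx triplet (e.g. 'r-x') to its octal digit (5)."""
    if len(triplet) != 3:
        raise ValueError(f"bad triplet: {triplet!r}")
    value = 0
    for ch, expected in zip(triplet, "rwx"):
        if ch == expected:
            value += TRIPLET_VALUE[ch]
        elif ch != "-":
            # s/S/t/T (setuid, setgid, sticky) are covered later in the chapter;
            # this decoder deliberately handles only plain rwx triplets.
            raise ValueError(f"unexpected character {ch!r} in {triplet!r}")
    return value


def decode_mode(field: str) -> Permissions:
    """Decode a 10-character ls -l permission field such as '-rwxrwxr-x'."""
    if len(field) != 10 or field[0] not in FILE_TYPES:
        raise ValueError(f"not a permission field: {field!r}")
    owner, group, other = field[1:4], field[4:7], field[7:10]
    octal = "".join(str(triplet_to_octal(t)) for t in (owner, group, other))
    return Permissions(FILE_TYPES[field[0]], owner, group, other, octal)


def parse_ls_line(line: str) -> tuple[str, Permissions]:
    """Return (name, Permissions) for one `ls -l` line (name is the last field)."""
    fields = line.split()
    if len(fields) < 8:  # mode, links, owner, group, size, date, time, name
        raise ValueError(f"not an ls -l line: {line!r}")
    return fields[-1], decode_mode(fields[0])


def world_writable(listing: str) -> list[str]:
    """Names of entries where 'everyone else' holds write permission."""
    names = []
    for line in listing.splitlines():
        if not line or line.startswith("total"):
            continue
        name, perms = parse_ls_line(line)
        if "w" in perms.other:
            names.append(name)
    return names


def octal_table() -> list[tuple[str, str, int]]:
    """All eight rwx combinations as (symbolic, 3-bit binary, octal digit)."""
    rows = []
    for value in range(8):
        sym = ("r" if value & 4 else "-") + ("w" if value & 2 else "-") + ("x" if value & 1 else "-")
        rows.append((sym, f"{value:03b}", value))
    return rows


# Constructed sample: the section's listing plus one invented world-writable file.
SAMPLE_LISTING = """\
total 68
-rw-rw-r-- 1 rich rich   50 2007-09-13 07:49 file1.gz
-rwxrwxr-x 1 rich rich 4882 2007-09-18 13:58 myprog
-rw-rw-rw- 1 rich rich   12 2007-09-18 14:02 scratch.txt
drwxrwxr-x 2 rich rich 4096 2007-09-03 15:12 test1
"""

if __name__ == "__main__":
    for sym, binary, value in octal_table():
        print(f"{sym}  {binary}  {value}")
    print("world-writable:", world_writable(SAMPLE_LISTING))
```

Running the script prints the combination table and reports `scratch.txt` as the only world-writable entry; the `myprog` line decodes to octal 775, matching the owner/group rwx and everyone-else r-x described above.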

## Default file permissions

You may be wondering where these file permissions come from. The answer is umask. The umask command sets the default permissions for any file or directory you create:

```
$ touch newfile
$ ls -al newfile
-rw-r--r-- 1 rich rich 0 Sep 20 19:16 newfile
$
```

The touch command created the file using the default permissions assigned to my user account. The umask command shows and sets the default permissions:

```
$ umask
0022
$
```

Unfortunately, the umask command setting isn't overtly clear, and trying to understand exactly how it works makes things even muddier. The first digit represents a special security feature called the sticky bit. We'll talk more about that later on in this chapter in the "Sharing Files" section. The next three digits represent the octal values of the umask for a file or directory.

To understand how umask works, you first need to understand octal mode security settings. Octal mode security settings take the three rwx permission values and convert them into a 3-bit binary value, represented by a single octal value. In the binary representation, each position is a binary bit. Thus, if the read permission is the only permission set, the value becomes r--, relating to a binary value of 100, indicating the octal value of 4. The table below shows the possible combinations you'll run into.

Octal mode takes the octal permissions and lists three of them in order for the three security levels (user, group, and everyone). Thus, the octal mode value 664 represents read and write permissions for the user and group, but read-only permission for everyone else.

Now that you know about octal mode permissions, the umask value becomes even more confusing. The octal mode shown for the default umask on my Linux system is 0022, but the file I created had an octal mode permission of 644. How did that happen? The umask value is just that, a mask. It masks out the permissions you don't want to give to the security level. Now we have to dive into some octal arithmetic to figure out the rest of the story.

The umask value is subtracted from the full permission set for an object. The full permission for a file is mode 666 (read/write permission for all), but for a directory it's 777 (read/write/execute permission for all). Thus, in the example, the file starts out with permissions 666, and the umask of 022 is applied, leaving a file permission of 644.
The umask value is normally set in the /etc/profile startup file. You can specify a different default umask setting using the umask command:

```
$ umask 026
$ touch newfile2
$ ls -l newfile2
-rw-r----- 1 rich rich 0 Sep 20 19:46 newfile2
$
```

By setting the umask value to 026, the default file permissions become 640, so the new file now is restricted to read-only for the group members, and everyone else on the system has no permissions to the file. The umask value also applies to making new directories:

```
$ mkdir newdir
$ ls -l
drwxr-x--x 2 rich rich 4096 Sep 20 20:11 newdir/
```

Since the default permissions for a directory are 777, the resulting permissions from the umask are different from those of a new file. The 026 umask value is subtracted from 777, leaving the 751 directory permission setting.
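The arithmetic above can be checked in code. The following is an added example, not code from the original text: it applies a umask to the 666 file base and the 777 directory base the way the operating system does, as a bit mask (each bit set in the umask is cleared), and renders the result symbolically. It reproduces the 0022 → 644 and 026 → 640/751 results from the section, and also shows the one caveat worth knowing: "subtracting" the umask gives the same answer only while the umask never names a bit the base already lacks, which is why a umask such as 111 applied to a file does not subtract cleanly. The `demo_with_tempfile` helper is an assumption of a POSIX system and creates a file in a temporary directory to confirm the computed mode against what the kernel actually assigned.

```python
"""Apply a umask to the default permission bases with a bit mask, as the kernel does.

Added example, not part of the original page. Assumes a POSIX system for the
temporary-file demonstration at the bottom; the pure functions run anywhere.
"""
import os
import stat
import tempfile

FILE_BASE = 0o666   # full permission for a new file: read/write for all, no execute
DIR_BASE = 0o777    # full permission for a new directory: read/write/execute for all


def symbolic(mode: int) -> str:
    """Render the low nine bits of a mode as rwxrwxrwx, with dashes for denied bits."""
    out = []
    for shift in (6, 3, 0):
        digit = (mode >> shift) & 0o7
        out.append(("r" if digit & 4 else "-")
                   + ("w" if digit & 2 else "-")
                   + ("x" if digit & 1 else "-"))
    return "".join(out)


def apply_umask(base: int, umask: int) -> int:
    """Permissions a new object receives: every bit set in umask is cleared from base."""
    return base & ~umask & 0o777


def default_modes(umask: int) -> dict[str, str]:
    """Octal and symbolic defaults for a new file and a new directory under `umask`."""
    f = apply_umask(FILE_BASE, umask)
    d = apply_umask(DIR_BASE, umask)
    return {
        "file": f"{f:03o}", "file_symbolic": symbolic(f),
        "dir": f"{d:03o}", "dir_symbolic": symbolic(d),
    }


def subtraction_matches(base: int, umask: int) -> bool:
    """True when plain octal subtraction (the text's shortcut) equals the real mask.

    The two agree only when every bit set in umask is also set in base; otherwise
    the subtraction borrows across digits and produces a mode the kernel never would.
    """
    return (base - umask) == apply_umask(base, umask)


def demo_with_tempfile(umask: int) -> str:
    """Create a file under `umask` and return the mode the kernel actually assigned.

    Assumes POSIX semantics. The process umask is restored before returning.
    """
    previous = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            path = os.path.join(tmp, "newfile")
            with open(path, "w"):
                pass
            return f"{stat.S_IMODE(os.stat(path).st_mode):03o}"
    finally:
        os.umask(previous)


if __name__ == "__main__":
    for mask in (0o022, 0o026):
        print(f"umask {mask:03o}:", default_modes(mask))
    print("666 - 022 matches mask:", subtraction_matches(FILE_BASE, 0o022))
    print("666 - 111 matches mask:", subtraction_matches(FILE_BASE, 0o111))
    print("kernel-assigned mode under umask 026:", demo_with_tempfile(0o026))
```

With the section's values, `default_modes(0o022)` gives a file mode of 644 and `default_modes(0o026)` gives 640 for files and 751 (`rwxr-x--x`) for directories, matching the `ls -l` output above; the temporary-file check returns the same 640 on a POSIX system.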