Managing Permissions with Unix

Unix allows a number of people to work on the same machine at once and have access to shared files. This allows hundreds of members of the NYU community to develop and maintain content for NYU Web; you and your colleagues may even have been put into a web permissions group so you can share file access to content in your directory.

Unix allows you to designate, on a file-by-file basis, who has permission to read the file and and/or write to the file. This is known as setting file permissions. When you upload a file, you become the owner of that file and it is assigned (usually) to the default permissions group that you are in. But, unless you say that other group members have permission to write to the file, they cannot make modifications, they’ll only be able to read the file.

On this page:

• Terminology
• Reading Permissions
• Modifying Permissions
  • All permissions inside a permission except subdirectories
  • Directory permissions
  • All files and subdirectories
  • Group permissions

Terminology

When reading tutorials on how to edit Unix permissions there are several common terms used. Please reference these tables to better understand what each term and/or symbol means.

^ Back to top

Reading Permissions

The line below is an example of what file permissions look like on the web server.

-rwxr--r-- username groupname 546 Dec 10 13:10 filename

Broken down section by section, that line means:

• -rwxr--r--
  • This first character (-) designates what type of entry it is.
  • If it is a file, the first character will be a "-" and the entry will look like this: -rwxr--r--
  • If it is a directory, the first character will be a d and the entry will look like this: drwxr--r--
• rwx
  • The first three slots are the permissions for the owner of the file.
  • The r means the owner can read the file; the w means the owner can write to the file; and the x means the owner can execute the file.
  • The x bit, e.g., the execute option, is usually only set when the file is a script or when permissions are set for a directory. If a script is not executable, it cannot run. If a directory is not executable, it cannot be opened or seen by the web browser.
    
• r--
  • The second three slots are the permissions for the group.
  • In this case, the group members can read the file (r) but not write it or execute it.
    
• r--
  • The last three slots are the permissions for the world.
  • In order to have your pages visible by people viewing through a web browser, you need this set to "readable."
    
• username
  • This is the owner of the file. Your NetID will appear in this space.
    
• groupname
  • This is the name of the web permissions group to which this file belongs. Your web permissions group name will appear in this space.
  • The NYU Web Team will assign a web permissions group name when we create your account.
  • Those working on sites alone will not be in a web permissions group and need not worry about group permissions.
  • The default web permissions group is "users". You will be placed in this group when your account is created.
    
• 546
  • This is the file's size in bytes.
  • 546 bytes is roughly equal to .5 Kilobytes (K). 1 Megabyte (MB) is equal to 1024K.
    
• Dec 10 13:10
  • This is the last modification date of the file.
    
• filename
  • This is the name of the file.

^ Back to top

Modifying Permissions

When you upload a file to the web server, the permissions are set by default so that the owner of the file can read and write to the file, the group and world can only read it (-rw-r--r--). If you're working with a web permissions group, then your default permissions should be set so that both you as the owner of the file and the group with whom you're working will be able to write to the file (-rw-rw-r-).

If you find that this is not the case, you will need to log into the server using SSH, go to the specific web directory in which the file(s) resides (see Unix navigation commands), and use specific Unix commands to change the file(s) permissions.

First, list the contents of the directory, by using the ls -lag command which will allow you to see file permissions, owners and groups. For example:

i4% ls -lag
total 18
drwxrwxr-x    2     aqe123    users           6   Sep 10 17:43 .
drwxrwxr-x   26    aqe123    users         122   Sep 2 17:58 ..
-rw-r--r--        1    aqe123    webedit       19   Sep 10 17:43 .htaccess
-rw-r--r--        1    aqe123    webedit  16209  Sep 10 17:43 address.html
-rw-r--r--        1    aqe123    webedit      887  Sep 10 17:30 examples.html

Here, the file owner is NetID aqe123. The group ownership belongs to the group called webedit. The files, however, are not set correctly for group permissions. Therefore, we must change them appropriately.

^ Back to top

Modify all permissions inside a directory except subdirectories

Use the command:

chmod 664 *.*

Broken down by section, that command means:

• chmod
  • Unix command meaning "change mode."
    
• 644
  • Number combination that will set the permissions correctly so that both the owner and group can read and write to the file(s).
    
• *.*
  • Means that all files that contain a period before the file extension; for example, this would affect files with a .html or .jpg suffix.
  • This character combination will omit directories and files such as .htaccess.

Once the chmod command is executed, the file's permissions will be changed. To check, use the ls -lag command again:

i4% ls -lag
total 18
drwxrwxr-x     2     aqe123      users         6   Sep 10 17:43 .
drwxrwxr-x   26     aqe123      users      122   Sep 2 17:58 ..
-rw-r--r--        1     aqe123    webedit      19   Sep 10 17:43 .htaccess
-rw-r--r--        1     aqe123    webedit 16209   Sep 10 17:43 address.html
-rw-r--r--        1     aqe123    webedit     887   Sep 10 17:30 examples.html

Note the changes to the first column - the permissions have been changed from rw-r--r-- to rw-rw-r--.

^ Back to top

Modify directory permissions

Use the command:

chmod 775 directoryname

will allow the directory to be accessed by both its owner and the group. But remember, you cannot be inside of the directory whose permissions you are trying to change. You must be one directory above it to make any changes.

^ Back to top

Modify permissions on all files and subdirectories

Use the command:

chmod -R g+w directoryname

to execute permission changes on every file and subdirectory contained within a main directory. Use the -R flag to indicate a recursive change.  

This means change the permissions mode recursively so that all files and subdirectories within directoryname are readable and writeable by the permissions group.

^ Back to top

Modify group permissions

If you find that some of your files or directories are not owned by the correct web permissions group (for example, they were created with the default "users" group), you can change the group ownership (as long as you own the file/directory) using the chgrp command. The command chgrp means "change group".

For example:

chgrp –R group directoryname

This means change the group permissions recursively so that all files and subdirectories are owned by the group called group within the directory directoryname (where directoryname is the name of the directory in which you wish to change all the group ownership permissions and group is your correct web permissions group).

You can also change group permissions on individual files:

chgrp group file.html

where group above is your correct web permissions group and file.html is the file for which you want to change group permissions.

In case you are interested, the following chart shows how we get the numbers 664 and 775 that were used in the previous examples. You just add up the numbers of the settings you want:

Examples

^ Back to top