Join Kevin Skoglund for an in-depth discussion in this video, File and directory permissions, part of Unix for Mac OS X Users.
Now that we understand file and directory ownership, we are ready to look at file and directory permissions. The way that we see permissions is using the ls -la, just like we did for owner, to show us the full listing. Notice that I am already inside my user directory inside the unix_files folder. In this listing, we just got through talking about the owner column, the column where it says kevin over and over, and then the one where it says staff, that's the group column. What I want to talk about now is that very first block there, all the rws and dashes that are there. The very first character that you see we already said was an indicator of whether or not it's a directory, a file, or a link.
d for directory, dash for file, l for symbolic link. The next nine characters after that are a notation that indicates the permissions for each of these files and directories. So before we can go about changing the permissions, we need to understand what these symbols are trying to tell us about the current permissions. So we need to know how to decode them. We refer to this system as being alpha notation because we are using the alphabet to describe the different permissions. Imagine that we have three categories. We have our user, which is our owner category. We are going to call it user.
That's the first category. The second one is group, everyone who belongs to the group, and then the third category is other. That's everyone else who might have access to this file. So user, group, and other are our three categories. And for each of them we can set three kinds of permissions. We can set read permissions, whether or not you can read the contents of a file or a directory. Write, whether or not we can actually make changes to a file or make changes to a directory. And then execute, which for a file would mean that we could run it like a program or a script. For a directory, it means that we can search inside of it.
That's what it means to be able to execute on a directory. Notice in this table that I've got yes's and no's, indicating which permissions I'd like to give each of these three categories. So I want the owner of the file to be able to read, write, and execute a file. The group, I'd like to just be able to read and write it. They can't execute it. For everyone else, they can only read it. I don't want them to make changes. So the only people who should be able to make changes are the user and the group. So what we do for each of those, read, write, and execute, is we use the letter r, w, or x to indicate it and then we essentially add them up, so that what we end up with for the user is r, w, and x and they can do all three things.
The group is r and w, but not an x and we put a placeholder dash in place of it. For everyone else, they can only read. So they get r and two dashes. Notice now we have nine characters. You take all of those, you smash them together, and that is the nine-character permission string that we are seeing in our directory listing. So for example, if we take this file lorem_ipsum.txt, you can see that its permissions allow me, the owner, to read and write to the file but not execute it and that's fine. Frequently we don't have execute turned on for files because it's not a script. It's a text file.
We don't need to run this. We are just going to be reading and writing to it. The group, which would be everyone in the group staff, which you'll remember included the other user I created, lynda, has the ability to read the file, but not to write to it or execute it, and then everyone else, everyone else who might ever come in contact with this file, is able to read it, but not to write and execute to it. Now you can see, for example, that there are different permissions down here for the test directory. By default, directories are given the x so that they are searchable. It's essentially the same thing as being able to read, so we're able to search inside of it if we can read what's in it.
So, by default, when you create a directory, it will include that as well. But you can see that the group staff and everyone else can't write to this directory. They can just read it and search it. So let's see how this prevents people from having access. Let's take a look as a contrast. I have the other user on here, which is lynda, and now we can see the contents of her directory. Here is the directory. Remember this dot represents the current directory. So this is the directory we are looking at. We as part of her group have read and execute permissions on this directory. That's why we are able to see this listing.
Let's try now to do the same thing, but let's add pictures to begin. We are going to try and look at her vacation photos. Notice what the permissions are down here. She has read, write, and execute privileges, but that's it. No one else has any privileges. So if we hit Return, it says "Oops, permission denied." If we do cd into that folder, you will see it says "Nope sorry, you can't get in there, permission denied." So you see how it works. You see how these keep us from getting into other people's stuff. So we can see her user directory, but we're not able to go any deeper into her documents or her movies or her pictures or anything like that.
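The decoding walked through above, as an added shell example that is not part of the video or the course files: `decode_mode` and `describe_triplet` are hypothetical helper names, and the sample mode strings are constructed to match the cases described (the table, a text file, a default directory, and a private directory).

```shell
#!/bin/sh
# Added example: decode the mode column of `ls -l` (alpha notation).

# describe_triplet TRIPLET XNAME: list the permissions in one rwx triplet.
describe_triplet() {
    out=""
    case $1 in r??) out="read" ;; esac
    case $1 in ?w?) out="${out:+$out,}write" ;; esac
    case $1 in ??x) out="${out:+$out,}$2" ;; esac
    printf '%s' "${out:-none}"
}

# decode_mode MODE: print the type and the user/group/other permissions.
decode_mode() {
    mode=${1%[@+]}   # macOS ls may append @ (extended attributes) or + (ACL)
    # Accept only the characters covered here: type, then three r/w/x triplets.
    case $mode in
        [-dl][-r][-w][-x][-r][-w][-x][-r][-w][-x]) ;;
        *) echo "unsupported mode string: $1" >&2; return 1 ;;
    esac
    perms=${mode#?}                 # the nine permission characters
    case ${mode%"$perms"} in        # the first character is the type
        d) kind="directory"; xname="search" ;;   # x on a directory = search
        l) kind="symbolic link"; xname="execute" ;;
        *) kind="file"; xname="execute" ;;
    esac
    user=${perms%??????}
    group=${perms#???}; group=${group%???}
    other=${perms#??????}
    printf '%s: user=%s group=%s other=%s\n' "$kind" \
        "$(describe_triplet "$user" "$xname")" \
        "$(describe_triplet "$group" "$xname")" \
        "$(describe_triplet "$other" "$xname")"
}

# Constructed sample modes, one per case described in the transcript.
for m in -rwxrw-r-- -rw-r--r-- drwxr-xr-x drwx------; do
    printf '%s  ' "$m"; decode_mode "$m"
done
```

Mode strings containing characters outside d, l, r, w, x and dash are rejected rather than guessed at, since the alpha notation described here does not cover them.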
- Moving around the file system
- Creating and reading files
- Copying, moving, renaming, and deleting files and directories
- Creating hard links and symbolic links
- Understanding user identity, file ownership, and sudo
- Setting file permissions with alpha and octal notation
- Changing the PATH variable
- Using the command history
- Directing input and output
- Configuring the Unix working environment
- Searching and replacing using grep and regular expressions
- Manipulating text with tr, sed, and cut
- Integrating with the Finder, Spotlight, and AppleScript