How do I protect my files?
All files and directories have permissions on them which describe who is allowed to do what with them. You can see the permissions on a file or folder by running ls -l. Permissions have the form of a 10-character string that is grouped as follows:
- The first character describes what the item is. Files are marked with -, and directories are marked with d.
- The next three characters (2 through 4) correspond to permissions for u, the user who owns the item.
- The next three characters (5 through 7) correspond to permissions for g, the group that the item belongs to. These permissions apply to users who are members of the item's group but do not own the item.
- The last three characters (8 through 10) correspond to permissions for o, for "other" or "world." These permissions apply to everyone else.
Except for the item description character, each set of three characters is organized in the same way:
- The first character is r if reading is allowed, or - if reading is not allowed.
- The second character is w if writing is allowed, or - if writing is not allowed.
- The third character is x if executing the file (or searching the directory) is allowed, or - if executing is not allowed.
For files, these permissions are fairly self-explanatory: read allows you to read the file, write allows you to edit the file, and execute allows you to run the file (like a shell script). For directories, read allows you to list the contents of the directory, write allows you to create and delete files in the directory, and execute allows programs (including a web browser) to traverse the directory and access the files inside it.
Keep in mind that even if you disallow someone from editing a file by denying them write access, if the directory allows them write access, they can read the file, copy its contents, and then delete and recreate the file with whatever permissions they desire. If you deny write access to a directory, but allow write access to the parent directory, they can delete and recreate the whole directory in the same way. Be careful with who you give write access to!
To change permissions on a file or folder, use the command chmod <mode> <file>, where <mode> is how you want to change the permissions, and <file> is the file or folder whose permissions you want to change. To describe to chmod how you wish to change the permissions of the file, you can either describe only the change you wish to make, or describe the permissions for the file as a whole.
To describe just the permission change, the mode will be a character representing the group you want to change (u for user/owner, g for group, o for other/world, or a for all three), followed by a character representing how you want to change the permission (+ to grant the permission, - to revoke it), followed by a character representing the permission to change (r for read, w for write, x for execute). For example, to remove write permission for other on a file, the mode is o-w, while to add execute permission for everyone, the mode is a+x. You can also combine multiple groups and permission settings in one mode: to add read access for user and group, but not other, the mode is ug+r, while to remove write and execute permissions for other, the mode is o-wx.
To describe the permissions for the file as a whole, we use a number instead of a string of characters. Each permission type is assigned a number: read is 4, write is 2, execute is 1. The mode we will use is a set of three sums, one for each permissions group. For example, let's say we want user to have read, write, and execute access, group to have read and execute access, and other to have read access only. The sum for user is 4+2+1=7, the sum for group is 4+0+1=5, and the sum for other is 0+0+1=1, so the mode is 751.
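The two ways of describing a mode above (the ls -l string and the u/g/o sums, plus symbolic changes like ug+r and o-wx) are all arithmetic on the same nine bits. The following script is an added example, not part of this page, that converts between them and flags the world-writable case warned about earlier; the function names are my own.

```python
import re

# Numeric value of each permission, as described on the page: r=4, w=2, x=1.
PERM_BITS = {"r": 4, "w": 2, "x": 1}
# Each class occupies one octal digit: user is the high digit, other the low one.
WHO_SHIFT = {"u": 6, "g": 3, "o": 0}


def parse_ls_mode(mode_string):
    """Turn the 10-character ls -l string (e.g. '-rwxr-x--x') into
    (kind, mode), where kind is '-' or 'd' and mode is the numeric mode."""
    if len(mode_string) != 10:
        raise ValueError("expected a 10-character permission string")
    kind, perms = mode_string[0], mode_string[1:]
    mode = 0
    for i, ch in enumerate(perms):
        expected = "rwx"[i % 3]          # position within its r/w/x triplet
        if ch == expected:
            mode |= PERM_BITS[ch] << WHO_SHIFT["ugo"[i // 3]]
        elif ch != "-":
            raise ValueError(f"unexpected character {ch!r} at position {i + 2}")
    return kind, mode


def to_ls_string(kind, mode):
    """Inverse of parse_ls_mode: numeric mode back to the ls -l string."""
    out = kind
    for c in "ugo":
        for p in "rwx":
            out += p if mode & (PERM_BITS[p] << WHO_SHIFT[c]) else "-"
    return out


def apply_symbolic(mode, symbolic):
    """Apply one symbolic chmod clause such as 'o-w', 'a+x', 'ug+r' or 'o-wx'
    to a numeric mode and return the resulting mode."""
    m = re.fullmatch(r"([ugoa]+)([+-])([rwx]+)", symbolic)
    if not m:
        raise ValueError(f"unsupported symbolic mode {symbolic!r}")
    who, op, perms = m.groups()
    classes = "ugo" if "a" in who else who   # 'a' means all three classes
    bits = 0
    for p in perms:
        bits |= PERM_BITS[p]
    for c in classes:
        mask = bits << WHO_SHIFT[c]
        mode = mode | mask if op == "+" else mode & ~mask
    return mode


def world_writable(mode):
    """True when 'other' has write access: the case the page warns about."""
    return bool(mode & (PERM_BITS["w"] << WHO_SHIFT["o"]))
```

Running to_ls_string("-", 0o751) gives -rwxr-x--x, and world_writable(0o757) reports True for a mode that lets anyone else delete or recreate files.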