Protecting Your Files

UNIX file protections.

Using and understanding the ls command.

First we need to know how to view the protections of the files. The ls command will list the files in a directory, but we do not want to just see their names; we want to know their owner, group and protections as well. Thus, we will use the command ls -la: the -l lists owner, group and protections, and the -a lists 'hidden' files (the ones that begin with a .). So, in a sample directory:

    mordor> ls -la
    total 20
    drwx------   3 brian    staff        512 Jun 13 09:27 ./
    drwxr-xr-x  12 brian    staff       1024 Jun 13 09:18 ../
    -rw-------   1 brian    staff       2615 Jun 13 09:33 .omega
    -rw-r--r--   1 brian    staff        365 Jun 13 09:33 alpha
    -rw-------   1 brian    staff       1834 Jun 13 09:34 beta
    -rwxr-xr--   1 brian    staff      10031 Jun 13 09:34 delta*
    drwx------   2 brian    staff        512 Jun 13 09:18 gamma/
    lrwxrwxrwx   1 brian    staff          4 Jun 13 09:25 rho@ -> beta
    mordor>

So what does this tell us? The total 20 means that the files displayed take up a total of 20 kilobytes. The first column tells us something about the type of file: d is a directory, - is a normal file, and l is a link. (The file rho is a link pointing to the file beta. more rho and more beta are equivalent.) The next nine characters are the protection mask; for example, alpha's is rw-r--r--. Reading this will be discussed later. Following that are the file's owner (all brian) and group (all staff). Since it is rare for users to need to change a file's owner or group, that will not be discussed here. The next number is the size of the file in bytes; for example, beta's is 1834. Following that is the creation date of the file, and finally the file name.

(You will also notice that after the filenames there is a /, *, @, or nothing. This is because ls is aliased to ls -F, which adds / for a directory, * for an executable file, @ for a link, and nothing for a normal file, after the filename. This is so you can tell something about the files without having to do an ls -l. These last characters are _not_ part of the file's name, so you would type more rho to see what is in rho, not more rho@.)

We also see the file .omega, which is a normal file; ., which stands for the current directory; and .., which is the next higher directory, so cd .. will take you up a directory.

Reading the protection mask.

There are three levels of UNIX file protections: owner, group, world. Within each one of these there are three different types of protection: read, write and execute (r, w, and x). Thus the nine entries in the protection mask correspond to owner, group, world, each with three entries. So the file delta:

    -rwxr-xr--   1 brian    staff      10031 Jun 13 09:34 delta*

means that owner has rwx, group r-x, and world r--. That is, owner has read, write and execute, group has read and execute, and world has only read. This means anyone on the system can read this file (world protection), anyone in the group staff can read or execute it, and the owner, brian, can read, change (write), and execute the file.

The types of protection mean different things when applied to files or directories.

Files:

Directories:

Thus, by setting directory protections, files that normally could be read can be protected by the directory, or files that normally cannot be deleted can be, just by the protection of the directory.

Note that for links, it's always rwxrwxrwx. This is because the protection is controlled by the file the link points to.

Setting the protection mask.

Protections are set by using the chmod command. The format of the command is:

    chmod mask filename(s)

where filename(s) are the file(s) that you want to change, with wild cards being allowed. For example, chmod 644 qwe* will change all the files beginning with qwe in the current directory.

Mask is a little tricky. The mask of a file, like rwxr-xr--, consists of three separate segments, in this case rwx, r-x and r--. Each segment can be considered a three-bit binary number, where a bit that is on (a one) means that type of protection is set. For example:

Thus doing a chmod 750 beta would change beta to owner rwx, group r-x, and world --- (nothing). A chmod 644 beta would change beta to owner rw-, group r--, and world r--.

For normal files I set them to either 644 or 600, depending on whether I want them to be seen or not. For directories, I generally set them to 755 or 700, again depending on whether I want them to be used by other people or not. If you only want people in your group to see something, you could do 640 on a normal file and 750 on the directory above it. If you wanted the group to be able to change this file, you could chmod 660 it.

And more...

The umask command (normally in the .login) controls the default protections for file creation. All files created after a umask command is issued get protections according to the umask specified. It's a reverse mask of the chmod bit mask, so umask 077 creates secure, owner-only files, while umask 022 allows world and group to read files.

Of course there are man pages for ls, chmod, and umask which will explain things in greater detail. Also see chown and chgrp for changing owner and group of files.
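The mask arithmetic from "Setting the protection mask", as an added example that is not part of the original page: it converts between chmod's octal digits and the rwx strings ls -l prints, then checks the prediction against a real scratch file. The function names are made up for this illustration, and the special s/t bits are not handled.

```shell
#!/bin/sh
# Added example: translate between octal chmod masks and the rwx strings
# that ls -l prints, then confirm the translation against a real file.

# digit_to_rwx 5 -> r-x   (bit values: 4 = read, 2 = write, 1 = execute)
digit_to_rwx() {
    d=$1; out=""
    if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
    if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
    if [ $((d & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    printf '%s' "$out"
}

# mask_to_rwx 750 -> rwxr-x---   (owner, group, world digits in that order)
mask_to_rwx() {
    case $1 in
        [0-7][0-7][0-7]) ;;
        *) echo "mask must be three octal digits" >&2; return 1 ;;
    esac
    o=${1%??}; rest=${1#?}; g=${rest%?}; w=${1#??}
    printf '%s%s%s\n' "$(digit_to_rwx "$o")" "$(digit_to_rwx "$g")" "$(digit_to_rwx "$w")"
}

# rwx_to_mask rwxr-xr-- -> 754   (the reverse direction, e.g. from ls output)
rwx_to_mask() {
    s=$1; mask=""
    [ ${#s} -eq 9 ] || { echo "need nine characters" >&2; return 1; }
    while [ -n "$s" ]; do
        rest=${s#???}; seg=${s%"$rest"}; s=$rest; d=0
        case $seg in r??) d=$((d + 4)) ;; esac
        case $seg in ?w?) d=$((d + 2)) ;; esac
        case $seg in ??x) d=$((d + 1)) ;; esac
        mask="$mask$d"
    done
    printf '%s\n' "$mask"
}

# file_rwx PATH -> the nine protection characters ls -l shows for PATH
file_rwx() { ls -ld "$1" | cut -c2-10; }

# chmod_matches MASK: chmod a scratch file, compare ls with the prediction
chmod_matches() {
    f=$(mktemp) || return 1
    chmod "$1" "$f"; got=$(file_rwx "$f"); rm -f "$f"
    [ "$got" = "$(mask_to_rwx "$1")" ]
}
```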
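The umask behaviour from "And more...", as an added example that is not part of the original page: it creates a file and a directory under a given umask and reports the protections they receive, then lists entries in a tree that group or world can reach. The function names are made up for this illustration, and it assumes a scratch directory on an ordinary UNIX filesystem.

```shell
#!/bin/sh
# Added example: show the protections new files and directories receive
# under a given umask, and list entries that are not owner-only.

# file_rwx PATH -> the nine protection characters ls -l shows for PATH
file_rwx() { ls -ld "$1" | cut -c2-10; }

# new_file_rwx UMASK -> protections of a file created under that umask.
# The ( ) body runs in a subshell, so the caller's umask is left alone.
new_file_rwx() (
    dir=$(mktemp -d) || exit 1
    umask "$1"
    : > "$dir/file"      # plain creation asks for 666; umask bits are removed
    file_rwx "$dir/file"
    rm -rf "$dir"
)

# new_dir_rwx UMASK -> protections of a directory created under that umask
new_dir_rwx() (
    dir=$(mktemp -d) || exit 1
    umask "$1"
    mkdir "$dir/sub"     # mkdir asks for 777; umask bits are removed
    file_rwx "$dir/sub"
    rm -rf "$dir"
)

# exposed_entries DIR -> "rwx-string path" for everything under DIR that has
# any group or world bit set. Links are skipped: they always show rwxrwxrwx
# and the real protection is that of the file they point to.
exposed_entries() {
    find "$1" ! -type l | while IFS= read -r p; do
        case $(file_rwx "$p") in
            ???------) ;;    # owner-only, nothing to report
            *) printf '%s %s\n' "$(file_rwx "$p")" "$p" ;;
        esac
    done
}
```

Running exposed_entries over a home directory after switching to umask 077 shows which older files still carry the more permissive defaults.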