
The Planet Blog

Author Archive

Ryan Robson

Permissions in a UNIX environment cause a lot of customer issues. While everyone understands the value of secure systems and limited access, any time an “access denied” message pops up, the most common knee-jerk reaction is to enable full access to one’s files (chmod 777, as I’ll explain later). This is a BAD IDEA. Open permissions are a hacker’s dream come true. An open permission setting might have been a temporary measure, but more often than not, the permissions are left in place, and the files remain vulnerable.

To better understand how to use permissions, let’s take a step back and get a quick refresher on key components.

You’ll need to remember the three permission types:
r w x: r = read; w = write; x = execute

And the three types of access they can be applied to:
u g o: u = user; g = group; o = other

Permissions are usually displayed in one of two ways – either with letters (rwxrwxrwx) or numbers (777). When the permissions are declared with letters, you should read them as three sets of three characters. The first set applies to the user, the second applies to the group, and the third applies to other (everyone else). If a file is readable only by the user and cannot be written to or executed by anyone, its permission level would be r--------. If it could be read by anyone but written only by the user and the group, its permission level would be rw-rw-r--.

The numeric form of chmod uses bits to represent permission levels. Read access is represented by the value 4, write by 2, and execute by 1. When you want a file to have read and write access, you just add the permission values: 4 + 2 = 6. When you want a file to have read, write and execute access, you’ll have 4 + 2 + 1, or 7. You then apply one such digit per category, in the same order as above: user, group, other. Taking the example from the last sentence of the previous paragraph, a file that could be read by anyone but written only by the user and the group would have a numeric permission level of 664 (user: 6, group: 6, other: 4).

Now the “chmod 777” I referenced above should make a little more sense: All users are given all permissions (4 + 2 + 1 = 7).

Applying Permissions

Understanding these components, applying permissions is pretty straightforward with the use of the chmod command. If you want a user (u) to write and execute a file (wx) but not read it (r), you’d use something like this:

[Terminal image: chmod output]

In the above terminal image, I added the -v parameter to make it “verbose,” so it displays the related output or results of the command. The permissions set by the command are shown as the number 0300 and the string -wx------. Nobody but the user can write or execute this file, and as of now, the user can’t even read the file. If you were curious about the leading 0 in “0300,” it simply means that you’re viewing an octal output, so for our purposes, it can be ignored entirely.

In that command, we’re removing the read permission from the user (hence the minus sign between u and r), and we’re giving the user write and execute permissions with the plus sign between u and wx. Want to alter the group or other permissions as well? It works exactly the same way: g+, g-, o+, o- … Getting the idea? chmod permissions can be set with the letter-based commands (u+r, u-w) or with their numeric equivalents (e.g. 400 or 644), whichever floats your boat.
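Since the terminal image is not reproduced here, the following added shell example (mine, not from the original post) recreates the walkthrough on a throwaway file: it applies the symbolic form the post uses (u-r,u+wx), then the numeric equivalent (300), and reads the resulting mode back with ls -l instead of relying on the -v output, which differs between chmod implementations. It also applies the 664 case from the text for comparison. The function names and the use of mktemp are my choices; the only assumption is a POSIX sh with chmod, ls, cut and mktemp available.

```sh
# Added example: reproduce the post's chmod walkthrough on a temporary file.
# Symbolic (u-r,u+wx) and numeric (300) forms must leave the same mode.

# Print the 10-character permission field that ls -l shows for a path,
# e.g. "-rw-r--r--". cut also drops any trailing ACL/SELinux marker.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Apply one chmod mode (symbolic or numeric) to a fresh temporary file,
# print the resulting permission string, then remove the file.
mode_after_chmod() {
    f=$(mktemp) || return 1                 # mktemp creates the file as 0600
    chmod "$1" "$f" || { rm -f "$f"; return 1; }
    perm_string "$f"
    rm -f "$f"
}

# The post's example: the user loses read and gains write and execute.
# Group and other are untouched (still ---), so the result is 0300 / -wx------.
symbolic_demo() { mode_after_chmod 'u-r,u+wx'; }
numeric_demo()  { mode_after_chmod 300; }

# The 664 example from the text: user and group rw, everyone else read-only.
shared_readable_demo() { mode_after_chmod 664; }

# Run stand-alone: each line prints the mode string after the change.
symbolic_demo          # --wx------
numeric_demo           # --wx------
shared_readable_demo   # -rw-rw-r--
```

Both the symbolic and the numeric call print the same `--wx------`, which is exactly the state the post describes: the owner can write and execute but not read, and nobody else can touch the file.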

A Quick Numeric chmod Reference

chmod 777 | Gives specified file read, write and execute permissions (rwx) to ALL users
chmod 666 | Allows for read and write privileges (rw) to ALL users
chmod 555 | Gives read and execute permissions (rx) to ALL users
chmod 444 | Gives read permissions (r) to ALL users
chmod 333 | Gives write and execute permissions (wx) to ALL users
chmod 222 | Gives write privileges (w) to ALL users
chmod 111 | Gives execute privileges (x) to ALL users
chmod 000 | Last but not least, gives permissions to NO ONE (Careful!)

Get a List of File Permissions

To see what your current file permissions are in a given directory, execute the ls -l command. This returns a list of the current directory including the permissions, the group it’s in, the size and the last date the file was modified. The output of ls -l looks like this:

[Terminal image: ls -l output]

On the left side of that image, you’ll see the permissions in the rwx format. When the permission begins with the “d” character, it means that object is a directory. When the permission starts with a dash (-), it is a file.

Practice Deciphering Permissions

Let’s look at a few examples and work backward to apply what we’ve learned:

  • Example 1: -rw-------
  • Example 2: drwxr-x---
  • Example 3: -rwxr-xr-x

In Example 1, the file is not a directory, the user that owns this particular object has read and write permissions, and when the group and other fields are filled with dashes, we know that their permissions are set to 0, so they have no access. In this case, only the user who owns this object can do anything with it. We’ll cover “ownership” in a future blog, but if you’re antsy to learn right now, you can turn to the all-knowing Google.

In Example 2, the permissions are set on a directory. The user has read, write and execute permissions, the group has read and execute permissions, and anything/anyone besides user or group is restricted from access.

For Example 3, put yourself to the test. What access is represented by “-rwxr-xr-x”? The answer is included at the bottom of this post.
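To make the decoding mechanical, here is an added shell example (mine, not part of the original post) that performs the same steps the explanations above do by hand: split the ls -l string into the type character and three triplets, turn each triplet into its digit, and flag the world-writable state the post warns about at the start. It runs on Examples 1 and 2 and on a 666 file for contrast; pass Example 3 to it yourself to check your answer. Function names are my choice, and only the r, w, x and - characters the post covers are handled (the s and t markers for setuid/setgid/sticky are out of scope).

```sh
# Added example: decode ls -l permission strings into numeric modes and
# flag world-writable objects. Plain POSIX sh; no external tools beyond cut.

# Turn one three-character triplet such as "r-x" into its digit (here 5).
triplet_to_digit() {
    n=0
    case "$1" in r??) n=$((n + 4)) ;; esac
    case "$1" in ?w?) n=$((n + 2)) ;; esac
    case "$1" in ??x) n=$((n + 1)) ;; esac
    echo "$n"
}

# Convert a 10-character string like "drwxr-x---" into its mode, "750".
# Character 1 is the type; 2-4 user, 5-7 group, 8-10 other, as in the post.
mode_to_octal() {
    u=$(printf '%s' "$1" | cut -c2-4)
    g=$(printf '%s' "$1" | cut -c5-7)
    o=$(printf '%s' "$1" | cut -c8-10)
    echo "$(triplet_to_digit "$u")$(triplet_to_digit "$g")$(triplet_to_digit "$o")"
}

# "directory" when the string starts with d, otherwise "file".
object_type() {
    case "$1" in d*) echo directory ;; *) echo file ;; esac
}

# True (exit 0) when the "other" field carries write permission, i.e. the
# open state produced by chmod 777 or chmod 666 that the post cautions against.
is_world_writable() {
    case "$1" in ????????w?) return 0 ;; *) return 1 ;; esac
}

# One-line summary: string, type, numeric mode and a verdict.
describe() {
    verdict="ok"
    is_world_writable "$1" && verdict="WORLD-WRITABLE"
    echo "$1 -> $(object_type "$1") mode $(mode_to_octal "$1") [$verdict]"
}

# The post's Examples 1 and 2, plus a world-writable file for contrast.
describe '-rw-------'   # -rw------- -> file mode 600 [ok]
describe 'drwxr-x---'   # drwxr-x--- -> directory mode 750 [ok]
describe '-rw-rw-rw-'   # -rw-rw-rw- -> file mode 666 [WORLD-WRITABLE]
```

The same `is_world_writable` test is what you would apply to every line of `ls -l` output when auditing a directory for the leftover "temporary" 777 and 666 permissions the post describes.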

Wrapping It Up

How was that for a crash course in Unix environment permissions? Of course there’s more to it, but this will at least make you think about what kind of access you’re granting to your files. Armed with this knowledge, you can create the most secure server environment.

Here are a few useful links you may want to peruse at your own convenience to learn more:

Linuxforums.org
Zzee.com
Comptechdoc.org
Permissions Calculator

Did I miss anything? Did I make a blatantly ridiculous mistake? Did I use “their” when I should have used “they’re”??!!… Let me know about it. Shoot me an email (rrobson @ theplanet.com) or leave a comment if you’ve got anything to add, suggest, subtract, quantize, theorize, ponderize, etc. Think your useful links are better than my useful links? Throw those at me too, and we’ll toss ‘em up here. I hope this helps make at least one or two confused sysadmins’ first foray into the Unix dimension just a little bit easier.

- Ryan

Example 3 Answer

Ryan Robson

Smack dab in the middle of downtown Houston’s theater district sits the somewhat ambiguous – and intriguing – structure we call The Planet HQ. Just walking into the place is an awe-inspiring undertaking. It’s an old conference center that has been completely renovated with offices, conference rooms and catwalks. At this very moment, if I look to the right I see a neon blue-lit Ferris wheel spinning at the Aquarium restaurant complex across the road, and I can’t help but feel a little intimidated by the environment.

I recently joined The Planet as a Sr. Technical Support Specialist, so part of the intimidation might be the “new job” aspect. The place looks nice and the people seem great, so there has to be a catch. I’ve been around the block in the IT industry’s call centers and their ilk, and my honest expectation was to be hurled into the important, but somewhat soul-sucking, role of being a nameless cog in a corporate machine. That isn’t the case at all here.

I’m amazed by the depth of effort each of The Planet’s departments puts into interconnectivity. Yes, I answer phones, take care of customer concerns and work on servers, but what makes the real difference is the fact that everyone – and I mean everyone – has the opportunity to participate in the inner workings of The Planet as a whole.

My primary focus is helping our customers get the results they want, and at the same time, I have the opportunity to research, develop and contribute to every aspect of The Planet’s business. If I think something could be done better and have an idea on how to fix it, I won’t be dropping a card into a bottomless suggestion box … I’ll be contacting the person in charge – even up to the CEO – and presenting it myself. From what I’ve witnessed, those recommendations are taken seriously. Employees are empowered to make their jobs better and make customers happier. That’s unlike anything I’ve ever seen before.

I’m still pretty new here, and the natural intimidation I felt when I first walked into this building hasn’t completely worn off. But as I start to feel a little more comfortable, I can’t help but be proud that I have the opportunity to work with a company that treats its employees the way The Planet does. Not only does the environment give me the enthusiasm to do what needs to be done, but I honestly believe this approach will take the company to the top. If you ask me, that’s the kind of company I want to be a part of.

This may all sound like a PR spiel, but I can’t think of any other way to be more honest about my impressions as a first-month employee entering the fray. In the coming months, I hope to elaborate more on some of the actual operations happening here and talk about some of the services we’re building and providing. There’s definitely some exciting stuff in the works, and I’m looking forward to diving in head-first and giving you all a sneak peek.

-Ryan
