Permissions and Ownership
Intro
[0:00 Video timestamp]
This is the third in a series of tutorials on how to use Unix for software developers.
This section goes over file and directory permissions and ownership, including how to list and change permissions and ownership, and the sudo command.
Be warned this topic can be a little confusing, but you do need to understand it.
It is recommended to open your system's shell program and follow along with the topics covered.
- There is both a written and accompanying video version of this tutorial. There are timestamps under the headings that align with the video version of the topic.
- Read it: For each topic heading, first read the topic.
- Watch it: Then watch the associated section of the video.
- Do it: Then follow the instructions to replicate the steps in your Unix shell program.
- The Unix CheatSheet has a major category that aligns with this tutorial.
- Review it: When you are done with the whole tutorial, open the CheatSheet and review the Permissions and Ownership category from this tutorial. Make sure you understand everything, and can refer back to the CheatSheet when you are working on your own projects in the future.
Your Username and Groups
Open your Terminal to access the Unix shell.
Files and directories are assigned user and group permissions.
whoami Returns your username.
groups Returns the groups that you belong to.
If you are on a Mac then you are probably in the following groups: everyone, staff, admin.
- Staff is the default group that Macs assign to files and directories created by users (i.e., non-system files).
- Admin group means you have administrative permissions for files and directories.
- Everyone group carries the most basic permissions.
Directory & File Permissions
[1:46 Video timestamp]
Let's check the permissions and ownership of some of the default directories.
Go to your home directory: cd ~
Then run the list command with the long version option.
ls -l
On a Mac, the Home directory holds a bunch of standard directories including Documents, Desktop, Downloads, Music, Movies, and more.
They all have the same permissions and ownership. Using Desktop as an example, the info would be something like the below.
Permissions | ownerName | groupName | fileSize | dateModified | file/dir name |
---|---|---|---|---|---|
drwx------ | my-username | staff | 224 | Jul 20 | Desktop |
- OwnerName: OwnerName should be your username.
- GroupName: The group should be staff, which you are a member of.
- Permissions: The permissions column contains 10 characters.
- Type: The first character is either d or -. If d then it is a directory. If - then it is a file.
- The remaining 9 characters are 3 permission classes, each containing 3 character positions.
- The Permission classes are: owner, group, and other.
- In the above example the class permissions are:
- Owner: rwx
- Group: ---
- Other: ---
- This means the directory owner has full read, write, and execute permissions.
- The Group and Others (i.e., Everyone) have no permissions. The default group for all users is Staff. If there are multiple users of one machine, they each would have their own home directory and would all be members of the staff group. We don't want all users of the computer to be able to access each other's files, so the Staff group is not given access to the directories inside each home directory.
- Each permission class has three character positions, which in turn have two possible values:
- r readable, - not readable.
- w writable, - not writable.
- x file is executable or directory is traversable, - not executable/traversable.
- Note: only those with execute access for a directory can traverse through its files and subdirectories.
- Since only the owner has execute permission to the standard Home directories (e.g., Desktop, Documents, Downloads, Pictures, Music, Movies), other users cannot access their files or subdirectories, even if those files give Group or Others read, write, or execute permissions. We'll come back to this in the next section.
Permissions for user created files and directories
Let's create a file and directory on the Desktop.
Change directories to your desktop.
cd ~/Desktop
pwd returns the absolute path to the directory you are in.
Create a file named myfile.txt and directory named temp.
touch myfile.txt
mkdir temp
ls -l Run the list command with the long version option.
This will return something like the below information for the temp directory and myfile.txt:
Permissions | ownerName | groupName | fileSize | dateModified | file/dir name |
---|---|---|---|---|---|
drwxr-xr-x | my-username | staff | 0 | Jul 20 | temp |
-rw-r--r-- | my-username | staff | 0 | Jul 20 | myfile.txt |
- For the temp directory:
- The first permission character is d indicating it is a directory.
- You should be the owner and have full rwx read-write-execute permissions.
- Staff should be the group and have r-x read and execute permissions but not write.
- Everyone else should also have r-x read and execute permissions but not write.
- For myfile.txt:
- The first permission character is - indicating it is a file.
- You should be the owner and have rw- read-write permissions.
- It is a text file, not an executable program file, so it should not have executable permission.
- Staff should be the group and have r-- read only access.
- Everyone else should also have r-- read only access.
To traverse a directory, the class must have execute permission
- Even though temp and myfile.txt give read permissions to the Staff group and Others (Everyone), they are inside the Desktop directory, which we saw above gives execute access only to the directory owner. As such, only the owner can access items inside the Desktop directory. Even though we granted Staff or Everyone read access, it has no effect.
- What a user can do is move Temp and myfile.txt directly under the Home directory.
- The Home directory, and all its ancestors, do give execute permissions to Staff and Others.
- You can confirm that with the following commands and their results:
- ls -ld / Gets permissions for the root directory.
- ls -ld /Users Gets permissions for the /Users directory.
- ls -ld ~ Gets permissions for the home directory.
- ls -ld ~/Desktop Gets permissions for the user's Desktop directory.
- ls -ld ~/Desktop/temp Gets permissions for the temp directory we created.
The below table summarizes the results cascaded down from the root of the directory tree.
The last column states whether the group and others can actually traverse into the directory, taking every ancestor on the path into account:
Permissions | ownerName | groupName | file/dir name | Traverse Permission? |
---|---|---|---|---|
drwxr-xr-x | root | wheel | / | Yes |
drwxr-xr-x | root | admin | /Users | Yes |
drwxr-xr-x | my-username | staff | /Users/my-username | Yes |
drwx------ | my-username | staff | /Users/my-username/Desktop | No |
drwxr-xr-x | my-username | staff | /Users/my-username/Desktop/temp | No |
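The cascade shown in the table (and the note earlier that execute permission on a directory is what gates traversal) can be checked with a script. This is an added example, not part of the tutorial: it reads the Others class's execute bit from ls -ld for a base directory and every directory below it on a relative path, and the demo builds a constructed tree (base/Desktop set to 700, base/Desktop/temp set to 755) that mirrors ~/Desktop/temp.

```shell
#!/bin/sh
# Does the "others" class have execute (traverse) permission on one directory?
# Reads character 10 of the ls -l permission field: x (or t) means traversable.
others_can_traverse() {
  bit=$(ls -ld "$1" | cut -c10)
  case $bit in x|t) return 0 ;; *) return 1 ;; esac
}

# Walk from the base directory $1 down each component of the relative
# directory path $2, the way the table above cascades from / to ~/Desktop/temp.
# Returns 0 only if others can traverse every directory on the way; otherwise
# prints the first directory that blocks the path and returns 1.
others_can_reach() {
  dir=$1
  rel=$2
  others_can_traverse "$dir" || { printf 'blocked at %s\n' "$dir"; return 1; }
  old_ifs=$IFS
  IFS=/
  set -- $rel
  IFS=$old_ifs
  for part in "$@"; do
    [ -n "$part" ] || continue
    dir="$dir/$part"
    if ! others_can_traverse "$dir"; then
      printf 'blocked at %s (%s)\n' "$dir" "$(ls -ld "$dir" | cut -c1-10)"
      return 1
    fi
  done
  printf 'reachable: %s\n' "$dir"
}

# Demo on a constructed tree mirroring the tutorial: base is 755, base/Desktop
# is 700 (like ~/Desktop) and base/Desktop/temp is 755 (like temp).
demo=$(mktemp -d)
chmod 755 "$demo"
mkdir -p "$demo/Desktop/temp"
chmod 700 "$demo/Desktop"
chmod 755 "$demo/Desktop/temp"
if ! others_can_reach "$demo" Desktop/temp; then
  echo "temp's own r-x bits do not help: the Desktop ancestor blocks others"
fi
chmod 755 "$demo/Desktop"   # open the ancestor (what moving temp under ~ achieves)
others_can_reach "$demo" Desktop/temp
rm -rf "$demo"
```

The script only reads permission bits, so it gives the same answer whether or not you run it as root, unlike an actual access attempt.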
Permissions for system files
Let's look at the permissions on a system file not under the users directory.
We'll look at the Z Shell executable file that runs the Unix shell program.
It comes preinstalled with MacOS.
If you are not on a Mac you may have a different Unix shell program (e.g., Bash).
It's in a folder under the root directory called bin which holds binary executable files:
/bin/zsh
Let's see the permissions. We'll include the -l long version and -h human readable options.
ls -lh /bin/zsh
Permissions | ownerName | groupName | fileSize | dateModified | file/dir name |
---|---|---|---|---|---|
-rwxr-xr-x | root | wheel | 1.3M | Jul 20 | /bin/zsh |
- The first permission character is - indicating it is a file.
- The owner name is root. Root is the superuser account in Unix. It is a user account for administrative purposes, and typically has the highest access rights on the system.
- The owner has full rwx read, write, and execute permissions.
- The group is Wheel. Wheel is the system administrator group name.
- The Wheel Group and Others have r-x read and execute permissions but not write.
Change Permissions - chmod command
[8:32 Video timestamp]
The permissions for myfile.txt and the temp directory are:
Permissions | ownerName | groupName | fileSize | dateModified | file/dir name |
---|---|---|---|---|---|
drwxr-xr-x | my-username | staff | 0 | Jul 20 | temp |
-rw-r--r-- | my-username | staff | 0 | Jul 20 | myfile.txt |
You can change permission for files and directories from the command line using the chmod command.
The command's first argument is for the permissions mode, followed by one or more files or directories to apply it to.
The mode is a shortcut syntax for assigning rwx permissions to the owner, group, others classes.
Instead of the 3 permission classes containing 3 character positions, we will use one mode number from 0-7 for each class that determines the rwx permissions.
Each mode number is the sum of r=4, w=2, and x=1 for the permissions that are set, so the 3 characters of a class translate as follows:
Mode Numbers: 7=rwx, 6=rw-, 5=r-x, 4=r--, 3=-wx, 2=-w-, 1=--x, 0=---
Temp directory:
Temp Directory | All Classes | Owner | Group | Others |
---|---|---|---|---|
Permissions | rwxr-xr-x | rwx | r-x | r-x |
Modes | 755 | 7 | 5 | 5 |
Myfile.txt:
myfile.txt | All Classes | Owner | Group | Others |
---|---|---|---|---|
Permissions | rw-r--r-- | rw- | r-- | r-- |
Modes | 644 | 6 | 4 | 4 |
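The translation between the rwx string and the three-digit mode, written out as shell functions. This is an added example, not code from the tutorial: perms_to_mode and mode_to_perms are names chosen here, the demo directory is a scratch directory created by mktemp, and the special setuid/setgid/sticky bits (not covered by this tutorial) are ignored.

```shell
#!/bin/sh
# Translate between the 9-character rwx string and the 3-digit chmod mode.
# Each class digit is the sum of r=4, w=2, x=1; the special setuid/setgid/sticky
# bits are outside this tutorial and are not handled here.

# One class ("rwx", "r-x", "---", ...) -> its digit.
class_digit() {
  n=0
  case $1 in r??) n=$((n + 4)) ;; esac
  case $1 in ?w?) n=$((n + 2)) ;; esac
  case $1 in ??[xst]) n=$((n + 1)) ;; esac
  printf '%s\n' "$n"
}

# Full string -> mode. Accepts "rwxr-xr-x" or the 10-character field from
# ls -l such as "drwxr-xr-x" (the leading type character is dropped).
perms_to_mode() {
  p=$1
  if [ ${#p} -eq 10 ]; then p=${p#?}; fi
  owner=${p%??????}
  others=${p#??????}
  group=$(printf '%s' "$p" | cut -c4-6)
  printf '%s%s%s\n' "$(class_digit "$owner")" "$(class_digit "$group")" "$(class_digit "$others")"
}

# One digit -> its class string (the 7=rwx ... 0=--- table above).
digit_to_class() {
  case $1 in
    7) printf '%s\n' rwx ;; 6) printf '%s\n' rw- ;; 5) printf '%s\n' r-x ;; 4) printf '%s\n' r-- ;;
    3) printf '%s\n' -wx ;; 2) printf '%s\n' -w- ;; 1) printf '%s\n' --x ;; 0) printf '%s\n' --- ;;
    *) printf 'bad digit: %s\n' "$1" >&2; return 1 ;;
  esac
}

# Mode -> full string, e.g. 644 -> rw-r--r--.
mode_to_perms() {
  m=$1
  if [ ${#m} -ne 3 ]; then printf 'expected three digits, got %s\n' "$m" >&2; return 1; fi
  printf '%s%s%s\n' "$(digit_to_class "${m%??}")" \
    "$(digit_to_class "$(printf '%s' "$m" | cut -c2)")" "$(digit_to_class "${m#??}")"
}

# Current permission field of a path, as the first column of ls -l prints it.
current_perms() { ls -ld "$1" | cut -c1-10; }

# Demo: chmod 700 a scratch directory (as the tutorial does to temp) and read it back.
scratch=$(mktemp -d)
chmod 700 "$scratch"
printf '%s -> %s\n' "$(current_perms "$scratch")" "$(perms_to_mode "$(current_perms "$scratch")")"  # drwx------ -> 700
rmdir "$scratch"
```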
Now change permissions for the temp directory itself but not its contents:
We will change it so the owner has full read-write-execute permissions but the group and others have no permissions: rwx------
- The mode for rwx------ is 700.
- This is the de facto permission anyway, because the Desktop directory did not give execute permission to Group or Others.
- Let's move myfile into the temp directory.
mv myfile.txt temp
- List the temp directory's current permissions:
ls -ld temp It should be drwxr-xr-x (the -d option lists the directory itself rather than its contents).
- Then change the permissions with the chmod command:
Chmod takes two or more arguments: the mode, then one or more files or directories to change.
chmod 700 temp
- Then list the new permissions:
ls -ld temp It should be drwx------
- But the contents of the temp folder should not be changed.
List the permissions for temp/myfile.txt:
ls -l temp/myfile.txt It should be unchanged at -rw-r--r--
Add the Recursive option:
- To change the permissions of a directory and all its contents, add the -R recursive option:
chmod -R 700 temp
- Now check the myfile permissions again.
ls -l temp/myfile.txt It should now be changed to -rwx------
Optionally, change the permissions back to the way they were:
- The temp directory had permissions of 755,
read-write-execute permission (7) for the owner, read and execute permission (5) for the Group and everyone else.
chmod 755 temp
- Myfile.txt had permissions of 644,
Read and write permission (6) for the owner, read only permission (4) for the group and everyone else.
chmod 644 temp/myfile.txt
Change Ownership
[12:22 Video timestamp]
User File and directory ownership:
Under the root directory there is a directory named Users, which has directories for each registered user on that machine. For a personal computer there is probably just one user, and there may also be a directory named Shared.
/Users/my-username
This is the user's Home directory.
For files and directories under the Home directory the owner and group are:
- Owner: The signed in user. The owner has full read, write, execute access.
- Group: The default user group for all users on the computer or network. On Mac it's Staff.
- At the Home level, the group has read and execute, but not write access.
- At the default subdirectories (e.g., Desktop, Documents, Downloads) level, Group has no access.
System File and directory ownership:
Files and directories outside the Users directory are system files.
Let's check the root directory:
ls -ld /
- The root directory holds system files and subdirectories not meant to be accessed directly by the user.
- The owner is: Root, which is the system administrator user. The Owner has full rwx permissions.
- The group is Wheel, which is the system administrator group. Root is the only member of the wheel group. The group, and all others have read and execute permissions but not write.
Earlier we listed the Unix shell's executable file in /bin/zsh and got the same result.
Commands to Change Ownership:
[13:18 Video timestamp]
For a personal computer, you will probably be the only user. As such there is no need to change ownership.
If the computer is a network server with many users, then the network administrator would need to change permissions, ownership, and groups for files and directories.
Since you are most likely on a personal computer, we won't change ownership in this tutorial, but if you did, the command to change owner is:
- chown username path Changes the owner for the given path (file or directory).
- chown username:groupname path Changes the owner and group for the given path.
- chown -R username directory Changes directory owner and its children recursively.
[13:40 Video timestamp]
The command to change group is:
chgrp groupname path Changes the group ownership of the given path (file or directory).
Sudo
[13:58 Video timestamp]
Check which groups you belong to:
groups
If one of the groups is admin then you are an administrator and can use sudo to run commands as the superuser.
If this is your personal computer, you would have been made an admin user when you first set up the computer.
While using the command line you may get a permission error when trying to execute a command.
You can try prefacing the command with sudo. Then enter your password when prompted.
sudo command
Sudo is a program for Unix-like operating systems that enables users to run programs with the security privileges of another user, by default the superuser.
Sudo originally stood for "superuser do" before it could be used to run commands as other users. Now it stands for "substitute user, do".
Mac Finder App
If you are on a Mac, you can view permissions, owners and groups with the Finder app.
Open Finder, right click on a file or directory, then select Get Info.
It will open a window that displays the permissions, owner, group, and other information.
Everything is the same as we saw from the command line, except the Root user in the Finder app is named System.
If you have the correct permissions you can make changes in the Info window.
View hidden files:
In Unix, system file names begin with a dot. These files are hidden in Finder by default.
To view the hidden files, press Command+Shift+. (period).