Understanding File Permissions
What are UNIX file permissions, and how do you set them? This tutorial explains it all.
One of the hardest things for the beginner webmaster to get to grips with is how to use
chmod correctly to set permissions on files on UNIX and Linux web servers. You need to set the correct permissions on CGI scripts when you install them, to stop those dreaded "500 Server Error" messages.
In this tutorial, we're going to explain the concept of permissions, and show you how to set permissions using your FTP program or via Telnet.
What are permissions?
On a UNIX web server, every single file and folder stored on the hard drive has a set of permissions associated with it, which says who is allowed to do what with the file. Every file (and folder) also has an "owner" and a "group" associated with it. If you created the file, then you are usually the owner of that file, and your group, or the group associated with the folder you created the file in, will usually be associated with that file.
Who can do stuff?
There are three types of people that can do stuff to files - the Owner of the file, anyone in the Group that the file belongs to, and Others (everyone else). In UNIX, these 3 types of people are referred to using the letters U (for Owner, or User in UNIX-speak!), G (for Group), and O (for Others).
What stuff can you do?
There are three basic things that can be done to files or folders:
- You can read the file. For folders, this means listing the contents of the folder.
- You can write to (change) the file. For folders, this means creating and deleting files in the folder.
- You can execute (run) the file, if it's a program or script. For folders, this means accessing files in the folder.
What do all these funny letters and numbers mean?!
That's the basics of permissions covered. As you can see, there's not much to them really!
The confusion often occurs when you have to start actually setting permissions on your file server. CGI scripts will tell you to do things like "chmod 755" or "Check that the file is executable". Also, when you use FTP or SSH, you'll see lots of funny letters next to the files (such as
rwxrw-rw-). We'll now explain what all these hieroglyphics mean!
When you FTP to your web server, you'll probably see something like this next to every file and folder:
This string of letters,
drwxrwxrwx, represents the permissions that are set for this folder. (Note that these are often called attributes by FTP programs.) Let's explain what each of these letters means:
As you can see, the string of letters breaks down into 3 sections of 3 letters each, representing each of the types of users (the owner, members of the group, and everyone else). There is also a "d" attribute on the left, which tells us if this is a file or a directory (folder).
If any of these letters is replaced with a hyphen (-), it means that permission is not granted. For example:
- A folder which has read, write and execute permissions for the owner, but only read and execute permissions for the group and for other users.
- A file that can be read and written by anyone, but not executed at all.
- A file that can be read and written by the user, but only read by the group and everyone else.
Using numbers instead of letters
As we said earlier, you'll often be asked to do things using numbers, such as "set 755 permissions". What do those numbers mean?
Well, each of the three numbers corresponds to each of the three sections of letters we referred to earlier. In other words, the first number determines the owner permissions, the second number determines the group permissions, and the third number determines the other permissions.
Each number can have one of eight values ranging from 0 to 7. Each value corresponds to a certain setting of the read, write and execute permissions, as explained in this table:
|Number||Read (R)||Write (W)||Execute (X)|
So, for example:
777 is the same as
755 is the same as
666 is the same as
744 is the same as
The two most common ways to set permissions on your files and folders is with FTP or SSH. Let's take a look at FTP first.
Setting permissions with FTP
Your FTP program will probably allow you to set permissions on your files by selecting the file (in the remote window) and either right-clicking on it and selecting an option such as CHMOD or Set permissions, or by selecting CHMOD / Set permissions from a menu option.
Once you've selected the appropriate menu option, you'll probably see a dialog box similar to the following (this is from CuteFTP for Windows):
As you can see, it's pretty easy to set or un-set read, write and execute permissions for the owner, group and others using the check boxes. Alternatively, you can type in the equivalent 3-digit number, if you know it (see the previous section). Easy!
Setting permissions with SSH
The other common way to set permissions on your files is using SSH (or a standard shell if you're actually sitting at your Web server). This is generally quicker if you want to change lots of files at once (e.g. change all .cgi files in a folder to have execute permission), but is a bit more fiddly for the beginner.
Once you've SSHed to your server and logged in, change to the folder containing the files you want to change, e.g.:cd mysite/cgi-bin
You can then use the command
chmod to set permissions on your files and folders. You can use the number notation described above, or you can use an easier-to-remember letter-based system.
Using number notation
To set permissions with numbers, use the following syntax:chmod nnn filename
where nnn is the 3-digit number representing the permissions, and filename is the file you want to change. For example:chmod 755 formmail.cgi
will assign read, write and execute permission to the owner, and just read and execute permission to everyone else, on the script called
Using letter notation
You can use the letters
g (group) and
o (other) to set permissions for each of the user types, and
w (write) and
x (execute) to represent the permissions to set.
You can also use
a instead of u, g, and o, to mean all users (u,g,o).
You assign permissions using either the plus sign (
+), which means "add these permissions", the minus sign (
-), which means "remove these permissions", or the equals sign (
=), which means "change the permissions to exactly these".
chmod a+x formmail.cgi adds execute permissions for all users to the file
formmail.cgi (in other words, makes the file executable).
chmod u=rwx formmail.cgi sets read, write and execute permission just for the owner (the permissions for the group and for others remain unchanged).
chmod go-w formmail.cgi removes write permission for the group and for others, leaving the permissions for the owner unchanged.
Checking your permissions
You can check the permissions on all files and folders in the current directory by using the command:ls -l
This will show you the permissions for every file and folder, in the same way as your FTP program does.
Responses to this article
8 responses (oldest first):
This post is wonderful. I usually do not read whole post/ Tutorial's / HowTo's on blogs however the preciseness and simplicity of the post made me read the whole post and actually understand the topic quite well (now just need to practically do it).
I wasn't going to sign up but the quality of the posts basically the whole site compelled me to sign up.
Thanks for making Internet better with your presence.
EXAMPLE: I found your post after Googling: ftp "file attributes" for web folders.
MY PROBLEM: I wish to make a web folder available to all my clients ONLY for the purpose of them being able to download a zipped file (bundle of AntiVirus fixes).
How would you go about this? Is it not the correct use of folder permissions?
WHAT I'VE TRIED:
I've set the folder "/AV" to 444 i.e.'Read permission only' for Owner, Group and Public. Yet, I am unable to view the folder at my domain now?! How much do I need to set in order for you and other to be able to goto mywebsite.com/AV and view&download the zip file.
Thank in anticipation of your reply.
Steve Walters. Small Business Helper Limited.
[Edited by sbusinesshelper on 11-May-11 14:02]
You can set the file(s) within the folder to 644.
You pretty much always want to keep read/write permissions for the owner on files, and read/write/execute permissions for the owner on folders.
[Edited by ESHWOR KC on 01-Jul-13 08:14]
Post a response
Want to add a comment, or ask a question about this article? Post a response.
To post responses you need to be a member. Not a member yet? Signing up is free, easy and only takes a minute. Sign up now.