System Grab Bag

Unix Permissions Calculator

Mode 000 is ---------

Representations

Type               Representation
Octal              000
File Mask (Octal)  777
String             ---------
Binary             000000000
Decimal            0
C (sys/stat.h)     (none; mode 000 sets no bits)

Permissions Overview

Unix systems, at their most basic level, use file modes: three bits determining whether someone can read, write, or execute (for directories, traverse) a file or directory. A separate set of these three bits applies to each of the file's owner, the file's group, and everyone else.

The most common representations are octal (base 8) notation and a binary-like string such as rwxrwxrwx, which shows the individual permission bits in the order user, group, then everyone else.

Newer systems may use access control lists in addition to, or instead of, file mode bits. These come in a few different flavors. So-called "POSIX" ACLs use and extend the rwx model for more fine-grained permissions; NFSv4 also has its own flavor of access control list.

Read (r)

The permissions you've selected above deny the file owner, deny the group, and deny everyone else the ability to read from a particular file or directory.

Read permissions allow, as the name implies, one to read the contents of a file or view a list of filenames in a directory.

Write (w)

The permissions you've selected above deny the file owner, deny the group, and deny everyone else the ability to write to a particular file or directory.

Write permissions allow users to write to a particular file, which includes overwriting its existing contents. Write permission on a directory allows users to add or delete files in the directory (although a user with write permission on a file alone can already empty it by overwriting or truncating it, without any write permission on the directory).

Execute (x)

The permissions you've selected above deny the file owner, deny the group, and deny everyone else the ability to execute a particular file or traverse a particular directory.

Execute permissions allow a user to invoke an application directly (even without this permission, scripts in interpreted languages like shell, Python, or Perl can usually still be run by invoking the interpreter on the script instead). On directories, the execute bit behaves a bit differently: if granted, a user is allowed to access files and directories nested below this directory, even if they can't read (list) the directory itself. A simple example:

| /        (rwx-----x)
| | /dir1/ (rwx---r-x)

All users on the system can read the contents of /dir1/, even though they can't read the contents of / directly.

Some executables may display s where x would be displayed. This indicates that the setuid bit (in the user position) or the setgid bit (in the group position) is set on the file, which is used by some utilities that need to run with elevated privileges (for example, `passwd` needs to be able to change a user's password).

What file mode should a file or directory be set at?

General Advice

What file mode a file or directory should be set at will vary greatly depending on the nature of the files or directories and the sensitivity of the data. The most general advice that can be given is to very rarely (or never) use 777 (rwxrwxrwx), as this lets anyone who has an account on the system read, write, or execute the file. Mode 666 (rw-rw-rw-) has similar characteristics (but denies execution).

This is particularly problematic if a program (such as a web server or application) allows execution of some code on a server or the ability to browse files. If a malicious user is able to run attacker-controlled code on the server, files with overly permissive modes could let that code damage other parts of the system.

In general, the best advice is to follow the principle of least privilege, that is, don't allow any more access than is needed to complete a task. A web server, for example, may run under a user account that creates files with a mode of 600 (rw-------), allowing itself but no one else to read or modify the file, while also denying direct execution.

Note that for directories, as mentioned in the execute bit overview, execute functions as a "traverse" permission.

Personal shell scripts tend to use 700 (rwx------), as this allows them to be executed conveniently. For personal data that is unlikely to change, a mode which restricts writing (such as 400 (r--------)) may help to prevent accidental overwrites, although it will not help if a malicious user gains control of the account, since they would usually be able to change the mode of files they own.

SSH Authorized Keys

Use 600 (rw-------) or 400 (r--------). Many SSH servers will not process keys if the home directory, the .ssh subdirectory, or the .ssh/authorized_keys file is writable by group or others (i.e. they must be writable by the owner only). These servers generally accept public keys that are readable by others; however, there is often little reason to leave even public keys visible to others.

Table

Octal  Binary  Text  Meaning
0      000     ---   No Permissions
1      001     --x   Execute
2      010     -w-   Write
3      011     -wx   Write and Execute (2 + 1)
4      100     r--   Read
5      101     r-x   Read and Execute (4 + 1)
6      110     rw-   Read and Write (4 + 2)
7      111     rwx   All Permissions
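As an added example (not part of the original page), the conversions the calculator performs between its Octal, String and C (sys/stat.h) representations, written in C against the real sys/stat.h flag names. It also handles the s/S and t/T display of setuid, setgid and sticky from the Execute section, which the three-bit table above does not cover. Function names are my own.

```c
#define _XOPEN_SOURCE 700   /* makes S_ISVTX visible on strict compilers */
#include <string.h>
#include <sys/stat.h>

/* Render a mode as the 9-char rwx string ls -l shows. setuid, setgid and
   sticky overlay the execute columns as s/S and t/T (upper case when the
   execute bit itself is clear). Returns a static buffer; copy before reuse. */
const char *mode_to_string(mode_t m) {
    static char out[10];
    const char *rwx = "rwxrwxrwx";
    for (int i = 0; i < 9; i++)
        out[i] = (m & (0400 >> i)) ? rwx[i] : '-';   /* bits 0400, 0200 ... 01 */
    if (m & S_ISUID) out[2] = (m & S_IXUSR) ? 's' : 'S';
    if (m & S_ISGID) out[5] = (m & S_IXGRP) ? 's' : 'S';
    if (m & S_ISVTX) out[8] = (m & S_IXOTH) ? 't' : 'T';
    out[9] = '\0';
    return out;
}

/* Parse an rwx string (optionally with s/S/t/T) back into a mode. Returns -1
   on malformed input so a caller can refuse it instead of applying a wrong mode. */
int string_to_mode(const char *s) {
    const char *rwx = "rwxrwxrwx";
    mode_t m = 0;
    if (strlen(s) != 9) return -1;
    for (int i = 0; i < 9; i++) {
        char c = s[i];
        if (c == '-') continue;
        if (c == rwx[i]) { m |= 0400 >> i; continue; }
        if (i == 2 && (c == 's' || c == 'S')) { m |= S_ISUID | (c == 's' ? S_IXUSR : 0); continue; }
        if (i == 5 && (c == 's' || c == 'S')) { m |= S_ISGID | (c == 's' ? S_IXGRP : 0); continue; }
        if (i == 8 && (c == 't' || c == 'T')) { m |= S_ISVTX | (c == 't' ? S_IXOTH : 0); continue; }
        return -1;                                  /* e.g. 'w' in a read column */
    }
    return (int)m;
}

/* Spell a mode as the sys/stat.h expression of the calculator's C row,
   e.g. 0644 -> "S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH" (empty string for 000). */
const char *mode_to_c_expr(mode_t m) {
    static const struct { mode_t bit; const char *name; } f[] = {
        {S_ISUID,"S_ISUID"},{S_ISGID,"S_ISGID"},{S_ISVTX,"S_ISVTX"},
        {S_IRUSR,"S_IRUSR"},{S_IWUSR,"S_IWUSR"},{S_IXUSR,"S_IXUSR"},
        {S_IRGRP,"S_IRGRP"},{S_IWGRP,"S_IWGRP"},{S_IXGRP,"S_IXGRP"},
        {S_IROTH,"S_IROTH"},{S_IWOTH,"S_IWOTH"},{S_IXOTH,"S_IXOTH"}};
    static char buf[128];   /* 12 names of 7 chars plus separators fit easily */
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof f / sizeof f[0]; i++)
        if (m & f[i].bit) { if (buf[0]) strcat(buf, " | "); strcat(buf, f[i].name); }
    return buf;
}
```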
