System Grab Bag

Unix Permissions Calculator

Mode 631 is rw--wx--x

User Group Other

Representations

Type Representation
Octal 631
File Mask (Octal) 146
String rw--wx--x
Binary 110011001
Decimal 409
C (sys/stat.h) S_IRUSR | S_IWUSR | S_IWGRP | S_IXGRP | S_IXOTH

Permissions Overview

Unix systems, at their most basic level, tend to use file modes. Three bits determining whether someone can read, write, or execute (traverse on directories) a file or directory. These apply to both the file's owner, the file's group, and everyone else.

The most common representation is in octal (base 8) notation or as a binary-like string such as rwxrwxrwx which show the individual permission bits in the order user, group, then everyone else.

Newer systems may use access control lists in addition to, or instead of file mode bits. These come in one of a few different flavors. So-called "POSIX" ACLs use and extend the rwx model for more fine grained permissions. NFSv4 also has a flavor of access control lists.

Read (r)

The permissions you've selected above allow the file owner, deny the group, and deny everyone else the ability to read from a particular file or directory.

Read permissions allow, as the name implies, one to read the contents of a file or view a list of filenames in a directory.

Write (w)

The permissions you've selected above allow the file owner, allow the group, and deny everyone else the ability to write to a particular file or directory.

Write permissions allow users to write to a particular file. This also allows a user to overwrite the contents of a file. Write permissions on a directory allow users to add or delete files from the directory (although users are able to remove any contents quite easily with solely write permissions on a file).

Execute (x)

The permissions you've selected above deny the file owner, allow the group, and allow everyone else the ability to execute a particular file or traverse a particular directory.

Execute permissions allow a user to invoke an application directly (even without this permission, interpreted languages like Shell, Python, or Perl are likely to be able to still run scripts if the interpreter is invoked instead). On directories, the execute bit behaves a bit differently. If granted, they are allowed to access directories which are nested below this directory, even if they can't read the directory itself. A simple example:

| /        (rwx-----x)
| | /dir1/ (rwx---r-x)

All users on the system can read the contents of /dir1/, even though they can't read the contents of / directly.

Some executables may display s where x is displayed. This indicates that the setuid (for users) or setgid bit is set on the file, which is used by some utilities that need to elevate their permissions (for example `passwd` needs to be able to change a user's password).

What file mode should a file or directory be set at?

General Advice

What file mode a file or directory should be set at is going to vary greatly depending on the nature of the files or directories, the sensitivity of the data. The most general advice that can be given is to very rarely (or never) use 777 (rwxrwxrwx), as this lets anyone and everyone who has an account to read, write, or execute a particular file. Mode 666 (rw-rw-rw-) has similar characteristics (but denies execution).

This is particularly problematic if a program (such as a web server or application) allows execution of some code on a server or the ability to browse a file. If a malicious user is able to get access to run attacker-controlled code on a server, files with improper permissions set could damage other parts of the system.

In general, the best advice is to follow a principle of least privilege, that is, don't allow any more access than needed to complete a task. A web server for example may have a user account who creates files with a mode of 600 (rw-------), allowing itself but no one else to modify the file, but also to deny direct execution.

Note that for directories, as mentioned in the execute bit overview, execute functions as a "traverse" permission.

Personal shell scripts may tend to use 700 (rwx------), as this allows them to be conveniently executed. For personal data that is unlikely to change, a mode which restricts writing (such as 400 (r--------)) may help to prevent accidental overwrites of data, although will not help if a malicious user gains control of the account, since they would often be able to change the file mode on files they own.

SSH Authorized Keys

Use 600 (rw-------) or 400 (r--------). Many SSH servers do not process keys if the contents of the home directory, the .ssh subdirectory or the .ssh/authorized_keys file is writable by group or others (i.e. owner only). These generally will accept public keys that are readable by others, however there is often little reason to leave even public keys visible to others.

Table

Octal Binary Text Meaning
0 000 --- No Permissions
1 001 --x Execute
2 010 -w- Write
3 011 -wx Write and Execute (2 + 1)
4 100 r-- Read
5 101 r-x Read and Execute (4 + 1)
6 110 rw- Read and Write (4 + 2)
7 111 rwx All Permissions

List of All Modes

000 001 002 003 004 005 006 007
010 011 012 013 014 015 016 017
020 021 022 023 024 025 026 027
030 031 032 033 034 035 036 037
040 041 042 043 044 045 046 047
050 051 052 053 054 055 056 057
060 061 062 063 064 065 066 067
070 071 072 073 074 075 076 077
100 101 102 103 104 105 106 107
110 111 112 113 114 115 116 117
120 121 122 123 124 125 126 127
130 131 132 133 134 135 136 137
140 141 142 143 144 145 146 147
150 151 152 153 154 155 156 157
160 161 162 163 164 165 166 167
170 171 172 173 174 175 176 177
200 201 202 203 204 205 206 207
210 211 212 213 214 215 216 217
220 221 222 223 224 225 226 227
230 231 232 233 234 235 236 237
240 241 242 243 244 245 246 247
250 251 252 253 254 255 256 257
260 261 262 263 264 265 266 267
270 271 272 273 274 275 276 277
300 301 302 303 304 305 306 307
310 311 312 313 314 315 316 317
320 321 322 323 324 325 326 327
330 331 332 333 334 335 336 337
340 341 342 343 344 345 346 347
350 351 352 353 354 355 356 357
360 361 362 363 364 365 366 367
370 371 372 373 374 375 376 377
400 401 402 403 404 405 406 407
410 411 412 413 414 415 416 417
420 421 422 423 424 425 426 427
430 431 432 433 434 435 436 437
440 441 442 443 444 445 446 447
450 451 452 453 454 455 456 457
460 461 462 463 464 465 466 467
470 471 472 473 474 475 476 477
500 501 502 503 504 505 506 507
510 511 512 513 514 515 516 517
520 521 522 523 524 525 526 527
530 531 532 533 534 535 536 537
540 541 542 543 544 545 546 547
550 551 552 553 554 555 556 557
560 561 562 563 564 565 566 567
570 571 572 573 574 575 576 577
600 601 602 603 604 605 606 607
610 611 612 613 614 615 616 617
620 621 622 623 624 625 626 627
630 631 632 633 634 635 636 637
640 641 642 643 644 645 646 647
650 651 652 653 654 655 656 657
660 661 662 663 664 665 666 667
670 671 672 673 674 675 676 677
700 701 702 703 704 705 706 707
710 711 712 713 714 715 716 717
720 721 722 723 724 725 726 727
730 731 732 733 734 735 736 737
740 741 742 743 744 745 746 747
750 751 752 753 754 755 756 757
760 761 762 763 764 765 766 767
770 771 772 773 774 775 776 777