drh.net - Hosting Technical Support

		DRH Internet Inc. Website hosting technical support library

What's the deal with unix permissions?

The important thing to know about UNIX permissions is this: each file is "owned" by a user and not every user can access every file.

Not too hard, eh? However, this is a big departure from the world of Dos, Windows 98, or MAC where there might have been different "users" on the machine but everyone could access every file. The only difference between these "users" was what desktop theme that got loaded.

Unix is different. It was designed to be a multi-user system where security is important.

More about users and permissions

Each web hosting account that we setup at DRH has its own unix user. This is the username that you specified when the account was setup and that you connect with using FTP.

Each file that you create is owned as your user, and has specific permissions on what you and other users in the system can do with it. By default, your files are created so that you can read and write them, but everyone else can just read them.

There are three "rights" that can be granted for each file: the right to "read" a file, to "write" a file, and to "execute" a file (if it is a program). Each of these rights can be granted to the "user" (that's you, the owner of the file), the "group" (that's everyone else on the system, we don't use groups) and "other" (that's also everyone else on the system).

When you are logged in via telnet and use the "dir" command, you see a symbolic representation of the permissions of each file. (These representations of the permissions have been bolded below.)

[snoik@w2 permshow]$ dir
total 16
-rw-r--r--   1 snoik    web     843 Aug 28 19:01 index.html
-rwxr-xr-x   1 snoik    web     804 Aug 28 19:01 whois.cgi

Now let me explain. First, you can see that both files, index.html and whois.cgi, are owned by the user "snoik" and the group "web". This is because the username for this account is snoik and all web hosting files will be in the web group.

For the first file, index.html, you can see from the red rw- letters that the file can be read ("r") and written ("w") by the user. The blue r-- shows that the group can only read ("r") the file. And the green r-- shows that everyone else ("other") can only read ("r") the file.

Basically each grantee ("user", "group", or "other") has three letters that show what accesses they were granted: "r" for read, "w" for write, and "x" for execute. If the grantee was not granted that access a dash is shown.

It then follows that for the second file, whois.cgi, you can see that rwxr-xr-x signifies that the file can be read, written, and executed by the owner ("user"), and read and executed by everyone else ("group" and "other").

You should also be able to recognize the following permissions:

-rw-rw-rw-   1 snoik    web     804 Aug 28 19:01 data.txt

This file has permissions such that everyone on the system and read and write it. This is insecure because other users (who you probably don't trust) can modify your file.

When do I use this?

Normally you don't have to bother at all with permissions. The default of "everyone can read, but only I can write" (rw-r--r--) is what you want.

When you have a CGI script you must specify that it can be executed by granting everyone execute permission (rwxr-xr-x).

Permissions mainly come into play when you use CGI scripts. The next section explains this.

Permissions and CGI scripts

There are two important things to know about permissions and CGI scripts.

First, the CGI script must be set so that it can be executed. Do this by granting everyone execute permission (rwxr-xr-x). Do this with the unix command "chmod 755 filename".

The second thing to know is that, by default, the CGI script does not run as your username so it can't modify your files.

Many CGI scripts need to modify a file on your system, such as a guestbook program which stores user information in a file. By default a CGI script can't do this because the CGI script runs as another user and that user does not have write permission on your files (unless you explicitly give it).

There are two ways to enable a CGI script to be able to modify your files: (1) make the CGI script run as your username by renaming it from ".cgi" to ".cgi-set", or (2) give everyone permission to modify the file that needs to be modified by the CGI script, by setting the permissions to rw-rw-rw-.

The second option is not secure, since anyone can modify that file. We recommend you use option one.

For more information about the .cgi-set extension, see the following page in the support library:
Our proprietary .cgi-set enhancement

How to modify permissions

Modify permissions of files from telnet using the chmod command.

The chmod command is called with an octal number which represents the permissions to be set and then a list of files to change. This looks like "chmod 755 whois.cgi" which sets the permissions for whois.cgi to 755. (Chmod can also be called with a symbolic permission code, but we don't go into that here.)

Here is a lookup table for the common permissions to their octal codes:

Permission Octal code Meaning

rw-r--r-- 644 The owner can read and write the file, everyone else can just read the file. This is the default permissions for a new file that is created.

rwxr-xr-x 755 The owner can read, write, and execute the file. Everyone else can read and execute the file. This is what the permissions for a CGI script should be.

rw-rw-rw- 666 Everyone can read and write the file. (insecure)

rw------- 600 The user can read and write the file, but no one else can read or write it. Use this to make a file secret.

Learn more about the chmod command by typing "man chmod" at a telnet prompt for the manual page.