

In the case of myfile, the owner has rw-, which means read and write permissions. This file cannot be executed by typing myfile at the Linux prompt since there is no execute permission. The group permissions are r--, which means that members of the group users can read the file but cannot change it or execute it. Likewise, the permissions for all others are r--, or read-only.

UMASK Settings

When you create a file (such as with redirection), how does Linux know which file permissions to assign? The answer is that a variable called the UMASK (user file creation mask) contains the instructions for every file you create. The system administrator can set the UMASK setting for any user or for the entire set of users on the whole system. You can change your own UMASK setting, but not that of others (unless you are logged in as root).

The value of UMASK can be shown at any time by typing the command umask (lowercase to distinguish it from the environment variable UMASK) at the shell prompt:


$ umask
022

You may have four numbers instead of three, but the first one doesn’t mean anything so simply ignore it. What do the numbers mean? They are a set of octal numbers which indicate the user, group, and other permissions. The valid set of numbers in the umask command are shown in Table 9.1.

Table 9.1. Octal values used by UMASK and their meanings.

Octal number   Permissions granted
------------   -------------------
0              Read and write (and execute for directories)
1              Read and write
2              Read (and execute for directories)
3              Read
4              Write (and execute for directories)
5              Write
6              Execute for directories only
7              No permissions

In the UMASK setting of 022 shown earlier, the simple translation, according to this table, is that the user has read and write permissions (and execute for directories), while group and other have read-only (and execute for directories). For a file, this corresponds to the following permission block:


rw-r--r--

The column regarding execute for directories shows that if you were to create a directory with this UMASK setting, the permissions would include execute (which allows cd to be used to change into that directory). The permission block for a directory created with this set of umask values would be as follows:


rwxr-xr-x

Note that there is no way to automatically assign execute permission to a file using the file creation mask. This was done intentionally so that you, the system administrator, have to manually set the execute permission on a file.

To change your UMASK setting, specify the three new values you want to use. For example, the setting 077 removes all permissions for group and other:


$ umask
0022
$ who > file1
$ ls -l
total 2
-rw-r--r--   1 tparker group     37 May 9 11:18 file1
$ umask 077
$ who > file2
$ ls -l
total 4
-rw-r--r--   1 tparker group     37 May 9 11:18 file1
-rw-------   1 tparker group     37 May 9 11:18 file2

Notice that the permissions of file2 give no access to members of the group or to the other users on the system. Only the owner has access to this file. Your UMASK setting is in effect until you log out.
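The 022 and 077 results above follow one rule, shown here as an added example that is not part of the original text: a new file is requested with mode 666 and a new directory with mode 777, and the bits set in the mask are cleared from that request. The function names and the extra mask 027 are this example's own, and the 666/777 request modes are background knowledge about shell redirection and mkdir rather than something stated on the page.

```shell
#!/bin/sh
# Added example: predict what a umask produces, then verify it on disk.

# Predict the octal modes for a new file and a new directory.
# Rule: requested mode AND NOT mask (666 for files, 777 for directories).
predict_modes() {
    mask=$1
    printf '%03o %03o\n' $(( 0666 & ~0$mask )) $(( 0777 & ~0$mask ))
}

# Create a file (by redirection) and a directory under the given mask and
# report the permission blocks that ls shows for them.
observe_modes() {
    mask=$1
    dir=$(mktemp -d) || return 1
    (
        umask "$mask"        # subshell, so the caller's umask is unchanged
        : > "$dir/file"      # same mechanism as "who > file1"
        mkdir "$dir/subdir"
    )
    f=$(ls -ld "$dir/file" | cut -c1-10)
    d=$(ls -ld "$dir/subdir" | cut -c1-10)
    rm -rf "$dir"
    printf '%s %s\n' "$f" "$d"
}

# 022 and 077 are the masks used in the text; 027 is an extra sample.
for m in 022 027 077; do
    printf 'umask %s: predicted %s, observed %s\n' \
        "$m" "$(predict_modes "$m")" "$(observe_modes "$m")"
done
```

The file column never shows x, whatever the mask, because the request itself (666) contains no execute bit.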

Changing File Permissions

You will probably be happy with the default permissions on your files for a while. Eventually, though, you will want to change them, either to add execute permission to a program that you own (so you can run it) or to let others have better or more restrictive access. To change file permissions, UNIX uses the chmod (change mode of a file) command.

The syntax of the chmod command is


chmod <specification> file

There are two ways to write the permission specification. One uses the numeric coding system for permissions (called absolute setting); the other uses letters (called symbolic setting). The latter is easier to understand, so let’s start with that.

Using symbolic setting of permissions, you specify which of the permissions to change from the four possible sets of u (user), g (group), o (other), or a (all). You can also combine these letters, for example to change just the group and other permissions and leave user alone. This set of letters is followed by a + to add permissions or a - to remove them. This in turn is followed by the permissions to be added or removed, chosen from the letters r (read), w (write), and x (execute), in any combination.

The general syntax of this approach is


chmod [u|g|o][+|-][r|w|x] filename ...

There is no space between the three parts of the symbolic permission section of the command, but there must be a space after chmod and before the filename. A few examples make this a little clearer. To add execute permissions for the group and others, type


chmod go+x myfile

To remove read and write permission from user, group, and other use one of the following commands:


chmod ugo-rw filename

chmod a-rw filename

A few important notes about changing these permissions: Not all systems support a for all. If they don’t, you will have to specify ugo, as shown in the preceding example. You can specify as many files as you want on the command line, either by listing them one after another separated by spaces or by using wildcards. Finally, when you change permissions using this method, it doesn’t matter whether a permission was on or off when the command started because the chmod command overrides those permissions. However, if you don’t specify a particular set of permissions (user, group, or other), those permissions are not touched. For example, look at the following commands:


$ ls -l
total 4
-rwxrwxrwx   1 tparker group     37 May 9 11:18 file1
-rw-------   1 tparker group     37 May 9 11:18 file2
$ chmod go-rw file*
$ ls -l
total 4
-rwx--x--x   1 tparker group     37 May 9 11:18 file1
-rw-------   1 tparker group     37 May 9 11:18 file2
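The same property, that chmod changes only the classes and permissions you name, applied to a clean-up task. This is an added example, not part of the original text: it finds files that group or other can write to and removes only that bit with chmod go-w. The function names, the find tests and the sample files are assumptions of this example.

```shell
#!/bin/sh
# Added example: remove group/other write access across a directory with
# the symbolic form, leaving every other permission bit as it was.

# Print the type character and 9-character permission block of a path.
perm_block() {
    ls -ld "$1" | cut -c1-10
}

# For every regular file under $1 that group or other can write to,
# run "chmod go-w" and print "name: before -> after".
# (Assumes file names without newlines.)
tighten_write() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) -print |
    while IFS= read -r path; do
        before=$(perm_block "$path")
        chmod go-w "$path"
        printf '%s: %s -> %s\n' "${path##*/}" "$before" "$(perm_block "$path")"
    done
}

# Constructed sample tree. Numeric (absolute) modes are used here only to
# put the files into a known starting state.
demo() {
    dir=$(mktemp -d) || return 1
    : > "$dir/script";  chmod 777 "$dir/script"
    : > "$dir/notes";   chmod 664 "$dir/notes"
    : > "$dir/private"; chmod 600 "$dir/private"
    tighten_write "$dir" | LC_ALL=C sort
    rm -rf "$dir"
}

demo
```

The file named private is not listed because it had no group or other write bit to begin with, and script keeps its execute bits for all three classes.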

