Every directory and file on the system has an owner, and also an associated group. It also has a set of permission flags which specify separate read, write and execute permissions for the 'user' (owner), 'group', and 'other' (everyone else with an account on the computer) The 'ls' command shows the permissions and group associated with files when used with the -l option. On some systems (e.g. Coos), the '-g' option is also needed to see the group information.
An example of the output produced by 'ls -l' is shown below.
drwx------ 2 richard staff 2048 Jan 2 1997 private drwxrws--- 2 richard staff 2048 Jan 2 1997 admin -rw-rw---- 2 richard staff 12040 Aug 20 1996 admin/userinfo drwxr-xr-x 3 richard user 2048 May 13 09:27 publicUnderstanding how to read this output is useful to all unix users, but especially people using group access permissions.
Field 1:   a set of ten permission flags.
Field 2:   link count (don't worry about this)
Field 3:   owner of the file
Field 4:   associated group for the file
Field 5:   size in bytes
Field 6-8: date of last modification (format varies, but always 3 fields)
Field 9:   name of file (possibly with path, depending on how ls was called)
The permission flags are read as follows (left to right)
|1||directory flag, 'd' if a directory, '-' if a normal file, something else occasionally may appear here for special devices.|
|2,3,4||read, write, execute permission for User (Owner) of file|
|5,6,7||read, write, execute permission for Group|
|8,9,10||read, write, execute permission for Other|
|-||in any position means that flag is not set|
|r||file is readable by owner, group or other|
|w||file is writeable. On a directory, write access means you can add or delete files|
|x||file is executable (only for programs and shell scripts - not useful for data files). Execute permission on a directory means you can list the files in that directory|
|s||in the place where 'x' would normally go is called the set-UID or set-groupID flag.|
On an executable program with set-UID or set-groupID, that program runs with the effective permissions of its owner or group.
|For a directory, the set-groupID flag means that all files created inside that directory will inherit the group of the directory. Without this flag, a file takes on the primary group of the user creating the file. This property is important to people trying to maintain a directory as group accessible. The subdirectories also inherit the set-groupID property.|
Typically the default configuration is equivalent to typing 'umask 22' which produces permissions of:
-rw-r--r-- for regular files, or drwxr-xr-x for directories.In other words, user has full access, everyone else (group and other) has read access to files, lookup access to directories.
When working with group-access files and directories, it is common to use 'umask 2' which produces permissions of:
-rw-rw-r-- for regular files, or drwxrwxr-x for directories.For private work, use 'umask 77' which produces permissions:
-rw------- for regular files, or drwx------ for directories.The logic behind the number given to umask is not intuitive.
The command to change the permission flags is "chmod". Only the owner of a file can change its permissions.
The command to change the group of a file is "chgrp". Only the owner of a file can change its group, and can only change it to a group of which he is a member.
See the online manual pages for details of these commands on any particular system (e.g. "man chmod").
Examples of typical useage are given below:
chmod g+w myfile
chmod g-rw myfile
chmod g+rwxs mydir
chmod u=rw,go= privatefile
chmod -R g+rw .
chgrp -R medi .
Putting 'umask 2' into a startup file (.login or .cshrc) will make these settings apply to everything you do unless manually changed. This can lead to giving group access to files such as saved email in your home directory, which is generally not desireable.
Making a file group read/write without checking what its group is can lead to accidentally giving access to almost everyone on the system. Normally all users are members of some default group such as "users", as well as being members of specific project-oriented groups. Don't give group access to "users" when you intended some other group.
Remember that to read a file, you need execute access to the directory it is in AND read access to the file itself. To write a file, your need execute access to the directory AND write access to the file. To create new files or delete files, you need write access to the directory. You also need execute access to all parent directories back to the root. Group access will break if a parent directory is made completely private.
For details see the man pages for: fs_setacl, fs_listacl, fs_cleanacl, fs_copyacl
For brief help, do (e.g.) "fs help setacl"
The default is to give the same permissions to a new directory as are on the parent directory. In practice, this is usually to give complete rights to the owner of the directory, and lookup rights to any other user (equivalent to execute attribute on a directory).
To render a directory private, the simplest command is:
fs setacl -d DIRNAME -clear -a MYNAME all
- replace DIRNAME with the appropriate directory name (or "." for the current directory, and MYNAME with your login name.
Check it with:
fs listacl DIRNAME
It should reply with:
Access list for DIRNAME is Normal rights: USERNAME rlidwka
(see man fs_setacl for a description of the meaning of the flags "rlidwka")
To explicitly give public read/lookup access, use:
fs setacl -d DIRNAME -a system:anyuser read
This can be abbreviated to
fs sa DIRNAME system:anyuser read
If "fs" is not found, or the man pages are not found, your paths are not set up correctly. I recommend you run /usr/local/bin/mknewdotfiles to correct that.