# File Permissions

Before we start editing files with the command line, it is useful to understand a little about file permissions. 

> File permissions are rules that dictate who can look at, change, or run a file on a computer. They are used to prevent unauthorised users from taking certain actions. They help improve system security by making sure that only the right people can look at or modify sensitive information, and they also prevent users from accidentally or intentionally messing up or deleting important files.

In short, you may not be able to edit, move or even read a file unless the correct permissions are set, so it is important to understand how to read and change them when necessary.

## Motivation





## File Permissions in Unix-Based Systems (Mac and Linux)

Unix-based systems have a simple but flexible permissions system. For each file, there will be permissions settings for each of three groups: 
- **The Owner**: The person who owns the file
- **The Group**: A group of users that the owner belongs to 
- **The Others**: Everybody else using the computer
 
Each group can have different rules. For example, if you (the owner) had a file which acted as a personal diary, you might let your friends (the group) look at your diary but not write in it, while not letting anyone else (others) even see it. 

> Another related category of user on Unix systems is the *superuser*, also often called *root*. This is a special user account which has full administrative privileges and unrestricted access to all commands, files, and resources on the system.

Unlike regular users who are restricted to making changes within their own directories and files, the root user can read, modify, and delete any file on the system, stop and start services, install and uninstall applications, manage user accounts, and change ownership of files. This makes the root account incredibly powerful, but also potentially dangerous if used improperly.

If you are logged in under a user account, but need to make changes at superuser level, you can do so by using the command [`sudo`](https://xkcd.com/149/), followed by the command-line instruction you wish to execute. You will then be prompted for the password of the root account, to prove that you have permission to use it.

### Types of Permission

For each user group, three types of permissions can be set on a file or directory: `read` (r), `write` (w), and `execute` (x).

- **`read` (r):** The read permission allows a user to list the files in the directory or read the contents of the file
- **`write` (w):** The write permission allows a user to add, remove, or modify files in the directory or modify the contents of the file. Note that write permission on a directory allows the user to delete any file within that directory, regardless of the file's own permissions.
- **`execute` (x):** For a directory, the execute permission allows a user to enter the directory, and access files and directories inside. For a file, it allows the user to run the file as a program or script.

### Setting File Permissions

In Unix systems, file permissions are set using the `chmod` (change mode) command. Permissions can be set in symbolic mode or numeric mode.

#### 1. Symbolic Mode:

The syntax for symbolic mode is `chmod [ugoa][+-=][rwx] filename`.

- The users are represented as:
    - u (user/owner) 
    - g (group)
    - o (others) 
    - a (all: user, group, and others)

- The operations are represented as:
    - \+ (add permission)
    - \- (remove permission)
    - = (set exact permission)

- The permissions are:
    - r (read)
    - w (write) 
    - x (execute)

For example, with the file `myfile.txt`:

- `chmod u=rw,go=r myfile.txt` - user can read and write, group and others can only read
- `chmod a+rwx myfile.txt` - add read, write and execute permissions for everyone
- `chmod u=rwx,g-x,o+r myfile.txt` - user can read, write and execute. Remove execute permission for group, add read permission to others. Note that the clauses are separated by commas with no spaces; a space would make `chmod` treat the next clause as a filename.



#### 2. Numeric Mode:

Alternatively, you can set permissions using numeric mode (also known as octal mode), which uses a three-digit number: one digit each for the owner, the group and others, in that order. Each digit is the sum of: 4 for "read", 2 for "write", and 1 for "execute". A setting of 'read (4), write (2) and execute (1)' would be 7: 4 + 2 + 1.

For example, to set read, write, execute permissions for the owner, read and execute permissions for the group, and read-only for others, you'd use `chmod 754 filename`, while the command `chmod 777 filename` would set it so that anyone can read, write or execute.

Other commonly-used numeric permissions:

- `chmod 600` - owner can read and write, nobody else can do anything to the file
- `chmod 400` - owner can read, nobody else can do anything to the file
- `chmod 700` - owner can read, write and execute, nobody else can do anything to the file


If you need to set permissions on a directory and all of its subfolders, you can use `chmod` with the `-R` flag.
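The commands from this section combined into a small audit script, as an added example that is not part of the original page: it sets modes in both symbolic and numeric form on constructed sample files, reads them back in octal, and uses `find -perm -002` to list files that others can write to before removing that permission recursively. The helper names (`mode_of`, `world_writable`, `tighten`) and the file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: all files are constructed samples in a temporary directory.

# Print a file's permission bits in octal (GNU stat first, BSD/macOS stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# List regular files under a directory that "others" can write to.
world_writable() {
    find "$1" -type f -perm -002
}

# Remove write permission for group and others on everything under a directory.
tighten() {
    chmod -R go-w "$1"
}

demo() {
    dir=$(mktemp -d) || return 1
    touch "$dir/notes.txt" "$dir/script.sh" "$dir/shared.txt" "$dir/diary.txt"

    chmod u=rw,go=r "$dir/notes.txt"        # symbolic mode, same result as 644
    chmod u=rwx,g=rx,o=r "$dir/script.sh"   # symbolic mode, same result as 754
    chmod 777 "$dir/shared.txt"             # anyone can read, write or execute
    chmod 600 "$dir/diary.txt"              # owner only

    for f in notes.txt script.sh shared.txt diary.txt; do
        printf '%-12s %s\n' "$f" "$(mode_of "$dir/$f")"
    done

    echo "world-writable before:"; world_writable "$dir"
    tighten "$dir"
    echo "world-writable after:";  world_writable "$dir"
    printf '%-12s %s\n' shared.txt "$(mode_of "$dir/shared.txt")"

    rm -rf "$dir"
}

demo
```
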



## File Permissions on Windows Machines

Windows uses a more complex *Access Control List* (ACL) system. In addition to basic read, write, and execute permissions, ACLs allow for more granular control over file permissions, including permissions for specific actions like deletion, and can specify permissions for individual users and groups. 

It is therefore harder to give a complete account of the possibilities, but for every file or folder, there is an ACL, which consists of a series of *Access Control Entries* (ACE), each of which describes a set of permissions for that object. 

Types of permissions in the ACL system include:
- **Full control (F):** The user can read, write, execute, and change permissions on the file or directory
- **Modify (M):** The user can read, write, and execute the file or directory, but cannot change its permissions
- **Read & execute (RX):** The user can read and run the file or directory, but cannot modify it
- **Read (R):** The user can only read the file or directory
- **Write (W):** The user can write to the file or directory, but cannot read it
- **Special permissions:** These include more granular control like delete, change owner, etc.



> For Windows machines, even when using Bash for Windows, your operating system is still Windows, so your file permissions will still be ACL rather than Unix-type. The `chmod` command will have no effect. 

Windows file permissions can be modified via the GUI (right-click on a file or folder, select **Properties**, then **Security**).

<p align="center">
    <img src="images/file_permissions.gif"  width="500"/>
</p>

You can also get permissions via the command line in PowerShell using the `Get-Acl` command, and set them with `Set-Acl`.

To display the permissions for an object (i.e. a file or folder):

`(Get-Acl <path/to/file_or_folder>).Access | Format-Table`

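To set a file's permissions, it is necessary to craft a new access rule before applying it with `Set-Acl`. This is relatively long-winded compared to `chmod`, but it does allow for significantly more fine-grained control over permissions. Here is a simple example to set full permissions for all users. This is the ACL counterpart of `chmod 777`, so on real files you would normally name a specific user or group and grant a narrower right such as `Read` or `Modify`: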

```Powershell
# Path to the file you want to modify permissions for
$file = "C:\path\to\your\file.txt"

# Get the current ACL of the file
$acl = Get-Acl $file

# Create a new access rule
$permission = "Everyone","FullControl","Allow"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission

# Add the access rule to the ACL
$acl.SetAccessRule($accessRule)

# Apply the modified ACL to the file
Set-Acl -Path $file -AclObject $acl

```

## Key Takeaways

- File permissions are rules that define who can edit or otherwise interact with a file
- Unix-type systems have a simple permissions system, with three user groups (owner, group and others), and three states (read, write, execute)
- The root user or superuser is a special type of user that has all privileges over all files on the system
- You can temporarily access root user privileges using the `sudo` command, if you know the password
- File permissions are edited on Unix systems using the `chmod` command
- The Windows permissions system is called Access Control List (ACL). It is more complex than the Unix system, but also more flexible
- You can edit Windows ACL permissions either in the GUI, or by using the `Get-Acl` and `Set-Acl` commands to apply a new ACL rule
