# Permissions

UNIX-like OSes were designed for multi-tasking, multi-user systems. Typically, there multiple users of the computer
at the same time where users are typically logged into the computer over a network.
For this to work, there need to be mechanisms in place that protect users from each other and that protect the OS from normal users. For example, 
a user should not be able to modify (or perhaps even see) another user's files, and
a normal user should not be able to modify critical OS files.

UNIX associates *access rights* or *permissions* with every file. Permissions are granted to three
classes called:

* *user* : the owner of the file. Every file has a username associated with it.
* *group* : multiple users can belong to a group. Every user belongs to a least one group and may
belong to multiple groups. Many Linux distributions create a group having the same name as the
user whenever a new user is added to the system. Every file has a groupname associated with it.
* *other* : Any user that is not the owner nor a member of the group is in this class.

<div class="alert alert-block alert-info">
    This code in this notebook assumes that the current working directory is 
    <code>./scripts/permissions</code>. Run the next cell once when using this notebook.
    <br /><br />
    If you see errors related to missing files then the working directory is probably incorrect.
</div>

In [None]:
# run this cell exactly once each time you open this notebook
cd ./scripts/permissions

The long listing output of `ls` shows the username and groupname of a file:

In [None]:
ls -l file1

You should see something resembling the following:

![](./images/long_listing.png)

The parts of the long listing output in this example are:

1. file type (leftmost symbol) and permissions (remaining symbols)
2. number of hard links
3. username
4. groupname
5. disk size in bytes
6. timestamp
7. filename

Note that the long listing format is not standardized and that you may need to consult your local
documentation for details.

#### 1. File type and permissions

The leftmost symbol denotes the file type of the file. There are seven standard file types
(https://en.wikipedia.org/wiki/Unix_file_types). Some of the file types that readers might encounter 
in this course are described in the following table.

| Symbol | File type |
| :--- | :--- |
| <code>-</code> | regular file |
| <code>d</code> | directory |
| <code>l</code> | symbolic link |
| <code>c</code> | device file: character special file (handles data as a stream of bytes such as a terminal) |
| <code>b</code> | device file: block special file (handles data as blocks such as a disk drive)  |

The remaining symbols indicate the *user* permissions, *group* permissions, and *other* permissions
on the file taken in groups of three symbols. From left to right, the example above reads:

* `rw-` the *user* permissions
* `rw-` the *group* permissions
* `r--` the *other* permissions

The symbols always appear in the same order: read-write-execute. An `r` indicates that read permission
is granted. A `w` indicates that write permission is granted. An `x` indicates that execute permission 
is granted. A `-` means that the particular permission is not granted. In the example, we can see that
the owner of the file has read and write permission, members of the group have read and write permission,
and all other users have read permission.

Permissions affect regular files and directories differently as shown in the following two tables:

| Permission | Regular files |
| :--- | :--- |
| read | File can be opened and read |
| write | File can be written to or truncated. Does not allow creation, deletion, or renaming |
| execute | File can be run like a program or executed as a script |

| Permission | Directories |
| :--- | :--- |
| read | Directory contents can be listed if execute permission is also granted |
| write | Files can be created, deleted, or renamed if execute permission is also granted |
| execute | Directory can be entered |

The symbol in the execute positions can also be `s`, `S`, `t`, or `T`, but these permissions
are beyond the scope of this notebook.

#### 2. Number of hard links

See the *Filesystem* and *Creating, moving, removing, and copying files* notebooks for details.

#### 3. Username

The username is name of the user that owns the file.

#### 4. Groupname

The groupname is name of the group that the file belongs to. On many Linux distributions, every
user has a group named after them called a *user private group* and the default group that a file is assigned to
is the user private group. The owner of the file may assign the file to a different group.

#### 5. Disk size 

The disk size on the author's computer is listed in bytes, but this can be changed by other
command line options.

#### 6. Timestamp

The timestamp is the modification time on the author's computer. The modification time is the last
time the file contents were modified.

#### 7. Filename

Self explanatory.

## Changing file permissions

The file owner can use the `chmod` command to change the permissions of a file.

#### Permissions as octal values

Each of the *user-group-other* permissions can be assigned an integer value between 0 and 7. The
following table illustrates the results:

| Octal value | Binary value | File permissions |
| :--- | :--- | :--- |
| 0 | 000 | --- |
| 1 | 001 | --x |
| 2 | 010 | -w- |
| 3 | 011 | -wx |
| 4 | 100 | r-- |
| 5 | 101 | r-x |
| 6 | 110 | rw- |
| 7 | 111 | rwx |

For example, to grant read access to *user* and remove all other permissions:

In [None]:
chmod 400 file1
ls -l

To grant read access to all users and remove all other permissions:

In [None]:
chmod 444 file1
ls -l

To grant all permissions to *user* and read and execute permissions to everyone else:

In [None]:
chmod 755 file1
ls -l

#### Permissions as symbolic values

The `chmod` command also accepts a sequence of symbols for setting permissions. There are three sets of symbols.
The first set of symbols indicate the user class to modify:

| Symbol | Meaning |
| :--- | :--- |
| u | *user* or owner |
| g | *group* |
| o | *other* |
| a | all users |

The second set of symbols indicate whether to add, remove,
or assign a permission:

| Symbol | Meaning |
| :--- | :--- |
| + | add a permission |
| - | remove a permission |
| = | assign a permission |

The last set of symbols indicate which permissions are affected:

| Symbol | Meaning |
| :--- | :--- |
| r | read |
| w | write |
| x | execute |

Suppose that we have a file with no permissions set:

In [None]:
chmod 000 file1
ls -l

We can add read permission for all users like so:

In [None]:
chmod a+r file1
ls -l

We can add write permission for the owner like so:

In [None]:
chmod u+w file1
ls -l

We can remove write permission for the owner like so:

In [None]:
chmod u-w file1
ls -l

We can assign all permissions for the owner like so:

In [None]:
chmod u=rwx file1
ls -l

Multiple changes can be performed using a comma to separate the different permission specifications.
For example, we can assign read and execute permissions for *group* and remove all permissions for *other* like so:

In [None]:
chmod g=rx,o-rwx file1
ls -l