How are file permissions applied to newly created files?

up vote6down votefavorite

I have a directory that has the following permissions set: drwxr-s---. user group folder On the desktop, I access this folder and right click to create a new file call foo.txt. Then using the terminal, I created another file using the command $ touch bar.txt. When I check the permissions for these files, I have: -rw-r--r--. user group foo.txt -rw-rw-r--. user group bar.txt I was expecting -rw-r-----. user group. How did the extra write permission for group and read permission for others come about? permissions shareimprove this question asked Nov 4 '13 at 2:51 Question Overflow 1,54363459

add a comment

1 Answer

activeoldestvotes

up vote6down voteaccepted

setguid There are 2 forces here at work. The first is the setgid bit that's enabled on the folder, folder. drwxr-s---. user group folder That's the s in the pack of characters at the beginning of this line. They're grouped thusly: d - directory rwx - read/write/execute bits for user r-s - read/execute/setuid bits for group --- - nothing for other users The r-s means that any files or directories created inside this folder will have the group automatically set to the group group. That's what caused the files foo.txt and bar.txt to be created like so: -rw-r--r--. user group foo.txt -rw-rw-r--. user group bar.txt permissions & umask The permissions you're seeing are another matter. These are governed by the settings for your umask. You can see what your umask is set to with the command umask: $ umask 0002 NOTE: these bits are also called "mode" bits. It's a mask so it will disable any of the bits related to permissions which are enabled. In this example the only bit I want off is the write permissions for other. 0 - skipping for this conversation 0 - value of user bits 0 - value of group bits 2 - value of other bits The representation of the "bits" in this command are in decimal form. So a 2 equates to 010 in binary form, which is the write bit. A 4 (100) would mean you want read disabled. A 7 (111) means you want read/write/execute all disabled. Building it up from here: $ umask 007 Would disable the read/write/execute bits for other users. So then what about your files? Well the umask governs the permissions that will get set when a new file is created. So if we had the following umask set: $ umask 007 And started touching new files, we'd see them created like so: $ touch newfile1.txt newfile2.txt $ ls -l |grep newfile -rw-rw---- 1 saml saml 0 Nov 3 22:34 newfile1.txt -rw-rw---- 1 saml saml 0 Nov 3 22:34 newfile2.txt If we changed it to something else, say this: $ umask 037 $ ls -l |grep newfile -rw-rw---- 1 saml saml 0 Nov 3 22:36 newfile1.txt -rw-rw---- 1 saml saml 0 Nov 3 22:36 newfile2.txt -rw-r----- 1 saml saml 0 Nov 3 22:35 newfile3.txt -rw-r----- 1 saml saml 0 Nov 3 22:35 newfile4.txt It won't have any impact on files that we've already created though. See here: $ umask 0037 $ touch newfile1.txt newfile2.txt $ ls -l | grep newfile -rw-rw---- 1 saml saml 0 Nov 3 22:37 newfile1.txt -rw-rw---- 1 saml saml 0 Nov 3 22:37 newfile2.txt -rw-r----- 1 saml saml 0 Nov 3 22:35 newfile3.txt -rw-r----- 1 saml saml 0 Nov 3 22:35 newfile4.txt So then what's going on with the file browser? The umask is what I'd called a "soft" setting. It is by no means absolute and can be by-passed fairly easily in Unix in a number of ways. Many of the tools take switches which allow you to specify the permissions as part of their operation. Take mkdir for example: $ umask 0037 $ mkdir -m 777 somedir1 $ $ ls -ld somedir1 drwxrwxrwx 2 saml saml 4096 Nov 3 22:44 somedir1 With the -m switch we can override umask. The touch command doesn't have this facility so you have to get creative. See this U&L Q&A titled: Can files be created with permissions set on the command line? for just such methods. Other ways? Just override umask. The file browser is most likely either doing this or just completely ignoring the umask and laying down the file using whatever permissions it's configured to do as. ===================================== Command line method: Just run: chmod +x /path/to/your/file.txt Note that chmod does also have some more advanced options. It accepts three groups of options, represented as --- --- ---. The first set of --- is User. The second is Group and the last is Other (everyone else). r stands for Read, w for Write and x for eXecute. To allow everyone to read it, but only Group to execute and User to read and write it would be -rw- rx- r--. This would be added to the command as: chmod +rw-rx-r-- /path/to/file.extension chmod also can do this in numbers. It is based on binary. So there are these numbers: Execute by user is 100. Execute by group is 010. Execute by other is 001 Write by user is 200. Write by group is 020. Write by other is 002. Read by user is 400. Read by group is 040. Read by other is 004. Then you add these together to get the desired combination. So to allow everyone to read it, but only Group to execute and User to write it would be 400 + 040 + 004 and 010 and 200 That adds up to 600 + 050 + 004 = 654. You could then run the command. chmod +654 /path/to/file.extension to set it. So to set all permissions you can run: chmod +rwxrwxrwx /path/to/file.extension or chmod +777 /path/to/file.extension Finally, you can do: chmod -777 /path/to/file.extension To take all permissions away from everyone. And: chmod +300 /path/to/file.extension To add read and write for the user, without affecting any other permissions (e.g. Execute permissions). This website has a very useful little tool, whereby you can tick the options you want and it gives you the command: However, not all the possible combinations are sensible to use; the main ones that are used are the following: 755 - Owner has all, and Group and Other can read and execute 700 - Owner has all 644 - Owner can read and write, and Group and Other can read 600 - Owner can read and write And, if you're using non-trivial user groups: 775 - Owner can read and write, and Group and Other can read 770 - Owner and Group have all, and Other can read and execute 750 - Owner has all, and Group can read and execute 664 - Owner and Group can read and write, and Other can just read 660 - Owner and Group can read and write 640 - Owner can read and write, and Group can read 777 and 666 are rarely used, except in /tmp.