What are File Permissions and Why do they Matter?

Written by MadMax | Published 2020/11/30

Each and every file on a computer has what we call file permissions. These are attributes of the file that determine who has permission to access that file and what they can do to that file.

To understand what file permissions are we first need to determine what exactly a file is.

What is a Computer File?

A computer file is just like a piece of paper. It could be printing paper, red paper, letterhead, construction paper, or any other kind you can imagine. This paper can have anything written on it, from an essay to a letter, or even a painting. A computer file acts in the same way—the type of file could vary from a text file (.txt), to a file consisting of Python code (.py), to a JPEG image file, and could have anything written on it. Just like paper files in real life, we need a filing system to keep track of all these different files.
A computer usually has an operating system (OS) that handles files in much the same way as a filing cabinet would. Each file is put into directories (which are like folders) that could be named something like "Documents", "Downloads", "Applications", etc., and these directories could be inside even larger, more general directories (like drawers in a filing cabinet) called "Desktop" or "Home".
File permissions are determined by the System Administrator—who is simply a user of the administrator account on a computer (most of you are the sys admin if it is your personal computer), or a user who manages the system of a network of computers, such as an IT Administrator in an organization.
The System Administrator has complete access to all the files on the computer and can change the permissions on these files. So he or she has the power to determine who can access which files in a network.

There are three types of file permissions:

1. Readable (r) – allows the user to read the file but not make any other edits.
2. Writable (w) – allows the user to read and write the files, so they can make changes to the file, but they cannot execute a file if it is a program.
3. Executable (x) – allows the user to execute the file. So if this file is Python code or a bash script, the user would need execute permissions to be able to run that program.
Most files have default read permissions for most or all users. To determine what the file permissions are of a file on your computer first open the Terminal. Then navigate to the directory that holds a file you are curious about. Next you could type "ls -l file" into the command line. For example, we could type
ls -l test.txt
("test.txt" is simply a test file we created to demonstrate the process). It might return something like this:
Users-MacBook-Pro:~username$ ls -l test.txt
-rw-r--r--  1 username admin 18 Nov 7 10:35 test.txt
Let’s break down the different parts of that output:
The first dash (-) is for the file type. The file type has three possibilities: regular file (-), a directory (d), or a link (l). The next three spaces (rw-) are the file permissions of the user. They can be either r, w, or x, for read, write, or execute. The three characters after that are the file permissions of the owner’s group. Then the final three characters (r--) are the file permissions of other users.
The number after the permissions and before the username (1) is the number of links in a file, or number of entries in a directory when referring to a directory. Next, the output lists the username of the current user and then the group the user is in. The group could be admin, staff, users, etc. The number right before the date (18) represents the file’s size. This one refers to the number of characters in the file. The date (Nov 7 10:35) indicates the date and time the file was last modified. Then finally the output indicates the name of your actual file.
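The breakdown above can be turned into a small decoder. This is an added example, not part of the original article; the function names describe_class and describe_mode are made up for illustration, and the sample strings are the ones shown in this article.

```shell
#!/bin/sh
# Added example: decode the mode string that `ls -l` prints (e.g. -rw-r--r--).

# describe_class: turn one three-character group such as "rw-" into words.
describe_class() {
    out=""
    case "$1" in r??) out="read" ;; esac
    case "$1" in ?w?) out="${out:+$out,}write" ;; esac
    # s and t in the last slot mean execute plus a special bit.
    case "$1" in ??[xst]) out="${out:+$out,}execute" ;; esac
    printf '%s' "${out:-none}"
}

# describe_mode: split the string into file type, user, group and others.
describe_mode() {
    mode=$1
    if [ "${#mode}" -lt 10 ]; then
        echo "expected at least 10 characters, got: $mode" >&2
        return 1
    fi
    case "$mode" in
        -*) kind="regular file" ;;
        d*) kind="directory" ;;
        l*) kind="link" ;;
        *)  kind="other" ;;
    esac
    # Characters 2-4, 5-7 and 8-10; anything after (such as @ or +) is ignored.
    u=$(printf '%s' "$mode" | cut -c2-4)
    g=$(printf '%s' "$mode" | cut -c5-7)
    o=$(printf '%s' "$mode" | cut -c8-10)
    printf '%s; user=%s group=%s others=%s\n' "$kind" \
        "$(describe_class "$u")" "$(describe_class "$g")" "$(describe_class "$o")"
}

# Constructed sample strings matching the outputs shown in this article.
describe_mode "-rw-r--r--"
describe_mode "--w-------"
describe_mode "-rwxrwxrwx"
```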

How To Change File Permissions

We can change a file's read permissions with this command:
chmod

Read (r)

We may not want this file to be read by anyone except us (admin), so to take away read permissions we type the following command:
Users-MacBook-Pro:~username$ chmod -r test.txt
Now when we enter the list command, we can see our file no longer has read permissions:
Users-MacBook-Pro:~username$ ls -l test.txt
--w------- 1 username admin 18 Nov 7 10:35 test.txt
To restore read permissions we can type "chmod +r test.txt" ("+" for adding permissions, "-" for removing them). We can see our file now looks like it originally did:
Users-MacBook-Pro:~username$ chmod +r test.txt
Users-MacBook-Pro:~username$ ls -l test.txt
-rw-r--r-- 1 username admin 18 Nov 7 10:35 test.txt

Write (w)

Next, we come to the most commonly changed file permission, the write file permission. This file permission allows users to edit the contents of the file. For obvious reasons we might want some users to only have read permissions. They can view the file, but they cannot change its content. This can prevent accidental changes to files, or even malicious behavior.
We remove write file permissions by typing "chmod -w test.txt" into the command line. It is exactly the same as changing the read file permissions except that instead of using "r" we use "w" for write. Similarly, we can add write file permissions by typing "chmod +w test.txt".
Things can get a little tricky here because we might want to change file permissions for specific users, not just the entire group. To specify which users' permissions we want to change we must add another element to our command.

Specifying The Class of a User

There are three classes of users that we can identify when dealing with file permissions. The owner of the file can change permissions for:
1. The user (u) - meaning the person using the account (yourself)
2. The group (g) - The second set of three permissions
3. The others (o) - The final set of three permissions
4. All (a) - This is u, g, and o. This changes the permissions for all classes of users.
In our test file above the user is the only person who has write permissions. If we wanted to enable the group to have write permissions as well we could enter the following command:
Users-MacBook-Pro:~username$ chmod g+w test.txt
Users-MacBook-Pro:~username$ ls -l test.txt
-rw-rw-r-- 1 username admin 18 Nov 7 10:35 test.txt
To remove those write permissions from the group we would simply type "chmod g-w test.txt" into the command line.

Execute (x)

The final type of file permission is the executable file permission. This allows us to execute a file from the command line. It is normally set on files that contain programs. And it is really only essential for files that need to be run from anywhere in the system, such as bash scripts and personal commands, or commands that need to be accessed by the Operating System. Because of this, normal users don’t always need to focus on this one as much.
However, here is an example of what changing the executable permissions for every class of users would look like:
Users-MacBook-Pro:~username$ chmod +x test.txt
Users-MacBook-Pro:~username$ ls -l test.txt
-rwxr-xr-x 1 username admin 18 Nov 7 10:35 test.txt
To remove the executable file permission we would enter "chmod -x test.txt", and to change only our user's executable file permissions we would enter "chmod u+x test.txt".
What if we wanted to turn on all the permissions for every user?
We could enter:
Users-MacBook-Pro:~username$ chmod a+r+w+x test.txt
Users-MacBook-Pro:~username$ ls -l test.txt
-rwxrwxrwx 1 username admin 18 Nov 7 10:35 test.txt

Shortcut

I’m going to show you a shortcut so you can change file permissions quickly anytime you need to. You can make your own command that you can call from anywhere in the terminal to change the file permissions. This little code you write can be applied to automating any command.
If you're using a Linux/Unix operating system this will be the easiest way to automate small tasks like this.
We are going to make a shortcut for changing file permissions. Our example will be making a shortcut for adding executable file permissions. Normally to change our file's execute permissions we type "chmod +x test.txt", but that can be a lot to repeat over and over again. To make it easier we create a shortcut like this:
Users-MacBook-Pro:~username$ echo 'chmod +x "$@"' > cx
The echo command writes the command inside the single quotes into the cx script. The "$@" (double quotes included) is used as a placeholder for the file names we pass to cx, and the quotes keep a file name that contains spaces in one piece. Now all we have to do is enable executable permissions on cx and move it to the /bin folder (this allows us to run the script from the command line). The test file is currently not executable:
Users-MacBook-Pro:~username$ ls -l test.txt
-rw-r--r-- 1 username admin 18 Nov 7 10:35 test.txt
But now we can run our new script:
Users-MacBook-Pro:~username$ cx test.txt
Users-MacBook-Pro:~username$ ls -l test.txt
-rwxr-xr-x 1 username admin 18 Nov 7 10:35 test.txt
We can create a terminal command like this for any process we want to run and store it under any name we want to (it doesn't have to be cx). It just makes the process easier when you start using these commands over and over.


Why Change File Permissions?

Why would we even need to change file permissions in the first place?
The general answer is that we don’t need every user to have full access to every file in a network.
But why would we not want every user to have full access to every file?
The first reason is for privacy and efficiency. The second reason is for protection.

Privacy and Efficiency

As a disclaimer I just want to mention that I am not a cyber security professional or an IT professional. I just want to show the importance of file permissions to normal people.
Many organizations will have an IT department or even an outside company that handles all the IT and system administration issues, but sometimes in small businesses there may not be IT personnel to handle these tasks, and you will need to know about it. The most basic issue is for efficiency reasons. The system administrator might write scripts that only he or she needs to be able to run on the network. There is no reason any other user should have execution permissions on these files. They don’t need to execute these scripts, and keeping these permissions on could result in accidental execution of these files at times when you do not want it to happen (maybe there is a script to remove certain types of data, and you don’t want anyone accidentally deleting data).
Other times we may not want certain employees to have access to certain documents, such as company plans, client lists, formation documents, or contracts. We may want to only restrict write permissions so that no one can change or alter these documents. Or we may even want to restrict all permissions—read permissions included—so that no one except specific employees or members can view these documents. There are just some things that should remain private and not everyone in the organization needs access to them.
On another note, there could even be sensitive information on our personal computers such as credit card numbers, social security numbers, addresses, etc. that we do not want other users on our computer or network to have access to.

Protection

The most important reason for organizations to practice good file permission management is to protect their data. Hacks, data leaks, and ransomware attacks are becoming more common and more advanced every day. At this point in time even small businesses cannot afford to be vulnerable to these attacks. These malicious actors are not just targeting large companies and groups, but also small businesses that handle sensitive or large amounts of information, such as law firms or healthcare companies.
One example where file permissions could come into play is a ransomware attack. A ransomware attack is where an outside party puts malicious software on your computer or a computer in your network and it encrypts all of your files so that you do not have access to them. Then the attacker(s) usually demand a ransom for the encryption key. This malware can encrypt any files that the user who was infected has write permissions on. These attacks are very common and can happen in the simplest of ways such as clicking on links in emails or even losing a laptop.
There are many simple ways to protect yourself against situations like this such as having good backups, avoiding unknown email links or phishing scams, and not connecting foreign or unknown devices to your computer.
The most overlooked way to prevent widespread data loss in this situation is to manage your file permissions. If users do not have write permissions on certain files those files will not be encrypted. To do this you must implement appropriate file permissions throughout your network. That means a secretary or a salesperson probably doesn’t need complete access to all of the files the CFO does. And an engineer and a marketer probably don’t need write or even read permissions on all the same files. It may seem exclusionary, but in reality most of these people don’t have significant overlap in the types of files used anyway. Everyone should have access to only what is necessary.
It may seem like a lot of work or even unnecessary, but I assure you it is much easier than having to decide whether to pay a ransom after an attack, or having to contact all of your clients to let them know you can’t access their data or that it may have even been compromised.
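One way to check for files that more people can write to than necessary, as an added example that is not part of the original article: it lists files whose group or others have write permission and then removes that permission with chmod go-w. The function names and the sample directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: find files that group or others are allowed to write to.

# audit_writable DIR: print regular files under DIR with the group-write
# (020) or other-write (002) bit set, one path per line, sorted.
audit_writable() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) -print | sort
}

# tighten_writable DIR: remove group/other write from those files only.
# The owner's permissions are left untouched.
tighten_writable() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) -exec chmod go-w {} +
}

# make_sample_tree: constructed sample directory so the example runs offline.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    for name in plans.txt clients.txt notes.txt contract.txt; do
        echo "sample" > "$d/$name"
    done
    chmod 644 "$d/plans.txt"      # -rw-r--r--  owner-only write
    chmod 664 "$d/clients.txt"    # -rw-rw-r--  group can write
    chmod 666 "$d/notes.txt"      # -rw-rw-rw-  everyone can write
    chmod 600 "$d/contract.txt"   # -rw-------  private to the owner
    printf '%s\n' "$d"
}

tree=$(make_sample_tree)
echo "Writable by group or others:"
audit_writable "$tree"
tighten_writable "$tree"
echo "Still writable by group or others after chmod go-w:"
audit_writable "$tree"
rm -rf "$tree"
```

Run the audit on a real directory first and read the list before tightening anything, since some shared folders are group-writable on purpose.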

Conclusion

I am not an expert, so I'm sure I missed a few things. Don't be afraid to look stuff up on your own. My goal is to give a basic overview of file permissions and why they may be necessary for the average user.
To get a more in-depth understanding you should practice and explore on your own and read more articles. There are many available sources dealing with file permissions and systems administration.

Written by MadMax | Law and data
Published by HackerNoon on 2020/11/30