Permissions – How Are File Permissions Applied to Newly Created Files?

permissions

I have a directory that has the following permissions set:

drwxr-s---. user group folder

On the desktop, I access this folder and right click to create a new file call foo.txt. Then using the terminal, I created another file using the command $ touch bar.txt.

When I check the permissions for these files, I have:

-rw-r--r--. user group foo.txt
-rw-rw-r--. user group bar.txt

I was expecting -rw-r-----. user group. How did the extra write permission for group and read permission for others come about?

Best Answer

setguid

There are 2 forces here at work. The first is the setgid bit that's enabled on the folder, folder.

drwxr-s---. user group folder

That's the s in the pack of characters at the beginning of this line. They're grouped thusly:

d - directory
rwx - read/write/execute bits for user
r-s - read/execute/setuid bits for group
--- - nothing for other users

The r-s means that any files or directories created inside this folder will have the group automatically set to the group group.

That's what caused the files foo.txt and bar.txt to be created like so:

-rw-r--r--. user group foo.txt
-rw-rw-r--. user group bar.txt

permissions & umask

The permissions you're seeing are another matter. These are governed by the settings for your umask. You can see what your umask is set to with the command umask:

$ umask
0002

NOTE: these bits are also called "mode" bits.

It's a mask so it will disable any of the bits related to permissions which are enabled. In this example the only bit I want off is the write permissions for other.

0 - skipping for this conversation
0 - value of user bits
0 - value of group bits
2 - value of other bits

The representation of the "bits" in this command are in decimal form. So a 2 equates to 010 in binary form, which is the write bit. A 4 (100) would mean you want read disabled. A 7 (111) means you want read/write/execute all disabled. Building it up from here:

$ umask 007

Would disable the read/write/execute bits for other users.

So then what about your files?

Well the umask governs the permissions that will get set when a new file is created. So if we had the following umask set:

$ umask 007

And started touching new files, we'd see them created like so:

$ touch newfile1.txt newfile2.txt
$ ls -l |grep newfile
-rw-rw----   1 saml saml        0 Nov  3 22:34 newfile1.txt
-rw-rw----   1 saml saml        0 Nov  3 22:34 newfile2.txt

If we changed it to something else, say this:

$ umask 037
$ ls -l |grep newfile
-rw-rw----   1 saml saml        0 Nov  3 22:36 newfile1.txt
-rw-rw----   1 saml saml        0 Nov  3 22:36 newfile2.txt
-rw-r-----   1 saml saml        0 Nov  3 22:35 newfile3.txt
-rw-r-----   1 saml saml        0 Nov  3 22:35 newfile4.txt

It won't have any impact on files that we've already created though. See here:

$ umask
0037
$ touch newfile1.txt newfile2.txt
$ ls -l | grep newfile
-rw-rw----   1 saml saml        0 Nov  3 22:37 newfile1.txt
-rw-rw----   1 saml saml        0 Nov  3 22:37 newfile2.txt
-rw-r-----   1 saml saml        0 Nov  3 22:35 newfile3.txt
-rw-r-----   1 saml saml        0 Nov  3 22:35 newfile4.txt

So then what's going on with the file browser?

The umask is what I'd called a "soft" setting. It is by no means absolute and can be by-passed fairly easily in Unix in a number of ways. Many of the tools take switches which allow you to specify the permissions as part of their operation.

Take mkdir for example:

$ umask
0037

$ mkdir -m 777 somedir1
$

$ ls -ld somedir1
drwxrwxrwx 2 saml saml 4096 Nov  3 22:44 somedir1

With the -m switch we can override umask. The touch command doesn't have this facility so you have to get creative. See this U&L Q&A titled: Can files be created with permissions set on the command line? for just such methods.

Other ways? Just override umask. The file browser is most likely either doing this or just completely ignoring the umask and laying down the file using whatever permissions it's configured to do as.

Related Solutions

Ubuntu – How to configure permissions to allow gedit, apache, and an IDE play together

What I recommend doing has been mostly described in this Ask Ubuntu question.

For this particular case I would install suPHP which in short allows you to execute PHP scripts as your user under Apache.

By doing the following:

sudo chown -R youruser:youruser /var/www
find /var/www/ -type d -exec chmod 0755 {} \;
find /var/www/ -type f -exec chmod 0644 {} \;

Install suphp-common and libapache2-mod-suphp from this ppa (What are PPAs and how do I use them?)

Disable mod_php5 and enable mod_suphp

sudo a2enmod suphp
sudo a2dismod php5

Update your virtual hosts to include this line at the bottom of them:

suPHP_UserGroup youruser youruser

Replacing youruser with the user you use to edit files on the server. Restart Apache.

From this point forward Apache will execute all php scripts are your user, which means they can be owned by your user/group and there is no need to use crazy permissions like 777. Since everything is run as your user all files created by the php scripts will be owned by your user as well! There are many other cool things you can do with suPHP; however, from what it sounds like this is all you'll need to get started.

Linux – Keep same file owner for newly created files

Folder b and c are owned by user b and c. A file created by a user will belong to that user.

You can use the user permission for b and c, and the group permissions for a. If you set the SGID bit (g+s) on a folder, created files will get the group permission of that folder.

mkdir a
chown a:a a
chmod g+s a

mkdir b
chown b:a b

mkdir c
chown c:a c

(assuming all users are in a group of the same name.)