NOTE: This is an archived copy of the Dragonfire
Internet Services website. Dragonfire is no longer in operation; please
do not attempt to contact any of the addresses listed on this site.
FTP file permission modes
A file mode on a Unix system, such as Dragonfire, consists of three or four
digits. The last (or only) three describe who is allowed what kind of
access to the file. Each can range from zero to seven, and is actually a
sum of zero or more of the values 4, 2, and 1, which have different
meanings for files and for directories:
- 4 - file can be read
- 2 - file can be written to
- 1 - file can be executed (e.g. a CGI script)
- 4 - directory contents can be viewed
- 2 - files can be added to or removed from directory
- 1 - files in directory can be accessed
The first of the three digits represents the permissions you (the owner
of the file) have; the second represents the permissions granted to
everyone besides you your user group (in the case of Dragonfire, that's
anyone with a Dragonfire account); and the third represents the permissions
granted to all users not in your user group (i.e. anonymous FTP users and
Useful file modes:
- Private file: no one besides you can read the file.
- World-readable file: anyone can read the file, but only you are
allowed to modify it. This is the default file mode.
- World-writable file: anyone can read or write to the file.
- Executable file: anyone can read or execute the file. This is
the proper mode for CGI scripts.
Useful directory modes:
- Private directory: only you have access to the directory
contents. (Note that the permissions of files inside such a
directory don't matter; they could all be world-writable, but
because of the directory protection, only you would be able
to read from or write to the files.)
- Semi-private directory: the directory's contents can only be
seen by you, but files in the directory can be accessed by
anyone (assuming the files' modes permit such access). This
mode can be used to implement a crude form of password
protection. If you create a directory with mode 711, then
create another directory inside that directory with mode 755,
people who know the inner directory's name will be able to
view its contents, but people who don't know the inner
directory's name will have no way of finding it out.
- Upload directory: people other than you will not be able to
see the directory's contents, but they can create or delete
files in the directory. A mode similar to this (1703;
see the description of the fourth digit
below) is used for incoming directories created with FTP
Note: you may not create your own
anonymous-FTP upload directories in this manner. In order to add
an upload directory to your account (you can only have one), you
must submit an account change request as described in
the FAQ. Directories with this
mode can be written to only by other Dragonfire users and CGI
- World-readable directory: files in the directory can be
accessed by anyone, but only you can create or delete files in
the directory. This is the default directory mode.
- World-writable directory: as above, but anyone can create or
delete files in the directory. This directory mode is primarily
useful for CGI scripts that need their own data directories, since
the scripts normally run with no priviliges.
What about that fourth digit?
Warning: this section is fairly technical. The file modes described
below are not needed for most uses, and this section may be skipped
without loss of important information.
The fourth digit, which is optional, describes special modes that have
certain effects on directories or executable files. (None of these affect
regular files.) It is also composed of a sum of values.
- Set user ID. An executable file with this mode set will, when
run, have the same permission to access files that you do; in
other words, it will be able to write to your world-readable
files, create files in your world-readable directories, and so
on. Normally, a program will have the same access permission
to files that its "parent" program (the program that started
it) does; in the case of the web server and CGI scripts, those
are the "other user" permissions, i.e. the last digit of the
- Set group ID. As above, but for the user group instead of the
user ID. Generally not very useful; but see the description of
set-group-ID for directories, and you may come up with
- No meaning.
- No meaning.
- Set group ID. For directories, this causes all files and
subdirectories created in the directory to be owned by the same
group as the directory itself is owned by. Additionally, any
directories will inherit this mode by default, so
their files and subdirectories will be owned by the
same group, and so on. For example, you could use this mode to
force all files in a directory to be owned by your user group.
(Currently, this mode is not particularly useful, as all users
on Dragonfire are in the same user group.)
- "Sticky". Where the name for this mode came from seems to have
been lost in the mists of time, but in a directory with the
sticky mode set, files can only be deleted by their owners.
(Normally, anyone with write access to the directory can delete
files in it.)
The default value for the fourth digit is zero, and it can be omitted if
How do I interpret the mode characters?
When in FTP, particularly with command-line clients, you'll often see a
string like "-rw-r--r--" at the beginning of the line. This is a symbolic
representation of the file's modes, and is interpreted as follows:
So the mode string "-rw-r--r--" corresponds to a regular file with mode
644, and "drwx----wt" corresponds to a directory with mode 1703 (the
default for incoming directories on FTP accounts).
- The first character describes the file type. A "-" means a regular
files; a "d" means a directory; other letters indicate special types
- The second through fourth characters represent the user mode; that is,
the first of the three numeric digits described at the top of this
document. The first of these three chracters can be either "r" or
"-", indicating that you either do or do not have read access to the
file respectively. The second character can be "w" or "-", for write
access; the third can be "x" or "-", for execute access. (If the
set-user-ID mode is set, this will be "s" or "S" instead,
- The fifth through seventh characters represent the group mode in the
same way as described for the user mode above.
- The eighth through tenth characters represent the other-user mode in
the same way as described above; however, the last character will be
"t" or "T" instead of "x" or "-" if the "sticky" mode is set.
Last update: 17 March 1997