All files and directories in Linux carry a standard set of access permissions. These permissions control which users can read, modify, or execute which files and directories, and they are the most basic layer of access control on the system.
Viewing Permissions
To view the permissions of files and directories, use ls -l (owner and group shown by name) or ls -n (owner and group shown as numeric UID and GID).
# ls -l file
-rw-r--r-- 1 root root 0 Nov 19 23:49 file
The first character of each line displayed by ls -l is the file type: a hyphen (-) for a regular file, d for a directory, l for a symbolic link (other types exist, such as c and b for character and block devices). The next nine characters are the permission bits for the three permission groups: owner, group, and other. The remaining fields are the link count, owner name, group name, size in bytes, modification time, and the file name.
Permission Groups
There are three permissions groups:
- Owner
- Group
- Other
The table describes the permission groups and their scope:
Permission | Description |
---|---|
Owner | Permissions used by the assigned owner of the file or directory |
Group | Permissions used by members of the group that owns the file or directory |
Other | Permissions used by all users other than the file owner, and members of the group that owns the file or the directory |
Permission Set
– Each permission group has three permissions, called a permission set.
– Each set consists of read, write, and execute permissions.
– Each file or directory has three permission sets for the three types of permission groups.
– The first permission set represents the owner permissions, the second set represents the group permissions, and the last set represents the other permissions.
– The read, write, and execute permissions are represented by the characters r, w, and x, respectively.
– The presence of any of these characters, such as r, indicates that the particular permission is granted.
– A dash (-) in place of a character in a permission set indicates that the particular permission is not granted.
– Linux assigns initial permissions automatically when a new file or directory is created: the creating program requests a mode (normally 666 for files and 777 for directories) and the process umask removes bits from that request.
Permission | Access for a file | Access for a directory |
---|---|---|
Read (r) | You can display file contents and copy the file. | You can list the directory contents with the ls command. |
Write (w) | You can modify the file contents. | You can create, rename, or delete entries in the directory; execute permission on the directory is also required. Note that deleting a file depends on write permission on its directory, not on the permissions of the file itself. |
Execute (x) | You can execute the file if it is a binary executable. To run a shell script you also need read permission, because the interpreter has to read it. | You can use the cd command to enter the directory and access entries by name. With read permission as well, you can list the contents with ls -l. Without read permission, ls on the directory fails, but you can still open or stat a file inside it as long as you know its name. |
File Ownership
Every file is owned by a specific user (identified by UID) and a specific group (identified by GID). The chown command changes the user, or the user and group, of a file. Here is an example of changing the owner of the file test to user and its group to user:
# ls -l test
-rw-r--r-- 1 root root 0 Nov 20 00:43 test
# chown user:user test
# ls -l test
-rw-r--r-- 1 user user 0 Nov 20 00:43 test
The basic format for the chown command is as follows:
# chown user:group filename
A period (.) can be used in place of the colon (:) separator. Either the user or the group name can be omitted. If the user name is omitted but the separator is present, chown behaves like chgrp and changes only the group. If the group name is omitted but the separator is present, the group is set to the login group of the specified user. If both the group name and the separator are omitted, only the owner is changed. For example, to change only the owner you could run the following:
# chown user filename
An alternate command to change only the group of a file is the chgrp command. For example:
# chgrp group filename
The chgrp command is the one normal users actually use: a user may change the group of a file they own to any group they are a member of. Giving a file away to another user requires root (more precisely the CAP_CHOWN capability) on Linux, so chown is normally used only by root.
Default Group Ownership
Each user can be a member of many groups (the supplementary groups listed against the user's name in /etc/group), but only one group is the user's primary group (the GID field of the user's entry in /etc/passwd). When a user creates a file, by default the file is owned by the user's primary group, unless the directory carries the setgid bit (see below). If the user wants the file to belong to one of their other groups, they must use the chgrp command (or start a shell in that group with newgrp first). For example:
$ id
uid=1001(user) gid=1001(user) groups=1001(user),10(wheel)
$ touch file
$ ls -lrt file
-rw-rw-r-- 1 user user 0 Nov 20 00:52 file
As shown above, the newly created file automatically gets the group “user”, the primary group of the user who created it.
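The default mode and group ownership described in this section, as an added example that is not code from the original page. It uses Python rather than the shell so it can be run without root: it creates a file and a directory under a chosen umask and reads back the permission bits the kernel assigned, together with whether the new file's group is the process's effective GID (the primary group). It assumes the page's examples were produced under a umask of 002, which is the helper's default; the function names are mine.

```python
import os
import stat
import tempfile

# Added example (not from the original page). Assumption: the rw-rw-r-- and
# rwxrwxr-x modes shown on the page come from a umask of 002 (the default
# here); the function names are this example's own.


def expected_default(mask, directory=False):
    """Kernel rule for a fresh object: requested mode AND NOT umask.
    Programs normally request 0666 for files and 0777 for directories."""
    base = 0o777 if directory else 0o666
    return base & ~mask & 0o777


def create_with_umask(mask=0o002):
    """Create a file and a directory under `mask` and return
    (file_mode, dir_mode, file_group_is_primary): the first two are the
    permission bits the kernel actually assigned (octal ints), the third
    reports whether the new file's group equals the process's effective
    GID, i.e. the creating user's primary group when no setgid directory
    is involved."""
    old = os.umask(mask)               # install the mask, remember the old one
    try:
        with tempfile.TemporaryDirectory() as tmp:
            fpath = os.path.join(tmp, "file")
            dpath = os.path.join(tmp, "dir1")
            with open(fpath, "w"):     # open(2) with mode 0666, filtered by umask
                pass
            os.mkdir(dpath)            # mkdir(2) with mode 0777, filtered by umask
            fmode = stat.S_IMODE(os.stat(fpath).st_mode)
            dmode = stat.S_IMODE(os.stat(dpath).st_mode)
            group_is_primary = os.stat(fpath).st_gid == os.getegid()
            return fmode, dmode, group_is_primary
    finally:
        os.umask(old)                  # never leave the caller's umask changed


if __name__ == "__main__":
    for mask in (0o002, 0o022, 0o077):
        fmode, dmode, primary = create_with_umask(mask)
        print("umask %03o -> file %s (%o) dir %s (%o) primary group: %s"
              % (mask, stat.filemode(stat.S_IFREG | fmode), fmode,
                 stat.filemode(stat.S_IFDIR | dmode), dmode, primary))
```

With umask 002 the file comes out as rw-rw-r-- (664) and the directory as rwxrwxr-x (775), which is exactly what the page's listings show; a stricter umask such as 077 yields 600 and 700.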
File and Directory Permissions
Below is sample output from the ls -l command; you can see from the first character of each line that dir1 and dir2 are directories (indicated by the d) and that file1 and file2 are regular files (indicated by the -).
$ ls -l
total 0
drwxrwxr-x 2 user user 6 Nov 20 00:55 dir1
drwxrwxr-x 2 user user 6 Nov 20 00:55 dir2
-rw-rw-r-- 1 user user 0 Nov 20 00:55 file1
-rw-rw-r-- 1 user user 0 Nov 20 00:55 file2
The next nine characters show the file’s permissions for user, group, and others (or everyone else) as shown below, with parentheses added for clarity:
-(rw-)(rw-)(r--) 1 user user 0 Nov 20 00:55 file1
Here the owner has read and write permissions (rw-), the group has read and write permissions (rw-), and everyone else has only read permission (r--). This is called the symbolic representation because letters such as r, w, and x are used to indicate permissions.
Permissions can also be represented numerically:
r = 4; w = 2; x = 1
Add the digits within each section; the permissions of file1 (from the example above) work out to 664. Here is another way to look at how we arrive at that number:
-(rw-)(rw-)(r--)
-(42-)(42-)(4--)
   6    6    4
Adding the numbers in each section results in permissions of 664.
Changing File Permissions
The chmod command is used to alter the permissions of a file. It may be used to add or remove permissions symbolically. For example, to add execute permissions for the owner of a file you would run:
$ chmod u+x file_name
Or, to add read and write permissions for the group that owns the file, you would run:
$ chmod g+rw file_name
Instead of adding permissions, the symbolic syntax of chmod can also be used to subtract or set to some absolute value as shown in these examples:
$ chmod o-w file_name
$ chmod u=rwx,g=rx,o= file_name
The chmod command can also set permissions explicitly using the numeric representation. For example, to set the permissions on a file to rwxrwxr--, you would run:
$ chmod 774 file_name
In addition to the standard read, write, and execute permissions, chmod can also set special permissions. These are the setuid bit, the setgid bit, and the sticky bit. The following examples show setting each of these special permissions along with brief descriptions of the effect of those permissions.
$ chmod u+s file_name
Adds the setuid bit so that, if the file is executable, it runs with the effective user ID of its owner rather than that of the user who launched it. On Linux the kernel honours setuid only on binaries and ignores it on interpreted scripts. Setuid-root binaries are a classic privilege-escalation target, so every setuid file on a system should be known and justified.
$ chmod g+s file_name
Adds the setgid bit so that, if the file is executable, it runs with the effective group ID of its group. When set on a directory, files created inside it get the directory's group instead of the creator's primary group, and new subdirectories inherit the setgid bit as well; this is the usual way to set up a shared project directory.
$ chmod o+t directory_name
Adds the sticky bit (the restricted deletion flag) so that files in this directory can be deleted or renamed only by the file's owner, the directory's owner, or root, even though the directory is writable by everyone. /tmp is the standard example.
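The symbolic-to-numeric conversion from the "File and Directory Permissions" section and the chmod expressions from "Changing File Permissions", including the setuid, setgid, and sticky bits, as one added example that is not code from the original page. It parses an ls -l mode string into the octal value, formats it back, interprets chmod-style symbolic specs (u+x, g+rw, o-w, u=rwx,g=rx,o=, u+s, g+s, o+t), and cross-checks the interpreter against the real chmod(1) on a temporary file. Function names are my own; it assumes a Linux or other POSIX system with a chmod binary on PATH.

```python
import os
import stat
import subprocess
import tempfile

# Added example, not code from the original page. Function names are this
# example's own; chmod(1) is assumed to be available for the cross-check.

RWX_BITS = {"r": 0o444, "w": 0o222, "x": 0o111}
WHO_MASK = {"u": 0o700, "g": 0o070, "o": 0o007}
SPECIAL = {"u": stat.S_ISUID, "g": stat.S_ISGID}   # 's' only means something for u and g
SPECIAL_AT = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}  # the three x slots


def parse_mode_string(s):
    """'rwxrwxr--' (optionally with the ls -l type character in front) -> int.
    s/S and t/T in an execute slot add the setuid, setgid or sticky bit;
    lowercase means execute is also set, uppercase means it is not."""
    if len(s) == 10:
        s = s[1:]                      # drop '-', 'd', 'l', ... from ls -l output
    if len(s) != 9:
        raise ValueError("expected 9 permission characters, got %r" % s)
    mode = 0
    for i, ch in enumerate(s):
        bit = 1 << (8 - i)             # owner r is 0400 ... other x is 0001
        expected = "rwx"[i % 3]
        if ch == expected:
            mode |= bit
        elif expected == "x" and ch in "sStT":
            mode |= SPECIAL_AT[i]
            if ch.islower():
                mode |= bit
        elif ch != "-":
            raise ValueError("unexpected %r at position %d" % (ch, i))
    return mode


def format_mode(mode):
    """Inverse of parse_mode_string, using the standard library's formatter."""
    return stat.filemode(stat.S_IFREG | mode)[1:]


def apply_symbolic(mode, spec):
    """Apply a chmod symbolic spec ('u+x', 'g+rw,o-w', 'u=rwx,g=rx,o=',
    'u+s', 'g+s', 'o+t') to `mode` and return the new mode.
    Simplifications versus GNU chmod: a clause with no who letters means
    u, g and o without consulting the umask; '=' clears the class's rwx
    and setuid/setgid bits as chmod does on a regular file (chmod keeps
    them on directories) and leaves the sticky bit alone."""
    for clause in spec.split(","):
        n = 0
        while n < len(clause) and clause[n] in "ugoa":
            n += 1
        who = set((clause[:n] or "a").replace("a", "ugo"))
        if n == len(clause) or clause[n] not in "+-=":
            raise ValueError("bad clause %r" % clause)
        op, perms = clause[n], clause[n + 1:]
        bits = 0
        for w in who:
            for p in perms:
                if p in RWX_BITS:
                    bits |= RWX_BITS[p] & WHO_MASK[w]
                elif p == "s":
                    bits |= SPECIAL.get(w, 0)      # 'o+s' is accepted and ignored
                elif p == "t":
                    bits |= stat.S_ISVTX           # the sticky bit is not per-class
                else:
                    raise ValueError("bad permission %r in %r" % (p, clause))
        if op == "+":
            mode |= bits
        elif op == "-":
            mode &= ~bits
        else:
            clear = 0
            for w in who:
                clear |= WHO_MASK[w] | SPECIAL.get(w, 0)
            mode = (mode & ~clear) | bits
    return mode & 0o7777


def agrees_with_chmod(spec, start=0o644):
    """Cross-check apply_symbolic against the real chmod(1) on a temp file."""
    with tempfile.NamedTemporaryFile() as f:
        os.chmod(f.name, start)
        subprocess.run(["chmod", spec, f.name], check=True)
        kernel = stat.S_IMODE(os.stat(f.name).st_mode)
    return kernel == apply_symbolic(start, spec)


if __name__ == "__main__":
    mode = parse_mode_string("-rw-rw-r--")
    for spec in ("u+x", "g+rw", "o-w", "u=rwx,g=rx,o=", "u+s", "g+s", "o+t"):
        mode = apply_symbolic(mode, spec)
        print("%-16s -> %s (%04o)" % (spec, format_mode(mode), mode))
```

The parser treats the execute slot specially because that is where ls -l displays the extra bits: rwsr-xr-x is 4755, rwxr-sr-x is 2755, rwxrwxrwt is 1777, and an uppercase S or T means the special bit is set without execute, which for setuid and setgid is meaningless and usually a configuration slip worth spotting.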