Linux is a multi-user operating system with good built-in features for security. To enhance security it uses permissions and ownership for files and directories.
In this tutorial, we learn about Linux file permissions in detail.
Linux File Permissions
In Linux, file and directories (internally its file as well) access is controlled by permissions. These access permissions are granted to 3 user categories: owner, group, and others.
Permissions in Linux are read, write and execute. Let's define each permission:
- Read: The read permission for a file means the user can open and view the content. For a directory (folder) the user can list the contents of the directory.
- Write: This allows the user to modify or delete files. For directories, it enables users to add or remove files and subdirectories.
- Execute: This enables user to run executable files. For example for programs and shell scripts.
Permissions are represented by 3 different characters. In addition, there are special permissions as well. These permissions are represented by symbolic or numeric notations.
Symbolic notations
The symbolic notations (relative mode) are represented by characters. The following represent the characters and its permissions:
- r - read permission.
- w - write permission.
- x - execute permission.
- - (hyphen) - when permission is not granted.
These permissions are applied individually or combined for each user category (owner, group, and others).
Numerical notations
Chmod numerical mode is also known as an absolute mode. This is represented by 3-digit octal numbers.
- 4 - read permission.
- 2 - write permission.
- 1 - execute permission.
This permission is set individually or sum of the numbers for the user category.
User category
In Linux users who interact with the system are classified into 3 categories. Permissions are added or removed to the required user category. Now let's define each category:
- owner - The owner is user who owns the file or directory. By default when a user creates a file or directory the same user will become the owner.
- Group - The group is a collection of users. All the users in the group will have the same access permission on the files or directories.
- Other - Other users who are not the owner or in the group. This means "everyone" or in other way say the "world".
Special Permission Modes
In addition to read, write and execute - in Linux there are special permissions that can be assigned using chmod command. The special permissions are sticky bit, setuid (SUID) or setgid (SGID). This permission can also be represented by symbolic or numerical notations.
Numerical values for respective special permissions are:
- 4 = SUID
- 2 = SGID
- 1 = sticky bit
- 0 = zero effect
The symbolic notations to represent special permissions are 's' for SUID and SGIG and 't' for sticky bit.
Note: Apart from traditional file permission and special permissions Linux supports additional controls on file which are called file attributes. Some of the common attributes are immutable (i), append-only (a), and undeletable (u).
Display Linux Permissions
The most common command to check the permission of files and directories is ls -l. This command list files and directories in a long format which includes permissions, ownerships, modification date, etc. You may also use stat command.
$ ls -l
Each column in the output:
| No | Column | Description |
|---|---|---|
| 1 | File Permissions | Contains 10 characters. The first character denotes the file type and the remaining 9 character represents the file permissions. |
| 2 | Number of links | shows the number of hard links the content file or directory has |
| 3 | Owner | The owner of the file or directory |
| 4 | Group | Group owner of file or directory |
| 5 | Size | Content size, by default in bytes |
| 6 | Date | The last modification date of the file or directory. |
| 7 | Time | the modification time of the file or directory. |
| 8 | Filename/Directory name | The actual name of the file or directory. |
Default Permissions
The default permissions for the newly created files or directories depend on umask value. The default permissions are calculated by subtracting the default mask from the system's default permission values.
System default permissions for directories is 777 and for files is 666. The default mask for the regular user is 002 and the root user is 022.
- When a regular user creates a new directory, the default permission will be 777 - 002. That means 775.
- When a regular user creates a new file, the default permission will be 666 - 002. That means 664.
- When a root user creates a new directory, the default permission will be 777 - 022. That means 755.
- When a root user creates a new file, the default permission will be 666 - 022. That means 644.
So the default mask determines the file and directory default permissions. You can use umask command to set a new mask value. This way you can mask permissions in Linux.
Modify File Permissions
To modify Linux permissions on files and directories use chmod command. Users with appropriate privileges can only change permissions such as a user who owns a file/directory or the superuser (root).
Be careful when performing change in file permissions. Accidental modification of sensitive files and directories can cause disruption to normal operations or security risks.
Let's look into a few practical examples of symbolic and numerical methods to modify file permissions.
Using numerical values:
To give full (4+2+1) permissions to owner, group, and others on the directory named hello-programs, type:
chmod 777 hello-programs
Note: Granting such broad permissions (777) should be used with caution, as it gives unrestricted access to the directory and its contents.
This gives the owner of "file1.txt" read and write permissions, while the group and others have read-only permissions.
chmod 644 file1.txtThis gives /tmp directory sticky bit special permission and has full read, write, and execute permissions for the owner, group, and others.
chmod 1777 /tmp
To remove permission you can subtract the values of permission you want - that will override the current permissions.
Using symbolic Values:
To give full permission assign all symbolic permission characters (rwx) to the owner (u), group (g) and other (o) on the directory.
chmod u=rwx,g=rwx,o=rwx directory-nameorchmod ugx+rwx directory-nameorchmod a+rwx directory-name
This set the same 644 for permission - set read and write for the owner, only read for group and others on the file.
chmod u=rw,go=r file1.txtTo remove permission use - (hyphen) followed by the specific permission. Example - The following command removes execute permission for the group on the directory.
chmod g-x directory1To make new files inherit the group permissions of their parent directory:
chmod g+s parent-directoryHere we have used the setgid bit functionality.
Change Ownership
We talked about Linux file permissions and how to change it. What about changing user category - traditionally known as ownership?
By default when a regular user creates a file or directory, the owner of the file is the user who created it and the group ownership is set to the primary group of that user. Same case for the directory.
To assign a new owner and groups to files or directories use chown command. You need appropriate permissions to modify ownership.
For example to change ownership of the "projects" directory to the user "developer" and group to "devteam", type:
sudo chown developer:devteam projects
You can use -R option to change owner or group recursively.
Comments