Linux file permissions may look like arcane hieroglyphics to some, and that is understandable: Linux's filesystem permission model stems from the legacy of UNIX. They are, however, quite easy to grasp once you understand the logic behind them.
Permission groups and types
All file and folder access control is defined in the filesystem using the following information:
- Three permission groups: u for the owner, g for the group, o for other users (a addresses all three at once).
- Three permission types: r for read, w for write, x for execute.
The permission types are the characters “r”, “w” and “x”, called flags, and are displayed as such when you list a file's or folder's permissions in some way. Unset flags are depicted with a “-” character. The permission group letters are used in the command that changes a file's permissions, which we will delve into shortly.
You can view a file or folder’s permissions by either using a GUI file manager or by inspecting the output of the ls command in the console terminal.
Open your terminal and type the following command:
$ touch test
$ ls -la test
-rw-r--r-- 1 yorgos staff 0 Feb 23 17:07 test
The string “-rw-r--r--” contains the file system permission information that we are interested in. The rest of the fields from left to right display the following information:
- how many links there are to this file (1)
- the owner userid (yorgos)
- the group id (staff)
- file length in bytes (0)
- created date (Feb 23)
- created time (17:07)
- filename (test)
You will notice that there are 9 different combinations of permission groups and types, but 10 flag positions. The first one shows the file type flag, while the remaining nine are the permissions themselves. The file type can be: “-” for regular files, “l” for symbolic links (file system links that just point to another file) and “d” for directories. Since the first character/flag in our example is “-”, we are talking about a regular file. Continuing, let's break down the permissions field:
- : file type (this can be l, - or d)
rw- : read and write permissions (no execute). These permissions are for the owner.
r-- : read permission, no write or execute permission. These permissions apply to users belonging to the file's group.
r-- : read permission, no write or execute. Lastly, these permissions concern everyone else.
So in effect, this just means “this file can be read and written by its owner, and it is read-only for everyone else”. The group has the same read-only access as everyone else.
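The breakdown above can be automated. The following shell script is an added example, not code from the original article: it takes a 10-character mode string as printed by ls -l, names the file type, and describes the rights granted to each of the three classes in turn (function names are my own choice).

```shell
#!/bin/sh
# Added example: explain an ls -l mode string such as "-rw-r--r--".
# Not part of the original article; describe_mode/describe_triplet are
# illustrative helper names.

# describe_triplet TRIPLET -> "read,write", "read", "none", ...
# A triplet is one class's three flag positions, e.g. "rw-" or "r-x".
describe_triplet() {
    t=$1
    out=""
    case $t in r??) out="read" ;; esac
    case $t in ?w?) out="${out:+$out,}write" ;; esac
    case $t in ??x) out="${out:+$out,}execute" ;; esac
    echo "${out:-none}"
}

# describe_mode MODE -> one line for the file type, then one per class
describe_mode() {
    mode=$1
    if [ ${#mode} -ne 10 ]; then
        echo "expected a 10-character mode string, got '$mode'" >&2
        return 1
    fi
    ftype=$(printf '%s' "$mode" | cut -c1)
    case $ftype in
        -) kind="regular file" ;;
        d) kind="directory" ;;
        l) kind="symbolic link" ;;
        *) kind="other ($ftype)" ;;
    esac
    echo "type: $kind"
    # Positions 2-4 are the owner's bits, 5-7 the group's, 8-10 everyone else's.
    i=2
    for who in owner group others; do
        triplet=$(printf '%s' "$mode" | cut -c"$i"-"$((i + 2))")
        echo "$who: $(describe_triplet "$triplet")"
        i=$((i + 3))
    done
}

# Sample input constructed for the demo: the mode string from the article.
describe_mode '-rw-r--r--'
```

Feed it any mode string copied from ls -l output; the `*)` branch keeps it from choking on the less common type characters (block and character devices, sockets, pipes) that the article does not cover.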
In order to modify the permissions of a file or folder, again, you either use a GUI file manager (this is outside the scope of this article, so we won't go there) or use certain Linux commands in your terminal. The command we are going to use is called chmod (change file mode). The chmod command accepts a variety of parameters that change its behaviour in many different ways, but its general use is the following:
$ chmod <mode> <file>
The <mode> is specified by the following symbols:
r the read flag
w the write flag
x the execute flag
u the user/owner permission flag
g the group permission flag
o the other users permission flag
There are a couple of others, but we will discuss those in the final section of our article.
So, let's say that you want to give execute permissions to the users belonging to the group (but make sure you are the owner of the file first!):
$ chmod g+x test
$ ls -l test
-rw-r-xr-- 1 yorgos staff 0 Feb 23 17:07 test
Or maybe you need to lock out everyone else completely. They would not be able to either read, write or execute the file:
$ chmod o-rwx test
$ ls -l test
-rw-r-x--- 1 yorgos staff 0 Feb 23 17:07 test
Here we see the last three flags all unset to “-”.
If you want to see more examples, do consult the manual page for chmod by issuing the following command:
$ man chmod
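To see the symbolic forms of chmod at work without touching a real file, the script below (an added example, not code from the original article) creates a scratch file under a temporary directory, applies the requested modes one after the other, and reads the resulting flags back from ls -l. The helper names are my own.

```shell
#!/bin/sh
# Added example: apply symbolic chmod operations to a scratch file and read
# the mode bits back with ls -l. Not part of the original article.

# mode_of FILE -> the 10-character mode string shown by ls -l
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# mode_after OP... -> creates a fresh file, applies each chmod OP in turn,
# prints the final mode string and removes the scratch directory again.
mode_after() {
    dir=$(mktemp -d) || return 1
    f="$dir/test"
    # umask 022 in a subshell so the new file starts as -rw-r--r--,
    # exactly like the file in the article, without changing our own umask.
    ( umask 022; : > "$f" )
    for op in "$@"; do
        if ! chmod "$op" "$f"; then
            rm -rf "$dir"
            return 1
        fi
    done
    mode_of "$f"
    rm -rf "$dir"
}

# The sequence from the article: grant execute to the group, then lock
# everyone else out. Expected result: -rw-r-x---
mode_after g+x o-rwx

# '=' sets a class exactly instead of adding or removing single flags,
# and ',' separates several changes in one call. Expected: -rw-r-----
mode_after "u=rw,g=r,o="
```

The "=" form is the one to reach for when the starting permissions are unknown: "g+x" only promises that the group can execute afterwards, whereas "g=rx" promises exactly read and execute and nothing else.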
Owners and groups
You can also change the owner and the group of a file by using the chown command.
The chown command accepts various parameters that alter its behaviour in some way, but the most commonplace usage is the following:
# chown <owner> <file>
# chown <owner:group> <file>
The first form changes the owner of a file to another user. Have in mind, though, that you must have root access in order to change the ownership of a file (the # prompt in these examples denotes a root shell). So, by executing the following:
# chown nobody test
# ls -l test
-rw-r-x--- 1 nobody staff 0 Feb 23 17:07 test
the file is now owned by the userid ‘nobody’ and no longer by ‘yorgos’.
Similarly the command:
# chown nobody:wheel test
# ls -l test
-rw-r-x--- 1 nobody wheel 0 Feb 23 17:07 test
changes the owner of the file to nobody and the group to wheel.
If you want to find out more about the command and its various parameters, consult the chown manual page by issuing the command:
$ man chown
Besides the permission types and groups we've already mentioned in the article, there are a couple of other ones, called "special permissions".
These are the following:
s The Set User ID and Set Group ID flag.
t The sticky flag.
The first is set by using the "s" flag in the chmod command in the usual manner, as such:
$ chmod u+s test
$ ls -l test
-rwsrwx--- 1 yorgos staff 0 Feb 23 17:07 test
This flag is also called the SUID (Set User ID) or SGID (Set Group ID) flag. If this bit is set on an executable, the program runs with the access rights of the file's owner rather than those of the user who started it. This means that anyone who executes the file is doing so as the owner. The SGID bit is similar, but the program runs with the access rights of the file's group. This, of course, can lead to security issues, so care must be taken.
The sticky bit, or "t", is particularly useful. When set on a directory that is shared by many users, like /tmp, files created there can only be renamed or deleted by their respective owners (and by the directory's owner and root). Without the sticky bit, anyone with write permission on the directory can rename or delete any file in it, whoever owns the file.
You can make a directory "sticky" by issuing the following command:
$ chmod +t /directory
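Because SUID and SGID programs run with rights their caller does not have, administrators periodically list the files carrying those bits so that an unexpected one is noticed. The script below is an added example, not code from the original article: it uses the standard find -perm test (a leading "-" means "all of these bits set") to report SUID files, SGID files and sticky directories beneath a given tree, then exercises the check on a scratch tree it builds itself. Function names are my own.

```shell
#!/bin/sh
# Added example: list files with the special bits set under a directory.
# Not part of the original article; special_bits/demo_special_bits are
# illustrative helper names.

# special_bits DIR -> lines of the form "suid PATH", "sgid PATH", "sticky PATH"
# 4000 = set-user-ID, 2000 = set-group-ID, 1000 = sticky (octal, see below).
special_bits() {
    root=$1
    find "$root" -type f -perm -4000 2>/dev/null | sed 's/^/suid /'
    find "$root" -type f -perm -2000 2>/dev/null | sed 's/^/sgid /'
    find "$root" -type d -perm -1000 2>/dev/null | sed 's/^/sticky /'
}

# demo_special_bits -> builds a scratch tree holding one SUID file and one
# sticky directory, runs the audit over it and prints paths relative to the tree.
demo_special_bits() {
    dir=$(mktemp -d) || return 1
    : > "$dir/setuid_prog"
    chmod u+s "$dir/setuid_prog"      # the article's "s" flag for the owner
    mkdir "$dir/shared"
    chmod +t "$dir/shared"            # the article's sticky "t" flag
    : > "$dir/plain"                  # an ordinary file, must not be reported
    special_bits "$dir" | sed "s|$dir/||" | LC_ALL=C sort
    rm -rf "$dir"
}

# Expected output:
#   sticky shared
#   suid setuid_prog
demo_special_bits
```

On a real system run special_bits against / (as root, so that every directory can be read) and compare the result with the previous run; a new entry outside the package-managed set of SUID helpers is what deserves a closer look.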
Besides using flags to define permissions such as "r" and "w", you can also use numerical values. The chmod command assigns the following values to permissions:
"r" = 4
"w" = 2
"x" = 1
So in order to set a file to have read/write/execute for the owner, and read/execute for everyone else, meaning "-rwxr-xr-x", we compute the numerical value as such:
rwx = 4+2+1 = 7
rx = 4+1 = 5
We finally issue the command:
$ chmod 755 test
$ ls -l test
-rwxr-xr-x 1 yorgos staff 21 Feb 24 02:08 test
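The arithmetic above (r = 4, w = 2, x = 1, one digit per class) is easy to get wrong by hand, so here is an added example, not code from the original article, that does the conversion in both directions and then proves the result by applying the octal mode to a scratch file and comparing what ls -l shows. The helper names are my own.

```shell
#!/bin/sh
# Added example: convert between symbolic permissions ("rwxr-xr-x") and the
# octal mode chmod accepts ("755"), and verify the mapping against ls -l.
# Not part of the original article.

# triplet_value TRIPLET -> 0..7, e.g. rwx -> 7, r-x -> 5, --- -> 0
triplet_value() {
    v=0
    case $1 in r??) v=$((v + 4)) ;; esac
    case $1 in ?w?) v=$((v + 2)) ;; esac
    case $1 in ??x) v=$((v + 1)) ;; esac
    echo "$v"
}

# to_octal PERMS -> three octal digits; PERMS is the 9 permission characters,
# or the full 10-character ls -l string (the type character is skipped).
to_octal() {
    perms=$1
    [ ${#perms} -eq 10 ] && perms=$(printf '%s' "$perms" | cut -c2-)
    if [ ${#perms} -ne 9 ]; then
        echo "expected 9 permission characters, got '$perms'" >&2
        return 1
    fi
    u=$(printf '%s' "$perms" | cut -c1-3)
    g=$(printf '%s' "$perms" | cut -c4-6)
    o=$(printf '%s' "$perms" | cut -c7-9)
    echo "$(triplet_value "$u")$(triplet_value "$g")$(triplet_value "$o")"
}

# to_symbolic OCTAL -> 9 permission characters, e.g. 755 -> rwxr-xr-x
to_symbolic() {
    out=""
    # Split "755" into "7 5 5" and test the 4, 2 and 1 bits of each digit.
    for d in $(printf '%s' "$1" | sed 's/./& /g'); do
        if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $((d & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    done
    echo "$out"
}

# verify_octal OCTAL -> "ok" when chmod OCTAL on a scratch file yields exactly
# to_symbolic OCTAL in ls -l, otherwise "mismatch: <what ls showed>"
verify_octal() {
    dir=$(mktemp -d) || return 1
    f="$dir/test"
    : > "$f"
    chmod "$1" "$f"
    shown=$(ls -ld "$f" | cut -c2-10)
    rm -rf "$dir"
    if [ "$shown" = "$(to_symbolic "$1")" ]; then
        echo "ok"
    else
        echo "mismatch: $shown"
    fi
}

# The article's example: -rwxr-xr-x is 755, and 755 round-trips through chmod.
to_octal '-rwxr-xr-x'
to_symbolic 755
verify_octal 755
```

A fourth, leading digit carries the special bits from the previous section (4 for SUID, 2 for SGID, 1 for sticky), so "chmod 4755 file" is the octal spelling of "chmod u+s" on a 755 file; the converter above deliberately handles only the three permission digits the article computes.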
Practice on your own by using different permissions and numerical values to get the hang of it!