I found myself reading over and over in different times about linux file permissions. I decided I will write a memo to myself to avoid spending time reading about this in the future looking for a place that clearly explains them.
Let’s start with the basics.
Basics: users and groups
In linux you are a user, and a user is also inside a group.
If you have an identity crisis and you don’t know anymore who you are, you can type in the terminal:
The operating system will kindly remind you your identity.
If you want to know if you are part of the cool groups you can figure out what groups you are in typing
And to know who are all your friends in the same group
cat /etc/groups | grep <group_name>
However the command above shows only local groups.
In linux there are 3 basic permissions that a file or a directory can have:
- read (r),
- write (w),
- execute (x).
Each file or directory has 3 sets of permissions and are respectively: the permission of the file owner, the permission of the group to which the file belongs and the permissions to all the other users.
To check which permissions has a file type:
An example of the output is showed in the image below.
In the example, the file “test” can be read, modified and executed by the user walbert. All the users that are part of the support group can read and execute the file but NOT modify it. The rest of the user can’t perform any action on the file test.
The permissions of a file can be codified using a three digit number. Each digit represent the permissions relative respectively to the user (u), group (g) and the others (o). It can assume values between 0 and 7 and the meaning of the value is described in the image below.
Figure 1: Permissions codes
Each type of permission – read, write or execute – is associated with a number:
- read 4
- write 2
- execute 1
The permissions are codified in a single digit by summing the associated number of the type of permissions we want to grant. For example
rwx = 4+2+1 = 7
r-x = 4+0+1 = 5
Changing owner and group of a file
It should be clear by now that the permission system that linux adopts heavily relies on the concepts of users and groups. It is therefore crucial to be able to change the owners of a file.
This operation is strait forward using the chown command. If we want to change the user owning the file test to fuffy and the group of the file to dogs we can type in the terminal
chown fuffy:dogs test
Afterwards the permissions granted to the user ( first digit ) will specifies what can fuffy do with the test file, the one granted to the group will describe what the users in group dogs can do, and the last digit will refer to what all the other users can do.
Changing the permissions of a file
There are mainly two ways to specify the permissions of a file, and both use the chmod command.
The first way uses the coding scheme explained above.
Lets say that we want to set the permissions of the file test to: rwx r-w r– ( like in Figure 1 )
We can simply fire the terminal and type
chmod 754 test
The second way to specify the permissions of a file is more human readable. Using u, g and o we refer respectively to user, group and others. Using + or – we specify if we want to add or remove a permission. With r, w, x, we refer to read, write, execute.
The same permissions set in the previous example can be specified therefore with
chmod u+rwx,g+rx,o+r test
If we now want to remove the reading permissions from the ‘other’ users we can simply use
chmod o-r test
All the other permissions will be unmodified.
Why would I ever want to execute a directory?
The main reason why I wrote this post it is because stuff get a bit confusing when we talk about directories. It makes of course no sense to execute a directory. The ‘x’ permission when dealing with directories should be instead thought of as ‘is this directory traversable?’.
Lets do a concrete example and assume we have the following folder structure.
Supposing that we want to grant the permissions to all the users on the system to check out our ‘Barcelona June 2016’ pictures but not the ‘Barcelona Sep 2013’, also we do not want them to snoop around the Europe, Spain and Barcelona folders.
First of all all the directory containing ‘Barcelona June 2016’ will need to be traversable by all the users, therefore the x flag of Europe, Spain and Barcelona folders needs to be granted to the other (o) users. This allows them to ‘cd’ in those directories. By not granting the read (r) permissions on Europe, Spain and Barcelona folders we prevent the other users from seeing the content of those folders ( no snooping around ). This means that ‘ls’ in those folders will not work for the ‘other’ users ( I remind you that ‘other’ users are the users not in the group that owns the file and that are different from the user that owns the file ). By not granting the (w) permission on those folders we prevent the ‘other’ users from creating or modifying files in those directories.
By not granting any permissions to the ‘other’ users over the ‘Barcelona Sep 2013’ we prevent them from cd in that directory or in any subdirectory ( that would be possible with the x permission ), we prevent them from looking at the content this directory using ‘ls’ ( which would be possible with the r permission ) and we prevent them from modifying the directory ( w flag ).
I hope that by reading this post you’ll be now a jedi of linux permissions. There are other two notions that might be useful in some cases not discussed here: sticky bit (https://en.wikipedia.org/wiki/Sticky_bit) and sig bit ( https://en.wikipedia.org/wiki/Setuid)