How the hell do permissions work in linux?

I found myself reading over and over in different times about linux file permissions. I decided I will write a memo to myself to avoid spending time reading about this in the future looking for a place that clearly explains them.

Let’s start with the basics.

Basics: users and groups

In linux you are a user, and a user is also inside a group.

If you have an identity crisis and you don’t know anymore who you are, you can type in the terminal:

whoami

The operating system will kindly remind you your identity.

If you want to know if you are part of the cool groups you can figure out what groups you are in typing

groups

And to know who are all your friends in the same group

cat /etc/groups | grep <group_name>

However the command above shows only local groups.

Permissions

In linux there are 3 basic permissions that a file or a directory can have:

    • read (r),
    • write (w),
  • execute (x).

Each file or directory has 3 sets of permissions and are respectively: the permission of the file owner, the permission of the group to which the file belongs and the permissions to all the other users.

To check which permissions has a file type:

ls -l

An example of the output is showed in the image below.

File Permissions Explanation

In the example, the file “test” can be read, modified and executed by the user walbert. All the users that are part of the support group can read and execute the file but NOT modify it. The rest of the user can’t perform any action on the file test.

Permissions code

The permissions of a file can be codified using a three digit number. Each digit represent the permissions relative respectively to the user (u), group (g) and the others (o). It can assume values between 0 and 7 and the meaning of the value is described in the image below.

Figure 1: Permissions codes

Each type of permission – read, write or execute – is associated with a number:

  • read       4
  • write      2
  • execute 1

The permissions are codified in a single digit by summing the associated number of the type of permissions we want to grant. For example

rwx = 4+2+1 = 7

r-x = 4+0+1 = 5

Changing owner and group of a file

It should be clear by now that the permission system that linux adopts heavily relies on the concepts of users and groups. It is therefore crucial to be able to change the owners of a file.

This operation is strait forward using the chown command. If we want to change the user owning the file test to fuffy and the group of the file to dogs we can type in the terminal

chown fuffy:dogs test

Afterwards the permissions granted to the user ( first digit ) will specifies what can fuffy do with the test file, the one granted to the group will describe what the users in group dogs can do, and the last digit will refer to what all the other users can do.

Changing the permissions of a file

There are mainly two ways to specify the permissions of a file, and both use the chmod command.

The first way uses the coding scheme explained above.

Lets say that we want to set the permissions of the file test to: rwx r-w r– ( like in Figure 1 )

We can simply fire the terminal and type

chmod 754 test

Done.

The second way to specify the permissions of a file is more human readable. Using u, g and o we refer respectively to user, group and others. Using + or – we specify if we want to add or remove a permission. With r, w, x, we refer to read, write, execute.

The same permissions set in the previous example can be specified therefore with

chmod u+rwx,g+rx,o+r test

If we now want to remove the reading permissions from the ‘other’ users we can simply use

chmod o-r test

All the other permissions will be unmodified.

Why would I ever want to execute a directory?

The main reason why I wrote this post it is because stuff get a bit confusing when we talk about directories. It makes of course no sense to execute a directory. The ‘x’ permission when dealing with directories should be instead thought of as ‘is this directory traversable?’.

Lets do a concrete example and assume we have the following folder structure.

Supposing that we want to grant the permissions to all the users on the system to check out our ‘Barcelona June 2016’ pictures but not the ‘Barcelona Sep 2013’, also we do not want them to snoop around the Europe, Spain and Barcelona folders.

First of all all the directory containing ‘Barcelona June 2016’ will need to be traversable by all the users, therefore the x flag of Europe, Spain and Barcelona folders needs to be granted to the other (o) users. This allows them to ‘cd’ in those directories. By not granting the read (r) permissions on Europe, Spain and Barcelona folders we prevent the other users from seeing the content of those folders ( no snooping around ). This means that ‘ls’ in those folders will not work for the ‘other’ users ( I remind you that ‘other’ users are the users not in the group that owns the file and that are different from the user that owns the file ). By not granting the (w) permission on those folders we prevent the ‘other’ users from creating or modifying files in those directories.

By not granting any permissions to the ‘other’ users over the ‘Barcelona Sep 2013’ we prevent them from cd in that directory or in any subdirectory ( that would be possible with the x permission ), we prevent them from looking at the content this directory using ‘ls’ ( which would be possible with the r permission ) and we prevent them from modifying the directory ( w flag ).

Conclusion

I hope that by reading this post you’ll be now a jedi of linux permissions. There are other two notions that might be useful in some cases not discussed here: sticky bit (https://en.wikipedia.org/wiki/Sticky_bit) and sig bit ( https://en.wikipedia.org/wiki/Setuid)

Open file with custom extension using a python script in OSX

I created a custom file extension and a python script that enabled me to view the content of this file.

Normally to open the file using the python script I would have to go to the terminal and execute the script:

$ path/script.py file.newext

What I want is instead to be able to double click on the file and run the script giving it the filename I clicked on as argument.

It is possible to achieve this creating an Automator app:

After opening Automator select Application as document type.

 

Screen Shot 2016-08-05 at 16.15.03Add a Run Shell Script block using the list of item on the left column. Set Pass input to as argument

Write the command needed to open the file inside the for loop. Save and quit.

Lastly, go on a file with the extension you want to be opened with the script, right click on it and select Get Info.

Where is written “Open with” select Others and put the path to the Automator script you just saved.

For the setting to be applied to all the files with this extension click on the “Change all” button.