Can you explain briefly the main concepts and command line tools used to manage file permissions?
2 Answers 2
Each file has rights for three different categories:
- the owner of the file,
- the group associated with the file, and
- everybody else.
Rights mean the right to read the file, the right to write to the file, or the right to execute the file in case of a script or program.
On the CLI, you may
- change the owner with chown , e.g. chown guillermooo
- change the group with chgrp , e.g. chgrp root
- change the rights with chmod , e.g. chmod u+w filename.ext (Adds writing permission for the owner of the file filename.ext )
If you’d like to know more about each of these tools, open a terminal and type man [tool] , e.g. man chmod .
Warning: Changing permissions of files and directories is potentially harmful and may render your system unusuable. When run recursively as root on the wrong path we may come to a point from where we will have to reinstall Ubuntu. It is therefore a good idea to not change permissions outside of HOME directories, and running the commands recursively as root should be avoided whenever possible.
Ubuntu has inherited the concept of permissions from Unix when for files or directories there are three tasks we can permit or deny:
- r (read) file/directory may be opened for read access.
- w (write) file/directory may be opened for write/edit access.
- x (execute) file may be executed as a program/directory may be traversed.
(Traversing a directory essentially means using it as part of a path name. See https://unix.stackexchange.com/a/13891 or https://unix.stackexchange.com/questions/21251 for more explanations.)
In addition we have three cases as to whom we grant a permission:
- u (user) the owner of a file is granted any of the permissions.
- g (group) group the file belongs to is granted a permission.
- o (other) all others are granted a permission.
Now to get the combination of these sorted we use a binary system where each bit defines a permission. This can be best shown in the following Table
Now if we want for example
a) the owner of a file (= user) has read, write, and execute permission,
b) the file’s group granted read and execute permissions, and
c) all others should only have read access.
Then the resulting file permission will be:
To get this in the octal numbers, eg. for the chmod command or when we have to understand an error message we need to fill above table as below:
Each permission number needs to be added to sum up for a user (4+2+1=7), group (4+0+1=5), and other (4+0+0=4). The resulting number then is:
We now have two options to change the permission bits with chmod :
or much simpler with
Both commands will do the same.
The default permission of a newly created file in our home will be 664 (-rw-rw-r–).
If we want files to be executable as programs we will have to change this permission.
Note that we will also have to change the permission of the directory this executable may be in. Only if both, the file’s and the directory’s executable bit are set we will be allowed to run this file as a program.
When copying a file to our home it will lose it’s permissions which will be replaced by our own default permissions (unless we copy using advanced options e.g. an archive option).
Also note that file may inherit their permission from their mount point, resp. mount options. This is important when mounting Windows formatted drives which do not support Unix permissions.
Users and Groups
We soon realize that this was only half of the story. We also need to sort out belongings. To do this each file or folder has a defined owner, and a defined group membership.
Each time we create a file we will be the owner of a file, and the file’s group will also be us. With ls -l we can see permissions, ownership, and group as seen from the following example output:
- We are only allowed to change permissions, groups or ownership of a file that is our’s.
If we are not the file owner we will get a Permission denied error. Only root can change this for all files. This is why we have to use sudo when editing permission of files that are not ours. There are two commands to do so chown for users and groups and chgrp for groups only.
To change a file ownership from anybody to user takkat and – optionally – the group takkat we may issue this command:
To only change a file’s group to takkat we issue
Read the manpages of the commands for more details and options. There also is this nice more elaborate guide recommended for further reading:
Permissions in Linux plays an important part in administration as well as application configuration. Whether you are a system administrator or a developer, it is mandatory to understand how permissions work in Linux systems.
Linux File Permissions
At times, even will get confused about the numbers and notations used for setting up file permissions. In this article, we will learn the concepts and commands involved in Linux file permissions from a beginner perspective.
Before diving into commands, you should understand the basic notations used for representing permissions.
Read, Write and Execute
The read, write and execute Permissions are denoted by letters r, w and x
Read, Write and Execute can also be denoted using Octal.
Read (r) – 4
Write (w) – 2
Execute (1) – 1
Let’s say a file has read, write and execute permissions, then you can denote that in a number as 7 (ie, 4+2+1=7). You will understand about this more in the following sections.
User, Group and Others (UGO)
User – The owner of the file. Mostly, one who created the file.
Group – The group which the file belongs to.
Others – Everyone other than the user and the group.
Every file has a permission associated with it. To list the assigned permissions for files (also hidden files) in your current directory, use the following command.
Now, lets dissect the output and see how to understand the permissions of files.
-rw-rw-r–. represents the file permissions. if the line starts with “-” it means it is a regular file. If it starts with “d” then it is a directory. Followed by that, you have three sets of “rwx”.
1. The first set represents the permission for the user (who created or owns the file).
2. The second set represents the permissions for the group the file is associated with.
3. The third set represents anyone other than the user and group.
In the above output, the first line shows the permissions of the demo.sh file. It shows that it is a regular file and permissions as follows.
1. first set(rw-) -> the user has only read and write permissions.
2. The second set(rw-) -> the group has read and write permissions.
3. The third set(r–) –> Other have only read access to the file.
Have a look at the following image for better understanding.
Changing permissions of a file
“chmod” command is used for changing the permission of a file/directory. You need two parameters for chmod command as shown below.
Permissions can be assigned using “+” and “-” symbols. Lets look at some examples.
1. To assign user permissions use “u+”” (eg: u+x, u+xw, u+rwx) with the chmod command as shown below.
2. To revoke the access given to the user, you can use “u-” command as shown below. This will unset all the given permissions.
In the same way, you can replace “u” with “g” and “o” for assigning permissions to groups and others.
3. To assign permissions for ugo at the same time, you can use the following syntax.
Changing permissions Using Octals
We have seen how octal can be user to represent permissions. Have a look at the image below to get more ideas about octal representation.
While using octal, we represent the permissions using three numbers. First for the user, second for the group and the third one for others.
1. To give the user all permissions use the following form.
2. To give the user all permissions, the group just read/write and others only read, use the following command.
In this manner, you can assign different permissions to users, groups and others.
Change Permissions Recursively
At some point, you might want to change the permissions of the folder, its subfolder, and files. For example, you uploaded the website files to apache webserver and you want to change the permissions of all the files and folders in the images folder. In this case, you have to apply the permission change Recursively using “-R” flag with the “chmod” command as shown below.
Sticky bit Permission
The sticky bit is a Permission bit for a file or a folder. It is set, only the file or directory owner and the root will be able to delete it. This permission is very useful in scenarios where you want to share a folder with multiple users. Sticky bit avoids deliberate and accidental deletion of files by other users.
setting Up Stickybit
You can set a sticky bit on a file or a folder using “t” or “1”. Here is an example.
In the above command, 1 represents sticky bit and 755 represents the normal file permissions. To ensure that sticky bit is assigned, user “ls -la” command and see if a T flag is added to the permission block as shown below.
I have the following file:
I switched the user to root in the terminal, and I have noticed the following behaviors:
I can read this file and write to it.
I can’t execute this file.
If I set the x bit in the user permissions ( —x—— ) or the group permissions ( ——x— ) or the others permissions ( ———x ) of the file, then I would be able to execute this file.
Can anyone explain to me or point me to a tutorial that explains all of the rules that apply when the root user is dealing with files and directories?
5 Answers 5
Privileged access to files and directories is actually determined by capabilities, not just by being root or not. In practice, root usually has all possible capabilities, but there are situations where all/many of them could be dropped, or some given to other users (their processes).
In brief, you already described how the access control checks work for a privileged process. Here’s how the different capabilities actually affect it:
The main capability here is CAP_DAC_OVERRIDE , a process that has it can “bypass file read, write, and execute permission checks”. That includes reading and writing to any files, as well as reading, writing and accessing directories.
It doesn’t actually apply to executing files that are not marked as executable. The comment in generic_permission ( fs/namei.c ), before the access checks for files, says that
Read/write DACs are always overridable. Executable DACs are overridable when there is at least one exec bit set.
And the code checks that there’s at least one x bit set if you’re trying to execute the file. I suspect that’s only a convenience feature, to prevent accidentally running random data files and getting errors or odd results.
Anyway, if you can override permissions, you could just make an executable copy and run that. (Though it might make a difference in theory for setuid files of a process was capable of overriding file permissions ( CAP_DAC_OVERRIDE ), but didn’t have other related capabilities ( CAP_FSETID / CAP_FOWNER / CAP_SETUID ). But having CAP_DAC_OVERRIDE allows editing /etc/shadow and stuff like that, so it’s approximately equal to just having full root access anyway.)
There’s also the CAP_DAC_READ_SEARCH capability that allows to read any files and access any directories, but not to execute or write to them; and CAP_FOWNER that allows a process to do stuff that’s usually reserved only for the file owner, like changing the permission bits and file group.
Overriding the sticky bit on directories is mentioned only under CAP_FOWNER , so it seems that CAP_DAC_OVERRIDE would not be enough to ignore that. (It would give you write permission, but usually in sticky directories you have that anyway, and +t limits it.)
(I think special devices count as “files” here. At least generic_permission() only has a type check for directories, but I didn’t check outside of that.)
Of course, there are still situations where even capabilities will not help you modify files:
A question that occurred to me earlier: are file permissions/attributes OS- (and therefore kernel-) dependent or are they filesystem-dependent? It seems to me that the second alternative is the more logical one, yet I never heard of reiserfs file permissions, for example: only “Unix file permissions”. On the other hand, to quote from a Wikipedia article:
As new versions of Windows came out, Microsoft has added to the inventory of available attributes on the NTFS file system
which seems to suggest that Windows file attributes are somehow tied to the filesystem.
Can someone please enlighten me?
4 Answers 4
Both the kernel and the filesystem play a role. Permissions are stored in the filesystem, so there needs to be a place to store the information in the filesystem format. Permissions are enforced and communicated to applications by the kernel, so the kernel must implement rules to determine what the information stored in the filesystem means.
“Unix file permissions” refer to a traditional permission system which involves three actions (read, write, execute) controlled via three role types (user, group, other). The job of the filesystem is to store 3×3=9 bits of information. The job of the kernel is to interpret these bits as permissions; in particular, when a process attempts an operation on a file, the kernel must determine, given the user and groups that the process is running as, the permission bits of the file, and the requested operation, whether to allow the operation. (“Unix file permissions” also usually includes setuid and setgid bits, which aren’t strictly speaking permissions.)
Modern unix systems may support other forms of permissions. Most modern unix systems (Solaris, Linux, *BSD) support access control lists which allow assigning read/write/excecute permissions for more than one user and more than one group for each file. The filesystem must have room to store this extra information, and the kernel must include code to look up and use this information. Ext2, reiserfs, btrfs, zfs, and most other modern unix filesystem formats define a place to store such ACLs. Mac OS X supports a different set of ACL which include non-traditional permissions such “append” and “create subdirectory”; the HFS+ filesystem format supports them. If you mount an HFS+ volume on Linux, these ACLs won’t be enforced since the Linux kernel doesn’t support them.
Conversely, there are operating systems and filesystems that don’t support access control. For example, FAT and variants were designed for single-user operating systems and removable media and its permissions are limited to read/read-write and hidden/visible. These are the permissions enforced by DOS. If you mount an ext2 filesystem on DOS, it won’t enforce the ext2 permissions. Conversely, if you access a FAT filesystem on Linux, all files will have the same permissions.
Successive versions of Windows have added support for more permission types. The NTFS filesystem was extended to store those extra permissions. If you access a filesystem with the newer permissions on an older operating system, the OS won’t know about these newer permissions and so won’t enforce them. Conversely, if you access an older filesystem with a newer operating system, it won’t have contain of the new permissions and it is up to the OS to provide sensible fallbacks.
Linux Permissions, How Do They Work?
The Linux permission system for files can appear somewhat confusing to new Linux users. There’s a system of letters or numbers all jumbled together in a seemingly unordered mess.
In reality, it’s quite simple, once you understand how it’s broken down.
Directories, Links, Read, Write, and Execute
Start off by going to a folder in your home directory. The Downloads folder is usually a good option. Once you’re there, run ls -lah . You’ll see a listing of all of the files and folders in Downloads To the far left is a column of letters and dashes. That is the notation for permissions.
That glob of letters and dashes can be broken down into four distinct sections. The dashes mean that there isn’t a value there or that particular permission isn’t enabled.
The first section lets you know if the file is a folder or a symbolic link. This is also the only section that only has one character, the first one. For regular files, that first character is a dash. For folders, it’s a d , and for links, its an l .
The remaining three sections of three values represent the actual permissions. The first grouping handles the file owner’s permissions. The second section is the file’s group permissions. The last set of three is the file’s public permissions.
It might be somewhat apparent, but each of the permission sections has an r , a w , and an x value or a dash signifying that that group doesn’t have that permission.
Of course, r corresponds to “read,” w is “write,” and x means “execute.”
For a better picture of how it works, take a look at this permission listing. In this case, it’s a regular file. The owner can read, write and execute the file. The group can read and write. All other users can only read it.
Take a look at a directory. By default, the files in this directory can be read, written, and executed by the owner. The group and anyone else can read and execute.
The chmod utility can change the permissions of your files and folders. You need to own the files in order to change them with chmod , unless you are using it as root or with sudo .
chmod uses the u , g , and o options to change the permissions for the owning user, group, and others respectively. Take a look at how it works. The command above adds write permissions for the group on the file, somefile.txt .
chmod can also remove permissions. That command removes write and execute permissions for other users.
You don’t have to add or subtract to get the permissions that you want. You can also set the permissions equal to what you need. There is also an a option to apply a change to all groups simultaneously.
Linux is a multi-user operating system, so it has security to prevent people from accessing each other’s confidential files.
When you execute an “ls” command, you are not given any information about the security of the files, because by default “ls” only lists the names of files. You can get more information by using an “option” with the “ls” command. All options start with a ‘-‘. For example, to execute “ls” with the “long listing” option, you would type ls -l
When you do so, each file will be listed on a separate line in long format. There is an example in the window below.
There’s a lot of information in those lines.
- The first character will almost always be either a ‘-‘, which means it’s a file, or a ‘d’, which means it’s a directory.
- The next nine characters (rw-r–r–) show the security; we’ll talk about them later.
- The next column shows the owner of the file. In this case it is me, my userID is “aditya314”.
- The next column shows the group owner of the file. In my case I want to give the “aditya314” group of people special access to these files.
- The next column shows the size of the file in bytes.
- The next column shows the date and time the file was last modified.
- And, of course, the final column gives the filename.
Deciphering the security characters will take a bit more work.
Understanding the security permissions
First, you must think of those nine characters as three sets of three characters (see the box at the bottom). Each of the three “rwx” characters refers to a different operation you can perform on the file.
Read, write, execute and –
The ‘r’ means you can “read” the file’s contents.
The ‘w’ means you can “write”, or modify, the file’s contents.
The ‘x’ means you can “execute” the file. This permission is given only if the file is a program.
If any of the “rwx” characters is replaced by a ‘-‘, then that permission has been revoked.
User, group and others
user – The user permissions apply only the owner of the file or directory, they will not impact the actions of other users.
group – The group permissions apply only to the group that has been assigned to the file or directory, they will not effect the actions of other users.
others – The others permissions apply to all other users on the system, this is the permission group that you want to watch the most.
Reading the security permissions
For example, consider that the user’s permissions for some files is “rw-” as the first three characters. This means that the owner of the file (“aditya314”, i.e. me) can “read” it (look at its contents) and “write” it (modify its contents). I cannot execute it because it is not a program; it is a text file.
If “r-x” is the second set of 3 characters it means that the members of the group “aditya314” can only read and execute the files.
The final three characters show the permissions allowed to anyone who has a UserID on this Linux system. Let us say we have the permission (“r–“). This means anyone in our Linux world can read, but they cannot modify the contents of the files or execute it.
Changing security permissions
The command you use to change the security permissions on files is called “chmod”, which stands for “change mode”, because the nine security characters are collectively called the security “mode” of the file.
- The first argument you give to the “chmod” command is ‘u’, ‘g’, ‘o’. We use:
u for user
g for group
o for others,
you can also use a combination of them (u,g,o).
This specifies which of the three groups you want to modify.
- After this use
a ‘+’ for adding
a ‘-‘ for removing
and a “=” for assigning a permission.
- Then specify the permission r,w or x you want to change.
Here also you can use a combination of r,w,x.
This specifies which of the three permissions “rwx” you want to modify
- use can use commas to modify more permissions
- Finally, the name of the file whose permission you are changing
An example will make this clearer.
For example, if you want to give “execute” permission to the world (“other”) for file “xyz.txt”, you would start by typing
Now you would type a ‘+’ to say that you are “adding” a permission.
Then you would type an ‘x’ to say that you are adding “execute” permission.
Finally, specify which file you are changing.
You can see the change in the picture below.
You can also change multiple permissions at once. For example, if you want to take all permissions away from everyone, you would type
The code above revokes all the read(r), write(w) and execute(x) permission from all user(u), group(g) and others(o) for the file xyz.txt which results to this.
Another example can be this:
The code above adds read(r) and write(w) permission to both user(u) and group(g) and revoke execute(x) permission from others(o) for the file abc.mp4.
Something like this:
assigns read(r) and execute(x) permission to both user(u) and group(g) and add read permission to others for the file abc.c.
There can be numerous combinations of file permissions you can invoke, revoke and assign. You can try some in your linux system.
The octal notations
You can also use octal notations like this.
Using the octal notations table instead of ‘r’, ‘w’ and ‘x’. Each digit octal notiation can be used of either of the group ‘u’,’g’,’o’.
So, the following work the same.
Both of them provides full read write and execute permission (code=7) to all the group.
Same is the case with this..
Both the codes give read (code=4) permission to user, write and execute (code=3) for group and read and execute (code=5) for others.
Both the commands give all permissions (code=7) to user and group, read and execute (code=5) for others.
The default Linux security model is a bit inflexible. To give special access (such as modification privileges) to a group of people, you have to get your system administrator to create a group with those people in it. Furthermore, if you would like to give a different set of access privileges (such as read access) to another group of people, you can’t do it because you can only assign one group owner per file or directory. To solve this problem, you can use ACLs (Access Control Lists). You can learn more about them from this link: ACLs
This article is contributed by Aditya Nihal Kumar Singh. If you like GeeksforGeeks and would like to contribute, you can also write an article using contribute.geeksforgeeks.org or mail your article to [email protected] See your article appearing on the GeeksforGeeks main page and help other Geeks.
Please write comments if you find anything incorrect, or you want to share more information about the topic discussed above.
In my CMS, I noticed that directories need the executable bit ( +x ) set for the user to open them. Why is the execute permission required to read a directory, and how do directory permissions in Linux work?
8 Answers 8
When applying permissions to directories on Linux, the permission bits have different meanings than on regular files.
- The read bit ( r ) allows the affected user to list the files within the directory
- The write bit ( w ) allows the affected user to create, rename, or delete files within the directory, and modify the directory’s attributes
- The execute bit ( x ) allows the affected user to enter the directory, and access files and directories inside
- The sticky bit ( T , or t if the execute bit is set for others) states that files and directories within that directory may only be deleted or renamed by their owner (or root)
First, think: What is a directory? It’s just a list of items (files and other directories) that live within. So: directory = list of names.
Read bit = If set, you can read this list. So, for example, if you have a directory named poems :
- You can ls poems and you’ll get a list of items living within ( -l won’t reveal any details!).
- You can use command-line completion i.e. touch poems/so poems/somefile .
- You cannot make poems your working directory (i.e. cd into it).
Write bit = If set, you can modify this list i.e. you can
Execute bit = Make this directory your working directory i.e. cd into it. You need this permission if you want to:
- access (read, write, execute) items living within.
- modify the list itself i.e. add, rename, delete names on it (of course the write bit must be set on the directory).
Interesting case 1: If you have write + execute permissions on a directory, you can
Interesting case 2: If you have execute (but not write) permission on a directory AND you have write permission on a file living within, you cannot delete the file (because it involves removing it from the list). However, you can erase its contents e.g. if it’s a text file you can use vi to open it and delete everything. The file will still be there, but it will be empty.
Read bit = You can read the names on the list.
Write bit = You can
Execute bit = You can make this directory your working directory.
PS: The article mentioned by Kusalananda is a good read.
In Linux, file permissions determine the levels of privilege for file owners and everyone else. It’s important to make sure any web-facing files have their permissions set correctly, so that a compromised process can’t write to places it shouldn’t.
What Are File Permissions?
File permissions track the permissions for three different groups. Each group is represented by three bits:
- r: The “Read” permission allows a process to read the contents of that file into memory.
- w: The “Write” permission gives a process access to overwrite the physical location on disk where that file is stored.
- x: The “Execute” permission is for programs and allows that file to be executed.
In the terminal, permissions are displayed like so:
The first “d” signifies whether the file is a directory. The first group of three is for the file owner. In this case, the file owner has full read, write, and execution access. The next group of three is “group owners,” which denotes the access rights for the group the file belongs to, in this case, read only. The next group is everyone else, which is read only.
Generally, files with open “everyone” permissions are not very secure. You will want to make sure the last group is set to read-only or no access for most files.
Under the hood, these are stored in binary, with each permission representing a bit. For example, rw- is 110 in binary, which is 6 in decimal. So, the permission string:
…could be stored as “764.” File permissions will often be referred to this way; “777” denotes full access, “700” is private, “644” is read-only. Technically, this is known as octal, not decimal, because there are eight possible values for each digit.
For directories, the permissions use the same characters, but are a bit different:
- r: List permission. Allows the directory to be opened, and allows the use of ls . Requires the x attribute to be set.
- w: Write permission. Allows creation of new files, deletion of file, and renaming files. Does not prevent changing the contents of existing write-enabled files within the directory.
- x: Enterability. Allows the use of cd . This is respected system wide, and will prevent the folder from being opened in a GUI file explorer.
On some systems, particularly macOS, there may be a “@” after the file permission string. This means the file has extended attributes, which you can check with ls [email protected] . For example, the com.apple.quarantine attribute is assigned to executables that have not been opened yet, so that Gatekeeper can block you from double-clicking it, force you to right-click > open and then needlessly prompt you if you’re really sure you want to open it.
What Are File Owners and Groups?
The file owner is just a particular user, but users in Unix systems don’t work the same way they do in Windows. Unix can have different users for individual processes like mysql and nginx . This can make permissions very detailed; for example, an instance of MySQL running under the mysql user can access its own database, but the nginx user cannot.
User groups work in a similar manner but support having multiple users with the same permissions. Users can be added and removed from the group, and they’re optional for setting file permissions.
How to Check File Permissions of Directories
You can view file and directory permissions by running ls -l in your terminal. File permissions are displayed on the far right:
If you want to display the file permissions for a specific file or directory, you’ll need to pipe the ls output to grep :
Note that the current folder and parent folder have their permissions displayed as . and .. when using the -a flag. However, even this only displays two levels of permissions. To display permissions for every parent folder, you’ll need to use the namei command:
This command may not be installed on every Linux distribution. On macOS, you’ll have to install it from brew.
To search for individual files within those folders that may have errant permissions, you can use the find command with the -perm flag:
This searches recursively, and may take some time if you’re running it on the root directory.
How to Change File Permissions and Ownership
Changing file permissions is simple with the chmod command:
You can also add permissions without specifying a full permission string. This is a shortcut, but can save some time. For example, if you can’t open a script file, you can add permission for the owner to execute with:
This adds the execute (x) permission for the current owner (u, for “user”).
Changing owners works similarly with the chown command:
The “:group” is optional. Both chmod and chown can be run recursively on directories, to change file permissions for everything within those directories. To do this, use the uppercase -R flag:
You can also use chmod as the -exec option for find , which lets you change file permissions throughout the system. For example, this command will find files that have open write permissions, and set them to read-only:
How do unix file permissions work?
What unix file permissions are
At their most basic, unix file permissions are a set of bits which control who has the permission to read from, write to and execute files. They have similar, but slightly different meanings as applied to directories. The mode is normally expressed either as a symbolic string of gibberish or as a numeric mode.
Numeric file permissions
A numeric mode is normally expressed as set of three or four octal digits but can be any length up to four. Any ommitted digits are assumed to be leading zeroes. The first digit is the sum of the “set uid” (4), “set gid” (2), and “sticky” (1) attributes. If you need these you know what they mean. Otherwise, move along please. The second digit sets permissions for the owner of the file to read(4), write(2), and execute(1) the file. The third sets permissions for members of the group specified as the group owner of the file and the fourth for people not in the file’s group, with the same values for read, write and execute as the user permission digit. You figure out what permissions you need by adding the bits together. If I want a file to be readable and writeable by me and its group and just readable by others, I might run chmod 664 file to change the mode of the file.
Symbolic file permissions
commands which deal with file permissions often allow you to specify symbolic permissions as follows: u user g group o other r read w write x execute + add specified permission – remove specified permission = make permission exactly equal to this
So in the example above, I could achieve the results I wanted by chmod ug=rw,o=r file or by looking at the current file mode and using “+” or “-” as appropriate. For example, to remove group and world write and execute permissions on a file I might do chmod go-wx file . See man chmod for more details. On linux boxes you may have to do info chmod to get all the details because the GNU project don’t like manual pages.
Finding out file permissions
You can see a symbolic representation of the permissions on a file or directory by using ls -l . If you want to understand why files you create get the permissions they do, read about how umasks work.
Special file permissions
I said “move along please”, but to reward you for your persistence, these are the meanings of the leftmost digit of four-digit octal file permissions. Note: Do not use these unless you really know what you are doing. The setuid and setgid bits on files in particular have been responsible for many serious security breaches when thoughtlessly applied to unworthy programs.
When set on files:
When applied to directories, the meanings of these bits are subtly different and more system- and filesystem-dependent:
Introduction to Linux File Permissions
Linux is a multi-user operating system i.e. many users can access it simultaneously. It can be used in servers and mainframes without any need for modification. Linux has great security features but being a multi-user operating system it is prone to a security threat. Unsolicited users may corrupt, remove or change the important data. So it is necessary to avoid a user accessing any other user’s confidential or crucial files and data. To implement this security, permission must be granted before the user can access the file. Here permission specifies what a particular user can or cannot do with respective files and directories. These permissions help to create a secure environment for the users. In this article, we will discuss Linux File Permission in detail.
Linux File Permission
Linux systems consist of a file control mechanism that determines who has the right to access a file and what steps or actions he/ she can perform on it. The file control mechanism has two components
Web development, programming languages, Software testing & others
- Classes or Ownership: It refers to those who can access the particular file.
- Permissions: It refers to the actions that can be performed on the file by that particular user.
Classes or Ownership of Linux Files
There are three types of classes:
1. Owner or User
A person who creates a file is called a user or an owner of that particular file. User has no impact on the actions of other users. The ownership can be specifically transferred or granted to any other user also.
A group can have multiple users. Every user belonging to a particular group would have the same privileges and access permissions for a particular file. A group does not affect the actions of other groups. Consider your team is making a project and every member of your team need to access the file so instead of granting permissions to every member individually, you can create a group of all team members and grant permission to the group i.e. every member belonging to that group can access that file.
It refers to all other users that can access the file. Setting permission for others refers to setting permission to the world. It simply refers to those who are not the owners or not in a group i.e. the general public.
Permissions for Linux Files
For every file, there are three types of permissions that are applicable to all classes.
1. Read (r):
The read permission allows the user to open the file and read its contents. The user is not allowed to modify or change the contents of the file.
2. Write (w):
The write permission allows the user to modify or change the contents of the file.
3. Execute (x):
This permission allows the user to execute the program or the code. If a user is not permitted to execute then he/ she may read or modify code but they would not be able to execute it.
- _: no permission
- d: directory
- l: The file is a symbolic link
- s: This indicates setuid/ setgid permissions. These permissions are used to announce to the system to run an executable as an owner with the respective owner’s permission.
- t: This refers to sticky bit permissions. These permissions restrict the renaming and deletion of a file i.e. only the owner can delete or rename the particular file.
There are some cases for the permissions that are most frequent.
- rwx: This is the permission that allows the user to read, write as well as execute the program. Execute permission is applicable only is the file is a program.
- rw-: This is the permission that allows the user to read and modify the contents of the file but the user does not have the authority to execute it.
- r-x: This is the permission that allows the user to read and execute the program but he has no authority to make modifications in the program code.
- r–: This permission allows the user only to read the contents of the file. He/ she is neither allowed to modify the file nor execute it (in case it is a program).
Now lets us see how to read the permissions that appeared on the terminal.
The ls – l command gives the file type and access permissions related to a particular file.
The above screenshot depicts the file permissions.
- The first – depicts that a file is selected.
- Then there are nine characters in which r refers to read permission, w refers to write permission, x refers to execute permission and – refers to no permission.
- The first three characters depict the permission given to the owner. In the above screenshot, rw- refers that the owner can read the contents of the file, change or modify the file but cannot execute it.
- The next three characters depict the permission given to the group. In the above screenshot rw- refers that the group members can read the file, modify or change the file but cannot execute the file.
- The last three characters depict the permission given to the world or other users. In the above screenshot r- – shows that other users can only read the file. They can neither modify nor execute the file or program.
Changing Security Permission
1. We can change the permission by using chmod.
Syntax: chmod [permission] [path]
Example: chmod o+x abc.txt (here + shows adding and – shows the removal of permission)
2. We can also change multiple permissions at a time.
Example: chmod ugo-rwx abc.txt
In this article, we have discussed the file permissions in Linux. This is to be kept in mind that the security of files is important. Malicious users will target the files and would try to change, remove or delete the file or its content. So setting the permission must be carefully done so that the tasks could run smoothly.
This is a guide to Linux File Permissions. Here we discuss an introduction to Linux File Permission, Classes or Ownership of Linux Files, Advanced Permissions along with the example. You can also go through our other suggested articles –
Linux Training Program (16 Courses, 3+ Projects)