An intro to Linux file and directory permissions
No, everyone should not be root.
We know that the root user can do basically anything on the system. Other users have more limitations and are usually collected into groups: you put users with similar needs into a group that is granted the relevant permissions, and each member inherits the group's permissions.
Let's take a look at:
- Checking permissions
- Changing permissions
- Default permissions
- Special permissions
Granting Permissions
The three basic permissions are:
- r: Permission to read.
- w: Permission to write.
- x: Permission to execute.
When a file is created, the user who created it is typically its owner and the owning group is the user's current group. We can move ownership of a file to a different user with the chown command.
chown gps /tmp/file.txt
Here we are giving the user gps ownership of file.txt in the /tmp directory.
We can also move a file from one group to another; we use the chgrp command for that.
chgrp cloudadmins newIDS
Say we have an application called newIDS; here we are giving group ownership of newIDS to the cloudadmins group.
Checking Permissions
ls -l
The ls command with the -l (long) switch displays the contents of a directory, including each entry's permissions. Let's break this down a bit more.
drwxr-xr-x 2 azureuser azureuser 4096 Feb 14 22:31 Videos
The first character is the file type, in this case it's a d, which means it's a directory. This character can be:
- (-) regular file
- (d) directory
- (c) character special
- (b) block special
- (p) fifo
- (l) symbolic link
- (s) socket
You'll typically see d, - or l. In this post we'll focus on - and d; I'll have another post on symbolic links (here's a great post on them), which are sort of like links to files.
Next we have
rwxr-xr-x
Nine characters, the first three are the permissions of the user, the next three are the permissions for the group, and the last three are the permissions for others.
- So in our case, the user (the owner) has rwx (read, write, and execute) permissions.
- The group has r-x (read, no write, and execute); the - means the respective permission hasn't been given.
- The others column has r-x (read, no write, and execute).
2 azureuser azureuser 4096 Feb 14 22:31 Videos
What's left is the number of links, the user (azureuser), the group (azureuser), the size, the date, and the name.
We can change permissions if we need to.
Changing Permissions
Only the root user or the file's owner can change permissions; we use the chmod command for that, and we can use octal (numeric) notation or UGO (symbolic) notation. Let's look at octal notation first.
Changing permissions with Octal Notation
This table contains all possible permission combinations and their octal and binary representations.
Binary | Octal | rwx |
---|---|---|
000 | 0 | --- |
001 | 1 | --x |
010 | 2 | -w- |
011 | 3 | -wx |
100 | 4 | r-- |
101 | 5 | r-x |
110 | 6 | rw- |
111 | 7 | rwx |
If we wanted to represent all permissions for owner, group, and others, we could use
777
Each digit (in this case each one is a 7) represents the permissions for user, group, and others respectively. In the table, we see that 7 in octal is rwx, which is all permissions. So how do we use chmod with this?
chmod 777 sample.txt
This would give the owner all permissions, the group all permissions, and everyone else (other) all permissions.
chmod 700 sample.txt
chmod 774 sample.txt
chmod 755 sample.txt
- The first one would give the owner all permissions, the group no permissions, and other no permissions.
- The second one would give the owner all permissions, the group all permissions, and other only read permissions.
- The third one would give the owner all permissions, the group read and execute permissions, and other read and execute permissions.
Changing Permissions with UGO
The numeric method of changing permissions is the most used, but we can still use the symbolic method, UGO (user, group, other). Each clause uses one of three operators:
- `-` removes a permission.
- `+` adds a permission.
- `=` sets a permission exactly, replacing whatever was there.
Let's remove the write permission from the user that owns sample.txt
chmod u-w sample.txt
We can change multiple permissions at once
chmod u-rw sample.txt
chmod u+rwx,o+rwx sample.txt
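To see exactly what a symbolic clause does to a mode before touching a real file, here is a small interpreter for the UGO syntax described above. It is an added example, not code from the original post; the function names apply_symbolic and perm_bits are my own, and it assumes comma-separated who[+-=]perms clauses with perms drawn from r, w and x.

```shell
#!/bin/sh
# Added example (not from the original post): a small interpreter for chmod's
# UGO syntax. It applies clauses such as "u-w" or "u+rwx,o+rwx" to a
# three-digit octal mode and prints the result, so you can predict what a
# chmod command will do before running it on a real file.

perm_bits() {
  # translate a string of r/w/x letters into a 3-bit value (r=4, w=2, x=1)
  bits=0
  for ch in $(printf '%s' "$1" | sed 's/./& /g'); do
    case $ch in
      r) bits=$((bits | 4)) ;;
      w) bits=$((bits | 2)) ;;
      x) bits=$((bits | 1)) ;;
      *) printf 'bad permission letter: %s\n' "$ch" >&2; return 1 ;;
    esac
  done
  echo "$bits"
}

apply_symbolic() {
  # usage: apply_symbolic 644 "u+x,go-r"   -> prints 744
  mode=$(printf '%d' "0$1")                 # octal string -> integer
  for clause in $(printf '%s' "$2" | tr ',' ' '); do
    who=$(printf '%s' "$clause" | sed 's/[-+=].*//; s/a/ugo/')
    op=$(printf '%s' "$clause" | sed 's/^[ugoa]*//; s/[rwx]*$//')
    letters=$(printf '%s' "$clause" | sed 's/^[ugoa]*[-+=]//')
    bits=$(perm_bits "$letters") || return 1
    [ -z "$who" ] && who=ugo                # chmod treats a missing "who" like "a"
    for w in $(printf '%s' "$who" | sed 's/./& /g'); do
      case $w in u) pos=6 ;; g) pos=3 ;; o) pos=0 ;; esac
      value=$((bits << pos))                # requested bits within this triplet
      triplet=$((7 << pos))                 # every bit of this triplet
      case $op in
        +) mode=$((mode | value)) ;;
        -) mode=$((mode & ~value)) ;;
        =) mode=$(((mode & ~triplet) | value)) ;;
        *) printf 'bad operator: %s\n' "$op" >&2; return 1 ;;
      esac
    done
  done
  printf '%03o\n' "$mode"
}

# the post's own commands, applied to a file that starts out as 644
apply_symbolic 644 "u-w"            # 444
apply_symbolic 644 "u-rw"           # 044
apply_symbolic 644 "u+rwx,o+rwx"    # 747
```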
Default permissions (umask)
Linux automatically assigns all files and directories default permissions: 666 for files and 777 for directories. By default you won't be able to execute a file immediately after downloading it.
You can change the default permissions with the umask (user file-creation mask). The mask represents the permissions you want to remove from the base permissions of a new file or directory.
The umask is a three-digit octal number corresponding to the three permission digits. In most Debian systems, the umask is set to 022. It is subtracted from the permissions number to give the new permissions.
New Files | New Directories | Permissions |
---|---|---|
666 | 777 | Linux base permissions |
-022 | -022 | umask |
644 | 755 | Resulting permissions |
Each user can set a personal default umask value for their files and directories in their .profile file.
To view the current value of your umask, run:
umask
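The table above works out for 022, but the kernel actually applies the mask bit by bit rather than by arithmetic subtraction, which matters for masks such as 027. The following is an added example, not part of the original post; apply_umask and check_umask_on_disk are my own function names, and the on-disk check assumes mktemp and a normal POSIX filesystem.

```shell
#!/bin/sh
# Added example (not from the original post): work out the mode a new file or
# directory gets under a given umask. The kernel applies the mask bit by bit
# (base AND NOT mask); that equals plain subtraction for 022 but not for a
# mask like 027, as the last call shows. Assumes three-digit octal arguments.

apply_umask() {
  # usage: apply_umask <base> <mask>    e.g. apply_umask 666 022 -> 644
  base=$(printf '%d' "0$1")             # octal string -> integer
  mask=$(printf '%d' "0$2")
  printf '%03o\n' "$((base & ~mask))"
}

# cross-check against the kernel: create a file and a directory under the
# given umask and read the permission columns back from ls -l
check_umask_on_disk() {
  tmp=$(mktemp -d) || return 1
  ( umask "$1" && : > "$tmp/f" && mkdir "$tmp/d" ) || return 1
  fmode=$(ls -l "$tmp/f" | cut -c2-10)    # characters 2-10: rwxrwxrwx
  dmode=$(ls -ld "$tmp/d" | cut -c2-10)
  rm -rf "$tmp"
  printf '%s %s\n' "$fmode" "$dmode"
}

apply_umask 666 022          # 644, the post's new-file row
apply_umask 777 022          # 755, the post's new-directory row
apply_umask 666 027          # 640; subtraction would give 639, not a valid octal mode
check_umask_on_disk 027      # rw-r----- rwxr-x---
```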
Special Permissions
- set user ID (SUID)
- set group ID (SGID)
- sticky bit
SUID
The SUID bit says any user can execute the file with the permissions of the owner, but those permissions don't extend beyond the use of that file. To set this bit, you add a 4 in front of the three permission digits after chmod; typically you only use 3 digits, because the leading one is implied as 0. If you see an s in place of an x in the owner permissions of a file, that means the SUID bit is set.
chmod 4644 sample.txt
SGID (Set Group ID upon execution)
SGID assigns group ownership to files and is useful for shared group directories. You can apply SGID to directories and files.
With an SGID bit set on a file, someone without execute permissions can execute the file if the owner belongs to the group that has permission to execute that file.
With an SGID bit set on a directory, group ownership of new files created in that directory goes to the directory's group, rather than the file creator's group.
The SGID bit is represented as a 2 before the regular permissions. If you see an s in place of an x in the group permissions of a file or directory, that means the SGID bit is set.
chmod 2644 sample.txt
Sticky Bit
This permission has a t in place of an x in the others column. When you set the sticky bit on a directory, people can only delete files that belong to them within that directory. They can't delete files that belong to someone else, no matter which combination of file permissions is set on those files. You can only apply the sticky bit to directories. If you see a t in place of an x in the others permissions of a directory, that means the sticky bit is set.
chmod 1777 sample.txt
On regular files the sticky bit is ignored by modern Linux systems, but you should be familiar with the term at least.
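Reading the special bits back out of ls -l is where the s and t letters from the three sections above come together, including the capital S or T that ls prints when a special bit is set on an entry without the matching execute bit (which is what chmod 4644 on a plain file produces). The decoder below is an added example, not code from the original post; mode_to_octal and demo are my own names, and the round trip assumes mktemp and a normal POSIX filesystem.

```shell
#!/bin/sh
# Added example (not from the original post): decode the first field of ls -l,
# special bits included, into the four-digit form chmod takes. A capital S or
# T, which is what the post's "chmod 4644 sample.txt" produces, means the
# special bit is set but the matching execute bit is not, so the entry is
# flagged on stderr. Assumes a 10-character mode string such as "-rwsr-xr-x".

mode_to_octal() {
  # usage: mode_to_octal "-rwsr-xr-x"   -> prints 4755
  s=$1 special=0 perms=0
  for i in 2 3 4 5 6 7 8 9 10; do
    ch=$(printf '%s' "$s" | cut -c"$i")
    bit=$((1 << (10 - i)))               # rwx bit for this column, 256 down to 1
    case $ch in
      r|w|x) perms=$((perms | bit)) ;;
      s|S|t|T)
        case $i in                       # which special bit does this column carry?
          4)  special=$((special | 4)) ;;   # user x column   -> SUID
          7)  special=$((special | 2)) ;;   # group x column  -> SGID
          10) special=$((special | 1)) ;;   # others x column -> sticky bit
          *) printf 'special bit in wrong column %d: %s\n' "$i" "$ch" >&2; return 1 ;;
        esac
        case $ch in
          s|t) perms=$((perms | bit)) ;;    # lowercase: execute bit set too
          *)   printf 'note: %s at column %d: special bit set without execute\n' "$ch" "$i" >&2 ;;
        esac ;;
      -) ;;
      *) printf 'unexpected character: %s\n' "$ch" >&2; return 1 ;;
    esac
  done
  printf '%d%03o\n' "$special" "$perms"
}

# round trip through the kernel: apply the post's special-bit commands to a
# scratch file and directory, then decode what ls -l reports for them
demo() {
  tmp=$(mktemp -d) || return 1
  : > "$tmp/sample.txt" && chmod 4644 "$tmp/sample.txt"
  mkdir "$tmp/shared" && chmod 1777 "$tmp/shared"
  for f in "$tmp/sample.txt" "$tmp/shared"; do
    m=$(ls -ld "$f" | cut -c1-10)
    printf '%s %s\n' "$m" "$(mode_to_octal "$m" 2>/dev/null)"
  done
  rm -rf "$tmp"
}
demo      # -rwSr--r-- 4644 and drwxrwxrwt 1777
```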