An introduction to Linux permissions
Linux holds a big advantage over many other operating systems: it is multi-user by design, so many different people can use the same computer, or one person can use the same system for different tasks. That is where the system of file permissions comes in.
A clear understanding of the ownership and permissions of files and folders in a Linux operating system is very important. If you have never run a computer or server shared by more than one user, read this tutorial carefully, because a mistake in file ownership or permissions can make your system vulnerable. After reading this tutorial you will know how file and folder ownership and permissions work in UNIX-based systems and how to manage them.
All files and folders have 3 user based permissions groups:
owner (u) – Owner permissions only apply to the owner of the file or directory and will not impact the actions of other users. This group is marked by letter u.
group (g) – Group permissions only apply to the group that has been assigned to the file or directory and will not affect the actions of other users. This group is marked by letter g.
all users (a or o) – these permissions apply to all other users on the system, that is, everyone who is neither the owner nor a member of the group. This is the permission group you need to watch the most. In chmod it is addressed with the letter o (others), while a (all) addresses owner, group and others at once.
All files and folders also have three basic permission types:
read (r) – Read permission refers to a user’s capability to read the contents of the file.
write (w) – Write permission refers to a user’s capability to write or modify a file or directory.
execute (x) – Execute permission affects a user’s capability to run a file or, for a directory, to enter it and reach the files inside.
File and folder ownership and permissions can easily be checked from the Linux command line. To do that, type the ls -la command, which lists all files (including hidden ones) in the directory you are currently in.
The permissions are displayed in the following layout (type and mode, link count, owner, group):
-rwxrwxrwx 1 owner group
root@server:/var/log# ls -la
drwxrwxr-x 7 root syslog 4096 Sep 29 04:20 .
drwxr-xr-x 12 root root 4096 Jun 15 12:45 ..
drwxr-x--- 2 root adm 4096 Sep 27 04:20 apache2
drwxr-xr-x 2 root root 4096 Sep 24 10:56 apt
-rw-r----- 1 syslog adm 726 Sep 30 05:12 syslog
Let’s analyze the information we have retrieved about syslog file:
-rw-r----- 1 syslog adm 726 Sep 30 05:12 syslog
1. The first sign (or letter) shows the type of file or folder. In this case the sign - means that syslog is a regular file.
2. The next three letters (rw-) are the owner permissions for this file. In this case the owner has permission to read and write this file.
3. The next three letters (r--) are the permissions for the group: the group can only read this file.
4. The last three letters (---) are the permissions for all other users. In this case other users have no permissions on this file at all, so they cannot even open it for reading.
5. The number 1 is the number of hard links to the file.
6. The last part is the Owner and Group section, formatted as Owner Group. The syslog file is accessible to the USER syslog and the GROUP adm.
As noted above, the type of file is described by the first letter of the permission string. There are 3 different types of files in UNIX-based systems (special files have 5 subtypes):
1. Regular files (-)
2. Directory files (d)
3. Special files:
a. Block files (b)
b. Character device files (c)
c. Pipe files (p)
d. Symbolic link files (l)
e. Socket files (s)
Binary permissions marking
Now you are familiar with ownership and permissions in a Linux system; however, user and group permissions can also be written in numeric mode, where each permission set is a single digit.
For example, you may often see file permissions set to 644. The FIRST digit refers to the permissions for the USER/OWNER (u), the SECOND to the GROUP (g) and the LAST one to ALL OTHER USERS (a or o).
These numbers are the representation of the rwx (read, write, execute) string:
Read (r) = 4
Write (w) = 2
Execute (x) = 1
To read the numeric form of the permissions, sum the values of the individual permissions. For example, if a file has permissions set to 751:
Read (4) + write (2) + execute (1) = 7 – means that USER has permissions to READ, WRITE and EXECUTE.
Read (4) + execute (1) = 5 – means that the GROUP has permission to READ and EXECUTE the file.
Read (4) = 4 – means that ALL OTHER USERS have permission to READ the file.
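The analysis of the ls -la output above and the digit sums in this section, as an added shell example that is not part of the original tutorial: it converts the 10-character mode field shown by ls into its numeric form and back, names the file type from the first character, and summarises one ls -l line. The sample line is the syslog entry from the listing above; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Assumes a POSIX shell with
# cut and printf. Input is the 10-character mode field from `ls -l`, such as
# "-rw-r-----". Lowercase s and t (setuid/setgid/sticky combined with x) count
# as the x bit; uppercase S and T (special bit without x) count as no x.

# Name the file type from the first character of the mode field.
file_type() {
    case "$1" in
        -*) printf 'regular\n' ;;
        d*) printf 'directory\n' ;;
        b*) printf 'block-device\n' ;;
        c*) printf 'character-device\n' ;;
        p*) printf 'pipe\n' ;;
        l*) printf 'symlink\n' ;;
        s*) printf 'socket\n' ;;
        *)  printf 'unknown\n' ;;
    esac
}

# Sum r=4, w=2, x=1 for one three-character triplet such as "rw-".
triplet_value() {
    t=$1; v=0
    case "$t" in r??) v=$((v + 4)) ;; esac
    case "$t" in ?w?) v=$((v + 2)) ;; esac
    case "$t" in ??[xst]) v=$((v + 1)) ;; esac
    printf '%s\n' "$v"
}

# "-rw-r-----" -> "640": characters 2-4 are the owner, 5-7 the group, 8-10 others.
mode_to_octal() {
    m=$1
    u=$(printf '%s' "$m" | cut -c2-4)
    g=$(printf '%s' "$m" | cut -c5-7)
    o=$(printf '%s' "$m" | cut -c8-10)
    printf '%s%s%s\n' "$(triplet_value "$u")" "$(triplet_value "$g")" "$(triplet_value "$o")"
}

# One digit -> "rwx"-style triplet, e.g. 5 -> "r-x".
digit_to_triplet() {
    d=$1; out=""
    [ $((d & 4)) -ne 0 ] && out="${out}r" || out="${out}-"
    [ $((d & 2)) -ne 0 ] && out="${out}w" || out="${out}-"
    [ $((d & 1)) -ne 0 ] && out="${out}x" || out="${out}-"
    printf '%s\n' "$out"
}

# "751" -> "rwxr-x--x": convert each of the three digits in turn.
octal_to_mode() {
    n=$1
    d1=$(printf '%s' "$n" | cut -c1)
    d2=$(printf '%s' "$n" | cut -c2)
    d3=$(printf '%s' "$n" | cut -c3)
    printf '%s%s%s\n' "$(digit_to_triplet "$d1")" "$(digit_to_triplet "$d2")" "$(digit_to_triplet "$d3")"
}

# Summarise one `ls -l` line: fields are mode, link count, owner, group, ...
describe_ls_line() {
    set -- $1
    printf '%s %s owner=%s group=%s links=%s\n' \
        "$(file_type "$1")" "$(mode_to_octal "$1")" "$3" "$4" "$2"
}

# Constructed sample: the syslog line from the listing above.
SAMPLE='-rw-r----- 1 syslog adm 726 Sep 30 05:12 syslog'
describe_ls_line "$SAMPLE"      # regular 640 owner=syslog group=adm links=1
octal_to_mode 751               # rwxr-x--x
```

Feeding the apache2 directory line from the listing above gives 750: the group adm can enter and list the log directory, other users cannot.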
Modifying ownership and permissions
File and folder permissions and ownership in Linux systems can easily be changed from the command line. The ownership of a file can be changed with the chown command using the following syntax:
chown user:group filename
For example, if you want to change syslog file’s owner to root and assign it to root group, you have to type:
chown root:root syslog
Check newly set permissions:
root@server:/var/log# ls -la | grep syslog
-rw-r----- 1 root root 27042 Oct 1 02:49 syslog
The ownership of the file has been successfully changed. Next you will learn how to change file permissions, which is done with the chmod command. As you have read before, file permissions can be described in letters as well as in numbers.
When changing permissions using letters, you combine a permission group (u, g, o or a) with one of the assignment operators + (plus) and - (minus), which tell the system whether to add or remove specific permissions:
chmod g+rw filename
Here g is the group, + the operator and rw the permissions being added.
If you want to add write and execute permissions for group members of the syslog file, type the following command:
chmod g+wx syslog
If you want to remove all permissions for group for syslog file, the command should be:
chmod g-rwx syslog
As you can see, the permissions can be added using plus (+) sign, and removed using minus (-) sign.
The permissions can also be changed using the numeric form. This method is recommended because it is more convenient: the permissions for all three groups can be set with a single chmod command and one numeric value:
chmod 644 syslog
Sets permissions to:
-rw-r--r-- 1 root root 27042 Oct 1 02:49 syslog
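The symbolic and numeric chmod forms from this section, run against a scratch file, as an added example that is not part of the original tutorial. It applies each command and reads the resulting mode field back with ls, which shows two things the text only describes: o changes the last triplet only while a changes all three, and a setuid bit added to a file without execute permission shows up as a capital S. The helper names are my own and the file is created with mktemp.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Assumes a POSIX shell,
# chmod, ls and mktemp; the scratch file is created and removed here.

# Print the 10-character mode field of a file, e.g. "-rw-r-----".
perms_of() {
    ls -ld "$1" | cut -c1-10
}

# Apply one chmod mode ($2) to file $1 and print the resulting mode field.
chmod_show() {
    chmod "$2" "$1" && perms_of "$1"
}

F=$(mktemp)
echo "640:   $(chmod_show "$F" 640)"    # -rw-r-----  owner rw, group r, others nothing
echo "g+wx:  $(chmod_show "$F" g+wx)"   # -rw-rwx---  group gains w and x
echo "g-rwx: $(chmod_show "$F" g-rwx)"  # -rw-------  group loses everything
echo "644:   $(chmod_show "$F" 644)"    # -rw-r--r--  the tutorial's final state
# o (others) touches only the last triplet; a (all) touches all three.
echo "o+w:   $(chmod_show "$F" o+w)"    # -rw-r--rw-
echo "a-w:   $(chmod_show "$F" a-w)"    # -r--r--r--
# setuid on a file without execute permission is shown as a capital S:
# the bit is set but has no effect until x is also set.
echo "u+s:   $(chmod_show "$F" u+s)"    # -r-Sr--r--
echo "u+x:   $(chmod_show "$F" u+x)"    # -r-sr--r--
rm -f "$F"
```

Reading the mode back after every change is a good habit when scripting permission fixes: a chmod that silently did something other than intended (for example a+w where o+w was meant) is caught immediately.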
Besides the basic file permissions, there are two special permission types: setuid/setgid and the sticky bit.
The setuid and setgid permissions tell the system to run an executable with the permissions of the file's owner (setuid) or the file's group (setgid) rather than those of the user who runs it. You should not set these special permissions unless you really know what you are doing. If you set setuid/setgid on a file owned by root, you open your system to intruders.
Setuid/setgid permissions are marked with the letter s and can be assigned to a file using the following command:
chmod g+s filename
The sticky bit is very useful in a shared environment: once it is set on a directory, only the owner of a file inside that directory can rename or delete it, even if the directory itself is writable by everyone.
Sticky bit permissions are marked with the letter t and are set as follows:
chmod +t directory
You should be very careful while setting permissions for files and folders because any mistake can make your system vulnerable and cause a lot of damage for you and other users running on your system. You should never set 777 permissions for any files, unless you really have a deep understanding of what you are doing.
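The warnings in this section (777 permissions, setuid/setgid on the wrong file, world-writable directories without the sticky bit) are easy to check for. The following is an added shell example that is not part of the original tutorial: it builds a small constructed directory tree containing each of those mistakes and uses find to report them. The tree layout and function names are my own; a real audit would run the same find commands over a directory such as a web root or a shared upload area.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Assumes a POSIX shell and
# find; the demo tree below is constructed in a temporary directory.

# Regular files that anyone on the system may modify (the o+w / 777 mistake).
find_world_writable() {
    find "$1" -type f -perm -0002 2>/dev/null | sort
}

# Files carrying setuid (4000) or setgid (2000).
find_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# World-writable directories WITHOUT the sticky bit: any user can delete or
# rename any other user's files there. With the sticky bit (1777) they cannot.
find_open_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Count lines of input (0 for empty input), handy for alerting on a non-zero result.
count_lines() {
    n=0
    while IFS= read -r _line; do n=$((n + 1)); done
    printf '%s\n' "$n"
}

# Constructed demo tree under $1. Modes are set explicitly so umask does not matter.
build_demo_tree() {
    d=$1
    mkdir -p "$d/shared" "$d/bin" "$d/drop" "$d/open"
    chmod 755 "$d/shared" "$d/bin"
    chmod 1777 "$d/drop"   # shared drop folder with sticky bit: acceptable
    chmod 777 "$d/open"    # world-writable without sticky bit: should be flagged
    : > "$d/shared/notes.txt";   chmod 644 "$d/shared/notes.txt"
    : > "$d/shared/scratch.log"; chmod 666 "$d/shared/scratch.log"   # world-writable file
    : > "$d/bin/helper";         chmod 4755 "$d/bin/helper"          # setuid
    : > "$d/bin/report";         chmod 2755 "$d/bin/report"          # setgid
}

DEMO=$(mktemp -d)
build_demo_tree "$DEMO"
echo "world-writable files:";           find_world_writable "$DEMO"
echo "setuid/setgid files:";            find_setid "$DEMO"
echo "world-writable dirs, no sticky:"; find_open_dirs "$DEMO"
rm -rf "$DEMO"
```

Each find expression uses the - prefix on -perm, which means "at least these bits are set", so a 666 file and a 777 file are both reported by -perm -0002, and a 4755 file is reported by -perm -4000 whatever its other bits are.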