Linux File Permissions
PERMISSIONS AND OWNERSHIP - WHY?
If you can't access some of the files on your very own Linux system, it's usually because of misconfigured file access permissions. If you are the only user on your Linux box, you may be wondering what's the point of having all these permissions (or lack thereof) that restrict your access to your very own penguin OS. However, before pulling your hair off, you must keep in mind Linux is designed to be a multi-user environment. In an environment with more than one users, it is crucial to have a secure system for deciding which files are yours and who can fiddle with them.Even if you're the only user on an ordinary desktop system, file permissions help keeping your important files safe, both from outsiders and your own mistakes. :)
UNDERSTANDING FILE OWNERSHIP
Every file on your Linux system, including directories, is owned by a specific user and group. Therefore, file permissions are defined separately for users, groups, and others.User: The username of the person who owns the file. By default, the user who creates the file will become its owner.
Group: The usergroup that owns the file. All users who belong into the group that owns the file will have the same access permissions to the file. This is useful if, for example, you have a project that requires a bunch of different users to be able to access certain files, while others can't. In that case, you'll add all the users into the same group, make sure the required files are owned by that group, and set the file's group permissions accordingly.
Other: A user who isn't the owner of the file and doesn't belong in the same group the file does. In other words, if you set a permission for the "other" category, it will affect everyone else by default. For this reason, people often talk about setting the "world" permission bit when they mean setting the permissions for "other."
UNDERSTANDING FILE PERMISSIONS
There are three types of access permissions on Linux: read, write, and execute. These permissions are defined separately for the file's owner, group and all other users.Read permission. On a regular file, the read permission bit means the file can be opened and read. On a directory, the read permission means you can list the contents of the directory.
Write permission. On a regular file, this means you can modify the file, aka write new data to the file. In the case of a directory, the write permission means you can add, remove, and rename files in the directory. This means that if a file has the write permission bit, you are allowed to modify the file's contents, but you're allowed to rename or delete the file only if the permissions of the file's directory allow you to do so.
Execute permission. In the case of a regular file, this means you can execute the file as a program or a shell script. On a directory, the execute permission (also called the "search bit") allows you to access files in the directory and enter it, with the
cd
command, for example. However, note that although the execute bit lets you enter the directory, you're not allowed to list its contents, unless you also have the read permissions to that directory.HOW TO VIEW FILE PERMISSIONS
You can view the access permissions of a file by doing the long directory listing with thels -l
command. This is what a long directory listing might look like:me@puter: /home/writers$ ls -l
total 17
drwxr-xr-x 3 nana writers 80 2005-09-20 21:37 dir
-rw-r----- 1 nana writers 8187 2005-09-19 13:35 file
-rwxr-xr-x 1 nana writers 10348 2005-07-17 20:31 otherfile
ls -l
mean? The very first column, the one that looks like a bunch of mumbo jumbo, shows the file type and permissions. The second column shows the number of links (directory entries that refer to the file), the third one shows the owner of the file, and the fourth one shows the group the file belongs to. The other columns show the file's size in bytes, date and time of last modification, and the filename.The first column, the one that shows the file's permissions and looks like mumbo jumbo, is organized into four separate groups, although it certainly doesn't look very organized.
The first group consists of only one character, and it shows the file's type. For example,
d
means a directory and -
means a normal file, so if you take a look at our example output, you'll notice dir
is a directory, whilefile
and otherfile
are regular files.The first character can be any of these:
d = directory
- = regular file
l = symbolic link
s = Unix domain socket
p = named pipe
c = character device file
b = block device file
The next nine characters show the file's permissions, divided into three groups, each consisting of three characters. The first group of three characters shows the read, write, and execute permissions for user, the owner of the file. The next group shows the read, write, and execute permissions for the group of the file. Similarly, the last group of three characters shows the permissions for other, everyone else. In each group, the first character means the read permission, the second one write permission, and the third one execute permission.- = regular file
l = symbolic link
s = Unix domain socket
p = named pipe
c = character device file
b = block device file
The characters are pretty easy to remember.
r = read permission
w = write permission
x = execute permission
- = no permission
What does this mean in practice? Let's have an example. Remember the imaginary directory listing we did at the beginning? The output looked like this:w = write permission
x = execute permission
- = no permission
drwxr-xr-x 3 nana writers 80 2005-09-20 21:37 dir
-rw-r----- 1 nana writers 8187 2005-09-19 13:35 file
-rwxr-xr-x 1 nana writers 10348 2005-07-17 20:31 otherfile
dir
is a directory, because the first column begins with a d
. The owner of this directory is user nana
and the group owner is writers
. The first three characters, rwx
, indicate the directory's owner,nana
in this case, has full access to the directory. The user nana
is able to access, view, and modify the files in that directory. The next three characters, r-x
, indicate that all users belonging to group writers
have read and execute permissions to the directory. They can change into the directory, execute files, and view its contents. However, because they don't have write permissions, they can't make any changes to the directory content. Finally, the last three characters, r-x
, indicate that all the users who are not nana
or don't belong into group writers
, have read and execute permissions in the directory.How about
file
? Because the first column begins with a -
, the file is a regular file, owned by user nana
and group writers
, just like the directory in our example. The first three characters, rw-
, indicate the owner has read and write access to the file. According to the next three characters, r--
, the users belonging to groupwriters
can view the file but not modify or execute it. The final three characters, ---
, indicate no one else has any access to the file.Similarly, you can see
otherfile
is a regular file and its owner has full access to it, while everyone else can read and execute the file but not modify it.HOW TO SET FILE PERMISSIONS - SYMBOLIC MODE
You can set file permissions with thechmod
command. Both the root user and the file's owner can set file permissions. chmod
has two modes, symbolic and numeric.The symbolic mode is pretty easy to remember. First, you decide if you set permissions for the user (u), the group (g), others (o), or all of the three (a). Then, you either add a permission (+), remove it (-), or wipe out the previous permissions and add a new one (=). Next, you decide if you set the read permission (r), write permission (w), or execute permission (x). Last, you'll tell
chmod
which file's permissions you want to change.Let's have a couple of examples. Suppose we have a regular file called
testfile
, and the file has full access permissions for all the groups (long directory listing would show -rwxrwxrwx
as the file's permissions).Wipe out all the permissions but add read permission for everybody:
$ chmod a=r testfile
After the command, the file's permissions would be -r--r--r--
Add execute permissions for group:
$ chmod g+x testfile
Now, the file's permissions would be -r--r-xr--
Add both write and execute permissions for the file's owner. Note how you can set more than one permission at the same time:
$ chmod u+wx testfile
After this, the file permissions will be -rwxr-xr--
Remove the execute permission from both the file's owner and group. Note, again, how you can set them both at once:Now, the permissions are$ chmod ug-x testfile
-rw-r--r--
As a summary, have a look at this quick reference for setting file permissions in symbolic mode:
Which user? | |
u | user/owner |
g | group |
o | other |
a | all |
What to do? | |
+ | add this permission |
- | remove this permission |
= | set exactly this permission |
Which permissions? | |
r | read |
w | write |
x | execute |
HOW TO SET FILE PERMISSIONS - NUMERIC MODE
The other mode in whichchmod
can be used is the numeric mode. In the numeric mode, the file permissions aren't represented by characters. Instead, they are represented by a three-digit octal number.
4 = read (r)
2 = write (w)
1 = execute (x)
0 = no permission (-)
To get the permission bits you want, you add up the numbers accordingly. For example, the rwx permissions would be 4+2+1=7, rx would be 4+1=5, and rw would be 4+2=6. Because you set separate permissions for the owner, group, and others, you'll need a three-digit number representing the permissions of all these groups.2 = write (w)
1 = execute (x)
0 = no permission (-)
Let's have an example.
$ chmod 755 testfileThis would change the
testfile
's permissions to -rwxr-xr-x
. The owner would have full read, write, and execute permissions (7=4+2+1), the group would have read and execute permissions (5=4+1), and the world would have the read and execute permissions as well.Let's have another example:
$ chmod 640 testfileIn this case,
testfile
's permissions would be -rw-r-----
. The owner would have read and write permissions (6=4+2), the group would have read permissions only (4), and the others wouldn't have any access permissions (0).The numeric mode may not be as straightforward as the symbolic mode, but with the numeric mode, you can more quickly and efficiently set the file permissions. This quick reference for setting file permissions in numeric mode might help:
Which number? | |
0 | --- |
1 | --x |
2 | -w- |
3 | -wx |
4 | r-- |
5 | r-x |
6 | rw- |
7 | rwx |
No comments:
Post a Comment
Leave the comments