Linux security starts with file permissions. At the most basic level, file and directory permissions play a vital role in the security of a system. When you create a file or directory on a Linux system, it comes with default permissions.
File permissions are applied at three levels: the owner, the members of the group, and others. The chmod command is used to change these permissions. This article discusses how file permissions can be changed with the chmod command.
File permissions basics
Permissions determine how users can access resources on the system. System security is configured by the user’s UID (user ID), his GIDs (group ID, both primary and secondary), and the permissions on the object he is attempting to access. These permissions may allow a user to view a file but not modify it or to open and modify a file. These permissions are assigned to each of three different entities for each file and directory in the file system:
- User owner : This is the user account that has been assigned to be the file or directory’s owner. By default, it is the user who created the file or the directory.
- Group owner : This is the group that has been assigned ownership of the file or directory. Permissions assigned to the group apply to all user accounts that are members of that group. By default, it is the primary group of the user who created the file.
- Other : This entity refers to all other users who have successfully authenticated to the system. Permissions assigned to this entity apply to these user accounts.
There are three types of permissions:
- Read (r) : allows a user to open and view a file but does not allow a file to be modified or saved. For directories, it allows a user to list the contents.
- Write (w) : allows a user to open, modify, and save a file. For directories, it allows a user to add or delete files from it.
- Execute (x) : allows a user to run an executable file and to enter a directory.
To see the details of file and directory permissions, we use the ls -l command as below:
$ ls -l
total 140436
drwxrwxr-x 2 linoadmin linoadmin  4096 Mar  9  2013 asciiquarium_1.1
-rw-r--r-- 1 linoadmin linoadmin 15436 Mar  9  2013 asciiquarium.tar.gz
drwxr-xr-x 2 root      root       4096 Apr 13 01:35 baba
-rwxr-xr-x 1 root      root       5747 Apr 25 01:45 bootstrap
lrwxrwxrwx 1 root      root         20 Apr  7 06:08 filesync -> /home/bobbin/sync.sh
drwxrwxrwx 3 root      root       4096 Apr 25 02:21 script-test
We will use the second entry of the listing (asciiquarium.tar.gz, mode -rw-r--r--) to explain the basics.
The first column displayed is the mode of each file or directory. Its first character indicates the type of entry: d for a directory, - for a normal file, or l for a symbolic link.
- The first three characters after the type are the permissions assigned to the entry's owner (rw-). If the file were executable, an x would replace the final -.
- The next three characters are the permissions assigned to the owning group (r--).
- The last three characters are the permissions assigned to others (r--), meaning any legitimately authenticated user on the system who is neither the owner nor a member of the owning group.
- A - in any of these positions means that the corresponding permission is not set.
The third column indicates the user owner of the file (linoadmin) and the fourth indicates the group owner (linoadmin).
1) Symbolic mode to change permissions
Permissions (access modes) can be changed with the chmod command by using an operator (-, + or =) to assign permissions (r, w or x) to a specific entity (u, g, o or a). The command accepts either octal or symbolic access mode specifications. The octal form is shown later and is preferred by some Linux users. Others prefer the symbolic form because it usually modifies an existing mode instead of completely replacing it.
Symbolic mode is used as chmod entity=permissions filename, where = stands for any of the operators listed below. A symbolic mode specification has three parts, each written with single characters:
- Entity: User owner = u, group owner = g, other = o, and all = a
- Operation: + to add, - to remove, or = to assign exactly the listed permissions (any other permissions of that entity are removed)
- Permissions to set: r = read, w = write, and x = execute
Some examples:
+x : add execute permission for all entities (user, group and other). It is used to make a script or a program executable so that it can be run.
# chmod +x hello.sh
# ls -l hello.sh
-rwxr-xr-x 1 root root 66 May 15 20:12 hello
Now you can run your script as below:
# ./hello
Hello... How are you ?
u+x : add execute permission for the user only.
# chmod u+x backupdb.sh
# ls -l backupdb.sh
-rwxr--r-- 1 linoadmin linoadmin 15436 Mar  9  2013 backupdb.sh
go-w : remove write permission from the group and other classes only.
# chmod go-w script-test/
# ls -ld script-test/
drwxr-xr-x 3 root root 4096 Apr 25 02:21 script-test/
a=rw : set read and write, but not execute, permissions for everyone.
# chmod a=rw bootstrap
# ls -l bootstrap
-rw-rw-rw- 1 root root 5747 Apr 25 01:45 bootstrap
g-x,o-rx : remove execute permission from the group and remove read and execute permissions from others.
# chmod g-x,o-rx baba/
Note: do not put a space after the comma (,), otherwise chmod reports an error.
# ls -ld baba/
drwxr----- 2 root root 4096 Apr 13 01:35 baba/
As you can see, it is possible to combine specifications to manipulate several entities at the same time.
Keep in mind that when using the symbolic mode, the permissions you do not specify stay as they were before the chmod command was executed.
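As an added example (not part of the original article), the script below replays the article's symbolic operations on scratch files created with mktemp, starting each from a constructed mode that matches the ls -l output shown above, and reports the resulting octal mode with GNU stat (assumed available). The function names apply_symbolic and mode_of are chosen here. It also shows the one caveat the examples hide: a specification with no entity letter, such as +x, leaves alone any bits that are set in the current umask.

```shell
#!/bin/sh
# Added example, not from the original article. Applies a symbolic chmod spec
# to a scratch file that starts from a known mode and prints the octal result.
# Assumes GNU coreutils (stat -c, mktemp) on Linux.
set -eu

# Octal mode of a path, e.g. 644.
mode_of() { stat -c '%a' "$1"; }

# apply_symbolic START_MODE SPEC [UMASK]
# Creates a scratch file with START_MODE, runs chmod SPEC under UMASK
# (default 022) and prints the mode afterwards.
apply_symbolic() {
    start=$1; spec=$2; um=${3:-022}
    f=$(mktemp)
    chmod "$start" "$f"
    # umask is changed in a subshell so the caller's umask stays untouched
    ( umask "$um"; chmod "$spec" "$f" )
    mode_of "$f"
    rm -f "$f"
}

# The article's five examples, starting from the modes its ls -l output shows.
echo "+x        644 -> $(apply_symbolic 644 +x)"         # 755: x added for u, g and o
echo "u+x       644 -> $(apply_symbolic 644 u+x)"        # 744: other bits untouched
echo "go-w      777 -> $(apply_symbolic 777 go-w)"       # 755
echo "a=rw      755 -> $(apply_symbolic 755 a=rw)"       # 666: '=' replaces the whole triad
echo "g-x,o-rx  755 -> $(apply_symbolic 755 g-x,o-rx)"   # 740

# Caveat: with no entity letter, bits set in the umask are not touched, so
# under umask 077 the same +x only reaches the owner.
echo "+x (umask 077) 644 -> $(apply_symbolic 644 +x 077)"   # 744
```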
2) Numeric (octal) method to change permission
Finally, you can also use numeric permissions with chmod. This is the most commonly used way of setting permissions for files and directories. To do this, enter chmod numeric_permission filename. Each permission is represented by a number, and the permissions of a specific entity are represented by the sum of those numbers, giving a set of three digits (user, group, other).
In the above diagram, read is worth 4, write 2 and execute 1:
- "User" is given (4 2 1), i.e. 7: the user has read, write and execute.
- "Group" is given (4 2 0), i.e. 6: group members can read and write.
- "Other" is given (4 0 0), i.e. 4: others can only read.
In the numeric method, all the permissions are changed at once.
755 : set read+write+execute permission for the user, read+execute for the group and read+execute for others.
# chmod 755 asciiquarium.tar.gz
# ls -l asciiquarium.tar.gz
-rwxr-xr-x 1 linoadmin linoadmin 15436 Mar  9  2013 asciiquarium.tar.gz
476 : set only read permission for the user, read+write+execute for the group and read+write for others.
# chmod 476 bootstrap
# ls -l bootstrap
-r--rwxrw- 1 root root 5747 Apr 25 01:45 bootstrap
500 : set read+execute permission for the user and no permissions for the group or others.
# chmod 500 asciiquarium_1.1/
# ls -ld asciiquarium_1.1/
dr-x------ 2 linoadmin linoadmin 4096 Mar  9  2013 asciiquarium_1.1/
When using the numeric method, you should always specify three values (owner, group, and others).
3) Change permissions recursively
When you use the chmod command on a directory without any special option, it does not affect the contents of the directory: the permissions are applied to the directory itself but not to what it contains. To change the permissions of a directory together with its contents (recursively), we use the -R option.
For example, look at our asciiquarium_1.1 folder above, on which we applied 500 permissions. Let's check whether its contents have the same permissions:
# ls -l asciiquarium_1.1/
total 60
-rw-rw-r-- 1 linoadmin linoadmin 27679 Mar  9  2013 asciiquarium
-rw-rw-r-- 1 linoadmin linoadmin   228 Mar  9  2013 CHANGES
-rw-rw-r-- 1 linoadmin linoadmin 18092 Mar  9  2013 gpl.txt
-rw-rw-r-- 1 linoadmin linoadmin    45 Mar  9  2013 MANIFEST
-rw-rw-r-- 1 linoadmin linoadmin  1060 Mar  9  2013 README
We can see that the permissions are not identical. Now let's use chmod -R with the same permissions:
# chmod -R 500 asciiquarium_1.1/
Now let's check its contents again:
# ls -l asciiquarium_1.1/
total 60
-r-x------ 1 linoadmin linoadmin 27679 Mar  9  2013 asciiquarium
-r-x------ 1 linoadmin linoadmin   228 Mar  9  2013 CHANGES
-r-x------ 1 linoadmin linoadmin 18092 Mar  9  2013 gpl.txt
-r-x------ 1 linoadmin linoadmin    45 Mar  9  2013 MANIFEST
-r-x------ 1 linoadmin linoadmin  1060 Mar  9  2013 README
You can see that the permissions of the contents have changed as well: every file now has the same mode as the directory, r-x------, including plain data files such as CHANGES and README.
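The listing above shows the trap in chmod -R: a single mode lands on directories and plain files alike, so data files end up executable. The added example below (not from the original article) builds a constructed scratch tree with mktemp -d and compares three ways of making it read-only: the article's chmod -R 500, find -type to treat directories and files separately, and the symbolic X, which grants execute only to directories and to files that already have it. It assumes GNU coreutils and findutils; the function names are chosen here.

```shell
#!/bin/sh
# Added example, not from the original article. Compares chmod -R with two ways
# of giving directories and regular files different modes in one pass.
# Assumes GNU coreutils (stat -c, mktemp -d) and findutils on Linux.
set -eu

# Constructed scratch tree: one directory holding two plain data files.
make_tree() {
    d=$(mktemp -d)
    printf 'notes\n' > "$d/README"
    printf 'notes\n' > "$d/CHANGES"
    printf '%s\n' "$d"
}

# Print "<directory mode> <file mode>" in octal for a quick comparison.
modes_of() { printf '%s %s\n' "$(stat -c '%a' "$1")" "$(stat -c '%a' "$1/README")"; }

# A directory that lost w cannot have its entries unlinked by a non-root owner,
# so give write back before removing the tree.
cleanup() { chmod -R u+rwx "$1"; rm -rf "$1"; }

# 1. The article's command: directory and data files all end up r-x------.
recursive_plain() {
    t=$(make_tree); chmod -R 500 "$t"; modes_of "$t"; cleanup "$t"
}

# 2. find -type: directories keep x for traversal (500), files get r-- (400).
recursive_find() {
    t=$(make_tree)
    find "$t" -type d -exec chmod 500 {} +
    find "$t" -type f -exec chmod 400 {} +
    modes_of "$t"; cleanup "$t"
}

# 3. Symbolic X sets execute only on directories and on files that already had
# it for some entity, so one chmod -R gives 500 for the directory, 400 for files.
recursive_x() {
    t=$(make_tree); chmod -R u=rX,go= "$t"; modes_of "$t"; cleanup "$t"
}

recursive_plain   # 500 500
recursive_find    # 500 400
recursive_x       # 500 400
```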
4) Special bit permissions
Most of the tasks you will complete with permissions will be with the read, write, and execute permissions. However, there are several other special permissions that you can assign to files and directories in your file system. These special permissions are referenced as an extra digit added to the beginning of the file or directory’s mode.
The following special bits are available for Linux file system use:
- SUID: the Set User ID permission allows users to run a program as if they were the user owner of the program; in most cases the user owner is the root user. The numeric value of this permission set is 4XXX (where “XXX” is replaced by the numeric values for the set of three mentioned previously).
- SGID: When set on a directory, the Set Group ID permission automatically gives group ownership of all new files created in the directory to the group owner of the directory (numeric = 2XXX). When set on a file, the SGID allows users to run a program as if they were the group owner of the file.
- Sticky bit: this permission set is used to keep “nonowners” from deleting files in a common directory (numeric = 1XXX). In a sticky bit directory, only the owner of the file or the owner of the directory can delete the file (root always can delete files as well).
We will apply the SUID permission on a file:
# chmod 4755 bootstrap
# ls -l bootstrap
-rwsr-xr-x 1 root root 5747 Apr 25 01:45 bootstrap
The s in the owner's execute position shows that the SUID bit is set.
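As an added example (not from the original article), the functions below carry out the 4-2-1 arithmetic of section 2 and the extra special-bit digit of this section in both directions: they turn an ls -l mode string into the four-digit octal value chmod accepts and back again. They also cover the case the listing above does not show: a set-user-ID bit on a file that lacks execute permission, which ls displays as a capital S. The function names are chosen here.

```shell
#!/bin/sh
# Added example, not from the original article. Converts between the ls -l mode
# string and the octal mode chmod accepts, special-bit digit included.
# ch STRING RANGE: the character(s) of STRING at cut-style position RANGE.
ch() { printf '%s' "$1" | cut -c"$2"; }
# triad_value rwx -> 7, r-x -> 5, r-- -> 4. Lower-case s/t in the execute slot
# still count as execute; capital S/T mean the special bit without execute.
triad_value() {
    v=0
    case $(ch "$1" 1) in r) v=$((v + 4)) ;; esac
    case $(ch "$1" 2) in w) v=$((v + 2)) ;; esac
    case $(ch "$1" 3) in x|s|t) v=$((v + 1)) ;; esac
    printf '%d' "$v"
}
# mode_to_octal [-]rwsr-xr-x -> 4755. A leading type character (d, -, l) is dropped.
mode_to_octal() {
    m=$1
    [ ${#m} -eq 10 ] && m=$(ch "$m" 2-10)
    sp=0
    case $(ch "$m" 3) in s|S) sp=$((sp + 4)) ;; esac   # SUID
    case $(ch "$m" 6) in s|S) sp=$((sp + 2)) ;; esac   # SGID
    case $(ch "$m" 9) in t|T) sp=$((sp + 1)) ;; esac   # sticky bit
    printf '%d%d%d%d\n' "$sp" "$(triad_value "$(ch "$m" 1-3)")" \
        "$(triad_value "$(ch "$m" 4-6)")" "$(triad_value "$(ch "$m" 7-9)")"
}
# triad_string DIGIT LOWER UPPER SPECIAL: letters for one digit; when SPECIAL
# is 1 the execute slot shows LOWER (x set) or UPPER (x clear) instead of x/-.
triad_string() {
    s=
    [ $(($1 & 4)) -ne 0 ] && s=${s}r || s=${s}-
    [ $(($1 & 2)) -ne 0 ] && s=${s}w || s=${s}-
    if [ "$4" -eq 1 ]; then
        [ $(($1 & 1)) -ne 0 ] && s=${s}$2 || s=${s}$3
    else
        [ $(($1 & 1)) -ne 0 ] && s=${s}x || s=${s}-
    fi
    printf '%s' "$s"
}
# octal_to_mode 4755 -> rwsr-xr-x ; a three-digit mode is read as 0ddd.
octal_to_mode() {
    o=$1
    [ ${#o} -eq 3 ] && o=0$o
    sp=$(ch "$o" 1)
    printf '%s%s%s\n' \
        "$(triad_string "$(ch "$o" 2)" s S $(( (sp & 4) != 0 )))" \
        "$(triad_string "$(ch "$o" 3)" s S $(( (sp & 2) != 0 )))" \
        "$(triad_string "$(ch "$o" 4)" t T $(( (sp & 1) != 0 )))"
}
```

For instance, octal_to_mode 4644 prints rwSr--r--, the SUID-without-execute form that shows up as a capital S in ls -l.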
As with most commands, chmod has a --help option that prints brief help about the command:
$ chmod --help
You can use the --version option to print the version of the command and its authors:
$ chmod --version
When changing permissions you can use either the numeric or the symbolic method. Numeric permissions are the most commonly used and are what you will encounter most often. As a rule, I recommend the numeric mode for setting or forcing the permissions of an object, rather than for making small changes to existing permissions. You need sudo/root access to change the permissions of files or directories owned by others; otherwise you can only change the permissions of files and directories you own.