Understanding Linux File Permissions for Beginners

Posted on : September 10, 2012, Last Updated on : May 17, 2017

In the Linux operating system, everything is organised as files and directories. By setting permissions on files and directories, you make sure that only authorised users can access a given piece of data. Every file in Linux has a user owner and a group owner. The user owner is normally the user who created the file; the group owner is by default that user's primary group (unless the parent directory carries the SGID bit, in which case the file inherits the directory's group, as shown later in this article).

Understanding file permissions

File permissions consist of three basic permissions (read, write and execute) granted to three classes of users (the owner, the owning group and everyone else), and they apply to both files and directories. In this section, you'll learn how the system works and how to modify these permissions. Before doing this, let's have a look at how to read the current permissions. The easiest way is ls -l, which lists the files and directories in the current directory (or in the directory you give it), one per line.

For example, you can list the files under the directory /home/sam as follows.

ls -l /home/sam
 drwxrwxrwx 3 sam admin 80    2012-08-20 21:37 tmp
 -rw-rw-r-- 1 sam admin 8187  2012-08-25 13:35 file1
 -rwxr-x--- 1 sam admin 10348 2012-08-21 20:31 file2

The listing has several columns, but we will concentrate on the first, the third and the fourth:

  • the first column shows the file permissions,
  • the third column shows the user owner of the file,
  • the fourth column shows the group owner of the file.

The key to the file permissions is the first column, which has the form

[d][rwx][rwx][rwx]

The first character indicates the type of file:

  • d : directory
  • - : regular file
  • l : symbolic link
  • p : named pipe
  • s : Unix domain socket
  • c : character device file
  • b : block device file

Next are nine characters to specify the permissions that are set to the file or directory:

  • the first set of three are the user owner permissions,
  • the next set of three are the group owner permissions,
  • the last set of three refers to the permissions granted to others.

The three basic permissions are read, write and execute. In addition there are three special permission bits: SUID, SGID and the sticky bit. The effect of each permission differs between files and directories:

  • read permission (r or 4): read the content of a file, or list the names in a directory (listing names is all you get; reading the entries' sizes and modes also requires execute permission on the directory).
  • write permission (w or 2): modify a file, or add, delete and rename entries in a directory (together with execute permission on the directory). Note that deleting a file is governed by the permissions of the directory that contains it, not by the permissions of the file itself.
  • execute permission (x or 1): run a program or script, or enter a directory (cd into it) and reach the files inside it by name.
  • Set User ID (SUID) bit (u+s, or 4 as a leading fourth octal digit): set on an executable file, it makes the program run with the effective user ID of the file's owner rather than of the user who launched it. This is how passwd can update /etc/shadow. A SUID root binary is a classic privilege-escalation target, so keep them to a minimum and audit them (find / -type f -perm -4000). The Linux kernel ignores SUID on interpreted scripts; only binaries are affected.
  • Set Group ID (SGID) bit (g+s, or 2 as a leading fourth octal digit): on an executable file, the program runs with the effective group ID of the file's group owner; on a directory, new files and subdirectories created inside it inherit the directory's group instead of the creator's primary group.
  • sticky bit (+t, or 1 as a leading fourth octal digit): meaningful only on directories (Linux ignores it on regular files). In a world-writable directory such as /tmp, it restricts deleting and renaming an entry to the owner of that entry, the owner of the directory, and root.

In ls -l output the special bits replace the execute character: s in the user or group triplet, t in the others triplet. They are shown in lowercase when the execute bit underneath is also set and as a capital S or T when it is not.
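The mapping between the ls -l mode column and the four-digit octal number that chmod accepts is mechanical, so here it is as a small POSIX shell function. This is an added example written for this article, not code from the original page; the mode strings it is run on are constructed, and it follows the rule just described for lowercase versus capital s and t.

```shell
#!/bin/sh
# Added example (not from the original article): turn the mode column printed
# by `ls -l` into the four-digit octal number chmod accepts. The special bits
# replace the execute character in the listing: s (owner, group) and t
# (others), lowercase when the execute bit underneath is also set, capital
# S/T when it is not.

# mode_to_octal MODE_STRING: e.g. "-rwsr-xr-x" -> 4755
mode_to_octal() {
    mode=$(printf '%s' "$1" | cut -c1-10)   # drop a trailing '+' or '.' (ACL / SELinux marker)
    if [ "${#mode}" -ne 10 ]; then
        printf 'mode_to_octal: expected a 10-character mode string, got "%s"\n' "$1" >&2
        return 1
    fi
    bits=${mode#?}      # drop the file-type character (d, -, l, ...)
    special=0
    digits=""
    for class in u g o; do
        v=0
        for i in 1 2 3; do
            c=${bits%"${bits#?}"}   # first remaining character
            bits=${bits#?}
            case $i$c in
                1r)        v=$((v + 4)) ;;
                2w)        v=$((v + 2)) ;;
                3x|3s|3t)  v=$((v + 1)) ;;   # lowercase s/t: execute bit is set as well
            esac
            case $class$i$c in
                u3s|u3S) special=$((special + 4)) ;;   # setuid
                g3s|g3S) special=$((special + 2)) ;;   # setgid
                o3t|o3T) special=$((special + 1)) ;;   # sticky
            esac
        done
        digits="$digits$v"
    done
    printf '%s%s\n' "$special" "$digits"
}

# Constructed mode strings, including a setuid file whose owner lacks the
# execute bit (capital S), a setgid directory and a sticky directory.
for m in -rwxr-xr-x -rw-r----- -rwsr-xr-x -rwSr-xr-x drwxrwsr-x drwxrwxrwt; do
    printf '%s  %s\n' "$m" "$(mode_to_octal "$m")"
done
```

To check a real file, compare the function's result with what stat reports: on GNU systems stat -c '%A %a' FILE prints both forms side by side.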

The rest of this article covers the chmod command in more detail, with examples for both newbies and advanced Linux users.

1. Symbolic chmod permission examples

The Linux command chmod changes the permissions of a file or directory. When you want to set permissions, you can use the symbolic mode (r, w, x, s, t, combined with u, g, o or a for the user, group, others or all three, and the operators +, - and =). To apply a change to a directory and everything under it (recursively), use the -R option of chmod.

a. chmod +x

To add execute permission to a script or program so that it can be run, use chmod +x, which adds the execute bit for the user, group and others. The + operator adds a permission to the existing ones. Note that when no u, g, o or a letter is given, chmod leaves alone the bits that are set in your umask, so under a restrictive umask such as 027 a plain +x does not grant execute to others; write a+x when you really mean everyone. For example:

# ./hello
bash: ./hello: Permission denied

Now let's apply the permission

# chmod +x hello
# ./hello 
Hello... How are you ?

To enter (cd into) a directory, you need execute permission on the directory itself. Only the directory needs the bit, so there is no reason to use -R here: chmod -R +x would also mark every data file under test as executable. If a whole tree must be traversable, use chmod -R +X (capital X), which sets execute only on directories and on files that are already executable for someone.

$ cd test/
-bash: cd: test/: Permission denied
$ chmod +x test
$ cd test/
[papso@centos-01 test]$
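To make the difference between a recursive +x and a recursive +X concrete, here is an added example (not part of the original article) that builds a constructed tree under mktemp, applies each form, and reports the resulting modes of the subdirectory and of a plain data file. It uses a+x and a+X explicitly so that the result does not depend on the umask.

```shell
#!/bin/sh
# Added example (not from the original article): what `chmod -R +x` does to the
# files inside a directory compared with `chmod -R +X`. Runs on a constructed
# tree under mktemp and removes it afterwards.

# make_tree DIR: a directory containing a subdirectory with one data file and
# one script, none of which is executable yet, and directories only the owner
# can enter.
make_tree() {
    mkdir -p "$1/sub"
    printf 'not a program\n' > "$1/sub/data.txt"
    printf '#!/bin/sh\necho hi\n' > "$1/sub/run.sh"
    chmod 644 "$1/sub/data.txt" "$1/sub/run.sh"
    chmod 700 "$1" "$1/sub"
}

# mode_of PATH: the 10-character mode column of ls -ld (ignores a trailing
# '+' or '.' that ACLs or SELinux labels add).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# after_recursive_x: modes of the subdirectory and the data file once the
# article's recursive +x has run. a+x is used rather than bare +x because
# with no "who" letter chmod honours the umask.
after_recursive_x() {
    t=$(mktemp -d)
    make_tree "$t"
    chmod -R a+x "$t"
    printf '%s %s\n' "$(mode_of "$t/sub")" "$(mode_of "$t/sub/data.txt")"
    rm -rf "$t"
}

# after_recursive_X: the same with capital X, which sets execute only on
# directories and on files that already have an execute bit for someone.
after_recursive_X() {
    t=$(mktemp -d)
    make_tree "$t"
    chmod -R a+X "$t"
    printf '%s %s\n' "$(mode_of "$t/sub")" "$(mode_of "$t/sub/data.txt")"
    rm -rf "$t"
}

echo "chmod -R +x: $(after_recursive_x)"
echo "chmod -R +X: $(after_recursive_X)"
```

With +x the data file ends up as -rwxr-xr-x, a "program" that nobody meant to create; with +X the subdirectory becomes enterable (drwx--x--x) while the data file keeps -rw-r--r--.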

b. chmod u=rx

You can change only the user owner's permissions with u followed by the = operator and the permissions. The = operator replaces the existing permissions of that class with exactly the ones you list, so anything not listed is removed. For example:

$ ls -ld test/
drwxrwxr-x 2 papso papso 4096 May 15 20:18 test/

You can see that the user owner has the w permission. Now apply the permission below (with -R, the owner also loses write permission on every file and subdirectory under test, not only on the directory itself):

$ chmod -R u=rx test
$ ls -ld test/
dr-xrwxr-x 2 papso papso 4096 May 15 20:18 test/

c. chmod g+w,o-x

It is possible to add a permission to one class and remove (- operator) a permission from another in a single command by separating the clauses with commas. For example, we add write permission for the group and remove only execute permission for others:

# chmod g+w,o-x hello
# ls -l hello 
-rwxrwxr-- 1 root root 66 May 15 20:12 hello

2. Numeric or octal chmod permission examples

You can also use numeric (octal) mode, with the values 4, 2 and 1. In this mode you give three digits, one each for user, group and others, and you need to add up the values of the permissions you want for each class. Unlike + and -, an octal mode replaces all existing permissions at once.

a. chmod 755

If you want to set the permissions of a directory so that the user can read, write and enter it, while the group and others can only read and enter it, the permission string should look like drwxr-xr-x. We can now compute the octal value:

For user part -> rwx = 4+2+1 = 7
For Group -> r-x = 4+0+1 = 5
For others -> r-x = 4+0+1 = 5

With the common default umask of 022, this is exactly the mode a newly created directory gets (777 with the masked bits 022 removed = 755); new files default to 644 because they are created without execute bits.

# chmod -R 755 folder1/
# ls -ld folder1/
drwxr-xr-x 2 root root 4096 May 16 01:54 folder1/

It is possible to combine chmod with another command. For example, we find all directories whose mode is exactly 777 (-perm 777 is an exact match, so a 1777 sticky directory would not be listed) and set them to 755. There is no need for -R here: find already visits every directory, and chmod -R on each match would also change the files inside it, making them all executable.

# find /home -type d -perm 777 -print -exec chmod 755 {} \;
/home/papso/script-test/folder1
/home/papso/course
/home/patrick/toto

b. chmod 754

It is possible to restrict a program so that others can only read it (they cannot run it in place, which limits the damage, although anyone who can read it can still copy it), the group can read and execute it, and the user has all permissions:

# chmod 754 hello

You can set the same permission on all the script files in the current folder, assuming you gave these files the .sh extension:

# chmod 754 *.sh

c. chmod 640

If you want to set the permissions of a file so that the user can read and write it, the group can only read it and others have no access at all, the permission string should look like -rw-r-----.

# chmod 640 bootstrap

We will find all files whose mode is exactly 777 and use chmod to set them to 640. Be aware that 640 also strips the execute bit from any script found this way; if the goal is only to stop others from writing, chmod o-w leaves the execute bits alone.

# find /home -type f -perm 0777 -print -exec chmod 640 {} \;
/home/papso/script
/home/papso/script-test/recovery
/home/patrick/compta/finances

3. Special bit chmod permission examples

We can use the SUID, SGID and sticky bits to apply special permissions to Linux files and directories with chmod. Remember that in ls -l output they appear in the execute position as s (SUID in the user triplet, SGID in the group triplet) or t (sticky, in the others triplet), with a capital S or T meaning the special bit is set but the execute bit underneath it is not. Some examples:

a. chmod u+s and chmod 4755

You can permit any user to run a program as if they were the user owner with the SUID permission. Because the program then runs with the owner's privileges (often root), set it only on binaries designed for it, never on shell scripts (Linux ignores the bit on scripts anyway) and never on anything that others can write. In symbolic mode:

# chmod u+s hello
# ls -l hello 
-rwsr-xr-x 1 root root 66 May 15 20:16 hello

If you want to set the permission in numeric mode, you use four digits: the SUID value (4) first, followed by the usual three digits. The listing above corresponds to 4755. A mode such as 4655 would instead show as -rwSr-xr-x, with a capital S, because the owner's own execute bit would be missing.

# chmod 4755 hello

b. chmod +t and chmod 1777

We will now prevent users from deleting other users' files with the sticky bit. It is only meaningful on directories, not on files. Suppose the directory already grants all permissions to every class (as /tmp does). In symbolic mode:

$ chmod +t test1

In numeric mode, the sticky bit value (1) comes first, followed by the three ordinary digits. Apply it to the directory itself only: chmod -R 1777 would make every file inside world-writable as well.

$ chmod 1777 test1

Let's check the result

$ ls -ld test1
drwxrwxrwt 2 papso papso 4096 May 16 18:54 test1

Now we log in as the user patrick and try to delete a file that belongs to papso:

# su patrick
[patrick@centos-01 test1]$ ls -l proj
-rwxrwxrwx 1 papso papso 0 May 16 19:00 proj
[patrick@centos-01 test1]$ rm proj
rm: cannot remove ‘proj’: Operation not permitted

Despite the file's rwxrwxrwx permissions, patrick was not able to delete papso's file: in a sticky directory only the file's owner, the directory's owner and root can delete or rename an entry. Note that patrick could still have emptied or overwritten the file, since the sticky bit does not change the write permission on the file itself.

c. chmod g+s and chmod 2775

You can set the SGID bit on a directory so that files and subdirectories created inside it inherit the directory's group. This matters in a shared group environment: without it, every new file gets the creator's primary group, so other members of the shared group cannot modify the files you create even though they belong to the same group. With the SGID bit, group write permission on the directory, and the directory itself assigned to the shared group (chgrp), every member's new files end up in that group.

$ chmod g+s rh_department
$ ls -ld rh_department/
drwxrwsr-x 2 papso papso 4096 May 16 20:19 rh_department/

In numeric mode the SGID bit is a leading 2. The value 2775 matches the listing above; 2755 would drop the group write permission that a shared directory needs:

$ chmod 2775 rh_department
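The find-and-chmod one-liners from the numeric section and the special bits described here are exactly what a periodic permission audit looks for. The following is an added example, not code from the original article: a POSIX shell audit that reports world-writable files, world-writable directories lacking the sticky bit, and setuid/setgid files, then removes the "others can write" bit without -R and without a fixed mode, so scripts keep their execute bit. It runs against a constructed sandbox under mktemp so an ordinary user can try it; the file names in the sandbox are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): a small permission audit with
# find(1), exercised on a constructed sandbox so it can run as an ordinary user.

# audit_perms ROOT: print one "TAG path" line per finding.
#   WW-FILE  regular file writable by others
#   WW-DIR   directory writable by others that lacks the sticky bit
#   SETUID   file with the setuid bit
#   SETGID   file with the setgid bit
# "-perm -MODE" matches when all bits of MODE are set, unlike "-perm MODE"
# (exact match), so a 1777 directory is still seen by -perm -0002 and then
# excluded again by "! -perm -1000".
audit_perms() {
    find "$1" -type f -perm -0002 -print | sed 's/^/WW-FILE /'
    find "$1" -type d -perm -0002 ! -perm -1000 -print | sed 's/^/WW-DIR /'
    find "$1" -type f -perm -4000 -print | sed 's/^/SETUID /'
    find "$1" -type f -perm -2000 -print | sed 's/^/SETGID /'
}

# audit_count ROOT TAG: number of findings with the given tag
audit_count() {
    audit_perms "$1" | grep -c "^$2 " || true
}

# fix_world_writable ROOT: clear the "others can write" bit on the findings.
# o-w instead of a fixed mode such as 640 keeps execute bits on scripts, and
# there is no -R: find already visits every entry, so chmod -R on each match
# would re-walk the directory and change files the audit never flagged.
fix_world_writable() {
    find "$1" -type f -perm -0002 -exec chmod o-w {} +
    find "$1" -type d -perm -0002 ! -perm -1000 -exec chmod o-w {} +
}

# make_sandbox: constructed tree under mktemp (names are made up); prints its path.
make_sandbox() {
    t=$(mktemp -d)
    mkdir "$t/shared" "$t/scratch" "$t/private"
    : > "$t/shared/notes.txt"
    : > "$t/deploy.sh"
    : > "$t/suid_tool"
    : > "$t/sgid_tool"
    chmod 777  "$t/shared"            # world-writable, no sticky bit: flagged
    chmod 1777 "$t/scratch"           # world-writable with sticky bit: acceptable
    chmod 755  "$t/private"
    chmod 666  "$t/shared/notes.txt"  # flagged
    chmod 777  "$t/deploy.sh"         # flagged; must keep its execute bit after the fix
    chmod 4755 "$t/suid_tool"         # flagged as SETUID
    chmod 2755 "$t/sgid_tool"         # flagged as SETGID
    printf '%s\n' "$t"
}

# mode_of PATH: the 10-character mode column of ls -ld
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Stand-alone run: audit, fix, audit again, clean up.
root=$(make_sandbox)
echo "== before"; audit_perms "$root"
fix_world_writable "$root"
echo "== after";  audit_perms "$root"
rm -rf "$root"
```

On a real system, run audit_perms against / (or the filesystems you care about) and review the SETUID and SETGID lines by hand rather than "fixing" them automatically: a setuid bit you cannot explain is a finding, but removing it from a program such as passwd breaks the system.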

Conclusion

When using chmod, you can set permissions for user, group, and others. You can use this command in two modes: symbolic mode (relative mode) and numeric mode (absolute mode). In absolute mode, three digits (or four when a special bit is involved) set all the permissions at once, so calculate the value you need for each class before applying it.

Filed Under : LINUX HOWTO, USER MANAGEMENT
