Linux file permissions

Linux is UNIX clone. For effective security, Linux divides authorization into 2 levels, Ownership and Permission.

Every file and directory is assigned 3 types of owner; User, Group and Other.

  1. User is the owner of the file. By default, the person who creates a file becomes its owner. A logged-in user sometimes called an owner.
  2. A user-group can contain multiple users. All users belonging to a group can have similar permissions. In this case the ownership belong to a group.
  3. Other means setting permissions to the world. This person has neither create a file, nor belongs to a user group.

How Linux distinguish between these three users? This is where permissions comes in. Permission defines the user behavior.

Every file and directory has 3 permissions defined for 3 owners.

  1. Read permission gives the authority to open and read a file. Read permission on directory gives the ability to lists its content.
  2. Write permission gives the authority to modify the contents of a file. The write permission on a directory gives the authority to add, remove and rename files. Consider a scenario where you have to write permission on file but do not have write permission on the directory where the file is stored. You will be able to modify the file contents. But you will not be able to rename, move or remove the file from the directory.
  3. Execute permission gives the authority to execute a program. In Windows, an executable program usually has an extension “.exe” and which you can easily run. In Unix/Linux, you cannot run a program unless the execute permission is set. If the execute permission is not set, you might still be able to see/modify the program code (provided read & write permissions are set), but not run it.

To summarize this, the Owner assigned permissions on every File and Directory.

Some Examples

ls -l

The highlighted “-rw-rw-r–“ code is the one that tells us the permission given to owner, group or the world.

The first ‘‘ tells us that we have selected a file.

If this were a directory, d would be shown here;

The characters are pretty easy to remember.

r = read permission
w = write permission
x = execute permission
 = no permission

Let’s read and understand our sample file;

The first part of the code is ‘rw-‘. This is for the user. This tells us that the user can:

  • Read the file
  • Write or edit the file
  • He cannot execute the file since the execute bit is set to ‘-‘.

The second part is ‘rw-‘. This is for the user group for example ‘Home’. Group-members can:

  • Read the file
  • Write or edit the file

The third part is for the world which means any user. It says ‘r–‘. This means the user can only:

  • Read the file

Changing file/directory permission using ‘chmod’ command

To restrict user access (owner, group and the world) to files and folders we will use permissions (read, write, execute) using chmod  (change mode) command.

chmod permissions filename

We can use Absolute (Numeric) mode or Symbolic mode to do this.

In Absolute mode, file permissions are not represented as characters but three-digit octal number. Here is a table that shows all possible permission types.

NumberPermission TypeSymbol
0No Permission
1Execute–x
2Write-w-
3Execute + Write-wx
4Readr–
5Read + Executer-x
6Read +Writerw-
7Read + Write +Executerwx

Some Example

Checking current file permission;

chmod 764 and checking permission again;

chmod 764 MySmpleFile.txt

764 absolute code means;

Owner can read, write and execute (7). Usergroup can read and write (6). World can only read (4). This is shown as ‘-rwxrw-r–. In this mode we change permission for all 3 owners.

In Symbolic mode we change permissions of specific owner. It uses mathematical symbols.

OperatorDescription
+Adds permission to a file or directory
Removes the permission
=Sets the permission and overrides earlier permissions set

The owners are represented as;

uuser/owner
ggroup
oother
aall
  

Permission is set using characters like rwx. Here is an example;

Reset permission for this step;

chmod 664 MySmpleFile.txt

Current file permission

Setting permission to ‘other users’ AKA ‘world’ users

chmod o=rwx MySmpleFile.txt

Adding ‘Execute’ permission to usergroup.

chmod g+x MySmpleFile.txt

Removing ‘read’ permission for ‘user’

chmod u-r MySmpleFile.txt

For changing ownership and group of a file/directory, we use this command;

chown user filename

If we want to change the user and group for a file / directory, we use this command;

chown user:group filename

Here are examples;

Reset permission for this step;

chmod 664 MySmpleFile.txt

Check the current file ownership

Change file owner to pihole.

chown tanolis MySmpleFile.txt

Change file group to tanolis

In case, you don’t have the group, use this command to create one;

groupadd tanolis

change user and group back to root

In case we want to change group-owner only, we use this command;

chgrp group_name filename

‘chgrp’ stands for change roup.

Check current file group owner

Change the group owner to tanolis

Some key commands

The file /etc/group contains all the groups defined in the system

cat /etc/group

You can use the command “groups” to find all the groups user is member of.

You cannot have 2 groups owning the same file.

You do not have nested groups in Linux. One group cannot be sub-group of other

x- eXecuting a directory means Being allowed to “enter” a dir and gain possible access to sub-dirs.