Beginners Guide to Basic file and directory permissions in Linux/UNIX
Viewing File and Directory Permissions
All files and directories in the Linux OS have a standard set of access permissions. These access permissions control which files can be accessed by whom, and provides a fundamental level of security for the system. You can use the ’ls -l’ command and the ’ls -n’ command to view the permissions for a given file or directory. You can also change the permissions for certain files.
One of the important functions of a secure system is to limit access to authorized users and prevent unauthorized users from accessing the files. Although the system administrator maintains the primary security of a system, users also play a role in keeping the system secure.
The Linux OS uses two basic measures to prevent unauthorized access to a system and to protect data:
- The first measure is to authenticate a user’s login by verifying that the user name and password exist in the /etc/passwd and /etc/shadow files.
- The second measure is to protect file and directory access automatically. The Linux OS assigns a standard set of access permissions at the time of the creation of files and directories.
Viewing Permission Categories
To view the permissions for files and directories, perform the ’ls -l’ command. The figure below shows the information displayed for the dante file.
The first field of the information displayed by the ls -l command is the file type. The file type typically specifies whether it is a file or a directory. A file is represented by a hyphen (-). A directory is represented by the letter d. The remaining fields represent three types of users: owner, group, and other. Table 7-1 describes each type of user with a brief description of each.
|Owner||Permissions used by the assigned owner of the file or directory.|
|Group||Permissions used by members of the group that owns the file or directory.|
|Other||Permissions used by all users other than the file owner, and members of the group that owns the file or the directory.|
Each type of user has three permissions, called a permission set. Each permission set consists of read, write, and execute permissions. Each file or directory has three permission sets for the three types of users. The first permission set represents the owner permissions. The second permission set represents the group permissions. The last permission set represents the other users’ permissions.
The read, write, and execute permissions in the owner, group, and other permission sets are represented by the characters r, w, and x respectively. The presence of any of these characters, such as r, indicates that the particular permission is granted. The dash (-) symbol in place of a character indicates that a particular permission is denied.
The owner permission set determines the type of access the owner has for the file or directory. The three characters in this set of permissions represent read, write, and execute permissions for the owner.
The group permission set determines the type of shared file access for each user belonging to the file owner’s group. A group is a collection of users who can access files owned by the group, based on the permission set. The three characters in this set of permissions represent read, write, and execute permissions.
The other permission set determines the type of access for all other users who have access to the system, but who do not own the file or directory, and are not a member of the file’s or directory’s group.
Permission Characters and Sets
The read, write and execute permissions are interpreted differently when assigned to a file than when assigned to a directory.
The table below shows the permission definitions.
|Permission||Character||Access for a File||Access for a Directory|
|Read||r||You can display file contents and copy the file.||You can list the directory contents with the ls command.|
|Write||w||You can modify the file contents.||You can modify the contents of a directory, such as deleting a file. You must also have the execute permission for this to happen.|
|Execute||x||You can execute the file if it is an executable. You can execute a shell script if you also have read and execute permissions.||You can use the cd command to access the directory. If you also have read access, you can run the ls -l command on the directory to list contents. If you do not have read access you can run the ls command as long as you know the file name.|
**NOTE:**For a directory to be of general use, it must at least have read and execute permissions.
The table below shows examples of different permission sets for files and directories.
|-rwx——||This file has read, write, and execute permissions set for the file owner only. Permissions for group and other are denied.|
|dr-xr-x—||This directory has read and execute permissions set for the directory owner and the group only.|
|-rwxr-xr-x||This file has read, write, and execute permissions set for the file owner. Read and execute permissions are set for the group and other.|
When you create a new file or directory, the Linux OS assigns initial permissions automatically. The initial default permissions for a file and directory are then modified based on the default umask value.
Determining File or Directory Access
The following sections describe how to use the ls -n command in the Linux/UNIX OS to determine ownership of files and directories.
Using the ls -n Command
All files and directories have an associated user identification number (UID) and a group identification number (GID). The UID identifies the user who owns the file or directory. The GID identifies the group of users who own the file or directory. A file or directory can belong to only one group at a time. The Linux/UNIX OS uses these numbers to track ownership and group membership of files and directories.
To view the UIDs and GIDs, perform the ls -n command on the /var/adm directory.
$ ls -n /var/adm total 244 drwxrwxr-x 5 4 4 512 Nov 15 14:55 acct -rw------- 1 5 2 0 Jun 7 12:28 aculog drwxr-xr-x 2 4 4 512 Jun 7 12:28 exacct -r--r--r-- 1 0 0 308056 Nov 19 14:35 lastlog drwxr-xr-x 2 4 4 512 Jun 7 12:28 log -rw-r--r-- 1 0 0 6516 Nov 18 07:48 messages ... (output truncated)
The figure below describes the fields in the output of the ls -n command.
When a user attempts to access a file or directory, the Linux/UNIX OS compares the UID of the user to the UID of the file or directory. If the UIDs match, the permission set for the owner determines whether the owner has access to the file or directory. If the UIDs do not match, the Linux OS compares the user’s GID and the GID of the file or directory. If these numbers match, the group permissions apply. If the GIDs do not match the Linux OS uses the other category of permissions to determine file or directory access.
Changing the Permissions
You can change the permissions set for files or directories by using the chmod command. Either the owner of the file or directory or the root user can use the chmod command to change permissions.
The chmod command can change permissions specified in either symbolic mode or octal mode.
- Symbolic mode — uses combinations of letters and symbols to add or remove permissions for each type of user.
- Octal mode — uses octal numbers to represent each permission. The octal mode is also referred to as absolute mode
Changing Permissions in Symbolic Mode
The syntax for the chmod command in the symbolic mode is:
# chmod symbolic_mode filename
The symbolic_mode option consists of three parts: the user category (owner, group, or other) affected, the function performed, and the permissions affected. For example, if the option is g+x, the executable permission is added for the group.
The figure below shows the symbolic_mode options.
The following examples show you how to modify permissions on files and directories using symbolic mode. To remove the read permission for other users, perform the following commands:
$ ls -l dante -rw-r--r-- 1 user1 staff 1319 Mar 22 14:51 dante $ chmod o-r dante $ ls -l dante -rw-r----- 1 user1 staff 1319 Mar 22 14:51 dante $
To remove the read permission for the group, perform the following commands:
$ chmod g-r dante $ ls -l dante -rw------- 1 user1 staff 1319 Mar 22 14:51 dante $
To add an execute permission for the owner (user) and a read permission for the group and other, perform the following commands:
$ chmod u+x,go+r dante $ ls -l dante -rwxr--r-- 1 user1 staff 1319 Mar 22 14:51 dante $
To assign read and write permissions for owner, group, and other, perform the following commands:
$ chmod a=rw dante $ ls -l dante -rw-rw-rw- 1 user1 staff 1319 Mar 22 14:51 dante $
Changing Permissions in Octal Mode
The chmod command syntax in octal mode is:
$ chmod octal_mode filename
The octal_mode option consists of three octal numbers, from 0–7, which represent a combination of permissions for the file or directory.
The table below shows the octal numbers for each individual permission.
These numbers are combined into one number for each permission set. The table below shows the octal numbers that represent a combined set of permissions.
|Octal Value||Permission Sets||Binary|
You can modify the permissions for each category of users by combining octal numbers. The first octal number defines owner permissions, the second octal number defines group permissions, and the third octal number defines other permissions.
The table below shows the permission sets for the three-digit octal numbers.
The chmod command enables you to fill in automatically any missing digits to the left with zeros. For example:
$ chmod 44 dante $ ls -l dante $ ---r--r-- 1 user1 staff 1319 Mar 22 14:51 dante $
The previous example shows that the chmod 44 dante command is interpreted as the chmod 044 dante command.
The following examples show how to modify permissions on files and directories by using the octal mode.
To set permissions so that the owner, group, and other have read and execute access only, perform the following commands:
$ chmod 555 dante $ ls -l dante -r-xr-xr-x 1 user1 staff 1319 Mar 22 14:51 dante $
To change owner and group permissions to include write access, perform the following commands:
$ chmod 775 dante $ ls -l dante -rwxrwxr-x 1 user1 staff 1319 Mar 22 14:51 dante $
To change the group permissions to read and execute only, perform the following commands:
$ chmod 755 dante $ ls -l dante -rwxr-xr-x 1 user1 staff 1319 Mar 22 14:51 dante $