Linux file permissions
Overview
Hi there fellow Linux explorers! Are you ready to take another dive into the depths of Linux waters? Hopefully you’re ready for today’s topic, because we’re about to delve into Linux file permissions and try to learn and explore as much as possible of this in-depth topic in a single post.
File permissions in Linux explained
As a beginner you’ve probably been puzzled the first time you listed files and folders.
Ok, everything seems comprehensible, except that sequence at the beginning.
You probably gazed into this and thought what exactly does it mean. You knew it’s not cheat codes for some video game, nor fatality for Mortal Kombat and also not the sequence to call your mothership to pick you up.
So what is it then? Once you decipher it you see it’s quite meaningful. So, let’s break it down to pieces and analyze it. The first character denotes the type of entry (“-” for a file, “d” for a folder). Right after that you have a sequence of three groups of three characters. Within each group they are, respectively, “r” (read), “w” (write) and “x” (execute), in that specific order.
Those triplets are permission indicators: the first triplet marks permissions for the owner, the second triplet permissions for the group, and the third triplet permissions for all other users that do not fall into the first two categories.
Let’s see how that works in practice, shall we?
If we take as an example the permission indicator drwxr-xr-x for Desktop, what can we read out of it? It starts with “d”, which indicates it’s a folder/directory (like we didn’t know that already). The first triplet indicates the owner has rwx rights, which means all rights – to read, to write and to execute.
Well, that would be if it was a file. In folder’s case “r” actually means you can list folder’s content, “w” means you can modify folder’s content (add and remove files) and “x” means you can enter that folder. In practice that means that owner has all the permissions over that folder, he can enter that folder, list its content and modify it. Group users and other users can only enter folder and list its content, but cannot make any changes to it.
How to change file permissions in Linux
Now that we’ve learned how to view permissions, it’s time to see how we can change file permissions in Linux. To change current permissions on files and folders you can choose between two methods:
symbolic
numeric (absolute)
Symbolic method
To change permissions in the Linux terminal, there is one command – chmod (short for change mode). Its use is fairly simple and logical, which will be shown through examples. But first, a quick recap so you grasp it fast. Like I’ve mentioned, the permission indicator is made of 10 characters. The first denotes whether it’s a file (“-”) or a folder (“d”), and if you happen to stumble upon the character “l”, that means you’re looking at a symlink. The remaining 9 are divided in triplets – rwxrwxrwx, where:
“r” is for read,
“w” for write and
“x” for execute.
If there’s a “-” character instead of any of the above, that means that certain permission is not assigned or, to put it more eloquently, a certain user or group of users doesn’t have that right.
To complement story above, triplets are divided in next order:
first triplet is for user (u) permissions
second triplet is for group (g) permissions and
third triplet is for other (o) users permissions.
We can mark all three triplets with “a” (for all, logically), but it’s not necessary, it will work even if character “a” is omitted which will be shown through examples. For that matter, I’ve created testFolder and testFile.
As we can see, the permission indicator for testFile is -rw-r--r--, from which we can read that it’s a file (“-”), the user has read and write permissions (“rw-”), but group and others have just read permission (“r--r--”). Like I mentioned, to change that we use the chmod command, and we’ll add execute (“x”) permission for user (“u”):
chmod u+x testFile
Fairly easy, right? Similarly, to remove permission:
chmod g-r testFile
We can also make combos, either with permission groups:
chmod go+w testFile
chmod ou-r testFile
Or with permissions:
chmod g-w+x testFile
chmod o+rx testFile
Or you can even combine them in between:
chmod u+r,g+r-x,o-tw testFile
Besides the “+” and “-” operators to add or subtract permissions, we can use the “=” operator to directly set permissions or override them if they were set earlier.
chmod a=r testFile
As I mentioned above, when you use character “a” it’s for all permission groups. But, it will work even if it’s omitted.
Numeric (absolute) method
The other method to change permissions is numeric. Instead of choosing which permission to add or subtract from specific group using characters, you’ll use numeric values. Permissions rwx are represented in binary code as shown in a table:
Permission | Binary value | Octal value |
---|---|---|
--- | 000 | 0 |
--x | 001 | 1 |
-w- | 010 | 2 |
-wx | 011 | 3 |
r-- | 100 | 4 |
r-x | 101 | 5 |
rw- | 110 | 6 |
rwx | 111 | 7 |
Table 1 Numeric values for Linux permissions
To change permissions on our testFile using numeric method we’ll use chmod with numeric representation of each triplet:
chmod 724 testFile
Voila! Quite simple, rwx=7 (because r=4, w=2, x=1, and 4+2+1=7), -w-=2 and r--=4, which results in 724. The result is the same as using the “=” operator in the symbolic method. Basically, to remove all permissions (so be very cautious with it), you’ll use:
Yup, that’s certainly one way to put it. In reality, root user can still read and write in these cases.
Also, be careful with another borderline case you probably encountered at least once while surfing the web:
chmod 777 testFile
Yeah, it’s the opposite of previous so using this command would actually look like this:
Needless to say, be very very cautious about this one. Don’t say you weren’t warned about it.
Special permissions in Linux
Besides classic read, write and execute, we have special permissions:
setuid (SUID – Set User ID)
setgid (SGID – Set Group ID)
sticky bit
Now you’re probably wondering “what it could possibly be other than classic ones?” Well, to be precise, there are none per se. So, what exactly are they and what makes them special? Let me break it down for you.
Setuid
The first one mentioned is setuid. Basically, this permission lets users execute a file with its owner’s privileges. That certainly has no value to you in a home environment, as you solve permission problems with the sudo command.
But think about a multi-user environment where users sometimes need to do some simple action that requires superuser privileges. Let’s say a user wants to change a password. That would imply using the passwd command. But changing a password also changes the hash in the /etc/shadow file, which is, surprisingly, writable only by root.
So, instead of giving sudo privileges to a regular user and starting a cataclysm of epic proportions (there is a valid reason why regular users have limited rights), a better solution is to give special permission on the executable. And when we take a look at it, we can see the following:
In the owner permissions you can see “s” (for special) instead of “x”. That’s SUID, the special permission we were talking about. If you want to give SUID to some file or folder, you can do it by:
- symbolic method –
chmod u+s testFile2
(or u-s if you decide to remove the permission)
or
- numeric method by putting 4 in front of regular values –
chmod 4744 testFile3
(value 7 is a must in the user’s permission; the other two are arbitrary and depend on your needs, and I decided not to change the current permissions for group and others)
Setgid
Similarly, setgid is the special permission on group permissions. And you guessed it right, it’s like a copy-paste of SUID, just for the group users. Character “s” replaces “x” in the group permissions. To give that special permission to a file or folder you can, again, choose between both methods:
- symbolic method –
chmod g+s testFile4
(similarly, g-s to remove)
or
- numeric method by putting 2 in front of regular values –
chmod 2674 testFile5
(likewise, value 7 is a must in the group permission; values 6 for user permissions and 4 for other permissions are also the result of my decision not to change those two)
Sticky bit
Unlike previous two, this permission is not about giving special permission to users but rather to take it away or to be precise to prevent users from deleting files or folders. That’s why this permission is sometimes referred to as “restricted deletion bit”. Excellent choice to fend off those mindless lemmings before they make a mess.
Another difference compared to previous two is in bit character. First two had “s” instead of “x”, this one has “t” instead of “x”. You can add sticky bit choosing, yet again, between the two methods:
- symbolic method –
chmod +t testFile6
(since it’s the only bit with character “t”, there’s no need to add anything before the “+” sign. Of course, -t would remove the sticky bit)
- numeric method by adding 1 in front of regular values –
chmod 1647 testFile7
(6 and 4 are to keep previous permissions, value 7 is a must to add sticky bit)
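One way to check a directory tree for the permissions this article flags as risky (setuid and setgid files, world-writable files, and world-writable folders without the sticky bit), as an added example that is not part of the original article. The function names and the sample tree are made up for the demonstration.

```sh
#!/bin/sh
# Added example (not from the original article): list mode bits worth reviewing.

# audit_perms DIR -> one finding per line: "<kind> <path>"
# Assumes file names without newlines.
audit_perms() (
    dir=$1
    report() {   # report KIND FIND-TESTS...
        kind=$1; shift
        find "$dir" -xdev "$@" -print | sed "s|^|$kind |"
    }
    report setuid              -type f -perm -4000
    report setgid              -type f -perm -2000
    report world-writable-file -type f -perm -0002
    # A world-writable folder without the sticky bit lets any user
    # delete or rename other users' files inside it.
    report world-writable-dir-no-sticky -type d -perm -0002 ! -perm -1000
)

# Constructed sample tree; all names are hypothetical.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    touch "$t/suid_tool" "$t/sgid_tool" "$t/notes.txt" "$t/open.txt"
    mkdir "$t/dropbox" "$t/shared"
    chmod 4755 "$t/suid_tool"    # rwsr-xr-x
    chmod 2755 "$t/sgid_tool"    # rwxr-sr-x
    chmod 644  "$t/notes.txt"    # rw-r--r--, nothing to report
    chmod 666  "$t/open.txt"     # rw-rw-rw-
    chmod 777  "$t/dropbox"      # rwxrwxrwx, no sticky bit
    chmod 1777 "$t/shared"       # rwxrwxrwt, like /tmp
    printf '%s\n' "$t"
}

tree=$(make_sample_tree)
audit_perms "$tree"
rm -rf "$tree"
```

Run it against a real path with `audit_perms /some/dir`; every setuid or setgid entry it lists should be one you can account for.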
***CAUTION***
Using the symbolic method to add some of the special permissions can result in the appearance of an uppercase “s” (S) or “t” (T). If that is the case, note that they have the opposite meaning of their lowercase counterparts. To avoid that mistake, before adding special permission(s) to a file or folder, make sure that the file or folder has execute permission in the corresponding permission position.
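How the numeric digits map to the string that ls -l prints, including the special bits and the uppercase S/T case from the caution above, as an added example that is not part of the original article. The function names are made up here, and modes 4644 and 1646 are constructed to show the uppercase letters, which appear when the special bit is set without the matching execute bit.

```sh
#!/bin/sh
# Added example: turn a 3- or 4-digit octal mode into the 9-character
# string shown by ls -l. Function names are hypothetical.

# triplet DIGIT SPECIAL CHAR -> "rwx", "rws", "rwS", ...
triplet() (
    digit=$1 special=$2 char=$3
    r=-; w=-; x=-
    if [ $((digit & 4)) -ne 0 ]; then r=r; fi
    if [ $((digit & 2)) -ne 0 ]; then w=w; fi
    if [ $((digit & 1)) -ne 0 ]; then x=x; fi
    if [ "$special" -ne 0 ]; then
        if [ "$x" = x ]; then
            x=$char                      # special bit + execute: s or t
        else
            case $char in                # special bit without execute: S or T
                s) x=S ;;
                t) x=T ;;
            esac
        fi
    fi
    printf '%s%s%s' "$r" "$w" "$x"
)

mode_to_symbolic() (
    mode=$1
    case $mode in
        [0-7][0-7][0-7])      mode=0$mode ;;   # no special bits given
        [0-7][0-7][0-7][0-7]) ;;
        *) echo "invalid mode: $mode" >&2; exit 2 ;;
    esac
    special=${mode%???}                  # 4 = setuid, 2 = setgid, 1 = sticky
    rest=${mode#?}
    u=${rest%??}
    g=${rest#?}; g=${g%?}
    o=${rest#??}
    triplet "$u" $((special & 4)) s
    triplet "$g" $((special & 2)) s
    triplet "$o" $((special & 1)) t
    echo
)

# 724, 4744, 2674 and 1647 come from the article; 4644 and 1646 are constructed
for m in 724 4744 2674 1647 4644 1646; do
    printf '%-5s %s\n' "$m" "$(mode_to_symbolic "$m")"
done
```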
Ownership
Up to this point we were talking about changing permissions on files or folders which is great solution when you need to change them on a few files or folders. But imagine working in a company. There you have various types of employees divided in departments based on their job orientation, like administrators, developers, testers, management, HR, … Like in every company, people come and go or switch job positions, so it’s a lot faster and simpler to change ownership or change a group membership than go with changing permissions for every single file or folder.
How to change owner of files and directories in Linux
To change owner of a file or a directory in Linux you’ll have to use chown command. But first things first, let’s create some users and groups and some files and folders as well.
To check if everything is in place we type:
cat /etc/group
As we can see, users are added to their respective groups.
Also, I had to use sudo to change ownership. I’ve changed owner of dev_file1 from my user to some fictional front-end dev named fe_developer. He is owner now and his permissions are to read and write, and group and other users have only read permission. And now let’s test what has been done, shall we?
I can read it alright. How about write in it?
Not a chance. So we can see that ownership permissions work quite well. Now I’ll log in as fe_developer to see if my owner permissions are working as planned.
Read permission works like a charm. How about write permission?
There is no warning that file is unwritable, so I’ll save it and read it again to see if changes were saved.
Excellent. We tested owner permissions out and saw they work as planned. For rest of files we can either choose to add same or another owner the same way we did first time…
…or we can update chown command to copy already set permissions:
That comes in really handy when there are more newly created files.
How to change user group in Linux
When it comes to changing group permissions there are two options: you can do it either with the chown command or with the chgrp command. Syntax for the chown command would look like this:
chown <user>:<group> file_name (or folder_name)
In my case, command was:
sudo chown fe_developer:developers dev_file4
With chown command you can also use reference to copy owner and group permissions from a file to folder and its content.
sudo chown --reference dev_file4 folder1 -R
And ownership over files in folder1 is:
As you can conclude, you set permissions and ownership over one file and use it as template for others.
For the chgrp command, syntax would look like this:
sudo chgrp developers dev_test
Group for dev_test folder has been changed, but once inside we can see that it didn’t work on its subfolders.
To fix that, we have to add the -R option:
sudo chgrp -R developers dev_test
This time, we see that subfolders of dev_test folder have changed group ownership. And just to see inside of subfolders content:
Summary
Magnificent. Now you are equipped with powerful tools to manage permissions and ownership over files and folders under your Linux domain. With that, this article has come to an end. We pretty much covered the majority of this rabbit hole, with which you can handle most of the everyday tasks and needs regarding permissions in Linux.
Thank you very much for your time…
PS. In Red Hat based distros (RHEL, Fedora, CentOS) permission indicator ends with dot and in case you wonder.