An intro to Linux file and directory permissions

No, everyone should not be root.

We know that the root user can basically do anything on the system. Other users have more limitations and are usually collected into groups: you put users with similar needs into a group that is granted the relevant permissions, and each member inherits the group's permissions.

Let's take a look at:

  • Checking permissions
  • Changing permissions
  • Default permissions
  • Special permissions

Granting Permissions

The three kinds of permission are:

  • r: Permission to read.
  • w: Permission to write.
  • x: Permission to execute.

When a file is created, the user who created it is typically its owner and the owning group is the user's current group. We can transfer ownership of a file to a different user with the chown command.

chown gps /tmp/file.txt

Here we are giving the user gps ownership of file.txt in the /tmp directory.

We can also move a file's group ownership from one group to another; we use chgrp for that.

chgrp cloudadmins newIDS

Say we have an application called newIDS; here we are giving group ownership of newIDS to the cloudadmins group.

Checking Permissions

ls -l

The ls command with the -l (long) switch lists the contents of a directory, including each entry's permissions. Let's break this down a bit more.

drwxr-xr-x 2 azureuser azureuser 4096 Feb 14 22:31 Videos

The first character is the file type; in this case it's a d, which means it's a directory. This character can be:

  • (-) regular file
  • (d) directory
  • (c) character special
  • (b) block special
  • (p) fifo
  • (l) symbolic link
  • (s) socket

You'll typically see d, - or l. In this post we'll focus on - and d; I'll have another one on symbolic links (here's a great post on it), which are sort of like links to files.

Next we have

rwxr-xr-x

Nine characters: the first three are the permissions of the user (the owner), the next three are the permissions for the group, and the last three are the permissions for others.

  • So in our case, the user (owner) has rwx (read, write, and execute) permissions.
  • The group has r-x (read, no write, and execute); the - means the respective permission hasn't been given.
  • The others column has r-x (read, no write, and execute).

2 azureuser azureuser 4096 Feb 14 22:31 Videos

What's left is the number of links, the user (azureuser), the group (azureuser), the size, the date, and the name.

We can change permissions if we need to.

Changing Permissions

Only the root user or the file's owner can change permissions. We use the chmod command for that, with either numeric (octal) notation or the symbolic UGO notation; let's look at numeric notation first.

Changing Permissions with Octal Notation

This table contains all possible permission combinations and their binary and octal representations.

Binary  Octal  rwx
000     0      ---
001     1      --x
010     2      -w-
011     3      -wx
100     4      r--
101     5      r-x
110     6      rw-
111     7      rwx

If we wanted to grant all permissions to owner, group, and others, we could use

777

Each digit (here each one is a 7) represents the permissions for user, group, and others, in that order. In the table, we see that 7 in octal is rwx, which is all permissions. So how do we use chmod with this?

chmod 777 sample.txt

This would give the owner all permissions, the group all permissions, and everyone else (others) all permissions.

chmod 700 sample.txt
chmod 774 sample.txt
chmod 755 sample.txt

  • The first one would give the owner all permissions, the group no permissions, and others no permissions.
  • The second one would give the owner all permissions, the group all permissions, and others only read permission.
  • The third one would give the owner all permissions, the group read and execute permissions, and others read and execute permissions.

Changing Permissions with UGO

The numeric method of changing permissions is the most used, but we can also use the symbolic method, UGO, where u, g and o stand for user, group and others, combined with one of these operators:

  • - Removes a permission.
  • + Adds a permission.
  • = Sets a permission.

Let's remove the write permission from the user that owns sample.txt

chmod u-w sample.txt

We can change multiple permissions at once

chmod u-rw sample.txt
chmod u+rwx,o+rwx sample.txt
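To see how the symbolic and numeric notations map onto each other, here is an added example (not code from the post): a POSIX shell function, apply_symbolic (my own name), that applies a UGO spec such as u-w or u+rwx,o+rwx to a three-digit octal mode and prints the new mode. It touches no files; the starting mode 644 for sample.txt is a constructed assumption.

```shell
#!/bin/sh
# Apply a symbolic (UGO) chmod spec such as "u-w" or "u+rwx,o+rwx" to a
# three-digit octal mode and print the new mode. Nothing on disk is touched;
# the point is to see how + - = on r w x change the octal digits.
apply_symbolic() {
  u=$(printf '%s' "$1" | cut -c1)     # current user/owner digit
  g=$(printf '%s' "$1" | cut -c2)     # current group digit
  o=$(printf '%s' "$1" | cut -c3)     # current others digit
  spec=$2
  while [ -n "$spec" ]; do
    clause=${spec%%,*}                # one comma-separated clause at a time
    case $spec in *,*) spec=${spec#*,} ;; *) spec="" ;; esac
    who=${clause%%[+=-]*}             # letters before the operator: u, g, o
    rest=${clause#"$who"}
    op=$(printf '%s' "$rest" | cut -c1)
    perms=${rest#?}                   # any of r, w, x (may be empty for "=")
    bits=0
    case $perms in *r*) bits=$((bits + 4)) ;; esac
    case $perms in *w*) bits=$((bits + 2)) ;; esac
    case $perms in *x*) bits=$((bits + 1)) ;; esac
    for cls in u g o; do
      case $who in *$cls*) ;; *) continue ;; esac
      eval "cur=\$$cls"
      case $op in
        +) cur=$((cur | bits)) ;;               # add the requested bits
        -) cur=$((cur & (7 - bits))) ;;         # clear the requested bits
        =) cur=$bits ;;                         # replace the digit outright
      esac
      eval "$cls=$cur"
    done
  done
  printf '%s%s%s\n' "$u" "$g" "$o"
}

# The post's three commands, starting from a constructed 644 mode for sample.txt:
apply_symbolic 644 u-w              # 444
apply_symbolic 644 u-rw             # 044
apply_symbolic 644 u+rwx,o+rwx      # 747
```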

Default permissions (umask)

Linux automatically assigns files and directories default base permissions: 666 for files and 777 for directories. Since the file default contains no execute bit, you won't be able to execute a file immediately after downloading it.

You can change the default permissions with the umask (user file-creation mask). The umask represents the permissions you want to remove from the base permissions of a new file or directory.

The umask is a three-digit octal number corresponding to the three permission digits. On most Debian systems the umask is set to 022. It is subtracted from the base permissions number to give the new permissions.

                        New Files   New Directories
Linux base permissions  666         777
umask                   -022        -022
Resulting permissions   644         755

Each user can set a personal default umask value for their files and directories in their own .profile file.

To view the current value of your umask, run:

umask
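Added example (not the post's code): a shell function, apply_umask (my own name), that works out the mode a new file or directory gets for a given base and umask. It reproduces the table above and also shows a mask like 027, where the kernel's real behaviour, clearing the masked bits, gives an answer that digit subtraction cannot.

```shell
#!/bin/sh
# Compute the mode a new file or directory receives under a given umask.
# The kernel clears every bit that is set in the umask; it does not do digit
# subtraction. For 022 both views agree; for 027 only the bitwise one is right.
apply_umask() {
  base=$1                             # 666 for files, 777 for directories
  mask=$2                             # e.g. 022
  result=""
  i=1
  while [ $i -le 3 ]; do              # user, group, others digit in turn
    b=$(printf '%s' "$base" | cut -c"$i")
    m=$(printf '%s' "$mask" | cut -c"$i")
    result="$result$(( b & (7 - m) ))"   # 7 - m is the 3-bit complement of m
    i=$((i + 1))
  done
  printf '%s\n' "$result"
}

# Reproduce the table from the post, then a mask where digit subtraction
# would break (6 - 7 has no meaning, but 6 & ~7 is simply 0).
for pair in "666 022" "777 022" "666 027" "777 027"; do
  set -- $pair
  printf 'base %s  umask %s  ->  %s\n' "$1" "$2" "$(apply_umask "$1" "$2")"
done
```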

Special Permissions

  • set user ID (SUID)
  • set group ID (SGID)
  • sticky bit

SUID

The SUID bit says any user can execute the file with the permissions of the owner, but those permissions don't extend beyond the use of that file. To set this bit, you put a 4 in front of the usual three digits after chmod; typically you only use three digits, because the leading one is implied to be 0. If you see an s in place of an x in the owner permissions of a file, that means the SUID bit is set.

chmod 4644 sample.txt

SGID (Set Group ID upon execution)

SGID controls group ownership. It is useful for shared group directories, and you can apply it to both directories and files.

With the SGID bit set on a file, someone without execute permission can execute the file if the owner belongs to the group that has permission to execute it.

With the SGID bit set on a directory, group ownership of new files created in that directory goes to the directory's group, rather than the file creator's group.

The SGID bit is represented as a 2 in front of the regular permissions. If you see an s in place of an x in the group permissions of a file or directory, that means the SGID bit is set.

chmod 2644 sample.txt

Sticky Bit

This permission shows a t in place of an x in the others column. When you set the sticky bit on a directory, people can only delete files that belong to them within that directory. They can't delete files that belong to someone else, no matter which combination of file permissions is set on those files. You can only apply the sticky bit to directories. If you see a t in place of an x in the others permissions of a directory, that means the sticky bit is set.

chmod 1777 sample.txt

The sticky bit is ignored by modern Linux systems, but you should be familiar with the term at least.
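To tie the ls -l permission string from the Checking Permissions section back to the octal values chmod takes, including the s and t characters from this section, here is an added example (not the post's own code): a shell function, mode_to_octal (my own name), that decodes the nine permission characters into the four-digit octal mode. The sample strings are constructed, not real files.

```shell
#!/bin/sh
# Decode an ls -l permission string (with or without the leading file-type
# character) into the four-digit octal mode that chmod accepts.
# Owner/group slot 3: x -> execute; s -> execute + SUID/SGID; S -> SUID/SGID only.
# Others slot 3:      x -> execute; t -> execute + sticky;    T -> sticky only.
mode_to_octal() {
  m=$1
  [ ${#m} -eq 10 ] && m=${m#?}        # drop the d / - / l file-type character
  special=0                           # leading digit: 4=SUID 2=SGID 1=sticky
  digits=""
  i=0
  while [ $i -lt 3 ]; do              # i=0 user, i=1 group, i=2 others
    start=$((i * 3 + 1))
    r=$(printf '%s' "$m" | cut -c"$start")
    w=$(printf '%s' "$m" | cut -c"$((start + 1))")
    x=$(printf '%s' "$m" | cut -c"$((start + 2))")
    d=0
    [ "$r" = r ] && d=$((d + 4))
    [ "$w" = w ] && d=$((d + 2))
    case $x in x|s|t) d=$((d + 1)) ;; esac   # lowercase => execute bit is set
    case "$i$x" in
      0s|0S) special=$((special + 4)) ;;     # SUID in the owner slot
      1s|1S) special=$((special + 2)) ;;     # SGID in the group slot
      2t|2T) special=$((special + 1)) ;;     # sticky bit in the others slot
    esac
    digits="$digits$d"
    i=$((i + 1))
  done
  printf '%s%s\n' "$special" "$digits"
}

# Constructed sample entries in ls -l form (not real files on any system).
mode_to_octal drwxr-xr-x    # 0755: the Videos directory from the post
mode_to_octal -rwSr--r--    # 4644: what "chmod 4644 sample.txt" yields (S: no x)
mode_to_octal -rw-r-Sr--    # 2644: what "chmod 2644 sample.txt" yields
mode_to_octal drwxrwxrwt    # 1777: sticky, world-writable directory
```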
