Understanding File Permissions

Access to every file/directory in Linux is beautifully controlled by permissions. Many times we are not able to wrap our heads around file permissions (in the beginning stages anyway), but it’s not all that complicated. So let’s see what the fuss is about.

The ls -l command provides a line like the following for each file or directory.

drwxr-xr-x 4 nits nits    4096 2011-11-27 20:48 Documents/

The first column lists the permissions of the file/directory. Here we see that there are 10 characters in whole. The first character shows the file type, the next three characters show what permissions the user owning the file has, the three characters after that show what permissions the group owning the file has and the last three characters what permissions everyone else has.

File Permissions in Linux

There are three types of permissions – read, write and execute. If read, write or execute permissions are enabled we see a r, w, x respectively present. A - indicates that the permission ain’t enabled. Another way to put it is,

r – -  means only read
- w –  means only write
- – x  means only execute
r w -  means read and write
r – x  means read and execute
- w x  means write and execute
r w x  means read, write and execute

Now, let’s look at the permissions of the file we viewed earlier

drwxr-xr-x 4 nits nits    4096 2011-11-27 20:48 Documents/

So, what are the permissions for this directory called documents?

The user owning the file has read, write and execute permissions.
The group owning the file has read and execute permissions
Rest of the users and groups have read and execute permissions.

The permissions can also be described by their octal values. Take a look at the image below to understand better, after all a picture IS worth a thousand words.

Octal Permissions image

Let’s take a brief look at the character describing the file type before proceeding onwards. In our example, the first character, the character describing the file type, it reads d. That means that it is a directory. These are the other file types and their corresponding characters:

-  for files
l  for links
n for network devices
c for character devices
b for block devices

So now we have deciphered the file permissions but what next? Modifying them ofcourse. Let’s get the cannons out – chmod, chown and the water pistol – chgrp :P Just kidding.

chmod:

chmod is used to change the permissions of a file or a directory. You can combine it with octal as well as alphabets to change the permissions. Let’s see something with octal.

nits@nits-excalibur:~$ ls -la an_example.txt
-rw-rw-r-- 2 nits nits 0 2011-12-26 02:42 an_example.txt
nits@nits-excalibur:~$ chmod 760 an_example.txt
[sudo] password for nits:
nits@nits-excalibur:~$ ls -la an_example.txt
-rwxrw---- 2 nits nits 0 2011-12-26 02:42 an_example.txt

Here, the file called an_example.txt which earlier allowed the user and the group to read and write whereas others could only read the file has been modified to allow the user to be able to read, write, execute and the group to read and write and not allowing others to do anything.

We can also use the chmod with some alphabets,

u for user
g for group
o for others
a for all

The alphabets representing the permissions are

r for read
w for write
x for execute

Now the permissions can be applied to each category of users (user, group and others) by some symbols

+ to enable/add the permissions
- to disable/remove the permissions
= to set the permissions.

For example, if we want to change the permissions of the file, an_example.txt so that others have the permission to read and execute the file, we could do chmod o=rx an_example.txt. Here are a few examples to help you understand better on how you can use the chmod command and what affects it has.

nits@nits-excalibur:~$ ls -l an_example.txt
-rwxrw-rwx 2 nits nits 0 2011-12-26 02:42 an_example.txt

nits@nits-excalibur:~$ chmod u-x an_example.txt
nits@nits-excalibur:~$ ls -l an_example.txt
-rw-rw-rwx 2 nits nits 0 2011-12-26 02:42 an_example.txt

nits@nits-excalibur:~$ chmod g-w an_example.txt
nits@nits-excalibur:~$ ls -l an_example.txt
-rw-r--rwx 2 nits nits 0 2011-12-26 02:42 an_example.txt

nits@nits-excalibur:~$ chmod o-xrw an_example.txt
nits@nits-excalibur:~$ ls -l an_example.txt
-rw-r----- 2 nits nits 0 2011-12-26 02:42 an_example.txt

nits@nits-excalibur:~$ chmod a+x an_example.txt
nits@nits-excalibur:~$ ls -l an_example.txt
-rwxr-x--x 2 nits nits 0 2011-12-26 02:42 an_example.txt

nits@nits-excalibur:~$ chmod o=rwx,ug-x an_example.txt
nits@nits-excalibur:~$ ls -l an_example.txt
-rw-r--rwx 2 nits nits 0 2011-12-26 02:42 an_example.txt

In the last example, we have also combined parameters to change the permissions of the file to enable others to have read, write and execute permissions and disabling the execution permissions for the user and group, all at the same time! How awesome was that! Go ahead, try some combos and go nuts, just make sure that you test and practice with permissions before changing permissions of some important files like system files and such.

Note: You will have to prepend the command with sudo if you are not the owner of the file. Example: sudo chmod a+x an_example.txt

chown:

chown is the command we use to alter the ownership of the file. It’s used to change the user ownership and group ownership of the file. The format to use it is sudo chown username.groupname filename

In the following example, I change the group ownership of the file an_example.txt to the group called padma

nits@nits-excalibur:~$ ls -l an_example.txt
-rw-rw-r-- 2 nits nits 0 2011-12-26 02:42 an_example.txt

nits@nits-excalibur:~$ sudo chown nits.padma an_example.txt
nits@nits-excalibur:~$ ls -l an_example.txt
-rw-rw-r-- 2 nits padma 0 2011-12-26 02:42 an_example.txt

This same action can also be achieved by sudo chown .padma an_example.txt The . (dot) before the group name means that the user ownership remains the same whereas only the group ownership is being changed.

nits@nits-excalibur:~$ ls -l an_example.txt
-rw-rw-r-- 2 nits nits 0 2011-12-26 02:42 an_example.txt

nits@nits-excalibur:~$ sudo chown .padma an_example.txt
nits@nits-excalibur:~$ ls -l an_example.txt
-rw-rw-r-- 2 nits padma 0 2011-12-26 02:42 an_example.txt

The user ownership can also be changed while retaining the group ownership by placing the . (dot) after the username.

nits@nits-excalibur:~$ ls -l an_example.txt
-rw-rw-r-- 2 nits nits 0 2011-12-26 02:42 an_example.txt

nits@nits-excalibur:~$ sudo chown padma. an_example.txt
nits@nits-excalibur:~$ ls -l an_example.txt
-rw-rw-r-- 2 padma padma 0 2011-12-26 02:42 an_example.txt

Note: Both chmod and chown commands can be used on directories recursively, modifying every file/directory under the directory. This is achieved in both commands using the -R parameter.

Here, we change the permissions of all the files/directories present in the directory called Testing to allow everyone to be able to read, write and execute.

nits@nits-excalibur:~$ ls -lRF Testing
Testing:
total 16
-rw-rw-r-- 1 nits nits   47 2011-12-19 08:49 numericalfile
drwxrwxr-x 3 nits nits 4096 2011-12-26 02:28 test/
-rwxrwxr-x 1 nits nits  281 2011-12-25 23:21 test.sh*
-rw-rw-r-- 1 nits nits   84 2011-12-19 08:47 textfile

Testing/test:
total 4
-rw-rw-r-- 1 nits nits    0 2011-12-26 02:28 file1
-rw-rw-r-- 1 nits nits    0 2011-12-26 02:28 file2
drwxrwxr-x 2 nits nits 4096 2011-12-28 01:22 test2/

Testing/test/test2:
total 0
-rw-rw-r-- 1 nits nits 0 2011-12-26 02:28 file2_1
-rw-rw-r-- 1 nits nits 0 2011-12-26 02:28 file2_2

nits@nits-excalibur:~$ chmod -R 777 Testing
nits@nits-excalibur:~$ ls -lRF Testing
Testing:
total 16
-rwxrwxrwx 1 nits nits   47 2011-12-19 08:49 numericalfile*
drwxrwxrwx 3 nits nits 4096 2011-12-26 02:28 test/
-rwxrwxrwx 1 nits nits  281 2011-12-25 23:21 test.sh*
-rwxrwxrwx 1 nits nits   84 2011-12-19 08:47 textfile*

Testing/test:
total 4
-rwxrwxrwx 1 nits nits    0 2011-12-26 02:28 file1*
-rwxrwxrwx 1 nits nits    0 2011-12-26 02:28 file2*
drwxrwxrwx 2 nits nits 4096 2011-12-28 01:22 test2/

Testing/test/test2:
total 0
-rwxrwxrwx 1 nits nits 0 2011-12-26 02:28 file2_1*
-rwxrwxrwx 1 nits nits 0 2011-12-26 02:28 file2_2*

In the following example, we transfer the ownership of all files/directories present in the same Testing folder to the user padma and the group padma.

nits@nits-excalibur:~$ sudo chown -R padma.padma Testing
nits@nits-excalibur:~$ ls -lRF Testing
Testing:
total 16
-rwxrwxrwx 1 padma padma   47 2011-12-19 08:49 numericalfile*
drwxrwxrwx 3 padma padma 4096 2011-12-26 02:28 test/
-rwxrwxrwx 1 padma padma  281 2011-12-25 23:21 test.sh*
-rwxrwxrwx 1 padma padma   84 2011-12-19 08:47 textfile*

Testing/test:
total 4
-rwxrwxrwx 1 padma padma    0 2011-12-26 02:28 file1*
-rwxrwxrwx 1 padma padma    0 2011-12-26 02:28 file2*
drwxrwxrwx 2 padma padma 4096 2011-12-28 01:22 test2/

Testing/test/test2:
total 0
-rwxrwxrwx 1 padma padma 0 2011-12-26 02:28 file2_1*
-rwxrwxrwx 1 padma padma 0 2011-12-26 02:28 file2_2*

Pretty cool huh?

chgrp:

And now, for the water pistol – chgrp :P (just kidding, AGAIN.) chgrp changes the group ownership of a file/directory. Although the same can be achieved with the chown command, this is slightly easier. You can skip from having to remember this command if you wish as long as you have chown in your head :P The format of this command is sudo chgrp groupname filename

The -R parameter may also be used in this command to perform the operation recursively among directories, just like in the chmod and chown commands.

nits@nits-excalibur:~$ ls -l an_example.txt
-rw-rw-r-- 2 padma nits 0 2011-12-26 02:42 an_example.txt

nits@nits-excalibur:~$ sudo chgrp padma an_example.txt
nits@nits-excalibur:~$ ls -l an_example.txt
-rw-rw-r-- 2 padma padma 0 2011-12-26 02:42 an_example.txt

umask:

So, now how are the default file permissions set when you create a new file/directory on your system? The answer is umask. The default permissions for new directories is 777 (read, write and execute) whereas for new files it is 666 (read and write). But when you create new files and directories you notice that the permissions are not the default. The permissions are different beccause the umask comes into play.

nits@nits-excalibur:~$ umask
0002
nits@nits-excalibur:~$ mkdir umask_testing
nits@nits-excalibur:~$ touch umask_test.txt
nits@nits-excalibur:~$ ls -lF | grep umask
drwxrwxr-x 2 nits nits 4096 2011-12-31 08:10 umask_testing/
-rw-rw-r-- 1 nits nits 0 2011-12-31 08:10 umask_test.txt

This shows us that the umask is set to 0002 (write). When a new directory is created, we notice that the directory has the default 777 permissions except that write is disabled for Others. The same happens even when a new file is created. The default permissions of 666 becomes 664 (read and write for User and Group, read only for Others). I am guessing you have understood that the umask does infact mask its value from the default permissions. In other words, the umask value is deleted from the default permissions value when creating a new file/directory.

In the example below, I have set the umask value to 0000 (none). This as you can see, effectively retains the default permissions when creating a new file or directory without applying a mask to it.

nits@nits-excalibur:~$ umask 0000
nits@nits-excalibur:~$ umask
0000

nits@nits-excalibur:~$ mkdir new_testing
nits@nits-excalibur:~$ touch new_testing

nits@nits-excalibur:~$ ls -lF | grep new_testing
drwxrwxrwx 2 nits nits 4096 2011-12-31 08:21 new_testing/
-rw-rw-rw- 1 nits nits 0 2011-12-31 08:21 new_testing.txt

SUID/SGID:

There are also set user id (SUID) and set group id (SGID) commands. SUID allows files to be run under the file permissions of the owner of the file even when executed by other users. SGID on the other hand, allows files to be run under the owning group’s permissions when executed by other users, whereas SGID on a directory allows for creation of new files in that directory with directory group as its default group. SGID is useful when directories have to be shared. Look at the extra reading at the bottom of this post to read more about it.

And that’s pretty much it, we’ve covered basic file permissions in Linux! Woo-hoo!! Wasn’t as bad as you thought was it? Well, with that I am going to stop and wish you a very happy Linux-ful new year (a full day in advance :P ) !