Getting Started With Linux – Understanding File Permissions
The commands you’ll need to set up Linux file permissions…
Unlike Windows, which has traditionally taken a laissez-faire attitude towards protecting files, Linux has had basic but powerful file protection built in from the start. This comes in the form of file permissions, which let a user decide who on the system should have access to their files or directories. They can be a source of consternation for a Linux beginner, because things can silently fail to work when file permissions are incorrect.
A file or directory always has a specific user owner (commonly just referred to as the owner) and a group owner (commonly just referred to as the group). By default, the owner and group of a file match the user that creates it and that user’s default group. Both can be changed with the chown command: the user to own the file must be provided, and a group can optionally be provided after a colon. For example, to set the owner of the file filename.file to alice and its group to testusers…
chown alice:testusers filename.file
Permissions can be allocated separately for the owner of the file, for the group and for all other users. The permissions that can be assigned are…
read (4): Access to read the contents of the file.
write (2): Access to write to the file.
execute (1): Access to execute the file as a script/application.
The chmod command sets the permissions on a file and has a few modes of operation. A common one you will see is setting the full permissions numerically. For this, the numbers in the brackets above are added together to get the digit for each set of permissions: 7 for full access, 6 for read and write, and 4 for read only. The digits are given in the order owner, group and then all other users. So to give read and write access to a file called filename.file for the owner, read access for the group and no access for all other users, the following command would be used…
chmod 640 filename.file
Alternatively, you can use it to add (+) or remove (-) the specific permissions (r)ead, (w)rite and e(x)ecute for the owner (u), the group (g) or all users (a). Here are a few examples; see if you can figure out what they do before reading the explanation:
chmod g+wx filename.file
chmod a+r filename.file
chmod u-wx filename.file
In the first example we add write and execute permissions for the group. In the second we add read permissions to all users. In the final example we remove write and execute permissions for the owner.
To view the permissions on a file or directory, use the command ls -l. Its output will be a series of lines resembling the following:
-rwxrw-r-- 1 user group 245 Mar 20 2012 filename.file
The first section shows the permissions assigned to the file; next is the number of hard links to the file, then the user that owns the file, the group that owns the file, the file’s size, its last modification date and finally the filename.
As when setting permissions with chmod, the r, w and x stand for read, write and execute permissions, and as in the numeric format they are ordered owner, group and then all other users.
As you can see, what can appear a complicated methodology at first glance is actually very simple to understand and use. It is somewhat limited when it comes to group-based collaboration, however, because multiple groups cannot be given different access permissions to the same file. Different groups are therefore required for different tasks, and users need to be assigned membership of the various groups as required. Regardless of the permissions you set for individual users or groups, the root account has full access to all files.
The main thing to remember when setting permissions from a security standpoint is to always use the least permissive settings that still let things work. If you don’t require all other users to access the files, remove their permissions. If the group only needs to read the file, give it at most read permission. This helps limit the damage an attacker can do on a server should a user’s account become compromised.
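The chmod forms covered above, exercised on a scratch file and read back the way ls -l shows them, as an added example that is not from the original article. It assumes GNU coreutils (stat -c '%a') with the BSD stat syntax as a fallback, and uses chmod’s o (others) class and find -perm, which the article does not introduce.

```sh
# Added example, not part of the original article. Assumes GNU coreutils
# "stat -c"; the BSD "stat -f" form is tried as a fallback.

# Octal mode of a path, e.g. 640.
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# The first column of ls -l for a path, e.g. -rw-r-----
perm_field() {
  ls -ld "$1" | cut -c1-10
}

# Succeeds when the "others" digit (the last one) has the write bit (2) set.
world_writable() {
  m=$(mode_of "$1")
  other=${m#"${m%?}"}          # strip everything but the last octal digit
  [ $(( other & 2 )) -ne 0 ]
}

# Least-privilege audit: regular files under a directory that anyone can write to.
# -perm -002 is the portable spelling of "others have write".
find_world_writable() {
  find "$1" -type f -perm -002
}

demo() {
  dir=$(mktemp -d)
  f="$dir/filename.file"
  : > "$f"
  chmod 640 "$f"    # owner: read+write, group: read, others: none
  printf '%s %s\n' "$(mode_of "$f")" "$(perm_field "$f")"   # 640 -rw-r-----
  chmod g+wx "$f"   # group gains write+execute  -> 670
  chmod a+r "$f"    # everyone gains read        -> 674
  chmod u-wx "$f"   # owner loses write+execute  -> 474
  printf '%s %s\n' "$(mode_of "$f")" "$(perm_field "$f")"   # 474 -r--rwxr--
  chmod o+w "$f"    # o = others; deliberately too permissive -> 476
  find_world_writable "$dir"    # the audit now reports filename.file
  rm -rf "$dir"
}

demo
```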