Understanding Linux File Permissions
One of the core aspects of Linux filesystems is the notion of file permissions. These permissions decide what a particular user is able to do with a file or directory. While the mechanism itself is quite simple, it can be confusing to understand at first.
Users
Let’s start with users. This concept is fairly easy to understand, as each user logs into a system with a unique user account. Users may also be assigned to groups: one primary group, and any number of secondary ones. Groups are generally used to grant access to commands and files to multiple users with similar roles, rather than adjusting things on a per-user basis.
Files
Now let’s look at files. Every file and directory on a Linux system is owned by a user and a group. Typically the owner will be the user that initially created the file, and the group will be that user’s primary group, though both can be changed. Files and directories have their permissions split into three levels: the owning user’s permissions, the owning group’s permissions, and others’ permissions. By ‘others’, we mean any user that is neither the owner nor a member of the owning group of the file.
File Permission Types
There are also three different permission types for a file:
- Read access, which allows a user with that permission to read the file or view the contents of a directory.
- Write access, which allows a user with that permission to modify a file or create files in a directory.
- Finally there’s execute access, which allows a user with that permission to run the file as a program.
These permissions are often abbreviated to r for read, w for write and x for execute, which is apparent when looking at a file using the ls command with the -l flag to specify a long output:
ls -l
-rwxrw-r-- 1 hayden hayden 11895 Sep 28 22:23 testfile.sh
The first part of the output shows the permissions on the file as a string of 10 characters. The first is a special one used to identify a directory with a “d” or a symbolic link with an “l” (a hyphen means a regular file). After that we have three groups of three letters in the order “rwx”, showing which permissions are assigned to the file. The first set of three refers to the owner of the file, the second set to the owning group, and the third to others. Permissions granted are shown by the letter; permissions denied are replaced with a hyphen “-”. So in the example above the owner has read, write and execute permission on the file, the group has read and write permissions, and others have read permission on the file.
These permissions also have a numeric equivalent: 1 for execute, 2 for write and 4 for read. These numbers can then be added together to combine access permissions. For example, 7 allows read, write and execute permission, while 6 is read and write permission.
To change the permissions on a file the chmod (short for change mode) command is used. There are two ways of using this: one is to use the numeric designations, and the other to use the alphabetical ones. The numeric designations are generally used to set all three groups of access permissions by providing three numbers. So to set the file permissions that the testfile.sh example above has you would use:
chmod 764 testfile.sh
The alphabetical (symbolic) mode is generally used to add or remove a permission from a set. It’s written in the format <who to affect><add or remove><permission to set>, where add is “+” and remove is “-”. For who to affect the options are:
- u for the owning user.
- g for the owning group.
- o for others.
- a for all.
Here are some examples:
chmod a-r testfile.sh
chmod g+rw testfile.sh
chmod u-x testfile.sh
The first example removes read access for the owner, group and others from testfile.sh. The second adds read and write access for the group for testfile.sh. The last example removes execute permission for the owning user from testfile.sh.
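The mapping between the rwx string that ls -l prints and the octal mode that chmod takes can be checked with a small script. This is an added example, not part of the original article: it converts in both directions and then applies the article’s chmod steps to a scratch file created with mktemp (a constructed path, not testfile.sh).

```sh
#!/bin/sh
# Added example: convert between the nine permission characters shown by
# `ls -l` (e.g. rwxrw-r--) and the octal mode chmod accepts (e.g. 764),
# then verify the conversion against a real scratch file (constructed).
# One rwx triplet to its digit: r=4, w=2, x=1, summed.
triplet_to_digit() {
    n=0
    case $1 in r??) n=$((n + 4));; esac
    case $1 in ?w?) n=$((n + 2));; esac
    case $1 in ??x) n=$((n + 1));; esac
    echo "$n"
}
# One digit 0-7 back to its rwx triplet, a hyphen for each denied bit.
digit_to_triplet() {
    r=-; w=-; x=-
    if [ $(($1 & 4)) -ne 0 ]; then r=r; fi
    if [ $(($1 & 2)) -ne 0 ]; then w=w; fi
    if [ $(($1 & 1)) -ne 0 ]; then x=x; fi
    echo "$r$w$x"
}
# "rwxrw-r--" -> "764": owner, group, others, in that order.
symbolic_to_octal() {
    s=$1; mid=${s#???}
    echo "$(triplet_to_digit "${s%??????}")$(triplet_to_digit "${mid%???}")$(triplet_to_digit "${s#??????}")"
}
# "764" -> "rwxrw-r--".
octal_to_symbolic() {
    m=$1; mid=${m#?}
    echo "$(digit_to_triplet "${m%??}")$(digit_to_triplet "${mid%?}")$(digit_to_triplet "${m#??}")"
}
# Read the nine permission characters of a path from `ls -ld`, skipping the
# leading type character (and any trailing ACL marker in column 11).
mode_of() {
    ls -ld "$1" | cut -c2-10
}
# Walk through the article's chmod steps on a scratch file, printing the
# symbolic and octal form after each one.
demo() {
    f=$(mktemp)
    for step in 764 a-r g+rw u-x; do
        chmod "$step" "$f"
        cur=$(mode_of "$f")
        printf 'chmod %-5s -> %s (%s)\n' "$step" "$cur" "$(symbolic_to_octal "$cur")"
    done
    rm -f "$f"
}
demo
```

Note that a-r strips read from all three sets at once, so after the three steps the file ends up as -w-rw---- (260): the owner can no longer read or execute the script they own.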
As you can see, working with the file permissions is quite simple and very flexible.