filepermissions

Introduction
Linux is a multi-user OS that is based on the Unix concepts of file ownership and permissions to provide security at the file system level. If you are planning on improving your Linux skills, it is essential that you have a decent understanding of how ownership and permissions work. There are many intricacies when dealing with file ownership and permissions, but we will try our best to distill the concepts down to the details that are necessary for a foundational understanding of how they work.

About Users
As mentioned in the introduction, Linux is a multi-user system. We must understand the basics of Linux users and groups before we can talk about ownership and permissions, because they are the entities that the ownership and permissions apply to. Let’s get started with the basics of what users are.

In Linux, there are two types of users: system users and regular users. Traditionally, system users are used to run non-interactive or background processes on a system, while regular users are used for logging in and running processes interactively. When you first log in to a Linux system, you may notice that it starts out with many system users that run the services that the OS depends on; this is completely normal.

An easy way to view all of the users on a system is to look at the contents of the /etc/passwd file. Each line in this file contains information about a single user, starting with its user name (the name before the first :). Print the passwd file with this command:

cat /etc/passwd

Superuser

In addition to the two user types, there is the superuser, or root user, that has the ability to override any file ownership and permission restrictions. In practice, this means that the superuser has the right to access anything on the server. This user is used to make system-wide changes, and must be kept secure.

It is also possible to configure other user accounts with the ability to assume “superuser rights”. In fact, creating a normal user that has sudo privileges for system administration tasks is considered to be best practice.

About Groups
Groups are collections of zero or more users. A user belongs to a default group, and can also be a member of any of the other groups on a server.

An easy way to view all the groups and their members is to look in the /etc/group file on a server. We won’t cover group management in this article, but you can run this command if you are curious about your groups:

cat /etc/group


Viewing Ownership and Permissions
In Linux, each and every file is owned by a single user and a single group, and has its own access permissions. Let’s look at how to view the ownership and permissions of a file.

The most common way to view the permissions of a file is to use ls with the long listing option, e.g. ls -l myfile. If you want to view the permissions of all of the files in your current directory, run the command without an argument, like this:

ls -l


Here is an example screenshot of what the output might look like, with labels of each column of output:

Note that each file’s mode (which contains permissions), owner, group, and name are listed. Aside from the Mode column, this listing is fairly easy to understand. To help explain what all of those letters and hyphens mean, let’s break down the Mode column into its components.

Understanding Mode
File Type
Permissions Classes
Reading Symbolic Permissions
Understanding Read, Write, Execute
Read
Write
Execute
Examples of Modes (and Permissions)
Modifying Ownership and Permissions

[root@machine1 ~]# lsattr | grep my
————-e- ./myfile
————-e- ./mydir
[root@machine1 ~]# rm -rf myfile mydir/
[root@machine1 ~]# chattr +a myfile
chattr -R +i mydir
To help explain what all the groupings and letters mean, take a look at this closeup of the mode of the first file in the example above.
In Linux, there are two basic types of files: normal and special. The file type is indicated by the first character of the mode of a file–in this guide, we refer to this as the file type field.
Normal files can be identified by files with a hyphen (-) in their file type fields. Normal files are just plain files that can contain data. They are called normal, or regular, files to distinguish them from special files.
Special files can be identified by files that have a non-hyphen character, such as a letter, in their file type fields, and are handled by the OS differently than normal files. The character that appears in the file type field indicates the kind of special file a particular file is. For example, a directory, which is the most common kind of special file, is identified by the d character that appears in its file type field (like in the previous screenshot). There are several other kinds of special files, but they are not essential to what we are learning here.
From the diagram, we can see that the Mode column indicates the file type, followed by three triads, or classes, of permissions: user (owner), group, and other. The order of the classes is consistent across all Linux distributions.
Let’s look at which users belong to each permissions class:
  • User: The owner of a file belongs to this class
  • Group: The members of the file’s group belong to this class
  • Other: Any users that are not part of the user or group classes belong to this class.
The next thing to pay attention to are the sets of three characters, or triads, as they denote the permissions, in symbolic form, that each class has for a given file.
In each triad, read, write, and execute permissions are represented in the following way:
  • Read: Indicated by an r in the first position
  • Write: Indicated by a w in the second position
  • Execute: Indicated by an x in the third position. In some special cases, there may be a different character here
A hyphen (-) in the place of one of these characters indicates that the respective permission is not available for the respective class. For example, if the group triad for a file is r--, the file is “read-only” to the group that is associated with the file.
Now that you know how to read the permissions of a file, you probably want to know what each of the permissions actually allows users to do. We will explain each permission individually, but keep in mind that they are often used in combination with each other to allow for meaningful access to files and directories.
Here is a quick breakdown of the access that the three basic permission types grant a user.
For a normal file, read permission allows a user to view the contents of the file.
For a directory, read permission allows a user to view the names of the files in the directory.
For a normal file, write permission allows a user to modify and delete the file.
For a directory, write permission allows a user to delete the directory, modify its contents (create, delete, and rename files in it), and modify the contents of files that the user can read.
For a normal file, execute permission allows a user to execute a file (the user must also have read permission). As such, execute permissions must be set for executable programs and shell scripts before a user can run them.
For a directory, execute permission allows a user to access, or traverse, into it (i.e. cd into it) and to access metadata about the files in the directory (the information that is listed in an ls -l).
Now that you know how to read the mode of a file, and understand the meaning of each permission, we will present a few examples of common modes, with brief explanations, to bring the concepts together.
  • -rw-------: A file that is only accessible by its owner
  • -rwxr-xr-x: A file that is executable by every user on the system. A “world-executable” file
  • -rw-rw-rw-: A file that is open to modification by every user on the system. A “world-writable” file
  • drwxr-xr-x: A directory that every user on the system can read and access
  • drwxrwx---: A directory that is modifiable (including its contents) by its owner and group
  • drwxr-x---: A directory that is accessible by its group
As you may have noticed, the owner of a file usually enjoys the most permissions, when compared to the other two classes. Typically, you will see that the group and other classes only have a subset of the owner’s permissions (equivalent or less). This makes sense because files should only be accessible to users who need access to them for a particular reason.
Another thing to note is that even though many permission combinations are possible, only certain ones make sense in most situations. For example, write or execute access is almost always accompanied by read access, since it’s hard to modify, and impossible to execute, something you can’t read.
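As an added example (not part of the original tutorial), the following POSIX shell functions decode the 10-character mode field that ls -l prints into the octal form chmod accepts and label the risky modes the text singles out. It goes a little beyond the page's plain rwx triads by also scoring the s/S/t/T characters that can replace x (setuid, setgid and sticky); the function and label names are my own.

```shell
#!/bin/sh
# Added example (not from the original tutorial): decode the
# 10-character mode field of `ls -l` into chmod's octal form and
# label risky modes. s/S/t/T in an x slot (setuid, setgid,
# sticky) are scored too, going a little beyond the page's triads.

# Score one rwx triad: r=4, w=2, x=1 (s or t in the x slot implies x).
triad_to_digit() {
    t=$1; n=0
    case $t in r??) n=$((n + 4)) ;; esac
    case $t in ?w?) n=$((n + 2)) ;; esac
    case $t in ??[xst]) n=$((n + 1)) ;; esac
    echo "$n"
}

# mode_to_octal '-rwxr-xr-x' -> 755, 'drwxrwx---' -> 770, '-rwsr-xr-x' -> 4755
mode_to_octal() {
    m=$1
    [ "${#m}" -eq 10 ] || { echo "bad mode: $m" >&2; return 1; }
    u=$(triad_to_digit "$(printf '%s' "$m" | cut -c2-4)")
    g=$(triad_to_digit "$(printf '%s' "$m" | cut -c5-7)")
    o=$(triad_to_digit "$(printf '%s' "$m" | cut -c8-10)")
    s=0   # special bits: setuid 4, setgid 2, sticky 1
    case $m in ???[sS]??????) s=$((s + 4)) ;; esac
    case $m in ??????[sS]???) s=$((s + 2)) ;; esac
    case $m in ?????????[tT]) s=$((s + 1)) ;; esac
    if [ "$s" -eq 0 ]; then echo "$u$g$o"; else echo "$s$u$g$o"; fi
}

# classify_mode: w in the "other" triad is world-writable; s in the user or
# group x slot is setuid/setgid (the text's "different character here").
classify_mode() {
    case $1 in
        ????????w?)    echo "world-writable" ;;
        ???[sS]??????) echo "setuid" ;;
        ??????[sS]???) echo "setgid" ;;
        *)             echo "ok" ;;
    esac
}

# audit_listing reads `ls -l` output on stdin and prints "octal label name";
# a trailing . or + on the mode (SELinux context, ACL) is stripped first.
audit_listing() {
    while read -r mode _ _ _ _ _ _ _ name; do
        mode=${mode%[.+]}
        [ "${#mode}" -eq 10 ] || continue      # skips "total N" lines
        echo "$(mode_to_octal "$mode") $(classify_mode "$mode") $name"
    done
}
```

Pipe a listing in with `ls -l | audit_listing`; each function writes its result to stdout so the output can be checked in a script.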
To keep this tutorial simple, we will not cover how to modify file ownership and permissions here. To learn how to use chown, chgrp, and chmod
————————————————————————————————————————-
                                                   chmod
[root@machine2 ~]# touch one
[root@machine2 ~]# ls -l | grep one
-rw-r--r--. 1 root root          0 Feb  8 12:15 one
[root@machine2 ~]# chmod 444 one
[root@machine2 ~]# ls -l | grep one
-r--r--r--. 1 root root          0 Feb  8 12:15 one
[root@machine2 ~]# chmod ugo=x one
[root@machine2 ~]# ls -l | grep one
---x--x--x. 1 root root          0 Feb  8 12:15 one
[root@machine2 ~]# chmod ugo+r one
[root@machine2 ~]# ls -l | grep one
-r-xr-xr-x. 1 root root          0 Feb  8 12:15 one
[root@machine2 ~]# chmod u-x one
[root@machine2 ~]# ls -l | grep one
-r--r-xr-x. 1 root root          0 Feb  8 12:15 one
[root@machine2 ~]# chmod 0 one
[root@machine2 ~]# ls -l | grep one
----------. 1 root root          0 Feb  8 12:15 one
[root@machine2 ~]# chmod a+x one
[root@machine2 ~]# ls -l | grep one
---x--x--x. 1 root root          0 Feb  8 12:15 one
[root@machine2 ~]# mkdir sample
[root@machine2 ~]# touch sample/file{1..5}
[root@machine2 ~]# ls -l sample
total 0
-rw-r--r--. 1 root root 0 Feb  8 12:28 file1
-rw-r--r--. 1 root root 0 Feb  8 12:28 file2
-rw-r--r--. 1 root root 0 Feb  8 12:28 file3
-rw-r--r--. 1 root root 0 Feb  8 12:28 file4
-rw-r--r--. 1 root root 0 Feb  8 12:28 file5
[root@machine2 ~]# chmod -R 444 sample
[root@machine2 ~]# ls -l sample
total 0
-r--r--r--. 1 root root 0 Feb  8 12:28 file1
-r--r--r--. 1 root root 0 Feb  8 12:28 file2
-r--r--r--. 1 root root 0 Feb  8 12:28 file3
-r--r--r--. 1 root root 0 Feb  8 12:28 file4
-r--r--r--. 1 root root 0 Feb  8 12:28 file5
[root@machine2 ~]# touch sample/file6
[root@machine2 ~]# cd sample
[root@machine2 sample]# ls -l
total 0
-r--r--r--. 1 root root 0 Feb  8 12:28 file1
-r--r--r--. 1 root root 0 Feb  8 12:28 file2
-r--r--r--. 1 root root 0 Feb  8 12:28 file3
-r--r--r--. 1 root root 0 Feb  8 12:28 file4
-r--r--r--. 1 root root 0 Feb  8 12:28 file5
-rw-r--r--. 1 root root 0 Feb  8 12:30 file6
[root@machine2 sample]# chmod --reference=file1 file6
[root@machine2 sample]# ls -l
total 0
-r--r--r--. 1 root root 0 Feb  8 12:28 file1
-r--r--r--. 1 root root 0 Feb  8 12:28 file2
-r--r--r--. 1 root root 0 Feb  8 12:28 file3
-r--r--r--. 1 root root 0 Feb  8 12:28 file4
-r--r--r--. 1 root root 0 Feb  8 12:28 file5
-r--r--r--. 1 root root 0 Feb  8 12:30 file6
————————————————————————————————————————
                                                               chown
[root@machine2 ~]# ls -l sample
-r--r--r--.  1 root root    0 Feb  8 12:28 file4
-r--r--r--.  1 root root    0 Feb  8 12:28 file3
-r--r--r--.  1 root root    0 Feb  8 12:28 file2
-r--r--r--.  1 root root    0 Feb  8 12:28 file1
-r--r--r--.  1 root root    0 Feb  8 12:28 file5
-r--r--r--.  1 root root    0 Feb  8 12:30 file6
[root@machine2 ~]# ls -l /home/
total 4
drwx------. 4 mohammedrafi mohammedrafi 4096 Oct 24 00:58 mohammedrafi
[root@machine2 ~]# chown mohammedrafi sample/file6
[root@machine2 ~]# ls -lart sample
-r--r--r--.  1 root         root    0 Feb  8 12:28 file4
-r--r--r--.  1 root         root    0 Feb  8 12:28 file3
-r--r--r--.  1 root         root    0 Feb  8 12:28 file2
-r--r--r--.  1 root         root    0 Feb  8 12:28 file1
-r--r--r--.  1 root         root    0 Feb  8 12:28 file5
-r--r--r--.  1 mohammedrafi root    0 Feb  8 12:30 file6
————————————-
[root@machine2 ~]# chown mohammedrafi:mohammedrafi sample/file1
[root@machine2 ~]# ls -l sample
total 0
-r--r--r--. 1 mohammedrafi mohammedrafi 0 Feb  8 12:28 file1
-r--r--r--. 1 root         root         0 Feb  8 12:28 file2
-r--r--r--. 1 root         root         0 Feb  8 12:28 file3
-r--r--r--. 1 root         root         0 Feb  8 12:28 file4
-r--r--r--. 1 root         root         0 Feb  8 12:28 file5
-r--r--r--. 1 mohammedrafi root         0 Feb  8 12:30 file6

[root@machine2 ~]# chown :mohammedrafi sample/file3

[root@machine2 ~]# ls -l sample
-r--r--r--. 1 mohammedrafi mohammedrafi 0 Feb  8 12:28 file1
-r--r--r--. 1 root         root         0 Feb  8 12:28 file2
-r--r--r--. 1 root         mohammedrafi 0 Feb  8 12:28 file3
-r--r--r--. 1 root         root         0 Feb  8 12:28 file4
-r--r--r--. 1 root         root         0 Feb  8 12:28 file5
-r--r--r--. 1 mohammedrafi root         0 Feb  8 12:30 file6
——————————
                             Change owner only if a file is owned by a particular user
[root@machine2 ~]# ls -l sample
-r--r--r--. 1 mohammedrafi mohammedrafi 0 Feb  8 12:28 file1
-r--r--r--. 1 root         root         0 Feb  8 12:28 file2
-r--r--r--. 1 root         mohammedrafi 0 Feb  8 12:28 file3
-r--r--r--. 1 root         root         0 Feb  8 12:28 file4
-r--r--r--. 1 root         root         0 Feb  8 12:28 file5
-r--r--r--. 1 mohammedrafi root         0 Feb  8 12:30 file6
[root@machine2 ~]# useradd jack
[root@machine2 ~]# ls -l /home/
drwx------. 4 jack         jack         4096 Feb  8 12:52 jack
drwx------. 4 mohammedrafi mohammedrafi 4096 Oct 24 00:58 mohammedrafi
[root@machine2 ~]# cd sample
[root@machine2 sample]# chown --from=mohammedrafi jack file4
[root@machine2 sample]# ls -l
-r--r--r--. 1 mohammedrafi mohammedrafi 0 Feb  8 12:28 file1
-r--r--r--. 1 root         root         0 Feb  8 12:28 file2
-r--r--r--. 1 root         mohammedrafi 0 Feb  8 12:28 file3
-r--r--r--. 1 root         root         0 Feb  8 12:28 file4
-r--r--r--. 1 root         root         0 Feb  8 12:28 file5
-r--r--r--. 1 mohammedrafi root         0 Feb  8 12:30 file6
[root@machine2 sample]# chown --from=root jack file4
[root@machine2 sample]# ls -l
-r--r--r--. 1 mohammedrafi mohammedrafi 0 Feb  8 12:28 file1
-r--r--r--. 1 root         root         0 Feb  8 12:28 file2
-r--r--r--. 1 root         mohammedrafi 0 Feb  8 12:28 file3
-r--r--r--. 1 jack         root         0 Feb  8 12:28 file4
-r--r--r--. 1 root         root         0 Feb  8 12:28 file5
-r--r--r--. 1 mohammedrafi root         0 Feb  8 12:30 file6
——————————-
                           Change group only if a file already belongs to a certain group
[root@machine2 sample]# chown --from=:root :jack file4
[root@machine2 sample]# ls -l
-r--r--r--. 1 mohammedrafi mohammedrafi 0 Feb  8 12:28 file1
-r--r--r--. 1 root         root         0 Feb  8 12:28 file2
-r--r--r--. 1 root         mohammedrafi 0 Feb  8 12:28 file3
-r--r--r--. 1 jack         jack         0 Feb  8 12:28 file4
-r--r--r--. 1 root         root         0 Feb  8 12:28 file5
-r--r--r--. 1 mohammedrafi root         0 Feb  8 12:30 file6
————————————————————————————————————————
                                                              chgrp

[root@machine2 ~]# touch one
[root@machine2 ~]# ls -l | grep one
---x--x--x. 1 root root          0 Feb  8 13:34 one
[root@machine2 ~]# chgrp mohammedrafi one
[root@machine2 ~]# ls -l | grep one
---x--x--x. 1 root mohammedrafi          0 Feb  8 13:34 one
