In this lesson we’re going to talk about permissions.
Now understand that managing ownership of files and directories only represents a part of what you have to do in order to control access to the Linux file system.
Basically, ownership only specifies who owns what.
Ownership does not say what that person can or can’t do with those files or directories that they own.
In order to do this, you have to set up and manage permissions.
So, in this lesson we’re going to talk about how permissions work and we’re going to talk about how to manage permissions from the command line.
So, let’s begin by discussing how permissions function.
Table of Contents
How permissions function
Permissions basically specify what a particular user may do with the files and directories in the file system.
For example, these permissions may allow a user to view a file but not modify it, they could allow a user to open and also modify that file and save the changes, permissions may even allow a user to run an executable file.
In fact, permissions can even be configured to prevent a user from even seeing a file within a directory in the file system.
Understand that each file and directory in your Linux file system stores the specific permissions that have been assigned to it in the mode of the file.
So, if you hear someone refer to a file or directories mode, we’re talking about the permissions that have been assigned to that file or directory.
List of the possible permissions
A list of the possible permissions that can be assigned to either a file or to a directory are listed here.
|Permission||Symbol||Effect when assigned to a File||Effect when assigned to a Directory|
|Read||r||Allows a user to open a file.||Allows a user to list the contents of a directory.|
|Write||w||Allows a user to edit and save changes a file.||Allows a user to add or remove files from the directory.|
|Execute||x||Allows a user to run an executable file.||Allows a user to enter a directory.|
The first one is the read permission you’ll see the read permission represented by the
if you assign the read permission to a user to a file it will allow that user to open and view the file, but it does not allow that user to actually modify and save changes to that file.
On the other hand, if we were to assign the read permission for a user to a directory instead of a file then it allows the user to actually list the contents of that directory.
Essentially it allows them to see what files and subdirectories exist within a given directory.
You can also assign the write permission which uses a symbol of
If you grant a user Write permission to a file it allows that user to open modify and save changes to that file.
Whereas the read permission allowed them to look at the contents of the file, the Write permission allows them to modify the contents of a file.
On the other hand, if you grant the Write permission to a user to a particular directory in the Linux file system then that user is allowed to either add or remove files from that directory.
The last permission you need to be familiar with is the execute permission and it’s represented by the letter
If you grant a user, the execute permission to a file then that user is allowed to execute or run that file.
On the other hand, if you grant a user execute permission to a directory something totally different happens.
It just allows the user to actually enter into that directory safe with the cd command.
So, we’re pretty good thus far we have the read permission, the write permission, and the execute permission and each of these three different permissions can be assigned to either a file or to a directory in the file system.
Here’s where things get a little bit confusing.
Understand that these three permissions read, write and execute can be assigned to three different entities for each and every file and each and every directory in the file system.
File System Entities:
The first entity is the owner.
The owner is the user account that has been assigned to be either a file or a directories owner.
So, we can assign read, write or execute permissions to the owner and those permissions will be applied only to that user account, no one else.
In addition to owner you can also assign permissions to group.
Now the group is the group that’s been assigned ownership of a particular file or directory.
So, we can assign group read, write or execute permissions as well.
Any permissions that are assigned to group will be automatically applied to all user accounts that are members of that group.
And then the last one and the one that folks frequently forget from a security perspective but really shouldn’t because it’s very important is others.
Now others refer to all other authenticated users on the Linux system.
Anyone who is logged in who is not the files owner or directories owner and is not a member of the group that owns a file or directory someone who falls into this category is considered an other.
And you can actually assign read, write and execute permissions to others as well.
Now remember I said a minute ago that a lot of times we forget about others from a security perspective and we should not.
That’s because you need to be very careful about what permissions you assign to others.
Basically, every user on the system in one fashion or another belongs to others.
Therefore, any permission you assign to others basically gets assigned to anybody who authenticates to the system.
Now in some situations this can be really useful but in other cases it creates a security hole and can get you in a lot of trouble.
Basically, others should have minimal permissions assigned only enough to do what they need to do.
if every authenticated user on the system does not need access to a particular file or directory that don’t grant the necessary permissions to others.
How to check permissions in Linux
If you want to view the permissions that have been assigned to a particular file or directory in the file system you use the
ls -l command.
# ls -l -rw-r--r--. 1 root root 0 Mar 16 02:50 file1.txt -rw-rw-r--. 1 linuxadmin developer 0 Mar 16 02:50 file2.txt -rw-r--r--. 1 linuxadmin developer 0 Mar 16 02:50 file3.txt -rw-r--r--. 1 linuxadmin developer 0 Mar 16 02:50 file4.txt -rw-r--r--. 1 helpdesk helpdesk 0 Mar 16 02:50 file5.txt -rwxr--r--. 1 linuxadmin developer 0 Mar 16 02:51 file.sh -rw-r--r--. 1 root root 0 Mar 16 02:50 file.txt drwxr-xr-x. 2 linuxadmin developer 6 Mar 16 02:56 mydata1 drwxr-xr-x. 2 linuxadmin developer 6 Mar 16 02:56 mydata2 drwxr-xr-x. 2 root root 6 Mar 16 02:56 mydata3
When you do the permissions for each directory or file are displayed and they’re displayed on the left.
drwxr-xr-x. 2 linuxadmin developer 6 Mar 16 02:56 mydata1 -rw-rw-r--. 1 linuxadmin developer 0 Mar 16 02:50 file2.txt
File types in Linux
Now this first column is the mode that we talked about earlier for the particular file or directory.
Now the very first character in the mode identifies whether it is a file or whether it’s a directory or whether it’s a symbolic link.
if you see a
d as in the case for this entity in the file system then we know that it’s a directory on the other hand if we see a dash(
-) then we know that this entity is a file and if you see an lowercase
l then it’s a symbolic link.
Linux has many file types. Refer to the list below:
-– Regular file
n– Network file
l– Symbolic Link
c– Character Special File
b– Block Special File
p– Pipe (FIFO)
Identify the permissions assigned to the Owner
Then after that first character the next three characters identify the permissions that have been assigned to the owner of that directory or file.
-rw-rw-r--. 1 linuxadmin developer 0 Mar 16 02:50 file2.txt
So, for the
file2.txt file the owner of that file has been granted
w but not
That means that the owner of the file named
file2.txt has read(
r) and write(
w) permissions to that file but because there’s a dash(
-) in the third spot that means that execute hasn’t been assigned and that’s really not a problem because this is a text file.
It contains data it’s not an executable, so it’s not needed anyway but if this file were an executable then we would want the owner to be able to execute it.
An example of that is shown down here for the file named
-rwxr--r--. 1 linuxadmin developer 0 Mar 16 02:51 file.sh
file.sh is an executable therefore the file owner needs read(
w) and execute(
x) permissions to this file.
So that the file owner can not only read it and write to it but can also execute it when necessary.
Now if you aren’t sure who the owner of the file is, you can jump over one column right here that tells us the name of the owning user and the next column tells us the name of the owning group.
-rw-rw-r--. 1 linuxadmin developer 0 Mar 16 02:50 file2.txt -rw-r--r--. 1 helpdesk helpdesk 0 Mar 16 02:50 file5.txt
In this case
file2.txt owned by the
linuxadmin user and is also owned by a group named are
By way of comparison the
file5.txt is owned by
helpdesk user and the name of the owning group is also
Identify the permissions assigned to the Group
This is important because the next three characters in a files mode are the permissions that are assigned to that owning group or the
file2.txt file the owning group which is the
developer group has read and write permissions to that file as well.
-rw-rw-r--. 1 linuxadmin developer 0 Mar 16 02:50 file2.txt -rw-r--r--. 1 linuxadmin helpdesk 0 Mar 16 02:50 file6.txt
So, with this particular file the user that owns the file can open the file access it modify it and save changes.
in addition, any user that’s a member of the owning group can also open the file modify it and save the changes.
But notice for the
file6.txt file, the owning group only has the Read(
r) permission assigned.
It does not have the
w permission assigned, where as the owning user has both read and write permissions assigned.
Therefore the user of the
file6.txt can edit the file and save changes but any user who’s a member of the
helpdesk group will only be able to look at the contents of the file they will not be allowed to edit it.
Identify the permissions assigned to the Others
Finally, the last three characters in the mode are the permissions that are assigned to others.
-rw-rw-r--. 1 linuxadmin developer 0 Mar 16 02:50 file2.txt -rw-r--r--. 1 linuxadmin helpdesk 0 Mar 16 02:50 file6.txt
Which is basically any legitimately authenticated user on the system who is not the owner and is not a member of the owning group.
So for the
file5.txt file every user on the system has read access to this file and the same is true for the
All authenticated users on the system who are not the owner and not a member of the owning group will be able to look at the contents of this file.
Remember I said earlier that you need to be very careful about managing the permissions that are assigned to others.
What if this document is very sensitive? what if we don’t want every other user on the system to be able to read its contents.
We might want to consider removing the read permission to prevent prying eyes from seeing what’s in this file.
Numeric Permissions Notation
Now before we go any further you need to be aware that these permissions for each entity can also be represented numerically.
This is done to save space.
Because as we saw previously specifying the three different permissions for each of the three different entities takes up a little bit of space.
To make things a little more concise we can represent permissions by a number.
The read permission is assigned a value of 4, the write permission is assigned a value of 2 and the execute permission is represented by a value of 1.
Now using these numbers we can then represent all of the permissions that are assigned to owner, all of the permissions that are assigned to group, and all of the permissions that are assigned to others with a single number.
All you have to do is add up the value of each permission that’s been assigned.
In this example the owner of a file has been assigned the read and write permissions.
Read has a value of 4, Right has a value of 2, we add the two together and we get a value of 6.
If you see 6 you know that the entity represented by that permission has read and write permissions.
And whenever you see numeric permissions identified in this way remember that the first digit represents owner, the second digit represents group, and the third digit represents others.
In this case the owning group only has the read permission assigned therefore we don’t have to add anything up there’s just a value of 4.
Same for others has the read permission assigned so it has a value of 4 as well.
So, the mode of the file with these permissions assigned to it can be represented more concisely by just the number
If we were looking at this mode in the output of the
ls -l command, we would see it represented in this way
-rw-r--r-- for user group and others.
How to modify permissions using chmod command
So, what do you do if the permissions that have been assigned to a file or directory aren’t correct?
Well you can modify them using this utility
chmod which stands for Change Mode.
You must follow the syntax given below to use the
chmod [OPTION]... MODE[,MODE]... FILE...
Now be aware that in order to do this you must either already be the owner of a file or directory or you must be logged in as the root user.
Any other user will not be allowed to change the mode of a file.
Imagine the situation you would cause if any user could go into any file and change its mode.
That would be a security nightmare.
Now there are different syntaxes that can be used with
The first one is shown here where we enter
chmod and then we enter the entity we want to assign permissions to and then an equal sign(
=) and then the permissions that we want to assign to that entity(
others) followed by the name of the file or directory whose mode we want to change.
An example is shown down here.
# chmod u=rw,g=rw,o=r file1.txt
chmod and we say
u=rw which grants the owner of the directory read/write permissions.
Now because we used an equal sign (
=) whatever we specify here overwrites what already may be in the mode for user.
So if the user had say
rwx permissions to this file for some reason then by using
u=rw the owner would then only have read/write permissions and the execute permission would be removed.
We also specify that the owning group gets read/write permissions and then
o over here refers to others and others get the read permission.
Now this is a point of confusion right here because
o makes us think of owner right, well owner is not
o, owner is
u, others is
o don’t get tripped up by that.
And then we specify the name of the file whose mode we want to modify.
Toggle permission on or off using plus(+) or the minus(-) sign
Now you can also use the
chmod command to simply toggle one particular permission off or on using either the plus(
+) or the minus(
-) sign for a particular entity.
For example, let’s suppose that I want to turn off the write permission that we just gave to the owning group for the
file1.txt file in the previous example.
To do this I would enter the following command to turn off the write permission.
# chmod g-w file1.txt
If I’d decided later that that was the wrong thing to do and I need to turn the write permission back on for group I would enter the same command again.
But this time I would use a plus sign between
w to tell the
chmod command that we want to turn on the write permission for the owning group.
# chmod g+w file1.txt
Now if I wanted to toggle a permission for the owner of the file I would have used
u instead of
g, if on the other hand I wanted to toggle permission for others I would have used an
o instead of
g in the command.
And of course, if I wanted to add the read permission instead of write I would have added
r and If I wanted to manipulate the execute permission I would have used an
x instead of
Change the permissions using Numeric mode
There’s a third syntax that you can use with the
chmod command and this is one where we represent the entire mode that we want to assign to a particular file or directory’ numerically.
chmod [numerical permisson] [filename]
To do this we enter
chmod followed by a numeric representation of the mode that we want to assign to either the file or directory.
For example, here we enter
chmod and then we enter the numeric mode
660 and then the name of the file
660 what permissions are being assigned to the three entities.
Well the first number is user(Owner). if we have
6 and we know that, that’s
4+2=6, that means we have read(
4) and write(
The second digit applies to group, again we have
6 and as we know that, that’s
4+2=6, that means we have read(
4) and write(
Then others gets
0 that means others gets nada i.e. no permissions at all.
Change permissions recursively
Now before we end, I want to make you aware that you can use the
-R option with the
chmod command that is extremely useful.
In the examples we’ve been assigning a particular mode to one file at a time.
May be situations where you need to change the mode of many files within a directory structure all at once.
And if you had to go through and manually assign the mode to every single file and directory it would take you very long time.
If you want to do an entire directory structure all at once add the
-R option to the command and then it will recursively apply the permissions you specify to every file in every subdirectory within the directory that you specify.
# chmod -R 660 data/
Basically, it takes care of it all at once, but you use it with caution.
You can visit at following website to get more information on Linux file permissions.
I hope that now you have a good understanding of how the Linux Permission works and you have some ideas for how you can use this within your workflow.
If anyone does have any questions about what we covered in this guide then feel free to ask in the comment section below and I will do my best to answer those.