Understanding Linux File Permissions: The Complete Guide

In this lesson we’re going to talk about permissions.

Now understand that managing ownership of files and directories only represents a part of what you have to do in order to control access to the Linux file system.

Basically, ownership only specifies who owns what.

Ownership does not say what that person can or can’t do with those files or directories that they own.

In order to do this, you have to set up and manage permissions.

So, in this lesson we’re going to talk about how permissions work and we’re going to talk about how to manage permissions from the command line.

So, let’s begin by discussing how permissions function.

How permissions function

Permissions basically specify what a particular user may do with the files and directories in the file system.

For example, permissions may allow a user to view a file but not modify it, allow a user to open a file, modify it and save the changes, or allow a user to run an executable file.

In fact, permissions can even be configured to prevent a user from even seeing a file within a directory in the file system.

Understand that each file and directory in your Linux file system stores the specific permissions that have been assigned to it in the mode of the file.

So, if you hear someone refer to a file's or directory's mode, they are talking about the permissions that have been assigned to that file or directory.

List of the possible permissions

The permissions that can be assigned to a file or a directory are listed here.

Permission | Symbol | Effect when assigned to a file                   | Effect when assigned to a directory
Read       | r      | Allows a user to open and read the file.         | Allows a user to list the contents of the directory.
Write      | w      | Allows a user to edit the file and save changes. | Allows a user to add, remove or rename entries in the directory.
Execute    | x      | Allows a user to run the file as a program.      | Allows a user to enter the directory and reach the files inside it.

Read Permission

The first one is the read permission, represented by the r symbol.

If you assign the read permission to a user for a file, it allows that user to open and view the file, but it does not allow that user to modify it or save changes to it.

On the other hand, if we were to assign the read permission for a user to a directory instead of a file then it allows the user to actually list the contents of that directory.

Essentially it allows them to see what files and subdirectories exist within a given directory.

Write Permission

You can also assign the write permission which uses a symbol of w.

If you grant a user write permission to a file, it allows that user to open the file, modify it and save the changes.

Whereas the read permission allowed them to look at the contents of the file, the write permission allows them to change those contents.

On the other hand, if you grant a user write permission to a directory, that user is allowed to add files to the directory, remove files from it or rename them. Note that deleting and renaming are controlled by the directory's write permission, not the file's: a user with write on the directory can delete a file inside it even if they have no permissions at all on that file (the sticky bit used on directories such as /tmp is the exception).

Execute Permission

The last permission you need to be familiar with is the execute permission and it’s represented by the letter x.

If you grant a user the execute permission on a file, that user is allowed to run that file as a program.

If you grant a user execute permission on a directory, something quite different happens.

It allows the user to enter the directory, for example with the cd command, and to reach the files inside it by name. Read and execute on a directory are independent: with read but not execute, a user can list the names in the directory but cannot open any of the files; with execute but not read, a user can open a file whose exact name they already know but cannot list the directory.

So far we have the read permission, the write permission and the execute permission, and each of these three permissions can be assigned to either a file or a directory in the file system.

Different Entities

Here’s where things get a little bit confusing.

Understand that these three permissions read, write and execute can be assigned to three different entities for each and every file and each and every directory in the file system.

File System Entities:

  • Owner
  • Group
  • Others

Owner:

The first entity is the owner.

The owner is the user account that has been assigned as the file's or directory's owner.

So, we can assign read, write or execute permissions to the owner and those permissions will be applied only to that user account, no one else.

Group:

In addition to owner you can also assign permissions to group.

Now the group is the group that’s been assigned ownership of a particular file or directory.

So, we can assign group read, write or execute permissions as well.

Any permissions assigned to the group apply to every user account that is a member of that group. The checks are made in order, though: if the user is the file's owner, only the owner permissions are consulted, even when the group permissions happen to be wider.

Others:

And then the last one, the one that folks frequently forget from a security perspective but really shouldn't because it is very important, is others.

Others refers to everyone else on the Linux system.

Anyone who is not the file's or directory's owner and is not a member of the group that owns it falls into this category and is considered an other. That includes not just people who log in interactively but also service accounts and any process running under them.

And you can actually assign read, write and execute permissions to others as well.

Now remember I said a minute ago that a lot of times we forget about others from a security perspective and we should not.

That’s because you need to be very careful about what permissions you assign to others.

Relative to any given file, every account on the system that is not its owner and not in its group is an other.

Therefore, any permission you assign to others is effectively granted to anyone who can log in or run a process on the system.

In some situations this is exactly what you want, but in other cases it creates a security hole and can get you into a lot of trouble.

Others should have the minimum permissions needed to do their job, and often that is none at all.

If every user on the system does not need access to a particular file or directory, then don't grant the permissions to others.

How to check permissions in Linux

If you want to view the permissions that have been assigned to a particular file or directory in the file system you use the ls -l command.

# ls -l
-rw-r--r--. 1 root       root      0 Mar 16 02:50 file1.txt
-rw-rw-r--. 1 linuxadmin developer 0 Mar 16 02:50 file2.txt
-rw-r--r--. 1 linuxadmin developer 0 Mar 16 02:50 file3.txt
-rw-r--r--. 1 linuxadmin developer 0 Mar 16 02:50 file4.txt
-rw-r--r--. 1 helpdesk   helpdesk  0 Mar 16 02:50 file5.txt
-rwxr--r--. 1 linuxadmin developer 0 Mar 16 02:51 file.sh
-rw-r--r--. 1 root       root      0 Mar 16 02:50 file.txt
drwxr-xr-x. 2 linuxadmin developer 6 Mar 16 02:56 mydata1
drwxr-xr-x. 2 linuxadmin developer 6 Mar 16 02:56 mydata2
drwxr-xr-x. 2 root       root      6 Mar 16 02:56 mydata3
Linux Permission Structure


When you do, the mode (the permissions) for each file or directory is displayed in the first column on the left.

drwxr-xr-x. 2 linuxadmin developer 6 Mar 16 02:56 mydata1
-rw-rw-r--. 1 linuxadmin developer 0 Mar 16 02:50 file2.txt
Linux Permissions

File types in Linux

Now this first column is the mode that we talked about earlier for the particular file or directory.

The very first character in the mode identifies whether the entry is a regular file, a directory, a symbolic link or one of the other file types.

If you see a d, as in the case of the mydata1 directory above, then it is a directory; a dash (-) means a regular file, and a lowercase l means a symbolic link. The dot after the mode in these listings (for example -rw-rw-r--.) is not a permission: GNU ls prints . when the file carries an SELinux security context and + when it has an access control list (ACL) in addition to the mode.

File Types

Linux has many file types. Refer to the list below:

  • - – Regular file
  • d – Directory
  • n – Network special file (an HP-UX type that GNU ls knows about; not normally seen on Linux)
  • l – Symbolic Link
  • c – Character Special File
  • s – Socket
  • b – Block Special File
  • p – Pipe (FIFO)

Identify the permissions assigned to the Owner

Then after that first character the next three characters identify the permissions that have been assigned to the owner of that directory or file.

-rw-rw-r--. 1 linuxadmin developer 0 Mar 16 02:50 file2.txt

So, for the file2.txt file the owner of that file has been granted r and w but not x.

That means the owner of file2.txt has read (r) and write (w) permissions on that file, but because there is a dash (-) in the third spot, execute has not been assigned. That is not a problem here because this is a text file.

It contains data rather than a program, so execute is not needed anyway. If this file were an executable, we would want the owner to be able to execute it.

An example of that is shown down here for the file named file.sh.

-rwxr--r--. 1 linuxadmin developer 0 Mar 16 02:51 file.sh

file.sh is a script, so the file owner needs read (r), write (w) and execute (x) permissions on it, so that the owner can not only read it and write to it but also execute it when necessary.

If you aren't sure who the owner of the file is, skip over the link count (the number right after the mode): the next column is the name of the owning user, and the one after it is the name of the owning group.

-rw-rw-r--. 1 linuxadmin developer 0 Mar 16 02:50 file2.txt
-rw-r--r--. 1 helpdesk   helpdesk  0 Mar 16 02:50 file5.txt

In this case file2.txt is owned by the linuxadmin user, and its owning group is developer.

By way of comparison, file5.txt is owned by the helpdesk user, and the owning group is also helpdesk.

Identify the permissions assigned to the Group

This is important because the next three characters in a file's mode are the permissions assigned to the owning group. For file2.txt the owning group, developer, has read and write permissions on the file as well.

-rw-rw-r--. 1 linuxadmin developer 0 Mar 16 02:50 file2.txt
-rw-r--r--. 1 linuxadmin helpdesk  0 Mar 16 02:50 file6.txt

So, with this particular file the user that owns it can open the file, modify it and save changes.

In addition, any user that is a member of the owning group can also open the file, modify it and save the changes.

But notice for the file6.txt file, the owning group only has the read (r) permission assigned.

It does not have the w permission assigned, whereas the owning user has both read and write permissions.

Therefore the owner of file6.txt can edit the file and save changes, but any user who is a member of the helpdesk group will only be able to look at the contents of the file; they will not be allowed to edit it.

Identify the permissions assigned to the Others

Finally, the last three characters in the mode are the permissions that are assigned to others.

-rw-rw-r--. 1 linuxadmin developer 0 Mar 16 02:50 file2.txt
-rw-r--r--. 1 linuxadmin helpdesk  0 Mar 16 02:50 file6.txt

Others is any account on the system that is not the owner and is not a member of the owning group.

So for the file2.txt file every user on the system has read access, and the same is true for file6.txt.

All users on the system who are not the owner and not a member of the owning group will be able to look at the contents of these files.

Remember I said earlier that you need to be very careful about managing the permissions that are assigned to others.

What if this document is very sensitive? What if we don't want every other user on the system to be able to read its contents?

We might want to consider removing the read permission to prevent prying eyes from seeing what’s in this file.

Numeric Permissions Notation

Now before we go any further you need to be aware that these permissions for each entity can also be represented numerically.

Permission | Value
Read       | 4
Write      | 2
Execute    | 1

This is done to save space.

Because as we saw previously specifying the three different permissions for each of the three different entities takes up a little bit of space.

To make things a little more concise we can represent permissions by a number.

The read permission is assigned a value of 4, the write permission is assigned a value of 2 and the execute permission is represented by a value of 1.

Now using these numbers we can then represent all of the permissions that are assigned to owner, all of the permissions that are assigned to group, and all of the permissions that are assigned to others with a single number.

All you have to do is add up the value of each permission that’s been assigned.

Numeric Permissions

Take a file whose mode is -rw-r--r--. The owner of that file has been assigned the read and write permissions.

Read has a value of 4 and Write has a value of 2; we add the two together and get a value of 6.

If you see 6 you know that the entity represented by that permission has read and write permissions.

And whenever you see numeric permissions identified in this way remember that the first digit represents owner, the second digit represents group, and the third digit represents others.

In this case the owning group only has the read permission assigned therefore we don’t have to add anything up there’s just a value of 4.

Same for others has the read permission assigned so it has a value of 4 as well.

So, the mode of the file with these permissions assigned to it can be represented more concisely by just the number 644.

If we were looking at this mode in the output of the ls -l command, we would see it represented in this way -rw-r--r-- for user group and others.
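The following Python is an added example, not code from the original article. It turns the mode column of ls -l into the numeric form described above and back again, and it applies the owner-then-group-then-others rule from the entities section to work out which triplet a given user actually gets. The listing lines it parses are taken from the article's ls -l output; the user names and group memberships handed to it are constructed for the demonstration, and the handling of the trailing . or + marker follows GNU ls.

```python
# Added example (not code from the original article). It turns the mode
# column of ls -l into the numeric form, turns a number back into r/w/x
# letters, and works out which of the three triplets applies to a given
# user. The listing lines below are copied from the article; the user names
# passed to audit_listing are constructed for the demonstration.

# Type letter that ls prints in the first column of the mode.
FILE_TYPES = {
    "-": "regular file",
    "d": "directory",
    "l": "symbolic link",
    "c": "character special file",
    "b": "block special file",
    "p": "named pipe (FIFO)",
    "s": "socket",
}

# Numeric value of each permission letter (read 4, write 2, execute 1).
BIT_VALUES = {"r": 4, "w": 2, "x": 1}


def parse_mode(mode_text):
    """Split an ls -l mode such as '-rw-r--r--.' into (type, octal, marker).

    A trailing '.' means the file carries an SELinux context and '+' means
    it has an ACL; neither is part of the permission bits. The setuid,
    setgid and sticky letters (s, S, t, T) are outside this article and
    are rejected rather than silently misread.
    """
    marker = ""
    if mode_text and mode_text[-1] in ".+":
        marker = mode_text[-1]
        mode_text = mode_text[:-1]
    if len(mode_text) != 10 or mode_text[0] not in FILE_TYPES:
        raise ValueError(f"not an ls -l mode string: {mode_text!r}")
    octal = 0
    for triplet in (mode_text[1:4], mode_text[4:7], mode_text[7:10]):
        digit = 0
        for expected, letter in zip("rwx", triplet):
            if letter == expected:
                digit += BIT_VALUES[letter]
            elif letter != "-":
                raise ValueError(f"unsupported permission letter {letter!r}")
        octal = (octal << 3) | digit
    return FILE_TYPES[mode_text[0]], octal, marker


def format_mode(octal):
    """Inverse of the numeric part of parse_mode: 0o644 -> 'rw-r--r--'."""
    letters = []
    for shift in (6, 3, 0):
        digit = (octal >> shift) & 0o7
        for letter, value in BIT_VALUES.items():
            letters.append(letter if digit & value else "-")
    return "".join(letters)


def effective_permissions(octal, file_owner, file_group, user, user_groups):
    """Letters the kernel honours for `user` on a file with these settings.

    Exactly one triplet is consulted, in this order: owner, then group,
    then others. The owner gets the owner bits even when the group or
    others bits are wider, so a mode of 0o477 gives its owner read only
    while everybody else gets full access. `user_groups` must include the
    user's primary group.
    """
    if user == file_owner:
        digit = (octal >> 6) & 0o7
    elif file_group in user_groups:
        digit = (octal >> 3) & 0o7
    else:
        digit = octal & 0o7
    return "".join(letter for letter, value in BIT_VALUES.items() if digit & value)


# Lines from the article's ls -l listing, used as sample input.
SAMPLE_LISTING = [
    "-rw-rw-r--. 1 linuxadmin developer 0 Mar 16 02:50 file2.txt",
    "-rw-r--r--. 1 helpdesk   helpdesk  0 Mar 16 02:50 file5.txt",
    "-rwxr--r--. 1 linuxadmin developer 0 Mar 16 02:51 file.sh",
    "drwxr-xr-x. 2 linuxadmin developer 6 Mar 16 02:56 mydata1",
]


def audit_listing(lines, user, user_groups):
    """For each ls -l line return (name, numeric mode, letters `user` gets)."""
    report = []
    for line in lines:
        fields = line.split(None, 8)
        mode_text, owner, group, name = fields[0], fields[2], fields[3], fields[8]
        _, octal, _ = parse_mode(mode_text)
        letters = effective_permissions(octal, owner, group, user, user_groups)
        report.append((name, f"{octal:03o}", letters))
    return report


if __name__ == "__main__":
    # Constructed user: 'helpdesk' belongs only to its own group.
    for name, mode, letters in audit_listing(SAMPLE_LISTING, "helpdesk", {"helpdesk"}):
        print(f"{name:<12} {mode}  helpdesk gets: {letters or '(nothing)'}")
```

Run against the article's listing as the helpdesk user, the report shows helpdesk getting rw on its own file5.txt but only r on everything linuxadmin owns, which is exactly the others triplet the text warns about. The 0o477 case in the docstring is worth trying too: it is the simplest demonstration that the owner triplet is consulted first and alone.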

How to modify permissions using chmod command

So, what do you do if the permissions that have been assigned to a file or directory aren’t correct?

Well you can modify them using this utility chmod which stands for Change Mode.

You must follow the syntax given below to use the chmod command.

chmod [OPTION]... MODE[,MODE]... FILE...

Now be aware that in order to do this you must either already be the owner of a file or directory or you must be logged in as the root user.

Any other user will not be allowed to change the mode of a file.

Imagine the situation you would cause if any user could go into any file and change its mode.

That would be a security nightmare.

Now there are different syntaxes that can be used with chmod command.

The first one is shown here: we enter chmod, then the entity we want to assign permissions to, then an equal sign (=), then the permissions we want that entity (u for user/owner, g for group, o for others) to have, followed by the name of the file or directory whose mode we want to change.

An example is shown down here.

# chmod u=rw,g=rw,o=r file1.txt

We run chmod and say u=rw, which grants the owner of the file read/write permissions.

Now because we used an equal sign (=) whatever we specify here overwrites what already may be in the mode for user.

So if the user had say rwx permissions to this file for some reason then by using u=rw the owner would then only have read/write permissions and the execute permission would be removed.

We also specify that the owning group gets read/write permissions, and o refers to others, which get the read permission.

This is a common point of confusion: o looks like it should mean owner, but the owner is u (user) and o means others. Don't get tripped up by that.

And then we specify the name of the file whose mode we want to modify.

Toggle permission on or off using plus(+) or the minus(-) sign

Now you can also use the chmod command to simply toggle one particular permission off or on using either the plus(+) or the minus(-) sign for a particular entity.

Toggle Permission

For example, let’s suppose that I want to turn off the write permission that we just gave to the owning group for the file1.txt file in the previous example.

To do this I would enter the following command to turn off the write permission.

# chmod g-w file1.txt

If I’d decided later that that was the wrong thing to do and I need to turn the write permission back on for group I would enter the same command again.

But this time I would use a plus sign between g and w to tell the chmod command that we want to turn on the write permission for the owning group.

# chmod g+w file1.txt

Now if I wanted to toggle a permission for the owner of the file I would have used u instead of g, if on the other hand I wanted to toggle permission for others I would have used an o instead of g in the command.

And of course, if I wanted to add the read permission instead of write I would have added r and If I wanted to manipulate the execute permission I would have used an x instead of w.

Change the permissions using Numeric mode

There is a third syntax that you can use with the chmod command, where we represent the entire mode that we want to assign to a particular file or directory numerically.

chmod [numeric permission] [filename]

To do this we enter chmod followed by a numeric representation of the mode that we want to assign to either the file or directory.

For example, here we enter chmod and then we enter the numeric mode 660 and then the name of the file file1.txt.

Numeric representation of the mode

So, with 660, what permissions are being assigned to the three entities?

The first digit is for the user (owner). We have 6, and 4+2=6, so the owner has read (4) and write (2) permission.

The second digit applies to group, again we have 6 and as we know that, that’s 4+2=6, that means we have read(4) and write(2) permission.

Then others gets 0, which means no permissions at all.

Change permissions recursively

Before we end, I want to make you aware of the -R option of the chmod command, which is extremely useful.

In the examples we’ve been assigning a particular mode to one file at a time.

There may be situations where you need to change the mode of many files within a directory structure all at once.

If you had to go through and manually assign the mode to every single file and directory, it would take a very long time.

If you want to do an entire directory structure all at once add the -R option to the command and then it will recursively apply the permissions you specify to every file in every subdirectory within the directory that you specify.

# chmod -R 660 data/

It takes care of it all at once, but use it with caution. A numeric mode applies the same bits to directories and files alike: 660 strips the execute (search) permission from data/ and every directory under it, so after this command nobody but root can enter data/ or open the files inside. In symbolic mode a capital X sets execute only on directories and on files that are already executable, which is the usual way to fix permissions recursively without that side effect.
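To see each chmod syntax from this section behave as described, including the -R pitfall, here is an added Python example (not code from the original article) that drives the real chmod binary on a scratch directory and reads every result back with os.stat. The scratch paths, the data/ tree and the report.txt file it creates are constructed for the demonstration; it assumes a Linux system with GNU chmod, and the readings are the same whether it runs as root or as an ordinary user.

```python
# Added example (not code from the original article). It runs each chmod
# syntax from this guide against scratch files and reads the result back
# with os.stat, so the effect of '=', '+'/'-', a numeric mode and -R can be
# checked rather than assumed. It calls the real chmod binary, so it needs a
# Linux system; the scratch directory and file names are constructed here
# and have nothing to do with the files in the article's listing.

import os
import stat
import subprocess
import tempfile


def octal_mode(path):
    """Permission bits of `path` as ls would show them numerically, e.g. '644'."""
    return f"{stat.S_IMODE(os.lstat(path).st_mode):03o}"


def chmod(*args, check=True):
    """Run the real chmod command so the guide's syntaxes are what gets tested."""
    return subprocess.run(["chmod", *args], check=check,
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def fresh_file(workdir, name="file1.txt"):
    """Create (or truncate) a scratch file and return its path."""
    path = os.path.join(workdir, name)
    open(path, "w").close()
    return path


def demo_symbolic(workdir):
    """'=' replaces the whole triplet: starting from 777, u=rw drops the x bit."""
    f = fresh_file(workdir)
    chmod("777", f)
    chmod("u=rw,g=rw,o=r", f)
    return octal_mode(f)                      # '664'


def demo_toggle(workdir):
    """'-' and '+' change one bit and leave the rest of the mode alone."""
    f = fresh_file(workdir)
    chmod("664", f)
    chmod("g-w", f)
    after_minus = octal_mode(f)               # '644'
    chmod("g+w", f)
    after_plus = octal_mode(f)                # '664'
    return after_minus, after_plus


def demo_numeric(workdir):
    """A numeric mode sets all nine bits at once: 660 leaves others nothing."""
    f = fresh_file(workdir)
    chmod("660", f)
    return octal_mode(f)                      # '660'


def demo_recursive(workdir):
    """Why 'chmod -R 660 dir' is a trap, and the X form that avoids it.

    660 on a directory removes its execute (search) bit, so after the naive
    command nobody but root can enter the directory, and chmod itself may
    fail to reach the files below it (hence check=False). A capital X in a
    symbolic mode sets execute only on directories and on files that are
    already executable, so 'u=rwX,g=rwX,o=' yields 770 for directories and
    660 for plain files. The top directory gets u+x first so that the
    recursive fix can descend into it.
    """
    d = os.path.join(workdir, "data")
    os.makedirs(d, exist_ok=True)
    os.chmod(d, 0o755)
    f = fresh_file(d, "report.txt")
    chmod("-R", "660", d, check=False)
    naive_dir = octal_mode(d)                 # '660': the directory is now unenterable
    chmod("u+x", d)
    chmod("-R", "u=rwX,g=rwX,o=", d)
    return naive_dir, octal_mode(d), octal_mode(f)   # ('660', '770', '660')


def run_all():
    """Run every demo in a throwaway directory and return the readings."""
    with tempfile.TemporaryDirectory() as workdir:
        return {
            "symbolic": demo_symbolic(workdir),
            "toggle": demo_toggle(workdir),
            "numeric": demo_numeric(workdir),
            "recursive": demo_recursive(workdir),
        }


if __name__ == "__main__":
    for name, reading in run_all().items():
        print(f"{name:<10} {reading}")
```

The recursive demo is the one to study: chmod -R 770 would have made every plain file executable, chmod -R 660 makes every directory unenterable, and u=rwX,g=rwX,o= is the form that gives each kind of entry the bits it needs. The same result can be had with two find commands (chmod 770 on -type d, chmod 660 on -type f), which is what many admins reach for when the tree mixes scripts and data.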


Conclusion

I hope that now you have a good understanding of how the Linux Permission works and you have some ideas for how you can use this within your workflow.

If anyone does have any questions about what we covered in this guide then feel free to ask in the comment section below and I will do my best to answer those.
