Managing File Permissions

Objectives

  • List and interpret file permissions.

File Permissions

File permissions are an important part of the Linux security model. File ownership and file permissions manage user access to file resources. The file permissions that are set on a file or a directory determine who can access it and how they can interact with the file.

Interpreting File Permissions

In Linux, three types of file permissions determine the access for three sets of users: user, group, and others.

The user set, also known as owner, refers to only one user: the user that owns the file. By default, this user is the user that creates the file. The group set refers to all the users who are members of the group that owns the file. By default, this group is usually the primary group of the user that creates the file. The others set refers to any user who is not a member of the group, and who is not the user that owns the file.

Each set of users can have permissions to read, write, or execute a file or a directory. These permissions are represented by letters or octal values.

read (r)

The read permission is the most basic permission on a file. The read permission allows the user set to view the file, but not to modify its contents. On a directory, the read permission allows the user to list the contents of that directory.

write (w)

The write permission allows a user set to modify the contents of the file. On a directory, the write permission allows the user set to create files inside that directory. The read permission is implicit in the write permission.

execute (x)

The execute permission allows a user set to execute the file. Executing or running a file means that the system executes a list of tasks that are coded into the executed file. In Linux, you commonly run shell scripts. These shell scripts are plain text files that contain a list of commands. On a directory, the execute permission allows the user to navigate to the directory. The read permission is implicit in the execute permission. The write permission is not implicit in the execute permission.

A set of permissions is a string of nine characters. For example, the rwxrw-r-- string represents the permissions of a file. To interpret the permissions, divide the string into three sets of three characters each. The first set corresponds to user permissions, the second set corresponds to group permissions, and the third set corresponds to permissions for others.

user permissions: rwx (1)
group permissions: rw- (2)
others permissions: r-- (3)

(1) The rwx string represents all three permissions: read, write, and execute.

(2) The rw- string represents the read and write permissions. The hyphen (-) represents the absence of the execute permission.

(3) The r-- string represents the read permission only.

File permissions can also be represented by octal numbers, which is a number system that uses a range of eight digits (0 to 7). A full set of octal permissions is represented by four numbers. The first number represents special permissions. A leading zero in octal numbers represents no special permissions. The next three numbers are the permission numbers for each set of users. The read permission is represented by the number four, write is represented by a two, and execute is represented by a one.

From the previous example, the rwxrw-r-- string is represented as 0761 in octal numbers:

  • The first number (0) represents no special permissions.

  • The second number (7) represents the user owner, and it is equivalent to the rwx string. The number 7 results from adding the permissions for read (4 in octal value), write (2 in octal value), and execute (1 in octal value).

  • The third number (6) represents the group owner, and it is equivalent to the rw- string. The number 6 results from adding the permissions for read (4 in octal value) and write (2 in octal value).

  • The fourth number (1) represents the others set, and it is equivalent to the r-- string. The number 1 represents the execute permission in octal value.

The default file permission that is set for a new directory is rwxrwxr-x, which can be represented as the 0775 octal number.

Viewing File Permissions

To view the permissions of a file or directory in the Files application, right-click the target and then select Properties > Permissions. The Access drop-down list displays the permissions that are set on the file. The Execute checkbox indicates whether the file has execute permissions.

In the following example, the Report.docx file has read and write permissions for the user, read and write permissions for the group, and only read permissions for others. The Execute checkbox is not selected, so the file does not have execute permissions.

Figure 5.2: File permissions example

On the command line, you view file permissions by using the ls command with the -l option. The first column of the output contains three attributes of the file: the file type, the file permissions, and the extended attributes. The first character of the string represents the file type, the next nine characters represent the file permissions, and the last character represents the extended attributes.

In the following example, you examine the Report.docx file ownership and permissions. The Report.docx file is a regular file, which is indicated by the leading hyphen in the first column. The eprice user has read, write, and execute permissions (rwx). Members of the finance group have read and write permissions (rw-). All other users have read permissions (r--).

[user@host ~]$ ls -l
...output omitted...
-rwxrw-r--. 1 eprice finance 17 Nov  2 12:44 Report.docx

Even if a file has read permissions for all users, you must have permission to view all directories in the path of the file. If you do not have permission to view a directory in the path, then you cannot view the file.

Modifying File Permissions

In the Files application, view the properties of the file and click Permissions. You can select the desired permission in the Access drop-down list for each user set.

Figure 5.3: Updating file permissions

On the command line, you use the chmod command to modify file permissions. The chmod command requires two arguments: the new permission set, and the target file or directory. As with the chown command, you can use the -R option with the chmod command to modify permissions recursively.

In the following example, you set permissions for the homework.doc file. You set read and write permissions for the user set, and read permissions for the group set and the others set. This command overwrites any previous permissions on the file.

[user@host ~]$ chmod 0644 homework.doc
[user@host ~]$ ls -l homework.doc
-rw-r--r--. 1 user user 45045 Nov  5 00:50 homework.doc

In the following example, you review the file permissions of the daily-tasks.sh script and then try to execute the script. You execute a shell script by providing the script path. If the script is in the current directory, then you can use a period followed by a forward slash (./) to refer to the current directory. The daily-tasks.sh script does not have execute permissions, so the execution fails.

[aquincy@host ~]$ ls -l daily-tasks.sh
-rw-rw-r--. 1 aquincy finance 33 Nov  5 13:35 daily-tasks.sh
[aquincy@host ~]$ ./daily-tasks.sh
-bash: ./daily-tasks.sh: Permission denied

You then set execute permissions on the daily-tasks.sh shell script. The 0750 permissions grant read, write, and execute permissions to the aquincy user, and read and execute permissions to the finance group. No permissions are granted to the others set.

[aquincy@host ~]$ chmod 0750 daily-tasks.sh
[aquincy@host ~]$ ls -l daily-tasks.sh
-rwxr-x---. 1 aquincy finance 33 Nov  5 13:35 daily-tasks.sh
[aquincy@host ~]$ ./daily-tasks.sh
All tasks ran successfully

If the script is in a different directory, then you provide the full path of the script to execute it. For example, the following command runs the /usr/local/bin/mytasks.sh script.

[user@host ~]$ /usr/local/bin/mytasks.sh
...output omitted...
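
The mode column that ls -l prints and the octal value that chmod takes describe the same bits, so one can be derived from the other when reviewing a listing. The following script is an added example, not part of the course text; the function names and the last sample line are constructed, and it goes beyond the text by also decoding the s, S, t, and T letters that ls uses for the special-permission digit.

```shell
#!/bin/sh
# Added example, not part of the course text.
# mode_to_octal: turn the mode column of `ls -l` (or a bare nine-character
# string) into the four-digit octal value that chmod takes.
mode_to_octal() {
    col=$1
    case ${#col} in
        11) col=${col#?}; col=${col%?} ;;   # file type + 9 + attribute marker
        10) case $col in
                *[.+@]) col=${col%?} ;;     # 9 + attribute marker
                *)      col=${col#?} ;;     # file type + 9
            esac ;;
    esac
    [ "${#col}" -eq 9 ] || { echo "invalid mode: $1" >&2; return 1; }
    special=0 digits=
    for sbit in 4 2 1; do                   # setuid, setgid, sticky
        digit=0
        for bit in 4 2 1; do                # read, write, execute
            ch=${col%"${col#?}"}            # first remaining character
            col=${col#?}
            case $sbit$bit$ch in
                ?4r|?2w|?1x)  digit=$((digit + bit)) ;;
                41s|21s|11t)  digit=$((digit + 1)); special=$((special + sbit)) ;;
                41S|21S|11T)  special=$((special + sbit)) ;;
                ??-)          ;;            # permission absent
                *) echo "invalid mode: $1" >&2; return 1 ;;
            esac
        done
        digits=$digits$digit
    done
    echo "$special$digits"
}

# Sample listing: the first three lines are copied from the examples on this
# page; the last line is constructed to show a special permission (sticky bit).
report_modes() {
    while read -r mode _links _owner _group _size _mon _day _time name; do
        printf '%s %s\n' "$(mode_to_octal "$mode")" "$name"
    done <<'EOF'
-rw-r--r--. 1 user user 45045 Nov  5 00:50 homework.doc
-rw-rw-r--. 1 aquincy finance 33 Nov  5 13:35 daily-tasks.sh
-rwxr-x---. 1 aquincy finance 33 Nov  5 13:35 daily-tasks.sh
drwxrwxrwt. 2 root root 40 Nov  5 13:35 shared
EOF
}
report_modes
```

On a real system, stat -c '%a %n' FILE (GNU coreutils) prints the octal mode directly; the script is useful when only a saved listing is available.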

Revision: rh104-9.1-3d1f2bc