
Chapter 4. Controlling Access to Files

Abstract

Goal

Set Linux file-system permissions on files and interpret the security effects of different permission settings.
Objectives
  • Change the permissions and ownership of files using command-line tools.

  • Control the default permissions of new files created by users, explain the effect of special permissions, and use special permissions and default permissions to set the group owner of files created in a particular directory.

Sections
  • Managing File System Permissions from the Command Line (and Guided Exercise)

  • Managing Default Permissions and File Access (and Guided Exercise)

Lab

Controlling Access to Files

Managing File System Permissions from the Command Line

Objectives

After completing this section, you should be able to change the permissions and ownership of files using command-line tools.

Changing File and Directory Permissions

The command used to change permissions from the command line is chmod, which means "change mode" (permissions are also called the mode of a file). The chmod command takes a permission instruction followed by a list of files or directories to change. The permission instruction can be issued either symbolically (the symbolic method) or numerically (the numeric method).

Changing Permissions with the Symbolic Method

chmod WhoWhatWhich file|directory
  • Who is u, g, o, a (for user, group, other, all)

  • What is +, -, = (for add, remove, set exactly)

  • Which is r, w, x (for read, write, execute)

The symbolic method of changing file permissions uses letters to represent the different groups of permissions: u for user, g for group, o for other, and a for all.

With the symbolic method, it is not necessary to set a complete new group of permissions. Instead, you can change one or more of the existing permissions. Use + or - to add or remove permissions, respectively, or use = to replace the entire set for a group of permissions.

The permissions themselves are represented by a single letter: r for read, w for write, and x for execute. When using chmod to change permissions with the symbolic method, using a capital X as the permission flag will add execute permission only if the file is a directory or already has execute set for user, group, or other.

Note

The chmod command supports the -R option to recursively set permissions on the files in an entire directory tree. When using the -R option, it can be useful to set permissions symbolically using the X option. This allows the execute (search) permission to be set on directories so that their contents can be accessed, without changing permissions on most files. Be cautious with the X option, however, because if a file has any execute permission set, X will set the specified execute permission on that file as well. For example, the following command recursively sets read and write access on demodir and all its children for their group owner, but only applies group execute permissions to directories and files that already have execute set for user, group, or other.

[root@host opt]# chmod -R g+rwX demodir

Examples

  • Remove read and write permission for group and other on file1:

    [user@host ~]$ chmod go-rw file1
  • Add execute permission for everyone on file2:

    [user@host ~]$ chmod a+x file2
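The following script is an added example, not part of the course text. It builds a throwaway tree in a temporary directory and runs the symbolic instructions above against it, including the recursive `g+rwX` case from the Note, so the difference between a file with no execute bit and one that already has execute set can be observed with `stat`. The names demodir, sub, notes.txt and run.sh are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the course text): exercises the symbolic method,
# including the capital X caveat from the Note above, in a throwaway directory.
# The names demodir, sub, notes.txt and run.sh are constructed for this example.
set -eu

# Print the octal mode of a path (GNU/busybox stat), e.g. 750.
mode_of() {
    stat -c '%a' "$1"
}

# Build a small tree under a fresh temporary directory and print its path:
#   demodir/          700  rwx------
#   demodir/sub/      700  rwx------
#   demodir/notes.txt 600  rw-------   (no execute bit anywhere)
#   demodir/run.sh    700  rwx------   (execute already set for user)
setup_demo() {
    demo=$(mktemp -d)
    mkdir -p "$demo/demodir/sub"
    printf 'hello\n' > "$demo/demodir/notes.txt"
    printf '#!/bin/sh\necho hi\n' > "$demo/demodir/run.sh"
    chmod 700 "$demo/demodir" "$demo/demodir/sub" "$demo/demodir/run.sh"
    chmod 600 "$demo/demodir/notes.txt"
    printf '%s\n' "$demo"
}

# Apply one symbolic chmod instruction to a path and print the resulting mode.
apply_symbolic() {
    chmod "$1" "$2"
    mode_of "$2"
}

# The course's recursive example: g+rwX on the whole tree. Directories and
# run.sh (which already has an execute bit) gain group execute; notes.txt
# only gains group read/write.
apply_group_rwx_tree() {
    chmod -R g+rwX "$1/demodir"
}

main() {
    demo=$(setup_demo)
    apply_group_rwx_tree "$demo"
    for p in demodir demodir/sub demodir/notes.txt demodir/run.sh; do
        printf '%-18s %s\n' "$p" "$(mode_of "$demo/$p")"
    done
    # The two Examples from the text, applied to notes.txt: first remove
    # read/write for group and other, then add execute for everyone.
    printf 'go-rw -> %s\n' "$(apply_symbolic go-rw "$demo/demodir/notes.txt")"
    printf 'a+x   -> %s\n' "$(apply_symbolic a+x "$demo/demodir/notes.txt")"
    rm -rf "$demo"
}

main "$@"
```

After `g+rwX`, the two directories and run.sh end up as 770 while notes.txt is 660: the file with no execute bit is left non-executable, which is the point of using X rather than x with -R.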

Changing Permissions with the Numeric Method

In the example below the # character represents a digit.

chmod ### file|directory
  • Each digit represents permissions for an access level: user, group, other.

  • The digit is calculated by adding together numbers for each permission you want to add, 4 for read, 2 for write, and 1 for execute.

Using the numeric method, permissions are represented by a 3-digit (or 4-digit, when setting advanced permissions) octal number. A single octal digit can represent any single value from 0-7.

In the 3-digit octal (numeric) representation of permissions, each digit stands for one access level, from left to right: user, group, and other. To determine each digit:

  1. Start with 0.

  2. If the read permission should be present for this access level, add 4.

  3. If the write permission should be present, add 2.

  4. If the execute permission should be present, add 1.

Examine the permissions -rwxr-x---. For the user, rwx is calculated as 4+2+1=7. For the group, r-x is calculated as 4+0+1=5, and for other users, --- is represented with 0. Putting these three together, the numeric representation of those permissions is 750.

This calculation can also be performed in the opposite direction. Look at the permissions 640. For the user permissions, 6 represents read (4) and write (2), which displays as rw-. For the group part, 4 only includes read (4) and displays as r--. The 0 for other provides no permissions (---) and the final set of symbolic permissions for this file is -rw-r-----.

Experienced administrators often use numeric permissions because they are shorter to type and pronounce, while still giving full control over all permissions.

Examples

  • Set read and write permissions for user, read permission for group and other, on samplefile:

    [user@host ~]$ chmod 644 samplefile
  • Set read, write, and execute permissions for user, read and execute permissions for group, and no permission for other on sampledir:

    [user@host ~]$ chmod 750 sampledir
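The digit arithmetic described above, carried out in both directions by a script added here as an example (it is not part of the course text). It converts a nine-character symbolic string to three octal digits and back, and includes a helper that reads a real file's listing with `stat` and converts it, so the result can be checked against `stat -c %a`. Only r, w and x are counted; the s and t letters of special permissions (the fourth digit) are outside this example.

```shell
#!/bin/sh
# Added example (not part of the course text): the digit arithmetic from the
# text, in both directions, plus a helper that converts a real file's listing.
# Only r, w and x are counted; special-permission letters (s, t) are not handled.
set -eu

# Symbolic string (nine characters, e.g. rwxr-x---) to three octal digits.
# For each of the user/group/other triplets: start at 0, add 4 for r,
# 2 for w, 1 for x.
sym_to_octal() {
    s=$1
    if [ "${#s}" -ne 9 ]; then
        echo "sym_to_octal: expected 9 permission characters, got '$s'" >&2
        return 1
    fi
    result=""
    for start in 1 4 7; do
        digit=0
        r=$(printf '%s' "$s" | cut -c "$start")
        w=$(printf '%s' "$s" | cut -c "$((start + 1))")
        x=$(printf '%s' "$s" | cut -c "$((start + 2))")
        if [ "$r" = r ]; then digit=$((digit + 4)); fi
        if [ "$w" = w ]; then digit=$((digit + 2)); fi
        if [ "$x" = x ]; then digit=$((digit + 1)); fi
        result="$result$digit"
    done
    printf '%s\n' "$result"
}

# Three octal digits (e.g. 640) back to the nine-character symbolic form.
octal_to_sym() {
    n=$1
    case $n in
        [0-7][0-7][0-7]) ;;
        *) echo "octal_to_sym: expected three octal digits, got '$n'" >&2; return 1 ;;
    esac
    result=""
    for pos in 1 2 3; do
        d=$(printf '%s' "$n" | cut -c "$pos")
        if [ $((d & 4)) -ne 0 ]; then result="${result}r"; else result="${result}-"; fi
        if [ $((d & 2)) -ne 0 ]; then result="${result}w"; else result="${result}-"; fi
        if [ $((d & 1)) -ne 0 ]; then result="${result}x"; else result="${result}-"; fi
    done
    printf '%s\n' "$result"
}

# Read a file's symbolic listing (as ls -l and stat %A show it), drop the
# leading file-type character, and convert it to octal.
octal_from_listing() {
    sym=$(stat -c '%A' "$1" | cut -c 2-10)
    sym_to_octal "$sym"
}

main() {
    printf 'rwxr-x--- -> %s\n' "$(sym_to_octal rwxr-x---)"   # 750
    printf '640       -> %s\n' "$(octal_to_sym 640)"         # rw-r-----
    f=$(mktemp)
    chmod 640 "$f"
    printf '%s: listing %s, stat -c %%a %s, computed %s\n' \
        "$f" "$(stat -c '%A' "$f")" "$(stat -c '%a' "$f")" "$(octal_from_listing "$f")"
    rm -f "$f"
}

main "$@"
```

`octal_from_listing` is the useful part in practice: it lets you verify the conversion against what the kernel actually reports, rather than against a mental calculation.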

Changing File and Directory User or Group Ownership

A newly created file is owned by the user who creates that file. By default, new files have a group ownership that is the primary group of the user creating the file. In Red Hat Enterprise Linux, a user's primary group is usually a private group with only that user as a member. To grant access to a file based on group membership, the group that owns the file may need to be changed.

Only root can change the user that owns a file. Group ownership, however, can be set by root or by the file's owner. root can grant file ownership to any group, but regular users can make a group the owner of a file only if they are a member of that group.

File ownership can be changed with the chown (change owner) command. For example, to grant ownership of the test_file file to the student user, use the following command:

[root@host ~]# chown student test_file

chown can be used with the -R option to recursively change the ownership of an entire directory tree. The following command grants ownership of test_dir and all files and subdirectories within it to student:

[root@host ~]# chown -R student test_dir

The chown command can also be used to change group ownership of a file by preceding the group name with a colon (:). For example, the following command changes the group ownership of the test_dir directory to admins:

[root@host ~]# chown :admins test_dir

The chown command can also be used to change both owner and group at the same time by using the owner:group syntax. For example, to change the ownership of test_dir to visitor and the group to guests, use the following command:

[root@host ~]# chown visitor:guests test_dir

Instead of using chown, some users change the group ownership by using the chgrp command. This command works just like chown, except that it is only used to change group ownership and the colon (:) before the group name is not required.

Important

You may encounter examples of chown commands using an alternative syntax that separates owner and group with a period instead of a colon:

[root@host ~]# chown owner.group filename

You should not use this syntax. Always use a colon.

A period is a valid character in a user name, but a colon is not. If the user enoch.root, the user enoch, and the group root exist on the system, the result of chown enoch.root filename will be to have filename owned by the user enoch.root. You may have been trying to set the file ownership to the user enoch and group root. This can be confusing.

If you always use the chown colon syntax when setting the user and group at the same time, the results are always easy to predict.

References

ls(1), chmod(1), chown(1), and chgrp(1) man pages

Revision: rh199-8.2-3beeb12