Select Page

Linux is a multiuser operating system. In a multiuser environment, it is necessary to ensure that a user cannot access or modify files or directories that they aren’t supposed to. File permissions provide a protection mechanism for controlling access to files and directories.

Linux’s file security model is based on that of Unix. Each file or directory can be accessed or modified by the user who created it, or a group of users who have been given permission to do so. Permissions can also be defined for other users that do not belong to either of these two categories.

In this guide, we will go over how file permissions work in Linux for beginners. We’ll cover how you can view the permissions associated with files and directories and also how you can change them.

Requirements

To follow this guide, you’ll need access to a Linux or Mac machine. You’ll need some familiarity with using the terminal to execute commands.

Getting Started

Before we delve deeper into permissions, there are a few concepts to cover. As mentioned before, the file or directory can be accessed or modified by the user who created it (the owner), a group of users who are allowed to do so, or other users who aren’t either of the two. There are three types of permissions — read, write, and execute. Let’s look at all of these in detail.

USERS

Users are people who use the operating system. The operating system recognizes each user by their unique user ID or uid. This information is stored in the /etc/passwd file. Each line in this file contains information about the users of system such as their username, uid, group ID, their home directory, etc.

GROUPS

Groups are a collection of users. For example, the users from the accounts department can be added to the accounts group. Grouping users together makes it easier to manage permissions. For example, when the accounts group is given read-only access to a certain file, all the users in that group are automatically given that access. This is simpler than having to individually assign permissions to each user who is in the accounts department.
Information about groups is stored in /etc/group file. Each line of this file contains information like the name of the group, the ID of the group or gid, the username of the members, etc.

TYPES OF PERMISSIONS

There are three types of permissions – read, write, and execute. Read permission allows the user to view the contents of a file. Write permission allows the user to overwrite or append new data to the file or delete it. The execute permission allows the user to execute the code contained in the file.

Now that we have covered some of the basics, let’s go ahead with viewing and modifying permissions.

VIEWING PERMISSIONS

Open your terminal and execute the following command:

passwd is a regular file so the first character is a dash. The next three characters show the permissions for the owner – read, write, but not execute. The next three characters show the permission for the group – only read. All other users can only read the file. The first ‘root’ is the name of the owner and the second ‘root’ is the name of the group whose users can read this file.

Now execute the following command:

The command executed above shows the permissions associated with the ls command. The last r-x means that everybody is allowed to execute the code inside it. Finally, execute the following command:

We’re listing everything in the / directory. The output shows the permissions for the /bin directory. Since it is a directory, the first character is “d”.

The permissions are stored in the inode associated with the file or directory. The permissions take 9 bits; 3 for each of user, owner, and others.

CHANGING PERMISSIONS

chmod (change mode) command is used to change the permissions associated with a file or directory. The permissions can be changed either by using numeric or alphanumeric options along with chmod. Let’s begin by creating a file and changing its permissions. Execute the following commands:

The touch command made an empty file named script.sh. The file has been created with permissions rw-rw-r–. This is a script file in which we’ll write some commands a little later. To execute the script, we need to add the execute permission. Execute the following commands:

To use chmod, you specify the permissions to be associated with the file and the path to the file. Since the file is in the same directory as we are, we just specify the name. The permissions here are represented by 755. This gives read, write, and execute permission to the owner, and read and execute permissions to the group and others. Here’s what the numbers mean:

0 – No permissions granted.

4 – Read permission granted.

2 – Write permission granted.

1 – Execute permission granted.

Since we want to give the owner read, write, and execute permissions, we add together 4, 2, and 1 and specify a 7 in the first place. Similarly, we specify a 5 for group and others to give them read and execute permission.

The permissions always follow the order of user, group, and others. So the first 7 applies to the user, the 5 applies to the group and the last 5 applies to others.

Permissions can be written using the alphanumeric options as:

The + and – operators are used to either add or remove permissions. The different combinations can be separated by commas or can be grouped together. The above command can be written more compactly as:

Here, group and others will be given the read and execute permission. When using alphanumeric options, user is represented by u, group by g, and others by o. The read permission is represented by r, write by w, and execute by x.

What style you use is just a matter of preference.

Now, execute the following:

Without the appropriate permissions, you wouldn’t have been able to execute the script.

We’ve only modified the permissions associated with the file script.sh. Permissions are also associated with directories. However, since directories are different from files, each of the permissions means something different. Here’s a quick comparison of how the permissions differ in meaning when associated with a file or a directory:

Read

File – View the contents of the file.

Directory – See the files, directories, and subdirectories.

Write

File – Overwrite or append new content. Delete the file.

Directory – Add or remove files and directories.

Execute

File – Run the code within the file.

Directory – Navigate into the directory, execute program within a directory.

DEFAULT PERMISSIONS

When we create a file, it’s given a permission of rw-rw-r– by default and a directory is given the permissions rwxrwxr-x. These permissions are determined by umask. The umask command is used to view or set the file creation mask. Execute the following command to view the default umask:

Ignoring the first 0, the umask value of 002 maps to the permission 755 (rwxrwxr-x) for a directory and 644 (rw-rw-r–) for a file. We can also change the default permissions associated with files and directories by using the umask command. Execute the following commands:

As you can see, the default permissions have changed. These changes to default permission, however, are temporary. If you close and reopen the terminal to create a new file or directory, they will be created with the default permissions that were mentioned earlier. If you want to make the umask permanent, add it to your ~/.bashrc file.

ACCESS CONTROL LISTS

Sometimes, basic file and directory permissions aren’t enough and you need a more flexible way to set permissions. Access Control Lists, or ACL for short, provide a more robust and flexible way to assign permissions. ACL allow a user to give permissions to other

setfacl is used to set an ACL for a file and getfacl is used to view it. Only the owner of the file can change the ACL associated with it.

Note that the file system must be mounted with ACL enabled for them to be used.

VIEWING ACL

To view the ACL associated with the script file, execute the following command:

SETTING ACL

To set the ACL for the file, use the setfacl command. You modify the ACL by using the -m flag and remove the ACL using the -x flag.

The following command gives the user john read, write, and execute access to the script file.

The u indicates that the ACL permissions are being modified for a user. This is followed by the username and the permissions to grant.

You can also set group permissions using setfacl using the g flag. The following command gives the accounts group read, write, and execute access to the script file.

Running ls -l on the script file will show you an additional + being displayed along with the permissions. This indicates that an ACL is associated with this file

REMOVING ACL

You can remove an existing permission using the -x flag. To remove the user john, execute the following command:

Similarly, you can remove a group using the g option followed by the name of the group.

This brings us to the end of the guide on Linux permissions.