Since very early in its history, Unix systems have supported file and directory permissions. This security mechanism allow users to make their files private from other users, and for administrators to protect system configuration information from unauthorized changes.
In this tutorial we’ll go over the basics of Unix file permissions.
Users and Groups
All files are owned by both a person and a group. Using “ls -l” it’s possible to see who the owner and group is. Here is an example:
# ls -l -rw-rw-r-- 1 frank team 2205 Aug 05 2017 /home/frank/project.txt
In this case, the user ‘frank’ is the owner and “team” is the group. Multiple users may be members of the group “team”.
The Three Types
All files and directories have three different classes of users: owner, group, and other. For example, here is /etc/passwd on a Debian 10 system:
# ls -l /etc/passwd -rw-r--r-- 1 root root 3140 Sep 21 2019 /etc/passwd
The permissions are shown on the extreme left of that output:
-rw-r--r--
The first character indicates the type of filesystem entry. In this case, a “-” indicates that it’s a normal file. If it was a directory, this would be a “d”.
Next are three groups of permissions for owner, group, and other. Think of the line as divided this way:
- rw- r-- r-- owner group others
In this case, we see for the first group (owner, characters 2-4) “rw-“. This means “read” and “write” permissions have been granted to the owner. The other possible permission, execute, has not been granted. For both group and others, only read permission is granted. In short, root can read/write the file, and everyone else can read but cannot write.
Let’s take some more examples:
-rw------- 1 frank frank 2205 Aug 05 2017 /home/frank/secret_diary.txt
In this case, the file is owned by frank and the group “frank”. It’s common on Unix systems for each user to also have his or her own group. It’s likely the only member of the “frank” group is frank. In this example, only frank has read and write permissions on the files and no one else has any permissions.
Let’s look at the project.txt file mentioned above:
-rw-rw-r-- 1 frank team 2205 Aug 05 2017 /home/frank/project.txt
Here, user “frank” has read/write permissions, and so do the members of the “team” group. All other users can read the file but cannot change it.
What about executable files? Here is /bin/ls, the ls command itself:
# ls -l /bin/ls -rwxr-xr-x 1 root root 130736 Feb 22 2017 /bin/ls
Here, we see that the owner (root) has read, write, and execute, as does the “root” group. Other users on the system have read and execute, so everyone can execute it. Generally, read permission goes with execute.
Often when you create a shell script, you want to execute it. For example:
# cat script.sh #!/bin/bash echo "here is my script executing" # ./script.sh -su: ./script.sh: Permission denied
The problem is that the you don’t have execute permissions on the script:
# ls -l script.sh -rw-r--r-- 1 root root 49 May 25 15:09 script.sh
How to add them? The chmod command.
The chmod Command
chmod has two forms. The more common is in the form
chmod {which type}{+ or -}{permission} file...
For example, to make the above script.sh executable by the owner:
# chmod u+x script.sh # ls -l script.sh -rwxr--r-- 1 root root 49 May 25 15:09 script.sh # ./script.sh here is my script executing #
The types are:
u = user (owner) g = group a = all (everyone)
If we later want to remove the permission, we can use chmod again:
# ls -l script.sh -rwxr--r-- 1 root root 49 May 25 15:09 script.sh # chmod u-x script.sh # ls -l script.sh -rw-r--r-- 1 root root 49 May 25 15:09 script.sh #
The other form of chmod is to use numbers. Each permission has a value:
4 = read 2 = write 1 = execute
Simply add up the permissions you want for each type and use the result. For example, to set a file with read, write, and execute for the owner (4+2+1=7), and read an execute for group and other (4+1=5), we would issue this command:
# ls -l script.sh -rw-r--r-- 1 root root 49 May 25 15:09 script.sh # chmod 755 script.sh # ls -l script.sh -rwxr-xr-x 1 root root 49 May 25 15:09 script.sh
Directories
One final important thing to learn is that directories are a little special. For example, here is the /etc directory:
# ls -ld /etc drwxr-xr-x 169 root root 12288 May 25 09:50 /etc
The execute permissions mean that users can enter into that directory. In general, directories always have both read and execute, and they are either both turned on for a type or turned off. For example, a directory that only frank and team can get into would look like this:
drwxrwx--- 169 frank team 12288 May 25 09:50 /project/private
Also, if a user does not have write permission in a directory, they cannot create files in that directory. However, if the user has write permission on exiting files, they can modify those files.
Related Posts:
- Is Your Soul as Dark as a Christmas Stocking’s Coal?Make Your Online World Match - December 20, 2024
- Hosteroid has a HOT, Limited Stock Offer in Vienna or Amsterdam! - December 19, 2024
- Cheap Dedi Alert! LinkSecured Has an e3-1240 for $18.88/Month in LA, Dallas, or Phoenix! - December 18, 2024
Good post, although I’m surprised it doesn’t even touch on ACLs and the getfacl and setfacl commands.
That’d be a good followup.