Since very early in its history, Unix systems have supported file and directory permissions. This security mechanism allow users to make their files private from other users, and for administrators to protect system configuration information from unauthorized changes.

In this tutorial we’ll go over the basics of Unix file permissions.

Users and Groups

All files are owned by both a person and a group. Using “ls -l” it’s possible to see who the owner and group is. Here is an example:

# ls -l
-rw-rw-r-- 1 frank team 2205 Aug 05 2017 /home/frank/project.txt

In this case, the user ‘frank’ is the owner and “team” is the group. Multiple users may be members of the group “team”.

The Three Types

All files and directories have three different classes of users: owner, group, and other. For example, here is /etc/passwd on a Debian 10 system:

# ls -l /etc/passwd
-rw-r--r-- 1 root root 3140 Sep 21 2019 /etc/passwd

The permissions are shown on the extreme left of that output:

-rw-r--r--

The first character indicates the type of filesystem entry. In this case, a “-” indicates that it’s a normal file. If it was a directory, this would be a “d”.

Next are three groups of permissions for owner, group, and other. Think of the line as divided this way:

-    rw-    r--    r--
     owner  group  others

In this case, we see for the first group (owner, characters 2-4) “rw-“. This means “read” and “write” permissions have been granted to the owner. The other possible permission, execute, has not been granted. For both group and others, only read permission is granted. In short, root can read/write the file, and everyone else can read but cannot write.

Let’s take some more examples:

-rw------- 1 frank frank 2205 Aug 05 2017 /home/frank/secret_diary.txt

In this case, the file is owned by frank and the group “frank”. It’s common on Unix systems for each user to also have his or her own group. It’s likely the only member of the “frank” group is frank. In this example, only frank has read and write permissions on the files and no one else has any permissions.

Let’s look at the project.txt file mentioned above:

-rw-rw-r-- 1 frank team 2205 Aug 05 2017 /home/frank/project.txt

Here, user “frank” has read/write permissions, and so do the members of the “team” group. All other users can read the file but cannot change it.

What about executable files? Here is /bin/ls, the ls command itself:

# ls -l /bin/ls
-rwxr-xr-x 1 root root 130736 Feb 22 2017 /bin/ls

Here, we see that the owner (root) has read, write, and execute, as does the “root” group. Other users on the system have read and execute, so everyone can execute it. Generally, read permission goes with execute.

Often when you create a shell script, you want to execute it. For example:

# cat script.sh 
#!/bin/bash

echo "here is my script executing"

# ./script.sh
-su: ./script.sh: Permission denied

The problem is that the you don’t have execute permissions on the script:

# ls -l script.sh 
-rw-r--r-- 1 root root 49 May 25 15:09 script.sh

How to add them? The chmod command.

The chmod Command

chmod has two forms. The more common is in the form

chmod {which type}{+ or -}{permission} file...

For example, to make the above script.sh executable by the owner:

# chmod u+x script.sh 
# ls -l script.sh 
-rwxr--r-- 1 root root 49 May 25 15:09 script.sh
# ./script.sh 
here is my script executing
#

The types are:

u = user (owner)
g = group
a = all (everyone)

If we later want to remove the permission, we can use chmod again:

# ls -l script.sh 
-rwxr--r-- 1 root root 49 May 25 15:09 script.sh
# chmod u-x script.sh 
# ls -l script.sh 
-rw-r--r-- 1 root root 49 May 25 15:09 script.sh
#

The other form of chmod is to use numbers. Each permission has a value:

4 = read
2 = write
1 = execute

Simply add up the permissions you want for each type and use the result. For example, to set a file with read, write, and execute for the owner (4+2+1=7), and read an execute for group and other (4+1=5), we would issue this command:

# ls -l script.sh 
-rw-r--r-- 1 root root 49 May 25 15:09 script.sh
# chmod 755 script.sh 
# ls -l script.sh 
-rwxr-xr-x 1 root root 49 May 25 15:09 script.sh

Directories

One final important thing to learn is that directories are a little special. For example, here is the /etc directory:

# ls -ld /etc
drwxr-xr-x 169 root root 12288 May 25 09:50 /etc

The execute permissions mean that users can enter into that directory. In general, directories always have both read and execute, and they are either both turned on for a type or turned off. For example, a directory that only frank and team can get into would look like this:

drwxrwx--- 169 frank team 12288 May 25 09:50 /project/private

Also, if a user does not have write permission in a directory, they cannot create files in that directory. However, if the user has write permission on exiting files, they can modify those files.

• Author
• Recent Posts

raindog308

Dread Lord of LowEnd Content at LowEndBox

I'm raindog308, techno polymath and long-time LowEndTalk community Administrator. My technical interests include all things Unix, perl, python, golang, shell scripting, vintage operating systems such as MVS, and relational database systems such as Oracle, PostgreSQL, and MySQL.

I also enjoy using LEBs! I have an empire of little guys for VPNs, larger guys for apps, and big guys for databases and storage. When I'm not in front a screen I'm into German Shepherd dogs, quality knives, target shooting, theology, tabletop roleplaying games, and forest hiking.

I enjoy writing technical articles here on LowEndBox to help people get more out of their systems. You can find me on LowEndTalk @raindog308

Latest posts by raindog308 (see all)

• COMMUNITY NEWS: RackNerd LLC, Global IaaS Provider, Expands European Footprint with New Dublin, Ireland Datacenter - November 16, 2024
• Hey Providers – Want Some FREE Advertising During the SuperBowl? - November 14, 2024
• Inception Hosting is Closing Its Doors - November 12, 2024