Since very early in its history, Unix has supported file and directory permissions. This security mechanism allows users to keep their files private from other users, and allows administrators to protect system configuration from unauthorized changes.
In this tutorial we’ll go over the basics of Unix file permissions.
Users and Groups
All files are owned by both a person and a group. Using “ls -l” it’s possible to see who the owner and group are. Here is an example:
# ls -l
-rw-rw-r-- 1 frank team 2205 Aug 05 2017 /home/frank/project.txt
In this case, the user ‘frank’ is the owner and “team” is the group. Multiple users may be members of the group “team”.
The Three Types
All files and directories have three different classes of users: owner, group, and other. For example, here is /etc/passwd on a Debian 10 system:
# ls -l /etc/passwd
-rw-r--r-- 1 root root 3140 Sep 21 2019 /etc/passwd
The permissions are shown on the extreme left of that output:
-rw-r--r--
The first character indicates the type of filesystem entry. In this case, a “-” indicates that it’s a normal file. If it was a directory, this would be a “d”.
Next are three groups of permissions for owner, group, and other. Think of the line as divided this way:
-  rw-   r--   r--
   owner group others
In this case, the first group (owner, characters 2-4) is “rw-”. This means “read” and “write” permissions have been granted to the owner. The third possible permission, execute, has not been granted. For both group and others, only read permission is granted. In short, root can read and write the file, and everyone else can read it but cannot write to it.
Let’s take some more examples:
-rw------- 1 frank frank 2205 Aug 05 2017 /home/frank/secret_diary.txt
In this case, the file is owned by frank and the group “frank”. It’s common on Unix systems for each user to also have his or her own group, and it’s likely the only member of the “frank” group is frank. In this example, only frank has read and write permissions on the file, and no one else has any permissions.
Let’s look at the project.txt file mentioned above:
-rw-rw-r-- 1 frank team 2205 Aug 05 2017 /home/frank/project.txt
Here, user “frank” has read/write permissions, and so do the members of the “team” group. All other users can read the file but cannot change it.
What about executable files? Here is /bin/ls, the ls command itself:
# ls -l /bin/ls
-rwxr-xr-x 1 root root 130736 Feb 22 2017 /bin/ls
Here, we see that the owner (root) has read, write, and execute. The “root” group and all other users on the system have read and execute, so everyone can execute it. Generally, read permission goes along with execute.
Often when you create a shell script, you want to execute it. For example:
# cat script.sh
#!/bin/bash
echo "here is my script executing"
# ./script.sh
-su: ./script.sh: Permission denied
The problem is that you don’t have execute permission on the script:
# ls -l script.sh
-rw-r--r-- 1 root root 49 May 25 15:09 script.sh
How to add them? The chmod command.
The chmod Command
chmod has two forms. The more common is in the form
chmod {which type}{+ or -}{permission} file...
For example, to make the above script.sh executable by the owner:
# chmod u+x script.sh
# ls -l script.sh
-rwxr--r-- 1 root root 49 May 25 15:09 script.sh
# ./script.sh
here is my script executing
#
The types are:
u = user (owner)
g = group
a = all (everyone)
If we later want to remove the permission, we can use chmod again:
# ls -l script.sh
-rwxr--r-- 1 root root 49 May 25 15:09 script.sh
# chmod u-x script.sh
# ls -l script.sh
-rw-r--r-- 1 root root 49 May 25 15:09 script.sh
#
The other form of chmod is to use numbers. Each permission has a value:
4 = read
2 = write
1 = execute
Simply add up the permissions you want for each class and use the result. For example, to set a file with read, write, and execute for the owner (4+2+1=7), and read and execute for group and other (4+1=5), we would issue this command:
# ls -l script.sh
-rw-r--r-- 1 root root 49 May 25 15:09 script.sh
# chmod 755 script.sh
# ls -l script.sh
-rwxr-xr-x 1 root root 49 May 25 15:09 script.sh
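The two chmod forms above describe the same nine bits, so converting between the “rwx” string that ls -l prints and the numeric mode is a useful check. The script below is an added example, not from the original post: perm_to_octal does that conversion, and demo replays the script.sh sequence (644, then u+x, then 755) in a throwaway directory and reports the modes it observes.

```shell
#!/bin/sh
# Added example (not from the original post). Convert the 9-character
# permission string shown by "ls -l" (e.g. rwxr-xr-x) into the numeric
# mode that chmod accepts (e.g. 755). The setuid/setgid/sticky bits,
# which ls shows as s or t in place of x, are outside this post and are
# counted only as "execute" here.
perm_to_octal() {
  local s out i digit
  s=$1; out=""; i=1
  while [ "$i" -le 7 ]; do            # positions 1-3 owner, 4-6 group, 7-9 other
    digit=0
    case $(printf '%s' "$s" | cut -c "$i") in r) digit=$((digit + 4));; esac
    case $(printf '%s' "$s" | cut -c $((i + 1))) in w) digit=$((digit + 2));; esac
    case $(printf '%s' "$s" | cut -c $((i + 2))) in x|s|t) digit=$((digit + 1));; esac
    out="$out$digit"
    i=$((i + 3))
  done
  printf '%s\n' "$out"
}

# mode_of: the permission string of a path, taken from "ls -ld" with the
# leading type character (- or d) stripped off.
mode_of() {
  ls -ld "$1" | cut -c 2-10
}

# demo: recreate the script.sh walkthrough from the post in a temporary
# directory and return the three modes seen along the way ("644 744 755").
demo() {
  local dir script m1 m2 m3
  dir=$(mktemp -d) || return 1
  script="$dir/script.sh"
  printf '#!/bin/sh\necho "here is my script executing"\n' > "$script"
  chmod 644 "$script"          # the rw-r--r-- state that gave "Permission denied"
  m1=$(perm_to_octal "$(mode_of "$script")")
  chmod u+x "$script"          # symbolic form: the owner gains execute
  [ -x "$script" ] || return 1 # test -x asks the kernel the same question the shell did
  m2=$(perm_to_octal "$(mode_of "$script")")
  chmod 755 "$script"          # numeric form: 4+2+1 for owner, 4+1 for group and other
  m3=$(perm_to_octal "$(mode_of "$script")")
  rm -rf "$dir"
  printf '%s %s %s\n' "$m1" "$m2" "$m3"
}
```

Besides u, g and a, the symbolic form also accepts o for the “other” class, so chmod o-r script.sh would take read away from everyone outside the owner and group.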
Directories
One final important thing to learn is that directories are a little special. For example, here is the /etc directory:
# ls -ld /etc
drwxr-xr-x 169 root root 12288 May 25 09:50 /etc
The execute permission on a directory means that users can enter it. In practice, directories almost always carry read and execute together: for a given class they are either both set or both cleared. For example, a directory that only frank and the members of team can get into would look like this:
drwxrwx--- 169 frank team 12288 May 25 09:50 /project/private
Also, if a user does not have write permission on a directory, they cannot create files in that directory. However, if the user has write permission on existing files inside it, they can still modify those files.
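The directory bits and the file bits are checked separately, and the split matters for anyone hardening a shared tree: whether a file can be deleted or renamed depends on the directory’s write bit, not the file’s. The script below is an added example, not from the original post; it must run as an unprivileged user (root bypasses these checks, so it reports “skipped” in that case).

```shell
#!/bin/sh
# Added example (not from the original post). Shows how directory
# permissions and file permissions interact, using a throwaway directory.
# Returns one word per check: "write-denied delete-ok create-denied enter-denied".
dir_demo() {
  [ "$(id -u)" -eq 0 ] && { echo skipped; return 0; }   # root ignores these bits
  local base inner f r1 r2 r3 r4
  base=$(mktemp -d) || return 1
  inner="$base/private"
  mkdir "$inner"
  f="$inner/notes.txt"
  echo "hello" > "$f"
  chmod 755 "$inner"     # drwxr-xr-x: owner may add and remove entries
  chmod 444 "$f"         # -r--r--r--: nobody may change the file's contents

  # 1. appending to a read-only file fails, even though we own the directory
  if (echo "more" >> "$f") 2>/dev/null; then r1=write-ok; else r1=write-denied; fi

  # 2. deleting that same file succeeds: unlink is governed by the directory's
  #    write bit, so a read-only file is not a protected file
  if rm -f "$f" 2>/dev/null && [ ! -e "$f" ]; then r2=delete-ok; else r2=delete-denied; fi

  chmod 555 "$inner"     # dr-xr-xr-x: can be entered and listed, but not changed
  # 3. creating a new entry now fails
  if (: > "$inner/new.txt") 2>/dev/null; then r3=create-ok; else r3=create-denied; fi

  chmod 644 "$inner"     # drw-r--r--: read without execute
  # 4. without the execute bit the directory cannot be entered at all
  if (cd "$inner") 2>/dev/null; then r4=enter-ok; else r4=enter-denied; fi

  chmod 755 "$inner"     # restore so cleanup is straightforward
  rm -rf "$base"
  printf '%s %s %s %s\n' "$r1" "$r2" "$r3" "$r4"
}
```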
Good post, although I’m surprised it doesn’t even touch on ACLs and the getfacl and setfacl commands.
That’d be a good followup.