
File permissions are the core security mechanism that controls who can do what with a file or directory.
They answer three questions:
- Who can access this?
- What can they do with it?
- How do we change it?
File permissions in Linux and Unix-like systems are fundamental to controlling who can access files and directories, and what actions they can perform. They are a core component of the traditional Unix access control model.
Here’s a detailed explanation of file permissions:
Purpose and Overview
Every file and directory in Linux possesses a set of permissions that dictate who can access them and how. These permissions limit access in three main ways:
- Restrict access to the owner alone.
- Allow users in a predesignated group to have access.
- Permit anyone on the system to have access (referred to as “others” or “the world”).
Permission Categories
Permissions are defined for three distinct categories of users:
- Owner (u): The user who created the file or directory. Any file you create, you own.
- Group (g): A collection of users. The system administrator can form users into groups (e.g., for a class or project). An owner can grant access to members of a designated group.
- Others (o): All other users on the system who are not the owner and do not belong to the file’s group.
The symbol a can represent all categories (owner, group, and others).
| Class | Symbol | Description |
|---|---|---|
| User | u | The owner of the file or directory. |
| Group | g | Other users who are in the file’s group. |
| Other | o | Everyone else on the system. |
Types of Permissions (Read, Write, Execute)
Each category of user can be granted read (r), write (w), and execute (x) permissions. An empty permission is represented by a dash (-).
For Files:
- Read (r): Allows the file to be opened, displayed, or printed.
- Write (w): Allows the file’s contents to be modified or truncated. This attribute alone does not allow renaming or deleting the file; that is determined by directory attributes.
- Execute (x): Allows the file to be treated as a program and executed. For shell scripts, it means the script can be run directly. Non-binary executable files (scripts) must also be readable to be executed.
For Directories:
- Read (r): Allows the list of files and subdirectories within the directory to be displayed.
- Write (w): Allows a user to create, delete, and rename files and subdirectories within that directory.
- Execute (x): Allows a user to “enter” or “pass through” the directory (e.g., using cd to change into it). Without execute permission, you cannot access files within it, even if you have read permission on the files themselves.
| Permission | Symbol | On a File | On a Directory |
|---|---|---|---|
| Read | r | Can view the file’s contents. | Can list the directory’s contents (e.g., with ls). |
| Write | w | Can modify or overwrite the file. | Can create, delete, or rename files within the directory. |
| Execute | x | Can run the file as a program/script. | Can access the directory (e.g., use cd to enter it). |
Displaying Permissions
The ls -l command displays detailed information about files, including their permissions.
The first 10 characters of the output represent file attributes:
- First character: Indicates the file type.
◦ -: Regular file.
◦ d: Directory.
◦ l: Symbolic link (symbolic links usually show rwxrwxrwx as dummy values; the real permissions are on the target file).
◦ c: Character special file (device that handles data as a stream of bytes, like a terminal).
◦ b: Block special file (device that handles data in blocks, like a hard drive).
◦ s: Local domain socket.
◦ p: Named pipe (FIFO).
- Next nine characters: Represent the read, write, and execute permissions for the owner, group, and others, in three sets of three characters each.
◦ r: Read permission.
◦ w: Write permission.
◦ x: Execute permission.
◦ -: Permission not granted.
Example ls -l output: -rw-r--r-- 1 chris weather 207 Feb 20 11:55 mydata
◦ -: Regular file.
◦ rw-: Owner (chris) has read and write permission.
◦ r--: Group (weather) has read permission.
◦ r--: Others have read permission.
Changing Permissions
The chmod command is used to change permission configurations. Only the file’s owner or the superuser (root) can change a file’s mode.
There are two primary methods for specifying permission changes:
- Symbolic Method:
◦ Uses characters u (owner), g (group), o (others), and a (all).
◦ Uses + to add a permission, - to remove a permission, and = to assign an entire set of permissions (removing any others not specified).
◦ Permissions are r (read), w (write), x (execute).
◦ Examples:
▪ chmod u+x lsc: Adds execute permission for the owner to lsc.
▪ chmod g+rw mydata: Grants read and write permission to the group for mydata.
▪ chmod o+r-wx mydata: Grants read, but removes write and execute, for others on mydata.
▪ chmod a-x file: Removes execute permission for all categories.
▪ chmod u+x,go=rx: Adds execute for owner, sets group and others to read and execute.
◦ The -R option (recursive) updates permissions within a directory and all of its contents. It is particularly useful with the symbolic syntax, which preserves bits that are not explicitly set. However, caution is advised: a recursive change is “blind” to the different meanings of the execute bit, so something like chmod -R a+x marks every regular file executable, not just the directories (chmod’s X permission exists for this case; it sets execute only on directories and on files that already have it).
- Absolute (Octal) Method:
◦ Uses a three-digit octal number, where each digit corresponds to a user category (owner, group, others).
◦ Each octal digit (0-7) is a binary mask for rwx (4 for read, 2 for write, 1 for execute).
▪ 0: --- (no permissions)
▪ 1: --x (execute only)
▪ 2: -w- (write only)
▪ 3: -wx (write and execute)
▪ 4: r-- (read only)
▪ 5: r-x (read and execute)
▪ 6: rw- (read and write)
▪ 7: rwx (read, write, and execute)
◦ Examples:
▪ chmod 600 foo.txt: Owner gets read/write, no access for group/others.
▪ chmod 700 myprog: Owner gets full (rwx), no access for group/others.
▪ chmod 755 myprog: Owner gets full (rwx), group and others get read and execute (r-x).
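The symbolic and octal forms above are two views of the same nine bits. The following added example (not from the original page) implements chmod’s symbolic rules in POSIX sh: it takes an octal mode and a specification such as u+x,go=rx and returns the new octal mode, so each example in the lists above can be checked. Function and variable names are my own.

```shell
#!/bin/sh
# Constructed example, not code from the original page: apply a chmod
# symbolic specification (the "u+x,go=rx" form) to an octal mode and print
# the resulting octal mode, following the rules described above: classes
# u/g/o/a, operators + - =, permissions r/w/x. Special bits (setuid etc.)
# are not handled; several operators in one clause ("o+r-wx") are.

# apply_chmod OCTAL SPEC -> new three-digit octal mode
# e.g. apply_chmod 644 u+x,go=rx -> 755
apply_chmod() {
    mode=$((0$1))                 # leading 0 makes the shell read it as octal
    old_ifs=$IFS
    IFS=','                       # clauses are comma separated
    for clause in $2; do
        IFS=$old_ifs
        who=${clause%%[+=-]*}     # class letters before the first operator
        rest=${clause#"$who"}     # what is left, e.g. "+r-wx"
        [ -n "$who" ] || who=a    # chmod treats a missing class like "a" (it also applies the umask; ignored here)
        whomask=0
        case $who in *u*|*a*) whomask=$((whomask | 0700));; esac
        case $who in *g*|*a*) whomask=$((whomask | 0070));; esac
        case $who in *o*|*a*) whomask=$((whomask | 0007));; esac
        while [ -n "$rest" ]; do
            op=${rest%"${rest#?}"}; rest=${rest#?}          # one operator
            perms=${rest%%[+=-]*};  rest=${rest#"$perms"}   # its permission letters
            bits=0
            case $perms in *r*) bits=$((bits | 0444));; esac
            case $perms in *w*) bits=$((bits | 0222));; esac
            case $perms in *x*) bits=$((bits | 0111));; esac
            bits=$((bits & whomask))                        # keep only the addressed classes
            case $op in
                +) mode=$((mode | bits));;
                -) mode=$((mode & ~bits));;
                =) mode=$(( (mode & ~whomask) | bits ));;   # "=" replaces the whole set
            esac
        done
    done
    IFS=$old_ifs
    printf '%03o\n' "$mode"
}

# Worked examples from the lists above, starting from a plausible mode:
apply_chmod 644 u+x          # 744
apply_chmod 644 g+rw         # 664
apply_chmod 666 o+r-wx       # 664
apply_chmod 755 a-x          # 644
apply_chmod 644 u+x,go=rx    # 755
```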
Ownership and Group Ownership
Files and directories are owned by both a user and a group.
- chown (change owner): Transfers control over a file or directory to another user. It can also change the group owner if a group is specified after a colon (e.g., chown user:group file).
◦ Example: chown robert mydata: Changes the owner of mydata to robert.
◦ Example: chown tony: ~tony/myfile.txt: Changes owner to tony and group to tony's login group.
- chgrp (change group): Changes the group for a file or directory. To change a file’s group, you must be the file’s owner and belong to the new group, or be the superuser.
◦ Example: chgrp forecast today: Changes the group of today to forecast.
- System files are typically owned by the root user and root group, with restricted permissions for modification. Files and directories for services (e.g., Squid proxy server, FTP) are often owned by a special user and group associated with that service, not root, so the service can access them without full root privileges. The -R option applies chown and chgrp recursively to a directory and its contents.
Default Permissions
The umask command controls the default permissions assigned to a file or directory when it is created. It uses octal notation to specify a mask of bits to be removed from the file’s default maximum permissions.
- Displaying umask: Running umask with no arguments shows the current value. The -S option displays it in symbolic format.
◦ Example: running $ umask prints 0002.
◦ Example: running $ umask -S prints u=rwx,g=rx,o=rx.
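As an added example (not part of the original page), the following POSIX sh functions compute the mode a new file or directory receives under a given umask and reproduce the umask -S rendering. The 666 (files) and 777 (directories) creation bases are assumed as the usual defaults, and the function names are my own.

```shell
#!/bin/sh
# Constructed example, not code from the original page: compute the mode a
# newly created file or directory receives for a given umask, and render a
# mask the way "umask -S" does. Assumes the usual creation bases: 666 for
# regular files (no execute bits) and 777 for directories.

# effective_mode BASE UMASK -> three-digit octal (BASE with the UMASK bits cleared)
effective_mode() {
    printf '%03o\n' "$(( 0$1 & ~0$2 ))"   # leading 0 -> octal, ~ flips the mask
}

new_file_mode() { effective_mode 666 "$1"; }   # e.g. new_file_mode 022 -> 644
new_dir_mode()  { effective_mode 777 "$1"; }   # e.g. new_dir_mode 002  -> 775

# perm_letters N -> the letters for the low three bits of N ("rx" for 5)
perm_letters() {
    l=""
    if [ $(( $1 & 4 )) -ne 0 ]; then l="${l}r"; fi
    if [ $(( $1 & 2 )) -ne 0 ]; then l="${l}w"; fi
    if [ $(( $1 & 1 )) -ne 0 ]; then l="${l}x"; fi
    printf '%s' "$l"
}

# umask_symbolic UMASK -> "u=rwx,g=rx,o=rx" (what umask -S prints): the
# symbolic form lists the permissions the mask keeps, not the ones it removes
umask_symbolic() {
    keep=$(( 0777 & ~0$1 ))
    printf 'u=%s,g=%s,o=%s\n' \
        "$(perm_letters $(( keep >> 6 )))" \
        "$(perm_letters $(( keep >> 3 )))" \
        "$(perm_letters "$keep")"
}

# umask_leaves_world_write UMASK -> true (exit 0) when new files would be
# writable by "others", the case a hardening check should flag
umask_leaves_world_write() {
    [ $(( 0$1 & 02 )) -eq 0 ]
}

# Worked examples:
new_file_mode 0022       # 644
new_dir_mode 0002        # 775
umask_symbolic 0022      # u=rwx,g=rx,o=rx
umask_symbolic 0002      # u=rwx,g=rwx,o=rx
if umask_leaves_world_write 0000; then echo "umask 0000: new files are world-writable"; fi
```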