Linux file permissions


To understand and work with Linux file permissions you need to know about:

  • files and directories
  • file owner
  • file group
  • how to use the ls command and interpret its output

view what the drwxrwxr-x string means. That string is called "the permission bits" though it gives a little more info than just the permissions.

Files and directories

Files contain stuff. Stuff like text, encoded video, program instructions, picture data, etc. Directories are just special files that contain a list of the files in the directory. Since directories are vital, we use special commands like mkdir to create them and other commands to modify them rather than using a text editor. Thus we distinguish between directories and regular files. Music, text and binary (executable) files all fall into the category we will call "regular files" or "normal files" for the purposes of this discussion.

Owners and groups

Linux is a multi-user system. That means at any given time there can be more than 1 user logged on and using the computer. Users can be either human or system users. As much as possible, users are kept separate so they cannot interfere with each other. System users are not human, they are simply identities the operating system creates for various reasons such as to prevent the human users from messing around with things they don't need to access and to prevent one failing part of the system from taking down all the other parts of the system. Thus you own your own files while other users own theirs. Often you do not want other users to be able to access your files at all. Sometimes you want others to be able to read your files but not be able to write to (modify) your files.

It is not required but usually every user has at least 1 group associated with his account. That group is usually given the user's username but not always. The system administrator or anybody that knows the root password can add users to your group(s). You can be made a member of various other users' groups. Furthermore if you create a file then you own it. If you own it then you can allow or disallow members of your group(s) to have read and/or write permission to files you own. You can even allow all other users to have read and/or write permission for your files.

Working with owners, groups and permissions

The quick yet safe way to become familiar with owners, groups and permissions is to create a junk file and a junk directory that you don't really need, something you can play with, experiment with and safely "mess up" if you make a mistake and throw away later when you are done with it. To do that open a terminal and enter the following command sequence (type carefully, check your typing before hitting the ENTER key or else cut and paste the command sequence): cd ~ && echo junk text > xx_testfile && mkdir xx_testdir

The above command sequence is actually 3 commands all on one line. First it changes current directory to your home directory. Next it creates a file named xx_testfile and writes the words "junk test" into xx_testfile. Finally it creates a directory named xx_testdir. Since the names start with xx_, they will appear at the end of directory lists where they are easy to spot.

Now let's examine and play with the owner, group and permissions for xx_testfile and xx_testdir. We will use the ls command which starts with the letter "el", not the number one. The command ls -l. The ls is short for "list". the -l parameter specifies the long version of the list as opposed to the shorter and less detailed version. Do ls -l testfile. Near the bottom of the list you should see something like:

drwxrwxr-x 2 bobo bobo 4096 Feb 11 11:36 xx_testdir -rw-rw-r-- 1 bobo bobo 10 Feb 11 11:36 xx_testfile

The above example is for a user named bobo. The columns are as follows:

  1. permissions string - for example drwxrwxr-x
  2. file count - ignore this number for now, it's not important to this discussion
  3. owner - bobo in this example, you should see your username (login name) instead of bobo
  4. group - usually the same as the owner but not always
  5. file size - not important for the purpose of this discussion
  6. created date-time
  7. filename

Permissions string

Every file has a permissions string. It is stored in the files attributes and as we have seen you can use the ls -l command to see the permissions.

The first letter on the left is not really a permission but it is included in the permissions anyway. It is either d, l or -:

  • d means the file named in the right-most column is a directory
  • l means the file is a link (like a Windows shortcut, not the actual file just a link to the actual file)
  • - means the file is a regular file (in other words it's NOT a directory)

The remaining 9 bits are divided into triads (groups of 3). The left-most triad is for the file's owner (user), the middle triad is for the file's group, the right-most triad is for others. Others means all those who are neither the file's owner nor in the file's group, in other words the rest of the users on the system.

Since owner and others both start with letter o, we refer to the owner as user so that we can refer to the 3 groups with 3 letters, for brevity, as follows:

  • u = owner
  • g = group
  • o = others

Now we can show the relationship between the triads and the people this way:

   u   g   o

Each triad designates 3 permissions in the following order from left to right:

  • r = read = can read the file or directory
  • w = write = can write to the file or directory, if the file is a directory then can create and delete files in that directory
  • x = executable = can execute it if it's an executable file, if it's a directory then can view the contents of that directory

The bits in the triads are either "on" (an r, w or x) or "off" (a -).

Some examples:

  • -rw-rw-rw- means everybody can read and write to the file, not very secure but you might find a use for it
  • -rw-r-r- means everybody can read the file but only the owner can write to it, more secure but not what you would want for a file containing a password
  • -r-------- means only the owner can read and NOBODY can write, very secure, so secure even the owner must jump through some hoops just to write to it (you have to become root and give yourself write permission first) but if you need to hide something important this helps
  • -rw-rw---- means the owner and members of the group can read and write, good for files that a team collaborates on; the administrator simply gives membership in the group to trusted users, the rest of the world is blocked

Returning now to the permissions for the xx_testfile you created, we see:

-rw-rw-r-- 1 bobo bobo 10 Feb 11 11:36 xx_testfile

Since all three read bits are set (turned on), all users have permission to read the file. The write bits are set for bobo and members of group bobo but not set for others. Anybody can open the file in a text editor but only bobo and members of group bobo can save the file to /home/bobo/xx_testfile. Others can save it to a file they own in a directory for which they have write permission. For example, mary could open /home/bobo/xx_testfile in a text editor and save it to /home/mary/stolen_text because she owns /home/mary/ directory and any file she chooses to create there. Or she could just copy it to /home/mary/stolen_text via the cp command rather than opening the file in a text editor.

drwxrwxr-x 2 bobo bobo 4096 Feb 11 11:36 xx_testdir -rw-rw-r-- 1 bobo bobo 10 Feb 11 11:36 xx_testfile

Returning now to the permissions for the xx_testdir you created, we see:

All users can view the contents of the directory. All users can read any of the regular files in the directory. Only owner bobo and members of group bobo can write in that directory.

Altering permissions

Changing permissions is easy with the chmod command. Only the file's owner and root can change permissions, group members cannot. Some examples:

  • chmod g-rw foo - removes read and write permissions for groups for the file named foo
  • chmod g+r foo - adds read permissions for groups for the file named foo
  • chmod o-rw foo - removes read and write permissions for others for the file named foo

It is not an error to turn on a permission that is already turned on or turn one off that is already off.

The preceding paragraphs explain what the owner, group and permissions concepts but you need some hands-on experience to help you remember it