Understanding Linux File Permissions
File permissions are probably one of the biggest differences between Windows and Unix-style operating systems. They make Linux much more secure when they are used well. However, they can also cause nightmares for the casual Linux administrator.
The first thing you need to know is that a Linux system has two ways of classifying users. There is, of course, the user name, but there are also groups. Groups are, strictly speaking, only a way to share permissions between users. For example, all the members of the admin group on your system are able to use the command sudo. As you probably know, sudo allows you to run a command as another user (by default, the root user).
Let me introduce you to your command-line friends that will help you to manage the permissions of your system.
adduser: This command lets you add a new user to your system. It can also add a user to a group.
addgroup: Its name says it all. This command lets you add a new group to your system.
chmod: I believe this is the most widely known Unix command. It is even a verb in the world of server-side technology, like PHP. This command lets you alter the permissions of a file. It is a Swiss Army knife. Learn it, and use it well.
chown: Also a very important command, chown can change the user and group ownership of a file.
chgrp: This is chown’s little brother. Unlike chown, this command can only change the group ownership of a file.
groups: Somewhat less important but still useful, groups shows you the groups you are a member of.
whoami: Don’t know why, but I love the name of this command. Anyway, this command tells you who you are.
who: This command shows you who is logged in on your system. I never use it, since I find w more useful for my usage.
w: And here is our last little friend, the w command. It displays a list of the logged-in users like who, but also displays their attached processes and the uptime of the machine you’re on.
Obviously, if you want to learn to use those commands well, you will need to do some homework and read their respective manual pages (with man <command>).
So, how do permissions work? First, we need an example:
alex@helios /etc % ls -l
total 1548
-rw-r--r-- 1 root root 2584 2006-11-29 08:40 adduser.conf
drwxr-xr-x 4 root root 4096 2006-12-13 10:46 apt
drwxr-xr-x 2 root root 4096 2006-12-17 00:15 cron.d
drwxr-sr-t 5 cupsys lp 4096 2006-11-29 08:51 cups
-rw-r--r-- 1 root root 817 2006-11-29 08:39 fstab
-rw-r--r-- 1 root root 806 2006-12-17 00:15 group
-rw-r--r-- 1 root root 1430 2006-12-17 00:15 passwd
lrwxrwxrwx 1 root root 13 2006-11-29 08:40 motd -> /var/run/motd
drwxr-xr-x 2 root root 4096 2006-12-22 23:36 rc0.d
drwxr-xr-x 2 root root 4096 2006-12-19 12:06 rc1.d
drwxr-xr-x 2 root root 4096 2006-12-19 12:06 rc2.d
drwxr-xr-x 2 root root 4096 2006-12-19 12:06 rc3.d
drwxr-xr-x 2 root root 4096 2006-12-19 12:06 rc4.d
drwxr-xr-x 2 root root 4096 2006-12-19 12:06 rc5.d
drwxr-xr-x 2 root root 4096 2006-12-22 23:36 rc6.d
-rwxr-xr-x 1 root root 306 2006-11-29 08:40 rc.local
-rw-r----- 1 root shadow 873 2006-12-17 00:15 shadow
-rw-r--r-- 1 root root 214 2006-12-02 13:27 shell
-r--r----- 1 root root 403 2006-11-29 09:10 sudoers
Only the first, third and fourth columns are interesting for us right now. The first column gives us information about the file permissions. The third is the owner of the file and the fourth is the group.
So, what does all this mess mean? File permissions are like little switches you turn on and off. There are three types of permission: read, write, and execute. There are also three types of ownership: owner (or user), group, and other. So, 3 times 3 equals 9 switches you can control.
That is exactly what we see in the first column. The first element of this column is the type of the file. A - means it’s a normal file; a d is for a directory and l is for a link pointing to a file. There are several other types of file, but they are much less useful to know for the casual Linux system administrator.
You probably figured that the rest are the permissions. Here is a legend of the symbols I will use for the rest of this post:
u - owner
g - group
o - others
r - read
w - write
x - execute
t - file type
As you will see, there is nothing complicated about the first column in the output of the ls -l command. It’s a simple representation of the switches I mentioned earlier. So, let’s decode it:
tuuugggooo
That’s it. Just read it out loud: type, owner, group and others. So, if you see something like -rwxr-xr-x, you can read it as: “a normal file for which the owner has the read, write and execute permissions, and for which its group and others have the read and execute permissions.” That is extremely verbose, but correct.
You can change the permissions with the chmod command:
alex@helios ~ % ls -l file
-rw-r--r-- 1 alex alex 0 2007-01-01 23:58 file
alex@helios ~ % chmod og+rw file
alex@helios ~ % ls -l file
-rw-rw-rw- 1 alex alex 0 2007-01-01 23:58 file
I won’t go into details here, because it’s quite simple to understand. If you want to know more, the info page of chmod is a great source of information (info coreutils 'chmod invocation').
If you already knew what permissions are, you are probably 1) rolling on the floor laughing at how I went into great detail about such a simple thing, or 2) grumbling that you want a refund because I wasted your bandwidth. So, hold on, here comes the more advanced stuff.
You have probably seen numerical (or should I say octal) permissions, like 777. But do you actually know how to read them? For example, what does 645 mean? Hopefully, you aren’t trying to remember all of them. I am going to give you a trick.
As you probably know, each digit represents the permissions of one type of ownership (owner, group and other). One thing you need to know is that they are not decimal digits; they are octal digits. So, something like 855 is not a valid permission.
Now, here is one interesting property of octal digits: you can write them all as three-bit (binary digit) numbers. Here is the full list:
Octal Binary
0 000
1 001
2 010
3 011
4 100
5 101
6 110
7 111
As you may know, bits are like switches you flip on and off. Sound familiar? Right, they are exactly like permissions. Now imagine that instead of letters, the permissions in the ls -l output were shown as binary numbers:
alex@helios ~ % ls -l file
-110100100 1 alex alex 0 2007-01-01 23:58 file
110100100 is a perfectly legit binary number and in octal it is 644. So, what happens if we chmod our file to 644? You have certainly deduced it:
alex@helios ~ % chmod 644 file
alex@helios ~ % ls -l file
-rw-r--r-- 1 alex alex 0 2007-01-01 23:58 file
Pretty nice, eh? You have been working with the binary system without knowing it. Back to our problem: you need to change the permissions of a file to 645. So, how do you calculate what it means? That is simple, now that you know it’s just a binary number:
Binary Octal English
100 4 read
010 2 write
001 1 execute
Therefore:
owner: 6 = 4+2 = read+write
group: 4 = 4 = read
other: 5 = 4+1 = read+execute
So, let’s check if we were right:
alex@helios ~ % chmod 645 file
alex@helios ~ % ls -l file
-rw-r--r-x 1 alex alex 0 2007-01-01 23:58 file
I bet you didn’t know it was that simple. Now, you can show your geek friends how good you are by calculating any octal permissions in your head.
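The hand calculation above, written as POSIX shell functions (an added example, not part of the original post; the function names digit_to_rwx, mode_to_symbolic and ls_to_octal are hypothetical). It goes one step beyond the text by also decoding the s and t letters visible on the cups line of the /etc listing, which add a leading fourth octal digit.

```shell
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.

# One octal digit -> "rwx" triplet: 4 = read, 2 = write, 1 = execute.
digit_to_rwx() {
    out=
    if [ $(( $1 & 4 )) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
    if [ $(( $1 & 2 )) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
    if [ $(( $1 & 1 )) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    printf '%s' "$out"
}

# Three-digit octal mode -> nine switches. Rejects non-octal input such as 855.
mode_to_symbolic() {
    case $1 in
        [0-7][0-7][0-7]) ;;
        *) echo "invalid octal mode: $1" >&2; return 1 ;;
    esac
    mid=${1#?}
    printf '%s%s%s\n' "$(digit_to_rwx "${1%??}")" \
        "$(digit_to_rwx "${mid%?}")" "$(digit_to_rwx "${1#??}")"
}

# First column of `ls -l` (type + nine switches) -> octal mode.
# s/S/t/T are the special bits; they add a leading fourth digit.
ls_to_octal() {
    left=${1#?}                          # drop the file-type character
    [ ${#left} -eq 9 ] || { echo "bad mode string: $1" >&2; return 1; }
    mode=0; special=0; pos=0
    while [ "$pos" -lt 9 ]; do
        c=${left%"${left#?}"}            # first remaining character
        left=${left#?}
        bit=$(( 1 << (8 - $pos) ))       # leftmost switch is bit 8
        case $c in
            r|w|x|s|t) mode=$(( $mode | $bit )) ;;  # s and t imply x is set
        esac
        case $c in
            s|S) if [ "$pos" -eq 2 ]; then special=$(( $special | 4 ))  # setuid
                 else special=$(( $special | 2 )); fi ;;                # setgid
            t|T) special=$(( $special | 1 )) ;;                         # sticky
        esac
        pos=$(( $pos + 1 ))
    done
    if [ "$special" -ne 0 ]; then printf '%o%03o\n' "$special" "$mode"
    else printf '%03o\n' "$mode"; fi
}

mode_to_symbolic 645        # rw-r--r-x
ls_to_octal drwxr-sr-t      # 3755
```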
There are also some special permissions you can use, like setuid, setgid, and sticky. I won’t cover them here, because they are pretty useless to the casual Linux system administrator.
I hope you enjoyed this introduction, because that’s all folks!