Linux File Permissions


File permissions are at the core of the security model used by Linux systems. They determine who can access files and directories on the system and how they can access them. This article provides an overview of Linux file permissions, how they work, and how to modify them.

1. How to View Linux File Permissions?

The ls command with its -l (long listing) option shows metadata about Linux files, including the permissions set on the files.

$ ls -l
drwxr-xr-x. 4 root root    68 Jun 13 20:25 tuned
-rw-r--r--. 1 root root  4017 Feb 24 2022 vimrc

In this example, you see two different entries. The first field of the ls -l output is a set of metadata, including the permissions for each file. Here's a breakdown of the vimrc entry:

  1. File Type: -

  2. Permissions: rw-r--r--

  3. Extended Attributes: Dot (.)

  4. User Owner: root

  5. Group: root

The "File Type" and "Extended Attributes" fields are beyond the scope of this article. In the vimrc entry above, the file is a regular file, indicated by the - symbol (i.e., not a special file type).

The tuned entry is for a directory, indicated by d. There are other file types, but these two are the most common. Available attributes depend on the file system format in use. For Red Hat Enterprise Linux 7, 8, and 9, the default file system format is XFS.

2. How to Read File Permissions?

This section explains how to read the permission string. The permission string in the vimrc entry is:

rw-r--r--

This string actually represents three different sets of permissions:

  1. rw- (for the owner)

  2. r-- (for the group)

  3. r-- (for others)

Each group represents permissions for different categories of users:

  • The first group is for the file's owner.

  • The second group is for the user group that owns the file.

  • The third group is for others.

When permissions and users are represented by letters, this is called symbolic mode. For users, u stands for the owner, g for the group, and o for others. For permissions, r means read, w means write, and x means execute.

When the system checks file permissions to determine what access to grant, it performs a series of checks:

  1. It first checks if you are the file's owner. If yes, it grants the owner's permissions and stops further checks.

  2. If you are not the file's owner, it checks if you belong to the group that owns the file. If yes, it grants the group owner's permissions and stops further checks.

  3. If the account interacting with the file is neither the owner nor a group member, the "others" permissions are applied.

Permissions are not just about who can interact with the file but also what actions they can perform. Each user class (owner, group, others) has its own set of three basic permissions. In the example above, the file owner has the following permissions:

rw-

Each character in the expression represents whether a specific permission is granted. In the example, read (r) and write (w) permissions are granted, but execute (x) is not, which is why there is a dash (-) in that position.

3. What Are Octal Values?

When Linux file permissions are represented by numbers, this is called numeric mode. Numeric mode uses a three-digit value to represent specific file permissions (e.g., 744). These are known as octal values. The first digit represents owner permissions, the second digit represents group permissions, and the third digit represents other users' permissions. Each permission is assigned a value:

  1. r (read) = 4

  2. w (write) = 2

  3. x (execute) = 1

For example, a file might have read, write, and execute permissions for the owner but only read permissions for others. Here's how it would break down:

  1. Owner: rwx = 4 + 2 + 1 = 7

  2. Group: r-- = 4 + 0 + 0 = 4

  3. Others: r-- = 4 + 0 + 0 = 4

The result is the three-digit value 744.
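The following script is an added example and is not part of the original article. It implements, in plain POSIX shell, the two things the text has just described: the conversion between symbolic strings such as rw-r--r-- and octal values such as 644 (section 3), and the owner, then group, then others selection order the kernel uses when deciding which of the three triples applies to a given account (section 2). The user names, group names and modes it uses are constructed for illustration.

```shell
#!/bin/sh
# Added example: symbolic/octal conversion and the owner -> group -> others
# selection rule. All inputs below are constructed sample values.

# Convert one symbolic triple (e.g. "rw-") to its octal digit (e.g. 6).
triple_to_digit() {
    d=0
    case "$1" in r??) d=$((d + 4)) ;; esac
    case "$1" in ?w?) d=$((d + 2)) ;; esac
    case "$1" in ??x) d=$((d + 1)) ;; esac
    echo "$d"
}

# Convert a nine-character permission string (e.g. "rw-r--r--") to octal (644).
symbolic_to_octal() {
    u=$(printf '%s\n' "$1" | cut -c1-3)
    g=$(printf '%s\n' "$1" | cut -c4-6)
    o=$(printf '%s\n' "$1" | cut -c7-9)
    echo "$(triple_to_digit "$u")$(triple_to_digit "$g")$(triple_to_digit "$o")"
}

# Convert one octal digit (0-7) back to a symbolic triple.
digit_to_triple() {
    r='-'; w='-'; x='-'
    [ $(($1 & 4)) -ne 0 ] && r='r'
    [ $(($1 & 2)) -ne 0 ] && w='w'
    [ $(($1 & 1)) -ne 0 ] && x='x'
    echo "$r$w$x"
}

# Convert an octal mode such as 744 to "rwxr--r--".
octal_to_symbolic() {
    u=$(printf '%s\n' "$1" | cut -c1)
    g=$(printf '%s\n' "$1" | cut -c2)
    o=$(printf '%s\n' "$1" | cut -c3)
    echo "$(digit_to_triple "$u")$(digit_to_triple "$g")$(digit_to_triple "$o")"
}

# effective_perms MODE FILE_OWNER FILE_GROUP USER "GROUP1 GROUP2 ..."
# Mirrors the three-step check from section 2: if USER owns the file the owner
# triple applies; otherwise, if USER is in FILE_GROUP, the group triple applies;
# otherwise the others triple. Once a class matches, the remaining classes are
# never consulted, even when they would be more permissive.
effective_perms() {
    mode=$1; fowner=$2; fgroup=$3; user=$4; groups=$5
    if [ "$user" = "$fowner" ]; then
        digit_to_triple "$(printf '%s\n' "$mode" | cut -c1)"
        return
    fi
    for g in $groups; do
        if [ "$g" = "$fgroup" ]; then
            digit_to_triple "$(printf '%s\n' "$mode" | cut -c2)"
            return
        fi
    done
    digit_to_triple "$(printf '%s\n' "$mode" | cut -c3)"
}

# Demonstration with constructed values: alice owns a file with mode 460
# (owner r--, group rw-). The owner check matches first, so alice gets only
# read access even though her group would have been allowed to write.
printf '%s -> %s\n' 'rw-r--r--' "$(symbolic_to_octal 'rw-r--r--')"
printf '%s -> %s\n' 744 "$(octal_to_symbolic 744)"
printf 'owner alice sees: %s\n' "$(effective_perms 460 alice staff alice 'staff')"
printf 'group member bob sees: %s\n' "$(effective_perms 460 alice staff bob 'staff')"
printf 'outsider carol sees: %s\n' "$(effective_perms 460 alice staff carol 'users')"
```

The mode 460 case is the one worth remembering when reviewing permissions: an owner whose own triple is more restrictive than the group's does not fall through to the group triple, so a quick look at the group bits can overstate or understate what a specific account can actually do.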

4. What Do Linux File Permissions Actually Do?

Now that we've discussed how to view file permissions, the types of users they apply to, and how to check which permissions are enabled or disabled, what do these permissions actually do in practice?

  • Read (r): Allows access to the file's content. You can use tools like cat or less to view the contents of the file. You also need read permissions to copy a file because you need access to its content.

  • Write (w): Allows modification or alteration of the file's content. Write permissions also allow you to use shell redirection operators (>, >>) to change the file's content. Without write permission, you cannot modify the file.

  • Execute (x): Allows the file to be run as a program. Executable files are usually commands or compiled binary programs. Execute permission is also what allows shell scripts, Python programs, and scripts in other interpreted languages to be started directly by name; such a script must also be readable, because the interpreter named on its #! line has to open the file.

There are other ways to run a file's content without execute permission on that file. For example, an interpreter that itself has execute permission can read the file and execute its content. A common example is running a shell script through the interpreter explicitly:

$ bash script.sh

In this case, the Bash interpreter executes the script even though the script itself might not have execute permissions.

5. How Do Directory Permissions Work?

Directory files are represented by d. Conceptually, permissions operate the same way, but directories interpret these operations differently.

  • Read (r): Similar to regular files, this permission allows you to read the contents of the directory. It means you can list the files or directories contained within the directory (using commands like ls).

  • Write (w): Allows modification of the directory's contents. This means you can add or remove files from the directory. To move (mv) or delete (rm) files from the directory, you need write permissions. You also need write permissions to create new files (using touch or file redirection operators) or copy (cp) files into the directory.

  • Execute (x): Execute permission on a directory works very differently. It essentially grants access to the directory's entries. Having execute permission on a directory not only allows you to view the extended file details (e.g., ls -l), but also allows you to change into it (cd) or traverse through it into subdirectories.

Without execute permission on a directory, the other permissions are restricted in ways that can be surprising. For example, without execute permission you cannot reach the entries inside the directory, so you cannot add new files to it even if you have write permission.
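The script below is an added example, not part of the original article. It exercises the behaviours described in sections 4 and 5 in a throwaway directory created with mktemp and reports what the kernel allowed: running a script with no execute bit directly versus through sh, and creating or listing entries in directories that are missing the execute or read bit. It assumes a Linux system with the usual coreutils and that it is run as an unprivileged user; root bypasses the read and write checks on the directories (but still cannot execute a file that has no execute bit at all), so the directory results will differ when run as root.

```shell
#!/bin/sh
# Added example: observe file and directory permission checks in a scratch
# directory. Expected output as an unprivileged user:
#   direct=denied interp=ok dir_rw=denied dir_wx_create=ok dir_wx_list=denied

perm_demo() {
    work=$(mktemp -d) || return 1
    trap 'rm -rf "$work"' EXIT

    # 1. A script with no execute bit: running it by path is refused, but an
    #    interpreter that can read the file runs it anyway (section 4).
    printf '#!/bin/sh\necho hello\n' > "$work/script.sh"
    chmod 644 "$work/script.sh"
    if "$work/script.sh" >/dev/null 2>&1; then direct=ok; else direct=denied; fi
    if sh "$work/script.sh" >/dev/null 2>&1; then interp=ok; else interp=denied; fi

    # 2. A directory with rw but no x: write permission alone does not let you
    #    create an entry, because the directory cannot be traversed (section 5).
    mkdir "$work/rw_only"
    chmod 600 "$work/rw_only"
    if touch "$work/rw_only/new" 2>/dev/null; then dir_rw=ok; else dir_rw=denied; fi

    # 3. A directory with wx but no r: entries can be created, but the
    #    directory cannot be listed.
    mkdir "$work/wx_only"
    chmod 300 "$work/wx_only"
    if touch "$work/wx_only/new" 2>/dev/null; then dir_wx_create=ok; else dir_wx_create=denied; fi
    if ls "$work/wx_only" >/dev/null 2>&1; then dir_wx_list=ok; else dir_wx_list=denied; fi

    # Restore full access so the EXIT trap can remove the scratch tree.
    chmod 700 "$work/rw_only" "$work/wx_only"
    echo "direct=$direct interp=$interp dir_rw=$dir_rw dir_wx_create=$dir_wx_create dir_wx_list=$dir_wx_list"
}

perm_demo
```

Case 3 is the "drop box" pattern: a directory with write and execute but no read lets users deposit files without seeing what others have deposited. Case 1 is why removing the execute bit from a script is not a control against running it; anyone who can read it can still hand it to an interpreter.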

6. How to Modify Linux File Permissions?

You can modify file and directory permissions using the chmod command (which stands for "change mode"). To change permissions in numeric mode, give the desired octal value followed by the filename (e.g., chmod 744 example.txt). To change permissions in symbolic mode, give the user category and the permissions you wish to grant. For example:

$ chmod ug+rwx example.txt
$ chmod o+r example2.txt

The first command grants read, write, and execute permissions to the user and group on example.txt; the second grants read permission to others on example2.txt. A + adds the listed permissions to whatever is already set, a - removes them, and = replaces the current permissions for that category. In symbolic mode, u represents the user owner, g represents the group owner, and o represents others. Use a for all users.

You might also want to change the file owner. You can use the chown command for this. Similarly, you can use chgrp to change the group ownership of a file.
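As an added example (not from the original article), the script below applies a sequence of chmod commands in numeric and symbolic mode to a scratch file and reads the resulting octal mode back after each step. The point it makes is that octal values and = are absolute, while + and - are relative to the mode the file already has, so the outcome of chmod o+r depends on what came before it. It assumes mktemp and either GNU stat (stat -c) or BSD stat (stat -f) is available; chown and chgrp are not exercised because changing ownership requires privileges.

```shell
#!/bin/sh
# Added example: numeric versus symbolic chmod, with the mode read back after
# each step. Expected output: 600 770 774 754 444 600 744

# Print the octal mode of a path (GNU stat first, BSD stat as a fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

chmod_walkthrough() {
    work=$(mktemp -d) || return 1
    trap 'rm -rf "$work"' EXIT
    f="$work/example.txt"
    : > "$f"                                   # create an empty scratch file

    chmod 600 "$f";      m1=$(mode_of "$f")   # absolute: rw-------
    chmod ug+rwx "$f";   m2=$(mode_of "$f")   # adds to 600 -> 770 (rwxrwx---)
    chmod o+r "$f";      m3=$(mode_of "$f")   # adds read for others -> 774
    chmod g-w "$f";      m4=$(mode_of "$f")   # removes one bit -> 754
    chmod a=r "$f";      m5=$(mode_of "$f")   # '=' replaces everything: 444
    chmod u=rw,go= "$f"; m6=$(mode_of "$f")   # owner rw, nothing for others: 600
    chmod 744 "$f";      m7=$(mode_of "$f")   # numeric mode from the article

    echo "$m1 $m2 $m3 $m4 $m5 $m6 $m7"
}

chmod_walkthrough
```

When writing a hardening script, prefer absolute forms (an octal value or =) over + and -: they produce the same mode regardless of the file's starting state, which makes the result reviewable and idempotent.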

7. What Are Special File Permissions?

Files and directories have special permissions that provide additional privileges beyond the standard set of permissions we've covered.

  • SUID: A special permission for user-level access. When set, it causes the file to always execute as the file's owner, regardless of who runs the command.

  • SGID: Allows execution of a file as the group owner. For directories, files created inside the directory inherit the group ownership of the directory.

  • Sticky Bit: A special permission that limits file deletion in a directory. When it is set, only a file's owner can delete that file from the directory, even if other users have write access to the directory.
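The script below is an added example and is not part of the original article. It sets each special bit on a scratch file or directory and shows how the permission string then reads, which is what you see in ls -l output. A lowercase s (SUID/SGID) or t (sticky) means the special bit is set together with the corresponding execute bit; an uppercase S or T means the special bit is set but the execute bit is not, which is almost always a mistake worth flagging in a review. It assumes mktemp and GNU stat (with a BSD stat fallback) and that the scratch directory's group is one the user belongs to, since chmod silently clears SGID otherwise.

```shell
#!/bin/sh
# Added example: how SUID, SGID and the sticky bit appear in the permission
# string. Expected output: rwsr-xr-x rwSr--r-- rwxrwsr-x rwxrwxrwt

# Nine-character permission string, e.g. "rwsr-xr-x" (GNU stat, BSD fallback).
sym_mode_of() {
    { stat -c '%A' "$1" 2>/dev/null || stat -f '%Sp' "$1"; } | cut -c2-10
}

special_bits_demo() {
    work=$(mktemp -d) || return 1
    trap 'rm -rf "$work"' EXIT
    f="$work/prog"; : > "$f"
    mkdir "$work/shared" "$work/dropbox"

    chmod 4755 "$f";            suid=$(sym_mode_of "$f")            # rwsr-xr-x: SUID + owner x
    chmod 4644 "$f";            suid_nox=$(sym_mode_of "$f")        # rwSr--r--: SUID without x
    chmod 2775 "$work/shared";  sgid=$(sym_mode_of "$work/shared")  # rwxrwsr-x: SGID directory
    chmod 1777 "$work/dropbox"; sticky=$(sym_mode_of "$work/dropbox") # rwxrwxrwt: sticky directory

    echo "$suid $suid_nox $sgid $sticky"
}

special_bits_demo
```

The leading octal digit (4 = SUID, 2 = SGID, 1 = sticky) is the same one chmod accepts and find matches with -perm, so an inventory such as find / -xdev -type f -perm -4000 lists the SUID binaries on a host; comparing that list against a known baseline is a routine check for unexpected privilege escalation paths.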