How to manage permissions in Linux – guide for beginners

In Unix and Linux, there are many built-in security features. One such feature is related to files and who should be allowed to manipulate them. Since everything is a file in Unix and Linux, a potential security threat can arise if incorrect permissions are assigned to sensitive files, be it a directory, a device or a regular file. Each file on a system has access restrictions that control who can view, modify or execute it. The root user or superuser can access all files on a system. Every other user has some restrictions on specific files. This is to prevent such users from carrying out unauthorized operations on important files.
In this guide you will learn how to handle permissions, manage ownerships and restrict access to files and directories.

File permission types

Before delving deeper into the realm of file permissions using the terminal, let us see a simple file access restriction using a graphical user interface.

Using GUI

If you select a given file on your system and right-click on it , you will see the following pop-up :

Now click on the second tab which is entitled Permissions as shown below :

Linux file permissions

You can see that there are three types of user restrictions :

  • Owner (the user who created the file)
  • Group (the group the owner belongs to)
  • Others (all other users)

For any of his files, the owner has the ability to grant specific permissions or to restrict access to groups or other users.

In the example above, the owner has the access “Read and write”. The members of the group net2_admin have also the same access type. Other users however have “Read-only” access which means that they can only read/open the file, but they cannot modify it.

The owner can open the drop-down menu for each access type and assign the permission he sees fit for the corresponding group/user.


Using the terminal

Using the command line, you can find the permission settings of a file with the ls command. Using ls alone however does not give any information about the type of access of a given file since by default, ls command lists the names of files. By using the -l option you would be able to see additional information on files. Let’s run the command below :

ls -l

In the snapshot above, we can see the following information on each line:

1 The first character is either a ‘-’ or a ‘d’, where ‘-’ refers to a regular file and ‘d’ refers to a directory (we can also have a symbolic link, ‘l’).

2 The next nine characters (rwxr-xr-x) indicate the permission settings (-, r, w or x), where :

  • The first three characters (rwx) designate the owner permissions
  • The next set of three characters (r-x) designates the group permissions
  • The final set of three characters (r-x) designates the permissions of all other users.

See the following sections for more details.

3 The owner of the file is specified in the next column.

4 The following column designates the file owner’s group.

5 Next we find the size of the file in bytes.

6 The date and time at which the file was last modified is shown in this column.

7 Finally the filename is specified in the last column.

Permission types

For files : Each file (device, file) has basically three permission types:

read (r) – Read permission : when granted, the assignee (owner, user or group) can read the corresponding file content.

write (w) –Write permission : when granted, the assignee (owner, user or group) can modify the corresponding file.

execute (x) – Execute permission: allows the assignee (owner, user or group) to execute a file.

dash (-) : Unassigned permission : shows that a particular permission has not been granted.

For directories : The same three permissions control different actions on a directory than on regular files or devices (nodes) :

read (r) – Read permission : controls whether assignees can view the contents of the directory, i.e. with the ls command.

write (w) – Write permission : controls whether assignees can create or delete files in the directory.

execute (x) – Execute permission : controls whether assignees can change into the directory, i.e. with the cd command.


Let’s return to our snapshot above and try to decipher the permissions of the file lion.

This reads :

rw-rw-r--

This can be explained simply as follows:

owner = Read & Write (rw-)

group = Read & Write (rw-)

other users = Read (r--)

In other words: the file’s owner (net2_admin) has permission to both read and write to the file. The group (net2_admin) has permission to both read and write to the file as well. All other users have permission only to read it. Since it is not a program, neither the owner, the group nor other users have permission to execute it.

You might want to compare this with the popup that we displayed earlier when we used GUI.

In a nutshell a permission -rwxr--r-- can be explained as follows :

Modifying Permissions

The command chmod is used to modify the permissions of files and directories with either letters or numbers. Used incorrectly, it can create security issues, because some files have restrictive standard permissions precisely so that unauthorized access is not allowed. For instance, some files that are accessed/used by the kernel do not have read/write permissions for normal users.

For example the file rsyslog.conf below :

Has the following permissions :

owner = Read & Write (rw-)

group = Read (r--)

other = Read (r--)

Whereas the permissions of the file below (shadow) do not allow other users to even read it :



Using chmod with numbers

The basic syntax of the command chmod is :

chmod {options} file_name

Where options can take on any of the values below :

Since the owner, the group and others are represented by three numbers, you need to read from the options column above the values which match the required type of access and then add them up.

Example 1 :

To clarify this, let’s study an example of a chmod command to assign the permission rw-r--r-- :

chmod 644 lion.jpg

The 644 means the following :

6 : For the owner, we need a Read(4) + Write(2) permissions. These will add up to 6

4 : For the group, we require a Read(4) only permission. This will remain 4

4 : For other users, we require a Read(4) only permission. This will remain 4

Example 2 :

As a second example, let us assign the permission -rw-rw-rwx to our file lion.jpg :

chmod 667 lion.jpg

6 : For the owner, we need a Read(4) + Write(2) permissions. These will add up to 6

6 : For the group, we need a Read(4) + Write(2) permissions. These will add up to 6

7 : For other users, we require a Read(4) + Write(2) + Execute(1) permissions. These will add up to 7.

Example 3

Let’s consider another example in which we assign the permission rwxr--r-- to the file lion.jpg :

chmod 744 lion.jpg

7 : For the owner, we require a Read(4) + Write(2) + Execute(1) permissions. These will add up to 7.

4 : For the group, we require a Read(4) only permission. This will remain 4

4 : For other users, we require a Read(4) only permission. This will remain 4

Example 4

To assign the permission r-x---w- to the file lion.jpg :

chmod 502 lion.jpg

5 : For the owner, we require a Read(4) + Execute(1) permissions. These will add up to 5.

0 : For the group, we require no permissions.

2 : For other users, we require a Write(2) only permission. This will remain 2

The table below summarizes the additions of these values :

Using chmod with symbolic mode

Using symbolic mode is completely different from using numbers and is not so straightforward to implement for beginners. The syntax is the following :

[ugoa…][[+-=][rwxXstugo…]…]

[ugoa…] : This group of characters specifies the assignees of the new permissions, i.e. to whom the new permissions should apply:

– u : For the user
– g : For the group
– o : For others
– a : For all of the above (u+g+o)

[+-=] : This group of symbols is used to add permissions to or subtract them from the existing permissions, as well as to set permissions:

(+) : Used to add the permission to the existing ones

(-) : Used to subtract the permission from the existing ones

(=) : Sets the permissions to the desired value. The object will therefore have exactly this value as its permission.

[rwxXstugo] : This third and last group of symbols defines the permission to assign. There are additional values besides the rwx ones. These are:

– X : Used to assign execute permission, but only if the file is :
    – a directory, or
    – a file that already had execute permission
– s : Sets the user ID (UID) or group ID (GID) on execution
– t : To save program text (the sticky bit)
– u : The permissions currently granted to the owner of the file (the user who owns the file)
– g : The permissions currently granted to the users who are members of the file’s group
– o : The permissions currently granted to the users who do not belong to either of the two preceding categories

Let’s study some examples to get the concept.

Example 1:

Say we want to grant execute permission to everyone (“other”) for file lion.jpg, we should write :

chmod o+x lion.jpg

where o stands for ‘others’ and the (+) says that we are adding a permission and finally, you guessed it, we are adding execute permission. This results in the new permission rwx-----x instead of the previous one, rwx------ .

Example 2:

Let’s consider the command :

chmod o-wx lion.jpg

Where we want to revoke the wx permissions from others :

As you can see, the new permission results in rwx------ .

Example 3:

The following command

chmod ugo+rwx lion.jpg

Will grant all possible permissions to all:

The new permission is now rwxrwxrwx .

Adding multiple permissions

It is also possible to grant many permissions at once. For instance, the command :

chmod g+x,o+x lion.jpg

Will grant Execute permission to the group and also to other users.
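The effect of each operator depends on the mode the file already has, which is easiest to see by applying a clause to a known starting mode and reading the result back. The script below is an added example, not part of the original article: apply_symbolic and show are hypothetical helpers, the starting modes are chosen for illustration, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: how +, -, = and X change an existing mode (GNU stat assumed).

# apply_symbolic START_OCTAL CLAUSE [dir]
# Creates a scratch file (or a directory when the third argument is "dir"),
# sets START_OCTAL on it, applies CLAUSE, and prints the resulting
# permission string without the leading file-type character.
apply_symbolic() {
    workdir=$(mktemp -d) || return 1
    target="$workdir/scratch"
    if [ "${3:-file}" = "dir" ]; then mkdir "$target"; else : > "$target"; fi
    chmod "$1" "$target"                 # known starting point
    chmod "$2" "$target"                 # the symbolic clause under test
    perms=$(stat -c '%A' "$target")      # e.g. -rwx-----x
    rm -rf "$workdir"
    printf '%s\n' "${perms#?}"
}

show() {
    printf '%-4s %-9s %-4s -> %s\n' "$1" "$2" "${3:-file}" "$(apply_symbolic "$@")"
}

show 700 o+x            # Example 1: add execute for others
show 701 o-wx           # Example 2: revoke write and execute from others
show 700 ugo+rwx        # Example 3: everything for everyone
show 600 g+x,o+x        # several clauses separated by commas
show 777 go=r           # "=" replaces, it does not add: group and others end up read-only
show 750 o=g            # copy the group's current permissions to others
show 644 a+X            # X on a file without any execute bit: nothing changes
show 744 a+X            # X on a file that already has an execute bit
show 644 a+X dir        # X on a directory: always applies
```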

Changing permissions recursively

The command chmod has an option ‘-R’ which enables users to assign permissions to each file and directory within a specified directory. For instance :

chmod 777 -R /path_to_directory

To change the permission of only files within a given directory, you can use the command below :

find /path_to_directory -type f -print0 | xargs -0 chmod 644

To change the permission of directories only within a specified directory, run the command :

find /path_to_directory -type d -print0 | xargs -0 chmod 755

Note that the common permission for a file is 644 whereas that for a directory is 755.
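A recursive 777 leaves every entry writable by all users, so it is worth checking a tree for that state and resetting it with the two find commands above. The script below is an added example, not part of the original article: the function names and the sample tree are constructed for illustration, and GNU find, xargs and stat are assumed.

```shell
#!/bin/sh
# Added example: audit a tree after a blanket "chmod -R 777", then repair it.

# Print every file or directory under $1 that "others" may write to.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# Reset a tree to the defaults named above: 755 for directories, 644 for files.
# -r (GNU xargs) skips chmod when find matched nothing.
reset_tree_modes() {
    find "$1" -type d -print0 | xargs -0 -r chmod 755
    find "$1" -type f -print0 | xargs -0 -r chmod 644
}

# Constructed sample tree, built in a temporary directory.
build_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/site/uploads"
    : > "$root/site/index.html"
    : > "$root/site/uploads/photo with space.jpg"
    printf '%s\n' "$root"
}

# Prints "<world-writable before> <world-writable after> <file mode> <dir mode>".
demo() {
    tree=$(build_sample_tree) || return 1
    chmod -R 777 "$tree/site"
    before=$(list_world_writable "$tree/site" | wc -l | tr -d ' ')
    reset_tree_modes "$tree/site"
    after=$(list_world_writable "$tree/site" | wc -l | tr -d ' ')
    fmode=$(stat -c '%a' "$tree/site/uploads/photo with space.jpg")
    dmode=$(stat -c '%a' "$tree/site/uploads")
    rm -rf "$tree"
    echo "$before $after $fmode $dmode"
}

demo
```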

Cloning permissions from one file to another

To copy the permissions of one file to another, you can use the reference option of the chmod command. As an example, let’s clone the permissions of file1 to file2 using the following command:

chmod --reference=file1 file2

As you can see in the snapshot above, the file tst.txt now has the same permission, i.e. -w--wx-wx, as the file lion.jpg, after it initially had the value rw-r--r--


Changing file ownership

To change the ownership of a file, you can use two commands: chown and chgrp. The chown command makes it easy to change the owner of a file, whereas chgrp enables users to change the group of a file.

chown

The syntax of chown command is the following :

chown options User[.Group] File

User : Username or user ID (UID) of the new owner.
Group : New group’s name or group ID (GID).
File(s) : Name of one or more files or directories (or links).

If only the user is provided, it will become the owner of the file(s). If the user specified is followed by a colon sign ‘:’, i.e. ‘user:’, it will become the owner of the file(s) and the user’s login group will take group ownership of the file(s).

If however both user and group are provided, i.e. ‘user:group’, the user and group ownership of the file(s) are changed to the specified user and group respectively.

If the group is prefixed with a colon, i.e. ‘:group’, and the user is omitted, then only the group ownership of the file(s) is changed to the specified group.

Note that only the root user or a user with sudo privileges can change the owner of a file.


Changing the owner of a file

Let’s now take an example in which we change the owner of a file using the simplest form of the chown command :

chown USER FILE

To change the ownership of a file with the name myfile to a new owner named net2_adm, run the command below:

chown net2_adm myfile

It is also possible to change the ownership of several files or directories. This can be achieved by space separating them. The command below for instance changes the ownership of a file with the name myfile and directory mydirectory to a new owner net2_adm:

chown net2_adm myfile mydirectory

As mentioned above, you can also specify the UID instead of the username.

Changing the group of a file

Changing the group of a file only can be done by using chown followed by a colon (:) and the name of the new group along with the file:

chown :new_group myfile

For instance the command below will change the group owner to normal_users of a file myfile:

chown :normal_users myfile

The group ownership can be changed using chgrp as shown further below.

Changing the owner and the group of a file

The command below will change the owner and the group of a file. Make sure not to input spaces though :

chown USER:GROUP FILE

As an example, let’s change the ownership of a file with the name myfile to a new owner net2_adm and group admins:

chown net2_adm:admins myfile

Changing file ownership recursively

The -R switch of chown allows you to recursively manage ownership through subdirectories and files. This is written as follows :

chown -R user:group directory

For instance the example below :

sudo chown -R net2_adm:admins documents

This will change the ownership of directory documents along with files and subdirectories therein to user net2_adm and group admins.

Cloning group and user ownerships

Much like the chmod command, chown can assign to a specified file the same user and group ownership as a provided reference file. The command goes as follows :

chown --reference=reference_file file

For instance, the command below will assign the user and group ownership of first_file to second_file :

chown --reference=first_file second_file

chgrp

While chown command allows you to change both user and group ownerships, the chgrp command is used to only change the group ownership.

The chgrp command has the following syntax :

chgrp [options] new_group file(s)

Where new_group is the name of the new group or its group ID (GID), and file(s) is the name of one or several files. If you want to use a GID, you would need to prefix it with the + sign.

For instance, to modify the group of the file my_file to admins, run the command below:

chgrp admins my_file

To consider multiple files, use the command as follows:

chgrp admins first_file first_directory second_directory second_file

As was the case with chown, you can also recursively modify the group ownership of all files and subdirectories by using the -R option.

Conclusion

All users, both beginners and advanced, should grasp the concept of permissions in Linux and learn how to manage permissions and ownerships of Linux files and directories. This can be achieved by using basic commands like chmod, chown and chgrp.

You have seen how to modify permissions using the Linux chmod command with both numbers and symbolic mode. You have also learned how to change file ownership using chown and chgrp.

We hope that this article has helped you better understand file permissions in Linux.



ziad nahdy

Ziad Nahdy, fan of open source and programming languages. He is a technical writer, blogger and Linux enthusiast. He loves to read and help others with their problems. He is addicted to open source software but he also loves other technology related subjects.
