File Permissions in Linux
Overview
Linux is an open-source operating system that is widely used for servers, desktops, and embedded devices. One of its key features is its security and permissions model, which is based on users and groups. A good understanding of the Linux users and permissions model is essential for system administrators and users who want to control access to files and directories.
Introduction
In Linux, each file and directory has an owner and a particular set of permissions. The owner is the user who created the file or directory and has the right to determine who can read, write, or execute it. The Linux users and permissions model is designed to provide a secure and controlled environment in which users can access and modify files and directories according to the privileges they have.
Linux File Ownership
Controlling access to sensitive data and ensuring that only authorized users can edit or view files depend on the file ownership and permission system. Linux users can safeguard their data and keep their systems secure by understanding how file ownership and permissions function in the operating system.
Based on the ownership, we can categorize the Linux file owners into 3 categories:
- User
- Groups
- Others
Now, let's understand each of them in detail:
User
The user refers to the owner of the file or the one who has created the file. The user category is denoted by the username of the owner. Only the owner of the file has the right to modify or delete the file by default.
Groups
The group refers to a group of users who have the same permissions to access the file. The group category is denoted by the group name of the users. Consider a project where several people need access to a file. You could add all users to a group and give the group read/write access to all files instead of giving each user their own individual permissions. This would prevent anyone outside of the group from reading or changing the files and also will reduce the time for manually adding permissions to each user.
Others
The others category refers to all users who are neither the owner of the file nor a member of its group. The others category is denoted by the keyword "others". By default, other users have no permission to access the file. Hence, the permissions set for others are also referred to as the permissions for the outside world.
Linux File Permissions
File Permissions in Linux refer to the access rights assigned to files and directories in the Linux operating system. These file permissions in Linux can be used to control the ability of users and processes to read, write, and execute files on the system.
Three basic types of permissions can be assigned to a file or directory in Linux:
- Read permission (r): grants the user or the group the ability to view the contents of a file or directory.
- Write permission (w): grants the user or group the ability to modify or delete a file or directory. Users or a group with write permission on a directory can add, remove, and rename the files stored in it. Think about a situation where the user has write access to a file but not to the directory where it is stored: the contents of the file can be changed, but the user cannot rename the file, move it, or delete it from the directory.
- Execute permission (x): grants the user or group the ability to execute a file or to change into (enter) a directory. If the read and write permissions are set, you might still be able to view and modify a program's code without the execute permission, but in Linux you won't be able to run it.
How to Manage Ownership and Groups?
Now that we know what ownership and file permissions in Linux are, let's take a look at how we can manage ownership and groups for a particular file or directory. Let's take as an example a directory we have made named docs. First, let's display the permissions, group, and owner associated with the directory using the ls -l command.
The permissions associated with the directory show up as drwxr-xr-x. In this output:
- d represents a directory
- r represents read permission
- w represents write permission
- x represents execute permission
- - represents no permission
rwxr-xr-x can be broken down in three parts here:
- First part rwx indicates that the user root (the owner) can perform read, write, and execute operations.
- Second part r-x indicates that the members of the group root can perform read and execute operations.
- Third part r-x indicates that all other users can perform read and execute operations.
Now let’s make a text file and display all the permissions for the particular file named myFile1.
The output code -rw-r--r-- can be broken down into these parts here:
- The leading - indicates a regular file (as opposed to d for a directory).
- First part rw- indicates that the user root (the owner) can perform read and write operations.
- Second part r-- indicates that the members of the group root can perform read operations.
- Third part r-- indicates that all other users can perform read operations.
Let us take an example where we are changing the user/owner associated with the file. We will be using the chown command.
Now the owner of the file shows as the user taran.
Let's add the owner group for this file using the same command.
Now the owning group of the file shows as myGroup.
Now, let's add both the owner and group in one go.
Now we have made root both the owner and the owning group of myFile1.
There is also a specific chgrp command for changing the owner group of a particular file, the syntax is simple:
Hence, myGroup is now the owning group of our file. So far we have seen examples of changing the owner and the group of a particular file.
How to Manage Permissions?
Now, let's take a look at some examples of how we can manage permissions for a particular resource. We will be using the chmod command to set permissions on a file.
Let's take some examples where we manage the permissions of a file using the chmod command.
Example 1
In this example, we are changing the user permission of a file by setting the numeric values to the file.
Output:
Here we have given read, write, and execute permissions to the root user, the myGroup group, and all other users.
Example 2
In this example, we are changing the permissions of a file by setting the file permissions for the user, the group, and others.
Output:
Here we have again given read, write, and execute permissions to the root user, the myGroup group, and all other users, this time using the other form of the command.
Managing Permissions in Absolute Mode in Linux
Linux provides the absolute (numeric) mode as a means of modifying file and directory permissions. In this mode each file permission (read, write, and execute) is given a number, and the permissions are set using numerical values.
In Linux, there are three different kinds of permissions: read, write, and execute. Each of them has a corresponding numerical value: read (4), write (2), and execute (1). The level of permission for a file is determined by adding the values of its permissions.
Each access level (read, write, execute) has an octal value:

| Access level | Octal value |
|---|---|
| Read | 4 |
| Write | 2 |
| Execute | 1 |

Each entity has a particular position in the three-digit code:

| Entity | Position |
|---|---|
| User | left |
| Group | middle |
| Other | right |
Now, let's take a look at some examples of how to set the file permissions using numeric mode in Linux.
Example 1
In this example, we are changing the user permission of a file by using the octal values.
Output:
Let's break down the octal value 741 we have provided:
- The first digit, 7, specifies the permissions for the owner of the file. In this case, the owner has read, write, and execute permissions (4 + 2 + 1 = 7).
- The second digit, 4, specifies the permissions for the group that the file belongs to. In this case, the group has read permission only (4).
- The third digit, 1, specifies the permissions for all other users. In this case, all other users have execute permission only (1).
In summary, after running the command chmod 741 myFile1, the file myFile1 will have the following permissions:
- The owner of the file will have read, write, and execute permissions.
- The group that the file belongs to will have read permission only.
- All the other users will have execute permission only.
Example 2
In this example, we are changing the user permission for a directory by using the octal values.
Output:
Let's break down the above statement:
- The -R option means that the command will be applied recursively to all files and subdirectories within the docs directory.
- The 444 specifies the permission for all users, including the owner, group, and other users. In this case, all users will have read-only permissions (4 = read).
Therefore, after running the command chmod -R 444 docs, all files and subdirectories within the docs directory will have the following permissions:
- The owner of the file or directory will have read-only permission.
- The group of the file or directory will have read-only permission.
- All other users will have read-only permission.
Note that a directory needs the execute bit to be entered or searched, so after this command even the owner (unless root) can no longer cd into docs or open the files inside it by path until execute permission on the directories is restored.
Managing Permissions in Symbolic Mode in Linux
In Linux, we can also set permissions in symbolic mode by combining letters and symbols. The symbols denote the action to be taken (+ to add a permission, - to remove a permission, and = to set the permissions exactly), while the letters denote whose permissions are affected (u for the owner, g for the group, o for others, and a for all).
Each access level (read, write, execute) has a symbol:

| Access level | Symbol |
|---|---|
| Read | r |
| Write | w |
| Execute | x |

Each entity has a symbol:

| Entity | Symbol |
|---|---|
| User | u |
| Group | g |
| Other | o |

The following operators are used to manipulate the permissions:

| Task | Operator |
|---|---|
| Grant access | + |
| Remove access | - |
| Set a level of access | = |
Now, let's take a look at some examples of how to set the file permissions using symbolic mode in Linux.
Example 1
In this example, we are adding the permissions to the file for the user using symbolic mode syntax.
Output:
Let's break down the above command:
In this specific command, u stands for user which means that the command will modify the permissions for the owner of the file. r, w, and x are shorthand for read, write, and execute, respectively. Therefore, the u+rwx part of the command means that the owner of the file will be granted read, write, and execute permissions.
Example 2
In this example, we are removing permissions from a file for all users using symbolic mode.
Output:
Let's break down the above statement:
In this specific command, a stands for all (owner, groups, and others), and -rwx stands for removing read, write, and execute permissions from all users, groups, and others. Therefore, the a-rwx part of the command means that all users and groups will have their read, write, and execute permissions revoked.
By running this command, all users and groups will be denied access to the file myFile1. This means that no one will be able to read, write, or execute the file, regardless of their current permissions and ownership status.
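As an added example (not part of the article), the following Python models the mode bits behind the sections above: decoding an ls -l mode string such as drwxr-xr-x, rendering an absolute mode such as 741, applying symbolic clauses such as u+rwx and a-rwx, and replaying the article's chmod steps on a scratch file. The file name myFile1 comes from the article; the scratch directory is created by the example itself.

```python
"""Added example, not from the article: model the mode bits that ls -l shows
and that chmod sets in absolute (octal) and symbolic mode."""
import os
import stat
import tempfile

BITS = {"r": 4, "w": 2, "x": 1}     # access level -> octal value, as in the article's table
SHIFT = {"u": 6, "g": 3, "o": 0}    # entity -> bit position: user left, group middle, other right

def decode_mode(mode_str):
    """Split an ls -l mode string such as 'drwxr-xr-x' into file type and triads."""
    kind = {"d": "directory", "-": "regular file", "l": "symlink"}.get(mode_str[0], "other")
    return {"type": kind, "user": mode_str[1:4], "group": mode_str[4:7], "other": mode_str[7:10]}

def octal_to_rwx(digits):
    """Absolute mode as typed to chmod ('741') -> 'rwxr----x', one triad per digit."""
    return "".join("".join(ch if int(d) & v else "-" for ch, v in BITS.items()) for d in digits)

def apply_symbolic(mode, clause):
    """Apply one chmod symbolic clause ('u+rwx', 'a-rwx', 'go=r') to an integer mode."""
    n = 0
    while n < len(clause) and clause[n] in "ugoa":
        n += 1
    who, op, perms = clause[:n] or "a", clause[n], clause[n + 1:]
    who = "ugo" if "a" in who else who
    bits = sum(BITS[p] for p in perms)
    for entity in who:
        shift = SHIFT[entity]
        current = (mode >> shift) & 7
        new = {"+": current | bits, "-": current & ~bits, "=": bits}[op]
        mode = (mode & ~(7 << shift)) | (new << shift)
    return mode

def chmod_walkthrough():
    """Replay the article's chmod steps on a scratch file (created here) and return
    the mode string, as ls -l would print it, after each step."""
    seen = []
    with tempfile.TemporaryDirectory() as scratch:
        path = os.path.join(scratch, "myFile1")       # file name taken from the article
        open(path, "w").close()
        for mode in (0o644,                           # a fresh -rw-r--r-- file
                     int("741", 8),                   # chmod 741 myFile1
                     apply_symbolic(0o644, "u+rwx"),  # chmod u+rwx myFile1 (from -rw-r--r--)
                     apply_symbolic(0o744, "a-rwx")): # chmod a-rwx myFile1
            os.chmod(path, mode)
            seen.append(stat.filemode(os.stat(path).st_mode))
    return seen  # ['-rw-r--r--', '-rwxr----x', '-rwxr--r--', '----------']
```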
Special Permissions and Access Control Lists
In addition to the fundamental read, write, and execute permissions, Linux has special permission bits and access control lists (ACLs) for more sophisticated control over file and directory access.
Special permissions consist of:
- SetUID (SUID): a user who executes the file runs it with the same rights as the file's owner.
- SetGID (SGID): a user who executes the file runs it with the same rights as the file's owning group.
ACLs in Linux provide finer-grained control over access to files and directories. ACLs allow you to grant permissions to specific users and groups beyond the basic owner, group, and others categories.
Example 1
To view the ACLs of a file or directory, you can use the getfacl command. The output will display the ACLs in the following format:
Output:
- The user::--- indicates that the file owner (in this case, root) has no permission for reading, writing, or executing the file.
- The group::--- line indicates that the group members (in this case, myGroup) have no permission for reading, writing, or executing the file.
- The other::--- line indicates that all the other users who are not the file owner or members of the group have no permission for reading, writing, or executing the file.
Example 2
To add an ACL entry, we can use the setfacl command followed by the user or group name and the desired permissions.
Output:
Here is a breakdown of the above command:
- setfacl: sets or modifies the ACL of a file or directory.
- -m: modifies an existing ACL entry or adds a new one.
- u:taran: specifies the user for which the new ACL entry will be created; in this case, the entry is created for the user taran.
- rwx: specifies the permissions that the user taran will have on the file: read (r), write (w), and execute (x).
- myFile1: the name of the file to which the ACL entry will be applied.
Hence, after the above command, the user taran has read, write, and execute permissions on myFile1.
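As an added example (not part of the article), this Python parses getfacl output and works out what a given user can actually do with the file, including the mask:: entry that setfacl creates alongside named entries and that caps every entry except the owner's and other's. The sample output is constructed to match the article's myFile1, root, myGroup and taran.

```python
"""Added example, not from the article: parse getfacl output and compute a
user's effective permissions, honouring the ACL mask entry setfacl adds."""

# Constructed sample of getfacl output for the article's myFile1 after
#   chmod a-rwx myFile1; setfacl -m u:taran:rwx myFile1
# setfacl also creates the mask:: line; it caps named users, the owning group
# and named groups, but never the owner (user::) or other:: entries.
SAMPLE = """\
# file: myFile1
# owner: root
# group: myGroup
user::---
user:taran:rwx
group::---
mask::rwx
other::---
"""

def parse_getfacl(text):
    """Return (header dict, {(tag, qualifier): set of perms}) from getfacl's text."""
    header, entries = {}, {}
    for raw in text.splitlines():
        line = raw.split("#effective:")[0].strip()   # drop getfacl's effective-rights hint
        if raw.startswith("# "):                      # '# owner: root' style header line
            key, _, value = raw[2:].partition(": ")
            header[key] = value
        elif line:
            tag, qualifier, perms = line.split(":")   # e.g. 'user:taran:rwx'
            entries[(tag, qualifier)] = set(perms) - {"-"}
    return header, entries

def effective_perms(header, entries, user, groups=()):
    """Permissions `user` (a member of `groups`) gets, in POSIX ACL check order:
    owner entry, named user entry, owning/named group entries, other entry."""
    mask = entries.get(("mask", ""), {"r", "w", "x"})
    if user == header["owner"]:
        return entries[("user", "")]                  # owner entry is never masked
    if ("user", user) in entries:
        return entries[("user", user)] & mask
    group_perms, matched = set(), False
    for g in groups:
        if g == header["group"] or ("group", g) in entries:
            key = ("group", "") if g == header["group"] else ("group", g)
            group_perms |= entries[key]
            matched = True
    if matched:
        return group_perms & mask                     # a group match never falls through to other
    return entries[("other", "")]
```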
Conclusion
- In this article, we learned about the Linux file ownership and permissions model.
- We learned about Linux file ownership.
- Based on the ownership, we learned about users, groups, and others.
- We understood Linux file permissions: read, write, and execute.
- We understood how to manage ownership, groups, and permissions.
- We discussed the absolute (numeric) mode and the symbolic mode in Linux.
- Finally, we learned about special permissions and access control lists.