Demystifying Linux File Permissions

Linux file permissions are a cornerstone of its security model, dictating who can read, write, or execute files and directories. Understanding them is crucial for system administrators, developers, and even regular users to maintain a secure and functional system. This guide will break down the core concepts and common commands.

The Basics: Users, Groups, Others (UGO) and Permissions (rwx)

Every file and directory in Linux has an owner user, an owner group, and permissions for three distinct categories:
1. User (u): The owner of the file.
2. Group (g): Members of the file's owner group.
3. Others (o): Everyone else on the system.

For each of these categories, there are three basic permissions:
  • Read (r):
* For files: Ability to view the file's content.
* For directories: Ability to list the directory's contents (filenames).
  • Write (w):
* For files: Ability to modify or delete the file.
* For directories: Ability to create, delete, or rename files within the directory.
  • Execute (x):
* For files: Ability to run the file (if it's a script or executable program).
* For directories: Ability to enter or traverse the directory.

These permissions are often represented by letters (r, w, x) or their numerical (octal) equivalents:
  • r = 4
  • w = 2
  • x = 1
  • - (no permission) = 0

Reading Permissions with ls -l

The ls -l command provides a long listing of files and directories, including their permissions.

Bash:
ls -l

Example output:
Code:
-rw-r--r-- 1 user group  1024 Jan  1 10:00 myfile.txt
drwxr-xr-x 2 user group  4096 Jan  1 10:05 mydirectory/

Let's dissect the first column (-rw-r--r--):

1. First character (- or d): Indicates the file type.
* -: Regular file
* d: Directory
* l: Symbolic link
* c: Character device
* b: Block device
* p: Named pipe
* s: Socket
2. Next nine characters (rw-r--r--): These are the permissions, grouped into three sets of three.
* rw-: Permissions for the User (owner). Here, the owner has read and write permissions, but not execute. (4+2+0 = 6)
* r--: Permissions for the Group. Here, the group has only read permission. (4+0+0 = 4)
* r--: Permissions for Others. Here, others also have only read permission. (4+0+0 = 4)

So, for myfile.txt, the permissions in octal are 644.

Changing Permissions with chmod

The chmod (change mode) command is used to modify file and directory permissions. It can be used in two main ways: symbolic mode or octal mode.

1. Symbolic Mode

This mode uses u, g, o, a (all) for categories and +, -, = for operations.
  • +: Add a permission
  • -: Remove a permission
  • =: Set permissions exactly

Examples:
  • chmod u+x myfile.sh: Add execute permission for the owner.
  • chmod g-w myfile.txt: Remove write permission for the group.
  • chmod o=r mydirectory/: Set others' permission to only read.
  • chmod a+rwx mypublicfile.txt: Give read, write, execute to all (user, group, others).
  • chmod u=rw,go=r myfile.txt: Set owner to read/write, group/others to read.

2. Octal Mode

This is often preferred for its conciseness. You sum the numerical values (r=4, w=2, x=1) for each UGO category.

Common Octal Permissions:
  • 777: rwxrwxrwx (read, write, execute for everyone - generally unsafe for files)
  • 755: rwxr-xr-x (owner rwx, group rx, others rx - common for directories and scripts)
  • 644: rw-r--r-- (owner rw, group r, others r - common for files)
  • 600: rw------- (owner rw, no access for group/others - private files)

Examples:
  • chmod 755 myscript.sh: Make a script executable for owner, readable/executable for group/others.
  • chmod 640 myprivatefile.txt: Owner can read/write, group can read, others have no access.
  • chmod 700 mysecretfolder/: Owner has full access, no one else can even list contents.

Changing Ownership with chown and chgrp

  • chown (change owner): Changes the owner user and/or owner group of a file.
* chown newuser myfile.txt: Change owner to newuser.
* chown :newgroup myfile.txt: Change group to newgroup (owner remains same).
* chown newuser:newgroup myfile.txt: Change both owner and group.
* chown -R newuser:newgroup mydirectory/: Recursively change owner/group for a directory and its contents.
* *Note: Only root can change the owner of a file.*
  • chgrp (change group): Specifically changes the owner group of a file.
* chgrp newgroup myfile.txt: Change the group to newgroup.
* chgrp -R newgroup mydirectory/: Recursively change group for a directory.
* *Note: A non-root user can only change a file's group to a group they are a member of.*

Special Permissions

Beyond rwx, there are three special permissions that change how a file or directory behaves, each with direct security implications:

1. SetUID (SUID):
* Applies to executable files.
* When an SUID file is executed, it runs with the permissions of the file's owner, not the user who ran it.
* Represented by s in the owner's execute position (rwsr-xr-x). If execute isn't set, it's S.
* Octal value: 4000
* Example: passwd command, which allows users to change their password by writing to /etc/shadow (owned by root, only writable by root).
* chmod 4755 /usr/bin/some_tool

2. SetGID (SGID):
* Applies to executable files: Similar to SUID, but the program runs with the permissions of the file's owner group.
* Applies to directories: New files/subdirectories created within an SGID directory automatically inherit the parent directory's group rather than the primary group of the user who created them. This is very useful for shared directories.
* Represented by s in the group's execute position (rwxr-sr-x). If execute isn't set, it's S.
* Octal value: 2000
* chmod 2775 /shared_project_folder

3. Sticky Bit:
* Applies only to directories.
* When applied to a directory, users can create files within it, but they can only delete or rename files they own (even if they have write permission to the directory). This prevents users from deleting others' files in a shared writable directory.
* Represented by t in the others' execute position (rwxrwxrwt). If execute isn't set, it's T.
* Octal value: 1000
* Example: /tmp directory, where anyone can create files, but not delete files created by others.
* chmod 1777 /public_upload_area

Applying Special Permissions with chmod:
You prepend the octal value for the special permission to the standard three-digit octal permission.
  • chmod 4755 myscript.sh (SUID)
  • chmod 2770 shared_docs/ (SGID on directory)
  • chmod 1777 /tmp_folder/ (Sticky Bit)
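To tie the ls -l mode field back to the octal numbers chmod takes, including the s/S and t/T letters described above, here is a small POSIX shell function (an added example, not part of the original post) that converts a 10-character mode string into its octal form. The sample mode strings at the end are constructed.

```shell
#!/bin/sh
# Convert the 10-character mode field from `ls -l` (for example -rwsr-xr-x)
# into the octal form chmod accepts (4755). Handles s/S (SUID, SGID) and
# t/T (sticky bit); the capital letter means the underlying execute bit is
# NOT set. Added example, not part of the original post.
mode_to_octal() {
    mode=$1
    case "$mode" in
        ??????????) ;;   # exactly ten characters: file type + nine permission chars
        *) printf 'mode_to_octal: expected a 10-character mode, got "%s"\n' "$mode" >&2
           return 1 ;;
    esac
    special=0 digits="" n=0 i=2   # position 1 is the file type; skip it
    while [ "$i" -le 10 ]; do
        c=$(printf '%s' "$mode" | cut -c"$i")
        case "$c" in
            r) n=$((n + 4)) ;;
            w) n=$((n + 2)) ;;
            x) n=$((n + 1)) ;;
            -) ;;
            s|S)   # only valid in the user (4) or group (7) execute slot
                if   [ "$i" -eq 4 ]; then special=$((special + 4))   # SUID
                elif [ "$i" -eq 7 ]; then special=$((special + 2))   # SGID
                else printf 'mode_to_octal: "%s" not allowed at position %d\n' "$c" "$i" >&2; return 1
                fi
                if [ "$c" = s ]; then n=$((n + 1)); fi ;;
            t|T)   # only valid in the others execute slot (10)
                if [ "$i" -ne 10 ]; then
                    printf 'mode_to_octal: "%s" not allowed at position %d\n' "$c" "$i" >&2; return 1
                fi
                special=$((special + 1))
                if [ "$c" = t ]; then n=$((n + 1)); fi ;;
            *) printf 'mode_to_octal: unexpected character "%s"\n' "$c" >&2; return 1 ;;
        esac
        if [ $(( (i - 1) % 3 )) -eq 0 ]; then   # positions 4, 7, 10 close a triplet
            digits="$digits$n"; n=0
        fi
        i=$((i + 1))
    done
    if [ "$special" -eq 0 ]; then printf '%s\n' "$digits"
    else printf '%s%s\n' "$special" "$digits"
    fi
}

# Constructed sample modes (the ones discussed above) with their octal form.
for m in -rw-r--r-- drwxr-xr-x -rwsr-xr-x drwxr-sr-x drwxrwxrwt; do
    printf '%-10s -> %s\n' "$m" "$(mode_to_octal "$m")"
done
```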

Best Practices

  • Principle of Least Privilege: Grant only the necessary permissions. Don't give 777 unless absolutely required and understood.
  • Default Permissions: Understand your system's umask (user file-creation mask), which determines default permissions for new files and directories.
  • Directories vs. Files: Remember that x means "traverse" for directories and "execute" for files. w for directories means "create/delete files," not "modify directory name."
  • Regular Audits: Periodically review permissions on critical files and directories, especially after software installations or user changes.
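As an added example (not from the original post) for the umask and regular-audit points above: the helpers below compute the default mode a given umask yields, and list world-writable files, shared-writable directories lacking the sticky bit, and SUID/SGID files under a directory tree. The function names are my own and assume only POSIX sh and find.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for the "umask" and
# "regular audits" best practices. Function names are my own.

# Default mode for a new file or directory under a given umask. The kernel
# starts from 666 (files) or 777 (directories) and clears the umask bits.
umask_default() {    # usage: umask_default 022 file|dir   -> 644 / 755
    case "$2" in
        file) base=0666 ;;
        dir)  base=0777 ;;
        *) echo "umask_default: second argument must be 'file' or 'dir'" >&2; return 1 ;;
    esac
    printf '%03o\n' "$((base & ~0$1))"
}

# Regular files under $1 that any user on the system can modify.
world_writable_files() {
    find "$1" -type f -perm -0002 2>/dev/null
}

# World-writable directories under $1 without the sticky bit, i.e. shared
# locations where any user could delete or rename other users' files.
unprotected_shared_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# Files under $1 that run as their owner (SUID) or group (SGID); every entry
# should be known and justified, so a new one after a package install stands out.
setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Print a short report for one tree, e.g. `sh audit.sh /usr/local` (constructed path).
audit_report() {
    m=$(umask)
    echo "umask $m: new files get $(umask_default "$m" file), new directories $(umask_default "$m" dir)"
    echo "--- world-writable files under $1 ---";           world_writable_files "$1"
    echo "--- shared dirs without sticky bit under $1 ---"; unprotected_shared_dirs "$1"
    echo "--- SUID/SGID files under $1 ---";                setid_files "$1"
}

if [ $# -gt 0 ]; then audit_report "$1"; fi
```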

Mastering Linux permissions is fundamental for maintaining a secure and stable environment. Take your time to practice with these commands in a safe environment, and you'll quickly become proficient.
 
