There are plenty of features that make Linux special, but one of them that makes it so secure is its permissions system. You can have fine-grain control over all the files in your system and assign permissions to users, groups, and everyone else. The terminal utility “chmod” helps you control all the permissions on your system, so it’s vital to know how chmod works in order to get the most use out of this feature, especially if you’re planning on building your own Linux server.
There’s plenty of information that you’ll need to know in order to understand the mechanics of the permissions system and control it as you please, so get ready to take some notes. Additionally, for starters, it’s best to take a look at 40 terminal commands that you should be familiar with before diving in.
Components Of Permissions
The Linux permissions system is configured in such a way that you can assign file and directory permissions to three different categories – the user, the group, and everyone else. Each file or directory is owned by a user and group, and these fields cannot be empty. If only the user should own the file, then the group name is often the same as the username of the owner.
You can assign specific permissions to the owner, different permissions to the group, and even other permissions to every other user. The different permissions which you can assign to any of these three categories are:
- read – 4 – ‘r’
- write – 2 – ‘w’
- execute – 1 – ‘x’
The numbers 4, 2, and 1 as well as the letters r, w, and x are different ways in which you can assign permissions to a category. I’ll get to why these numbers and letters are important later on.
Permissions are important because, as you might assume, they allow certain people to do certain things with the file. Read permissions allow the person or group to read the contents of the file, and copy it if they wish. Write permissions allow the person or group to write new information into the file, or overwrite it completely. In some cases this can also control who is allowed to delete the file; otherwise a sticky bit must be used that won’t be covered here. Finally, execute permissions allow the person or group to run the file as an executable, whether it’s a binary file, an .sh file, or anything else.
Understanding Assigned Permissions
Let’s go in your terminal to any folder on your system – say your Home folder. Go ahead and type in the command
ls -l and hit enter. This command lists out all of the files and directories found in whatever folder you’re currently in.
Each line represents a file or directory, and it begins with something that might look like -rw-rw-r--. This shows you the permissions of the file or directory. In this case, the first dash shows us that you’re looking at a file. If it were a directory, there would be a “d” in this spot. The next three spots, rw-, show us that the user who owns the file has read and write permissions (rw), but no executable permissions as there’s a dash instead of an “x”. The same is repeated for the next three spots, which represent the permissions of the group that owns the file.
Finally, the last three spots are r--, which means that everybody else can only read the file. As a reference, the possible permissions are drwxrwxrwx. It’s also important to note the “dmaxel dmaxel” that you see after the permissions. This shows that the user owner of the file is dmaxel and the group owner is dmaxel. For files that really are only supposed to belong to one user, this is default behavior, but if you’re sharing with a group that has multiple members, then you’ll be able to see that.
Assigning New Permissions
Remember the numbers and letters I mentioned earlier? Here’s where you’ll need them. Let’s say you have a file called “important_stuff” that’s located at the path /shared/Team1/important_stuff. As the team leader, you’ll want to be able to read and write to the file, your group members should only be allowed to read the file, and everyone else shouldn’t have any permissions at all.
In order to make sure that you and your group own the file, you’ll need to run the command
chown. An appropriate command for this situation would be
chown me:Team1 /shared/Team1/important_stuff. That command runs chown, and tells it that the file at path /shared/Team1/important_stuff should belong to the user “me” and the group “Team1”.
It’s assumed that the desired group has been created and that members have the group added as a secondary group in the system (also not covered here). Now that you have set the owner and group, you can set the permissions. Here, you can use the command
chmod 640 /shared/Team1/important_stuff. This starts chmod, and assigns the permissions 640 to the file at path /shared/Team1/important_stuff.
Where did 640 come from? You look at the numbers represented by the different commands – for read and write permissions, you have 4 + 2 = 6. The 6 represents the permissions for the user. The 4 comes from just the read permissions for the group, and the 0 comes from no permissions for everyone else. Therefore, you have 640. The number system is very good because you can have a number for all possible combinations: none (0), x (1), w (2), r (4), rx (5), rw (6), and rwx (7).
As an example, full permissions for everyone would be 777. However, if you have security in mind, it’s best to assign only the permissions that you absolutely need – 777 should be used rarely, if at all.
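To check whether overly broad modes such as 777 have crept into a shared folder, you can search for entries whose "other" write bit is set. The script below is an added example, not part of the original article; it builds a constructed temporary tree and assumes GNU find and stat.

```bash
# Added example: the files below are constructed in a temporary directory.
# Assumes GNU find (-printf) and GNU stat (-c).

list_world_writable() {
    # -perm -0002 matches every entry whose "other" write bit is set.
    # Symlinks are skipped because their own mode bits are not enforced.
    find "$1" ! -type l -perm -0002 -printf '%m %P\n' | sort
}

demo_world_writable_audit() {
    local root before after
    root=$(mktemp -d) || return 1
    touch "$root/important_stuff" "$root/scratch" "$root/run.sh"
    chmod 640 "$root/important_stuff"   # the mode the article recommends
    chmod 666 "$root/scratch"           # writable by everyone
    chmod 777 "$root/run.sh"            # full permissions for everyone

    before=$(( $(list_world_writable "$root" | wc -l) ))

    # Remove only the "other" write bit; every other bit is left as it was.
    find "$root" ! -type l -perm -0002 -exec chmod o-w {} +

    after=$(( $(list_world_writable "$root" | wc -l) ))
    echo "before=$before after=$after" \
         "scratch=$(stat -c '%a' "$root/scratch")" \
         "run=$(stat -c '%a' "$root/run.sh")"
    rm -rf "$root"
}

demo_world_writable_audit
```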
While I prefer the number method of assigning permissions, you can increase your flexibility and also add or remove permissions using the representative letters. For the above situation, the command used could also be
chmod u=rw,g=r,o= /shared/Team1/important_stuff. Here, u=rw assigns read and write permissions to the user, g=r assigns read permissions to the group, and o= assigns no permissions to everyone else. There’s also ‘a’ which can assign the same permissions for all categories.
You can also combine different clauses for varying permissions, and use + or - signs instead of =, which simply add or remove permissions if they haven’t already been added/removed instead of completely overwriting the permissions that you’re changing.
So, different examples can include:
chmod a+x /shared/Team1/important_stuff assigns execute permissions to everyone if they don’t have it already
chmod ug=rw,o-w /shared/Team1/important_stuff forces the user and group to just have read and write permissions, and takes away writing permissions for everyone else in case they had it.
Applying Permissions To Multiple Files
Additionally, you can add the -R flag to the command in order to recursively apply the same permissions to multiple files and directories within a directory. If you wanted to change the permissions of the Team1 folder and all files and folders within, you can run the command
chmod 640 -R /shared/Team1.
Applying the same permissions to multiple, but individually picked files can be done with a command such as
chmod 640 /shared/Team1/important_stuff /shared/Team1/presentation.odp.
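One caveat for the recursive change above: a directory needs the execute (search) bit before anyone can enter it, and 640 removes that bit from every directory it touches. The following added example (not from the original article, run on a constructed temporary tree, assuming GNU coreutils) uses chmod's capital X, which grants execute only to directories and to files that already have an execute bit.

```bash
# Added example: constructed tree in a temporary directory.
# Assumes GNU coreutils (mktemp -d, stat -c).

mode_of() { stat -c '%a' "$1"; }

demo_recursive_modes() {
    local root before
    root=$(mktemp -d) || return 1
    mkdir -p "$root/Team1/archive"
    printf 'notes\n' > "$root/Team1/important_stuff"
    printf '#!/bin/sh\necho built\n' > "$root/Team1/build.sh"
    chmod 755 "$root/Team1/build.sh"

    # What a bare 640 does to a directory: no execute (search) bit is left,
    # so its contents can no longer be reached by non-root users.
    chmod 640 "$root/Team1/archive"
    before=$(mode_of "$root/Team1/archive")

    # Same intent as 640 (owner rw, group r, others nothing), but X keeps
    # directories enterable and keeps scripts executable for owner and group.
    chmod -R u=rwX,g=rX,o= "$root/Team1"

    echo "archive_before=$before" \
         "top=$(mode_of "$root/Team1")" \
         "archive=$(mode_of "$root/Team1/archive")" \
         "file=$(mode_of "$root/Team1/important_stuff")" \
         "script=$(mode_of "$root/Team1/build.sh")"
    rm -rf "$root"
}

demo_recursive_modes
```

Directories end up as 750 and ordinary files as 640, while the script that was already executable becomes 750.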
Hopefully, these tips have helped you improve your knowledge of the permissions system found in Linux. Security is an important matter to consider, especially on mission-critical machines, and using chmod is one of the best ways to keep security tight. While this is a fairly in-depth look at using chmod, there’s still a bit more that you can do with it, and there are plenty of other utilities that complement chmod. If you need a place to start, I would suggest doing more research on all of the things you can do with chown.