Controlling Access to Files
1. Chmod
chmod - This command is used to change the permissions of a file/folder.
The command ls -l can be used to see the permissions on a file and its owner. For example, ls -l file1.txt will display:
-rwxr--rw- 1 user user 0 Sep 24 12:59 file1.txt
On each line, the first character identifies the type of entry that is being listed. If it is a dash (-) it is a file. If it is the letter d it is a directory.
-rwxr--rw- 1 user user 0 Sep 24 12:59 file1.txt
|[-][-][-]-   [--] [--]
| |  |  | |    |    |
| |  |  | |    |    +----------> 7. Group
| |  |  | |    +---------------> 6. Owner
| |  |  | +--------------------> 5. Alternate Access Method
| |  |  +----------------------> 4. Others Permissions
| |  +-------------------------> 3. Group Permissions
| +----------------------------> 2. Owner Permissions
+------------------------------> 1. File Type
The next nine characters represent the settings for the three sets of permissions.
The first three characters show the permissions for the user who owns the file (user permissions).
The middle three characters show the permissions for members of the file’s group (group permissions).
The last three characters show the permissions for anyone not in the first two categories (other permissions).
There are three characters in each set of permissions. The characters are indicators for the presence or absence of one of the permissions. They are either a dash (-) or a letter. If the character is a dash, it means that permission is not granted. If the character is an r, w, or an x, that permission has been granted.
The letters represent:
r: Read permissions. The file can be opened, and its content viewed.
w: Write permissions. The file can be edited, modified, and deleted.
x: Execute permissions. If the file is a script or a program, it can be run (executed).
For example:
- --- means no permissions have been granted at all.
- rwx means full permissions have been granted. The read, write, and execute indicators are all present.
-rwxr--rw- – The permission string, explained above.
1 – Number of hard links. A hard link is an additional name for the same file.
user user – The owner and the group owner of the file.
0 – The file size in bytes.
Sep 24 12:59 – The time the file was last modified.
file1.txt – The name of the file/folder.
Changing Permissions with the Symbolic Method
To use chmod to set permissions, we need to tell it:
Who: Who we are setting permissions for.
What: What change are we making? Are we adding or removing the permission?
Which: Which of the permissions are we setting?
We use indicators to represent these values, and form short permission statements such as u+x, where u means user (who), + means add (what), and x means the execute permission (which).
Who is u, g, o, a (for user, group, other, all)
What is +, -, = (for add, remove, set exactly)
Which is r, w, x (for read, write, execute)
Examples
Remove read and write permission for group and other on file1.txt:
chmod go-rw file1.txt
Add execute permission for everyone on file2.txt:
chmod a+x file2.txt
Changing Permissions with the Numeric Method
You may have seen chmod being used with numbers, rather than letters. The numbers ultimately follow the same convention as above, but are much simpler to write out. Each user permission in rwx is given a certain value:
- r is given a value of 4
- w is given a value of 2
- x is given a value of 1
That means a total value of 7 means 4 + 2 + 1, or rwx. A value of 5 would mean 4 + 1, or r-x. We can assign the owner, group, and other users a number each. So given a permission set like this:
rwx r-x --x
 ^   ^   ^
 |   |   |
 |   |   └-- the permissions of "others", i.e. anyone who is not the owner or in the group
 |   └------ the group's permissions
 └---------- the owner's permissions
The owner has a permission value of 7, the group has 5, and any other users have a permission of 1. So we can write this as 751.
To apply these permissions to our file, file.txt, we can write the following:
chmod 751 file.txt
To add a sticky bit to a numeric permission, we just add a 1 to the start, so permissions 755 with a sticky bit become 1755.
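The symbolic and numeric notations above describe the same nine bits, and a practitioner often has to translate one into the other (reading ls -l output, writing a chmod mode). The following POSIX sh functions, an added example that is not part of the original post, do that translation in both directions, including the leading sticky digit the text mentions (the s/t handling and the sticky display rule follow what ls -l shows):

```shell
# Added example, not from the original post: convert between the nine
# permission characters shown by `ls -l` and the octal mode given to chmod.
# triple_to_digit rwx -> 7, r-x -> 5, --x -> 1 (s/t in the x slot imply x)
triple_to_digit() {
    d=0
    case "$1" in
        [r-][w-][xst-]) ;;
        *) echo "bad permission triple: $1" >&2; return 1 ;;
    esac
    case "$1" in r??) d=$((d + 4)) ;; esac
    case "$1" in ?w?) d=$((d + 2)) ;; esac
    case "$1" in ??[xst]) d=$((d + 1)) ;; esac
    echo "$d"
}

# sym_to_octal rwxr-x--x -> 751
sym_to_octal() {
    [ ${#1} -eq 9 ] || { echo "expected 9 characters: $1" >&2; return 1; }
    u=$(triple_to_digit "$(printf %s "$1" | cut -c1-3)") || return 1
    g=$(triple_to_digit "$(printf %s "$1" | cut -c4-6)") || return 1
    o=$(triple_to_digit "$(printf %s "$1" | cut -c7-9)") || return 1
    printf '%s%s%s\n' "$u" "$g" "$o"
}

# digit_to_triple 5 -> r-x
digit_to_triple() {
    r=-; w=-; x=-
    [ $(($1 & 4)) -ne 0 ] && r=r
    [ $(($1 & 2)) -ne 0 ] && w=w
    [ $(($1 & 1)) -ne 0 ] && x=x
    printf '%s%s%s' "$r" "$w" "$x"
}

# octal_to_sym 751 -> rwxr-x--x. A leading 1 is the sticky bit (1755), which
# ls -l shows as t (or T when others lack x) in the last slot.
octal_to_sym() {
    m=$1; sticky=0
    case "$m" in
        [01][0-7][0-7][0-7]) sticky=${m%???}; m=${m#?} ;;
        [0-7][0-7][0-7]) ;;
        *) echo "expected 3 or 4 octal digits: $1" >&2; return 1 ;;
    esac
    out=$(digit_to_triple "${m%??}")$(digit_to_triple "$(printf %s "$m" | cut -c2)")$(digit_to_triple "${m#??}")
    if [ "$sticky" -eq 1 ]; then
        case "$out" in *x) out=${out%x}t ;; *) out=${out%-}T ;; esac
    fi
    printf '%s\n' "$out"
}
```

Running `octal_to_sym 751` prints rwxr-x--x, and feeding that back through `sym_to_octal` returns 751, which is a quick way to check a mode before applying it with chmod.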
2. Chown
chown – This command is used to change the owner and group owner of files/folders. The basic command is:
chown [owner][:group owner] [file name]
Basically, if we have a file.txt file and we want to make the owner of this file xitjkt2 and the group owner clients, then the command we will use is:
chown xitjkt2:clients file.txt
So, as you can see, we separated the owner and group owner with the : (colon) symbol. If we only want to change the file owner, we can use:
chown xitjkt2 file.txt
We omit the group owner and just type in the new file owner; under such conditions, the group owner will remain unchanged. Another similar example: if we only want to change the group owner of a file, the command would be as follows:
chown :clients file.txt
In this condition, only the group owner will change to clients (the owner remains unchanged).
3. Umask
The user file-creation mode mask, umask, is used to determine the file permissions for newly created files. It controls the default permissions that new files receive. It is a four-digit octal number. A umask can be set or expressed using:
Symbolic values
Octal values
Use the umask command to set default file permissions on Linux and Unix-like machines.
The umask command without any arguments will display the current value of the shell's umask. Example:
[user@host ~]$ umask
0002
A umask of 022 allows only you to write data, but anyone can read data. A umask of 077 is good for a completely private system. No other user can read or write your data if umask is set to 077. A umask of 002 is good when you share data with other users in the same group. Members of your group can create and modify data files; those outside your group can read data files, but cannot modify them. Set your umask to 007 to completely exclude users who are not group members.
umask Example
The following example explains how the umask affects the permissions of files and directories. Look at the default umask permissions for both files and directories in the current shell. The owner and group both have read and write permission on files, and other is set to read. The owner and group both have read, write, and execute permissions on directories; other has read and execute.
[user@host ~]$ umask
0002
[user@host ~]$ touch default.txt
[user@host ~]$ ls -l default.txt
-rw-rw-r--. 1 user user 0 May 9 01:54 default.txt
[user@host ~]$ mkdir default
[user@host ~]$ ls -ld default
drwxrwxr-x. 2 user user 0 May 9 01:54 default
By setting the umask value to 0, the file permissions for other change from read to read and write. The directory permissions for other change from read and execute to read, write, and execute.
[user@host ~]$ umask 0
[user@host ~]$ touch zero.txt
[user@host ~]$ ls -l zero.txt
-rw-rw-rw-. 1 user user 0 May 9 01:54 zero.txt
[user@host ~]$ mkdir zero
[user@host ~]$ ls -ld zero
drwxrwxrwx. 2 user user 0 May 9 01:54 zero
To mask all file and directory permissions for other, set the umask value to 007.
[user@host ~]$ umask 007
[user@host ~]$ touch seven.txt
[user@host ~]$ ls -l seven.txt
-rw-rw----. 1 user user 0 May 9 01:55 seven.txt
[user@host ~]$ mkdir seven
[user@host ~]$ ls -ld seven
drwxrwx---. 2 user user 0 May 9 01:54 seven
A umask of 027 ensures that new files have read and write permissions for user and read permission for group. New directories have read and execute access for group and no permissions for other.
[user@host ~]$ umask 027
[user@host ~]$ touch two-seven.txt
[user@host ~]$ ls -l two-seven.txt
-rw-r-----. 1 user user 0 May 9 01:55 two-seven.txt
[user@host ~]$ mkdir two-seven
[user@host ~]$ ls -ld two-seven
drwxr-x---. 2 user user 0 May 9 01:54 two-seven
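The sessions above all follow one rule: a new file starts from mode 666 and a new directory from 777, and the umask clears the bits it has set. The following POSIX sh functions, an added example that is not part of the original post, compute that result for any umask and then confirm the prediction against what the shell actually creates in a scratch directory (the list of masks in the loop is constructed input taken from the text):

```shell
# Added example, not from the original post: predict what a given umask does to
# new files (base mode 666) and directories (base mode 777), then confirm the
# prediction against what the shell really creates in a scratch directory.

# new_mode BASE UMASK -> resulting octal mode, e.g. new_mode 666 027 -> 640.
# The shell reads a leading 0 as octal, so 0027 and 027 both work.
new_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

file_mode_for_umask() { new_mode 666 "$1"; }   # 027 -> 640
dir_mode_for_umask()  { new_mode 777 "$1"; }   # 027 -> 750

# perm_string PATH -> the nine permission characters from `ls -ld`
perm_string() {
    ls -ld "$1" | cut -c2-10
}

# observed_modes UMASK -> "FILEPERMS DIRPERMS" as actually created on disk.
# The umask is changed inside a subshell so the caller's shell is untouched.
observed_modes() {
    tmp=$(mktemp -d) || return 1
    (
        umask "$1"
        touch "$tmp/f" && mkdir "$tmp/d" &&
        printf '%s %s\n' "$(perm_string "$tmp/f")" "$(perm_string "$tmp/d")"
    )
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# The masks discussed in the text (constructed input for the demo)
for u in 0002 0000 0007 0027 0077; do
    printf 'umask %s: new files %s, new directories %s\n' \
        "$u" "$(file_mode_for_umask "$u")" "$(dir_mode_for_umask "$u")"
done
echo "umask 027 observed on disk: $(observed_modes 027)"
```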
The default umask for users is set by the shell startup scripts. By default, if your account's UID is 200 or more and your username and primary group name are the same, you will be assigned a umask of 002. Otherwise, your umask will be 022.
As root, you can change this by adding a shell startup script named /etc/profile.d/local-umask.sh that looks something like the output in this example:
[root@host ~]# cat /etc/profile.d/local-umask.sh
# Overrides default umask configuration
if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
umask 007
else
umask 022
fi
The preceding example will set the umask to 007 for users with a UID greater than 199 and with a username and primary group name that match, and to 022 for everyone else. If you just wanted to set the umask for everyone to 022, you could create that file with just the following content:
# Overrides default umask configuration
umask 022
To ensure that global umask changes take effect you must log out of the shell and log back in. Until that time the umask configured in the current shell is still in effect.
The chmod command in Linux works in a similar way to the umask command. It too is used to define permissions for files and folders.
The difference between umask and chmod is that umask changes the default permissions, and thus the permissions for all newly created files and folders, while chmod sets permissions for files and folders that already exist.