khafizhul

Managing Files

Linux File-system Permissions

Files have three user categories to which permissions apply. The file is owned by a user, normally the one who created the file. The file is also owned by a single group, usually the primary group of the user who created the file, but this can be changed. Different permissions can be set for the owning user, the owning group, and for all other users on the system that are not the user or a member of the owning group.
r = read
w = write
x = execute
The read permission on a directory in Linux is roughly equivalent to List folder contents in Windows.
The write permission on a directory in Linux is equivalent to Modify in Windows; it implies the ability to delete files and subdirectories. In Linux, if write and the sticky bit are both set on a directory, then only the file or subdirectory owner may delete it, which is similar to the Windows Write permission behavior.
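The sticky-bit rule above can be turned into an audit check. This is an added example, not part of the original post; the function names and the sample directory tree are constructed for illustration. It lists directories that anyone can write to but that lack the sticky bit, so any user could delete another user's files there.

```shell
#!/bin/sh
# Added example: list world-writable directories that lack the sticky bit.

# Print every directory under $1 where "other" has write permission (mode bit
# 0002) but the sticky bit (mode bit 1000) is not set, sorted by path.
find_unprotected_shared_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print | sort
}

# Build a constructed sample tree and return the audit result for it.
demo_sticky_audit() {
    root=$(mktemp -d) || return 1
    mkdir "$root/dropbox" "$root/shared_tmp" "$root/private"
    chmod 0777 "$root/dropbox"     # world-writable, no sticky bit: flagged
    chmod 1777 "$root/shared_tmp"  # world-writable with sticky bit, like /tmp
    chmod 0750 "$root/private"     # not world-writable
    # Report paths relative to the sample root, then clean up.
    find_unprotected_shared_dirs "$root" | sed "s|^$root/||"
    rm -rf "$root"
}

demo_sticky_audit
```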

Changing Permissions with the Symbolic Method

Who is u, g, o, a (for user, group, other, all)
What is +, -, = (for add, remove, set exactly)
Which is r, w, x (for read, write, execute)

Examples

  • Remove read and write permission for group and other on file1:
[hafidzul@12-xitjkt2 ~]$ chmod go-rw file1
  • Add execute permission for everyone on file2:
[hafidzul@12-xitjkt2 ~]$ chmod a+x file2

Changing Permissions with the Numeric Method

In the example below the # character represents a digit.

chmod ### file|directory
  • Each digit represents permissions for an access level: user, group, other.

  • The digit is calculated by adding together numbers for each permission you want to add, 4 for read, 2 for write, and 1 for execute.
    Using the numeric method, permissions are represented by a 3-digit (or 4-digit, when setting advanced permissions) octal number. A single octal digit can represent any single value from 0-7.

In the 3-digit octal (numeric) representation of permissions, each digit stands for one access level, from left to right: user, group, and other. To determine each digit:

  1. Start with 0.
  2. If the read permission should be present for this access level, add 4.
  3. If the write permission should be present, add 2.
  4. If the execute permission should be present, add 1.
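
The four steps above, written out as a shell function. This is an added example, not part of the original post; the function names are hypothetical. It converts a nine-character permission string to its octal mode, rejects malformed input, and cross-checks the result by applying it to a scratch file and reading the mode back with ls.

```shell
#!/bin/sh
# Added example: derive the octal mode from a symbolic string such as rwxr-x---.

# Convert one three-character triad (e.g. "r-x") to its digit:
# start at 0, add 4 for r, 2 for w, 1 for x.
triad_to_digit() {
    digit=0
    case $1 in r??) digit=$((digit + 4)) ;; esac
    case $1 in ?w?) digit=$((digit + 2)) ;; esac
    case $1 in ??x) digit=$((digit + 1)) ;; esac
    printf '%s' "$digit"
}

# Convert a nine-character permission string (user, group, other) to octal.
# Rejects anything that is not three well-formed rwx triads.
symbolic_to_octal() {
    case $1 in
        [r-][w-][x-][r-][w-][x-][r-][w-][x-]) ;;
        *) echo "invalid permission string: $1" >&2; return 1 ;;
    esac
    rest=$1
    octal=
    while [ -n "$rest" ]; do
        triad=$(printf '%s' "$rest" | cut -c1-3)
        rest=$(printf '%s' "$rest" | cut -c4-)
        octal=$octal$(triad_to_digit "$triad")
    done
    printf '%s\n' "$octal"
}

# Cross-check against the system: apply the computed mode to a scratch file
# and read back the permission string that ls reports for it.
roundtrip() {
    f=$(mktemp) || return 1
    chmod "$(symbolic_to_octal "$1")" "$f"
    ls -ld "$f" | cut -c2-10
    rm -f "$f"
}

symbolic_to_octal rw-r--r--   # read/write for user, read for group and other
symbolic_to_octal rwxr-x---   # full access for user, r-x for group, none for other
```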

Example

  • Set read and write permissions for user, read permission for group and other, on myfile:
[hafidzul@12-xitjkt2 ~]$ chmod 644 myfile
  • Set read, write, and execute permissions for user, read and execute permissions for group, and no permission for other on mydir:
[hafidzul@12-xitjkt2 ~]$ chmod 750 mydir

Changing File and Directory User or Group Ownership

File ownership can be changed with the chown (change owner) command. For example, to grant ownership of the my_file file to the student user, use the following command:

[root@12-xitjkt2 ~]# chown student my_file

chown can be used with the -R option to recursively change the ownership of an entire directory tree. The following command grants ownership of my_dir and all files and subdirectories within it to student:

[root@12-xitjkt2 ~]# chown -R student my_dir

The chown command can also be used to change group ownership of a file by preceding the group name with a colon (:). For example, the following command changes the group ownership of the my_dir directory to admins:

[root@12-xitjkt2 ~]# chown :admins my_dir

Default File Permissions

If you create a new directory, the operating system starts by assigning it octal permissions 0777 (drwxrwxrwx). If you create a new regular file, the operating system assigns it octal permissions 0666 (-rw-rw-rw-). You always have to explicitly add execute permission to a regular file. This makes it harder for an attacker to compromise a network service so that it creates a new file and immediately executes it as a program.

However, the shell session will also set a umask to further restrict the permissions that are initially set. This is an octal bitmask used to clear the permissions of new files and directories created by a process. If a bit is set in the umask, then the corresponding permission is cleared on new files. For example, the umask 0002 clears the write bit for other users. The leading zeros indicate the special, user, and group permissions are not cleared. A umask of 0077 clears all the group and other permissions of newly created files.

The umask command without arguments will display the current value of the shell's umask:

[hafidzul@12-xitjkt2 ~]$ umask
0002

umask Example
The following example explains how the umask affects the permissions of files and directories. Look at the default umask permissions for both files and directories in the current shell. The owner and group both have read and write permission on files, and other is set to read. The owner and group both have read, write, and execute permissions on directories. The only permission for other is read.

[hafidzul@12-xitjkt2 ~]$ umask
0002
[hafidzul@12-xitjkt2 ~]$ touch default.txt
[hafidzul@12-xitjkt2 ~]$ ls -l default.txt
-rw-rw-r--. 1 user user 0 May  9 01:54 default.txt
[hafidzul@12-xitjkt2 ~]$ mkdir default
[hafidzul@12-xitjkt2 ~]$ ls -ld default
drwxrwxr-x. 2 user user 0 May  9 01:54 default 
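
To compare several umask values side by side, the following added example (not part of the original post; the function name is hypothetical) creates a file and a directory under each mask in a scratch directory and reports the resulting mode strings. It covers the two values discussed above, 0002 and 0077, plus 0027 as a further illustration.

```shell
#!/bin/sh
# Added example: show the modes a given umask produces for new files and dirs.

# Create one regular file and one directory under umask $1 and print their
# ls-style mode strings as "<file mode> <dir mode>".
# The umask is changed inside a subshell so the caller's umask is untouched.
modes_under_umask() (
    umask "$1" || exit 1
    scratch=$(mktemp -d) || exit 1
    touch "$scratch/newfile"      # requested as 0666, then masked
    mkdir "$scratch/newdir"       # requested as 0777, then masked
    file_mode=$(ls -ld "$scratch/newfile" | cut -c1-10)
    dir_mode=$(ls -ld "$scratch/newdir" | cut -c1-10)
    chmod u+rwx "$scratch"        # make sure cleanup works under any umask
    rm -rf "$scratch"
    printf '%s %s\n' "$file_mode" "$dir_mode"
)

# Compare the two umask values from the text plus 0027 (a stricter value
# chosen here for illustration).
for mask in 0002 0077 0027; do
    printf 'umask %s -> %s\n' "$mask" "$(modes_under_umask "$mask")"
done
```

Because the function body runs in a subshell, the calling shell's own umask is left unchanged.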

THANK YOU
