File Permissions and Ownership
In the previous lesson, you learned how to manage users and groups on your Linux system. Now we'll explore how to control access to files and directories using Linux's robust permission system. Understanding file permissions is crucial for maintaining system security and ensuring that only authorized users can access sensitive data.
Learning Goals:
- Understand Linux file permission notation
- Use
chmod,chown, andchgrpcommands - Work with symbolic and numeric permission modes
- Manage special permissions and default permissions
Understanding Linux File Permissions
When you list files with ls -l, you'll see permission strings like this:
ls -l /home/
The output shows permission strings like drwxr-xr-x or -rw-r--r--. Let's break down what this means:
- First character: File type (
-for regular file,dfor directory,lfor symbolic link) - Next 9 characters: Three sets of permissions (user, group, others)
- Each set: Read (
r), Write (w), Execute (x) permissions
-rwxr-xr-- # Regular file
drwxr-x--- # Directory
lrwxrwxrwx # Symbolic link
Permission Categories
Linux organizes permissions into three categories:
User (Owner) Permissions
These apply to the file's owner - the user who created the file.
Group Permissions
These apply to members of the file's group.
Other (World) Permissions
These apply to all other users on the system.
# Create a test file and check its permissions
echo "Test content" > myfile.txt
ls -l myfile.txt
Changing Permissions with chmod
The chmod command changes file permissions. You can use either symbolic or numeric notation.
Symbolic Notation
Symbolic notation uses letters to represent who and what to change:
- Who:
u(user),g(group),o(others),a(all) - What:
+(add),-(remove),=(set exactly) - Permissions:
r(read),w(write),x(execute)
# Add execute permission for user
chmod u+x script.sh
# Remove write permission for group and others
chmod go-w sensitive_file.txt
# Set exact permissions: user=rwx, group=rx, others=-
chmod u=rwx,g=rx,o= myprogram
# Make file readable by all
chmod a+r document.txt
Numeric (Octal) Notation
Numeric notation uses three-digit octal numbers:
- 4 = Read
- 2 = Write
- 1 = Execute
- 0 = No permission
Add the values for each permission set:
# 755: user=rwx(7), group=rx(5), others=rx(5)
chmod 755 executable_file
# 644: user=rw(6), group=r(4), others=r(4)
chmod 644 regular_file.txt
# 700: user=rwx(7), group=-(0), others=-(0)
chmod 700 private_directory/
# 600: user=rw(6), group=-(0), others=-(0)
chmod 600 secret_file.txt
Use numeric notation for precise control and symbolic notation for quick adjustments. Many administrators prefer numeric notation in scripts for consistency.
Changing Ownership with chown
The chown command changes file ownership:
# Change owner to user 'john'
chown john file.txt
# Change owner and group simultaneously
chown john:developers script.sh
# Change ownership recursively for a directory
chown -R alice:staff /home/alice/documents/
Changing Group with chgrp
The chgrp command specifically changes the group ownership:
# Change group to 'developers'
chgrp developers project_files/
# Change group recursively
chgrp -R www-data /var/www/html/
Directory Permissions
Directory permissions work differently from file permissions:
- Read: List directory contents
- Write: Create, rename, delete files in directory
- Execute: Access (cd into) the directory
# Create a shared directory with proper permissions
mkdir shared_folder
chmod 775 shared_folder # rwxrwxr-x
# Create a private directory
mkdir private_folder
chmod 700 private_folder # rwx------
Be careful with directory write permissions! Giving write access to a directory allows users to delete files they don't own, even if they can't modify the file contents directly.
Special Permissions
Linux includes three special permissions:
Set User ID (SUID)
When set on an executable, it runs with the owner's privileges.
Set Group ID (SGID)
When set on an executable, it runs with the group's privileges. When set on a directory, new files inherit the directory's group.
Sticky Bit
When set on a directory, only file owners can delete or rename their files (common in /tmp).
# Set SUID (add 4000 to permissions)
chmod 4755 /usr/bin/passwd
# Set SGID on directory (add 2000)
chmod 2775 shared_directory/
# Set sticky bit (add 1000)
chmod 1777 /tmp/
Default Permissions with umask
The umask command sets default permissions for new files and directories:
# Check current umask
umask
# Set new umask (common values: 022, 002, 077)
umask 002
# Calculate actual permissions: 666 - umask for files, 777 - umask for directories
Practical Examples
Let's work through some common scenarios:
# Create web directory structure
sudo mkdir -p /var/www/example.com
sudo chown www-data:www-data /var/www/example.com
sudo chmod 755 /var/www/example.com
# Create a script with proper permissions
cat > backup.sh << 'EOF'
#!/bin/bash
echo "Backup simulation"
EOF
chmod 744 backup.sh # User: rwx, Group: r, Others: r
# Create shared workspace
mkdir /opt/team_workspace
chgrp developers /opt/team_workspace
chmod 2775 /opt/team_workspace # SGID set for group inheritance
# Test file creation - notice group inheritance
touch /opt/team_workspace/test_file.txt
ls -l /opt/team_workspace/test_file.txt
Common Pitfalls
- Overly permissive files: Avoid using
chmod 777- it's a security risk - Wrong directory permissions: Remember that execute permission is needed to access directories
- SUID misuse: Be cautious with SUID as it can create security vulnerabilities
- umask confusion: Files can never have execute permission by default due to umask calculation
- Recursive changes: Double-check before using
-Rflag to avoid unintended permission changes - Root ownership: Don't run applications as root unless necessary
Summary
File permissions and ownership are fundamental to Linux security. You've learned to:
- Read and interpret permission strings using
ls -l - Modify permissions with
chmodusing both symbolic and numeric notation - Change file ownership with
chownand group ownership withchgrp - Understand directory permissions and special permissions (SUID, SGID, sticky bit)
- Set default permissions using
umask
Mastering these concepts ensures you can properly secure files and directories while allowing appropriate access for users and applications.
Show quiz
-
What does the permission string
drwxr-xr--mean?- A) A directory where the owner has full access, group can read and execute, others can only read
- B) A file where the owner has full access, group can read and write, others can only read
- C) A directory where everyone has full access
- D) A symbolic link with read and execute permissions for all
-
Which command would give the owner read/write/execute, group read/execute, and others no permissions?
- A)
chmod 755 file - B)
chmod 750 file - C)
chmod 700 file - D)
chmod 770 file
- A)
-
What is the purpose of the sticky bit on a directory?
- A) It makes files in the directory executable
- B) It allows only file owners to delete their own files
- C) It hides the directory from listings
- D) It compresses directory contents automatically
-
If your umask is 022, what permissions will a new directory have?
- A) 755 (rwxr-xr-x)
- B) 644 (rw-r--r--)
- C) 755 (rwxrwxrwx)
- D) 600 (rw-------)
-
Which command changes both the owner and group of a file simultaneously?
- A)
chown user:group file - B)
chmod user:group file - C)
chgrp user:group file - D)
chown user file && chgrp group file
- A)
Answers:
- A - The 'd' indicates a directory, 'rwx' for owner, 'r-x' for group, 'r--' for others
- B - 750 = user=rwx(7), group=rx(5), others=-(0)
- B - Sticky bit prevents users from deleting others' files in shared directories
- A - Directory default 777 - 022 = 755 (rwxr-xr-x)
- A -
chown user:group filechanges both owner and group in one command