File Permissions
Each file in Linux has an associated permission level. This allows the user to prevent others from reading/writing/executing their files or directories.
To find the permission level for your file, type:
ls -l <filename>
For example, to find the permissions of the test.txt file, type:
ls -l test.txt
Output:
-rw-r--r-- 1 <username> <username> 46 Jun 14 2020 test.txt
The mode string -rw-r--r-- can be analyzed as follows:
- The first character (-) is the file type: - for a regular file, d for a directory, l for a symbolic link.
- The next three characters, rw-, are the owner permissions.
- The next three characters, r--, are the group permissions.
- The last three characters, r--, are the permissions for all other users.
Within each set of three the order is always read, write, execute; a dash (-) in a position means that permission is not granted.
Permission Groups
Each file and directory has three user-based permission groups:
- Owner: the Owner permissions apply only to the owner of the file or directory; they do not affect other users.
- Group: the Group permissions apply only to members of the group assigned to the file or directory; they do not affect other users.
- Others: the Others permissions apply to every other account on the system, including service accounts. This is the group to audit most carefully, because anything granted here is granted to everyone.
The letters used to name the permission groups in chmod are:
- u: Owner
- g: Group
- o: Others
- a: All (u, g and o together)
Permission Types
Each file or directory has three basic permission types:
- Read (r): on a file, allows reading its contents; on a directory, allows listing the names of its entries.
- Write (w): on a file, allows modifying its contents; on a directory, allows creating, deleting and renaming entries in it. Deleting a file therefore requires write permission on its directory, not on the file itself.
- Execute (x): on a file, allows running it as a program; on a directory, allows entering it (cd) and accessing its entries by name. Without x on a directory, r lets you list names but not open the files; without r, x lets you open a file whose name you already know but not list the directory.
To change the permissions of a file, use the following command:
chmod <permission groups><assignment><permission types> <file/directory name>
The chmod command sets the permissions of files and directories. Only the file's owner (or root) can change them.
The assignment can be:
- Plus (+): adds the designated permission(s) to the existing mode.
- Minus (-): removes the designated permission(s) from the existing mode.
- Equal (=): sets the designated permission(s) exactly, clearing any others for that group.
For a directory, granting read (r) lets users list its contents; they also need execute (x) to enter it or open the files inside.
Changing Permissions using Numeric Code
Permissions can also be set using the numeric (octal) format. This is faster, as it requires less typing, although it is less readable than the symbolic form. Note also that the numeric form is absolute: it replaces all nine permission bits at once, whereas the symbolic + and - edit only the bits they name.
Instead of letters, each set of three permissions is represented by one digit, the sum of the values shown in the following table:
Number | Permission Representation | Letter Representation
0 | No permission | ---
1 | Execute | --x
2 | Write | -w-
3 | Execute and write: 1 (x) + 2 (w) = 3 | -wx
4 | Read | r--
5 | Read and execute: 4 (r) + 1 (x) = 5 | r-x
6 | Read and write: 4 (r) + 2 (w) = 6 | rw-
7 | All permissions: 4 (r) + 2 (w) + 1 (x) = 7 | rwx
Syntax:
chmod <numeric Representation> file/directory
For example, to give read, write and execute permission to the owner and group only, with no access for others, on the test.txt file, type:
chmod 770 test.txt
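The following script is an added example, not part of the original page: it converts between the mode string printed by ls -l and the numeric form from the table above, in both directions. It goes a little beyond the table by also handling the setuid, setgid and sticky bits (s/S and t/T in the mode string; 4000, 2000 and 1000 numerically), so that it accepts any mode string ls -l can print.

```bash
#!/usr/bin/env bash
# Added example: convert between the ls -l mode string and the numeric (octal) mode.
# Handles the nine basic bits from the table above plus setuid (4000), setgid (2000)
# and sticky (1000), which appear as s/S and t/T in the mode string.

# Replace the character at index $2 of $1 with $3 if it is 'x', otherwise with $4
# (s/t mean "special bit plus execute", S/T mean "special bit without execute").
set_special() {
  local s=$1 i=$2 c=${1:$2:1}
  if [[ $c == x ]]; then c=$3; else c=$4; fi
  printf '%s%s%s' "${s:0:i}" "$c" "${s:i+1}"
}

# octal_to_mode 755 -> rwxr-xr-x ; octal_to_mode 4755 -> rwsr-xr-x
octal_to_mode() {
  local n=$(( 0$1 )) out="" i bits                    # leading 0 reads the digits as octal
  local -a tri=( --- --x -w- -wx r-- r-x rw- rwx )   # index = r*4 + w*2 + x
  for i in 2 1 0; do                                  # owner, group, others
    bits=$(( (n >> (i * 3)) & 7 ))
    out+=${tri[bits]}
  done
  if (( n & 04000 )); then out=$(set_special "$out" 2 s S); fi
  if (( n & 02000 )); then out=$(set_special "$out" 5 s S); fi
  if (( n & 01000 )); then out=$(set_special "$out" 8 t T); fi
  printf '%s\n' "$out"
}

# mode_to_octal -rw-r--r-- -> 644 ; accepts the 10-character ls -l field or just the 9 bits
mode_to_octal() {
  local s=$1 n=0 i c
  if (( ${#s} == 10 )); then s=${s:1}; fi             # drop the file-type character
  if (( ${#s} != 9 )); then echo "bad mode string: $1" >&2; return 1; fi
  for i in 0 1 2 3 4 5 6 7 8; do
    c=${s:i:1}
    case $c in
      r|w|x|s|t) n=$(( n | (1 << (8 - i)) )) ;;     # each position is one bit; owner r is 0400
      S|T|-) ;;                                    # special bit without execute, or nothing
      *) echo "bad character '$c' in $1" >&2; return 1 ;;
    esac
    if [[ $c == s || $c == S ]]; then
      if (( i == 2 )); then n=$(( n | 04000 )); elif (( i == 5 )); then n=$(( n | 02000 )); fi
    elif [[ $c == t || $c == T ]] && (( i == 8 )); then
      n=$(( n | 01000 ))
    fi
  done
  printf '%o\n' "$n"
}

# Demonstration on the modes used in this page.
for m in 644 755 770 700 777 4755 1777; do
  printf '%4s -> %s\n' "$m" "$(octal_to_mode "$m")"
done
for s in -rw-r--r-- -rwxr--r-- drwxr-xr-x -rwsr-xr-x; do
  printf '%s -> %s\n' "$s" "$(mode_to_octal "$s")"
done
```

mode_to_octal rejects strings of the wrong length or with unexpected characters, so it can be used to sanity-check mode strings pulled out of ls -l output in a script.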
Examples
Example 1
For example, to make test.txt executable for the owner (without touching the group and others bits), type:
chmod u+x test.txt
If you check the permissions of the file again, you will see that it is now executable by the owner only:
-rwxr--r-- 1 <username> <username> 46 Jun 14 2020 test.txt
Example 2
To remove read, write and execute permissions from the group and others on the test.txt file, type:
chmod go-rwx test.txt
Using numbers, the same result is:
chmod 700 test.txt
The two forms give the same result here only because the owner already has rwx after Example 1; go-rwx leaves the owner bits untouched, while 700 sets them to rwx unconditionally.
To make the file readable, writable and executable by all users, type:
chmod a=rwx test.txt
This can be expressed using numbers as follows:
chmod 777 test.txt
Be careful with 777: a world-writable file can be modified by any account on the system, so if it is a script or a configuration file, any local user can change what it does. Grant the narrowest mode that works.
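As an added example (not from the original page), the following script applies a symbolic and a numeric chmod to two fresh copies of a file and prints the resulting modes side by side, so the difference between editing bits and replacing them is visible. It uses mktemp and GNU stat (with the BSD stat format as a fallback) and needs no particular file to exist.

```bash
#!/usr/bin/env bash
# Added example: symbolic chmod (+/-) edits only the bits it names; numeric chmod
# replaces all nine bits. The two agree only when the untouched bits already match.

# Print the numeric mode of a path (GNU stat; falls back to BSD stat).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# chmod_compare <start-mode> <symbolic-change> <numeric-mode>
# Creates two empty files with <start-mode>, applies the symbolic form to one and the
# numeric form to the other, and prints "symbolic=NNN numeric=NNN".
chmod_compare() {
  local start=$1 sym=$2 num=$3 dir out
  dir=$(mktemp -d)
  : > "$dir/sym.txt"
  : > "$dir/num.txt"
  chmod "$start" "$dir/sym.txt" "$dir/num.txt"   # common starting point
  chmod "$sym" "$dir/sym.txt"
  chmod "$num" "$dir/num.txt"
  out="symbolic=$(file_mode "$dir/sym.txt") numeric=$(file_mode "$dir/num.txt")"
  rm -rf "$dir"
  printf '%s\n' "$out"
}

# Example 2 on a file that already has rwx for the owner (as after Example 1): same result.
printf 'start 744, go-rwx vs 700: %s\n' "$(chmod_compare 744 go-rwx 700)"
# The same pair on a plain 644 file: go-rwx leaves the owner at rw-, 700 forces rwx.
printf 'start 644, go-rwx vs 700: %s\n' "$(chmod_compare 644 go-rwx 700)"
# Example 1: u+x on 644 and the absolute 744 coincide.
printf 'start 644, u+x vs 744:    %s\n' "$(chmod_compare 644 u+x 744)"
# a=rwx and 777 are always identical, since = replaces rather than edits.
printf 'start 600, a=rwx vs 777:  %s\n' "$(chmod_compare 600 a=rwx 777)"
```

The practical rule this shows: use the numeric form when you want a known final state regardless of what was there before, and the symbolic form when you want to change one thing and leave the rest alone.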
Linux Access Control Lists (ACLs)
Access Control Lists (ACLs) extend the owner/group/others model: they let the owner of a file or directory grant read, write and execute permissions to specific additional users and groups. They need filesystem support (enabled by default on most current Linux filesystems) and the getfacl and setfacl tools from the acl package.
There are two main things that you can do with ACLs:
- Viewing ACLs
- Setting ACLs
Viewing ACLs
To view the ACL of a specific file or directory, use the getfacl command.
Syntax:
getfacl FileName/DirName
For example, to show the ACL of the test.txt file, type:
getfacl test.txt
Output:
# file: test.txt
# owner: <username>
# group: <username>
user::rw-
group::r--
other::r--
Setting ACLs
To add, modify or remove access control list entries on a file or directory, use the setfacl command.
Syntax:
setfacl -m {u|g}:<username/groupname>:<perms> <file/directory>
setfacl -x {u|g}:<username/groupname> <file/directory>
Where:
- -m modifies (adds or updates) one or more ACL entries; -x removes one or more ACL entries. Because -x removes the whole entry, no permission part is given with it.
- u selects a user entry and g a group entry.
- <perms> is one or more of r, w and x (for example r, rw or rwx).
Examples
To give the user user1 read, write and execute access to the test.txt file, type:
setfacl -m u:user1:rwx test.txt
Use the getfacl command to check the current ACL on test.txt (ls -l will also now show a + after the mode string, indicating that an ACL is present):
getfacl test.txt
getfacl test.txt
Output:
# file: test.txt
# owner: <username>
# group: <username>
user::rw-
user:user1:rwx
group::r--
mask::rwx
other::r--
The output shows that user1 can now read, write and execute the file. The new mask::rwx line is the ACL mask: the effective permissions of named users, named groups and the owning group are limited to what the mask allows. If the mask is later tightened (for example by chmod g-w, which on a file with an ACL changes the mask rather than the group entry), user1's effective rights shrink with it even though the user1 entry itself is unchanged.
To allow group1 to read test.txt, type:
setfacl -m g:group1:r test.txt
Output:
# file: test.txt
# owner: <username>
# group: <username>
user::rw-
user:user1:rwx
group::r--
group:group1:r--
mask::rwx
other::r--
To remove the ACL entry for user1 on test.txt, type:
setfacl -x u:user1 test.txt
Viewing the current ACL of test.txt shows that user1 has been removed and that the mask was recalculated from the remaining entries:
# file: test.txt
# owner: <username>
# group: <username>
user::rw-
group::r--
group:group1:r--
mask::r--
other::r--
-x always removes the whole entry; it cannot take a single right away from it. To reduce an entry's rights, re-apply it with -m and the smaller permission set (for example r instead of rwx), which overwrites the existing entry.
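getfacl output is easy to misread because the mask line silently caps the named entries. The script below is an added example, not part of the original page: it parses a getfacl dump (a constructed sample modelled on the outputs above, with an extra user and a mask tightened to r-x) and prints the effective permission of each entry, which is what getfacl itself reports in its "#effective:" annotations when a mask restricts an entry. The live part at the end runs only if setfacl is installed and the filesystem accepts ACLs; it uses the current user's name as the named entry.

```bash
#!/usr/bin/env bash
# Added example: compute effective ACL permissions from getfacl output.
# Rule: named users, named groups and the owning group (group::) are limited by mask::;
# the owner (user::) and other:: are not.

# acl_effective "<getfacl text>" <tag> <qualifier>
# Print the effective permission of one entry, e.g. acl_effective "$ACL" user user1.
# <qualifier> is "" for the owner, owning group and other entries.
acl_effective() {
  local text=$1 want_tag=$2 want_qual=$3 mask="" line tag qual perm
  # First pass: find the mask entry.
  while IFS= read -r line; do
    [[ -z $line || $line == \#* ]] && continue          # skip blanks and "# file:" headers
    IFS=: read -r tag qual perm _ <<<"$line"
    perm=${perm:0:3}                                    # drop a trailing "#effective:" note
    [[ $tag == mask ]] && mask=$perm
  done <<<"$text"
  # Second pass: locate the requested entry and apply the mask where it applies.
  while IFS= read -r line; do
    [[ -z $line || $line == \#* ]] && continue
    IFS=: read -r tag qual perm _ <<<"$line"
    perm=${perm:0:3}
    [[ $tag == "$want_tag" && $qual == "$want_qual" ]] || continue
    if [[ -z $mask || $tag == other || ( $tag == user && -z $qual ) ]]; then
      printf '%s\n' "$perm"                             # never masked
      return 0
    fi
    local eff="" i
    for i in 0 1 2; do                                  # AND the two strings position by position
      if [[ ${perm:i:1} != - && ${mask:i:1} != - ]]; then eff+=${perm:i:1}; else eff+=-; fi
    done
    printf '%s\n' "$eff"
    return 0
  done <<<"$text"
  return 1                                              # no such entry
}

# acl_report "<getfacl text>": one line per entry with its stated and effective permissions.
acl_report() {
  local line tag qual perm
  while IFS= read -r line; do
    [[ -z $line || $line == \#* ]] && continue
    IFS=: read -r tag qual perm _ <<<"$line"
    printf '%-16s stated=%s effective=%s\n' "$tag:$qual" "${perm:0:3}" \
      "$(acl_effective "$1" "$tag" "$qual")"
  done <<<"$1"
}

# Constructed sample in getfacl format (not captured from a real system): the entries from
# the examples above plus a second user and a mask tightened to r-x.
ACL_SAMPLE='# file: test.txt
# owner: <username>
# group: <username>
user::rw-
user:user1:rwx
user:user2:-wx
group::r--
group:group1:r--
mask::r-x
other::r--'

acl_report "$ACL_SAMPLE"

# Live check, skipped when the acl tools or filesystem support are missing.
acl_live_demo() {
  command -v setfacl >/dev/null 2>&1 || { echo "setfacl not installed; skipping live check"; return 0; }
  local f; f=$(mktemp)
  if setfacl -m "u:$(id -un):rwx" "$f" 2>/dev/null && setfacl -m m::r-x "$f" 2>/dev/null; then
    getfacl -p "$f"          # getfacl marks the capped entry with "#effective:r-x"
  else
    echo "ACLs not supported on this filesystem; skipping live check"
  fi
  rm -f "$f"
}
acl_live_demo
```

When auditing a host, compare stated and effective permissions this way before concluding that an entry is harmless or that a user really has the access the entry appears to grant; the mask, not the entry, decides.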
Umask command
On Linux, new files and directories are created with a default set of permissions. The umask command lets you view or set the file mode creation mask, which determines which permission bits are withheld from newly created files and directories.
Programs normally request 666 for new files and 777 for new directories; the umask then removes bits from those requests.
For example, when you create a directory named testdir, it gets the permissions shown below:
drwxr-xr-x 2 <username> <username> 4096 May 4 17:48 testdir/
Write permission is missing for the group and others because the umask was applied when the directory was created.
To view the current umask value, type:
umask
Output:
0022
The value 0022 means that the write bit (2) is cleared for the group and for others on every new file and directory (the leading digit covers the special bits and is 0 here).
The permissions of testdir are rwxr-xr-x, or 755 numerically, computed as follows:
directory default 777 with the bits of umask 022 cleared = 755
For a new file the same mask gives 666 with 022 cleared = 644.
Note that the mask clears bits; it is not subtracted. The two agree for 777 and 022, but not in general.
You can change the umask to change the default permissions of newly created files and directories.
To change the umask of the current shell, type:
umask <newvalue>
For example, to set the umask to 011, type:
umask 011
Any directory created afterwards gets 766 (rwxrw-rw-), because the execute bits are cleared for the group and others. New files are unaffected and stay 666 (rw-rw-rw-): the file default 666 has no execute bits for the mask to clear. This is why the mask cannot be treated as a subtraction: 666 - 011 would give 655, which is not what happens.
The umask is changed only for the current shell and the processes it starts. To make it persistent for a user, put the umask command in the shell startup file (for example ~/.bashrc). For security-sensitive accounts a more restrictive mask such as 027 (no access for others) or 077 (owner only) is commonly used.
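The following script is an added example and not part of the original page. It computes the mode a new file or directory receives for a given umask (the mask's bits are cleared from the requested 666 or 777) and then verifies that arithmetic against the kernel by creating a file and a directory under that umask in a temporary directory. It uses mktemp and GNU stat (with the BSD stat format as a fallback); the masks 027 and 077 are included as two commonly used restrictive values.

```bash
#!/usr/bin/env bash
# Added example: umask clears bits from the requested mode (666 for files, 777 for
# directories); it is not subtracted. Compute the expected mode, then check it for real.

# apply_umask <requested-mode> <umask>: print the resulting three-digit mode.
apply_umask() {
  printf '%03o\n' "$(( 0$1 & ~0$2 & 0777 ))"   # leading 0 makes the shell read the digits as octal
}

# Print the numeric mode of a path (GNU stat; falls back to BSD stat).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# new_modes <umask>: create a file and a directory under <umask> (in a subshell, so the
# caller's umask is untouched) and print "file=NNN dir=NNN" as the kernel assigned them.
new_modes() {
  local dir
  dir=$(mktemp -d)
  ( umask "$1"; : > "$dir/f"; mkdir "$dir/d" )
  printf 'file=%s dir=%s\n' "$(file_mode "$dir/f")" "$(file_mode "$dir/d")"
  rm -rf "$dir"
}

# Walk through the masks discussed above plus two common restrictive values.
for m in 022 011 027 077; do
  printf 'umask %s: expected file=%s dir=%s  actual %s\n' \
    "$m" "$(apply_umask 666 "$m")" "$(apply_umask 777 "$m")" "$(new_modes "$m")"
done
# Why subtraction is wrong: 666 - 011 = 655 arithmetically, but the x bits are not set in
# 666 to begin with, so clearing them changes nothing and the file is created 666.
printf 'subtraction would predict 655 for files under umask 011; the kernel gives %s\n' \
  "$(apply_umask 666 011)"
```

Because umask only removes bits, it can never make a new file executable or world-readable by itself; it can only stop the creating program from granting something. A program that explicitly chmods its output after creation bypasses the mask entirely, which is worth remembering when a restrictive umask is part of a hardening baseline.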