File Permissions

Each file in Linux has an associated permission level. This allows the user to prevent others from reading/writing/executing their files or directories.

To find the permission level for your file, type:

ls -l <filename>

For example, to find the permissions of test.txt file, you simply type:

ls -l test.txt

Output:

-rw-r--r-- 1 <your-username> <username> 46 Jun 14  2020 test.txt

-rw-r--r-- can be analyzed as follows:

  • The first character (-) is the file type flag, which varies with the kind of entry: - for a regular file, d for a directory.

  • The following set of three characters rw- is for the owner permissions.

  • The second set of three characters r-- is for the group permissions.

  • The third set of three characters r-- is for all users permissions.

For owner, group, and all users, the order of the permission types is important: rwx. When a type shows (-), the file/directory does not have that permission. In the example above, -rw-r--r--, the owner has read and write permissions but not execute permission.

Permission Groups

Each file and directory has three user-based permission groups:

  • Owner–The Owner permissions apply only to the owner of the file or directory; they don’t affect the actions of other users.

  • Group–The Group permissions apply only to the group that has been assigned to the file or directory; they don’t affect the actions of other users.

  • Others–The Others permissions apply to all other users on the system; this is the permission group you want to watch the most.

The Permission Groups used are:

  • u–Owner

  • g–Group

  • o–Others

  • a–All users

Permission Types

Each file or directory has three basic permission types:

  • Read(r)–The Read permission refers to a user’s capability to read the contents of the file.

  • Write(w)–The Write permission refers to a user’s capability to write to or modify a file or directory.

  • Execute(x)–The Execute permission affects a user’s capability to execute a file or view the contents of a directory.

To change the permission of a file, use the following command:

chmod <permission groups> <assignment> <permission types> <file/directory name>

The chmod command lets you set the permissions of files and directories. You can change permissions if you’re the file owner.

The assignment can be:

  • Plus (+): Adds the designated permission(s) to a file or directory.

  • Minus (-): Removes the designated permission(s) from a file or directory.

  • Equal (=): Sets the designated permission(s).

For a directory, the same command grants or removes the permissions needed to list and access its contents.

Changing Permissions using Numeric Code

Permissions can also be changed using the numeric format. This option is faster, as it requires less typing, although it’s not as straightforward as the previous method.

Instead of letters, numbers can be used to represent privileges as shown in the following table:

Number   Permission representation                   Letter representation
0        No permission                               ---
1        Execute                                     --x
2        Write                                       -w-
3        Execute and write: 1 (x) + 2 (w) = 3        -wx
4        Read                                        r--
5        Read and execute: 4 (r) + 1 (x) = 5         r-x
6        Read and write: 4 (r) + 2 (w) = 6           rw-
7        All permissions: 4 (r) + 2 (w) + 1 (x) = 7  rwx

Syntax:

chmod <numeric Representation> file/directory

For example, to give read, write, and execute permissions to the owner and the group only (and none to others) on the test.txt file, you would type:

chmod 770 test.txt

Examples

Example 1

For example, to make test.txt executable for the owner only, you would type:

chmod u+x test.txt

If you check the permissions of that file, you will find that it is now executable by the owner only, as shown in the following output:

-rwxr--r-- 1 <username> <username> 46 Jun 14  2020 test.txt

Example 2

As another example, to remove the read, write, and execute permissions for the group and others from the test.txt file, type:

chmod go-rwx test.txt

To represent this example using numbers, you would type:

chmod 700 test.txt

To make the file readable, writable, and executable by all users, type:

chmod a=rwx test.txt

This can be expressed using numbers as follows:

chmod 777 test.txt
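As an added example (not part of the original page), the following Python code converts between the ls -l letter string and the numeric mode, applies symbolic chmod clauses like the ones above, and replays the three examples on a scratch file. The who letters are required in each clause, a simplification of real chmod.

```python
import os
import stat
import tempfile

# Which permission triplet each "who" letter selects, and which bit column
# each permission letter selects (the same bits as the numeric table above).
WHO = {"u": 0o700, "g": 0o070, "o": 0o007, "a": 0o777}
PERM = {"r": 0o444, "w": 0o222, "x": 0o111}

def parse_mode_string(text):
    """'-rw-r--r--' as printed by ls -l (or the bare 'rw-r--r--') -> 0o644."""
    bits = text[1:] if len(text) == 10 else text    # drop the type flag column
    if len(bits) != 9:
        raise ValueError("expected nine rwx characters")
    mode = 0
    for ch in bits:                                  # each column is one bit
        mode = (mode << 1) | (ch != "-")
    return mode

def format_mode(mode):
    """0o755 -> 'rwxr-xr-x' (the inverse of parse_mode_string)."""
    return "".join("rwx"[i % 3] if mode & (1 << (8 - i)) else "-"
                   for i in range(9))

def apply_symbolic(clause, mode):
    """Apply one chmod clause ('u+x', 'go-rwx', 'a=rwx'); who letters required."""
    who, i = 0, 0
    while clause[i] in WHO:
        who |= WHO[clause[i]]
        i += 1
    op, bits = clause[i], 0
    if who == 0 or op not in "+-=":
        raise ValueError("unsupported clause: " + clause)
    for ch in clause[i + 1:]:
        bits |= PERM[ch]
    bits &= who                                      # only the selected triplets
    if op == "+":
        return mode | bits
    if op == "-":
        return mode & ~bits
    return (mode & ~who) | bits                      # '=' replaces those triplets

def chmod_symbolic(path, clause):
    """Apply a clause to a real path with os.chmod and return the new mode."""
    current = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, apply_symbolic(clause, current))
    return stat.S_IMODE(os.stat(path).st_mode)

def replay_examples():
    """Run the page's three chmod examples on a scratch file: [0o744, 0o700, 0o777]."""
    with tempfile.NamedTemporaryFile() as tmp:
        os.chmod(tmp.name, 0o644)                    # start from -rw-r--r--
        return [chmod_symbolic(tmp.name, c) for c in ("u+x", "go-rwx", "a=rwx")]
```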

Linux Access Control Lists (ACLs)

Access Control Lists (ACLs) are a powerful tool for managing the permissions of files and directories. Using ACLs, you can grant or modify read, write, and execute permissions for specific users and groups on any file or directory that you own.

There are two main things that you can do using ACLs:

  • Viewing ACLs

  • Setting ACLs

Viewing ACLs

To view the ACLs of a specific file or directory, use the getfacl command.

Syntax:

getfacl FileName/DirName

For example, to show ACLs of test.txt file, you can type:

getfacl test.txt

Output:

# file: test.txt
# owner: <username>
# group: <username>
user::rw-
group::r--
other::r--

Setting ACLs

To modify and remove access control lists on a file or directory, use the setfacl command.

Syntax:

setfacl {-m, -x}  {u, g}:<username/groupname>:[r, w, x] <file, directory>

Where:

  • {-m, -x} means -m (modify one or several ACL entries) or -x (remove one or several ACL entries).

  • {u, g} means u for a user or g for a group.

  • [r, w, x] means one or several of them.

Examples

To make the test.txt file accessible to the user "user1" in read, write, and execute mode, you can simply type:

setfacl -m u:user1:rwx test.txt

Use the getfacl command to check the current ACL on test.txt file:

getfacl test.txt

Output:

# file: test.txt
# owner: <username>
# group: <username>
user::rw-
user:user1:rwx
group::r--
mask::rwx
other::r--

The output shows that user1 can now read, write, and execute the file.

To allow group1 to read test.txt, you would type:

setfacl -m g:group1:r test.txt

Output:

# file: test.txt
# owner: <username>
# group: <username>
user::rw-
user:user1:rwx
group::r--
group:group1:r--
mask::rwx
other::r--

To remove the ACL entry for user1 on test.txt, type:

setfacl -x u:user1 test.txt

On viewing the current ACL of test.txt, user1 has been removed, as shown in the following output:

# file: test.txt
# owner: <username>
# group: <username>
user::rw-
group::r--
mask::r--
other::r--

A single ACL entry can’t be partially removed with -x; for example, you can’t drop the write permission from an entry while keeping its read permission. To change the rights an entry grants, modify it with -m and the new set of permissions.
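Added example, not from the original page: parsing getfacl output and computing the permissions a user effectively gets, including the mask entry that caps named users and groups but never "other". The sample text, the names alice, user1 and group1, and the lowered mask are constructed.

```python
# Constructed sample in getfacl's format. The mask was lowered to r--, as
# `setfacl -m m::r-- test.txt` would do; getfacl then marks user1's line.
SAMPLE = """\
# file: test.txt
# owner: alice
# group: alice
user::rw-
user:user1:rwx                  #effective:r--
group::r--
group:group1:r--
mask::r--
other::r--
"""

def parse_getfacl(text):
    """Return (owner, owning_group, entries); entries maps (tag, name) -> set of perms."""
    owner = group = None
    entries = {}
    for line in text.splitlines():
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            tag, name, perms = line.split("#")[0].strip().split(":")
            entries[(tag, name)] = set(perms) - {"-"}
    return owner, group, entries

def effective_perms(acl, user, groups):
    """POSIX ACL check order: owner entry, named user, owning/named groups, other.
    Named-user and every group entry are limited by the mask entry."""
    owner, owning_group, e = acl
    mask = e.get(("mask", ""), {"r", "w", "x"})
    if user == owner:
        return e[("user", "")]
    if ("user", user) in e:
        return e[("user", user)] & mask
    hit, granted = False, set()
    for g in groups:
        if g == owning_group:
            hit, granted = True, granted | e[("group", "")]
        if ("group", g) in e:
            hit, granted = True, granted | e[("group", g)]
    return granted & mask if hit else e[("other", "")]

def effective_after_mask_change(text, new_mask, user, groups):
    """What a user would get after `setfacl -m m::<new_mask>` on this file."""
    owner, group, e = parse_getfacl(text)
    e[("mask", "")] = set(new_mask) - {"-"}
    return effective_perms((owner, group, e), user, groups)
```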

Umask command

On Linux operating systems, all new files and directories are created with a default set of permissions. The umask command allows you to view or to set the file mode creation mask, which determines the permissions for newly created files or directories.

By default on Linux systems, the base creation permissions are 666 for files and 777 for directories; the umask is then applied to these.

For example, when you create a directory named testdir, it will have default permissions as shown below:

drwxr-xr-x   2 <username> <username>      4096 May  4 17:48  testdir/

You can see that the write permission was removed for the group and others. This is because the umask value is applied to the default permissions to compute the actual permissions of newly created files and directories.

To view the current umask value, you simply type:

umask

Output:

0022

The value 0022 means that the write permission will be removed from the group and others once files or directories are created.

Permissions of testdir are rwxr-xr-x that can be represented numerically as 755 which can be computed as follows:

default permission - umask = 777 - 022 = 755

You can change the value of umask to change the default permission of newly created files and directories. To change the umask setting of the current shell to something else, you type:

umask newvalue

For example, to change umask to become 011, you simply type:

umask 011

Then, any newly created directory will have numeric permission 766, which can be computed as follows:

directory default permission - umask = 777 - 011 = 766

Newly created files keep 666, because the execute bits that umask 011 clears were never set on a file in the first place.

The value of umask set this way is not changed permanently; it applies to the current shell only.
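The following Python code (added here; not from the original page) shows how the umask is actually applied, why the subtraction shortcut only agrees with it when the umask bits are present in the default, and checks the result on real files by setting and then restoring the process umask.

```python
import os
import stat
import tempfile

DEFAULT_FILE = 0o666   # mode a plain file is created with before the umask
DEFAULT_DIR = 0o777    # mode mkdir uses before the umask

def creation_mode(default, umask):
    """What the kernel does: clear every bit that is set in the umask.
    Bits the umask names that the default never had are simply unaffected."""
    return default & ~umask & 0o777

def octal_subtraction(default, umask):
    """The page's shortcut, digit by digit (777 - 022 = 755). It only agrees
    with creation_mode when every umask bit is already set in the default."""
    d, u = format(default, "03o"), format(umask, "03o")
    return int("".join(str(max(int(a) - int(b), 0)) for a, b in zip(d, u)), 8)

def umask_for(desired_dir_mode):
    """Umask that gives new directories desired_dir_mode, e.g. 0o700 -> 0o077."""
    return DEFAULT_DIR & ~desired_dir_mode

def observe_creation_modes(umask):
    """Set the umask, create a file and a directory in a scratch directory,
    restore the old umask, and return the modes the filesystem actually set."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as scratch:
            fpath, dpath = os.path.join(scratch, "f"), os.path.join(scratch, "sub")
            open(fpath, "w").close()               # open(2) with O_CREAT uses 0o666
            os.mkdir(dpath)                        # os.mkdir defaults to 0o777
            return (stat.S_IMODE(os.stat(fpath).st_mode),
                    stat.S_IMODE(os.stat(dpath).st_mode))
    finally:
        os.umask(old)
```

A umask of 022 still leaves every new file world-readable; umask_for(0o700) gives the 077 value that makes new files and directories private to their owner.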