Tuesday, September 19, 2006 

Understanding file permissions on Linux

This article is an exact copy of the article on File Permission Contributed by Clement Lefebvre in Linuxforums.org original article can be read here
I copied this article here just for my reference.. any modifications to the original article will not be refelected here.Please read the original article for accurate info.

Understanding file permissions

In GNU/Linux every user has his own user account, and is a member of one or more user groups. Similarly, each file belongs to a user and to a user group. For restricting file access, GNU/Linux (and Unix in general) defines three different types of rights:

- Read (symbolized by the letter r), which means that the file can be read;
- Write (symbolized by the letter w), which means that the content of the file can be changed;
- Execute (symbolized by the letter x), which means that the file can be executed.

For each file, each of these rights (Read, Write and Execute) are defined for three sets of users :

- The user (symbolized by the letter u), who is the owner of the file.
- The group (symbolized by the letter g), who represents all the users who are members of the group which the file belongs to (as a file belongs both to a user, and a user group).
- The others (symbolized by the letter o), who basically represent all the users that are neither members of the group nor the owner of the file.

For instance, if a file belongs to George (as the owner) and Administrators (as the group), it can define different Read, Write and Execute permissions for George, for members of the "Administrators" group, and for all other users.

Reading file permissions : ls -l

All information related to file permissions is contained within the file and can be viewed by the "ls -l" command:

ls -l myfile
-rwxr-x--- 1 george administrators 10 2006-03-09 21:31 myfile

As you can see in this example, the "ls -l" command gives a lot of information about the file "myfile":

- Its name, "myfile";
- Its permissions, "-rwxr-x---";
- Its owner, "george";
- Its group, "administrators";
- And other information which is not relevant to this article.

The way permissions are shown can seem a bit confusing if you're new to GNU/Linux or Unix, but don't be mistaken, it is very simple. The first character simply indicates the type of file as indicated in the table below:

Character Type of file
- regular file
d directory
lsymbolic link
ssocket
pnamed pipe
ccharacter device file (unbuffered)
bblocked device file (buffered)

In this case myfile is a regular file. Let's have a look at the other nine characters: "rwxr-x---".

The first three characters indicate whether or not the read, write and execute permissions are given to the owner (in this case, George). If they are, their character representation appear (r, w or x), otherwise they are replaced by the character "-". In the same manner, the next three characters indicate whether or not these permissions are given to the group (in this case, Administrators). Finally, the last three characters indicate whether the same rights are given to the others (in this case, people who are not members of the Administrators group).

Letter Permission
rRead
wWrite
xExecute, Go through (for directories)
-No permission

Letter Type of users
u User (owner of the file)
g Group (group to which belong the file)
o Other (users who are neither a member of the Group nor the owner of the file)
a All (everybody)

So, in our example myfile features the following set of permissions : "

rwxr-x---
". This means that George has all three rights on it, that members of the Administrators group can only read (R) and execute (X) the file, and that everybody else can't do anything with the file.

You could imagine that this file, written and maintained by George could be an executable script dedicated to the administrators and not made available to other users.. but hey.. this is only an example, so let's not assume too much :) The important thing is that you now understand the concept of file permissions and that you know how to read them using the "ls -l" command. The next step is to learn how to change them.

Changing file permissions : chmod

You can change the permissions of your files (or other people's files if you're the root superuser) by using the command "chmod". The syntax is very simple. For instance if George decides to give write permissions to the administrators, he will type:

chmod g+w myfile

g represents the group of the file (administrators).
w represents the write permission.
+ represents the fact that the permission is added.

If George then lists the permissions using ls -l he obtains:

ls -l myfile
-rwxrwx--- 1 george administrators 10 2006-03-09 21:31 myfile

As you can see, the administrators now have write access to the file, and permission to change its content.

The "chmod" command takes 4 parameters:

- The type of users to apply the change of permissions for (u for user, g for group, o for others, a combination of them or a for all three of them).
- The type of change to make (+ to add permissions, - to remove permissions, = to define permissions)
- The type of permissions to apply the change with (r for read, w for write, x for execute)
- The file or group of files to apply the change on (filename for a precise file, but wildcard characters for multiple files)

Let's have a look at a few examples:

- chmod o+r myfile adds read permission to the others on myfile;
- chmod ug+rx myfile adds read and execute permissions to both the owner (user) and the group on myfile;
- chmod a-rwx myfile removes all permissions to everybody (all) on myfile;
- chmod a=rx *.txt defines permissions to be read and write to everybody on all files suffixed by .txt.

The chmod command also accepts another syntax which is quite popular among system administrators: the octal system. Rather than using letters such as u, g, o, a, r, w and x.. you can use octal numbers. The main advantage is that once you're used to it, it is faster to use. Also, because it sets permissions rather than adding or removing them, you don't accidentally overlook anything. Here is how the octal numbers work:

Each permission is given a value:

Permission Value
- 0
x 1
w 2
r 4

Values add up when you combine permissions. Consequently the total value can go from 0 (no permission at all) to 7 (full permissions):

Permission Value
--- 0
--x 1
-w- 2
-wx 3
r-- 4
r-x 5
rw- 6
rwx 7

Finally a value is given for each of the three types of users (User, Group and Other) and these three numbers ranging from 0 to 7 are put together to form the octal number. This is the number you can use with "chmod".

For instance:

chmod 750 myfile

750 means 7 (rwx) for the owner, 5 (r-x) for the group and 0 (---) for others. As a result, the permissions of myfile will be "rwxr-x---". As seen above this command is equivalent to:

chmod u=rwx,g=rx myfile; chmod o-rwx myfile;  

Here are some common uses of the octal numbers:

- chmod 755 myfile : rwxr-xr-x, all rights to the owner, other people only read and execute;
- chmod 644 myfile : rw-r--r--, owner car read and write, other people only read;
- chmod 777 myfile : can be considered bad practice in some cases, full permissions to everybody.

Changing file owner or group : chown, chgrp

You can give ownership of your files to somebody else, or change the group that they belong to, by using the commands "chown" and "chgrp". "chown" allows you yo change the owner of the file, and "chgrp" allows you to change its group.

For instance, if George decides to give ownership of myfile to Robert, he can simply type:

chown robert myfile

Also, if Robert later on decides to make the file only available to members of the group "SeniorAdmin" group rather than to those of the group "Administrators", he can type:

chgrp senioradmin myfile

Note: The "chown" command also allows to change the group ownership. In fact George could have directly typed the following command:

chown robert:senioradmin myfile

Setting the sticky bit on a directory : chmod +t

If you have a look at the /tmp permissions, in most GNU/Linux distributions, you'll see the following:

clem@pluto:/$ ls -l | grep tmp
drwxrwxrwt 10 root root 4096 2006-03-10 12:40 tmp

The "t" in the end of the permissions is called the "sticky bit". It replaces the "x" and indicates that in this directory, files can only be deleted by their owners, the owner of the directory or the root superuser. This way, it is not enough for a user to have write permission on /tmp, he also needs to be the owner of the file to be able to delete it.

In order to set or to remove the sticky bit, use the following commands:

chmod +t tmp
chmod -t tmp

Setting the SGID attribute on a directory : chmod g+s

If the SGID (Set Group Identification) attribute is set on a directory, files created in that directory inherit its group ownership. If the SGID is not set the file's group ownership corresponds to the user's default group.

In order to set the SGID on a directory or to remove it, use the following commands:

chmod g+s directory
chmod g-s directory

When set, the SGID attribute is represented by the letter "s" which replaces the "x" in the group permissions:

ls -l directory
drwxrwsr-x 10 george administrators 4096 2006-03-10 12:50 directory

Setting SUID and SGID attributes on executable files : chmod u+s, chmod g+s

By default, when a user executes a file, the process which results in this execution has the same permissions as those of the user. In fact, the process inherits his default group and user identification.

If you set the SUID attribute on an executable file, the process resulting in its execution doesn't use the user's identification but the user identification of the file owner.

For instance, consider the script myscript.sh which tries to write things into mylog.log :

ls -l
-rwxrwxrwx 10 george administrators 4096 2006-03-10 12:50 myscript.sh
-rwxrwx--- 10 george administrators 4096 2006-03-10 12:50 mylog.log

As you can see in this example, George gave full permissions to everybody on myscript.sh but he forgot to do so on mylog.log. When Robert executes myscript.sh, the process runs using Robert's user identification and Robert's default group (robert:senioradmin). As a consequence, myscript fails and reports that it can't write in mylog.log.

In order to fix this problem George could simply give full permissions to everybody on mylog.log. But this would make it possible for anybody to write in mylog.log, and George only wants this file to be updated by his myscript.sh program. For this he sets the SUID bit on myscript.sh:

chmod u+s myscript.sh

As a consequence, when a user executes the script the resulting process uses George's user identification rather than the user's. If set on an executable file, the SUID makes the process inherit the owner's user identification rather than the one of the user who executed it. This fixes the problem, and even though nobody but George can write directly in mylog.log, anybody can execute myscript.sh which updates the file content.

Similarly, it is possible to set the SGID attribute on an executable file. This makes the process use the owner's default group instead of the user's one. This is done by:

 chmod g+s myscript.sh 

By setting SUID and SGID attributes the owner makes it possible for other users to execute the file as if they were him or members of his default group.

The SUID and GUID are represented by a "s" which replaces the "x" character respectively in the user and group permissions:

chmod u+s myscript.sh
ls -l
-rwsrwxrwx 10 george administrators 4096 2006-03-10 12:50 myscript.sh
chmod u-s myscript.sh
chmod g+s myscript.sh
ls -l
-rwxrwsrwx 10 george administrators 4096 2006-03-10 12:50 myscript.sh

Setting the default file creation permissions : umask

When a file is created, its permissions are set by default depending on the umask setting. This value is usually set for all users in /etc/profile and can be obtained by typing:

umask

The default umask value is usually 022. It is an octal number which indicates what rights will be removed by default to all new files. For instance, 022 indicates that write permissions will not be given to group and other.

By default, and with a umask of 000, files get mode 666 and directories get mode 777. As a result, with a default umask value of 022, newly created files get a default mode 644 (666 - 022 = 644) and directories get a default mode 755 (777 - 022 = 755).

In order to change the umask value, simply use the umask command and give it an octal number. For instance, if you want all new directories to get permissions rwxr-xr--- and files to get permissions rw-r----- by default (modes 750 and 640), you'll need to use a umask value which removes all rights to other, and write permissions to the group : 027. The command to use is:

umask 027