17.1.10

File permissions in Linux - explained

Linux is often used as a multi-user system, and it is not desirable that every user has access to every file and directory.
For example: on a central server running Linux in an office, the accounting department's documents may need to be shared between the employees of that department. At the same time, it would be undesirable, and indeed dangerous, if anyone with an account on the server were able to read or edit them.

Linux has a 3x3 permission system: three permission bits (read, write, execute), each granted separately to three classes of user (owner, group, others).

There are 3 permissions for a file:

Read permission : permission to read the contents of the file (r)
Write permission : permission to modify the file (w)
Execute permission : permission to run the file as a program (x)

and the same 3 bits have a different meaning for a directory:

Enter permission (x) : permission to enter the directory and to reach anything inside it by path
Show entry (r) : permission to list the names in the directory
Write entry (w) : permission to create, delete or rename entries in the directory (only usable together with x)

Note that deleting or renaming a file is decided by the permissions of the directory that contains it, not by the permissions of the file itself: a file with mode 000 can be removed by anyone who has w and x on its directory.

For granting the above permissions, users are divided into 3 classes:

User : the owner of the file/directory, usually the person who created it
Group : every file/directory also has an owning group. Linux users can be members of more than one group, and the group permissions apply to every user who is a member of the file's group (not to all the groups the owner belongs to)
Others : all users who are neither the owner nor members of the file's group

The classes are checked in that order and only the first match counts: the owner gets exactly the user bits, even if the group or others bits would grant more.
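
The point about directories deserves a demonstration. The script below is an added example, not from the original page: it creates a scratch directory (via mktemp, assumed to be the GNU coreutils version), puts a file with mode 000 inside it, and tries to delete the file once with the directory writable and once with it read-only. The function names try_delete and expected_when_unwritable are my own.

```shell
#!/bin/sh
# Added example: deletion is governed by the directory's w+x bits, not by the
# file's own mode. Scratch paths come from mktemp; function names are ours.

# try_delete DIR_MODE: make a scratch directory holding a file with mode 000,
# set the directory to DIR_MODE, attempt to unlink the file, and report
# "deleted" or "denied". Always cleans up after itself.
try_delete() {
    dir_mode=$1
    scratch=$(mktemp -d)
    : > "$scratch/secret"
    chmod 000 "$scratch/secret"       # the file itself grants nothing to anyone
    chmod "$dir_mode" "$scratch"      # the permission that actually decides
    if rm -f "$scratch/secret" 2>/dev/null && [ ! -e "$scratch/secret" ]; then
        result=deleted
    else
        result=denied
    fi
    chmod 700 "$scratch"              # put write back so cleanup can succeed
    rm -rf "$scratch"
    echo "$result"
}

# expected_when_unwritable: what try_delete 555 should print for this caller.
# Mode bits only bind unprivileged users; root carries CAP_DAC_OVERRIDE and
# unlinks the file anyway, which is why "I chmod'ed it" is no defence against
# an attacker who already has root.
expected_when_unwritable() {
    if [ "$(id -u)" -eq 0 ]; then echo deleted; else echo denied; fi
}

echo "writable directory (755):  $(try_delete 755)"
echo "read-only directory (555): $(try_delete 555)  [expected here: $(expected_when_unwritable)]"
```

Run it as an ordinary user to see the denial; run it as root and both attempts succeed, because discretionary permission bits are never consulted for a process holding CAP_DAC_OVERRIDE.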


Let's discuss the following example, which is the output of the ls -l command:
drwxr-x--- 2 mayank freeos 4096 Dec 28 04:09 tmp
-rw-r--r--  1 mayank freeos   969 Dec 21 02:32 foo
-rwxr-xr-x 1 mayank freeos   345 Sep   1 04:12 somefile
The first entry here is tmp. Its first column splits into four fields:
d         rwx     r-x     ---
file type | user  | group | others

The first character in the first column indicates the file type, which is one of the following. For tmp it is 'd', which means tmp is a directory.

d = directory
l = symbolic link
s = socket
p = named pipe
- = regular file
c = character (unbuffered) device special file
b = block (buffered) device special file

The chmod command

The chmod command is used to change the permissions of files/directories in Linux. Its syntax is as follows:
chmod [-Rcfv] [u/g/o/a][+/-/=][rwxXst...] file...
For example, if you want to give all members of the file's group just read permission on a file called foo.txt, the command is
chmod g+r /home/aarjav/foo.txt
Here g stands for group, + stands for adding a permission (as against - for taking it away), and r stands for read permission.

Now if they misbehave and you want to take their read permission away, the command is the same as above, just substituting the + sign with a minus sign:
chmod g-r /home/aarjav/foo.txt
As shown, the general format of the command is
chmod [-Rcfv] [u/g/o/a][+/-/=][rwxXst...] file...
where the parameters are:
which users?
u : user (the owner)
g : group
o : others
a : all three (u, g and o)
what to do?
+ : add the listed permissions
- : take the listed permissions away
= : make the listed permissions the only permissions for that class (anything else it had is cleared)
which permissions?
r : read permission
w : write permission
x : execute permission

And some other parameters:
X : execute permission, but only for directories and for files that already have execute permission for some class (useful with -R, so that data files are not made executable)
s : set user or group ID on execution (see the SUID/SGID section below)
t : the sticky bit, today the restricted-deletion flag on directories (historically "save program text on the swap device")
(X, s and t are not required for common tasks)

The initial options -R, -c, -f and -v are explained as follows:

-c : Displays the names of only those files whose permissions are actually changed (--changes can also be used instead of -c)

-f : Suppresses error messages when a file's permissions cannot be changed (--silent or --quiet can also be used instead of -f)

-R : Recursively changes the permissions of the named directory and of everything beneath it (--recursive can also be used)

-v : Displays the result of every permission change, including those that changed nothing (--verbose can also be used)

Examples:

chmod g-wx somefile - We're removing write and execute permission for members of the group. Starting from -rwxr-xr-x (somefile in the listing above), the file will now have permissions -rwxr--r-x.

You can also specify permissions for user, group and others in the same command, separated by commas.

chmod g+wx,o-rwx somefile - Group members have been given write and execute access but all access has been removed for users that are not members of that group. File
permissions now are -rwxrwx---.

chmod a+x somefile - Give everyone execute access. Permissions now are -rwxrwx--x. Specifying 'a' here is not essential: you could simply say '+x', and 'all' is assumed by default, so chmod +x somefile gives the same result here. The one difference is that when no u/g/o/a letter is given, chmod leaves alone any bits that are set in the umask (with the usual umask of 022, '+w' would not grant write to group and others, while 'a+w' would).

chmod go-rx somefile - If the same permission bits are to be set/unset for users, groups or
others then you can club them together as above. File permissions now are -rwx-w----.

chmod ug=rwx somefile - This sets the file permissions to exactly what is specified. Now, the file
permissions become -rwxrwx---.

chmod o=g somefile - File permissions for others are set at what the permissions for group are
set. Permissions now are -rwxrwxrwx.
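
To check the walkthrough above rather than take it on trust, here is an added example (not from the original page) that replays the same chmod specs against a scratch file, starting from the -rwxr-xr-x of somefile, and reads the result back with GNU stat. It also shows the umask caveat on a bare +x. The functions mode_after, run_walkthrough and plus_x_without_who are my own names; mktemp and stat -c are assumed to be the GNU coreutils versions.

```shell
#!/bin/sh
# Added example: replay the chmod walkthrough from the text on a scratch file
# and read the result back with stat, then show the umask caveat on a bare +x.
# mktemp and stat -c are assumed to be GNU coreutils; function names are ours.

# mode_after FILE SPEC...: apply each SPEC to FILE in order and print the
# symbolic mode afterwards, in the same form ls -l shows it.
mode_after() {
    f=$1; shift
    for spec in "$@"; do
        chmod "$spec" "$f"
    done
    stat -c '%A' "$f"
}

# run_walkthrough: start from -rwxr-xr-x (somefile in the listing) and apply
# the page's examples one after another, printing the mode after each.
run_walkthrough() {
    f=$(mktemp)
    chmod 755 "$f"
    printf '%-12s %s\n' start "$(stat -c '%A' "$f")"
    for spec in g-wx g+wx,o-rwx a+x go-rx ug=rwx o=g; do
        printf '%-12s %s\n' "$spec" "$(mode_after "$f" "$spec")"
    done
    rm -f "$f"
}

# plus_x_without_who: with no u/g/o/a letter, chmod leaves alone every bit
# that is set in the umask; an explicit 'a' ignores the umask. Prints the
# octal mode after each attempt, starting from 644 under a umask of 111.
plus_x_without_who() {
    f=$(mktemp)
    chmod 644 "$f"
    ( umask 111; chmod +x "$f" )     # all x bits masked: nothing changes
    bare=$(stat -c '%a' "$f")
    ( umask 111; chmod a+x "$f" )    # 'a' given: umask not consulted
    explicit=$(stat -c '%a' "$f")
    rm -f "$f"
    echo "$bare $explicit"
}

run_walkthrough
echo "bare +x vs a+x under umask 111: $(plus_x_without_who)"
```

The umask of 111 is deliberately extreme so the difference is visible; with the everyday 022 it shows up on '+w' rather than '+x', which is the case that catches people out in scripts.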

There is another way in which you can specify the file permissions.
The permission bits r, w and x are assigned a number:
r = 4
w = 2
x = 1
Now you can use numbers, which are the sum of the various permission bits.
E.g. rwx will be 4+2+1 = 7, and r-x becomes 4+1 = 5.
The chmod command now becomes:
chmod xyz filename
where x, y and z are numbers representing the permissions of user, group and others respectively.
Each number is the sum of the permissions to be set and is calculated as given above.
chmod 644 somefile

6 = 4 + 2 = rw-
4 = r--
4 = r--
As you can see, the permissions for somefile are being set to -rw-r--r--.

This is a simpler and quicker way of setting the file permissions. Refer to the table below as a quick reference.
0 - ---
1 - --x
2 - -w-
3 - -wx
4 - r--
5 - r-x
6 - rw-
7 - rwx
SUID, SGID, sticky bit
After you have worked for a while with Linux you will probably discover that there is more to file permissions than just the "rwx" bits. When you look around your file system you will see "s" and "t":
>ls -ld /usr/bin/crontab  /usr/bin/passwd  /usr/sbin/sendmail  /tmp
drwxrwxrwt   5 root   root   1024 Jan 1 17:21 /tmp
-rwsr-xr-x   1 root   root   0328 May 6 1998 /usr/bin/crontab
-r-sr-xr-x   1 root   bin     5613 Apr 27 1998 /usr/bin/passwd
-rwsr-sr-x   1 root   mail   89524 Dec 3 22:18 /usr/sbin/sendmail
What are these "s" and "t" bits? The vector of permission bits is really 4 * 3 = 12 bits long, and chmod 755 is only a shortcut for chmod 0755.
When you come across four digits, the first digit combines the following bits (in this order, high to low): SUID (4), SGID (2), sticky bit (1). The last three digits are for owner, group and others as before.


Sticky bit. It was originally used to make a program's text "stick" in swap after the process finished, so that it started faster next time; that usage is obsolete. Today its meaning on executables is system dependent, and it is mostly used on directories to restrict deletion: in a directory where many users have write access, it stops them from deleting or renaming each other's files.
The t-bit can be set with chmod a+tw (sticky bit plus write for everyone) or chmod 1777, which is what /tmp above has.
With the t-bit set on a directory, a file in it can be deleted or renamed only by the file's owner, the owner of the directory, or root.

SUID or setuid: set user ID on execution. If the setuid bit is set, then when the file is executed the process runs with the effective user ID of the file's owner, not of the user who started it, so it has the owner's rights.
Can be set with chmod u+s or chmod 4755.
Set-UID programs owned by "root" are how ordinary users are given access to things that normally only "root" can do (passwd above has to write the password file). Every such program is therefore also a privilege boundary: a bug in it is exploitable by any local user, so the set of setuid-root binaries on a system should be small and known (find / -type f -perm -4000 lists them). Note that the Linux kernel ignores the setuid bit on scripts; it takes effect only for binaries.

SGID or setgid: set group ID on execution. Same as above, but the process inherits the rights of the file's group. On directories it means something different: a new file or subdirectory created in the directory inherits the group of the directory (and not the primary group of the user who created it), and new subdirectories get the setgid bit as well.
Can be set with chmod g+s or chmod 2775.
This is a useful feature when several people work as a team and you want to ensure that the group IDs of files are set to the right group for that team's working directory, especially in an environment where users have a 027 umask, which makes files inaccessible to people outside the group.
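
Since every setuid/setgid program is a privilege boundary, auditing which files carry the bits is routine work. The following added example (not part of the page) builds three scratch files, marks two of them set-id, lists them with find -perm, and then clears one bit with chmod u-s. The script files are only stand-ins for binaries, since we inspect mode bits and never execute them; list_setid, count_setid and demo_setid are my own function names, and GNU find and mktemp are assumed.

```shell
#!/bin/sh
# Added example: list set-id files under a directory the way an audit would,
# and show chmod clearing the bit. Scratch files only; function names are ours.

# list_setid DIR: every regular file under DIR with the setuid (-perm -4000)
# or setgid (-perm -2000) bit set, one per line, sorted.
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# count_setid DIR: number of such files.
count_setid() {
    list_setid "$1" | wc -l | tr -d ' '
}

# demo_setid: three scratch "programs", two of them set-id, then clear one.
# Prints "<count before> <count after>". The files are shell scripts because
# only the mode bits matter here; Linux would ignore setuid on them if run.
demo_setid() {
    d=$(mktemp -d)
    for f in suid_tool sgid_tool plain_tool; do
        printf '#!/bin/sh\necho hello\n' > "$d/$f"
    done
    chmod 4755 "$d/suid_tool"    # -rwsr-xr-x
    chmod 2755 "$d/sgid_tool"    # -rwxr-sr-x
    chmod 0755 "$d/plain_tool"   # -rwxr-xr-x
    before=$(count_setid "$d")
    echo "set-id files before:" >&2
    list_setid "$d" >&2
    chmod u-s "$d/suid_tool"     # same effect as chmod 0755: the bit is gone
    after=$(count_setid "$d")
    rm -rf "$d"
    echo "$before $after"
}

echo "counts (before after): $(demo_setid)"
```

Against a real system the same find is run from the root, typically as find / -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null, and the output is compared with a known-good baseline; a new entry, especially in a user-writable directory, is worth an investigation.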
Numeric Representation
0 - setuid, setgid and sticky bits are cleared
1 - sticky bit is set
2 - setgid bit is set
3 - setgid and sticky bits are set
4 - setuid bit is set
5 - setuid and sticky bits are set
6 - setuid and setgid bits are set
7 - setuid, setgid, sticky bits are set
Textual Representation
SUID
If set, then replaces "x" in the owner permissions to "s", if owner has execute permissions, or to "S" otherwise. Examples:
-rws------ both owner execute and SUID are set
-r-S------ SUID is set, but owner execute is not set
SGID
If set, then replaces "x" in the group permissions to "s", if group has execute permissions, or to "S" otherwise. Examples:
-rwxrws--- both group execute and SGID are set
-rwxr-S--- SGID is set, but group execute is not set
Sticky
If set, then replaces "x" in the others permissions to "t", if others have execute permissions, or to "T" otherwise. Examples:
-rwxrwxrwt both others execute and sticky bit are set
-rwxrwxr-T sticky bit is set, but others execute is not set
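
The two tables above (the file-type/rwx layout of the ls -l column and the s/S/t/T rules) are mechanical enough to encode. This added example, not from the original page, converts in both directions in plain POSIX sh: mode_to_octal turns a string as printed by ls -l into four-digit octal, and octal_to_mode does the reverse, with the helpers triad_value and triad_string. All names are my own and nothing touches the file system.

```shell
#!/bin/sh
# Added example: convert between the mode strings printed by ls -l and the
# four-digit octal form chmod takes. s/S/t/T follow the rules in the text:
# lowercase = bit set and execute set, uppercase = bit set, execute clear.

# triad_value TRIAD: value 0-7 of one rwx group. Only lowercase s/t count as
# execute; uppercase S/T mean the execute bit is clear.
triad_value() {
    v=0
    case $1 in r??) v=$((v + 4));; esac
    case $1 in ?w?) v=$((v + 2));; esac
    case $1 in ??[xst]) v=$((v + 1));; esac
    echo "$v"
}

# mode_to_octal STRING: "-rwsr-xr-x" -> 4755, "drwxrwxrwt" -> 1777,
# "rw-r--r--" -> 0644. The leading file-type character is optional.
mode_to_octal() {
    m=$1
    case ${#m} in
        10) m=${m#?} ;;                       # drop the type character
        9)  ;;
        *)  echo "bad mode string: $1" >&2; return 1 ;;
    esac
    u=${m%??????}; g=${m#???}; g=${g%???}; o=${m#??????}
    special=0
    case $u in ??[sS]) special=$((special + 4));; esac   # SUID
    case $g in ??[sS]) special=$((special + 2));; esac   # SGID
    case $o in ??[tT]) special=$((special + 1));; esac   # sticky
    echo "$special$(triad_value "$u")$(triad_value "$g")$(triad_value "$o")"
}

# triad_string DIGIT FLAG LETTER: render one rwx group; if FLAG is non-zero
# the third position becomes LETTER (s or t), uppercased when x is clear.
triad_string() {
    d=$1; flag=$2; letter=$3
    case $((d & 4)) in 0) r=-;; *) r=r;; esac
    case $((d & 2)) in 0) w=-;; *) w=w;; esac
    case $((d & 1)) in 0) x=-;; *) x=x;; esac
    if [ "$flag" -ne 0 ]; then
        if [ "$x" = x ]; then x=$letter; else case $letter in s) x=S;; t) x=T;; esac; fi
    fi
    echo "$r$w$x"
}

# octal_to_mode OCTAL: 4755 -> rwsr-xr-x, 1777 -> rwxrwxrwt, 644 -> rw-r--r--
octal_to_mode() {
    n=$1
    case ${#n} in
        3) n=0$n ;;                           # chmod 755 means chmod 0755
        4) ;;
        *) echo "bad octal mode: $1" >&2; return 1 ;;
    esac
    sp=${n%???}; u=${n#?}; u=${u%??}; g=${n#??}; g=${g%?}; o=${n#???}
    echo "$(triad_string "$u" $((sp & 4)) s)$(triad_string "$g" $((sp & 2)) s)$(triad_string "$o" $((sp & 1)) t)"
}

for s in -rwsr-xr-x -r-S------ -rwxrws--- -rwxr-S--- drwxrwxrwt -rwxrwxr-T; do
    printf '%s  %s\n' "$s" "$(mode_to_octal "$s")"
done
for n in 0755 4755 2775 1777 644; do
    printf '%s  %s\n' "$n" "$(octal_to_mode "$n")"
done
```

Feeding the converters a real listing (for example the ls -ld output above) is a quick way to turn a page of "s" and "t" characters into numbers you can diff against a baseline.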

The chown command

The chown command is used to change the user and/or group which owns one or more files or directories. Its general format is:
chown [-Rcfv] [username][:][groupname] somefile
The flags are the same as those used with the chmod command. An older syntax uses a dot instead of the colon; the colon is the form to use today, because a dot can be part of a user name. Only root may change the user ownership of a file; the owner may change its group, but only to a group the owner is a member of. The following are the different ways in which this command can be used:
  • The username followed by a colon followed by a groupname changes both the user and group ownership to those specified.
  • The username followed by a colon and no groupname changes the user ownership as specified and changes the group ownership to that user's login group.
  • If the colon and groupname are given without a username, then only the group ownership is changed. This is effectively the same as the chgrp command.
  • If the username is not followed by a colon, then only the user ownership is changed.
The chgrp command

The chgrp command is used to change the group ownership of one or more files or directories. Its general syntax is:
chgrp [-Rcfv] groupname foo.txt
The flags here are also the same as those used with chmod. The group ownership of each named file is changed to groupname; as with chown, a non-root user can only choose a group they are a member of.
