Understanding Linux File Permissions
If you’re coming from a Windows background then you’re probably used to being able to open files, save them, move them and run them without giving it a second’s thought. Life is a bit different in a Unix/Linux world. You need to understand the concepts of “Users” and “File Permissions”.
Users
There are three types of “users” in Linux:
- owners
- groups
- others
Owners: The username of the person who owns the file or folder. By default, the user who creates the file or folder will become its owner.
Groups: The usergroup that owns the file or folder. All users who belong in the same group as the user who created the file or folder will have the same access permissions to that file or folder. This is useful if, for example, you have a folder that requires a bunch of different users to be able to access files within it, while others can’t. In this case, you’d add all the users who need to access the files to the same user group, making sure the required files and folders are owned by that group, and then set the file’s group permissions accordingly.
Others: A user who isn’t the owner of the file or folder and doesn’t belong in the same group the file or folder does. In other words, if you set a permission for the “other” category, it will affect everyone else by default.
File Permissions
There are 3 types of permissions:
- Read
- Write
- Execute permission
Read (r): this gives permission to merely open a file or folder and view its contents.
Write (w): this gives permission to overwrite, append-to or delete a file or folder.
Execute (x): this gives permission to “run” a file. For example to run a script or a program.
So, how can we put this all into context? Let’s have a look at the contents of a typical folder. I used the command ls -l to bring up this list:
-rw-r----- 1 syslog adm 542223 2009-11-12 21:15 messages
-rw-r----- 1 syslog adm 483710 2009-11-08 06:45 messages.0
drwxr-s--- 2 mysql adm 4096 2009-11-07 17:22 mysql
-rw-r----- 1 mysql adm 0 2009-11-07 17:22 mysql.err
-rw-r----- 1 mysql adm 0 2009-11-07 17:22 mysql.log
drwxrwsr-x 2 mythtv mythtv 4096 2009-11-07 18:28 mythtv
drwxr-sr-x 2 news news 4096 2009-11-07 17:05 news
drwxr-xr-x 2 ntp ntp 4096 2009-05-13 22:10 ntpstats
-rw-r--r-- 1 root root 0 2009-11-07 17:07 pycentral.log
drwxr-x--- 3 root adm 4096 2009-11-08 01:00 samba
Let’s concentrate on the column on the left. This shows the file permissions. Take the file called “mysql.err” for example: it has the following permissions: -rw-r-----. What does this mean exactly? Well, -rw-r----- can be broken down into 4 sections:
1 2 3 4
- rw- r-- ---
- The first part signifies whether or not the entry is a directory. A “-” means it is not: in this example mysql.err is an ordinary file. Contrast this with the last line in the file list above, samba. This one IS a directory, since it is denoted with a “d”.
- The second section (rw-) shows the permissions for the file “owner”. You can see the owner has read and write permission, but not execute permission, on this file.
- The third section (r--) denotes the “group” permissions. Here the group has read but not write or execute permission.
- The fourth section is the permissions for “other” users. Here “other” users have no access at all to the file.
Now let’s look at the owner and group columns of the listing. Again we’ll use the mysql.err file as an example.
-rw-r----- 1 mysql adm 0 2009-11-07 17:22 mysql.err
The first of these columns (mysql) signifies the “owner” of the file. mysql is the owner of the mysql.err file and has read and write access but not execute access (rw-).
The second column (adm) signifies the “group”. Any user in the adm group can access the file according to the group permissions. In this case that is read only (r--): no write and no execute.
Changing File Permissions
If you want to change the ownership of a file/folder you’d type:
chown theowner:usergroup file_foldername
This will change the group owning “file_foldername” to “usergroup” and the owner to “theowner”. The same command works whether the target is a file or a folder.
If you want to change permissions (called change mode) on a file or folder you use the following syntax:
chmod who=permissions filename/folder
Where who is u (the user who owns the file), g (the group), o (others) or a (all three of them),
and permissions is any combination of r (read), w (write) and x (execute).
For example: chmod u=rw testfolder would set the permissions for the user who owns testfolder to be read and write.
You can also add and remove permissions relative to the existing permissions on the file or folder. For example if you were to type chmod g+x testfile you would add execute permissions for the group which owns the testfile whilst leaving the existing read/write permissions intact.
Similarly, to remove write permission on a file for others you’d type chmod o-w thefile.
If you don’t currently own the file or folder that you wish to change ownership or permission for then you need to prefix the chown/chmod commands with sudo. For example:
sudo chmod u=rw testfolder
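To tie the two halves of this post together, here is an added shell example (not part of the original post) that decodes the first column of an ls -l listing into plain words, then applies the chmod forms shown above to a scratch file and reads the result back with ls. It assumes a Linux system with the usual ls, cut, chmod and mktemp commands.

```shell
#!/bin/sh
# describe_mode MODESTRING -> prints "type|owner perms|group perms|other perms".
# Handles the 'd' type flag and the 's'/'t' bits that appear in listings such as
# "drwxr-s---" (setgid on the group triplet), which ls shows in place of 'x'.
describe_mode() {
    mode=$1
    case $(printf %s "$mode" | cut -c1) in
        d) type=directory ;;
        -) type=file ;;
        l) type=symlink ;;
        *) type=other ;;
    esac
    out=$type
    for start in 2 5 8; do                        # owner, group, other triplets
        end=$((start + 2))
        triplet=$(printf %s "$mode" | cut -c "$start-$end")
        words=
        case $triplet in r??) words="read" ;; esac
        case $triplet in ?w?) words="$words write" ;; esac
        case $triplet in ??x|??s|??t) words="$words execute" ;; esac
        case $triplet in ??s|??S) words="$words setid" ;; esac     # setuid/setgid
        case $triplet in ??t|??T) words="$words sticky" ;; esac    # sticky bit
        words=${words# }
        [ -z "$words" ] && words="none"
        out="$out|$words"
    done
    printf '%s\n' "$out"
}

# mode_of PATH -> the 10-character permission column for that path.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Apply the absolute (=) and relative (+/-) chmod forms from the text to a
# constructed scratch file and return "mode-before mode-after".
demo_chmod() {
    tmp=$(mktemp)
    chmod u=rw,g=rw,o=r "$tmp"        # start from a known state, ignoring umask
    before=$(mode_of "$tmp")          # -rw-rw-r--
    chmod g+x "$tmp"                  # add execute for the group, keep the rest
    chmod o-w "$tmp"                  # others had no write bit, so nothing changes
    chmod u=rw "$tmp"                 # absolute form: owner becomes exactly rw-
    after=$(mode_of "$tmp")           # -rw-rwxr--
    rm -f "$tmp"
    printf '%s %s\n' "$before" "$after"
}
```

Run describe_mode on any line from the listing above to spell out who can do what; note that an absolute assignment such as u=rw on a directory also drops the owner’s execute bit, which is what allows entering that directory.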