I thought it might be nice to start a daily tips & tricks post to stimulate some conversation while offering up fundamental knowledge to those who might appreciate it. And it gives me something to get my brain going with my morning coffee. I intend for them to be very brief (this turned out to be a lie) and serve as a starting point for anyone who may wish to dig deeper through their own research or discussion.

Feel free to add any additional thoughts or questions in the comments. Certainly please correct me if I make any mistakes. If there are any topic requests for future tips & tricks, throw them out there or if you have one of your own you’d like to share, please post it. I’ll try to post and/or feature one daily. If I don’t have time to write my own and no one else has offered anything up, I’ll find something interesting elsewhere to feature.


File Permissions and Ownership

Understanding permissions and ownership for files and directories gives you granular control over who can access and modify your files. Understanding this is especially essential for security and privacy. I’ll be working in the terminal to explain:

View Permissions

To view permissions, run ls -l. This outputs a long listing of the files in your current directory. The information in the far left column is the permissions. It should be noted that everything in Linux is treated as a file, including directories. This isn’t technically true, but you can think of it this way for our purposes here.

drwxr-xr-x is an example of permissions for one of my directories I’ll refer to as funny_memes.

Permission Symbols
  • d = directory
  • r = read
  • w = write
  • x = execute
  • - = not set (or regular file)

For our purposes, you can ignore the first character. Most commonly you’ll see ‘d’ or ‘-’ to denote it being a directory or a regular file. There are also others you may wish to explore (symlinks, sockets, etc).

The 3 groups we are interested in each contain 3 characters. That is, 3 groups of 3. (I know this is confusing, but “group” is one of the groups of 3.) The order of these groups is ‘user’, ‘group’, and ‘others’. That order is specific and important to remember. To use my funny_memes example, my current permissions are set as follows:

~$ ls -l
drwxr-xr-x. 1 PlutoParty PlutoParty 0 Aug 9 04:08 funny_memes

Type  User  Group  Others
d     rwx   r-x    r-x

This means the user who owns this directory can read, write, and execute. The group assigned to this directory can only read and execute. And all others can also only read and execute.

Ownership

In the ls -l output, the user and group assigned to the directory (or file) are displayed just after the permissions, in that order. In my example, PlutoParty is my user and PlutoParty is the group of the funny_memes directory.

Changing permissions

Octal Notation

Permissions can be changed with chmod using octal or symbolic notation. Understanding the 3-bit octal notation is a little tricky at first. In short, for each group (user, group, and others) the sum of the bits set determines the file permission. Individual permission bits are as follows:

  • ‘r’ (Read): 4
  • ‘w’ (Write): 2
  • ‘x’ (Execute): 1

If I wanted to give execute and read permission only to a user, group, or to others, for example, that permission value would be 5. (1 + 4). Full permissions would be 7. Read and write only would be 6. This works because every combination is a unique sum.

Here is a cheat sheet of all the combinations for reference:

Octal Value   Permissions
0             No permissions
1             Execute only
2             Write only
3             Write and execute
4             Read only
5             Read and execute
6             Read and write
7             All permissions

The user, group, and others each get a value set. To change my funny_memes directory to full permissions for user, group, and others, I’d set that with chmod 777 funny_memes. Again, each number represents the sum of the permission bits you want assigned for user, group, and others, individually and in that order. 777 gives full permission to each of them because 4 (read) + 2 (write) + 1 (execute) = 7.

If I want to only allow the user full permissions (myself, in this case) and deny group and others anything, I’d run chmod 700 funny_memes. One more example is if I wanted to allow the user to read and write while only allowing the group and others to read, I’d use chmod 644 funny_memes.

For many people, this is tricky to remember and understand at first. So, don’t get frustrated. Write the individual permission bits down (read, write, and execute - not the full cheat sheet) from above and use it. You’ll quickly have it memorized. It’s really only 3 numbers to memorize. If you memorize those and remember that the order is user, group, others, you’ll be a master at setting permissions with octal notation by the end of the day. In my opinion, it is actually easier than setting with symbolic notation, which we’ll get familiar with now.

Symbolic Notation

  • u : owner of the file.
  • g : group associated with the file.
  • o : users who are not the owner or part of the group (others).
  • a : all users (or you can also use ugo combined).

Permissions:

  • r (read)
  • w (write)
  • x (execute)

Operators:

  • + : Adds a permission.
  • - : Removes a permission.
  • = : Sets the specified permissions and removes any others.

If we had a script called do_backup.sh and we want to set the permissions for the owner to execute, the group to read, and deny others from any permissions, we’d run chmod u+x,g+r,o- do_backup.sh. You can add or remove permissions individually in this manner. You can also combine u, g, or o as needed if they will have identical permissions. I think this is handy for ‘fine tuning’ any permissions, but it is a bit (hehe) of a pain to type it all out in comparison to 3 numbers that can quickly be added up in your head.

Changing Ownership and Conclusion

In order to change the owner and group of a file (which you may need elevated permissions to do depending on existing permissions), I’ll leave you to explore the chown and chgrp commands. They are pretty straightforward, but do offer more advanced options you can read about in the man pages.

And that’s really the basics of assigning permissions. To explore more, I’d suggest reading the man pages on the following commands:

  • man chmod
  • man chown
  • man chgrp

Those really interested may want to go on to read about creating and managing groups.
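An added example, not part of the original post: it turns the nine permission characters from ls -l back into octal, then applies a few chmod specs to a file that starts at 644. The + and - operators change only the bits they name, so the result depends on the starting mode, while = sets exactly what is listed. The function names (sym_to_octal, mode_of, result_from_644) are made up for this sketch.

```shell
#!/bin/sh
# Added example: convert the 9 permission characters from `ls -l` to octal,
# then compare chmod's additive (+) and exact (=) symbolic operators.

# sym_to_octal "rwxr-xr-x" -> 755 (r=4, w=2, x=1, summed per triplet).
# Lowercase s/t in an execute slot means execute is set plus a special bit;
# only the three ordinary permission digits are reported here.
sym_to_octal() {
    perms=$1 out=""
    for start in 1 4 7; do
        triplet=$(printf '%s' "$perms" | cut -c"$start"-"$((start + 2))")
        sum=0
        case $triplet in r??) sum=$((sum + 4)) ;; esac
        case $triplet in ?w?) sum=$((sum + 2)) ;; esac
        case $triplet in ??[xst]) sum=$((sum + 1)) ;; esac
        out="$out$sum"
    done
    printf '%s\n' "$out"
}

# mode_of PATH -> octal mode, read from the ls -l permission column
# (characters 2-10; character 1 is the file type).
mode_of() {
    sym_to_octal "$(ls -ld "$1" | cut -c2-10)"
}

# Apply a chmod spec to a fresh temp file that starts at 644, print the result.
result_from_644() {
    f=$(mktemp)
    chmod 644 "$f"
    chmod "$1" "$f"
    mode_of "$f"
    rm -f "$f"
}

result_from_644 700          # 700
result_from_644 u+x,g+r      # 744: others keep the read bit they already had
result_from_644 u=x,g=r,o=   # 140: exactly execute / read / nothing
```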

  • metiulekm@sh.itjust.works
    1 year ago

    It might be helpful to elaborate on what permissions mean for directories. As always, this is well explained on the Arch Wiki: https://wiki.archlinux.org/title/File_permissions_and_attributes#Viewing_permissions

    The short version is that, when it comes to permissions for directories:

    • r is what allows you to see what files are in the directory, for instance by ls directory,
    • x is what allows you to operate on the contents of the file, for instance by cat directory/file or by echo something > directory/file,
    • w (together with x, in case of directories it is meaningless without x) is what allows you to create new files, delete existing or otherwise modify the directory itself, for instance by cp directory/file directory/new_file.

    Note that these are completely separate from the file permissions, which govern the contents of the file. For instance, if I have only x permission for the directory, but I have rw permission for a file of that directory, I can write to the file and read from it. However, I wouldn’t be able to remove it. On the other hand, if I have wx permission for a directory and I have no permissions for a file of that directory, I cannot write nor read from the file, but I can remove the file.

    In spite of the above, you will find all users have rwx permissions for /tmp, but they can only remove their own files. This is due to the sticky bit, which is marked by the output of ls -l having drwxrwxrwt instead of drwxrwxrwx. This means that the system will only allow the other users to rename or remove the file if they actually own it.

    A common(ish) use case for splitting r and x on permissions is when teachers want to collect the work of the students. They might have their home directory permissions set to rwx--x--x to ensure other people can’t see their files (and of course they still should make sure that the individual files have the correct permissions). However, then they can create a directory /home/teacher/work and set its permissions to rwxrwxrwt. Then for a student, ls /home/teacher will fail, but ls /home/teacher/work and cp my_work.tar.gz /home/teacher/work will succeed.
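An added example, not written by the commenter: it rebuilds the drop-box layout described above inside a scratch directory and lists world-writable directories that lack the sticky bit, which is the check an administrator would run over shared locations. The scratch directory name, the extra teacher/scratch directory (a constructed counter-example), and the function names are assumptions for this sketch.

```shell
#!/bin/sh
# Added example: rebuild the drop-box layout from the comment in a scratch
# directory, then flag world-writable directories that lack the sticky bit.

# unsafe_world_writable ROOT -> directories under ROOT that anyone can write
# to (others' w bit, 0002) but that do not restrict rename/delete to the
# file's owner (sticky bit, 1000, is missing).
unsafe_world_writable() {
    find "$1" -type d -perm -0002 ! -perm -1000 | sort
}

# build_layout -> prints the scratch root it created (constructed sample).
build_layout() {
    root=$(mktemp -d)
    mkdir -p "$root/teacher/work" "$root/teacher/scratch"
    chmod 711  "$root/teacher"          # rwx--x--x: others may traverse, not list
    chmod 1777 "$root/teacher/work"     # rwxrwxrwt: shared, sticky bit set
    chmod 777  "$root/teacher/scratch"  # rwxrwxrwx: shared, no sticky bit
    printf '%s\n' "$root"
}

root=$(build_layout)
ls -ld "$root/teacher" "$root/teacher/work" "$root/teacher/scratch"
unsafe_world_writable "$root"           # prints only .../teacher/scratch
rm -rf "$root"
```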

    • PlutoPartyOPM
      1 year ago

      This is excellent and a very helpful addition. Thanks for adding this.