File Permissions

File Permissions in Linux

File permissions are a key aspect of any modern operating system. Some files
should not be accessed by regular users, or they may corrupt a program that
requires those files. The permission string that ls -l prints is laid out like
this:

[1][2][3][4]
- rwx --- ---

1. Type of file : Where - is a file, d is a directory and l is a link.
2. User : Read, Write, or Execute (or combinations)
3. Group : Read, Write , or Execute (or combinations)
4. Other Users : Read , Write, or Execute (or combinations)

In parts 2, 3 and 4, if a flag is turned off (if the user can't read, write, or
execute the file) then it will appear as a '-' rather than the abbreviation.
The 'x' in the flag stands for execute. So let me run this in a folder I
probably should not be in to show what files I can read, write, or execute:

clim@debian:/etc/X11$ ls -l
total 84
drwxr-xr-x 2 root root  4096 Sep  1 10:53 app-defaults
-rw-r--r-- 1 root root    18 Aug 30 15:05 default-display-manager
drwxr-xr-x 6 root root  4096 Sep  9  2018 fonts
drwxr-xr-x 3 root root  4096 Sep  9  2018 ja_JP.eucJP
drwxr-xr-x 3 root root  4096 Sep  9  2018 ko_KR.eucKR
-rw-r--r-- 1 root root 17394 Nov 23  2016 rgb.txt
drwxr-xr-x 2 root root  4096 Sep  1 10:53 xinit
drwxr-xr-x 2 root root  4096 Jul 18  2017 xkb
-rwxr-xr-x 1 root root   709 Nov 23  2016 Xreset
drwxr-xr-x 2 root root  4096 Sep  9  2018 Xreset.d
drwxr-xr-x 2 root root  4096 Sep  9  2018 Xresources
-rwxr-xr-x 1 root root  3517 Nov 23  2016 Xsession
drwxr-xr-x 2 root root  4096 Sep  5 19:28 Xsession.d
-rw-r--r-- 1 root root   265 Nov 23  2016 Xsession.options
drwxr-xr-x 2 root root  4096 Sep  1 10:53 xsm
-rw-r--r-- 1 root root    13 Dec  5  2016 XvMCConfig
-rw-r--r-- 1 root root   630 Sep  9  2018 Xwrapper.config
clim@debian:/etc/X11$
 

Interesting! Okay, so you see that some of the files can be executed by anyone
on the system. As you can see, there are some directories in there as well. Now
let me get into a sandbox directory and show you how you would change
permissions on a file. The command is chmod, and it takes a number in octal
and the file you are trying to change. The octal number works really well with
this because there are only 8 combinations of what you can do. The first number
represents the user who owns the file (here, you), the second represents the
group it is associated with, and the third represents the other users on the
system.

clim@debian:~/Desktop/Tests/fileperm$ ls -l
total 0
-------rwx 1 clim clim 0 Sep  5 21:02 all
---------x 1 clim clim 0 Sep  5 21:01 execute
-------r-- 1 clim clim 0 Sep  5 21:01 read
--------w- 1 clim clim 0 Sep  5 21:01 write
clim@debian:~/Desktop/Tests/fileperm$ chmod 444 read
clim@debian:~/Desktop/Tests/fileperm$ ls -l
total 0
-------rwx 1 clim clim 0 Sep  5 21:02 all
---------x 1 clim clim 0 Sep  5 21:01 execute
-r--r--r-- 1 clim clim 0 Sep  5 21:01 read
--------w- 1 clim clim 0 Sep  5 21:01 write
clim@debian:~/Desktop/Tests/fileperm$

As you can see, I told the system to change the file permissions of read to
allow me to read, allow the group associated with the file to read, and allow
other users to read. This is how each octal digit is represented:
i. 0 = no privileges (---)
ii. 1 = execute file (--x)
iii. 2 = write file (-w-)
iv. 3 = execute and write file (-wx)
v. 4 = read file (r--)
vi. 5 = read and execute file (r-x)
vii. 6 = read and write file (rw-)
viii. 7 = read, write, and execute file (rwx)

And last, let's check out the manpage:

  clim@debian:~/Desktop/Tests/fileperm$ man chmod
  CHMOD(1)                         User Commands                        CHMOD(1)

  NAME
         chmod - change file mode bits

  SYNOPSIS
         chmod [OPTION]... MODE[,MODE]... FILE...
         chmod [OPTION]... OCTAL-MODE FILE...
         chmod [OPTION]... --reference=RFILE FILE...

  DESCRIPTION
         This manual page documents the GNU version of chmod.  chmod changes the
         file mode bits of each given file according to mode, which can  be  ei‐
         ther  a  symbolic representation of changes to make, or an octal number
         representing the bit pattern for the new mode bits.

         The format of a symbolic mode is  [ugoa...][[-+=][perms...]...],  where
         perms  is  either zero or more letters from the set rwxXst, or a single
         letter from the set ugo.  Multiple symbolic modes can be  given,  sepa‐
         rated by commas.

         A  combination  of the letters ugoa controls which users' access to the
         file will be changed: the user who owns it  (u),  other  users  in  the
         file's group (g), other users not in the file's group (o), or all users
         (a).  If none of these are given, the effect is as if (a)  were  given,
         but bits that are set in the umask are not affected.

         The  operator  +  causes the selected file mode bits to be added to the
         existing file mode bits of each file; - causes them to be removed;  and
         = causes them to be added and causes unmentioned bits to be removed ex‐
         cept that a directory's unmentioned set user and group ID bits are  not
         affected.

         The  letters  rwxXst select file mode bits for the affected users: read
         (r), write (w), execute (or search for directories) (x), execute/search
         only  if  the file is a directory or already has execute permission for
         some user (X), set user or group ID on execution (s), restricted  dele‐
         tion  flag or sticky bit (t).  Instead of one or more of these letters,
         you can specify exactly one of the letters ugo: the permissions granted
         to  the  user  who  owns the file (u), the permissions granted to other
         users who are members of the file's  group  (g),  and  the  permissions
         granted  to  users  that are in neither of the two preceding categories
         (o).

         A numeric mode is from one to  four  octal  digits  (0-7),  derived  by
         adding up the bits with values 4, 2, and 1.  Omitted digits are assumed
         to be leading zeros.  The first digit selects the set user ID  (4)  and
         set group ID (2) and restricted deletion or sticky (1) attributes.  The
         second digit selects permissions for the user who owns the  file:  read
         (4),  write  (2),  and  execute  (1); the third selects permissions for
         other users in the file's group, with the same values; and  the  fourth
         for other users not in the file's group, with the same values.

         chmod never changes the permissions of symbolic links; the chmod system
         call cannot change their permissions.  This is not a problem since  the
         permissions  of  symbolic links are never used.  However, for each sym‐
         bolic link listed on the command line, chmod changes the permissions of
         the pointed-to file.  In contrast, chmod ignores symbolic links encoun‐
         tered during recursive directory traversals.

  SETUID AND SETGID BITS
         chmod clears the set-group-ID bit of a regular file if the file's group
         ID  does  not  match the user's effective group ID or one of the user's
         supplementary group IDs, unless the user  has  appropriate  privileges.
         Additional restrictions may cause the set-user-ID and set-group-ID bits
         of MODE or RFILE to be ignored.  This behavior depends  on  the  policy
         and  functionality of the underlying chmod system call.  When in doubt,
         check the underlying system behavior.

         For directories chmod preserves set-user-ID and set-group-ID  bits  un‐
         less  you  explicitly specify otherwise.  You can set or clear the bits
         with symbolic modes like u+s and g-s.  To clear these bits for directo‐
         ries  with a numeric mode requires an additional leading zero, or lead‐
         ing = like 00755 , or =755

  RESTRICTED DELETION FLAG OR STICKY BIT
         The restricted deletion flag or sticky bit is a single bit,  whose  in‐
         terpretation  depends  on  the file type.  For directories, it prevents
         unprivileged users from removing or renaming a file  in  the  directory
         unless  they  own  the  file  or  the directory; this is called the re‐
         stricted deletion flag for the directory,  and  is  commonly  found  on
         world-writable  directories like /tmp.  For regular files on some older
         systems, the bit saves the program's text image on the swap  device  so
         it will load more quickly when run; this is called the sticky bit.

  OPTIONS
         Change  the  mode  of  each FILE to MODE.  With --reference, change the
         mode of each FILE to that of RFILE.

         -c, --changes
                like verbose but report only when a change is made

         -f, --silent, --quiet
                suppress most error messages

         -v, --verbose
                output a diagnostic for every file processed

         --no-preserve-root
                do not treat '/' specially (the default)

         --preserve-root
                fail to operate recursively on '/'

         --reference=RFILE
                use RFILE's mode instead of MODE values

         -R, --recursive
                change files and directories recursively

         --help display this help and exit

         --version
                output version information and exit

         Each          MODE          is          of           the           form
         '[ugoa]*([-+=]([rwxXst]*|[ugo]))+|[-+=][0-7]+'.

  AUTHOR
         Written by David MacKenzie and Jim Meyering.

  REPORTING BUGS
         GNU coreutils online help: 
         Report chmod translation bugs to 

  COPYRIGHT
         Copyright  ©  2018  Free Software Foundation, Inc.  License GPLv3+: GNU
         GPL version 3 or later .
         This is free software: you are free  to  change  and  redistribute  it.
         There is NO WARRANTY, to the extent permitted by law.

  SEE ALSO
         chmod(2)

         Full documentation at: 
         or available locally via: info '(coreutils) chmod invocation'

  GNU coreutils 8.30               February 2019                        CHMOD(1)
  

This is pretty interesting. You can also write the mode symbolically, like this:

clim@debian:~/Desktop/Tests/fileperm$ chmod u=rwx,g=rx,o=r myfile

This stands for user=read,write,execute, group=read,execute, others=read, or in
octal: 754
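
The octal table and the four-digit form from the man page above, as an added example that is not part of the original post: a POSIX sh script that turns an octal mode into the string ls -l shows and lists the bits worth a second look in a permissions review. It goes beyond the three-digit case in the text by also handling the leading setuid/setgid/sticky digit; the function names (triad, mode_to_symbolic, mode_findings) and the sample modes are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): decode chmod octal modes.

# Print one rwx triad. $1 = octal digit, $2 = non-zero if the special bit for
# this triad is set, $3/$4 = letter shown for that bit with/without execute.
triad() {
    d=$1
    [ $((d & 4)) -ne 0 ] && r=r || r=-
    [ $((d & 2)) -ne 0 ] && w=w || w=-
    if [ "$2" -ne 0 ]; then
        [ $((d & 1)) -ne 0 ] && x=$3 || x=$4
    else
        [ $((d & 1)) -ne 0 ] && x=x || x=-
    fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# mode_to_symbolic 754 prints rwxr-xr-- (accepts one to four octal digits).
mode_to_symbolic() {
    case $1 in ''|*[!0-7]*) echo "invalid mode: $1" >&2; return 1 ;; esac
    [ ${#1} -le 4 ] || { echo "invalid mode: $1" >&2; return 1; }
    m=$1
    while [ ${#m} -lt 4 ]; do m=0$m; done      # omitted digits are leading zeros
    sp=${m%???}; rest=${m#?}                   # special-bits digit, then u/g/o
    u=${rest%??}; rest=${rest#?}; g=${rest%?}; o=${rest#?}
    triad "$u" $((sp & 4)) s S                 # setuid shows in the user triad
    triad "$g" $((sp & 2)) s S                 # setgid shows in the group triad
    triad "$o" $((sp & 1)) t T                 # sticky shows in the others triad
    echo
}

# List the bits a permissions review looks at first; prints nothing if none.
mode_findings() {
    sym=$(mode_to_symbolic "$1") || return 1
    out=
    case $sym in ??[sS]??????) out="$out setuid" ;; esac
    case $sym in ?????[sS]???) out="$out setgid" ;; esac
    case $sym in
        ???????w[tT]) out="$out world-writable+sticky" ;;
        ???????w?)    out="$out world-writable" ;;
    esac
    echo "${out# }"
}

# Constructed sample modes, including those used in the post (444, 754, 007).
for mode in 444 754 007 4755 2644 1777 666; do
    printf '%-5s %s  %s\n' "$mode" "$(mode_to_symbolic "$mode")" "$(mode_findings "$mode")"
done
```

An uppercase S or T in the output means the special bit is set but the matching execute bit is not, which is how ls -l displays it as well.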
