## File Permissions in Linux
Understanding these permissions is crucial for managing access, modification, and execution of files and directories in a Linux system.
1. **File Ownership**:
- Every file and directory in Linux has three kinds of owners:
- **User**: The creator of the file becomes its owner. You can change the ownership later.
- **Group**: Users are part of specific groups. Managing users in a multi-user environment is easier through groups. For instance, if you have development, QA, and sysadmin teams, create separate groups for them.
- **Other**: This group includes all users on the system.
- Even if you're the only user, you'll still belong to various groups.
2. **File Permissions**:
- Each file and directory has three permissions for all three owners:
- **Read (r)**: Allows viewing or copying file contents.
- **Write (w)**: Permits modifying file content.
- **Execute (x)**: Enables running the file (if it's executable).
- For directories:
- **Read**: Lists all files and allows copying from the directory.
- **Write**: Adds or deletes files (requires execute permission).
- **Execute**: Allows entering the directory.
## Let's get practical
In Linux, every file and directory is assigned access rights for the owner of the file, the members of a group of related users, and everybody else. Rights can be assigned to read a file, to write a file, and to execute a file (i.e., run the file as a program).
To see the permission settings for a file, we can use the command `ls -l`. The output will look something like this:
```bash
-rwxrwxr-x 1 owner group 123 Jan 2 12:34 myfile
```
Here's what each section means:
- `-rwxrwxr-x` are the permissions.
- `owner` is the user name of the file's owner.
- `group` is the group the file belongs to.
- `123` is the size of the file in bytes.
- `Jan 2 12:34` is the date and time of the last modification.
- `myfile` is the name of the file.
The permissions `-rwxrwxr-x` are broken down as follows:
- The first character `-` is the file type. A `-` indicates a regular file. A `d` indicates a directory.
- The next three characters `rwx` represent the owner's permissions to read (r), write (w), and execute (x) the file.
- The next three `rwx` represent the group's permissions to read(4), write(2), and execute the file(1), this sums up to 7(4+2+1), this means certain user, group, others has full access on the resource(read, write, execute).
- The final three `r-x` represent the permissions for other users. In this case, they can read and execute but not write to the file.
### Setuid
Setuid stands for 'set user ID upon execution'. If the setuid permission is set for an executable file, the system will run the program with the permissions of the file's owner. You can set this permission using `chmod`:
```bash
chmod u+s myfile
```
### Setgid
Setgid stands for 'set group ID upon execution'. If the setgid permission is set for an executable file, the system will run the program with the permissions of the file's group. You can set this permission using `chmod`:
```bash
chmod g+s myfile
```
## Managing File Permissions
You can change the permissions with the `chmod` command. For example, if you want to add the execute permission for the user, you can use the command:
```bash
chmod u+x myfile
```
Here, `u` stands for user, `+` means add, and `x` means execute.
## Practical Scenario
Sure, let's consider a practical scenario where we have three users, `pawankr` and `testerkr` and `chronic (existing user)`, and two groups, `developers` and `testers`. pawankr is part of the `developers` group, and testerkr is part of the `testers` group. We have a file called `projectfile` that both users need to access, but with different permissions.
Here's how we can manage this:
1. **Create the groups and users:**
```bash
# Add groups
chronic@chronic:~$ sudo groupadd developers
chronic@chronic:~$ sudo groupadd testers
# Add users to the groups
chronic@chronic:~$ sudo useradd -G developers -m pawankr
chronic@chronic:~$ sudo useradd -G testers -m testerkr
# Add passwords for both users
chronic@chronic:~$ sudo passwd pawankr
chronic@chronic:~$ sudo passwd testerkr
```
2. **Create the file and change group ownership:**
```bash
# Create a file 'projectfile' as pawankr (developer)
su - pawankr -c "touch projectfile"
#Output:
chronic@chronic:~$ sudo ls -l /home/pawankr/
total 0
-rw-rw-r-- 1 pawankr pawankr 0 Apr 12 17:56 projectfile
# Change the ownership to developers group using chown
chronic@chronic:~$ sudo chown :developers /home/pawankr/projectfile
# Notice, group has changed to developers from pawankr in comparision to previous prompts
chronic@chronic:~$ sudo ls -l /home/pawankr/
total 0
-rw-rw-r-- 1 pawankr developers 0 Apr 12 17:56 projectfile
```
3. **Set the permissions:**
We want the `developers` group to read, write, and execute the file, and `others` to deny all access.
```bash
# Set the permissions
chmod 750 projectfile
```
In this case, `750` means that the owner (pawankr) can read, write, and execute (`7`), the group (developers) can read and execute (`5`), and others (including the testers group) permissions to read the file (`4`).
> I tried to read the file as 'chronic' (the other user) but permission is denied
```bash
# Output:
chronic@chronic:~$ cat /home/pawankr/projectfile
cat: /home/pawankr/projectfile: Permission denied
```
> Let's try to read it as pawankr, as you can see read the file without errors (file doesn't print anything because it's empty)
```bash
chronic@chronic:~$ sudo su - pawankr
$ ls
projectfile
$ cat projectfile
```
> Let's change the file permissions to be read by other users as well
```bash
# Set the permissions
chmod 754 projectfile
chronic@chronic:~$ cat /home/pawankr/projectfile
No errors ^
```
Now, pawankr can read, write, and execute `projectfile`, while `chronic` can read now.
This is a simple example, but it demonstrates how you can manage file permissions among different groups in Linux. But in order to allocate tester group to only read and restrict access to other users for one and all, ACL is required for fine grain access controls. We will talk about ACL in next series of article.
## Special Permissions
### Sticky Bit
The sticky bit is a permission that can be set on a directory, which allows only the owner of the file within that directory or the root user to delete or rename the file. No other user has the needed privileges. A common place this is used is the `/tmp` directory. You can set the sticky bit using `chmod`:
```bash
chmod +t mydirectory
```
### Umask
Umask, or 'user file-creation mode mask', determines the settings of a mask that controls which file permissions are set for files and directories when they are created. In other words, it controls the default file permission for new files. It can be set in the shell profile, like so:
```bash
umask 022
```
This means that new files will have 755 permission (confused why 022 represents 755? read ahead!) - readable and executable by everyone and also writable by the owner.
## Why 022 represents 755?
The value of umask is subtracted from the maximum permissions to give the default permissions.
The maximum permissions for a file are 666 (read and write for owner, group, and others) and for a directory are 777 (read, write, and execute for owner, group, and others).
When you set umask to 022, you’re subtracting 022 from the maximum permissions. Here’s how it works:
For a file:
Maximum permissions: 666
Subtract umask: 022
Resulting permissions: 644 (owner can read and write, group and others can only read)
For a directory:
Maximum permissions: 777
Subtract umask: 022
Resulting permissions: 755 (owner can read, write, and execute; group and others can read and execute)
So, a umask of 022 results in a default permission of 755 for directories and 644 for files. This is a common umask setting because it allows the owner full access, while restricting write access for others.
## Why max file permissions are 666 and not 777 ?
The maximum permissions for a file are typically set to 666 in Linux, which stands for read (4) and write (2) access for the owner, group, and others. Here’s how it breaks down:
Owner: read (4) + write (2) = 6
Group: read (4) + write (2) = 6
Others: read (4) + write (2) = 6
So, the maximum permissions become 666.
_The execute permission (1) is not included in the maximum permissions for a file by default because not all files need to be executable_. **In general, only programs and scripts that are meant to be run as commands have the execute permission set**. If a file is not intended to be a program, giving it the execute permission can be a security risk.
That’s why the maximum permissions for a file are 666 (read and write), and for a directory are 777 (read, write, and execute).
Sign in with Wallet
Connect another wallet