How to use  Linux Permissions ?
18 Mar '17
0 Shares

How to use  Linux Permissions ?

In this guide, we will go over how file permissions work in Linux for beginners. We’ll cover how you can view the permissions associated with files and directories and also how you can change them.

 

USERS

Users are people who use the operating system. The operating system recognizes each user by their unique user ID or uid. This information is stored in the /etc/passwd file. Each line in this file contains information about the users of system such as their username, uid, group ID, their home directory, etc.

 

GROUPS

Groups are a collection of users. For example, the users from the accounts department can be added to the accounts group. Grouping users together makes it easier to manage permissions. For example, when the accounts group is given read-only access to a certain file, all the users in that group are automatically given that access. This is simpler than having to individually assign permissions to each user who is in the accounts department.
Information about groups is stored in /etc/group file. Each line of this file contains information like the name of the group, the ID of the group or gid, the username of the members, etc.

 

TYPES OF PERMISSIONS

There are three types of permissions – read, write, and execute. Read permission allows the user to view the contents of a file. Write permission allows the user to overwrite or append new data to the file or delete it. The execute permission allows the user to execute the code contained in the file.

Now that we have covered some of the basics, let’s go ahead with viewing and modifying permissions.

 

VIEWING PERMISSIONS

Open your terminal and execute the following command:

 

arun@cloudypoint:~$ ls -l /etc/passwd

-rw-r–r– 1 root root 2627 Aug  1 16:55 /etc/passwd
passwd is a regular file so the first character is a dash. The next three characters show the permissions for the owner – read, write, but not execute. The next three characters show the permission for the group – only read. All other users can only read the file. The first ‘root’ is the name of the owner and the second ‘root’ is the name of the group whose users can read this file.

Now execute the following command:

 

arun@cloudypoint:~$ ls -l /bin/ls

-rwxr-xr-x 1 root root 126584 Feb 18  2016 /bin/ls

The command executed above shows the permissions associated with the ls command. The last r-x means that everybody is allowed to execute the code inside it. Finally, execute the following command:

 

arun@cloudypoint:~$ ls -l /

drwxr-xr-x   2 root root 12288 Oct 21 23:06 bin

We’re listing everything in the / directory. The output shows the permissions for the /bin directory. Since it is a directory, the first character is “d”.

The permissions are stored in the inode associated with the file or directory. The permissions take 9 bits; 3 for each of user, owner, and others.

 

CHANGING PERMISSIONS

chmod (change mode) command is used to change the permissions associated with a file or directory. The permissions can be changed either by using numeric or alphanumeric options along with chmod. Let’s begin by creating a file and changing its permissions. Execute the following commands:

arun@cloudypoint:~$ touch test.sh

arun@cloudypoint:~$ ls -l test.sh

-rw-rw-r-- 1 me me 0 Oct 28 11:09 test.sh

The touch command made an empty file named test.sh. The file has been created with permissions rw-rw-r–. This is a script file in which we’ll write some commands a little later. To execute the script, we need to add the execute permission. Execute the following commands:

 

arun@cloudypoint:~$ chmod 755 test.sh

arun@cloudypoint:~$ ls -l test.sh

-rwxr-xr-x 1 me me0 Oct 28 11:09 test.sh

To use chmod, you specify the permissions to be associated with the file and the path to the file. Since the file is in the same directory as we are, we just specify the name. The permissions here are represented by 755. This gives read, write, and execute permission to the owner, and read and execute permissions to the group and others. Here’s what the numbers mean:

 

0 – No permissions granted.

4 – Read permission granted.

2 – Write permission granted.

1 – Execute permission granted.

 

Since we want to give the owner read, write, and execute permissions, we add together 4, 2, and 1 and specify a 7 in the first place. Similarly, we specify a 5 for group and others to give them read and execute permission.

The permissions always follow the order of user, group, and others. So the first 7 applies to the user, the 5 applies to the group and the last 5 applies to others.

Permissions can be written using the alphanumeric options as:

arun@cloudypoint:~$ chmod u+rwx,g+rx,o+rx test.sh

The + and – operators are used to either add or remove permissions. The different combinations can be separated by commas or can be grouped together. The above command can be written more compactly as:

arun@cloudypoint:~$ chmod u+rwx,go+rx test.sh

Here, group and others will be given the read and execute permission. When using alphanumeric options, user is represented by u, group by g, and others by o. The read permission is represented by r, write by w, and execute by x.

 

What style you use is just a matter of preference.

Now, execute the following:

arun@cloudypoint:~$ echo "echo hello" >> test.sh

arun@cloudypoint:~$ ./test.sh

hello

Without the appropriate permissions, you wouldn’t have been able to execute the script.

 

bash: ./test.sh: Permission denied

We’ve only modified the permissions associated with the file test.sh. Permissions are also associated with directories. However, since directories are different from files, each of the permissions means something different. Here’s a quick comparison of how the permissions differ in meaning when associated with a file or a directory:

 

Read

File – View the contents of the file.

Directory – See the files, directories, and subdirectories.

 

Write

File – Overwrite or append new content. Delete the file.

Directory – Add or remove files and directories.

 

Execute

File – Run the code within the file.

Directory – Navigate into the directory, execute program within a directory.

 

DEFAULT PERMISSIONS

When we create a file, it’s given a permission of rw-rw-r– by default and a directory is given the permissions rwxrwxr-x. These permissions are determined by umask. The umask command is used to view or set the file creation mask. Execute the following command to view the default umask:

 

arun@cloudypoint:~$ umask

arun@cloudypoint:~$ 0002

 

Ignoring the first 0, the umask value of 002 maps to the permission 755 (rwxrwxr-x) for a directory and 644 (rw-rw-r–) for a file. We can also change the default permissions associated with files and directories by using the umask command. Execute the following commands:

arun@cloudypoint:~$ umask 777

arun@cloudypoint:~$ touch test2.sh

arun@cloudypoint:~$ ls -l test2.sh

arun@cloudypoint:~$ ---------- 1 me me 0 Oct 28 16:35 test2.sh

 

As you can see, the default permissions have changed. These changes to default permission, however, are temporary. If you close and reopen the terminal to create a new file or directory, they will be created with the default permissions that were mentioned earlier. If you want to make the umask permanent, add it to your ~/.bashrc file.

 

ACCESS CONTROL LISTS

 

Sometimes, basic file and directory permissions aren’t enough and you need a more flexible way to set permissions. Access Control Lists, or ACL for short, provide a more robust and flexible way to assign permissions. ACL allow a user to give permissions to other

setfacl is used to set an ACL for a file and getfacl is used to view it. Only the owner of the file can change the ACL associated with it.

Note that the file system must be mounted with ACL enabled for them to be used.

 

VIEWING ACL

To view the ACL associated with the script file, execute the following command:

 

arun@cloudypoint:~$ getfacl -l test.sh

# file: test.sh

# owner: me

# group: me

user::rwx

group::r-x

other::r-x

 

SETTING ACL

 

To set the ACL for the file, use the setfacl command. You modify the ACL by using the -m flag and remove the ACL using the -x flag.

The following command gives the user john read, write, and execute access to the script file.

 

arun@cloudypoint:~$ setfacl -m u:john:rwx test.sh

arun@cloudypoint:~$ getfacl test.sh

# file: test.sh

# owner: me

# group: me

user::rwx

user:john:rwx

group::rwx

mask::rwx

other::r-x

The u indicates that the ACL permissions are being modified for a user. This is followed by the username and the permissions to grant.

You can also set group permissions using setfacl using the g flag. The following command gives the accounts group read, write, and execute access to the script file.

 

arun@cloudypoint:~$ setfacl -m g:accounts:rwx test.sh

arun@cloudypoint:~$ getfacl test.sh

# file: test.sh

# owner: me

# group: me

user::rwx

user:john:rwx

group::rwx

group:accounts:rwx

mask::rwx

other::r-x

 

Running ls -l on the script file will show you an additional + being displayed along with the permissions. This indicates that an ACL is associated with this file

 

arun@cloudypoint:~$ ls -l test.sh

-rwxrwxr-x+ 1 me me 0 Oct 28 21:31 test.sh

 

REMOVING ACL

 

You can remove an existing permission using the -x flag. To remove the user john, execute the following command:

 

arun@cloudypoint:~$ setfacl -x u:john test.sh

Similarly, you can remove a group using the g option followed by the name of the group.

 

arun@cloudypoint:~$ setfacl -x g:accounts test.sh

 

This brings us to the end of the guide on Linux permissions.

 

 

About arun

Related Posts

Leave a Reply

*