Linux is a multi-user system and therefore directories and files inside a Linux computer need to be protected from unauthorized use. Linux file access permissions are used to control who is able to read, write and execute a certain file. Access permissions are implemented at a file level with the appropriate permission set based on the file owner ,the group owner of the and other access. In Linux, directories and device are also files and therefore the file permissions apply on a directory and device level as well, although some permissions are applied differently depending upon whether the file is a regular file, directory or device. The access permission design allows a good amount of flexibility in what permissions can be applied.
There are three categories of permissions which apply: read, write and execute. These permissions affect access to files and directories. The permissions can be assigned in octal notation or in the more easily recognized character or symbolic format.
| r (Read) | permission to read a file. permission to read a directory (also requires “x”) |
| w (write) | permission to delete or modify a file. permission to delete of modify file in a directory |
| x (Execute) | permission to execute a file/script. permission to read a directory(also requires ‘r’) |
To view file and directory permissions and ownership use -l option of the ls command will expand the file listing to include both the permissions of a file and the ownership.
IMAGE
Changing permission by symbolic method
The symbolic method of changing file permissions uses letters to represent the different groups of permissions: u for user, g for group, and a for all. Use three symbols:+to add permissions to a set, – to remove permissions from a set, and = to replace the entire set for a group of permission.
| Providing write access to a user [root@asim Desktop]# chmod u+w f1 |
| Adding write permission to a grp [root@asim Desktop]# chmod g+w f2 |
| Adding executable permissions to others [root@asim Desktop]# chmod o+x f1 |
| Adding executable and write permission to all [root@asim Desktop]# chmod a+wx f1 |
| Replicating user permission to a group [root@asim Desktop]# chmod u=g f1 |
| Removing execute permission to a user [root@asim Desktop]# chmod u=x f1 |
| Removing execute permission to a user [root@asim Desktop]# chmod u-x f1 |
| Adding execute permission to others, [root@asim Desktop]# chmod o+x f1 |
| Providing read and write access to a user [root@asim Desktop]# chmod o+x f1 |
| Provide read access to user and executable to group [root@asim Desktop]# chmod u+r,g+x f1 |
| Remove read and write permission from user [root@asim Desktop]# chmod u-rx f1 |
| Provide read, write and execute to user, read and write to group and rad only to other. [root@asim Desktop]# chmod u+rwx,g+rw,o+r f1 |
| Adding read, write and execute to everyone [root@asim Desktop]# chmod ugo+rwx f2 |
Changing permission by Numerical Method
Using number is another method which allows you to edit the permissions for all three owner, group and other at the same time. A numeric move is from one to four octal digits, derived by adding upon the bits with value,4,2 and1. Omitted digits a assumed to be leading zeros. The single octal digit presents the there symbolic letters using a number weight in scheme.
| Description | Abbreviation | Octal | Binary |
| No Permission | — | 0 | 000 |
| Read access | r– | 4 | 100 |
| Write permission | -w- | 2 | 010 |
| Execute Permission | –w | 1 | 001 |
| Read and Write | rw- | 6 | 110 |
| Read and Execute | r-x | 5 | 101 |
| Write and Execute | -wx | 3 | 001 |
| rwx | rwx | 7 | 111 |
| Owner can read and write [root@asim Desktop]# chmod 600 f3 |
| Owner can read write and execute [root@asim Desktop]# chmod 700 f3 |
| All can read and write [root@asim Desktop]# chmod 666 f3 |
| All can read, write, and execute [root@asim Desktop]# chmod 777 f3 |
| Owner can read n write the group and other can read only [root@asim Desktop]# chmod 644 f3 |
chown command:
The chown command stands for “changing owner”, and allows changing the owner of a given file or folder, which can be a user and a group. chown command is used to change ownership as well as group name associated to different one, whereas chgrp can change only group associated to it.
| Change the owner of file [root@asim Desktop]# chown root f2 |
| Change the group of a file [root@asim Desktop]# chown :xyz1 f2 |
| Change both owner and grp [root@asim Desktop]# chown cms:cms f3 |
| Chang the owner of al contents inside [root@asim Desktop]# chown -R cms /home |
chgrp command:
chgrp (change group) is a command which is useful to change group associated to a file or folder from group to another in a Linux. This is sister command to chown which is used to change owner of the file or folder as well as group name associate with that file.
| Change to group name [root@asim Desktop]# chgrp root f1 |
| Change the group name of all content inside [root@asim Desktop]# chown cms folder1 |
Umask:
UMASK(User Mask or User file Creation Mask) is the default given when a new file or folder is created. The default umask 002 used for normal size. With this mask default directory permissions are 775 and default the permissions are 664. The default umask for the root user is 022 result into default directory permissions are 755 and default permissions are 664. The minimum UMASK value for afile is 000 to 666 .The file has 666 because only scripts and binaries should have executed permissions, normal and regular files should have just read and write permissions: Directories require execute permissions for viewing the contents in it, so they can have 777 permissions. Simple subtract the umask from the default to determine the final permission for file: 666 -002=664: simply subtract the umask from the default permissions to determine the final permission for directory :777-002=775
| Show the default UMASK in octal information [root@asim Desktop]# umask |
| Show the default UMASK in symbolic notation [root@asim Desktop]# umask -S |
| To change default umask value numeric value [root@asim Desktop]# umask 02 |
Special Permissions:
There will be items when the standard ugo and rwx permissions don’t provide enough flexibility to allow a group of people to work collaboratively. That’s why another set of permissions, called “Special Permission” are available. There are three special permission that can be assign to a file or directory apart from basic file permission (rwx). With the help of “chmod” command we can implement the special permissions or advance permission on file and directories. SUID- Set User ID, SGID- Set Group ID and Sticky Bit.
Set User ID(SUID):
This permission only makes sense if you apply it to a file that is an executable (shell script). You can apply this permission with chmod command and the “s” value:chmod u+s testscript.sh The “s” under the user’s permission means that if an “other” runs the script, then the script will run with the same level of privileges as whoever is the owner, of this file. For example, the suid permission on the passwd command make it possible for a normal user to change passwords by updating few system files like /etc/passwd and /etc/shadow which cant be update by non-root accounts. Therefore, passwd command always run with root user rights.
Set Group ID (SGID)
This is a special permission that can be applied to files and folder. You can apply SGID permission to a file using chmod along with the ‘s’ value being attached to the group setting: chmod g+s testscript.sh. It is being run as if run by one of the groups member.
SGID can also be used on a directory so that every file created in that directory will have the directory group owner rather than the group owner of the user creating the file.
Sticky Bit:
If sticky bit is applied on a file or directory, then only root and owner of that file or directory can delete it. Even if other users are having full permission they cannot delete the file or directory. chmod o+t folder. “T”, which means sticky bit has been applied. The sticky bit is primarily used on shared directories.
