Under Linux, access to files and directories is controlled by a system of permissions. Those permissions define who can see a file, whether they can modify it in any way, and in the case of some files, whether the commands within that file (or the file itself) can be executed. By executed, we mean “can we run that program?”. Let’s take a look at permissions and how you you can work with them.
Your introduction is one of the first commands I told you about, “ls“, the program you use to list files. When we use the ‘ls -l‘ command, we get our first look at Linux security, this time at the file (or directory) level. Here is an example of a long ‘ls‘ listing.
$ ls -l total 3 drwxr-x--- 5 root system 512 Dec 25 12:01 presents -r-xr--r-- 1 zonthar users 123 Dec 24 09:30 wishlist -rw-rw---- 1 zonthar users 637 Nov 15 09:30 griflong
The first entry under the total column shows a directory (we’ll talk about the next nine characters in a moment). The first character is a ‘d‘ which indicates a directory. Right at the end of each line, you’ll find the directory or file name – in my example, they are presents, wishlist, and griflong. Since the first character in the permissions field is a “d“, then presents is a directory.
On to those other nine characters (characters 2 thru 10). These indicate permissions for the user or owner of the file (first three), the group (second group of three), and others or everyone else (last three). In line one, user root has read, write, and execute permission while the system group has only read and execute. The three dashes at the end imply that no one else has any permissions. The next two files are owned by the user called “zonthar”.
So remember user, group, and other (ugo). You will find it useful later when we talk about changing file and directory permissions.
More on File Permissions
What you can and can’t do with a file, as defined by your user or group name, is pretty much wrapped up in 4 little letters. Each of those letters in turn can be referenced by a number. They are r, w, x, and s. Their numerical representations are 4, 2, 1, and “it depends”. To understand all that, we need to do a little binary math.
Reading from right to left, think of the x as being in position 0. The w, then, is in position 1 and the r is in position 2. Here’s the way it works.
2 to the power of 0 equals 1 (x is 1) 2 to the power of 1 equals 2 (w is 2) 2 to the power of 2 equals 4 (r is 4)
In order to specify multiple permissions, you can then just add the numbers together. If you want to specify both read and execute permissions, simply add 4 and 1 and you get 5. For all permissions (rwx), use 7.
File permissions are referenced in groups of three “rwx” sections. The “r” stands for “read”, the “w” means “write”, and the “x” denotes that the file is executable.
While these permissions are arranged in three groups of three “rwx” combinations, their meaning is the same in all cases. The difference has to do with who they represent rather than the permissions themselves. The first of these three represents the user; the second trio stands for the group permissions, while the third represents everybody that doesn’t fit into either of the first two categories.
The commands you will use for changing these basic permissions are chmod, chown, and chgrp.
chmod (CHange the MODe of a file, aka its permissions) chown (CHange the OWNer of the file or directory) chgrp (CHange the GRouP of the file or directory)
User and Group Ownership
To change the ownership of file “mail_test” from “root” to “natika”, you would first have to log in as root since only root can change root’s ownership of a file. This is very simple .
chown natika mail_test
You can also use the “-R” option to change ownership recursively. We’ll use a directory called “test_directory” as an example. Once again, it belongs to root and we want to make every file in that directory (and below) owned by natika.
chown –R natika test_directory
The format for changing group ownership is just as easy. Let’s change the group ownership of test_directory (previously owned by root) so that it and all its files and subdirectories belong to group “accounts”.
chgrp –R accounts test_directory
You can even combine the two. In the following example, I change the ownership of the entire finance_data directory to natika as the owner and accounts as the group. To do that you use this form of the “chown” command.
chown –R natika.accounts finance_data
You can use the “-R” flag to recursively change everything in a subdirectory with “chgrp” and “chmod” as well.
So, now files (and directories) are owned by some user and some group. This brings us to the next question.
Who can do what?
From time to time, you will need to modify file permissions. One reason has to do with security. The most common reason, however, is to make a shell script file executable. This is done with the chmod command.
chmod mode filename
For instance, if we had a script file called list_users, we would make it executable with the command:
chmod +x list_users
That will allow execute permissions for all users. If you wanted to make the file executable for the owner and group only, you would specify it on the command line like this.
chmod u+x,g+x list_users
The “u” means user (the owner of the file, really) while “g” stands for group. The reason we use “u” for the owner instead of “o” is that the “o” is being used for other, meaning everyone else. The “chmod +x list_users” command could then be expressed as “chmod u+x,g+x,o+x list_users”. Unfortunately, this starts to get a bit cumbersome. Now, let’s take a much more complicated set of permissions. Imagine that we want our “list_users” script to have read, write, and execute permissions for the owner, read and execute for the group, and read only for anybody else. The long way is to do this.
chmod u=rwx,g=rx,o=r list_users
Notice the equal sign (=) construct rather than the plus sign (+). That’s because the plus sign adds permissions and in this case, I wanted them to be absolute. If the original permissions of the file allowed write access for “other”, the plus sign construct would not have removed the execute permission. Using the minus sign (-) removes permissions. If we wanted to take away execute permissions entirely from a file, we could do something like this.
chmod –x list_users
One way to simplify the chmod command is to remember that “r” is 4, “w” is 2, and “x” is 1 and adding up the numbers in each of the three positions. “rwx” would then be “4 + 2 + 1” or 7. “r-x” would translate to “4+1” and “x” would simply be one. That monster from our second last example could then be rewritten like this.
chmod 751 list_users
Who was that masked user?
Every time you create a file, you are submitted to a default set of permissions. Go ahead. Create a blank file using the touch command. I am going to call my blank file “fish”.
$ touch fish
Now, have a look at its permissions by doing and “ls –l”.
$ ls -l total 0 -rw-rw-r-- 1 mgagne mgagne 0 Nov 5 11:57 fish
Without doing anything whatsoever, your file has read and write permissions for both the user and group, and read permission for everybody else. This happens because you have a default file creation mask of “002”. You can discover this using the “umask” command.
$ umask 002
The 2 is subtracted from the possible set of permissions, rwx (or 7). 7 – 0 remains 7 while 7 – 2 is 5. But wait! 5 stands for “r-x” or read and execute. How is it that the file only shows a read bit set? That’s because newly created files are not set executable. At best, they provide read and write permissions for everyone. Another way to display this information is by using the “-S’ flag. Instead of the numeric output, you’ll get a symbolic mask displayed.
$ umask -S u=rwx,g=rwx,o=rx
If you have an application that requires you to provide a default set of permissions for all the files you create, then change the “umask” to reflect that inside your scripts. As an example, let’s pretend that your program or script created text files that you wanted everyone to be able to read (444). Since the execute bit won’t be a factor anyway, if you mask out the write bit using a 2 all around, then everybody will have read permission. We’ll set our umask to 222, create another file (called “duck” this time), then do an “ls –l” to check things out.
$ umask 222 $ touch duck $ ls -l total 0 -r--r--r-- 1 mgagne mgagne 0 Nov 5 12:58 duck
And once again, it’s time to wrap it up. Look for part 6 of this series coming your way on Thursday. Leave any comments you may have here on Google Plus or over here on Facebook. Remember that you can also follow the action on CookingWithLinux.com where it’s all Linux, all the time. Except for the occasional wine review. Also, make sure you sign up for the mailing list over here so that you’re always on top of what you want to be on top of. So to speak. And this is where I leave you, until next time.
A votre santé! Bon appétit!