Understanding Linux Permissions

Introduction

Linux is a multiuser operating system. In a multiuser environment, it is necessary to ensure that a user cannot access or modify files or directories that they arent supposed to. File permissions provide a protection mechanism for controlling access to files and directories.


Linux's file security model is based on that of Unix. Each file or directory can be accessed or modified by the user who created it, or a group of users who have been given permission to do so. Permissions can also be defined for other users that do not belong to either of these two categories.


In this guide, we will go over how file permissions work in Linux for beginners. We'll cover how you can view the permissions associated with files and directories and also how you can change them.


Requirements

To follow this guide, you’ll need access to a Linux or Mac machine. You’ll need some familiarity with using the terminal to execute commands.

If you aren’t familiar with using the terminal, feel free to take advantage of the resources available at Linux Academy to get up to speed. These resources are listed at the end of this guide.


Getting Started

Before we delve deeper into permissions, there are a few concepts to cover. As mentioned before, the file or directory can be accessed or modified by the user who created it (the owner), a group of users who are allowed to do so, or other users who aren’t either of the two. There are three types of permissions — read, write, and execute. Let’s look at all of these in detail.


Users

Users are people who use the operating system. The operating system recognizes each user by their unique user ID or uid. This information is stored in the /etc/passwd file. Each line in this file contains information about the users of system such as their username, uid, group ID, their home directory, etc.


Groups

Groups are a collection of users. For example, the users from the accounts department can be added to the accounts group. Grouping users together makes it easier to manage permissions. For example, when the accounts group is given read-only access to a certain file, all the users in that group are automatically given that access. This is simpler than having to individually assign permissions to each user who is in the accounts department.


Information about groups is stored in /etc/group file. Each line of this file contains information like the name of the group, the ID of the group or gid, the username of the members, etc.


Types of Permissions

There are three types of permissions - read, write, and execute. Read permission allows the user to view the contents of a file. Write permission allows the user to overwrite or append new data to the file or delete it. The execute permission allows the user to execute the code contained in the file.

Now that we have covered some of the basics, let’s go ahead with viewing and modifying permissions.


Viewing Permissions

Open your terminal and execute the following command:


me@home:~$ ls -l /etc/passwd
-rw-r--r-- 1 root root 2627 Aug 1 16:55 /etc/passwd

passwd is a regular file so the first character is a dash. The next three characters show the permissions for the owner - read, write, but not execute. The next three characters show the permission for the group - only read. All other users can only read the file. The first ‘root’ is the name of the owner and the second ‘root’ is the name of the group whose users can read this file. 

Now execute the following command:


me@home:~$ ls -l /bin/ls
-rwxr-xr-x 1 root root 126584 Feb 18 2016 /bin/ls

The command executed above shows the permissions associated with the ls command. The last r-x means that everybody is allowed to execute the code inside it. Finally, execute the following command:


me@home:~$ ls -l /
drwxr-xr-x 2 root root 12288 Oct 21 23:06 bin

We’re listing everything in the / directory. The output shows the permissions for the /bin directory. Since it is a directory, the first character is “d”.

The permissions are stored in the inode associated with the file or directory. The permissions take 9 bits; 3 for each of user, owner, and others.


Changing Permissions

chmod (change mode) command is used to change the permissions associated with a file or directory. The permissions can be changed either by using numeric or alphanumeric options along with chmod. Let’s begin by creating a file and changing its permissions. Execute the following commands:


me@home:~$ touch script.sh
me@home:~$ ls -l script.sh
-rw-rw-r-- 1 me me 0 Oct 28 11:09 script.sh

The touch command made an empty file named script.sh. The file has been created with permissions rw-rw-r--. This is a script file in which we’ll write some commands a little later. To execute the script, we need to add the execute permission. Execute the following commands:


me@home:~$ chmod 755 script.sh
me@home:~$ ls -l script.sh
-rwxr-xr-x 1 me me0 Oct 28 11:09 script.sh

To use chmod, you specify the permissions to be associated with the file and the path to the file. Since the file is in the same directory as we are, we just specify the name. The permissions here are represented by 755. This gives read, write, and execute permission to the owner, and read and execute permissions to the group and others. Here’s what the numbers mean:


0 - No permissions granted.

4 - Read permission granted.

2 - Write permission granted.

1 - Execute permission granted.


Since we want to give the owner read, write, and execute permissions, we add together 4, 2, and 1 and specify a 7 in the first place. Similarly, we specify a 5 for group and others to give them read and execute permission.

The permissions always follow the order of user, group, and others. So the first 7 applies to the user, the 5 applies to the group and the last 5 applies to others.

Permissions can be written using the alphanumeric options as:


me@home:~$ chmod u+rwx,g+rx,o+rx script.sh

The + and - operators are used to either add or remove permissions. The different combinations can be separated by commas or can be grouped together. The above command can be written more compactly as:


me@home:~$ chmod u+rwx,go+rx script.sh

Here, group and others will be given the read and execute permission. When using alphanumeric options, user is represented by u, group by g, and others by o. The read permission is represented by r, write by w, and execute by x.


What style you use is just a matter of preference.

Now, execute the following:

me@home:~$ echo "echo hello" >> script.sh
me@home:~$ ./script.sh
hello

Without the appropriate permissions, you wouldn’t have been able to execute the script.


bash: ./script.sh: Permission denied

We’ve only modified the permissions associated with the file script.sh. Permissions are also associated with directories. However, since directories are different from files, each of the permissions means something different. Here’s a quick comparison of how the permissions differ in meaning when associated with a file or a directory:


Read

File - View the contents of the file.

Directory - See the files, directories, and subdirectories.


Write

File - Overwrite or append new content. Delete the file.

Directory - Add or remove files and directories.


Execute

File - Run the code within the file.

Directory - Navigate into the directory, execute program within a directory.


Default Permissions

When we create a file, it’s given a permission of rw-rw-r-- by default and a directory is given the permissions rwxrwxr-x. These permissions are determined by umask. The umask command is used to view or set the file creation mask. Execute the following command to view the default umask:


me@home:~$ umask
me@home:~$ 0002


Ignoring the first 0, the umask value of 002 maps to the permission 755 (rwxrwxr-x) for a directory and 644 (rw-rw-r--) for a file. We can also change the default permissions associated with files and directories by using the umask command. Execute the following commands:


me@home:~$ umask 777
me@home:~$ touch script2.sh
me@home:~$ ls -l script2.sh
me@home:~$ ---------- 1 me me 0 Oct 28 16:35 script2.sh


As you can see, the default permissions have changed. These changes to default permission, however, are temporary. If you close and reopen the terminal to create a new file or directory, they will be created with the default permissions that were mentioned earlier. If you want to make the umask permanent, add it to your ~/.bashrc file.


Access Control Lists

Sometimes, basic file and directory permissions aren’t enough and you need a more flexible way to set permissions. Access Control Lists, or ACL for short, provide a more robust and flexible way to assign permissions. ACL allow a user to give permissions to other

setfacl is used to set an ACL for a file and getfacl is used to view it. Only the owner of the file can change the ACL associated with it.

Note that the file system must be mounted with ACL enabled for them to be used.


Viewing ACL

To view the ACL associated with the script file, execute the following command:


me@home:~$ getfacl -l script.sh
# file: script.sh
# owner: me
# group: me
user::rwx
group::r-x
other::r-x

Setting ACL

To set the ACL for the file, use the setfacl command. You modify the ACL by using the -m flag and remove the ACL using the -x flag.

The following command gives the user john read, write, and execute access to the script file.


me@home:~$ setfacl -m u:john:rwx script.sh
me@home:~$ getfacl script.sh
# file: script.sh
# owner: me
# group: me
user::rwx
user:john:rwx
group::rwx
mask::rwx
other::r-x

The u indicates that the ACL permissions are being modified for a user. This is followed by the username and the permissions to grant.

You can also set group permissions using setfacl using the g flag. The following command gives the accounts group read, write, and execute access to the script file.


me@home:~$ setfacl -m g:accounts:rwx script.sh
me@home:~$ getfacl script.sh
# file: script.sh
# owner: me
# group: me
user::rwx
user:john:rwx
group::rwx
group:accounts:rwx
mask::rwx
other::r-x

Running ls -l on the script file will show you an additional + being displayed along with the permissions. This indicates that an ACL is associated with this file


me@home:~$ ls -l script.sh
-rwxrwxr-x+ 1 me me 0 Oct 28 21:31 script.sh

Removing ACL

You can remove an existing permission using the -x flag. To remove the user john, execute the following command:


me@home:~$ setfacl -x u:john script.sh

Similarly, you can remove a group using the g option followed by the name of the group.


me@home:~$ setfacl -x g:accounts script.sh

This brings us to the end of the guide on Linux permissions. The following section lists the resources available on Linux Academy that will help you with this guide.


Additional Resources

If you are new to the Linux operating system, take a look at the Linux Essentials course available at Linux Academy. The course will give you a basic understanding of Linux and give you a gentle introduction to the command line.

https://linuxacademy.com/cp/modules/view/id/38

If you’d like to master the terminal, have a look at Mastering Linux Command Line:

https://linuxacademy.com/cp/modules/view/id/10

To take your skills to the expert level, take a look at Linux by Example from Novice to Pros:

https://linuxacademy.com/cp/modules/view/id/19


Of course, Linux Academy offers a wide range of online training in Linux and many other topics like AWS, DevOps, Azure, and Big Data


  • post-author-pic
    Terrence C
    11-28-2016

    Great guide!

  • post-author-pic
    David G
    12-10-2016

    Very good! Congrats! :)

  • post-author-pic
    Evan L
    12-15-2016

    Great job!  For completeness, you may want to mention the 't' bit on directories, used so that only the owner of the file can delete or rename a file.  This bit is usually set on shared directories like /tmp.   The 's' setuid/setgid bit could be mentioned for completeness.  And my favorite addition to chmod ... +X, when X is capital, it means to only set execute permission on directories, not anything else.  Very useful for recursive permission changes!

  • post-author-pic
    Sola O
    12-15-2016

    Thanks a lot for this very well done Guide! *clap *clap . The ACCESS CONTROL LISTS section, I don't see that as being part of the LA Linux Essentials Course or as an objective on the official LPI site for the Linux Essentials exam, but i'll learn it anyway. Thanks again Fasih.

  • post-author-pic
    Ofrates C. S
    02-05-2017

    Great job! thanks a lot for sharing this information.

  • post-author-pic
    Surya Prathap P
    02-11-2017

    Thanks  , I believe this line needs to be corrected.

    the umask value of 002 maps to the permission 755 (rwxrwxr-x) for a directory and 644 (rw-rw-r--) for a file


    the umask value of 002 maps to the permission 775 (rwxrwxr-x) for a directory and 664 (rw-rw-r--) for a file

  • post-author-pic
    Harlan R
    02-11-2017

    Great information, well documented. 

  • post-author-pic
    Georgi N
    02-12-2017

    Very helpful!

  • post-author-pic
    Richard P
    02-17-2017

    I refer to this a lot still, but it's kinda like a little cheat sheet for me. Love it.

  • post-author-pic
    Nasser A
    03-05-2017

    Good tutorial :+1

  • post-author-pic
    Martin M
    03-22-2017

    Good guide, clear explanation. :-)

  • post-author-pic
    Jonatas P
    03-26-2017

    very useful!!

  • post-author-pic
    Eduardo L
    03-27-2017

    Very nice, Thanks.

  • post-author-pic
    Thy L
    05-05-2017

    Wow, it is very userful for me 

  • post-author-pic
    Hunter F
    05-05-2017

    Awesome! Thank you for your contribution! 

  • post-author-pic
    Matt S
    05-05-2017

    Nice job on this guide, Fasih!

  • post-author-pic
    Thy L
    05-06-2017

    I am Linix Beginer and I agree with Surya Prathap Pendyala "the umask value of 002 maps to the permission 775 (rwxrwxr-x) for a directory and 664 (rw-rw-r--) for a file"; It is the very userful for me thank so much for sharing your idea. 

  • post-author-pic
    Aditi G
    07-26-2017

    umask 002 = 775 or 755 for drectories?

  • post-author-pic
    Marc M
    07-27-2017

    My understanding is that 002 will correspond to 775 because the permissions and the mask will always add up to 777 (as a way to double check). 

  • post-author-pic
    Aditi G
    07-27-2017

    Thank you Marc for clarifying :) In the section 'Default Permissions' of this article, you will need to make corrections. There is a typo I believe as you have mentioned 755.

  • post-author-pic
    Hunter F
    07-27-2017

    Awesome Guide!!! 

  • post-author-pic
    Dante M
    07-30-2017

    Great guide for a long times Window user!!!  Made a few things simple for me!! Great job dude! Thnx

  • post-author-pic
    Gerlando L
    09-13-2017

    Great work! 

    Why don't you add also a section about special file permissions? (I mean setuid, setgid and Sticky Bit) 

  • post-author-pic
    Lane W
    09-19-2017

    This is a super helpful guide. Thank you!

Looking For Team Training?

Learn More