Files and directories in Linux file-system have an owner who can set various permissions (e.g. read, write, execute) to the object's group owner or other system users.
File & Directory Ownership
To see permissions (r = read, w = write, x = execute) and ownership (user:group) of a file or directory, use:
$ ls -la
Example:
$ sudo ls -la ./database_data/
total 128
drwx------ 19 999 root 4096 Apr 20 16:13 .
drwxrwxr-x 7 bojan bojan 4096 Apr 20 16:12 ..
drwx------ 6 999 docker 4096 Apr 20 16:12 base
$ sudo ls -la ./database_data/ | awk '{print $3, $4, $9}'
999 root .
bojan bojan ..
999 docker base
$3 is user, $4 is group.
To change the ownership (e.g. from root to the current user) of a directory and all its content, use chown (change owner):
$ sudo chown -R $USER directory
or
$ sudo chown -R username:group directory
-R stands for --recursive.
To change user:group of a file:
$ sudo chown user:group file_name
Permissions
User is the same as the owner.
Group is the user's primary group.
Other/All/World refers to all other users.
Object owner can set permissions for the group or other users by using chmod command.
chmod with symbolic modes
chmod can have a format with symbolic modes:
chmod [u|g|o|a][+|-][r|w|x] <object>
u = user
g = group
o = other
plus (+) symbol adds a permission
minus (-) symbol removes a permission
r = read
w = write
x = execute
chmod u+r = "user plus read," as it gives the user read permission
chmod u-r = "user minus read," as it takes the read permission away from the user.
chmod o-r,g-w = remove read permission from other, remove write permission from group
chmod go-rw,u+x file = give execute permission to the user, and prevent anyone else from reading, writing, or executing it
The previous command can be written as:
chmod u=rwx,go= file
Note that there is a space after the second equals; this indicates a value of none.
The letter a is a shortcut to all users.
chmod a+rwx
is same as:
chmod ugo+rwx
chmod with modes as an octal number
chmod can also use a shorter representation of the permissions per subject: the mode as an octal number.
We have three subjects: owner, group and others. We have three permissions: read, write and execute and these can be combined. We can use a numeric representation for each permission like:
read = 4
write = 2
execute = 1
no permissions = 0
We can then represent e.g. read + write as 4 + 2 = 6, or read + write + execute as 4 + 2 + 1 = 7. We can build such a combination for each subject and introduce the rule that the first number shows the permissions for the owner, the second for the group and the third for the others. This way we can represent the permissions for all subjects as a 3-digit number, e.g.
- 600 – owner can 6 = read(4) + write(2); group and others have no permissions on the file
- 700 – owner can 7 = read(4) + write(2) + execute(1); group and others have no permissions on the file
- 444 – owner, group and all can 4 = read(4) only
- 666 – owner can 6 = read(4) + write(2), group can 6 = read(4) + write(2), all/anyone can 6 = read(4) + write(2)
- 755 – owner can 7 = read(4) + write(2) + execute(1), group can 5 = read(4) + execute(1), all/anyone/world can 5 = read(4) + execute(1)
- 777 – owner can 7 = read(4) + write(2) + execute(1), group can 7 = read(4) + write(2) + execute(1), all/anyone can 7 = read(4) + write(2) + execute(1)
As any sum of the allowed values (0, 1, 2 and 4) fits within the range 0 - 7, this is really a number in the octal system, so it is quite common for the permission string to start with a zero, like 0600, 0700, 0755... That leading 0 shows that the number is octal.
To allow only file user to read and write (but not to execute):
$ chmod 600 filename
It is very common to add execute permission for all subjects to a bash script (in addition to the shebang #!/bin/bash at the beginning of the script, so that it is not necessary to call bash explicitly):
$ chmod +x script.sh
If u, g or o is not stated before + or - then the new permissions apply to all subjects.
In the following example before chmod +x, the output of ls -la was:
-rw-rw-r-- 1 test_user test_user 300 Oct 30 15:54 download.sh
...and then after chmod +x:
-rwxrwxr-x 1 test_user test_user 300 Oct 30 15:54 download.sh
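As an added example (not from the original post), a small POSIX shell script that converts between the rwx string ls -l prints and the 3-digit octal mode chmod takes, using the read = 4, write = 2, execute = 1 weights above; the last function reads a real path's mode from ls -ld, so it can verify the before/after result of a chmod +x like the one just shown. Function names are my own; setuid/setgid/sticky bits (shown by ls as s or t) are not handled.

```shell
#!/bin/sh
# Added example (not from the original post): convert between the rwx
# string printed by ls -l and the 3-digit octal mode used by chmod,
# using the weights read = 4, write = 2, execute = 1 from the text.

# One rwx triplet (e.g. "r-x") to a single digit 0-7.
triplet_to_digit() {
    n=0
    case $1 in r??) n=$((n + 4));; esac
    case $1 in ?w?) n=$((n + 2));; esac
    case $1 in ??x) n=$((n + 1));; esac
    echo "$n"
}

# 9-character permission string ("rwxr-xr-x") to octal ("755").
sym_to_octal() {
    u=$(triplet_to_digit "$(printf '%s' "$1" | cut -c1-3)")
    g=$(triplet_to_digit "$(printf '%s' "$1" | cut -c4-6)")
    o=$(triplet_to_digit "$(printf '%s' "$1" | cut -c7-9)")
    echo "$u$g$o"
}

# One digit 0-7 back to its rwx triplet.
digit_to_triplet() {
    t=""
    if [ $(($1 & 4)) -ne 0 ]; then t="${t}r"; else t="${t}-"; fi
    if [ $(($1 & 2)) -ne 0 ]; then t="${t}w"; else t="${t}-"; fi
    if [ $(($1 & 1)) -ne 0 ]; then t="${t}x"; else t="${t}-"; fi
    echo "$t"
}

# 3-digit octal mode ("640") to the ls-style string ("rw-r-----").
octal_to_sym() {
    printf '%s%s%s\n' \
        "$(digit_to_triplet "$(printf '%s' "$1" | cut -c1)")" \
        "$(digit_to_triplet "$(printf '%s' "$1" | cut -c2)")" \
        "$(digit_to_triplet "$(printf '%s' "$1" | cut -c3)")"
}

# Octal mode of an existing path, parsed from ls -ld (columns 2-10).
# Setuid/setgid/sticky bits, which ls shows as s or t, are not handled.
octal_mode_of() {
    sym_to_octal "$(ls -ld "$1" | cut -c2-10)"
}
```

For the download.sh listing above, octal_mode_of would report 664 before chmod +x and 775 after.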
Typical permissions in Linux file-system
All directories in / should be 755 and files 655.
/home/$USER (and subdirectories) should be 760 and files 640 or 650 if you want write permissions. An exception is /tmp which should be 777.
Which ownership allows object creation or deletion?
Whether a file can be deleted or not is not a property of the file but of the directory that the file is located in. A user may not delete a file that is located in a directory that they can't write to.
Files (and subdirectories) are entries in the directory node. To delete a file, one unlinks it from the directory node, and therefore one has to have write permission on the directory to delete a file in it.
The write permission on a file determines whether one is allowed to change the contents of the file.
The write permission on a directory determines whether one is allowed to change the contents of the directory.
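To make this concrete, an added demonstration (not part of the original post) that creates a throwaway directory with mktemp and tries both combinations: a read-only file in a writable directory, and a writable file in a read-only directory. Function names are my own; it assumes it runs as an ordinary user, since root bypasses these permission checks.

```shell
#!/bin/sh
# Added example (not from the original post): deleting a file depends on
# the directory's write bit, while changing its contents depends on the
# file's own write bit. Everything happens inside a temporary directory.

# Try to delete a file; print "deleted" or "denied" instead of aborting.
try_unlink() {
    if rm -f "$1" 2>/dev/null && [ ! -e "$1" ]; then
        echo deleted
    else
        echo denied
    fi
}

# Try to overwrite a file's contents; print "written" or "denied".
try_write() {
    if printf 'changed\n' > "$1" 2>/dev/null; then
        echo written
    else
        echo denied
    fi
}

# Case 1: read-only file (0444) inside a writable directory (0755).
# As a normal user: write is denied, but the unlink still succeeds.
demo_file_readonly_dir_writable() {
    d=$(mktemp -d)
    printf 'secret\n' > "$d/f"
    chmod 0444 "$d/f"
    w=$(try_write "$d/f")
    u=$(try_unlink "$d/f")
    rm -rf "$d"
    echo "$w $u"
}

# Case 2: writable file (0644) inside a non-writable directory (0555).
# As a normal user: write succeeds, but the unlink is denied.
demo_file_writable_dir_readonly() {
    d=$(mktemp -d)
    printf 'secret\n' > "$d/f"
    chmod 0644 "$d/f"
    chmod 0555 "$d"
    w=$(try_write "$d/f")
    u=$(try_unlink "$d/f")
    chmod 0755 "$d"   # restore so the cleanup below can remove it
    rm -rf "$d"
    echo "$w $u"
}

demo_file_readonly_dir_writable   # denied deleted  (non-root)
demo_file_writable_dir_readonly   # written denied  (non-root)
```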