Sunday 19 May 2024

Linux file-system permissions

Files and directories in a Linux file-system have an owner, who can grant various permissions (e.g. read, write, execute) to the object's group owner or to other users of the system.

File & Directory Ownership

To see the permissions (r = read, w = write, x = execute) and ownership (user:group) of a file or directory, use:

$ ls -la


Example:

sudo ls -la ./database_data/
total 128
drwx------ 19   999 root    4096 Apr 20 16:13 .
drwxrwxr-x  7 bojan bojan   4096 Apr 20 16:12 ..
drwx------  6   999 docker  4096 Apr 20 16:12 base


sudo ls -la ./database_data/ | awk '{print $3, $4, $9}'
999 root .
bojan bojan ..
999 docker base

$3 is user, $4 is group.

To change the ownership (e.g. from root to the current user) of a directory and all of its content, use chown (change owner):

$ sudo chown -R $USER directory

or

$ sudo chown -R username:group directory

-R stands for --recursive.


To change the user:group of a single file:

$ sudo chown user:group file_name


Permissions


User is the same as the owner.
Group is the user's primary group. 
Other/All/World refers to all other users.

The object's owner can set permissions for the group or for other users by using the chmod command.


chmod with symbolic modes


chmod accepts symbolic modes in this format:

chmod [u|g|o|a][+|-][r|w|x] <object>

u = user
g = group
o = other

plus (+) symbol adds a permission
minus (-) symbol removes a permission

r = read
w = write
x = execute

chmod u+r = "user plus read", as it gives the user read permission

chmod u-r = "user minus read", as it takes the read permission away from the user

chmod o-r,g-w = remove read permission from other and remove write permission from group

chmod go-rw,u+x file = give the user execute permission and prevent anyone else from reading, writing or executing the file

The previous command can be written as:

chmod u=rwx,go= file

Note that there is a space after the second equals; this indicates a value of none.

The letter a is a shortcut to all users.

chmod a+rwx

is same as:

chmod ugo+rwx



chmod with modes as an octal number


chmod also accepts a shorter way of expressing the permissions of each subject: the mode as an octal number.

We have three subjects: owner, group and others. We have three permissions: read, write and execute, and these can be combined. We can use a numeric representation for each permission like:

read = 4
write = 2
execute = 1
no permissions = 0

We can then represent e.g. read + write permissions as 4 + 2 = 6, or read + write + execute as 4 + 2 + 1 = 7. We build such a sum for each subject and use the rule that the first digit shows the permissions of the owner, the second those of the group and the third those of the others. This way we can represent the permissions for all subjects as a 3-digit number, e.g.:
  • 600 – owner: 6 = read(4) + write(2); group and others have no permissions on the file
  • 700 – owner: 7 = read(4) + write(2) + execute(1); group and others have no permissions on the file
  • 444 – owner, group and all can read(4) only
  • 666 – owner: 6 = read(4) + write(2); group: 6 = read(4) + write(2); all/anyone: 6 = read(4) + write(2)
  • 755 – owner: 7 = read(4) + write(2) + execute(1); group: 5 = read(4) + execute(1); all/anyone/world: 5 = read(4) + execute(1)
  • 777 – owner: 7 = read(4) + write(2) + execute(1); group: 7 = read(4) + write(2) + execute(1); all/anyone: 7 = read(4) + write(2) + execute(1)
As each per-subject sum of the allowed values (0, 1, 2 and 4) fits within the range 0 - 7, each digit is a digit in the octal system, so it is quite common to see the permission number written with a leading zero like 0600, 0700, 0755... That leading 0 shows that the number is in the octal system.


To allow only the file's user (owner) to read and write it (but not to execute it):

chmod 600 filename


It is very common to add execute permission for all subjects to a bash script (in addition to adding the shebang #!/bin/bash at the beginning of the script, so that it is not necessary to call bash explicitly):

$ chmod +x script.sh

If u, g or o is not stated before + or - then the new permissions apply to all subjects.

In the following example before chmod +x, the output of ls -la was:

-rw-rw-r-- 1 test_user test_user  300 Oct 30 15:54 download.sh

...and then after chmod +x:

-rwxrwxr-x 1 test_user test_user  300 Oct 30 15:54 download.sh
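The two ways of writing a mode are the same nine bits read in different notations. The script below is an added example (not from the original post) that converts the symbolic string shown by ls -l into the octal number chmod takes and back again, and then reproduces the before/after of the chmod +x step above on a scratch file. It assumes a POSIX sh with the usual ls, cut, chmod and mktemp; the function names mode_to_octal and octal_to_mode, the scratch directory and the file name download.sh are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): convert between the symbolic
# permission string of ls -l and the octal mode used by chmod.

# mode_to_octal 'rwxr-xr-x' -> 755
# Also accepts the full 10-character ls -l field ('-rwxr-xr-x', 'drwx------').
# The setuid/setgid/sticky bits (s, t) are folded into the execute bit of
# their subject; the separate leading digit for them (e.g. 1777) is not emitted.
mode_to_octal() {
    perms=$1
    case ${#perms} in
        10) perms=${perms#?} ;;   # drop the file-type character (-, d, l ...)
        9)  ;;
        *)  echo "mode_to_octal: expected 9 or 10 characters, got '$1'" >&2; return 1 ;;
    esac
    octal=""
    pos=1
    while [ "$pos" -le 9 ]; do          # one triad (rwx) per subject: user, group, other
        digit=0
        case $(printf '%s' "$perms" | cut -c"$pos")          in r)     digit=$((digit + 4)) ;; esac
        case $(printf '%s' "$perms" | cut -c$((pos + 1)))    in w)     digit=$((digit + 2)) ;; esac
        case $(printf '%s' "$perms" | cut -c$((pos + 2)))    in x|s|t) digit=$((digit + 1)) ;; esac
        octal="$octal$digit"
        pos=$((pos + 3))
    done
    printf '%s\n' "$octal"
}

# octal_to_mode 640 -> rw-r-----
octal_to_mode() {
    case $1 in
        [0-7][0-7][0-7]) ;;
        *) echo "octal_to_mode: expected three octal digits, got '$1'" >&2; return 1 ;;
    esac
    d1=${1%??}; rest=${1#?}; d2=${rest%?}; d3=${rest#?}
    out=""
    for d in "$d1" "$d2" "$d3"; do
        case $d in
            0) out="${out}---" ;; 1) out="${out}--x" ;; 2) out="${out}-w-" ;; 3) out="${out}-wx" ;;
            4) out="${out}r--" ;; 5) out="${out}r-x" ;; 6) out="${out}rw-" ;; 7) out="${out}rwx" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Demonstration on a scratch file (constructed here, not the post's download.sh):
tmp=$(mktemp -d)
touch "$tmp/download.sh"
chmod 664 "$tmp/download.sh"                      # same bits as -rw-rw-r--
before=$(ls -l "$tmp/download.sh" | cut -c1-10)   # cut -c1-10 drops any trailing ACL/SELinux marker
chmod +x "$tmp/download.sh"
after=$(ls -l "$tmp/download.sh" | cut -c1-10)
printf 'before chmod +x: %s = %s\n' "$before" "$(mode_to_octal "$before")"
printf 'after  chmod +x: %s = %s\n' "$after"  "$(mode_to_octal "$after")"
printf 'chmod 755 would set: %s\n' "$(octal_to_mode 755)"
rm -rf "$tmp"
```

One caveat worth knowing when reading the "after" line: when no subject letter is given before + or -, chmod applies the change to all subjects but leaves out the bits that are set in the process's umask, so on a system with a restrictive umask such as 0077, chmod +x only adds the owner's execute bit. Use chmod a+x when all three subjects are really intended.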



Typical permissions in Linux file-system



All directories in / should be 755 and files 655. 
/home/$USER (and subdirectories) should be 760 and files 640 or 650 if you want write permissions. An exception is /tmp which should be 777.


Which ownership allows object creation or deletion?



Whether a file can be deleted or not is not a property of the file but of the directory that the file is located in. A user may not delete a file that is located in a directory that they can't write to.

Files (and subdirectories) are entries in the directory node. To delete a file, one unlinks it from the directory node and therefore one has to have write permissions to the directory to delete a file in it.

The write permission on a file determines whether one is allowed to change the contents of the file.
The write permission on a directory determines whether one is allowed to change the contents of the directory (i.e. to create, delete or rename entries in it).
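Because deletion is governed by the directory, a useful check is to classify directories by who can remove or rename entries in them. The script below is an added example, not part of the original post: dir_write_class reads the mode string from ls -ld and reports whether the group or everyone can write to the directory, and it then reproduces the post's point on a scratch tree (a read-only file is removable when its directory is writable, and a writable file is not removable when its directory is not). It assumes a POSIX sh with ls, cut, chmod, mktemp and id; the function name, the directory names and the file names are constructed for the demonstration. The sticky bit it reports on (the t in the last position, set with a leading 1 as in chmod 1777) is not covered in the post: with it set, only an entry's owner, the directory's owner or root may delete or rename that entry, which is what makes a shared 777 directory like /tmp safe to share.

```shell
#!/bin/sh
# Added example (not from the original post): who can delete or rename the
# entries of a directory, read from the ls -ld mode string.

# dir_write_class DIR -> private | group-writable | world-writable-sticky | world-writable
dir_write_class() {
    [ -d "$1" ] || { echo "dir_write_class: not a directory: $1" >&2; return 1; }
    mode=$(ls -ld "$1" | cut -c1-10)        # 10-char field, e.g. drwxrwxrwt
    gw=$(printf '%s' "$mode" | cut -c6)      # group write bit
    ow=$(printf '%s' "$mode" | cut -c9)      # other write bit
    ox=$(printf '%s' "$mode" | cut -c10)     # other execute bit, shows t/T when sticky is set
    if [ "$ow" = w ]; then
        case $ox in
            t|T) echo world-writable-sticky ;;   # anyone can create, but only owners can delete
            *)   echo world-writable ;;          # anyone can delete or rename any entry
        esac
    elif [ "$gw" = w ]; then
        echo group-writable
    else
        echo private
    fi
}

# Demonstration on a scratch tree (constructed here):
tmp=$(mktemp -d)
mkdir "$tmp/private" "$tmp/shared" "$tmp/tmp_like" "$tmp/open"
chmod 700 "$tmp/private"
chmod 770 "$tmp/shared"
chmod 1777 "$tmp/tmp_like"
chmod 777 "$tmp/open"
for d in private shared tmp_like open; do
    printf '%-9s %s\n' "$d" "$(dir_write_class "$tmp/$d")"
done

# The post's point: deleting a file depends on the directory's write bit, not the file's.
touch "$tmp/open/readonly.txt"
chmod 444 "$tmp/open/readonly.txt"     # the file itself is read-only for everyone
rm -f "$tmp/open/readonly.txt" && echo "read-only file removed: its directory was writable"

touch "$tmp/private/keep.txt"
chmod 666 "$tmp/private/keep.txt"      # the file is writable by everyone...
chmod 555 "$tmp/private"               # ...but its directory is not
if rm -f "$tmp/private/keep.txt" 2>/dev/null; then
    echo "writable file removed anyway (uid $(id -u); root bypasses permission checks)"
else
    echo "cannot remove writable file: its directory is not writable"
fi
chmod 755 "$tmp/private"               # restore so the scratch tree can be cleaned up
rm -rf "$tmp"
```

The second half of the demonstration only shows the refusal when run as an ordinary user; root is exempt from these checks, so a quick way to audit a real system for the risky case is to look for directories that this function reports as world-writable without the sticky bit.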

