Linux File Permissions

One advantage of Linux and other UNIX-like operating systems is their straightforward approach to permissions. This makes it easy to protect or share your files, and to set the degree of access people have. 

  1. Viewing Permissions
  2. Reading the Protection Mask
  3. Setting the Protection Mask
  4. Additional Information

Viewing Permissions

The first order of business is to be able to view existing permissions. This is most easily achieved via the ls command, specifically by using the -l and -a options. The former option is what tells the command to show permissions, while the latter tells it to list all items in the directory (including hidden ones). 

Assume, for example, that the output of ls -la is this:

total 20
drwx------  3 josh  staff   512 Jun 13 09:27 ./
drwxr-xr-x 12 josh  staff  1024 Jun 13 09:18 ../
-rw-------  1 josh  staff  2615 Jun 13 09:33 .omega
-rw-r--r--  1 josh  staff   365 Jun 13 09:33 alpha
-rw-------  1 josh  staff  1834 Jun 13 09:34 beta
-rwxr-xr--  1 josh  staff 10031 Jun 13 09:34 delta
drwx------  2 josh  staff   512 Jun 13 09:18 gamma
lrwxrwxrwx  1 josh  staff     4 Jun 13 09:25 rho -> beta

This can seem very intimidating at first, so let's break it down.

The first line, total 20, means that 20 one-kilobyte blocks are used by the files displayed, not including their contents. Following this is one line for each file in the directory. The entries . and .., which are aliases for the current directory and its parent, are always included.

The first column of each file line tells us the permissions assigned to the file. There are three permissions to consider: read, write, and execute (abbreviated r, w, and x, respectively). The first character in the first column tells us what type of file it is: d indicates that the file is a directory, - means it is a normal file, and l means it is a link.

The next nine characters are the permission/protection mask. We discuss how to read these later. 

Following that is the file's owner (all josh) and group (all staff). It is possible to change a file's owner or group, but that is beyond the scope of this article. 

Next is the file's size in bytes; for example, "beta" is 1834 bytes. After that we have the timestamp for when the file was created, and finally the file name.

Reading the Protection Mask

As noted before, the first character of the protection mask denotes what kind of file it is. The nine characters after it indicate the file's protections. There are three classes of Unix file protection: owner, group, and world. Within each of these there are three types of protection: read, write, and execute (r, w, and x). Thus the nine entries in the protection mask correspond to owner, group, and world, each with three entries. Consider the file delta:

-rwxr-xr--  1 josh  staff 10031 Jun 13 09:34 delta

This means that the owner has rwx rights, the file's group has r-x rights, and world has r-- rights. That is, the owner has read, write, and execute; the group has read and execute; and world has only read. So anyone on the system can read this file (world protection), anyone in the group staff can read or execute it, and the owner, josh, can read, change (write), and execute the file.

Files:
read - can see the contents of the files
write - can change, overwrite or delete the file
execute - can run the file from the command line

Directories:
read - can see (ls) the files in the directory
write - can create and delete files in the directory
execute - can cd into the directory, and use the directory name in a path to a file

Thus directory protections can override what a file's own mask appears to allow: a file that everyone could normally read becomes unreachable when its directory denies them execute, and a file that nobody else could normally delete can still be deleted by anyone who has write on the directory.
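The following is an added example, not code from the original article, that audits for the directory-level risk just described: a file whose own mask is strict is still deletable by anyone if its directory is world-writable and not sticky, and a file that is wide open is still unreachable if its directory is closed. The function names, the scratch tree and its file names are this example's own constructions; it assumes a POSIX find that accepts octal -perm arguments (including 1000 for the sticky bit) and mktemp -d.

```shell
#!/bin/sh
# Added example (not from the original article). find_weak_dirs reports directories
# that are world-writable without the sticky bit (anyone may delete or replace files
# inside them, whatever those files' own masks say) and regular files that are
# world-writable. demo_tree builds a constructed scratch tree to run it against.

# find_weak_dirs ROOT: print findings relative to ROOT, one per line, sorted.
find_weak_dirs() {
    root=$1
    (
        cd "$root" || exit 1
        # -perm -002: world write bit set; ! -perm -1000: sticky bit not set
        find . -type d -perm -002 ! -perm -1000 -print | sed 's/^/unprotected-dir /'
        find . -type f -perm -002 -print | sed 's/^/world-writable-file /'
    ) | sort
}

# demo_tree: create a scratch directory (constructed names) and print its path.
demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/dropbox" "$root/shared" "$root/private"
    chmod 777 "$root/dropbox"       # anyone can create and delete files here
    chmod 1777 "$root/shared"       # sticky: only a file's owner can remove it
    chmod 700 "$root/private"       # nobody else can list or enter this
    : > "$root/dropbox/secret"
    chmod 600 "$root/dropbox/secret"   # strict file mask, but the directory is open
    : > "$root/private/notes"
    chmod 666 "$root/private/notes"    # open file mask, but the directory blocks access
    printf '%s\n' "$root"
}

# audit_demo: build the tree, audit it, clean up, and print the findings.
audit_demo() {
    root=$(demo_tree) || return 1
    find_weak_dirs "$root"
    rm -rf "$root"
}

audit_demo
```

Expected findings are the open directory and the world-writable file; the sticky shared directory is not reported because the sticky bit restricts deletion to the file's owner, and the strict file inside the open directory is only flagged indirectly, through its parent.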

Note that for links, it's always rwxrwxrwx. This is because the protection is controlled by the file the link points to.

Setting the Protection Mask

Protections are set with the chmod command. The format of the command is chmod mask filename(s), where filename(s) are the files you want to change; wildcards are allowed. For example, chmod 644 qwe* changes all the files beginning with qwe in the current directory.

The mask is a little trickier. The mask of a file, like rwxr-xr--, consists of three separate segments, in this case rwx, r-x, and r--. Each segment can be read as a three-bit binary number, where a bit that is on (a one) means that type of protection is set. For example:
--- = 000 in binary = 0 in decimal
r-- = 100 in binary = 4 in decimal
r-x = 101 in binary = 5 in decimal
rw- = 110 in binary = 6 in decimal
rwx = 111 in binary = 7 in decimal
These are probably the only combinations you will ever need to use: 7, 5, and 0 for directories and executable files, and 6, 4, and 0 for other files.

Thus chmod 750 beta would change beta to owner rwx, group r-x, and world --- (nothing). chmod 644 beta would change beta to owner rw-, group r--, and world r--. For normal files I set them to either 644 or 600, depending on whether I want them to be seen or not. For directories, I generally set them to 755 or 700, again depending on whether I want them to be used by other people or not. If you only want people in your group to see something, you could do 640 on a normal file and 750 on the directory above it. If you want the group to be able to change that file, you could chmod 660 it.

Additional Information

The umask command controls the default protections for file creation. All files created after a umask command is issued get protections according to the umask specified. It is the inverse of a chmod mask: each bit set in the umask is removed from the protections a new file would otherwise receive, so umask 077 creates secure, owner-only files, while umask 022 allows group and world to read files.
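As an added example (not from the original article), the script below works the umask arithmetic through and then checks it against what the system actually does by creating a file and a directory in a scratch directory under a given umask. It assumes that programs request 666 for ordinary files and 777 for directories, which is the usual convention, and that mktemp -d is available; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): the mode a new file receives is
# the requested mode (666 for files, 777 for directories) with every bit that is
# set in the umask removed. effective_mode does the arithmetic; created_under_umask
# verifies it against real file creation.

# oct2dec: turn an octal string such as 022 into a decimal integer, digit by digit,
# without relying on how the shell's arithmetic treats leading zeros.
oct2dec() {
    n=0
    rest=$1
    while [ -n "$rest" ]; do
        first=${rest%"${rest#?}"}
        n=$((n * 8 + first))
        rest=${rest#?}
    done
    printf '%s' "$n"
}

# effective_mode REQUESTED UMASK: REQUESTED AND NOT UMASK, printed as three octal digits.
#   effective_mode 666 022 -> 644      effective_mode 777 077 -> 700
effective_mode() {
    printf '%03o\n' $(( $(oct2dec "$1") & ~$(oct2dec "$2") ))
}

# mode_of PATH: the 10-character type-plus-mask field of ls -ld. Cutting to 10
# characters also drops the + or . that some systems append for ACLs or labels.
mode_of() {
    ls -ld "$1" | cut -c 1-10
}

# created_under_umask UMASK: create a file and a directory in a scratch directory
# with that umask in effect and print their ls modes, e.g. "-rw------- drwx------"
# for umask 077. The umask is set in a subshell so the caller's umask is untouched.
created_under_umask() {
    dir=$(mktemp -d) || return 1
    ( umask "$1" && : > "$dir/file" && mkdir "$dir/subdir" ) || { rm -rf "$dir"; return 1; }
    printf '%s %s\n' "$(mode_of "$dir/file")" "$(mode_of "$dir/subdir")"
    rm -rf "$dir"
}

# Usage: the two umasks the article mentions, computed and then observed.
for u in 077 022; do
    printf 'umask %s: file %s, directory %s, observed: %s\n' \
        "$u" "$(effective_mode 666 "$u")" "$(effective_mode 777 "$u")" "$(created_under_umask "$u")"
done
```

The observed modes match the arithmetic: umask 077 yields a 600 file and a 700 directory, umask 022 yields 644 and 755. Note that umask only affects files created after it is set; existing files keep their masks until changed with chmod.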

Of course there are man pages for ls, chmod, and umask which will explain things in greater detail. Also see chown and chgrp for changing owner and group of files.
