In Linux, file and directory permissions control access to resources, ensuring that users can only access files and directories they're authorized to. This page will explore how permissions work, how to modify them, and how to manage them effectively.
Each file and directory in Linux has three types of permissions:
- Read (r): Allows viewing the contents of a file or listing the contents of a directory.
- Write (w): Allows modifying the contents of a file or adding/removing files in a directory.
- Execute (x): Allows running a file as a program or accessing a directory.
Permissions are assigned to three categories:
- Owner: The user who owns the file or directory.
- Group: The group associated with the file or directory.
- Others: All other users on the system.
Permissions are displayed in a string of 10 characters, such as -rwxr-xr--. The first character indicates the file type, and the next nine characters represent the permissions:
- File Type:
-for a regular file,dfor a directory,lfor a symbolic link. - Owner Permissions: The next three characters (e.g.,
rwx) represent the permissions for the owner. - Group Permissions: The following three characters (e.g.,
r-x) represent the permissions for the group. - Others' Permissions: The final three characters (e.g.,
r--) represent the permissions for others.
-rwxr-xr---: Regular filerwx: Owner can read, write, and executer-x: Group can read and executer--: Others can read
To view the permissions of files and directories, use the ls -l command:
ls -lThis command lists files and directories with detailed information, including permissions.
Example output:
-rw-r--r-- 1 user group 1234 Sep 1 12:34 example.txtThe chmod (change mode) command is used to modify permissions.
Permissions can be modified using symbolic notation:
-
Add a Permission: Use
+chmod u+x file.txt # Add execute permission to the owner -
Remove a Permission: Use
-chmod g-w file.txt # Remove write permission from the group -
Set a Permission Exactly: Use
=chmod o=r file.txt # Set read permission only for others
Permissions can also be represented as a three-digit octal number:
- Read (r): 4
- Write (w): 2
- Execute (x): 1
Each category (owner, group, others) is assigned a sum of these numbers:
- Full Permissions (rwx): 7 (4+2+1)
- Read and Execute (r-x): 5 (4+1)
- Read Only (r--): 4
Example:
chmod 755 file.txt7for the owner:rwx5for the group:r-x5for others:r-x
To change permissions for a directory and all its contents, use the -R option:
chmod -R 755 /path/to/directoryThis command applies the specified permissions to the directory and everything within it.
The chown command changes the ownership of a file or directory.
To change the owner of a file or directory:
sudo chown newowner file.txtTo change the group associated with a file or directory:
sudo chown :newgroup file.txtTo change both the owner and group:
sudo chown newowner:newgroup file.txtTo change the ownership of a directory and all its contents, use the -R option:
sudo chown -R newowner:newgroup /path/to/directoryThe Setuid bit allows a file to be executed with the permissions of its owner, rather than the user who runs it. This is often used for system binaries that require elevated privileges.
To set the Setuid bit:
sudo chmod u+s file- The file's permissions will display an
sin the owner's execute position (-rwsr-xr-x).
The Setgid bit on a directory ensures that files created within the directory inherit the directory's group, rather than the primary group of the user who created the file.
To set the Setgid bit:
sudo chmod g+s directory- The directory's permissions will display an
sin the group's execute position (drwxr-sr-x).
The Sticky bit on a directory restricts file deletion within the directory to the file's owner, the directory's owner, or the root user. This is commonly used on directories like /tmp.
To set the Sticky bit:
sudo chmod +t directory- The directory's permissions will display a
tin the others' execute position (drwxrwxrwt).
Suppose you want to create a shared directory where all members of a group can read, write, and execute files, but others should have no access:
sudo mkdir /shared
sudo chown :groupname /shared
sudo chmod 770 /shared- Only the group members and the owner can access
/shared.
To allow a script file to be executed by its owner:
chmod u+x script.shTo prevent anyone but the owner from accessing a sensitive file:
chmod 600 sensitive.txt600sets read and write permissions for the owner only (rw-------).
- Principle of Least Privilege: Grant the minimum permissions necessary for users to perform their tasks.
- Regular Audits: Periodically review file and directory permissions to ensure they align with security policies.
- Use Groups for Access Control: Leverage groups to simplify permission management across multiple users.
- Secure Sensitive Files: Always restrict access to sensitive files using appropriate permissions.
- Set Special Permissions Carefully: Use Setuid, Setgid, and Sticky bits only when necessary and understand the security implications.
Effectively managing file and directory permissions is essential for maintaining system security and organization in Linux. By mastering tools like chmod, chown, and understanding special permissions, you can control who has access to what, ensuring that your system remains secure and efficient.
Next: Introduction to Package Management
Previous: Users and Groups