Linux file permissions could cause you a lot of trouble if you do not understand them.
Files and directories will have three types of user groups. They are: the user who owns the file, the group that owns the file, and everybody else.
There are three types of permission to grant. These are: read, write and execute.
You can view the permissions of files and directories by using the ls -l command. For this example I am using Terminal on the OS X operating system. Let's look at this example output.
drwxr-s---   3 davidjones staff   102 26 Apr  2014 Applications
drwxr-s---+ 45 davidjones staff  1530 23 May 16:17 Desktop
drwxr-s---+ 24 davidjones staff   816 23 May 16:15 Documents
drwxr-s---+ 33 davidjones staff  1122 23 May 17:53 Downloads
drwxr-s---@ 54 davidjones staff  1836  7 Nov  2014 Library
drwxr-s---+  6 davidjones staff   204 21 Jun  2014 Movies
drwxr-s---+  5 davidjones staff   170  4 Dec 17:21 Music
drwxr-s---+  9 davidjones staff   306 22 May 19:17 Pictures
drwxr-s---+  4 davidjones staff   136 13 Feb  2013 Public
drwxrwxrwx   4 davidjones staff   136 20 Dec 20:54 Sites
drwxr-s---  21 davidjones staff   714 24 Mar  2013 helloworld
The only thing we are concerned about here is the first section.
If we look at the directory called 'helloworld' we can see that the file permissions are drwxr-s---. Let's break this down and look at each section.
The first character of the permission string is a 'd' which denotes a directory. We can see from our example output that every item is a directory because they all start with the letter 'd'.
The next three characters tell us the permission level for our user. We can find out the name of the user owner by looking at column three from the output of ls -l. In this example we can see the user owner is davidjones. The next three characters are 'rwx'. If we remember the permission types we talked about earlier we know the user has the ability to read, write and execute the directory.
The three characters after our user permissions belong to the group. We can see what group owns this file by looking at the fourth column of our output: it is owned by a group called 'staff'. The permissions for our group are '-s-'. We can see that the group doesn't have the permission to read or execute the directory but it has a special permission to write (more on special permissions later).
The final three characters tell us the permissions for everybody else. In this case they are '---', which means anyone who is not the user davidjones or part of the group staff cannot interact with this directory in any way.
To illustrate this let's go into our home directory and create an empty HTML file by using the following command: touch hellodave.html. If we run ls -l again we should see our new HTML file.
-rw-r--r-- 1 davidjones staff 0 23 May 18:58 hellodave.html
We can already see that the permissions string looks a lot different from the previous one we looked at. Let's look at what it stands for. The first character is now a '-', which denotes a regular file rather than a directory. The next three characters, 'rw-', tell us the user davidjones can read and write the file but not execute it. The group staff has 'r--', so it can only read the file, and everybody else also has 'r--', so they can only read it.
This is the perfect configuration for this type of file. The creator can modify its contents and a web server can read the file so it can be rendered through a web browser.
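To make the breakdown above mechanical, here is an added shell example (not code from the original post) that decodes a 10-character permission string as printed by ls -l into plain words and the equivalent octal mode. It also handles the special bits that the 'helloworld' example shows in the group execute slot ('s', or 'S' when the execute bit is absent) and the sticky bit ('t'/'T') in the others slot, which is how ls reports them. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: decode a permission string such
# as "drwxr-s---" (the first column of ls -l) into words and an octal mode.

# describe_class LABEL TRIPLET -> e.g. "group: read, no write, execute + setgid"
describe_class() {
  label=$1; triplet=$2
  r=$(printf '%s' "$triplet" | cut -c1)
  w=$(printf '%s' "$triplet" | cut -c2)
  x=$(printf '%s' "$triplet" | cut -c3)
  case $label in user) sid=setuid ;; *) sid=setgid ;; esac
  case $r in r) rd="read" ;; *) rd="no read" ;; esac
  case $w in w) wr="write" ;; *) wr="no write" ;; esac
  case $x in
    x) ex="execute" ;;
    s) ex="execute + $sid" ;;     # lower-case: special bit AND execute set
    S) ex="no execute + $sid" ;;  # upper-case: special bit WITHOUT execute
    t) ex="execute + sticky" ;;
    T) ex="no execute + sticky" ;;
    *) ex="no execute" ;;
  esac
  printf '%s: %s, %s, %s\n' "$label" "$rd" "$wr" "$ex"
}

# triplet_octal TRIPLET -> 0..7, the sum of read=4, write=2, execute=1
triplet_octal() {
  n=0
  case $1 in r??) n=$((n + 4)) ;; esac
  case $1 in ?w?) n=$((n + 2)) ;; esac
  case $1 in ??[xst]) n=$((n + 1)) ;; esac
  echo "$n"
}

# mode_octal MODESTRING -> four octal digits, e.g. "2750" for drwxr-s---
# (leading digit: setuid=4, setgid=2, sticky=1)
mode_octal() {
  m=$1
  u=$(printf '%s' "$m" | cut -c2-4)
  g=$(printf '%s' "$m" | cut -c5-7)
  o=$(printf '%s' "$m" | cut -c8-10)
  special=0
  case $u in ??[sS]) special=$((special + 4)) ;; esac
  case $g in ??[sS]) special=$((special + 2)) ;; esac
  case $o in ??[tT]) special=$((special + 1)) ;; esac
  printf '%s%s%s%s\n' "$special" "$(triplet_octal "$u")" \
    "$(triplet_octal "$g")" "$(triplet_octal "$o")"
}

# describe_mode MODESTRING -> a full human-readable breakdown
describe_mode() {
  m=$1
  case $(printf '%s' "$m" | cut -c1) in
    d) kind="directory" ;;
    -) kind="regular file" ;;
    l) kind="symbolic link" ;;
    *) kind="other" ;;
  esac
  printf 'type: %s\n' "$kind"
  describe_class user  "$(printf '%s' "$m" | cut -c2-4)"
  describe_class group "$(printf '%s' "$m" | cut -c5-7)"
  describe_class other "$(printf '%s' "$m" | cut -c8-10)"
  printf 'octal: %s\n' "$(mode_octal "$m")"
}

describe_mode "drwxr-s---"   # the 'helloworld' directory from the listing
describe_mode "-rw-r--r--"   # the freshly created hellodave.html
```

Feeding the listing through this (for example `ls -l | cut -c1-10`) is a quick way to spot the two things that matter most from a security point of view: anything world-writable in the others slot, and any 's' or 'S' in the user or group slot.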
So how can we modify file permissions?
We use the command chmod to modify permissions. Let's look at some examples to modify our hellodave.html file.
chmod g+wx hellodave.html
The above command will modify the permissions to allow the group to modify and execute this file. If we run ls -l again we will be able to see this change reflected in the permissions string.
-rw-rwxr-- 1 davidjones staff 0 23 May 18:58 hellodave.html
If we want to remove a permission type we can use the minus (-) symbol rather than the plus (+) symbol.
We could also use a binary reference rather than using the permission types, for example 644. More on this later.
A binary reference uses an octal format to change the permission level. The following represents what each number is associated to: read is 4, write is 2 and execute is 1.
Let's look at the example 644. This means the user will have read and write permission, the user group will only have read permission and everybody else will only have read permission. You will notice that six is the sum of read and write. So if we wanted to give somebody read, write and execute permission we would use 7, as 4 + 2 + 1 is 7.
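The following added shell example (my own, not from the original post) reproduces the chmod steps above on a throwaway file in a temporary directory and reads the resulting permission string back with ls -l, so the symbolic form (g+wx, g-wx) and the octal form (644, 640) can be compared side by side. The helper names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: apply chmod in both symbolic and
# octal form to a scratch file and show the permission string after each step.
set -eu

# mode_of FILE -> the 10-character permission string from ls -l.
# cut -c1-10 drops the '+' / '@' suffix that ls on OS X appends for ACLs and
# extended attributes (and the '.' SELinux adds on some Linux systems).
mode_of() {
  ls -ld "$1" | cut -c1-10
}

# after_chmod MODE -> permission string of a fresh 644 file after `chmod MODE`
after_chmod() {
  f=$(mktemp)          # mktemp creates the file as 600, so normalise first
  chmod 644 "$f"
  chmod "$1" "$f"
  m=$(mode_of "$f")
  rm -f "$f"
  printf '%s\n' "$m"
}

# Walk through the article's steps in a private directory (constructed sample).
demo() {
  work=$(mktemp -d)
  umask 022                          # default mask: new files come out as 644
  touch "$work/hellodave.html"
  printf '%-10s %s\n' "created:"  "$(mode_of "$work/hellodave.html")"

  chmod g+wx "$work/hellodave.html"  # symbolic: add write and execute for the group
  printf '%-10s %s\n' "g+wx:"     "$(mode_of "$work/hellodave.html")"

  chmod g-wx "$work/hellodave.html"  # minus removes exactly what plus added
  printf '%-10s %s\n' "g-wx:"     "$(mode_of "$work/hellodave.html")"

  chmod 640 "$work/hellodave.html"   # octal: user rw (4+2), group r (4), others nothing
  printf '%-10s %s\n' "640:"      "$(mode_of "$work/hellodave.html")"

  chmod 644 "$work/hellodave.html"   # back to the web-friendly default
  printf '%-10s %s\n' "644:"      "$(mode_of "$work/hellodave.html")"

  rm -rf "$work"
}

demo
```

The octal form sets all nine bits at once, so it is the safer choice in scripts where you want a known end state regardless of what the file had before; the symbolic form only touches the bits you name.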
There are three types of special permissions that can be assigned to directories and executables.
The first is setuid. This says that the executable will run with the access rights of the file's owner and not those of the person who is trying to run the file. This can pose a big security risk.
The second is setgid. This is similar to setuid but uses the group ID instead of the user ID. Again this can pose a security risk.
The third is the sticky bit. This says that a file in the directory can only be deleted by the owner of the file. This is useful in a public directory, where a user may try to delete a file that is not owned by them.
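Because setuid and setgid files are the risky ones, the usual defensive check is to list every file on a system that carries them. The added shell example below (mine, not from the original post) builds a small constructed directory tree with one setuid file, one setgid file and one sticky directory, then finds them with find -perm, which is the same command an administrator would point at / during an audit. Function names and file names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: locate files and directories
# carrying setuid (4000), setgid (2000) or the sticky bit (1000) with find.
set -eu

# find_special DIR -> sorted paths under DIR with any special bit set.
# "-perm -MODE" matches when every bit in MODE is set on the entry.
find_special() {
  find "$1" \( -perm -4000 -o -perm -2000 -o -perm -1000 \) -print | sort
}

# setup_tree -> prints the path of a fresh constructed sample tree
setup_tree() {
  root=$(mktemp -d)
  mkdir "$root/bin" "$root/shared"
  touch "$root/bin/suid_tool" "$root/bin/sgid_tool" "$root/bin/plain"
  chmod 4755 "$root/bin/suid_tool"   # u+s: runs as the file's owner
  chmod 2755 "$root/bin/sgid_tool"   # g+s: runs as the file's group
  chmod 0755 "$root/bin/plain"       # no special bits, must not be reported
  chmod 1777 "$root/shared"          # +t: only a file's owner may delete it here
  printf '%s\n' "$root"
}

# count_special DIR -> number of special-bit entries found under DIR
count_special() {
  find_special "$1" | wc -l | tr -d ' '
}

root=$(setup_tree)
printf 'Special-permission entries under %s:\n' "$root"
find_special "$root" | while read -r p; do
  # show the ls -l mode string beside each hit; note the 's' and 't' slots
  printf '  %s %s\n' "$(ls -ld "$p" | cut -c1-10)" "$p"
done
rm -rf "$root"
```

On a real system you would run find_special against / (with -xdev to stay on one filesystem) and compare the output against a known-good baseline; any new setuid or setgid binary that appears between runs is worth investigating.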