David Jones

Linux file permissions

Linux file permissions could cause you a lot of trouble if you do not understand them.

Groups

Files and directories will have three types of user groups. They are: the user who owns the file, the group that owns the file, and everybody else (other).

Permission Types

There are three types of permission to grant. These are: read (r), write (w) and execute (x).

Viewing Permissions

You can view the permissions of files and directories by using the ls -l command. For this example I am using the terminal on the OS X operating system. Let's look at this example output.

drwxr-s---   3 davidjones  staff     102 26 Apr  2014 Applications
drwxr-s---+ 45 davidjones  staff    1530 23 May 16:17 Desktop
drwxr-s---+ 24 davidjones  staff     816 23 May 16:15 Documents
drwxr-s---+ 33 davidjones  staff    1122 23 May 17:53 Downloads
drwxr-s---@ 54 davidjones  staff    1836  7 Nov  2014 Library
drwxr-s---+  6 davidjones  staff     204 21 Jun  2014 Movies
drwxr-s---+  5 davidjones  staff     170  4 Dec 17:21 Music
drwxr-s---+  9 davidjones  staff     306 22 May 19:17 Pictures
drwxr-s---+  4 davidjones  staff     136 13 Feb  2013 Public
drwxrwxrwx   4 davidjones  staff     136 20 Dec 20:54 Sites
drwxr-s---  21 davidjones  staff     714 24 Mar  2013 helloworld

The only thing we are concerned about here is the first section.

If we look at the directory called 'helloworld' we can see that the file permissions are drwxr-s---. Let's break this down and look at each section.

The first character of the permission string is a 'd' which denotes a directory. We can see from our example output that every item is a directory because they all start with the letter 'd'.

The next three characters tell us the permission level for our user. We can find out the name of the user owner by looking at column three from the output of ls -l. In this example we can see the user owner is davidjones. The next three characters are 'rwx'. If we remember the permission types we talked about earlier we know the user has the ability to read, write and execute the directory.

The three characters after our user permissions belong to the group. We can see what group owns this file by looking at the fourth column of our output; it is owned by a group called 'staff'. The permissions for our group are 'r-s'. The group can read the directory but cannot write to it, and the 's' in the execute position means execute permission is set together with a special permission, setgid (more on special permissions later).

The final three characters tell us the permissions for everybody else. In this case they are '---', which means anyone who is not the user davidjones or part of the group staff cannot interact with this directory in any way.

Modifying Permissions

To illustrate this, let's go into our home directory and create an empty html file by using the following command: touch hellodave.html. If we run ls -l again we should see our new html file.

-rw-r--r--   1 davidjones  staff       0 23 May 18:58 hellodave.html

We can already see that the permissions string looks a lot different to the previous one we looked at. Let's look at what it stands for. The first character is '-', so this is a regular file rather than a directory. The user davidjones has read and write permission ('rw-'), the group staff has read permission only ('r--'), and everybody else has read permission only ('r--').

This is the perfect configuration for this type of file. The creator can modify its contents and a web server can read the file so it can be rendered through a web browser.

So how can we modify file permissions?

We use the command chmod to modify permissions. Let's look at some examples to modify our hellodave.html file.

chmod g+wx hellodave.html

The above command will modify the permissions to allow the group to modify and execute this file. If we run ls -l again we will be able to see this change reflected in the permissions string.

-rw-rwxr--   1 davidjones  staff       0 23 May 18:58 hellodave.html

If we want to remove a permission type we can use the minus (-) symbol rather than the plus (+) symbol.

We could also use a binary reference rather than using the permission types, for example 644. More on this later.

Binary References

A binary reference uses an octal format to change the permission level. Each permission type is associated with a number: read is 4, write is 2 and execute is 1. The numbers for one user group are added together, and the three resulting digits are written in the order user, group, everybody else.

Let's look at the example 644. This means the user will have read and write permission, the user group will only have read permission and everybody else will only have read permission. You will notice that six is the sum of read and write. So if we wanted to give somebody read, write and execute permission we would use 7, as 4 + 2 + 1 is 7.

Special permissions

There are three types of special permissions that can be assigned to directories and executables.

setuid

This says that the executable will run with the privileges of the file's owner, not those of the person who is trying to run the file. This can pose a big security risk.

setgid

This is similar to setuid but uses the group ID instead of the user ID. Again this can pose a security risk.

Sticky bit

This says that a file in the directory can only be deleted by the owner of the file. This is useful when a user is trying to delete a file in a public directory that is not owned by them.
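To tie the permission string, the octal reference and the special permissions together, here is an added shell example (not code from the original post) that decodes the first field of an ls -l line into its four-digit octal form and names any special bits it carries. It treats an 's' or 't' in an execute slot as that special bit plus execute, and an uppercase 'S' or 'T' as the special bit without execute; the sample strings are the ones from the listing above plus two constructed ones.

```shell
# mode_to_octal: turn the first field of an `ls -l` line (e.g. drwxr-s---)
# into four octal digits: special bits, then user, group, other.
mode_to_octal() {
    # Keep the 10-character mode; a trailing '+' or '@' (ACL / extended
    # attributes, as in the macOS listing above) is ignored.
    m=$(printf '%s' "$1" | cut -c1-10)
    [ "${#m}" -eq 10 ] || { echo "mode_to_octal: bad mode '$1'" >&2; return 1; }
    special=0   # 4 = setuid, 2 = setgid, 1 = sticky
    digits=""
    pos=2       # character 1 is the type: d = directory, - = regular file
    for bit in 4 2 1; do        # user slot carries setuid, group setgid, other sticky
        val=0
        r=$(printf '%s' "$m" | cut -c"$pos")
        w=$(printf '%s' "$m" | cut -c"$((pos + 1))")
        x=$(printf '%s' "$m" | cut -c"$((pos + 2))")
        [ "$r" = r ] && val=$((val + 4))
        [ "$w" = w ] && val=$((val + 2))
        case $x in
            x)   val=$((val + 1)) ;;                              # execute only
            s|t) val=$((val + 1)); special=$((special + bit)) ;;  # special bit AND execute
            S|T) special=$((special + bit)) ;;                    # special bit, no execute
            -)   ;;
            *)   echo "mode_to_octal: bad execute slot '$x'" >&2; return 1 ;;
        esac
        digits="$digits$val"
        pos=$((pos + 3))
    done
    printf '%s%s\n' "$special" "$digits"
}

# special_bits: name the special permissions in a mode, or "none".
# Handy for scanning a listing for setuid/setgid files.
special_bits() {
    oct=$(mode_to_octal "$1") || return 1
    s=$(printf '%s' "$oct" | cut -c1)
    names=""
    [ $((s & 4)) -ne 0 ] && names="$names${names:+,}setuid"
    [ $((s & 2)) -ne 0 ] && names="$names${names:+,}setgid"
    [ $((s & 1)) -ne 0 ] && names="$names${names:+,}sticky"
    printf '%s\n' "${names:-none}"
}

# Strings from the listing above plus two constructed ones (-rwsr-xr-x, drwxrwxrwt).
for m in drwxr-s--- drwxrwxrwx -rw-r--r-- -rw-rwxr-- -rwsr-xr-x drwxrwxrwt; do
    printf '%-11s octal %s  special: %s\n' "$m" "$(mode_to_octal "$m")" "$(special_bits "$m")"
done
```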