Understanding Linux File Permissions with chmod, umask, chown and chgrp

In Linux/UNIX the concepts of a user (owner) and a group are fundamental, because everybody wants things kept secure and properly organized. The system was designed with security and ownership in mind, which is why every file and directory has an owner and a group associated with it, each with its own permissions to access that file. So, how do we manipulate permissions with chmod, umask, chown and chgrp?


First, there are three user-based permission sets:

  • Owner permissions: Determines what operations the owner of the file can do on the file.
  • Group permissions: Determines what operations a user belonging to the group associated with that file can do on the file.
  • Other permissions: Indicates what operations all other users can do on the file.

And there are three basic operations that the owner, the group, or other users can be allowed to perform on files and directories:

  • Read (r): Permission to read the contents of the file.
  • Write (w): Permission to modify the file.
  • Execute (x): Permission to execute the file as a script or program.

Every Linux/Unix filesystem assigns the Read, Write and Execute permissions the following numeric (octal) values:

Read = 4
Write = 2
Execute = 1

Adding the values together gives the permission set for one class of user: rw- is 4+2 = 6, r-x is 4+1 = 5 and rwx is 7.


Therefore, the permissions associated with any file or directory in Linux have a 3×3 format: Three types of permissions (Read, Write and Execute) that are available for three types of users (Owner, Group and Other).

To observe this, enter ls -l: after the leading file-type character it displays 9 characters for every file or directory, representing the permissions for the three types of users (for example rw-r--r-- for 644).

 

Changing permissions with chmod
chmod stands for “change mode” and is used to change the access permissions of files and directories in Linux. You can express the new permissions either in octal representation (numbers) or in symbolic representation (letters). We’ll tackle the octal representation first.

In octal representation of the permissions:

  • First digit is for Owner
  • Second digit is for Group
  • Third digit is for Others


Now, if we wish to give Read + Write (4+2 = 6) permission to the owner and Read (4) permission to the group and to others, we enter the following command:

chmod 644 /directory/file

Another example: to give Read + Execute (4+1 = 5) permission to the owner, no permission (0) to the group and Write (2) permission to others, enter the following command:

chmod 502 /directory/file

 

How do directory permissions in Linux work?

Remember: the general rule is that everything in Linux is a file, so a directory is just a file containing a list of other files.

When applying permissions to directories, the permission bits mean something different than on regular files.

  • Read: allows the user to list the names in the directory.
  • Write: allows the user to add, rename and delete names in that list, but only if the execute bit is set too. With the write bit a user can also modify the directory’s attributes.
  • Execute: allows the user to enter the directory and reach the files and subdirectories inside it by name. For example, to cd into /bin (or list it with ls, which also needs Read) a user must have Execute permission on /bin.

So for example to access dir/subdir/file, you need execute permission on dir and dir/subdir, plus the permissions on file for the type of access you want.

The way you access a file matters. For example, if you have execute permissions on /dir1/dir2 but not on /dir1, but your current directory is /dir1/dir2, you can access files in /dir1/dir2 through a relative path, but not through an absolute path. You can’t change to /dir1/dir2 in this scenario; a more privileged process has presumably done cd /dir1/dir2 before going unprivileged. If a file has multiple hard links, the path you use to access it determines your access constraints.

Symbolic links change nothing. The kernel uses the access rights of the calling process to traverse them. For example, if sym is a symbolic link to the directory dir, you need execute permission on dir to access sym/foo. The permissions on the symlink itself may or may not matter depending on the OS and filesystem (some respect them, some ignore them).

To recap: you can traverse a directory if and only if you have execute permission on it.
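The traversal rules above can be checked directly. The following script is an added example, not part of the original article: it builds a scratch tree dir/subdir/file with mktemp, sets a chosen mode on the top directory and reports whether reading the file by name, entering the directory with cd, and listing it with ls succeed. It assumes a filesystem that honours mode bits and a caller that is not root, since root carries CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH and is not stopped by these bits.

```shell
#!/bin/sh
# Added example, not part of the original article. Probes what each
# directory permission bit really allows on a scratch tree dir/subdir/file.
# Assumes a filesystem that honours mode bits and a non-root caller: root
# carries CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH, so these checks do not
# stop it (which is also why "become root and fix it" works later on).

# attempt ACTION DIR: try one operation on DIR; the exit status is the result.
#   read  = open dir/subdir/file, needs x on dir and on subdir, r on the file
#   enter = cd into dir, needs x on dir
#   list  = read the names in dir, needs r on dir
attempt() {
    case $1 in
        read)  cat "$2/subdir/file" >/dev/null 2>&1 ;;
        enter) cd "$2" 2>/dev/null ;;
        list)  ls "$2" >/dev/null 2>&1 ;;
        *)     return 2 ;;
    esac
}

# probe_dir MODE ACTION: build the tree, put MODE on the top directory,
# attempt ACTION and print "ok" or "denied". The mode is restored before
# cleanup so that rm -rf can traverse the directory again.
probe_dir() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/dir/subdir"
    echo "constructed sample content" > "$tmp/dir/subdir/file"
    chmod 755 "$tmp/dir/subdir"
    chmod 644 "$tmp/dir/subdir/file"
    chmod "$1" "$tmp/dir"
    if (attempt "$2" "$tmp/dir"); then result=ok; else result=denied; fi
    chmod 755 "$tmp/dir"
    rm -rf "$tmp"
    echo "$result"
}

# probe_summary MODE: all three actions for one mode on a single line.
probe_summary() {
    echo "read=$(probe_dir "$1" read) enter=$(probe_dir "$1" enter) list=$(probe_dir "$1" list)"
}

# Run as a script: rwx, r-- (read without search) and --x (search only).
for m in 755 644 111; do
    echo "dir mode $m: $(probe_summary "$m")"
done
```

With mode 644 on dir the script reports read=denied and enter=denied even though the directory itself is readable, and with mode 111 you can reach dir/subdir/file by name and cd into dir but cannot list its contents: execute is what lets you traverse, read is what lets you enumerate.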

 

What is umask?

umask, together with the base permissions a new file or directory can have, determines the permissions a newly created file or directory actually gets. The base permission for a file is 666 and for a directory it is 777. Every bit set in the umask is cleared from that base (for the usual umask values this looks like a subtraction) to give the final default permission. The default umask is 022.

Final default permissions for file and directories are determined as follows:

Default file permission: 666
Default directory permission: 777
Default umask : 022
Final default file permission: 644
Final default directory permission: 755

You may change the umask to suit your purpose. For example, if nobody but the owner should be able to do anything with newly created files and directories, set the umask to 0077:

umask 0077

umask is a shell builtin that takes no file argument: it sets the mask for the current shell and every process it starts from then on, and it only affects files created afterwards, never existing ones. Look at umask as the reverse of chmod: chmod names the bits to set, umask names the bits to withhold.

 

Symbolic Representation
The symbolic representation uses the following letters for the three types of users:

u is used for user/owner
g is used for group
o is used for others

1. Adding Single Permission
To change a single permission for a specific set of users (owner, group or others), we use the ‘+’ symbol to add it.

Syntax: chmod <who>+<permission> file

chmod u+x my_file

The above command adds Execute permission for the owner of the file.

2. Adding Multiple Permissions
This is similar to the command explained above; you just separate the individual changes with a comma (,).

Syntax: chmod <who>+<permission>,<who>+<permission> file

chmod g+x,o+x my_file

The above command adds Execute permission for the group and for other users.

3. Removing a Permission
Removing a permission is as easy as adding one; just use the ‘-’ symbol instead of ‘+’.

Syntax: chmod <who>-<permission> file

chmod o-x my_file

Above command removes Execute permission from the other users of the file.

4. Making the Changes for All
To add or remove permissions for all users at once (owner, group and others), we use the letter ‘a’, which denotes “all users”.

Syntax: chmod a<+ or -><permission> file

chmod a+x my_file

Above command will add Execute permission to all the users.

5. Copying the Permissions
If we wish two files or directories to have the same permissions, we can use the --reference option. To apply the permissions of myfile1 to another file called myfile2, use the following command:

chmod --reference=myfile1 myfile2

6. Applying Changes to All the Content of a Directory
If we want to apply a change to a directory and everything inside it, we use the -R option, which makes the operation recursive. For example, to set 755 on /foo and on every file and directory under it:

chmod -R 755 /foo/

Note that -R applies the same mode to files and directories alike; in symbolic mode the capital X sets the execute bit only on directories and on files that already have it, which is usually what you want in a recursive change.
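The octal forms above, the symbolic forms in this section and the umask rules from the previous section can all be verified in one place. The following script is an added example, not part of the original article: it applies each kind of chmod argument to a scratch file created with mktemp, copies a mode with --reference, creates a file and a directory under a chosen umask, and reads every result back with stat. It assumes GNU coreutils (stat -c, chmod --reference) on a filesystem that honours mode bits.

```shell
#!/bin/sh
# Added example, not part of the original article. Exercises chmod (octal,
# symbolic, --reference) and umask on scratch files and reads the resulting
# mode back with stat. Assumes GNU coreutils and a filesystem that honours
# mode bits (tmpfs and the usual local filesystems do).

mode_of() {                       # print the octal mode of a path, e.g. 644
    stat -c %a "$1"
}

# apply_mode MODE: start from a scratch file at 644, run "chmod MODE" on it
# and print the resulting mode. MODE may be octal (502) or symbolic (u+x).
apply_mode() {
    f=$(mktemp)
    chmod 644 "$f"
    chmod "$1" "$f"
    mode_of "$f"
    rm -f "$f"
}

# copy_mode_demo: give one file mode 640, copy that mode to a second file
# with --reference and print the second file's mode.
copy_mode_demo() {
    a=$(mktemp); b=$(mktemp)
    chmod 640 "$a"
    chmod --reference="$a" "$b"
    mode_of "$b"
    rm -f "$a" "$b"
}

# umask_result MASK: create a file and a directory with MASK in force and
# print "<file mode> <directory mode>". umask is a shell builtin that affects
# the current shell and whatever it starts, so it is set in a subshell here
# to leave the caller's mask untouched.
umask_result() {
    d=$(mktemp -d)
    (
        umask "$1"
        touch "$d/f"
        mkdir "$d/sub"
        echo "$(mode_of "$d/f") $(mode_of "$d/sub")"
    )
    rm -rf "$d"
}

# Run as a script: show the article's examples side by side.
for m in 644 502 u+x g+x,o+x o-x a+x; do
    echo "chmod $m on a 644 file -> $(apply_mode "$m")"
done
echo "chmod --reference copies 640 -> $(copy_mode_demo)"
for u in 022 077 027; do
    echo "umask $u -> file/dir $(umask_result "$u")"
done
```

The umask 027 line is worth a look: the base 666 masked by 027 gives 640, whereas octal subtraction (666 - 027) would give 637, which is why “subtract the umask” is only a mnemonic and the real operation is clearing bits.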

 
Changing owner and group – chown/chgrp

chown stands for change owner and changes the user and/or group ownership of a given file. The syntax is:
chown owner-user file
chown owner-user:owner-group file
chown owner-user:owner-group directory
chown options owner-user:owner-group file

The chgrp command may be used by unprivileged users on Unix-like systems to change the group associated with a file system object to one of which they are a member. The root user however can change to any group.

chgrp has virtually the same syntax as chown:
chgrp options groupname /dir/file

 
Examples

Example 1: How can I make user ‘jane’ as the owner of the file demo.txt?
chown jane demo.txt

Example 2: How can I change ownership of multiple files to user ‘jane’?
chown jane /path/to/file1 /path/to/file2 /path/to/file3
or, using shell brace expansion (no spaces inside the braces, or the shell will not expand them):
chown jane /path/to/{file1,file2,file3}

Numeric UID (User ID) and GID (Group ID) values can be used in place of the owner and group names:
chown 625:874 file1

You can also use chown to change the group: a colon separates the user and the group. Example setting user jane and group ftp:
chown jane:ftp demo.txt

If only the colon and the group name ftp are given, only the group is changed and the owner is left as it is:
chown :ftp demo.txt

To change the owner of /foo and subfiles to ‘jane’, and make it recursive:
# chown -R jane /foo

We can make ‘jane’ the owner of the directory /home/janes_project, and give the group ‘team1’ access:
# chown -v jane:team1 /home/janes_project
And then use chmod to give ‘jane’ Read+Write+Execute, group ‘team1’ access to Read+Execute, and no access for others:
# chmod -v 750 /home/janes_project

Let’s say we have created a script called ‘myscript’. To run it we need to set the execute (x) bit on the file: chmod u+x myscript
To let the group execute it as well: chmod u+x,g+x myscript

This sets the group ‘jane’ on the file demo.txt, with -f suppressing any error messages:
chgrp -f jane demo.txt

 
Other tips

The -v option is verbose: it tells the command to print what it changed. The -f option (--silent/--quiet in chown and chgrp) suppresses most error messages, so the command runs quietly even on files it cannot change.

With some commands there is a difference between /dir1/dir2 and /dir1/dir2/: the former also affects dir2 itself, while the latter only affects the files and directories under dir2. This is especially true of the backup command rsync.

Any difference between these two commands?
chown jane:group1 / var/ftp
chown jane:group1 /var/ftp

There is a significant difference. In the first command there is a space between / and var/ftp, so chown receives two operands, / and var/ftp. This common mistake hands ownership of / (the root directory of a Linux/Unix filesystem) to jane, and with -R it would do so for the entire filesystem.

Sometimes a user called “nobody” (or a bare numeric UID/GID) shows up as the owner of some files. This happens when a user account is deleted without deleting its files, or when files are moved to another installation or computer that does not recognise the username or UID/GID. It can be fixed by becoming root and using chown/chgrp.

If you get “Operation not permitted” or “Permission denied”, check with ls -l whether you are the owner of the file, or retry as root with su/sudo.

 

I’ll end by listing some files and directories that deserve attention, with the permissions they should normally have:

home directories – A user’s home directory matters because other users should not be able to view or modify the files in that user’s documents or desktop. Give the directory drwx------ (700) permissions; to enforce that on user1’s home directory, run chmod 700 /home/user1.
bootloader configuration files – If you set a password to boot specific operating systems, remove read and write permissions on the configuration file from everyone but root by changing its permissions to 700.
system and daemon configuration files – It is very important to restrict write access to system and daemon configuration files so that users cannot edit their contents; removing read permission is often not advisable, but removing write permission is a must. In these cases 644 is usually the right choice.
firewall scripts – It is not always necessary to block users from reading the firewall script, but they must not be able to write to it. Since the script is run automatically by root at boot, no other user needs any rights to it, so 700 is appropriate.
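To turn recommendations like these into something that can be checked on a schedule, here is an added example that is not part of the original article: it audits a table of paths against the mode and owner you expect and prints one line per mismatch. The table and the tree it is run on are constructed inside the script (the paths are placeholders, not real system files), it assumes GNU coreutils (stat -c, mktemp), and it compares owners by numeric uid, which is what the kernel actually stores and why a file from another system shows up as a number or as “nobody” when the uid has no local name.

```shell
#!/bin/sh
# Added example, not part of the original article. Audits files against the
# mode and owner you expect them to have, the way a nightly job or a CI step
# might. The table and the tree are constructed here so the script runs
# offline; on a real host you would list the real paths and expected values.
# Assumes GNU coreutils (stat -c, mktemp).

# Expected "relative-path mode uid" table. The owner column uses our own uid
# for most entries and, for one file, a uid that is deliberately not ours so
# that an ownership mismatch is demonstrated.
expected_table() {
    me=$(id -u)
    other=$((me + 1))   # constructed: a uid that is certainly not ours
    printf '%s\n' \
        "home/user1 700 $me" \
        "boot/grub.cfg 700 $me" \
        "etc/daemon.conf 644 $me" \
        "etc/firewall.sh 700 $other"
}

# make_sample_tree: build a scratch tree that matches the table except for
# two deliberate mistakes (a world-readable home directory and a
# group-writable config file), then print its root path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/home/user1" "$root/boot" "$root/etc"
    touch "$root/boot/grub.cfg" "$root/etc/daemon.conf" "$root/etc/firewall.sh"
    chmod 755 "$root/home/user1"        # should be 700
    chmod 700 "$root/boot/grub.cfg"
    chmod 664 "$root/etc/daemon.conf"   # should be 644
    chmod 700 "$root/etc/firewall.sh"
    echo "$root"
}

# audit_tree ROOT: read the table on stdin and print one line per mismatch:
#   "path actual-mode expected-mode actual-uid expected-uid"
# Nothing is printed when everything matches; a missing path is reported
# with "-" in the actual columns.
audit_tree() {
    root=$1
    while read -r rel mode uid; do
        p="$root/$rel"
        if [ ! -e "$p" ]; then
            echo "$rel - $mode - $uid"
            continue
        fi
        have_mode=$(stat -c %a "$p")
        have_uid=$(stat -c %u "$p")
        if [ "$have_mode" != "$mode" ] || [ "$have_uid" != "$uid" ]; then
            echo "$rel $have_mode $mode $have_uid $uid"
        fi
    done
}

# audit_count ROOT: number of mismatches, handy as a pass/fail signal.
audit_count() {
    expected_table | audit_tree "$1" | wc -l | tr -d ' '
}

# Run as a script: build the sample tree, audit it and clean up.
root=$(make_sample_tree)
echo "mismatches under $root:"
expected_table | audit_tree "$root"
echo "total: $(audit_count "$root")"
rm -rf "$root"
```

On the constructed tree the audit reports three lines: the 755 home directory, the 664 configuration file and the firewall script whose owner is not the expected uid. The fix for each is the chmod or chown shown earlier in the article; the audit only tells you where to apply it.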