Managing File and Directory Permissions
If you’re the administrator of the system, or if you can run the sudo command, you can change the permissions on files and directories anywhere on your system.
The files structure you made in your home directory is something other users on the machine could use, so let’s copy the structure into the /var directory so others can access it. Use the sudo command since you don’t have write access to the var directory:
| | $ sudo cp -r ~/files /var/files |
Next, get a long listing of the /var/files directory, showing all hidden files. This lets you view the permissions of the /var/files directory itself:
| | $ ls -alh /var/files |
| | total 32K |
| | drwxr-xr-x 8 root root 4.0K Mar 2 13:25 . |
| | drwxr-xr-x 16 root root 4.0K Mar 2 13:25 .. |
| | drwxr-xr-x 2 root root 4.0K Mar 2 13:25 backups |
| | drwxr-xr-x 5 root root 4.0K Mar 2 13:25 code |
| | drwxr-xr-x 4 root root 4.0K Mar 2 13:25 docs |
| | drwxr-xr-x 2 root root 4.0K Mar 2 13:25 movies |
| | drwxr-xr-x 2 root root 4.0K Mar 2 13:25 music |
| | drwxr-xr-x 2 root root 4.0K Mar 2 13:25 photos |
As you recall from Listing Files and Directories, the first entry in the list, (.), represents the directory itself, in this case, /var/files:
| | drwxr-xr-x 8 root root 4.0K Mar 2 13:25 . |
If you recall, the permissions break down like this:
In this case, the root user can read, write, and execute files in this directory. Other users on the system can read from this directory structure and execute any files there, but they won’t be able to create new files or even make changes to the contents of the files. Execute permissions on directories also allow users to list their contents.
There are two methods you can use to alter access to this structure. You can change the permissions, or you can change the owner.
Let’s change the owner first so your user can manipulate this structure.
Changing Ownership
Changing ownership is the easier method, and it’s often the only method you need. In most cases, the permissions are set correctly, but they’re applied to the wrong user and group. That’s the case here, as well.
The chown command lets you change the owner and group of a directory.
| | $ sudo chown brian:brian /var/files |
Get a new directory listing to check the ownership:
| | $ ls -alh /var/files/ |
| | total 36K |
| » | drwxr-xr-x 8 brian brian 4.0K Mar 2 13:25 . |
| | drwxr-xr-x 16 root root 4.0K Mar 2 13:25 .. |
| | drwxr-xr-x 2 root root 4.0K Mar 2 13:25 backups |
| | drwxr-xr-x 5 root root 4.0K Mar 2 13:25 code |
| | drwxr-xr-x 4 root root 4.0K Mar 2 13:25 docs |
| | drwxr-xr-x 2 root root 4.0K Mar 2 13:25 movies |
| | drwxr-xr-x 2 root root 4.0K Mar 2 13:25 music |
| | drwxr-xr-x 2 root root 4.0K Mar 2 13:25 photos |
The chown command changed the ownership on the /var/files directory. Unfortunately, it didn’t do anything to the directory’s contents. To do that, add the -R switch:
| | $ sudo chown -R brian:brian /var/files |
Then get a new directory listing:
| | $ ls -alh /var/files/ |
| | total 32K |
| | drwxr-xr-x 8 brian brian 4.0K Mar 2 13:25 . |
| | drwxr-xr-x 16 root root 4.0K Mar 2 13:25 .. |
| | drwxr-xr-x 2 brian brian 4.0K Mar 2 13:25 backups |
| | drwxr-xr-x 5 brian brian 4.0K Mar 2 13:25 code |
| | drwxr-xr-x 4 brian brian 4.0K Mar 2 13:25 docs |
| | drwxr-xr-x 2 brian brian 4.0K Mar 2 13:25 movies |
| | drwxr-xr-x 2 brian brian 4.0K Mar 2 13:25 music |
| | drwxr-xr-x 2 brian brian 4.0K Mar 2 13:25 photos |
You can now make modifications to the directory without using sudo. Try it out: add a new directory named dropbox, which you’ll use to let every user on the system write files. Create this directory without using the sudo command:
| | $ mkdir /var/files/dropbox |
The command completes without any error messages. Use ls -alh to look at the permissions for the new directory as well as its parent:
| | $ ls -alh /var/files/dropbox |
| | total 8.0K |
| | drwxr-xr-x 2 brian brian 4.0K Mar 2 13:28 . |
| | drwxr-xr-x 9 brian brian 4.0K Mar 2 13:28 .. |
The new directory inherits the permissions from the parent directory. Your user has full access to the directory, while your group and all other users can only list the contents and navigate there. Let’s change who can modify files in this directory.
Changing Permissions
To change file or directory permissions, use the chmod command. You can set permissions a couple of ways. Let’s look at symbolic mode first. In symbolic mode, you will use combinations of letters and symbols to add or remove permissions.
Time to experiment. Create a file in the /var/files/dropbox directory named permissions.txt:
| | $ touch /var/files/dropbox/permissions.txt |
Then look at its permissions:
| | $ ls -lh /var/files/dropbox/permissions.txt |
| | -rw-r--r-- 1 brian brian 0 Mar 2 13:29 /var/files/dropbox/permissions.txt |
The permissions for this file give read and write permissions to your user and allow everyone else access to read the file.
To remove the ability to write to this file for your user, use the chmod -w command:
| | $ chmod -w /var/files/dropbox/permissions.txt |
| | $ ls -lh /var/files/dropbox/permissions.txt |
| | -r--r--r-- 1 brian brian 0 Mar 2 13:29 /var/files/dropbox/permissions.txt |
To add write permission back for your user, use chmod +w:
| | $ chmod +w /var/files/dropbox/permissions.txt |
| | $ ls -alh /var/files/dropbox/permissions.txt |
| | -rw-r--r-- 1 brian brian 0 Mar 2 13:29 /var/files/dropbox/permissions.txt |
Notice that this only changed the permissions for your user. To allow other members of the associated group to write to the file, prefix the permission with the letter g:
| | $ chmod g+w /var/files/dropbox/permissions.txt |
| | $ ls -lh /var/files/dropbox/permissions.txt |
| | -rw-rw-r-- 1 brian brian 0 Mar 2 13:29 /var/files/dropbox/permissions.txt |
To add the ability for others to write to this file, prefix the permission with the letter o, for “others”:
| | $ chmod o+w /var/files/dropbox/permissions.txt |
| | $ ls -lh /var/files/dropbox/permissions.txt |
| | -rw-rw-rw- 1 brian brian 0 Mar 2 13:29 /var/files/dropbox/permissions.txt |
Now everyone has access to write to the file.
You can remove write access for yourself, your group, and everyone, all at once. Use the u prefix to reference your user, and the g and o prefixes for your group and everyone else:
| | $ chmod ugo-w /var/files/dropbox/permissions.txt |
| | $ ls -lh /var/files/dropbox/permissions.txt |
| | -r--r--r-- 1 brian brian 0 Mar 2 13:37 /var/files/dropbox/permissions.txt |
Now add that write permission back with +w:
| | $ chmod ugo+w /var/files/dropbox/permissions.txt |
| | $ ls -lh /var/files/dropbox/permissions.txt |
| | -rw-rw-rw- 1 brian brian 0 Mar 2 13:37 /var/files/dropbox/permissions.txt |
You’ve controlled access to a file, but what about the directory itself? Use ls -lhd to view the current permissions for the /var/files/dropbox directory:
| | $ ls -lhd /var/files/dropbox/ |
| | drwxr-xr-x 2 brian brian 4.0K Mar 2 13:37 /var/files/dropbox/ |
Right now, your user has full access, but nobody else does. Use chmod on the directory to grant write permissions for everyone so they can add or remove files:
| | $ chmod go+w /var/files/dropbox/ |
Then use ls -lhd to view the directory to review its permissions:
| | $ ls -lhd /var/files/dropbox |
| | drwxrwxrwx 2 brian brian 4.0K Mar 2 13:37 /var/files/dropbox/ |
Now everyone has access to modify files here.
The chmod command can also act recursively if you use the -R switch, so to remove write permissions from the /var/files/dropbox directory and all of its contents for other users, execute this command:
| | $ chmod -R o-w /var/files/dropbox/ |
| | $ ls -alh /var/files/dropbox/ |
| | total 8.0K |
| | drwxrwxr-x 2 brian brian 4.0K Mar 2 13:37 . |
| | drwxr-xr-x 9 brian brian 4.0K Mar 2 13:28 .. |
| » | -rw-rw-r-- 1 brian brian 0 Mar 2 13:37 permissions.txt |
Notice that the permissions.txt also lost write permissions. The permissions set at the directory were applied recursively to the files in the directory. You’ll want to be very mindful about this when you set permissions recursively, especially since file permissions and directory permissions work differently.
Things get a little tricker when you want to assign completely different permissions for yourself and everyone else. The easiest way to do that is by changing the permission bits.
Changing Permission Bits
One of the most common ways to change permissions is to use absolute mode, where you specify numbers to set the permissions. This can be more effective if you need to make more granular changes.
Wnen you’re looking at the permissions for a file, you know you can break them down like this:
The first three letters are the permissions for the user that owns the file, the next three are for the group, and the last three are for all the other users. In this case, the user has full access (rwx), while the group and other users have read and execute access (r-x).
If you think of each one of these as a switch, where 1 is “on” and 0 is “off,” you can represent the permissions as a bunch of bits, like so:
If you convert each group of three to decimal numbers, it’ll look like this:
Converting binary to decimal is beyond the scope of this book. If you’re not comfortable converting binary numbers to decimal numbers, you can use this table for now, and then brush up on that later:
To apply these permissions to a file, you pass all three numbers to the chmod command. Let’s apply these permissions to the permissions.txt file:
| | $ chmod 755 /var/files/dropbox/permissions.txt |
| | $ ls -lh /var/files/dropbox/permissions.txt |
| | -rwxr-xr-x 1 brian brian 0 Mar 2 13:37 /var/files/dropbox/permissions.txt |
Using this approach, you can quickly assign different sets of permissions to a file or group of files.
If you wanted to give yourself read and write access but only allow others to read the file, you’d figure this out the same way:
The permissions end up being 644. Apply the new permissions to the file:
| | $ chmod 644 /var/files/dropbox/permissions.txt |
| | $ ls -lh /var/files/dropbox/permissions.txt |
| | -rw-r--r-- 1 brian brian 0 Mar 2 13:37 /var/files/dropbox/permissions.txt |
Finally, since the chmod command lets you set permissions recursively, you can set permissions for the entire contents of a directory. Let’s make sure nobody else can read the source code we put in the /var/files/code directory. Retain full control for your user, but revoke access from others:
| | $ chmod -R 700 /var/files/code |
Now check the permissions on the /var/files/code directory:
| | $ ls -alh /var/files/code |
| | total 20K |
| | drwx------ 5 brian brian 4.0K Mar 2 13:25 . |
| | drwxr-xr-x 9 brian brian 4.0K Mar 2 13:28 .. |
| | drwx------ 2 brian brian 4.0K Mar 2 13:25 elm |
| | drwx------ 2 brian brian 4.0K Mar 2 13:25 go |
| | drwx------ 2 brian brian 4.0K Mar 2 13:25 js |
Your user is now the only user who can access these files.
Before wrapping up, make sure that everyone can read and write files in the /var/files/dropbox directory. And since it’s a directory, you’ll want to make it executable so people can switch to it:
| | $ chmod -R 777 /var/files/dropbox |
Now, check the permissions:
| | $ ls -alh /var/files/dropbox |
| | total 8.0K |
| | drwxrwxrwx 2 brian brian 4.0K Mar 2 15:36 . |
| | drwxr-xr-x 9 brian brian 4.0K Mar 2 15:26 .. |
| | -rwxrwxrwx 1 brian brian 0 Mar 2 15:36 permissions.txt |
Look at the permissions for the permissions.txt file. The permissions.txt file is readable, writable, and executable by everyone, since that’s what you told the chmod command to do; it recursively set all permissions on all of the files and directories.
Be Careful with chmod | |
|---|---|
|
Opening up permissions on a file or directory can have devastating results. It gives everyone access to read and execute files, and if those files are accessible through a web server or a shared disk, you could be in some serious trouble. Before you reach for the chmod command, see if you can find another solution. If you ever see anyone suggest running chmod -R 777 anywhere, you can probably ignore that advice, since it opens things up to everyone. A better solution than that is almost always available. |
Generally, you don’t want files to be executable, and we probably don’t need everyone else reading this file’s contents, so change the permissions on that file back to being readable and writable by you, but only readable by everyone else:
| | $ chmod 644 /var/files/dropbox/permissions.txt |
Verify the permissions one last time to make sure they’re what you want:
| | $ ls -alh /var/files/dropbox |
| | drwxrwxrwx 2 brian brian 4.0K Mar 2 15:36 . |
| | drwxr-xr-x 9 brian brian 4.0K Mar 2 15:26 .. |
| | -rw-r--r-- 1 brian brian 0 Mar 2 15:36 permissions.txt |
To avoid situations like this in the future, where you accidentally set the wrong permissions recursively, you could set the permissions on the directory without using the -R option so it won’t apply recursively, or use letters instead of permission bits. For example, the command chmod -R go+rwX /var/files/dropbox would apply read and write permissions on all files and directories, but the capital X would only apply execute permissions to directories.
Permissions on a Unix-based system is a very complex topic. You have used both symbolic mode and absolute mode to set file permissions, and you will find yourself using both methods depending on the situation you are in. View the documentation for the chmod and chown commands by using man chmod and man chown respectively, and practice changing permissions on files until it becomes second nature.
Next, let’s explore links, which let you create a filesystem object that points to another object.