Linux File and Directory Permissions
The core security feature of Linux is file and directory permissions. Linux accomplishes that by assigning each file and directory an owner and allowing that owner to set the basic security settings to control access to the file or directory. The following sections walk through how Linux handles ownership of files and directories as well as the basic permissions settings that you can assign to any file or directory on your Linux system.
Understanding Ownership
Linux uses a three-tiered approach to protecting files and directories:
Owner—Within the Linux system, each file and directory is assigned to a single owner. The Linux system administrator can assign the owner specific privileges to the file or directory.
Group—The Linux system also assigns each file and directory to a single group of users. The administrator can then assign that group privileges that are specific to the file or directory and that differ from the owner privileges.
Others—This category of permissions is assigned to any user account that is not the owner nor in the assigned user group.
You can view the assigned owner and group for a file or directory by adding the -l option to the ls command, as shown in LISTING 10-1.
The first column, -rw-rw-r--, defines the access permissions assigned to the owner, group, and others. That will be discussed later in the chapter in the section “Controlling Access Permissions.” The third column, the rich or barbara value, shows the user account assigned as the owner of the file. The fourth column, sales, shows the group assigned to the file.
When a user creates a file or directory, by default the Linux system automatically assigns that user as the owner and uses the primary group the user belongs to as the group for the file or directory. You can change the default owner and group assigned to files and directories using Linux commands. The following sections show how to do that.
Changing File or Directory Ownership
The root user account can change the owner assigned to a file or directory by using the chown command. The chown command format looks like this:
The newowner parameter is the user name of the new owner to assign to the file or directory, and filenames is the name of the file or directory to change. You can specify more than one file or directory by placing a space between each file or directory name:
There are a few command-line options available for the chown command, but they are mostly obscure and not used much. One that may be helpful for you is the -R option, which recursively changes the owner of all files and directories under the specified directory.
Changing the File or Directory Group
The file or directory owner, or the root user account, can change the group assigned to the file or directory by using the chgrp command. The chgrp command uses this format:
The newgroup parameter is the name of the new user group assigned to the file or directory, and the filenames parameter is the name of the file or directory to change. If you’re the owner of the file, you can only change the group to a group that you belong to. The root user account can change the group to any group on the system:
The chown command allows you to change both the owner and group assigned to a file or directory at the same time using this format:
This is often preferred over using the separate chgrp command.
Controlling Access Permissions
After you’ve established the file or directory owner and group, you can assign specific permissions to each. Linux uses three types of permission controls:
Read—The ability to access the data stored within the file or directory
Write—The ability to modify the data stored within the file or directory
Execute—The ability to run the file on the system, or the ability to list the files contained in the directory
You can assign each tier of protection (owner, group, and other) different read, write, and execute permissions. This creates a set of nine different permissions that are assigned to each file and directory on the Linux system. The nine permissions appear in the ls output as the first column of information when you use the -l option as shown in LISTING 10-1. FIGURE 10-1 shows the order in which the permissions are displayed in the ls output.
FIGURE 10-1 File and directory permissions as displayed in the ls output.
In Figure 10-1, the first character denotes the object type. A dash indicates a file, while a d indicates a directory.
The next three characters denote the owner permissions in the order of read, write, and execute. A dash indicates the permission is not set, while the r, w, or x indicate the read, write, or execute permission is set. In the example in LISTING 10-1, all three files use rw- for the owner permissions, which means the owner has permission to read and write to the file but cannot execute, or run, the file. This is common with data files.
The second set of three characters denotes the group permissions for the file or directory. Again, this uses the read, write, and execute order, with a dash indicating the permission is not set. After making the change to the customers.txt file for the marketing group, the sales group can only write to the research.txt and salesdata.txt files, and the marketing group can only write to the customers.txt file.
Finally, the third set of three characters denotes the permissions assigned to user accounts that are not the owner or a member of the group assigned to the file or directory. The same order of read, write, and execute is used. In the Listing 10-1 examples, other user accounts on the system can read the files but not write or execute them.
Either the root user account or the owner of the file or directory can change the assigned permissions by using the chmod command.
The format of the chmod command can be somewhat confusing. It uses two different modes for denoting the read, write, and execute permission settings for the owner, group, and other. Both modes allow you to define the same sets of permissions, so there’s no reason to use one mode over the other.
In symbolic mode, you denote permissions by using a letter code for the owner (u), group (g), others (o), or all (a) and another letter code for the read (r), write (w), or execute (x) permission. The two codes are separated with a plus sign (+) if you want to add the permission, a minus sign (-) to remove the permission, or an equal sign (=) to set the permission as the only permission. LISTING 10-2 shows an example of this.
In Listing 10-2, the g-w code in the chmod command indicates to remove the write permission for the group from the customers.txt file. Now members of the marketing group can only read the file.
You can combine letter codes for both to make multiple changes in a single chmod command, as shown in LISTING 10-3.
The ug code assigns the change to both the owner and the group, while the rwx code assigns the read, write, and execute permissions. The equal sign indicates to set those permissions.
The second mode available in chmod is called octal mode. With octal mode, the nine permission bits are represented as three octal numbers, one each for the owner, group, and other permissions. TABLE 10-2 shows how the octal number matches the three symbolic mode permissions.
TABLE 10-2 Octal mode permissions.
| Octal Value | Permission | Meaning |
|---|---|---|
| 0 | --- | No permissions |
| 1 | --x | Execute only |
| 2 | -w- | Write only |
| 3 | -wx | Write and execute |
| 4 | r-- | Read only |
| 5 | r-x | Read and execute |
| 6 | rw- | Read and write |
| 7 | rwx | Read, write, and execute |
You must specify the three octal values in the owner, group, and other in the correct order, as shown in LISTING 10-4.
The 664 octal mode set the owner and group permissions to read and write (6) but the others permission to read only (4). You can see the results from the ls output. This is a handy way to set all of the permissions for a file or directory in a single command.
Exploring Special Permissions
Linux uses three special permission bits for controlling the advanced behavior of files and directories.
The Set User ID (SUID) bit is used with executable files. It tells the Linux kernel to run the program with the permissions of the file owner and not the user account actually running the file. This feature is most commonly used in server applications that must run as the root user account to have access to all files on the system, even if the user launching the process is a standard user.
The SUID bit is indicated by an s in place of the execute permission letter for the file owner: rwsr-xr-x. The execute permission is assumed for the system to run the file. If the SUID bit is set on a file that doesn’t have execute permission for the owner, it’s indicated by an uppercase S.
To set the SUID bit for a file, in symbolic mode add s to the owner permissions, or in octal mode include a 4 at the start of the octal mode setting:
The Set Group ID (SGID, also called GUID) bit works differently in files and directories. For files, it tells Linux to run the program file with the file’s group permissions. It’s indicated by an s in the group execute position: rwxrwsr--.
For directories, the SGID bit helps us create an environment where multiple users can share files. When a directory has the SGID bit set, any files users create in the directory are assigned the group of the directory and not that of the user. That way all users in that group can have the same permissions as all of the files in the shared directory.
To set the SGID bit, in symbolic mode add s to the group permissions, or in octal mode include a 2 at the start of the octal mode setting:
Finally, the sticky bit is used to protect a file from being deleted by those who don’t own it, even if they belong to the group that has write permissions to the file. The sticky bit is denoted by a t in the execute bit position for others: rwxrw-r-t.
The sticky bit is often used on directories shared by groups. The group members have read and write access to the data files contained in the directory, but only the file owners can remove files from the shared directory.
To set the sticky bit, in symbolic mode add t to the owner permissions, or in octal mode include a 1 at the start of the octal mode setting:
Managing Default Permissions
When a user creates a new file or directory, the Linux system assigns it a default owner, group, and permissions. The default owner, as expected, is the user who created the file. The default group is the owner’s primary group.
The user mask feature defines the default permissions Linux assigns to the file or directory. The user mask is an octal value that represents the bits to be removed from the octal mode 666 permissions for files or the octal mode 777 permissions for directories.
The user mask value is set with the umask command. You can view your current umask setting by simply entering the command by itself on the command line:
The output of the umask command shows four octal values. The first octal value represents the mask for the SUID (4), GUID (2), and sticky (1) bits assigned to files and directories you create. The next three octal values mask the owner, group, and other permission settings.
The mask is a bitwise mask applied to the permission bits on the file or directory. Any bit that’s set in the mask is removed from the permissions for the file or directory. If a bit isn’t set, the mask doesn’t change the setting. TABLE 10-3 demonstrates how the umask values work in practice when creating files and directories on your Linux system.
TABLE 10-3 Results from common umask values for files and directories.
| Umask | Created Files | Created Directories |
|---|---|---|
| 000 | 666 (rw-rw-rw-) | 777 (rwxrwxrwx) |
| 002 | 664 (rw-rw-r--) | 775 (rwxrwxr-x) |
| 022 | 644 (rw-r--r--) | 755 (rwxr-xr-x) |
| 027 | 640 (rw-r-----) | 750 (rwxr-x---) |
| 077 | 600 (rw-------) | 700 (rwx------) |
| 277 | 400 (r--------) | 500 (r-x------) |
You can test this by creating a new file and directory on your Linux system:
The umask value of 0022 created the default file permissions of rw-r--r-- , or octal 644, on the test2 file, and rwx-r-xr-x, or octal 755, on the test1 directory, as expected (note that the directory entry starts with a d in the permissions list).
You can change the default umask setting for your current shell session by using the umask command from the command line:
The default permissions for the new file have changed to match the umask setting.