UNIX: Basic File Permissions
scottalanmiller last edited by
UNIX systems have a standard file-based permissions system that is simple and easy to learn and standard across the entire UNIX family. It is not uncommon for more granular file permissions, by way of ACLs (Access Control Lists), to be applied as well, but those are more advanced and we will address them in a later lesson. For now we are going to focus on the standard UNIX permissions. You will find these on Linux, BSD, Solaris, etc.
There are three types of UNIX File System Permissions. They are:
- read (r): When applied to a file it gives the ability to access the file and see its contents.
- write (w): Write permission grants the ability to modify a file. The power to modify is the power to destroy (delete, erase, etc.)
- execute (x): Without execute permissions, the UNIX operating system will refuse to "run" a file including both scripts and binaries.
Each of these three permissions can be set for each of three "actors". These actors are:
- User Owner (u): The owner is the user (identified by UID) that owns a file. Only one user may own any given file.
- Group Owner (g): Each file also has a group that owns it as well (identified by GID.) Only one group may own any given file.
- World or Other(o): These are the permissions given to anyone that is neither the owner nor a member of the group owner.
When we use the ls -l command we are shown the information above. Reading this information on UNIX can be a bit confusing and takes time to grow accustomed to. Typically we have a ten character field that tells us the file permission information. We will ignore the first character for the moment. Here is an example file:
# ls -l total 0 -rwxr-x--- 1 scott scott 0 Feb 10 04:49 myfile
In this example we have one file, named "myfile". The first ten characters of the output are: -rwxr-x---. Very confusing indeed! How are we supposed to read that?
Well the first character will be ignored leaving us with nine characters. Each of these nine characters, of fields, corresponds with one set of permissions from above. The first three characters (after having skipped the first) correspond to the permissions for the User Owner, the second three characters correspond to the Group Owner and the final three characters correspond to the World.
The characters come in order: rwxrwxrwx. If the permission is granted, the letter appears. If the permission is not granted, a - appears instead to show the place holder.
So in our example, which is rwxr-x--- we can translate this into: [User Owner: rwx] [Group Owner: r-x] [World: ---]
This is a very common set of permissions to find. The file owner (me) as full permissions to do anything with the file. My group has read and execute permissions but cannot modify the file (no write.) Anyone who is not in my designated group or is not me (the group and the user owners have no need to be related, the user owner will not necessarily be a member of the owner group) has no permissions at all and cannot access the file.
In our example above, the user owner and the group owner fields are designated by scott and scott, confusingly. In this case, this is a user named scott and a group that has the same name (presumably because I am the only member.) This is the standard way in which CentOS works. But each UNIX environment can do its own thing.
It is also very common to have the default group for users be a group called "users" or something similar. The two most common approaches are either a general user group and everyone gets the same one, or each user gets their own group (generally with a name that matches their username and a GID that is the same as their UID.) So look for those two paradigms to be in place on any given server. Of course, you can change this and customize it as you see fit on your own servers, there is no need to use the default. But the general industry feeling is that the dedicated user group approach is the best default approach today.
Now that we understand the user owner, the group owner and the permissions, we can learn how to modify them. There are standard UNIX commands to handle these tasks:
- chown: CHange OWNer. This command changes the user owner of a file and, with the right syntax, will change owner and group together.
- chgrp: CHange GRouP. This command changes the group owner of a file.
- chmod: CHange MODe. This is the command that allows us to modify the permission settings on the file (the r, w and x settings.)
First we will change the owner from scott to root.
chown root myfile
Easy peasy. We could change the group from the scott group to the user group in a similar fashion.
chgrp user myfile
The chmod command can get a bit complicated. We are going to look at one way of using it here in this article and will reserve the "octet" means of working with it for a separate article as we want to get through our basic concepts here. You can use either method and most admins will use both depending on what they want to do.
The chmod command uses a mode syntax of [users we want to modify][+-=][mode to change]. Sounds a bit confusing and it is just a little. But if we see it in action I think that you will find it relatively straightforward.
If we use the + modifier, we will add permissions that may or may not have already been applied. If we want to make a file executable for the group owner, we would use "g" to designate the group owner and "x" to indicate executable and "+" to denote adding the permission, like so:
chmod g+x myfile
If we wanted to remove a permission, we would use a minus sign, -. In this example we will remove any possible write "w" permissions from the group owner and the world (other) groups (which are "g" and "o").
chmod go-w myfile
Using the equals modifier we can tell the command exactly what we want the resulting permissions to be rather than using the plus or minus to "modify from what it currently is." The plus and minus are relative permissions, the equals is absolute.
chmod u=rwx myfile
There we go, we can now change the owner, change the group and set the permissions (modes) on a file to control security.
One additional quick trick is the (a) user, for all. It refers to everyone, the user owner, group owner and the other together. So if you wanted to set execute permission for everyone:
chmod a+x myfile
I promised to show how to use the chown command to change both the user and the group at the same time. Just use a colon like so:
chown root:accounting myfile
Directories. Thus far we have only talked about how UNIX Standard Permissions apply to normal files. But we need to understand how they apply to directories, too. Directories use the same permissions structure but the permissions mean slightly different things when they are used on directories.
- Read (r): On a directory, read permission means the ability to read the file names within the directory. The ability to list, ls, the files.
- Write (w): On a directory, write permission means the ability to create, delete and rename files within the directory.
- Execute (x): On a directory, execute permission means the ability to access file contents and meta data (but not list the contents of the directory, so if read is not also present you must know the name of the file to be able to reference it.)
One additional feature of all of the commands that we have learned here when applied to directories is the ability to add permissions recursively. If you wanted to make "scott" the owner of a directory and everything that that it contains all at once you could do so like this:
chown -R scott /var/scottscooldirectory