Open Source

Linux file and directory permissions

To ensure system security, you must establish good file and directory standards. Jim McIntyre provides an introduction to the Linux file system, and he discusses how to limit or allow user permission to files and directories.

One of the most common reasons people give for disliking the UNIX and Linux operating systems is a lack of understanding of the UNIX/Linux file system. As a system administrator, you'll discover that the majority of problems users have are related to file and directory permissions and ownership.

Establishing good file and directory standards is crucial to your system security. If users are able to make changes to the file system (where they shouldn't have access), it's only a matter of time before they begin to overwrite each other's files, resulting in a loss of important information. If users can access system files, they will. This can and probably will result in the loss of one or more servers—not to mention the loss of productivity and business associated with downtime.

Understanding file and directory permissions
Linux always associates a file or directory with a user and a group. For example, assume I have a file named webmaster.txt in my home directory. If I run the command ls -l webmaster.txt, I get the following result:
-rw-rw-r- 1 jim webmaster 1024 Feb 21 15:10 webmaster.txt

Before examining this line, I should explain that there are three sets of permissions that every UNIX or Linux file system uses: the file's owner, the file's group, and everyone else (commonly referred to as other). My example output is the listing of file access permissions that have been set for the file's owner, the file's group, and everyone else. This file is owned by a user named jim, the file's group is webmaster, the file size is 1,024 bytes, the file was last modified on Feb 21, at 15:10 (3:10 P.M.), and the filename is webmaster.txt.

The area of this output we're really concerned with is the grouping at the beginning of the line:
-rwx-rw-r-

This is the area where the access permissions for the file are displayed. The first entry is a dash [-], which indicates that this is a file (not a directory or link). A [d] in this position indicates that this is a directory, and an [l] indicates that this is a link. The letters r, w, and x stand for read, write, and execute.

The first entry is a dash, so we know that this file is not a directory or a link; it is just a file. The first triplet of letters indicates the permissions for the file's owners and contains the letters rwx. This means that the owner of the file has read, write, and execute permissions for this file. The owner can do anything to this file, including changing the access permissions. (The only other user who can do this is the superuser, or root.)

The next triplet indicates the access rights for the file's group. In our webmaster.txt example, the permissions are read and write (rw). The users who belong to the webmaster group can read and make changes to this file, but they cannot execute the file—assuming it's an executable file such as a Perl script or a shell script.

The third triplet concerns all users other than the file's owner and all users who don't belong to the file's group. In this case, the rights for "other" are read-only (r), which means that any user who isn't the file's owner, or who doesn't belong to the file's group, can only read the file. If these users run the cat or ls command on the file, they will see that it exists, and they can open it in an editor. However, these users can't execute the file, (if it's an executable program), and they can't make any changes to the file.

Now let's practice. Run your favorite editor; then, create a simple text file and name it myfile.txt. Don't worry about content; a few lines of text will suffice. Save the file to your home directory. Now, run ls -l myfile.txt. The following output should appear:
-rw-rw-r 1 <username> <username> 1024 Feb 22 10:20 myfile.txt

You can see that the file's owner and the file's group are the same. This is because the user who created the file is the file's owner, and the group is the owner's default group.

Changing file and directory access rights
As a file or directory owner, you can set the access rights for the file or directory. There are two ways of doing this.

The first method involves some simple binary math. There are three permissions: read, write, and execute. Each permission is assigned a value based on a power of two, from right to left.

The first permission, execute, has a value of two to the zero power, or one. The second permission, write, has a value of two to the first power, or two. The third permission, read, has a value of two to the second power, or four. The highest access right is seven, or read, write, and execute. The lowest access right is zero, or no rights.

Run ls -l on myfile.txt again.

The owner has read/write permission (4 + 2), or a value of six. The file's group also has read/write permission, also a value of six. Everyone else has read-only permission, or a value of four.

Now let's change the permissions on myfile.txt. To assign permissions, add the values of the permissions you want to assign, and then assign them using the chmod command.

As the owner of the file, you want execute permission. Execute has a value of four, so you'll run the command:
chmod 764 myfile.txt

Now run ls -l on myfile.txt, and you should see something similar to this:
-rwx-rw-r— 1 <username> <groupname> <size> <date> <time> myfile.txt

If you aren't happy with the file's group having write access, run the chmod command again:
chmod 744 myfile.txt

Run ls -l myfile.txt, and you'll see that the owner has read, write, and execute access but that the file's group and everyone else has read access only.

Another mode to use with the chmod command is to use letters to represent the permissions. Read is r, write is w, and execute is x.

Let's say you want to give execute permission to the file's group. Run chmod g+x myfile.txt. The triplet should now read -rwxr-x-r—. To remove a permission, replace the [+] with a [-]. To take away execute permission from the group, run:
chmod g-x myfile.txt

The triplets should now read -rwxr—r—.

As long as you're the owner of a file, you can use the chmod command to set the permissions any way you like.

Directory permissions
Permissions for directories aren't exactly the same as they are for files. Here are some typical permissions required on directories:
  • Execute permission is required for a user to cd into a directory.
  • Read permission is required for a user to use a command such as ls to view the files contained in a directory.
  • Execute-only permission allows a user to access the files in a directory as long as the user knows the names of the files in the directory, and the user is allowed to read the files.
  • Write permission allows the user to create, delete, or modify any files or subdirectories, even if the file or subdirectory is owned by another user.

Changing file ownership
Only the superuser, or root, can change ownership of a file. This is a built-in security feature of Linux. Suppose I wrote a program that changed the access of critical system files that only root had access to on a server. I could then simply change the ownership of the program file to root. When I ran the program, I would have root access to all files affected by the program.

To change file or directory ownership, login as root, or su to root, and then run the command:
chown <username> <filename>

To change ownership of myfile.txt to a user named bill, run:
chown bill myfile.txt

To change the file's group with the same command, run:
chgrp <new group> <filename>

To change the group for myfile.txt to admin, run:
chgrp admin myfile.txt

To change the owner and group of a file in one step, run:
chown bill.admin myfile.txt
To change the ownership or group of all files and directories under a parent directory, use the -R option with the chown command.
If you want to change the owner and group of all files and directories under the /www directory to user jim and group internet, run the command:
chown -R jim.internet /www

If you only want to change the file's group, run the command:
chgrp <new group> <filename>

To change the group of all text files in the /www directory to the group jim, run the command:
chgrp -R jim /www

The chown and chgrp commands may also be used with an asterisk (*) to change the permissions or group of all files in a directory. For example, type cd /www to change to the /www directory. Then, to change the permissions on all text files in the /www directory, run:
chmod 755 *txt

To change the group for all files with the extension pl in the /www directory, run:
chgrp internet *pl

Managing permissions for links
Hard links
Hard links point to files in the same directory. A file that has hard links won't be removed from the hard disk until all links are deleted. Links are created using the ln command. To create a hard link from myfile.txt to linkfile.txt, use the command:
ln myfile.txt linkile.txt

Now, when you run the command ls -l *txt, you should see something similar to:
-rw-r-r- 2 jim 1024 Feb 22 15:10 myfile.txt
-rw-r-r- 2 jim 1024 Feb 22 15:10 linkfile.txt


The hard link and the original file will have the same size, modification date, owner, group, and access permissions. Now, if the owner runs:
chown <newuser> hardlink.txt

the output of the ls -l *txt will produce:
-rw-r-r- 2 <newuser> 1024 Feb 22 15:10 myfile.txt
-rw-r-r- 2 <newuser> 1024 Feb 22 15:10 hardlink.txt


As you can see, the ownership of both the original file and the hard link have changed.

Symbolic links
Symbolic links can point to another directory, or even to another file system. Symbolic links are created by using the -s option with the ln command. When a symbolic link is created, it will have the same characteristics as the original file. These characteristics may be changed on either file without changing the characteristics of the other.

First, let's create a symbolic link to myfile.txt. Use the command:
ln -s myfile.txt symboliclink.txt

Using ls -l *txt, we get the following:
-rw-r-r- 2 <newuser> 1024 Feb 22 15:10 myfile.txt
-rw-r-r- 2 <newuser> 1024 Feb 22 15:10 hardlink.txt
-rw-r-r- 2 <newuser> 1024 Feb 22 15:10 symboliclink.txt


Now, using chown, you can change the ownership of the myfile.txt file to another user (let's say guest) and then run the ls -l command again. You should see something like:
-rw-r-r- 2 <guest> 1024 Feb 22 15:10 myfile.txt
-rw-r-r- 2 <newuser> 1024 Feb 22 15:10 hardlink.txt
-rw-r-r- 2 <newuser> 1024 Feb 22 15:10 symboliclink.txt


The advantage of symbolic links is that the characteristics of either the original file or the symbolic link may be changed without changing the other.

Conclusion
A good policy for file system access can prevent many problems for system administrators. This Daily Drill Down has provided an introduction to the Linux file system and discussed how to limit or allow user permission to files and directories.

Jim McIntyre has been training users on IT-related subjects since 1988. He began his training career as a sonar operator in the Canadian Navy. After retiring early from the military in 1996, Jim completed the Novell CNE program, the Adult Education program at Saint Francis Xavier University, and the Webmaster Program at Dalhousie University. He also graduated from the Train the Computer Trainer program at Dalhousie, where he now serves as a contract instructor. Jim has extensive technical support experience, and he tries to see technical problems as training opportunities. If Jim had a motto, it would be: "Share what you know; learn what you don't." He didn't come up with that phrase, but he likes it.

The authors and editors have taken care in preparation of the content contained herein, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.

Editor's Picks