Linux File and Directory Permissions

What are file permissions:
Every file or folder in Linux has access permissions. There are three
types of permissions (what allowed to do with a file):

read access (symbolized by the letter r)
write access (symbolized by the letter w)
execute access (symbolized by the letter x)

Permissions are defined for three types of users:

the owner of the file (symbolized by the letter u )
the group that the owner belongs to (symbolized by the letter g)
other users (symbolized by the letter o)

Thus, Linux file permissions are nine bits of information. The table
below shows the syntax:

1
2
3
4
5
6
7
8
9
10
File
User Permissions
Group Permissions
Other Permissions
Type
Read
Write
Execute
Read
Write
Execute
Read
Write
Execute
d
r
w
e
r
w
e
r
w
e
- > The first character is not a permission bit, it simply indicates
    the type of file as indicated in the table below:

Character
 
Type of file
- 
regular file
d
directory
l
symbolic link
s
socket
p
named pipe
c
character device file (unbuffered)
b
blocked device file (buffered)
Remaining nine bits are permission bits.

-> Characters 2-4 show owner of the file permissions.
    Character 2 indicates read permission, character 3 indicates write
     permission, and character 4 indicates execute permission.
-> Characters 5-7 show group permissions(group to which belong the file).
     Character 5=read, 6=write, 7=execute .
-> Characters 8-10 show permissions for all other users. (users who are
  neither a member of the Group nor the owner of the file)
     Character 8=read, 9=write, 10=execute.

Ownership: When you create a file, you automatically become its
owner. The owner has full authority to tamper with a file's contents
and permissions –a privilege not available with others except the root
user.Similarly, You can create, modify  or remove files in a directory
if you are the owner of the directory.

Group Ownership: When creating a user account,the system admin-
istrator also assigns the user to some group. People working on a
project are generally assigned a common group, and all files created
by group members (who have separate user ids) will have the same group
owner. However, make no mistake : The privileges of the group are set
by the owner of the file and not by the group members.

ls -l   : Listing File Attributes
$ ls -l sample
-rwxr-xr-- 1 king development 0 Mar 15 00:26 sample

 ls -l displays most attributes of a file – like its permissions,size
and ownership details. If file is a directory,to list attributes of a
directory use “ls -ld”.

 As you can see in this example, the "ls -l" command gives a lot of
information about the file "sample":

     - Its name, "sample";
     - Its permissions, "-rwxr-xr--";
     - Its owner, "king";
     - Its group, "development";
     - And other information time,size,date etc..

Permissions: rwx r-x r--

  r  
Read access is allowed
w
Write access is allowed
    
x
Execute access is allowed    
  
-
No permissions

 The first group (rwx) has all three permissions.The file is readable,
writable and executable by the owner of the file,King. But do we Know
who the owner is? Yes we do. The third column shows king as the owner
and the first permissions group applies to king. You have to log in
with the username king for these privileges to apply to you.

 The second group (r-x) has a hyphen in the middle slot, which indica-
tes the absence of write permission by the group owner of the file.
This group owner is development, and all users belonging to the devel-
opment group have read and execute permissions only.

 The third group (r--) has the write and execute bits absent. This set
of permissions is applicable to others i.e., those who are neither the
owner king nor belong to the development group. So this file is not
world writable.

chmod: CHANGING FILE PERMISSIONS
  If you are owner of the file you can set different permissions for
the three categories of users --owner,group, and others.It's important
that you understand them because a little learning here can be a
dangerous thing.A faulty file permission is a sure recipe for disaster.

 The chmod (change mode) command is used to set the permissions of
one or more files for all three categories of users.It can be run only
by the user(the owner) and the superuser. The command can be used in
two ways:

     1.In a relative manner by specifying the changes to the current
       permissions.
     2.In an absolute manner by specifying the final permissions.

Relative Permissions: 
  When changing permissions in a relative manner, chmod only changes
the permissions specified in the command line and leaves the other
permissions unchanged. In this mode it uses the following syntax:

   chmod category operation permission filename(s).

  Bellow table shows letters to represent category, operation and
permission:
Category
Operation
Permission
 
u   User 
+   Assigns permission
r   Read Permission
g   Group 
-   Removes permission
w   Write Permission
o   Other 
=   Assigns absolute permission
x   Execute Permission
a   All(ugo)

 Now let's consider an example. First create a file temp.

$ cat > temp
Hello world
Ctrl+d
$ ls -l temp
-rw-r--r-- 1 root root 12 Mar 16 13:32 temp
 To assign execute permissions to the User of the file temp, we need
to frame a suitable expression by using appropriate characters from
each of the three columns of above Table. Since the file needs to be
executable only by the user,the expression required is u+x:

$ chmod u+x temp
$ ls -l temp
-rwxr--r-- 1 root root 12 Mar 16 13:32 temp
  The command assigns(+) execute(x) permissions to the user(u), but
other permissions remain unchanged. To enable group and others to exe-
cute this file, you have to use multiple characters to represent the
user category(ugo) or simply use a it implies ugo.

$ chmod ugo+x temp
$ ls -l temp
-rwxr-xr-x 1 root root 12 Mar 16 13:32 temp
chmod command also accept more than one file name in the command line.
When you need to assign the same set of permissions to a group files,
all the file names have to be specified with a single chmod command:

$ chmod u+x temp1 temp2 temp3

 Permissions are removed with the - operator. To remove the read
permission from both group and others, use the expression go-r:

$ chmod go-r temp ; ls -l temp
-rwx--x--x 1 root root 12 Mar 16 13:32 temp
  chmod also accepts multiple expressions delimited by commas. For
instance, to restore the original permissions to the file temp,you
have to remove the execute permission from all(a-x) and assign read
permission to group and others(go+r):

$ chmod a-x,go+r temp; ls -l temp
-rw-r--r-- 1 root root 12 Mar 16 13:32 temp
 More than one permission can also be set; u+rwx is a valid chmod
expression.So setting write and execute permissions for others is no
problem:

$ chmod o+rwx temp; ls -l temp
-rw-r--rwx 1 root root 12 Mar 16 13:32 temp
Absolute Permissions:
    Some times you don't need to now what a file's current permissions
are,but want to set all nine permission bits explicitly.The expression
used by chmod here is a string of three octal numbers(base 8).Each type
of permission is assigned a number as shown :

       I. Read permission    - 4
      II. Write permission   - 2
     III. Execute permission - 1

     For each category we add the numbers that represent the assigned
permissions. For instance, 6 represents read and write permissions,and
7 represents all permissions.

This table shows what numeric values mean:

Octal digit
Text equivalent
Meaning
  
0
---
    
All types of access are denied
  
1
--x
 
Execute access is allowed only
  
2
-w-
    
Write access is allowed only
  
3
-wx
Write and execute access are allowed
  
4
r--
Read access is allowed only
  
5
 
r-x
Read and execute access are allowed
  
6
rw-
Read and write access are allowed
  
7
rwx
 
Everything is allowed
  

   We see that "1" stands for execute only, "2" stands for write only,
"4" stands for read only.To combine the permissions you can simply add
1, 2 and 4 to get a needed combination. For instance, to get read and
write permissions,you add 4 (read) and 2 (write), thus getting 6 (read
and write). To get read and execute permissions, you add  4 (read) and
1 (execute), thus getting 5 (read and execute).

 To take a simple example,if a file has read and write permissions for
the user, the octal representation of the user's permissions will be
4 + 2 = 6. When this exercise is repeated for the other categories, the
result will be a three character string representing three octal digi-
ts, with each octal digit indicating the permissions for the category.
The sequence followed is user,group and others. You can use this method
to assign read and write permissions to all three categories.

Examples:

  To assign all permissions to the owner,read and write permissions to
the group,and only execute permission to the others, use this:

$ chmod 761 sample ; ls -l sample
-rwxrw---x 1 king development 0 Mar 15 00:26 sample
 Assign yourself full access to read and modify the file,allow members
of the group to read it and do not allow any others access:

$ chmod 640 sample ; ls -l sample
-rw-r----- 1 king development 0 Mar 15 00:26 sample
Some octal permissions and their meaning:

Permissions
Meaning
644
owner: read and write permissions,
group: only read permissions,
others: only read permissions. 
755
    owner: read, write and execute permissions,
group: read and execute permissions,
      others: read and execute permissions. 
754
 owner: read, write and execute permissions,
 group: read and execute permissions,
others: only read permissions. 

  As long as you're the owner of a file, you can use the chmod command
to set the permissions any way you like.

umask: Default file and Directory permissions: 

  The UNIX system has the following default permissions for all files
and directories:

rw-rw-rw-(octal 666) for regular files.
rwxrwxrwx(octal 777) for directories.

  However,you don't see these permissions when you create a file or a
directory. To understand this let us first create an empty file called
sample using the touch command and then try to list it.

$ touch sample ; ls -l sample
-rw-r--r-- 1 king development 0 Mar 18 00:41 sample
 How come that the file permissions for this file have been set to 644
What Unix does is it uses the value stored in a variable called umask
to decide the default permissions. The umask value tells Unix which of
the three permissions are to be denied rather than granted.The current
value of umask can be easily determined by just typing umask.

# umask
0022  (Default umask value for admin is 0022)

$ umask
0002  (Default umask value for normal user is 0002)

 Here, the first 0 indicates that what follows is an octal number.This
octal number which has to be subtracted from the system default to ob-
tain the actual default. This becomes 664 (666-002) for ordinary files
and 775 (755-002) for directories.When you crate a file on this system
,it will have the permissions rw-rw-r--.

umask is a shell built-in command though it also exists as an external
command. A user can also use this command to set a new default. Here's
an extreme setting:

$ umask 000                           All read-write permissions on

  A umask value of 000 means that you haven't subtracted anything, and
this could be a dangerous. The system's default then applies (666 for
files and 777 for directories). All files and directories are then
writable by all;  nothing could be worse than that! However,  a mask
value of 666 or 777 doesn't make much sense either; you'll then be cr-
eating files and directories with no permissions.

   For instance, if you want all new directories to get permissions
rwxr-xr--- and files to get permissions rw-r----- by default(modes 750
and 640), you'll need to use a umask value which removes all rights to
other,and write permissions to the group : 027. The command to use is:

$ umask 027

 One important thing to remember is that,no one not even the administ
rator can turn on permissions not specified in the system wide default
settings. However you can always use chmod as and when required. The
system wide umask setting is placed in one of the machine's startup
scripts, and is automatically made available to all users.

Directory Permissions:

    Unix treats every thing as a file, directories too are treated by
Unix as files.A directory, as Unix perceives, is a file which contains
the names of the files present in the directory.Hence a read permission
on a directory allows the listing of the directory contents and
nothing else.

     Directories also have their own permissions and the significance
of these permissions differ from those of ordinary files. Read and
write access to an ordinary file are also influenced by the permissio-
ns of the directory housing them. It's possible that a file can't be
accessed even though it has read permission, and can be removed even
when it's is write protected.

Here are some typical permissions required on directories:

To understand permissions first create temp directory and create some
files in that directory.

$ mkdir temp
$ cd temp
$ touch a b
$ pwd
/home/project/temp
$ ls -l
total 8
-rw-r--r-- 1 king development 0 Mar 18 18:56 a
-rw-r--r-- 1 king development 0 Mar 18 18:56 b
-> Execute permission is required for a user to cd into a directory.

    change temp directory permissions to 400(Read only permission).
Then try to change directory, you won't be permitted.

$ chmod 400 temp
$ cd temp
cd: temp: Permission denied
$ ls temp
a  b 
->  Read permission is required for a user to use a command such as ls
to view the files contained in a directory.

$ chmod 300 temp
$ ls temp
ls: temp: Permission denied
$ cd temp
$ pwd
/home/project/temp
-> Execute-only permission allows a user to access the files in a
directory as long as the user knows the names of the files in the
directory, and the user is allowed to read the files.

$ chmod 100 temp
$ ls temp/
ls: temp/: Permission denied
$ cat temp/a
Hello world
-> Write permission allows the user to create, delete, or modify any
files or sub directories, even if the file or sub directory is owned by
another user.

Difference in access permissions for files and 
directories:

 Access permissions for files and folders mean different things from
the user standpoint. The table below shows the difference.

Access type
File
Directory
        
 
Read 
If the file contents can
 be read
 
 If the directory listing can 
be obtained
 
Write 
If user or process can 
write to the file
(change its contents)
If user or process can change
directory contents somehow: create
new or delete existing files in the
directory or rename files.  
 
Execute 
If the file can 
be executed
If user or process can access the
directory, that is, go to it (make 
it to be the current working direc
tory)