File permissions are one of the core security features of Linux. Understanding and setting file permissions correctly can keep your system safe and secure, especially in a multi-user environment. In Linux, you can change permissions on a per-file or per-folder basis. Folders or directories in Linux are implemented as a special type of file, so the steps are essentially the same.
There are three distinct levels of granularity when specifying file permissions. The entire notion of file permissions is based on the concept of file ownership. A file is owned by a single user, and the user belongs to at least one group and has a primary group assigned.
User Level (u): The owner of the file has a specific level of permissions, usually referred to as the owner level.
Group Level (g): The users that belong to the same group as the owner have specific permissions when accessing the file.
World Level (o): Everyone else, that is, users who do not belong to the same user group, has another set of permissions.
Users within each of these levels are given access rights based on the actions that can be performed on the file, again divided into three categories.
Read (r): Users with the access rights to read will be able to view, print and read the contents of the file.
Write (w): Users with write permissions will be able to modify the file and its contents. This also implies other actions such as creating, renaming and deleting files.
Execute (x): Users with execute permission will be able to execute the file.
You can view the currently assigned permissions of a file by listing it using the ls command. To view the permissions of the file use the following command.
bash$ ls -l
This will print out something like what is shown below. The leftmost column denotes the permissions in standard display format, which we will decipher later in the post.
-rwxrw-r-x 1 tom users 16421 Sep 4 09:45 mytext.php
The first character (-) denotes the type of file: it can be - for files, d for folders, l for links etc. The next three characters denote the user's or file owner's access rights, the next three are the group's permissions and the last three are the permissions for all other users.
In the example above, the owner has all rights (r, w and x) while the group has only read and write (rw-) permissions. All other users have read and execute permissions, but no write access (r-x). A file that gives all access rights to all levels is shown below as an example (rwx rwx rwx).
-rwxrwxrwx 1 tom users 3453 Sep 4 09:45 mytext2.php
The Linux command that allows you to change permissions of the file is chmod, which is short for change file bit modes. Note that the user who is executing the command will need write access to the file(s) whose permissions are being changed.
The permissions can be specified in two different ways: as a character or as an equivalent numerical value. Each of the file access rights has a numerical value assigned to it. The read access (or r) is 4, the write access (or w) is 2 and the execute access (or x) is 1. Adding them up in any combination will give you a unique value that can then be used to represent the permissions. For example, r+w+x is 7, r+w is 6, r+x is 5 etc.
Now, you can do this sum for each of the levels and then concatenate the numbers to create a three-digit value to specify the exact permission for the file. For example, 755 means rwxr-xr-x, while 666 means rw-rw-rw- etc.
The generic format of the chmod command is
The filename argument accepts multiple file names and regular expressions as with most Linux commands.
bash$ chmod 755 file*.txt
The above will set the file permissions to rwxr-xr-x (i.e. 755) for all files that match the regular expression file*.txt. In order to set the permissions to rw-rw-rw-, use the example below.
bash$ chmod 666 image*.jpg
Although the numbering scheme sounds and looks complex, it is actually pretty simple once you get the hang of it. All you need to remember is the three mappings for the access rights (4,2,1). I am sure you are smart enough to quickly add up those small numbers in your head as you type the command.
You can also use the characters instead of the numbers, and some will find that easier. u is for user, g is for group, o is for others, a is for all (i.e. short notation for ugo), r is for read, w is for write and x is for execute. The + (plus) symbol is used to add or enable an access right for a level, while the - (minus) symbol is used to remove an access right. The = (equals) symbol allows you to set the access exactly as specified in the argument.
While using the character format, you can only modify one permission level with the command, unless you are setting the same access rights to multiple levels.
bash$ chmod u+rwx file1.txt
Adds the read, write and execute access to the user or owner of the file.
bash$ chmod g-w file1.txt
This disables or takes away the write permission for the group.
bash$ chmod a+x file1.txt
This adds or enables the execute right for all users, i.e. the owner, group and others.
When using the numerical format, usually all three numbers are used for the sake of clarity, but it is not necessary. If fewer than three digits are used, then the access is calculated from right to left. If there is only one digit, then it is for the others or public level. If there are only two digits, then the first is for the group and the second is for others.
bash$ chmod 4 file.txt
This will change the permission for others (o) to just the read access (r--).
You can also use the addition (+) and subtraction (-) operators with the numerical values, just as with the characters.
bash$ chmod +031 file.txt
This will keep the access rights for the user as they are (i.e. +0), add the write and execute access (+3) for the group, and add execute (+1) for others.
bash$ chmod -7 file.txt
This will take away all access (i.e. -7 or -rwx) from others. (Remember, just one digit means it is for others.)
As with other Linux commands, there are some useful command line options you can use with chmod, especially the recursive and verbose options.
-R or --recursive: This will traverse down the directory structure and change the permissions of all the files in the subdirectories and of the subdirectory itself.
-v or --verbose: Useful when changing multiple files, as it will print out information about every file processed.
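The script below is an added example, not part of the original article: it applies the 4/2/1 sums to turn the first column of ls -l into chmod digits, then uses the others-write bit to find files left at modes such as 666 or 777 and removes only that bit with o-w. The function names and the throwaway test files are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (constructed for illustration). Plain POSIX sh.

# triplet_value "rw-" -> 6 : sum read=4, write=2, execute=1 for one level.
# Special-bit characters (s, t) are not covered by the article and are rejected.
triplet_value() {
    v=0
    case "$1" in r??) v=$((v + 4)) ;; -??) ;; *) return 1 ;; esac
    case "$1" in ?w?) v=$((v + 2)) ;; ?-?) ;; *) return 1 ;; esac
    case "$1" in ??x) v=$((v + 1)) ;; ??-) ;; *) return 1 ;; esac
    echo "$v"
}

# sym_to_octal "-rwxrw-r-x" -> 765 : first 10 characters of an "ls -l" line.
sym_to_octal() {
    perms=${1#?}                          # drop the file-type character
    [ "${#perms}" -eq 9 ] || return 1
    u=$(triplet_value "$(printf '%s' "$perms" | cut -c1-3)") || return 1
    g=$(triplet_value "$(printf '%s' "$perms" | cut -c4-6)") || return 1
    o=$(triplet_value "$(printf '%s' "$perms" | cut -c7-9)") || return 1
    echo "$u$g$o"
}

# world_writable DIR : regular files under DIR whose "others" level has w set.
world_writable() {
    find "$1" -type f -perm -002 -print | sort
}

# strip_world_write DIR : remove only the others-write bit, keep everything else.
strip_world_write() {
    find "$1" -type f -perm -002 -exec chmod o-w {} +
}

# demo : run the audit on constructed files in a throwaway directory.
demo() {
    d=$(mktemp -d) || return 1
    touch "$d/a.txt" "$d/b.txt" "$d/c.txt"
    chmod 644 "$d/a.txt"; chmod 666 "$d/b.txt"; chmod 777 "$d/c.txt"
    world_writable "$d"                   # lists b.txt and c.txt
    strip_world_write "$d"                # 666 becomes 664, 777 becomes 775
    ls -l "$d"
    rm -rf "$d"
}

# Run "sh thisfile.sh demo" to see the audit on the constructed files.
if [ "${1:-}" = demo ]; then demo; fi
```
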
The various combinations that can be used are too many to list in a short article. The best way to master permissions is to practise repeatedly with different formats, on dummy or test files and folders of course, and stick with the format you find easiest to remember.