Permissions are one of the most useful aspects of a Linux system, and it is a must to know the ins and outs of setting proper file or directory permissions. The way many guides teach permissions is difficult to grasp, which is why I am stepping in to make it easily understandable.
In this guide, we will learn the concepts of permissions using an analogy, then dive straight into setting permissions, removing permissions, changing the user and group ownership of a file/directory, and more related stuff about permissions.
Let's get started with ...
The Concept of Permission In Linux
Before we go in fully on the concept of permission, let us look at some definitions from dictionaries:
According to the Oxford dictionary, permission is:
The action of officially allowing someone to do a particular thing...
and Cambridge defines permission as:
The act of allowing someone to do something, or of allowing something to happen...
Looking at both definitions, we can summarise permission as the act of granting someone (a user) privileges over one or more specific things.
"Someone" can be a user or a group of users.
But wait! Who is granting the permission?
A semi-god or what? (Joking, of course.) It is obviously the superuser, or you can say the administrator.
That cleared, let's turn the stuff we've learned so far into an analogy of how it works on a Linux system.
My analogy would be based on an imaginary apartment, things inside the apartment and users around the apartment.
To understand this easily I need your attention...
An apartment is a set of two or more rooms. We would assume the room is our directory, inside this room or directory we have couches, TV, home speakers and basically any stuff you would find in an actual living room.
We would call the items found inside this room/directory our files.
These files also have names and sizes, so the owner of the living room might decide to arrange stuff in the room by size or by name. I know this sounds weird, but I want you to assume the items in the room can be sorted the way you would sort actual files in a computer system.
Can an unknown user come into my room without my consent? No.
But my girlfriend can come into my living room, right? Yes.
Are you seeing the pattern? This is called permission: since I am the owner of the room, I can give whoever I want permission to come into my room and do whatever they like.
Here's where things would get interesting...
Permissions aren't just granted blindly: there is a set of people I will give access to Item A, and there are some people I'll give access to Item B but not A. The question is, who are these people?
They fall into three categories: Users, Groups and the World.
Confusing right? Bear with me, I'll clear things up.
- Users could be your friends or family; they live closely with you in your apartment.
- Group is the way of categorizing what a user can do. You could have a special room in your apartment that you want only selected users to access, and for them to be able to access that room, you give them your permission (a key to the room).
- World or Other are public users. They can see what is going on in our room from afar; of course, you have to open your windows for them to do that (so, again, you are granting permission).
There should be restrictions around permission, and we shouldn't just be dishing out permission without a good reason. There are three types of permission, and they apply differently depending on whether the object is a room (directory) or the stuff within the room (files).
We have the read or r, write or w and execute or x permission. Remember I said the permission is applied differently based on the context of the room/directory or the files. Starting with the room/directory:
r | The content of the directory can be viewed; a user can see the item in the room but can't enter or alter the items in the room |
w | The content of the directory can be altered but this is not useful if you can't go into the directory/room; it kinda makes sense, if you can't go into a room, how do you wanna alter the files in the room, which brings us to... |
x | execute permission - it means you can go into the room/directory but you can only alter the items in the directory if you have the write(w) permission. |
This is what the permission means on a File:
r | The file can be read; this is more of like interacting with the items in the room (e.g sitting on the couch) |
w | The file can be written to; this is more of like repairing an item or like customizing the look of an item in the room |
x | The file can be executed as a program; this is like carrying the item to another room in the apartment |
I guess we have covered the concept of permissions in Unix, so any further explanation should be easier as I walk you through how it works on a Linux system.
First...
Viewing File/Directory Permission in Linux
To view permission and any other info of a directory or a file, we use the ls -l command.
ls: This is for listing contents
-l: This shows info such as file permission, owner of the file, date, etc in a long listing format.
Starting from the home directory:
ls -l /home
You can see different directories, so I'll use the dumm directory as an example; what I am about to explain applies to the others too:
drwxr-xr-x 4 dumm dumm 4096 Feb 3 04:02 dumm
Let's break down the information above, entry by entry. Each entry is separated by a space.
- drwxr-xr-x: This is our permission (I know it doesn't make sense now, I'll explain later)
- 4: This is the link count of the directory
- dumm: This is the user that owns the file
- dumm: The group
- 4096: The size in bytes
- Feb 3 04:02: The date and time the directory was last modified
- dumm: The name of the directory
Note: users are highlighted in blue, groups in red and directory in yellow for clarity.
Another Note: The group and the directory name don't have to be identical; I will show you more examples later.
What we would focus on is the permission string (drwxr-xr-x), the other fields are self-explanatory.
Remember I said we can grant permission on files or directories, and that we grant it to a user, a group or the world.
A user, group or the world (Other) can each have three types of permission, but you don't have to grant all of them. The table below shows the permission of the dumm directory:
Object Type: | User: | Group: | World(Other): |
d | rwx | r-x | r-x |
The string is split after the first character, and then after every third character. Again, this is the permission of the dumm directory:
drwxr-xr-x
The first character is the type of object, and in our case it is a directory. d represents a directory; if it were a file, it would be represented by a dash (-), and if it were a link, you would see a lowercase l.
The rest of the fields all have three characters, starting with the user (rwx); this is the permission that applies to the user. In our case we have:
drwxr-xr-x 4 dumm dumm 4096 Feb 3 04:02 dumm
The third field represents the user, and it shows that the permission string (rwx) applies to the user "dumm".
The string (r-x) applies to the group dumm, and the last string (r-x) applies to the world, which is also called others.
Let's carefully look into the meaning of each permission:
Object Type: | User (dumm): | Group (dumm): | World (others): |
d | rwx | r-x | r-x |
directory | The user dumm can view the content of the directory, can modify the files and can cd (change directory) into the directory | Can go into the directory but cannot alter files within the directory | Can go into the directory but cannot alter files within the directory |
Again, if you are confused, this is what permission means for a directory:
Note: Don't worry, we would look at possible scenarios later.
r | The content of the directory can be viewed; a user can see the item in the room but can't enter or alter the items in the room |
w | The content of the directory can be altered but this is not useful if you can't go into the directory/room; it kinda makes sense, if you can't go into a room, how do you wanna alter the files in the room, which brings us to... |
x | execute permission - it means you can go into the room/directory but you can only alter the items in the directory if you have the write(w) permission. |
We have cleared up the directory part, so let's understand permission on files in our Linux system. Note that you can always refer back to the tables above for the meaning of permissions on directories and files.
An example file on my system:
Let's understand the permission of the mydiary.txt file:
You can see that dumm is the owning user of mydiary.txt, and the file is assigned to the root group. Since this is a confidential file, I decided to assign it to the root group, but it can be any group: you can have an accounting group for accounting-related files, a manager group, etc.
-rw-r--r-- 1 dumm root 0 Feb 8 01:22 mydiary.txt
The first character, which is a dash (-), signifies that the object is a file. It is readable and writable by user dumm, and readable by everyone else (group and 'other or world'). Personally, I wouldn't want the diary file to be readable by Other/World considering it is confidential; I'll show you how to change this later.
Meaning of the permission on the mydiary.txt file
Object Type: | User (dumm): | Group (root): | World (others): |
- | rw- | r-- | r-- |
file | User dumm can read and write to this file | Readable by group | Readable by others |
Again, if you are confused, this is what permission means for a file:
r | The file can be read; this is more of like interacting with the items in the room (e.g sitting on the couch) |
w | The file can be written to; this is more of like repairing an item or like customizing the look of an item in the room |
x | The file can be executed as a program; this is like carrying the item to another room in the apartment |
As I have outlined above, permissions are read differently depending on the context of either a file or a directory.
The next stage is learning how to alter the permission. Remember I said I don't want the mydiary.txt file to be readable by the World (others).
Altering File/Directory Permission in Linux
chmod is the command we use to alter file permissions; you can use it for directories too.
To remove the read access for "Other", you run the following command, assuming we are already in the directory where the file resides:
chmod o-r mydiary.txt
If you are not in the directory where the file resides, you include the full path:
chmod o-r /home/dumm/mydiary.txt
The command above removes the r bit from other (o-r); it is basically saying, "hey chmod, remove r from other". This is the output:
If I wanted to add this bit back, I'd use chmod o+r on the file. You get the idea, right? Here are some examples:
chmod u+r <filename> | This adds the r (read) bit to the user of the object |
chmod u-r <filename> | This removes the r (read) bit from the user of the object |
chmod u+rw <filename> | This adds the rw (read and write) bits to the user of the object |
chmod u-rw <filename> | This removes the rw (read and write) bits from the user of the object |
chmod u+rwx <filename> | This adds the rwx (read, write and execute) bits to the user of the object |
chmod u-rwx <filename> | This removes the rwx (read, write and execute) bits from the user of the object |
chmod g+rw <filename> | This adds the rw (read and write) bits to the group of the object |
chmod o-rwx <filename> | This removes the rwx (read, write and execute) bits from the other of the object |
chmod og+rw <filename> | This adds the rw (read and write) bits to other and group of the object |
chmod u=rw <filename> | This overrides all the current permissions of the user with rw (read-write); for example, if the current permission was rwx, then u=rw would remove all that and replace it with rw. |
chmod a=rw <filename> | This overrides all the current permissions of user, group & others with rw (read-write); for example, if the current permission was rwx, then a=rw replaces it for all with rw |
chmod a=rwx <filename> | This replaces all current permissions of the user, group & other with rwx (read, write and execute); you wouldn't wanna try this. |
You can see some possible combos, play with those a bit on your system before you continue reading.
Note: You can also use chmod on directories, the same syntax applies.
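The mydiary.txt case above, as an added shell example (not from the original article): it lists every file in a directory that "other" can still read, write or execute, then removes those bits with the same chmod o-rwx shown in the table. The function names and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the article's own code. Function names and the
# sample files below are assumptions made for illustration.

# List regular files under directory $1 on which "other" holds r, w or x.
# Each "-perm -o=<bit>" test matches when that bit is set; the bare "-o"
# between the tests is find's OR operator.
other_accessible() {
    find "$1" -type f \( -perm -o=r -o -perm -o=w -o -perm -o=x \) | sort
}

# Apply `chmod o-rwx` to each of those files and report what was changed.
# Paths containing newlines are not handled by this line-based loop.
revoke_other() {
    other_accessible "$1" | while IFS= read -r f; do
        chmod o-rwx "$f" && printf 'revoked other access: %s\n' "$f"
    done
}

# Constructed sample data: a throwaway directory standing in for /home/dumm.
make_sample_home() {
    d=$(mktemp -d) || return 1
    : > "$d/mydiary.txt"; chmod u=rw,g=r,o=r "$d/mydiary.txt"  # -rw-r--r--
    : > "$d/secret.txt";  chmod u=rw,g=,o=   "$d/secret.txt"   # -rw-------
    : > "$d/run.sh";      chmod a=rwx        "$d/run.sh"       # -rwxrwxrwx
    printf '%s\n' "$d"
}

sample=$(make_sample_home)
echo "before:"; other_accessible "$sample"
revoke_other "$sample"
echo "after:";  other_accessible "$sample"
rm -rf "$sample"
```

Group bits are left untouched, so a file that was rw-r--r-- ends up rw-r-----.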
Altering File/Directory Permission Using Octal Values in Linux
That is one way of altering file/directory permission; the other way is to use octal values to manage and modify permission. This is what you will most likely be working with, and it is a whole lot easier once you grasp the concept.
If you want to understand this method from the ground up, the trick is understanding how binary numbering works: a binary digit (bit) can be in one of two states, 1 or 0.
Octal is base-8 (a numbering system that only uses the digits 0-7), and each octal digit groups three bits. It means three bits can represent the values 0-7.
Since there are only 8 digits (from 0 to 7) in the octal number system, we can represent any digit of the octal number system using only 3 bits, as follows:
Octal Value | Binary Equivalent |
0 | 000 |
1 | 001 |
2 | 010 |
3 | 011 |
4 | 100 |
5 | 101 |
6 | 110 |
7 | 111 |
The question is why we are using 3 bits and how I am getting those values. Octal is base 8, and 8 is equal to 2^3, so three bits cover every octal digit. To get the values, use the 4 2 1 method.
This is how it works: first, we have 4 2 1. If we want to convert octal value zero (0) to binary, we represent all three digits with zero placeholders, because there isn't a way to get zero from 4 2 1. Let's try another example.
If we have octal value 3, the binary equivalent is 011, because 2 and 1 sum to 3, and since we didn't use 4, we put a zero as a placeholder:
so, 4 2 1 = 0 1 1
If we have octal value 5, the binary equivalent is 101, because 4 and 1 sum to 5, so you replace 4 and 1 with 1, and you put a zero as a placeholder for the one we didn't use:
4 2 1 = 1 0 1
For octal value 2, we have 4 2 1 = 0 1 0
There are other ways to convert this, but this method is not only faster, it also helps in understanding the concept in general.
Now, let's head to the interesting part: how do we utilize the octal value for permissions? The rwx strings line up exactly with the three-digit binary representations.
To actually represent the permissions in binary, you look at where you have a permission string, and you place a 1 for each and every place you see a permission string. If there is a dash, put a zero as a placeholder:
Let's take the diary file as an example:
-rw-r--r-- 1 dumm root 0 Feb 8 01:22 mydiary.txt
If we split the permission by user, group, and world, we have this:
user(dumm): rw-
group(root): r--
other: r--
Quoting from what I said above: "you place a 1 for each and every place you see a permission string. If there is a dash, put a zero as a placeholder" which gives us:
- user(dumm): rw- = 110
- group(root): r-- = 100
- other: r-- = 100
or you say we have 110 100 100 in binary
These are still in binary. To build the octal, you can either use the table or imagine having 4 2 1 in your mind, for example:
- 110 gives us 4+2+0 = 6
- 100 gives us 4+0+0 = 4
- 100 gives us 4+0+0 = 4
or you say we have 644:
It is as simple as that, the permission for the mydiary.txt is 644
Let's try another example:
drwxr-xr-x 4 dumm dumm 4096 Feb 3 04:02 dumm
Quoting again: "you place a 1 for each and every place you see a permission string. If there is a dash, put a zero as a placeholder" which gives us:
- user(dumm): rwx = 111
- group(dumm): r-x = 101
- other: r-x = 101
or you say we have 111 101 101 in binary
These are still in binary. To build the octal, you can either use the table or imagine having 4 2 1 in your mind, for example:
- 111 gives us 4+2+1 = 7
- 101 gives us 4+0+1 = 5
- 101 gives us 4+0+1 = 5
or you say we have 755:
It is as simple as that, the permission for the directory dumm is 755
It may look as if I am throwing out random numbers, so we can confirm this by displaying the file permission in octal format on our Linux system. To do this, we use the stat command with a few format parameters. Some parameters you can use with the stat command are:
- %a – Shows permissions in octal format
- %A – Shows permissions in human-friendly format (like in ls -l)
- %n – Show the file name
Let's try this on our dumm directory:
stat -c %a%A%n dumm
That looks rough; to separate the fields, use this command:
stat -c '%a %A %n' dumm
Better. You can view the man page to learn more about the stat command.
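The 4 2 1 conversion walked through above, as an added shell example (not code from the original article): sym_to_octal turns an ls -l permission string into its octal value, and verify_path compares the result with what stat reports. The function names are assumptions, and the handling of the s/S and t/T characters (setuid, setgid, sticky) goes beyond the rwx cases the article covers.

```shell
#!/bin/sh
# Added example, not the article's own code. Function names are assumptions.

# Convert one three-character triad (e.g. "r-x") to its octal digit: 4 2 1.
# A lowercase s or t in the last position means x is set as well.
triad_to_digit() {
    n=0
    case $1 in r??) n=$((n + 4));; esac
    case $1 in ?w?) n=$((n + 2));; esac
    case $1 in ??[xst]) n=$((n + 1));; esac
    printf '%s' "$n"
}

# Convert a full string such as "drwxr-xr-x" to octal. Only the first ten
# characters are used, because ls may append "." or "+" after them.
sym_to_octal() {
    case $1 in
        [-dlbcps][-r][-w][-xsS][-r][-w][-xsS][-r][-w][-xtT]*) ;;
        *) echo "not a permission string: $1" >&2; return 1;;
    esac
    u=$(printf '%s' "$1" | cut -c2-4)
    g=$(printf '%s' "$1" | cut -c5-7)
    o=$(printf '%s' "$1" | cut -c8-10)
    special=0
    case $u in ??[sS]) special=$((special + 4));; esac   # setuid
    case $g in ??[sS]) special=$((special + 2));; esac   # setgid
    case $o in ??[tT]) special=$((special + 1));; esac   # sticky
    digits="$(triad_to_digit "$u")$(triad_to_digit "$g")$(triad_to_digit "$o")"
    [ "$special" -eq 0 ] || digits="$special$digits"
    printf '%s\n' "$digits"
}

# Succeeds when the hand conversion of `stat -c %A` agrees with `stat -c %a`.
# Both values are read as octal numbers so that "007" and "7" compare equal.
verify_path() {
    mine=$(sym_to_octal "$(stat -c %A "$1")") || return 1
    [ "$(printf '%d' "0$mine")" = "$(printf '%d' "0$(stat -c %a "$1")")" ]
}

sym_to_octal '-rw-r--r--'   # mydiary.txt: 644
sym_to_octal 'drwxr-xr-x'   # dumm: 755
```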
But, how do we change the permission using the octal value?
You can use chmod as we did before, just that this time we are dealing with octal values. Some examples:
- chmod 600 filename
- chmod 755 filename
- chmod 740 filename
- chmod 770 filename
I think we have covered a lot about permissions already. One more thing I would love to share with you is how to grant user or group permission to an object.
How to Change File Ownership & Groups in Linux
We can change user and group ownership of a directory or file using the chown command.
For example, if we wanted to change the owner of the dumm directory to user james, you could use the following command:
sudo chown james dumm
If you want to change the group assignment of an object, you can use the following syntax:
sudo chown james:manager dumm
This would change both the user and group of the directory. To change only the group of an object, you can use the chgrp command, e.g.:
sudo chgrp root dumm
I have covered so much already, so I will be saving my words for future articles; there is still tons of interesting stuff to share. Please comment if you have any questions, and if you spotted an error, you are very welcome to point it out. Bye for now.