file permissions linux article

Submit Your Article

Latest Articles

Editor's Choice

Article Categories

Join Linux Forums Today

Win Great Prizes

Home Forums Articles Marketplace Downloads Hosting Freebies Jobs Login

Applications | Desktop | Installation | Misc | Multimedia | Network | Programming | Reviews | Security | Servers

Welcome to Linux Forums! With a comprehensive Linux Forum, information on various types of Linux software and many Linux Reviews articles, we have all the knowledge you need a click away, oraccessible via our knowledgeable members.

Find the answer to your Linux question: Entire Site GET THE ANSWER

Write an article for LinuxForums Today! Win Great Prizes! Are you a Linux Guru who is willing to share your in-depth Linuxknowledge? Try our new Article submission system.

Any member can post an article to share with the rest of thecommunity.All submissions become eligible for our monthly giveaways.Become a respected contributor to the ever-growing Linux family.

Site Navigation

Linux Forums

Linux Articles

Product Showcase

Linux Downloads

Linux Hosting

Free Magazines

Job Board

IRC Chat

RSS Feeds

Free Publications

File Permissions

User Score

Editor Score

Contributed by: Clement Lefebvre

Category: Security

Distribution: All

Views: 433176

License: Linux Forums Article License

Posted: 05 April, 2006

Tools » Bookmark Share Comment

In GNU/Linux, file access is restricted. Users don't necessarily have the same rights when it comes to deleting,executing or even reading files. In fact, every file contain data such as its owner, its permissions and otherinformation which defines exactly what can be done with it, and by whom.

Note: GNU/Linux treats everything as a file. As a consequence, directories use the same permission scheme.

Understanding file permissionsIn GNU/Linux every user has his own user account, and is a member of one or more user groups. Similarly, each filebelongs to a user and to a user group. For restricting file access, GNU/Linux (and Unix in general) defines threedifferent types of rights:

- Read (symbolized by the letter r), which means that the file can be read;- Write (symbolized by the letter w), which means that the content of the file can be changed;- Execute (symbolized by the letter x), which means that the file can be executed.

For each file, each of these rights (Read, Write and Execute) are defined for three sets of users :

- The user (symbolized by the letter u), who is the owner of the file.- The group (symbolized by the letter g), who represents all the users who are members of the group which the filebelongs to (as a file belongs both to a user, and a user group).- The others (symbolized by the letter o), who basically represent all the users that are neither members of thegroup nor the owner of the file.

For instance, if a file belongs to George (as the owner) and Administrators (as the group), it can define differentRead, Write and Execute permissions for George, for members of the "Administrators" group, and for all other users.

Reading file permissions : ls -lAll information related to file permissions is contained within the file and can be viewed by the "ls -l" command:

ls -l myfile-rwxr-x--- 1 george administrators 10 2006-03-09 21:31 myfile

As you can see in this example, the "ls -l" command gives a lot of information about the file "myfile":

- Its name, "myfile";- Its permissions, "-rwxr-x---";- Its owner, "george";- Its group, "administrators";

File Permissions Linux article http://www.linuxforums.org/articles/file-permissions_94.html

1 of 9 11/24/2012 3:54 PM

- And other information which is not relevant to this article.

The way permissions are shown can seem a bit confusing if you're new to GNU/Linux or Unix, but don't be mistaken,it is very simple. The first character simply indicates the type of file as indicated in the table below:

Character Type of file- regular filed directoryl symbolic links socketp named pipe

c character device file(unbuffered)

b blocked device file (buffered)

In this case myfile is a regular file. Let's have a look at the other nine characters: "rwxr-x---".

The first three characters indicate whether or not the read, write and execute permissions are given to the owner (inthis case, George). If they are, their character representation appear (r, w or x), otherwise they are replaced by thecharacter "-". In the same manner, the next three characters indicate whether or not these permissions are given tothe group (in this case, Administrators). Finally, the last three characters indicate whether the same rights are givento the others (in this case, people who are not members of the Administrators group).

Letter Permissionr Readw Writex Execute, Go through (for directories)- No permission

Letter Type of usersu User (owner of the file)g Group (group to which belong the file)

o Other (users who are neither a member of the Group nor the owner of thefile)

a All (everybody)

So, in our example myfile features the following set of permissions : "

rwxr-x---

". This means that George has all three rights on it, that members of the Administrators group can only read (R) andexecute (X) the file, and that everybody else can't do anything with the file.

You could imagine that this file, written and maintained by George could be an executable script dedicated to theadministrators and not made available to other users.. but hey.. this is only an example, so let's not assume toomuch :) The important thing is that you now understand the concept of file permissions and that you know how toread them using the "ls -l" command. The next step is to learn how to change them.

Changing file permissions : chmodYou can change the permissions of your files (or other people's files if you're the root superuser) by using thecommand "chmod". The syntax is very simple. For instance if George decides to give write permissions to theadministrators, he will type:

chmod g+w myfile

g represents the group of the file (administrators).w represents the write permission.+ represents the fact that the permission is added.

If George then lists the permissions using ls -l he obtains:

ls -l myfile-rwxrwx--- 1 george administrators 10 2006-03-09 21:31 myfile

As you can see, the administrators now have write access to the file, and permission to change its content.

The "chmod" command takes 4 parameters:

- The type of users to apply the change of permissions for (u for user, g for group, o for others, a combination ofthem or a for all three of them).- The type of change to make (+ to add permissions, - to remove permissions, = to define permissions)- The type of permissions to apply the change with (r for read, w for write, x for execute)- The file or group of files to apply the change on (filename for a precise file, but wildcard characters for multiplefiles)

Let's have a look at a few examples:

- chmod o+r myfile adds read permission to the others on myfile;- chmod ug+rx myfile adds read and execute permissions to both the owner (user) and the group on myfile;- chmod a-rwx myfile removes all permissions to everybody (all) on myfile;- chmod a=rx *.txt defines permissions to be read and write to everybody on all files suffixed by .txt.

The chmod command also accepts another syntax which is quite popular among system administrators: the octalsystem. Rather than using letters such as u, g, o, a, r, w and x.. you can use octal numbers. The main advantage isthat once you're used to it, it is faster to use. Also, because it sets permissions rather than adding or removingthem, you don't accidentally overlook anything. Here is how the octal numbers work:

Each permission is given a value:

Permission Value


2 of 9 11/24/2012 3:54 PM

- 0x 1w 2r 4

Values add up when you combine permissions. Consequently the total value can go from 0 (no permission at all) to7 (full permissions):

Permission Value--- 0--x 1-w- 2-wx 3r-- 4r-x 5rw- 6rwx 7

Finally a value is given for each of the three types of users (User, Group and Other) and these three numbersranging from 0 to 7 are put together to form the octal number. This is the number you can use with "chmod".

For instance:

chmod 750 myfile

750 means 7 (rwx) for the owner, 5 (r-x) for the group and 0 (---) for others. As a result, the permissions of myfilewill be "rwxr-x---". As seen above this command is equivalent to:

chmod u=rwx,g=rx myfile; chmod o-rwx myfile;

Here are some common uses of the octal numbers:

- chmod 755 myfile : rwxr-xr-x, all rights to the owner, other people only read and execute;- chmod 644 myfile : rw-r--r--, owner car read and write, other people only read;- chmod 777 myfile : can be considered bad practice in some cases, full permissions to everybody.

Changing file owner or group : chown, chgrpYou can give ownership of your files to somebody else, or change the group that they belong to, by using thecommands "chown" and "chgrp". "chown" allows you yo change the owner of the file, and "chgrp" allows you tochange its group.

For instance, if George decides to give ownership of myfile to Robert, he can simply type:

chown robert myfile

Also, if Robert later on decides to make the file only available to members of the group "SeniorAdmin" group ratherthan to those of the group "Administrators", he can type:

chgrp senioradmin myfile

Note: The "chown" command also allows to change the group ownership. In fact George could have directly typedthe following command:

chown robert:senioradmin myfile

Setting the sticky bit on a directory : chmod +t

If you have a look at the /tmp permissions, in most GNU/Linux distributions, you'll see the following:

clem@pluto:/$ ls -l | grep tmpdrwxrwxrwt 10 root root 4096 2006-03-10 12:40 tmp

The "t" in the end of the permissions is called the "sticky bit". It replaces the "x" and indicates that in this directory,files can only be deleted by their owners, the owner of the directory or the root superuser. This way, it is not enoughfor a user to have write permission on /tmp, he also needs to be the owner of the file to be able to delete it.

In order to set or to remove the sticky bit, use the following commands:

chmod +t tmpchmod -t tmp

Setting the SGID attribute on a directory : chmod g+sIf the SGID (Set Group Identification) attribute is set on a directory, files created in that directory inherit its groupownership. If the SGID is not set the file's group ownership corresponds to the user's default group.

In order to set the SGID on a directory or to remove it, use the following commands:

chmod g+s directorychmod g-s directory

When set, the SGID attribute is represented by the letter "s" which replaces the "x" in the group permissions:

ls -l directorydrwxrwsr-x 10 george administrators 4096 2006-03-10 12:50 directory

Setting SUID and SGID attributes on executable files :chmod u+s, chmod g+sBy default, when a user executes a file, the process which results in this execution has the same permissions as


3 of 9 11/24/2012 3:54 PM

Security Warning

useful

mr.

what is the 10, and what is the 4096?

those of the user. In fact, the process inherits his default group and user identification.

If you set the SUID attribute on an executable file, the process resulting in its execution doesn't use the user'sidentification but the user identification of the file owner.

For instance, consider the script myscript.sh which tries to write things into mylog.log :

ls -l-rwxrwxrwx 10 george administrators 4096 2006-03-10 12:50 myscript.sh-rwxrwx--- 10 george administrators 4096 2006-03-10 12:50 mylog.log

As you can see in this example, George gave full permissions to everybody on myscript.sh but he forgot to do so onmylog.log. When Robert executes myscript.sh, the process runs using Robert's user identification and Robert'sdefault group (robert:senioradmin). As a consequence, myscript fails and reports that it can't write in mylog.log.

In order to fix this problem George could simply give full permissions to everybody on mylog.log. But this wouldmake it possible for anybody to write in mylog.log, and George only wants this file to be updated by his myscript.shprogram. For this he sets the SUID bit on myscript.sh:

chmod u+s myscript.sh

As a consequence, when a user executes the script the resulting process uses George's user identification ratherthan the user's. If set on an executable file, the SUID makes the process inherit the owner's user identificationrather than the one of the user who executed it. This fixes the problem, and even though nobody but George canwrite directly in mylog.log, anybody can execute myscript.sh which updates the file content.

Similarly, it is possible to set the SGID attribute on an executable file. This makes the process use the owner'sdefault group instead of the user's one. This is done by:

chmod g+s myscript.sh

By setting SUID and SGID attributes the owner makes it possible for other users to execute the file as if they werehim or members of his default group.

The SUID and GUID are represented by a "s" which replaces the "x" character respectively in the user and grouppermissions:

chmod u+s myscript.shls -l-rwsrwxrwx 10 george administrators 4096 2006-03-10 12:50 myscript.shchmod u-s myscript.shchmod g+s myscript.shls -l-rwxrwsrwx 10 george administrators 4096 2006-03-10 12:50 myscript.sh

Setting the default file creation permissions : umaskWhen a file is created, its permissions are set by default depending on the umask setting. This value is usually setfor all users in /etc/profile and can be obtained by typing:

umask

The default umask value is usually 022. It is an octal number which indicates what rights will be removed by defaultto all new files. For instance, 022 indicates that write permissions will not be given to group and other.

By default, and with a umask of 000, files get mode 666 and directories get mode 777. As a result, with a defaultumask value of 022, newly created files get a default mode 644 (666 - 022 = 644) and directories get a defaultmode 755 (777 - 022 = 755).

In order to change the umask value, simply use the umask command and give it an octal number. For instance, ifyou want all new directories to get permissions rwxr-xr--- and files to get permissions rw-r----- by default (modes750 and 640), you'll need to use a umask value which removes all rights to other, and write permissions to thegroup : 027. The command to use is:

umask 027

Rate This Article: poor excellent Rate it!

Comments about this article

writen by: Scott on 2006-04-05 16:36:01Be very careful when using SUID/SGID. If you follow the instructions above, then any user can become youand take full controll of whatever you can do, since the SUID file is world-writable. Imagine what wouldhappen if the file were owned by root! No one should use SUID/SGID without a [b]thourough[/b]understanding of the security implications.

writen by: Ashish on 2006-04-06 11:33:05quite good in content. the last part was new to me

writen by: Anatoly on 2006-04-07 02:56:04please, correct the article, to change line "ls -l | grep tmp" to "ls -ld tmp" , it's no good to teach people tobad behaviour... thanks

writen by: Rich on 2006-04-07 17:33:12clem@pluto:/$ ls -l | grep tmp drwxrwxrwt [b]10[/b] root root [b]4096[/b] 2006-03-10 12:40 tmp


4 of 9 11/24/2012 3:54 PM

answers

its like this...

10 and 4096

Typo?

yup

Administrator

umask

typo ?

thx

Permission

need help

n00b external drive permissions

writen by: Lauri on 2006-04-09 08:59:39I recommend you use ls -l tmp instead of pipes 10 tells that the folder tmp/ contains 10 files and 4096 is thesize of the file

writen by: lewis donofrio on 2006-04-09 16:17:03the 10 is 'link count' or how many files are inside that dir, and the 4096 is the size of the files (I believe)

writen by: Chris on 2006-04-09 16:35:0110 are the number of symbolic links where this dir/file pointed to, and 4096 is the size in byte.

writen by: Florian on 2006-04-12 16:19:57About half way through the article is this line... [i] - chmod a=rx *.txt defines permissions to be read andwrite to everybody on all files suffixed by .txt.[/i] Wouldn't it be a=rw instead for write?

writen by: Blitze105 on 2006-06-07 03:45:21typos happen. Excellent guide, i bought a book on linux just to see if it was for me and i thought after i readabout half the book that i would never get it.. my advice to you is this: write a book make money you taughtme more than about 450 pages of that moron's writing :D

writen by: Pravat on 2006-10-27 00:45:04[b]Damn good for newbies...[/b]

writen by: Heiko Rommel on 2006-11-29 10:38:12In the explanation of umask above I read "666 - 022 = 644" That's ok if you subtract from 777 or 666 (that'swhere umask starts), but the notion is somewhat misleading. I think it would be better to use the symbolicnames like "umask u=rwx,g=rx,o=x" for "umask 0026" For displaying the current settings, use "umask -S"In addition, the use of the symbolic names is more like positive thinking since it expresses what rights youwant to give to users/groups/others in contrast to what rights you want to take away ;)

writen by: Izwalito on 2007-01-08 10:54:48Last chapter reads: [quote]For instance, if you want all new directories to get permissions rwxr-x[b]r[/b]---and files to get permissions rw-r----- by default (modes 750 and 640),[/quote] Seems to me that 'r' is a typoand should be ignored. you can tell sumthing wrong cause there are 10 characters instead of 9, and you cantell that 'r' shouldn't be there by crosscheking mode 750 with octal values shown before in the article. thatsaid, this is a nice simple article that covers pretty much everything one needs to know to understand filepermissions. kudos.

writen by: Sheik on 2007-01-12 22:25:12Omg thank you so much. This is one of those things that would be covered in some 500 page book that Iwould never understand. You have told me everything i need to know and saved me countless hours ofscrewing around. Thanks heaps :D

writen by: Jitendra on 2007-01-19 06:19:51

writen by: saurav on 2007-02-06 21:58:041. a umask that would give no permissions (r, w, and x) to group users and other users. 2. perl script thatsubmits messages (you can use any example messages) to syslog with facility “user”. (May require rootaccess) 3. Perl script which goes through the password file /etc/passwd entries one by one and points outpossible problems. The potential problems to check for are: • Find any entries that have UID 0; • Find anyentries that have no password (need to access /etc/shadow) • Find any set of entries that have duplicateUIDs • Find any set of entries that have duplicate login names • Find any entries that have no expiration date(need to access /etc/shadow) After you finish this perl script and test that it works correctly, use cron toschedule this script to run at 3:00am everyday. By default, you will get an email each time your cron jobruns. Configure the crontab file to disable this feature (i.e., do not send emails). 4. Using man pages for du,sort, and head commands as references, write a perl script that determines which 10 directories have thelargest file space usage on your system. 5. perl script that finds all the hard links on a filesystem.

writen by: joji sri bananaramananda on 2007-02-14 03:12:49Greetings all. I have just started running ubuntu and occasionally dyne:bolic on my toshiba satallitepro 6100,after years of abusing myself with micro$oft crap. My Western Dig. external drive has always been in the oldpooey system, and has an ntfs filesys. i totally bailed on using any MS poo, and now when i want toreorganize and do upkeep and save new files on the External HD, I of course get write-protect/read-onlyerrors. to do anything other than read-only, i must go find a MS-running system. boring! Q:can i change thisfrom within my linux platforms and/or linux command shell? and how? any help greatly appreciated!


5 of 9 11/24/2012 3:54 PM

RE: n00b external drive permissions

Device Permissions

Device permissions

Loggin permissions violations?

File permissions problem

mad

file permissions

Don't buy a new external drive. Use syst

I cannot modify the permission

none

report

Teacher

RE: Teacher

Linux

lin

hbighi

writen by: disccomp on 2009-12-09 15:08:11I've had the same problem in past; Be sure the NTFS driver you are using is not READ ONLY, ntfs-3g forinstance is a stable Read/Write driver.

writen by: Osric on 2007-02-21 09:36:43What do the rwx permissions mean when applied to device files?

writen by: me on 2007-03-08 22:05:26

writen by: Wojtek Grabski on 2007-03-18 08:56:07Just a quickie.. is there a way to log failed file reads? I constantly run into problems due to specificpermissions being pre-set by Plesk and would like to know what SPECIFIC permissions problems areencountered by php scripts running on the server. Something that would include date/time, file, attemptinguser info would be the most useful. Does the syslog store this kind of data? Thanks.

writen by: Pedro Ordonez on 2007-03-22 19:43:12I am in trouble, please help. I installed Suse 10.2 but I have a SATA dirve that was giving me troubleconfiguring GRUB so I unplugged it and installed Linux. Now I can boot from both drives, but could notaccess the files on the SATA because it was not mounted. I mounted it but the permissions are dr-x------ soas root I cannot change the permissions for these files and I need the group to be able to have full acess.How can I fix this?

writen by: jyotsna on 2007-04-27 05:12:04

writen by: mbanks on 2007-04-29 14:57:57

writen by: Mateus Denigris on 2007-05-04 16:25:33

writen by: anand babu on 2007-05-15 08:32:18hi all, I am one of Linux lover. my probles is quiet simple but i am unfortunate to sole tat. my problem: i havan 160 GB hard disk in my Dell Machine.... so i created a seperate vfat partition of 49GB(/dev/sda3) which ismounted as /backup for windows backup.... i copied some datas from my windows pc to this partition(/dev/sda3) thru winscp... My problem is " I cannot change the permissions of the files in /backup which ismounted in /dev/sda3" Solution 4 my problem will be much more appreciable... "Thanx in advance"

writen by: Bayard on 2007-07-16 23:24:27From what I have read you can't change permissions for files in VFAT volumes.

writen by: vedakumar on 2007-10-04 06:03:57

writen by: mike on 2008-01-05 12:53:31Hello, One of my students pointed out a useful video tutorial on file permissions for all those newbies.http://www.veoh.com/videos/v2078094HhAcWKp8 hope this helps. Mike

writen by: disccomp on 2009-12-09 15:15:45Correct URL: http://www.veoh.com/browse/videos/category/educational/watch/v2078094HhAcWKp8#watch=v2061669XeXtWJd5

writen by: john on 2008-02-21 11:27:22

writen by: michaek on 2008-02-21 14:39:16


6 of 9 11/24/2012 3:54 PM

how we create a spicel permison on the u

10 are the number of symbolic links wher

permission

Mr

How do I set the user of the public_html

linux beginner

linux beginner

app admin

it doesnt seem to work

Gud article

owner cannot delete created or modified file

writen by: gufufu on 2008-02-21 17:05:43

writen by: gotam tyagi on 2008-03-12 08:35:40sir

writen by: gotam on 2008-03-12 08:37:44xdsd

writen by: DEEPAK SHARMA on 2008-06-27 11:14:18how to give permission to user

writen by: Pradeep on 2008-07-16 00:09:27Hey guys, Can you please tell me if 1. "!!" means that the password is expired and the user will not be ableto login? 2. "*" means that the userid is locked?

writen by: Brian on 2008-08-26 13:48:26Hi, What command do I use to set the user for the public_html? Currently mine looks like this: drwxr-x--- 5username nobody 4096 August 22 public_html Thanks!

writen by: faisal on 2008-09-21 12:24:22

writen by: faisal on 2008-09-21 13:17:01

writen by: Anonymous on 2008-12-08 19:17:10

writen by: Anonymous on 2009-01-07 07:57:52

writen by: Jason on 2009-03-02 12:50:05I'm not sure if anyone else has mentioned this since I haven't read all comments but there's a typo in thelast paragraph: "In order to change the umask value, simply use the umask command and give it an octalnumber. For instance, if you want all new directories to get permissions rwxr-xr--- and files to getpermissions rw-r----- by default (modes 750 and 640),... " rwxr-xr--- should actually read rwxr-x--- if themode should be set to 750 in this example. It looks more like 754 as is.

writen by: doccpu on 2009-11-16 02:03:28I have tried to figure it out for years. unless i am rooot i cant read or edit a file.i change the permissions of motion.conf to root/motion rwrwr-i ( david) am a member of group motionbut in gui i cant read or edit motion.conf. from a terminal Gedit says i have no priviledges to read or edit it.well hell ls-l shows rw-rw-r-- so motion has permission i am a member of motion. why cant i edit it?dhorner at usa tod net

the gui says i am in the motion group but am i really?adduser says The user `david' is already a member of `motion'.so why cant i read or edit the file? :confused:

writen by: mohiyadeen on 2010-03-14 12:19:30It explains about SUID with a simple example...Thanks!

writen by: VidyaEvolution on 2012-08-17 05:48:27hello,

i am searching for a way to set permissions on folder and the contents. The rule is as such that the only thesuperUser can delete contents of the folder. Users can add, view, modify But NOT delete the files in thedirectory. Please tell me if you got any solution for this.

Thank you


7 of 9 11/24/2012 3:54 PM












Thank you



Thank you



Thank you



Thank you



Thank you



Thank you



Thank you



Thank you

writen by: VidyaEvolution on 2012-08-17 05:48:44


8 of 9 11/24/2012 3:54 PM


hello,


Thank you

writen by: VidyaEvolution on 2012-08-17 05:50:05Hello,


Thank you

Comment title: * please do not put yourresponse text here

Submit comment

Advertise About Us Contact Us Write For Us Forum Archive Privacy Top All Areas SEARCH

© 2000 - 2012 - All Rights Reserved - Property of


9 of 9 11/24/2012 3:54 PM

file permissions linux article

Documents