Linux Know-How provides a collection of introductory texts on often needed Linux skills.


File permissions

Linux (the same as any UNIX) is a secure, multiuser operating system, and this creates a level of complexity with "file permissions". Trouble with file permissions can lead to unexpected and nasty problems. Understanding file permissions is of utmost importance to be able to administer any multiuser operating system (be it UNIX, WinNT, or Linux). My advice would be: learn the system of Linux (or any UNIX) file permission conventions; you will not regret it.

File owners. Each file (or directory) belongs to an owner (normally a login name) and to a group. The owner is typically the person who created (or copied) the file. The group often consists of one person--the owner--and has a name identical to that of the owner, but it does not need to be so. A file can be removed (erased) only by the owner of the file, or a member of the group that owns the file, or root. Other users, however, may be able to modify or erase the contents of the file if they are given permission to do so--read on. The owner and the group that own the file are shown in the output of the ls -l command (="list in the long format"). For example, the command:

ls -l junk

produced this output on my screen:

-rwx------ 1 yogin inca 27 Apr 24 14:12 junk

This shows the file "junk", belonging to the owner "yogin" and to the group "inca".

The ownership of a file can be changed using the commands chown (change owner) and chgrp (change group), which are normally executed by root:

chown peter junk

chgrp peter junk

ls -l junk

After executing the above 3 lines, the command ls -l junk produces this output on my screen:

-rwx------ 1 peter peter 27 Apr 25 20:27 junk

Changing file ownership comes handy if you move/copy files around as root for use by other users. At the end of your housekeeping you typically want to hand the file ownership over to the proper user.

File permissions. Now, an owner of a file can make the file accessible in three modes: read (r), write (w) and execute (x) to three classes of users: owner (u), members of a group (g), others on the system (o). You can check the current access permissions using:

ls -l filename

If the file is accessible to all users (owner, group, others) in all three modes (read, write, execute) it will show:

-rwxrwxrwx

Skip the first "-" (it shows the type of file, and is "-" for normal files, "d" for directories, "l" for links, "c" for character devices, "b" for block devices, "p" for named pipes i.e. FIFO files, "f" for stacks i.e. LIFO files). After the initial "-" character, the first triplet shows the file permissions for the owner of the file, the second triplet shows the permissions for the group that owns the file, and the third triplet shows the permissions for other users. A permission that is not granted is shown as "-". Here is an output from the ls -l command on a file that is owned by root, for which the owner (root) has all permissions, but the group and others can only read and execute:

drwxr-xr-x 2 root root 21504 Apr 24 19:27 dev

The first letter "d" shows that the file is actually a directory.

You can change the permissions on a file which you own using the command chmod (="change mode"). For example, this command will add the permission to read the file "junk" to all (=user+group+others):

chmod a+r junk

In the command above, instead of "a" (="all"), I could have used "u", "g" or "o" (="user", "group" or "others"). Instead of "+" (="add the permission"), I could have used "-" or "=" ("remove the permission" or "set the permission"). Instead of "r" (="read permission"), I could have used "w" or "x" ("write permission" or "execute permission").

Second example. This command will remove the permission to execute the file "junk" from others:

chmod o-x junk

Instead of letters, one can also use numbers to specify the permissions. To understand how it works, look at this:

execute=1

write=2

read=4

The total permission for a class of users is the sum of the three. Thus:

0 = no permissions at all (neither to write, nor to read, nor to execute) (common)

1 = execute only (seems unusual)

2 = write only (seems unusual)

3 = write and execute (seems unusual)

4 = read only (common)

5 = read and execute (common)

6 = read and write (common)

7 = read, write and execute (common).

The permission for all three classes of users (owner, group, others) is obtained by gluing the three digits together one by one. For example, the command:

chmod 770 junk

will give the owner and the group the complete set of permissions, but no permissions to others. The command:

chmod 666 junk

gives all three classes of users (owner, group, others) the permissions to read and write (but not execute) the example file named "junk". Please note the "666". It is quite often used and, for at least one person I know, it is proof that Linux (any UNIX for that matter) is the work of the devil >:-0.

This command:

chmod 411 junk

would give the owner the permission to read only, and the group and others to execute only. This one does not seem useful, but might be funny, at least for those North American Linux users who dial 411 (telephone number) for directory assistance. Mail me if you can think of any other funny permissions (perhaps 007?).

The numerical way of representing file permissions is called "octal" because the numbers are written in base 8 (the decimal system's base is 10). The highest digit in the octal system is 7 (the octal system has eight digits: 0 to 7, analogous to the decimal system having ten digits: 0 to 9). The octal representation is really a convenient notation for the binary representation of file permissions, where each permission is flagged as "set" or "denied" with a one or a zero and the total is represented as a string of zeroes and ones, as in this diagram:

user class:                                owner  group  others
example permissions:                       rwx    rw-    r--
absent permissions:                        ---    --x    -wx
binary representation of the permissions:  111    110    100
octal representation of the binary:        7      6      4
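The conversion in the diagram above, carried out by a small shell script (an added example, not part of the original text): it turns the nine-character mode string that ls -l prints into the three octal digits chmod takes, and back, and then checks a real chmod on a throwaway temporary file. The function names are made up for this example; the mode strings are the page's own.

```sh
#!/bin/sh
# Added example. Each triplet of the "rwx" string is read as a binary number:
# r=4, w=2, x=1, "-"=0 (set-uid/set-gid/sticky shown as s/t count as x set).

# sym_to_octal "rwxrw-r--" -> "764"
sym_to_octal() {
    s=$1
    out=""
    i=0
    while [ "$i" -lt 9 ]; do
        triplet=$(printf '%s' "$s" | cut -c"$((i+1))-$((i+3))")
        d=0
        case $triplet in r??)     d=$((d+4));; esac
        case $triplet in ?w?)     d=$((d+2));; esac
        case $triplet in ??[xst]) d=$((d+1));; esac
        out="$out$d"
        i=$((i+3))
    done
    printf '%s\n' "$out"
}

# octal_to_sym "411" -> "r----x--x"
octal_to_sym() {
    o=$1
    out=""
    i=1
    while [ "$i" -le 3 ]; do
        d=$(printf '%s' "$o" | cut -c"$i")
        if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $((d & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
        i=$((i+1))
    done
    printf '%s\n' "$out"
}

# chmod_roundtrip "770": apply the octal mode to a constructed temporary
# file, read back what ls -l shows (characters 2-10), and return it as octal.
chmod_roundtrip() {
    f=$(mktemp) || return 1
    chmod "$1" "$f"
    m=$(ls -ld "$f" | cut -c2-10)
    rm -f "$f"
    sym_to_octal "$m"
}

printf 'rwxrw-r-- -> %s\n' "$(sym_to_octal rwxrw-r--)"   # 764
printf '411       -> %s\n' "$(octal_to_sym 411)"         # r----x--x
printf 'chmod 770 -> %s\n' "$(chmod_roundtrip 770)"      # 770
```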


Last Update: 2010-12-16