os:linux:file_permission

Introduction

In Linux, every object is a file. A directory or a folder is then also a file.

Linux follows the POSIX permissions model.

Metadata

A permission is a combination between:

an access right (read, write, execute)
and a user identification group ( owner, group or others)

Linux file permissions are thennine bits of information (3 types x 3 type of users), each of them may have just one of two values:

allowed
or denied.

Simply put:

for each file it can be specified who can read or write from/to the file.
for programs or scripts it also can be set if they are allowed to be executed.

Access

Every file or folder in Linux has access permissions. There are three types of permissions (what allowed to do with a file):

read access
write access
execute access

Difference in access permissions for files and folders

Access permissions for files and folders mean different things from the user standpoint. The table below shows the difference.

Access type	File	Folder
Read	If the file contents can be read	If the directory listing can be obtained
Write	If user or process can write to the file (change its contents)	If user or process can change directory contents somehow: create new or delete existing files in the directory or rename files.
Execute	If the file can be executed	If user or process can access the directory, that is, go to it (make it to be the current working directory)

Identification Information

Every file on your Linux system, including directories, is owned by a specific user and group. Therefore, file permissions are defined separately for users, groups, and others.

User/Owner (u) : The username of the person who owns the file. By default, the user who creates the file will become its owner.
Group (g): The usergroup that owns the file. All users who belong into the group that owns the file will have the same access permissions to the file. This is useful if, for example, you have a project that requires a bunch of different users to be able to access certain files, while others can't. In that case, you'll add all the users into the same group, make sure the required files are owned by that group, and set the file's group permissions accordingly.
Other (o): A user who isn't the owner of the file and doesn't belong in the same group the file does. In other words, if you set a permission for the “other” category, it will affect everyone else by default. For this reason, people often talk about setting the “world” permission bit when they mean setting the permissions for “other.”

File permissions notation

Textual representation like “-rwxr–r–”

It is used in Linux long directory listings. It consists of the 10 first characters.

[nicolasg@hasbitdb01 /]$ dir -l
total 158
drwxr-xr-x   2 root root  4096 Feb 11 04:02 bin
drwxr-xr-x   4 root root  1024 Feb 10 15:42 boot
drwxr-xr-x  16 root root  5780 Feb 16 16:10 dev
drwxr-xr-x  90 root root 12288 Mar 17 04:02 etc
drwxr-xr-x  12 root root  4096 Mar 11 15:08 home

Symbol Position	Description
0	the file type. It is either * d if the item is a directory, * l if it is a link, * or - if the item is a regular file.
1 to 3	permissions for the owner of the file
4 to 6	permissions for the group.
7 to 9	permissions for others.

Permissions symbol	Description
r	Read access is allowed
w	Write access is allowed
x	Execute access is allowed
-	Access is denied

Numeric

Structure:

number has 3 figures (for instance 022) respectively for
- owner
- group
- world or others
the figure which set the permission can take the following values:
- 0 – read, write and execute
- 1 – read and write
- 2 – read and execute
- 3 – read only
- 4 – write and execute
- 5 – write only
- 6 – execute only
- 7 – no permissions

Example: 0644. Here :

the first digit, a leading zero means in programming language that the value is in the octal format. Basically, it can be omitted.
the second digit (“6” in the example) stands for rights of the owner,
the third digit (“4” in the example) stands for rights of the group,
the fourth digit (“4” in the example) stands for rights of others.

This table shows what numeric values mean:

Octal digit	Text equivalent	Binary value	Meaning
0	—	000	All types of access are denied
1	–x	001	Execute only
2	-w-	010	Write only
3	-wx	011	Read only
4	r–	100	Read access is allowed only
5	r-x	101	Read and execute access are allowed
6	rw-	110	Read and write access are allowed
7	rwx	111	Everything is allowed

To combine the permissions you can simply add 1, 2 and 4 to get a needed combination.
For instance,

to get read and write permissions, you add 4 (read) and 2 (write), thus getting 6 (read and write).
to get read and execute permissions, you add 4 (read) and 1 (execute), thus getting 5 (read and execute).

This is a base 8 number, if you get any problem setting it, verify that the number should not be converted to a decimal (ie base 10)

For instance:

as a literal, in place of 755, you would give 493
otherwise you would need to convert the representation. For instance in Java

fileMode = Integer.parseInt("755", 8);

Management

Default

See Linux - Umask (user mask)

Group/Owner/Permissions

Permissions for files, directories, and applications are an integral part of managing resources within an organization. The following table describes some of the more common command line tools used for this purpose.

Application	Function
chgrp	Changes which group owns a given file.
chmod	Changes access permissions for a given file. It is also capable of assigning special permissions.
chown	Changes a file's ownership (and can also change group).

It is also possible to alter these attributes in the GNOME and KDE graphical environments by right-clicking on the desired object and selecting Properties.

How to view file permissions?

You can view the access permissions of a file by doing the long directory listing with the ls -l command. This is what a long directory listing might look like:

[nicolasg@hasbiodb01 ~]$ ls -l
total 4
drwxrwxrwx 2 nicolasg oinstall 4096 Feb 24 11:26 weegbrug

The first column (drwxrwxrwx) is the file type and permissions.
The second column (2) shows the number of links (directory entries that refer to the file),
The third one (nicolasg) shows the owner of the file,
The fourth one (oinstall) shows the group the file belongs to.
The other columns show the file's size (4096) in bytes, date and time of last modification, and the filename.

Backup/Diff

See getfacl and setfacl

Search

With the find commando

Search for files which have read and write permission for their owner, and group, but which other users can read but not write to. Files which meet these criteria but have other permissions bits set (for example if someone can execute the file) will not be matched.

find . -perm 664

Search for files which have read and write permission for their owner and group, and which other users can read, without regard to the presence of any extra permission bits (for example the executable bit). This will match a file which has mode 0777, for example.

find . -perm -664

Search for files which are writable by somebody (their owner, or their group, or anybody else).

find . -perm /222

Search for files where the owner has no write access.

find . ! -perm /u=w

Search for files which are writable by either their owner or their group. (The files don’t have to be writable by both the owner and group to be matched; either will do.)

# All three of these commands do the same thing but with a different syntax
find . -perm /220 # octal  representation  of the file mode
find . -perm /u+w,g+w # use the symbolic form
find . -perm /u=w,g=w # use the symbolic form

search for files which are writable by both their owner and their group.

# Both these commands do the same	thing;	
find . -perm -220
find . -perm -g+w,u+w

Search for files that are readable for everybody (-perm -444 or -perm -a+r), have at least on write bit set (-perm /222 or -perm /a+w) but are not executable for anybody (! -perm /111 and ! -perm /a+x respectively)

# Both these commands do the same	thing;	
find . -perm -444 -perm /222 ! -perm /111
find . -perm -a+r -perm /a+w ! -perm /a+x

Table of Contents

Linux - File/Folder Permissions - Access Control List (ACL) - Posix Model