Linux - File/Folder Permissions - Access Control List ( ACL ) - Posix Model

Introduction

In Linux, every object is a file. A directory or a folder is then also a file.

Linux follows the POSIX permissions model.

Metadata

A permission is a combination between:

  • an access right (read, write, execute)
  • and a user identification group ( owner, group or others)

Linux file permissions are then nine bits of information (3 access types x 3 kinds of user), each of which can have just one of two values:

  • allowed
  • or denied.

Simply put:

  • for each file it can be specified who can read or write from/to the file.
  • for programs or scripts it also can be set if they are allowed to be executed.

Access

Every file or folder in Linux has access permissions. There are three types of permissions (what one is allowed to do with a file):

  • read access
  • write access
  • execute access

Difference in access permissions for files and folders

Access permissions for files and folders mean different things from the user standpoint. The table below shows the difference.

  • Read
    • File: if the file contents can be read
    • Folder: if the directory listing can be obtained
  • Write
    • File: if a user or process can write to the file (change its contents)
    • Folder: if a user or process can change the directory contents somehow: create new or delete existing files in the directory, or rename files
  • Execute
    • File: if the file can be executed
    • Folder: if a user or process can access the directory, that is, go to it (make it the current working directory)

Identification Information

Every file on your Linux system, including directories, is owned by a specific user and group. Therefore, file permissions are defined separately for users, groups, and others.

  • User/Owner (u): The username of the person who owns the file. By default, the user who creates the file becomes its owner.
  • Group (g): The user group that owns the file. All users who belong to the group that owns the file have the same access permissions to the file. This is useful if, for example, you have a project that requires a number of different users to be able to access certain files while others can't. In that case, you add all the users to the same group, make sure the required files are owned by that group, and set the file's group permissions accordingly.
  • Other (o): A user who is neither the owner of the file nor a member of the file's group. In other words, a permission set for the “other” category affects everyone else by default. For this reason, people often talk about setting the “world” permission bit when they mean setting the permissions for “other”.

File permissions notation

Textual representation like “-rwxr--r--”

It is used in Linux long directory listings. It consists of the first 10 characters of each line.

[nicolasg@hasbitdb01 /]$ dir -l
total 158
drwxr-xr-x   2 root root  4096 Feb 11 04:02 bin
drwxr-xr-x   4 root root  1024 Feb 10 15:42 boot
drwxr-xr-x  16 root root  5780 Feb 16 16:10 dev
drwxr-xr-x  90 root root 12288 Mar 17 04:02 etc
drwxr-xr-x  12 root root  4096 Mar 11 15:08 home

Symbol position and description:

  • 0: the file type. It is either
    • d if the item is a directory,
    • l if it is a link,
    • or - if the item is a regular file.
  • 1 to 3: permissions for the owner of the file
  • 4 to 6: permissions for the group
  • 7 to 9: permissions for others

Permission symbol and description:

  • r: read access is allowed
  • w: write access is allowed
  • x: execute access is allowed
  • -: access is denied

Numeric

Structure:

  • the number has 3 figures (for instance 022), respectively for
    • the owner
    • the group
    • the world or others
  • when the number is a umask such as 022 (see Linux - Umask (user mask)), each figure takes permissions away, and the permissions that remain for the corresponding user category are:
    • 0 – read, write and execute
    • 1 – read and write
    • 2 – read and execute
    • 3 – read only
    • 4 – write and execute
    • 5 – write only
    • 6 – execute only
    • 7 – no permissions

Example: 0644. Here:

  • the first digit, a leading zero, is the programming-language convention that marks the value as octal. It can simply be omitted.
  • the second digit (“6” in the example) stands for the rights of the owner,
  • the third digit (“4” in the example) stands for the rights of the group,
  • the fourth digit (“4” in the example) stands for the rights of others.

This table shows what the numeric values of a permission mode mean (octal digit, text equivalent, binary value, meaning):

  • 0: --- (000) all types of access are denied
  • 1: --x (001) execute only
  • 2: -w- (010) write only
  • 3: -wx (011) write and execute access are allowed
  • 4: r-- (100) read access is allowed only
  • 5: r-x (101) read and execute access are allowed
  • 6: rw- (110) read and write access are allowed
  • 7: rwx (111) everything is allowed

To combine the permissions you can simply add 1, 2 and 4 to get a needed combination.
For instance,

  • to get read and write permissions, you add 4 (read) and 2 (write), thus getting 6 (read and write).
  • to get read and execute permissions, you add 4 (read) and 1 (execute), thus getting 5 (read and execute).

This is a base 8 (octal) number. If you get a problem setting it, check whether the tool or API expects the value converted to decimal (i.e. base 10).

For instance:

  • as a literal, in place of 755, you would give 493
  • otherwise you would need to convert the representation. For instance in Java
fileMode = Integer.parseInt("755", 8);
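An added shell example, not code from the original page, that implements the conversions described above: an octal digit to its rwx text, an ls -l text string back to octal, and the base-8 to base-10 conversion that Integer.parseInt("755", 8) performs. The function names are mine and it assumes a 3- or 4-digit mode such as 644 or 0644.

```shell
#!/bin/sh
# Added example: octal <-> rwx notation and the base-8 pitfall.

# One octal digit -> its rwx text, by testing the 4 (r), 2 (w) and 1 (x) bits.
digit_to_rwx() {
    s=""
    if [ $(( $1 & 4 )) -ne 0 ]; then s="${s}r"; else s="${s}-"; fi
    if [ $(( $1 & 2 )) -ne 0 ]; then s="${s}w"; else s="${s}-"; fi
    if [ $(( $1 & 1 )) -ne 0 ]; then s="${s}x"; else s="${s}-"; fi
    printf '%s' "$s"
}

# 644 -> rw-r--r--. Only the last three digits matter: a leading 0 is
# just the octal marker.
octal_to_symbolic() {
    mode=${1#"${1%???}"}
    out=""
    while [ -n "$mode" ]; do
        d=${mode%"${mode#?}"}                # first remaining digit
        mode=${mode#?}                       # drop it
        out="$out$(digit_to_rwx "$d")"
    done
    printf '%s\n' "$out"
}

# rw-r--r-- -> 644: each r, w and x adds 4, 2 and 1 to its digit.
symbolic_to_octal() {
    sym=$1
    [ ${#sym} -eq 9 ] || return 1            # expects exactly nine symbols
    digits=""
    while [ -n "$sym" ]; do
        triple=${sym%"${sym#???}"}           # next group of three
        sym=${sym#???}
        v=0
        case $triple in r??) v=$((v + 4)) ;; esac
        case $triple in ?w?) v=$((v + 2)) ;; esac
        case $triple in ??x) v=$((v + 1)) ;; esac
        digits="$digits$v"
    done
    printf '%s\n' "$digits"
}

# 755 read in base 8 is 493 in base 10: the integer a mode-taking API
# actually needs (what Integer.parseInt("755", 8) computes).
octal_to_decimal() {
    n=0; rest=$1
    while [ -n "$rest" ]; do
        d=${rest%"${rest#?}"}; rest=${rest#?}
        n=$(( n * 8 + d ))
    done
    printf '%s\n' "$n"
}

printf '0644      -> %s\n' "$(octal_to_symbolic 0644)"
printf 'rwxr-x--- -> %s\n' "$(symbolic_to_octal rwxr-x---)"
printf '755 (base 8) = %s (base 10)\n' "$(octal_to_decimal 755)"
```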

Management

Default

See Linux - Umask (user mask)

Group/Owner/Permissions

Permissions for files, directories, and applications are an integral part of managing resources within an organization. The following table describes some of the more common command line tools used for this purpose.

  • chgrp: changes which group owns a given file.
  • chmod: changes the access permissions of a given file. It is also capable of assigning special permissions.
  • chown: changes a file's ownership (and can also change the group).

It is also possible to alter these attributes in the GNOME and KDE graphical environments by right-clicking on the desired object and selecting Properties.

How to view file permissions?

You can view the access permissions of a file by doing the long directory listing with the ls -l command. This is what a long directory listing might look like:

[nicolasg@hasbiodb01 ~]$ ls -l
total 4
drwxrwxrwx 2 nicolasg oinstall 4096 Feb 24 11:26 weegbrug
  • The first column (drwxrwxrwx) is the file type and permissions.
  • The second column (2) shows the number of links (directory entries that refer to the file),
  • The third one (nicolasg) shows the owner of the file,
  • The fourth one (oinstall) shows the group the file belongs to.
  • The other columns show the file's size (4096) in bytes, date and time of last modification, and the filename.

Backup/Diff

See getfacl and setfacl

With the find command

  • Search for files which have read and write permission for their owner, and group, but which other users can read but not write to. Files which meet these criteria but have other permissions bits set (for example if someone can execute the file) will not be matched.
find . -perm 664
  • Search for files which have read and write permission for their owner and group, and which other users can read, without regard to the presence of any extra permission bits (for example the executable bit). This will match a file which has mode 0777, for example.
find . -perm -664
  • Search for files which are writable by somebody (their owner, or their group, or anybody else).
find . -perm /222
  • Search for files where the owner has no write access.
find . ! -perm /u=w
  • Search for files which are writable by either their owner or their group. (The files don’t have to be writable by both the owner and group to be matched; either will do.)
# All three of these commands do the same thing but with a different syntax
find . -perm /220 # octal  representation  of the file mode
find . -perm /u+w,g+w # use the symbolic form
find . -perm /u=w,g=w # use the symbolic form
  • Search for files which are writable by both their owner and their group.
# Both these commands do the same thing:
find . -perm -220
find . -perm -g+w,u+w
  • Search for files that are readable by everybody (-perm -444 or -perm -a+r), have at least one write bit set (-perm /222 or -perm /a+w) but are not executable by anybody (! -perm /111 and ! -perm /a+x respectively).
# Both these commands do the same thing:
find . -perm -444 -perm /222 ! -perm /111
find . -perm -a+r -perm /a+w ! -perm /a+x
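An added example, not code from the original page, that builds a constructed directory with four files of known modes and runs each find -perm form above against it. The helper names are mine, and -type f is added so that only regular files (not the directory itself) are listed; it uses the GNU find syntax shown on this page.

```shell
#!/bin/sh
# Added example: the find -perm forms from the text, run on a constructed tree.

# Print the names of the regular files under $1 that match the remaining
# find predicates, sorted and space separated.
list_matches() {
    dir=$1; shift
    find "$dir" -type f "$@" -exec basename {} \; | sort | tr '\n' ' ' | sed 's/ $//'
}
exact_664()                { list_matches "$1" -perm 664; }    # exactly rw-rw-r--
at_least_664()             { list_matches "$1" -perm -664; }   # rw-rw-r-- plus any extra bits
writable_by_anyone()       { list_matches "$1" -perm /222; }   # some write bit set
owner_not_writable()       { list_matches "$1" ! -perm /u=w; }
readable_by_all_not_exec() { list_matches "$1" -perm -444 -perm /222 ! -perm /111; }

# Constructed sample tree: four empty files with distinct modes.
make_sample_tree() {
    dir=$(mktemp -d)
    : > "$dir/shared.txt";   chmod 664 "$dir/shared.txt"
    : > "$dir/open.sh";      chmod 777 "$dir/open.sh"
    : > "$dir/readonly.cfg"; chmod 444 "$dir/readonly.cfg"
    : > "$dir/private.key";  chmod 600 "$dir/private.key"
    printf '%s\n' "$dir"
}

sample=$(make_sample_tree)
printf 'exactly 664                   : %s\n' "$(exact_664 "$sample")"
printf 'at least 664                  : %s\n' "$(at_least_664 "$sample")"
printf 'writable by somebody          : %s\n' "$(writable_by_anyone "$sample")"
printf 'owner has no write access     : %s\n' "$(owner_not_writable "$sample")"
printf 'world-readable, some w, no x  : %s\n' "$(readable_by_all_not_exec "$sample")"
rm -rf "$sample"
```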
