Linux - File/Folder Permissions - Access Control List (ACL) - Posix Model


1 - Introduction

In Linux, everything is exposed as a file; a directory (folder) is therefore also a file and carries its own permission bits.

Linux follows the POSIX permissions model.


3 - Metadata

A permission is a combination of:

  • an access right (read, write, execute)
  • and a class of users (owner, group or others)

Linux file permissions are then nine bits of information (3 access rights x 3 classes of users), each of which has one of two values:

  • allowed
  • or denied.

Simply put:

  • for each file it can be specified who can read it and who can write to it.
  • for programs or scripts it can also be set whether they are allowed to be executed.

3.1 - Access

Every file or folder in Linux has access permissions. There are three types of permissions (what one is allowed to do with a file):

  • read access
  • write access
  • execute access

3.1.1 - Difference in access permissions for files and folders

Access permissions for files and folders mean different things from the user standpoint. The table below shows the difference.

Access type   File                                                          Folder
Read          the file contents can be read                                 the directory listing (the names of its entries) can be obtained
Write         the user or process can write to the file (change its contents)   the user or process can change the directory contents: create new entries, delete existing ones or rename them (the directory must also carry the execute bit for this)
Execute       the file can be executed                                      the user or process can traverse the directory: enter it (make it the current working directory) and open or stat the entries it contains

Two consequences are easy to miss. Deleting or renaming a file is governed by the write bit of the directory, not by the permissions of the file itself: a file with mode 444 inside a directory the user can write to can still be removed. And a directory with read but without execute permission lets the user list the names inside it, but not open, read or stat the files behind those names.
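The following script is an added example, not part of the original page: it builds a scratch tree and exercises the two rows of the table that surprise people most, a read-only file inside a writable directory and a directory that is readable but not searchable. It assumes a POSIX shell with the usual coreutils (mktemp, chmod, ls, rm) and must be run as an unprivileged user, because root bypasses these checks through CAP_DAC_OVERRIDE; all paths and names are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): exercise the file-vs-directory
# meaning of the r/w/x bits on a scratch tree. Run it as an unprivileged
# user: root bypasses these checks (CAP_DAC_OVERRIDE), so every "denied"
# below turns into "allowed" for uid 0. Paths and names are made up.

# Print "allowed" or "denied" depending on whether the command succeeds.
try() {
    if "$@" >/dev/null 2>&1; then echo allowed; else echo denied; fi
}

# Build the scratch tree and print its path:
#   writable_dir/               owner may create/delete entries (rwx)
#   writable_dir/readonly_file  444: nobody may write to the file itself
#   listonly_dir/               644: owner may read names but not traverse (no x)
#   listonly_dir/inner          unreachable while the directory lacks x
setup_tree() {
    tree=$(mktemp -d)
    mkdir "$tree/writable_dir"
    echo secret >"$tree/writable_dir/readonly_file"
    chmod 444 "$tree/writable_dir/readonly_file"
    mkdir "$tree/listonly_dir"
    echo data >"$tree/listonly_dir/inner"
    chmod 644 "$tree/listonly_dir"
    echo "$tree"
}

# Write bit on the file: appending to a 444 file is refused.
can_write_readonly_file() {
    try sh -c 'echo x >>"$1"' sh "$1/writable_dir/readonly_file"
}

# Write bit on the directory: unlinking the 444 file succeeds anyway,
# because deletion is a write to the directory, not to the file.
can_delete_readonly_file() {
    try rm -f "$1/writable_dir/readonly_file"
}

# Read bit without execute bit on a directory: names can still be listed ...
can_list_listonly_dir() {
    try ls "$1/listonly_dir"
}

# ... but the entries cannot be opened, since open() needs x on every
# directory along the path.
can_read_inside_listonly_dir() {
    try cat "$1/listonly_dir/inner"
}

# Give the directory its x bit back so rm -rf can descend into it.
cleanup_tree() {
    chmod 755 "$1/listonly_dir"
    rm -rf "$1"
}

# Stand-alone run: build the tree, print the four answers, clean up.
demo=$(setup_tree)
echo "append to 444 file:             $(can_write_readonly_file "$demo")"
echo "delete 444 file (dir has w):    $(can_delete_readonly_file "$demo")"
echo "list directory with r but no x: $(can_list_listonly_dir "$demo")"
echo "read file inside that dir:      $(can_read_inside_listonly_dir "$demo")"
cleanup_tree "$demo"
```

Run as a normal user the four lines read denied, allowed, allowed, denied. The second line is the one to remember when reviewing a deployment: protecting a file with 444 does nothing against deletion or replacement if the containing directory is writable by the same principal.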

3.2 - Identification Information

Every file on your Linux system, including directories, is owned by a specific user and a specific group. Accordingly, file permissions are defined separately for the owner, the group and everybody else.

  • User/Owner (u): the user who owns the file. By default, the user who creates the file becomes its owner.
  • Group (g): the group that owns the file. All users who belong to that group get the group permissions on the file. This is useful if, for example, a project requires a number of users to access certain files while others cannot: add all those users to one group, make sure the files are owned by that group, and set the group permissions accordingly.
  • Other (o): any user who is neither the owner of the file nor a member of the file's group. A permission set for the "other" class therefore applies to everyone else, which is why people often speak of the "world" permission bits when they mean the permissions for "other".

4 - File permissions notation

4.1 - Textual representation like "-rwxr--r--"

It is the first column of a Linux long directory listing (ls -l) and consists of the first 10 characters of each line.

[nicolasg@hasbitdb01 /]$ dir -l
total 158
drwxr-xr-x   2 root root  4096 Feb 11 04:02 bin
drwxr-xr-x   4 root root  1024 Feb 10 15:42 boot
drwxr-xr-x  16 root root  5780 Feb 16 16:10 dev
drwxr-xr-x  90 root root 12288 Mar 17 04:02 etc
drwxr-xr-x  12 root root  4096 Mar 11 15:08 home
Position   Description
0          the file type:
             d  if the item is a directory
             l  if it is a symbolic link
             -  if the item is a regular file
           (other values exist: c and b for character and block devices, p for a named pipe, s for a socket)
1 to 3     permissions for the owner of the file
4 to 6     permissions for the group
7 to 9     permissions for others

Permission symbol   Description
r                   read access is allowed
w                   write access is allowed
x                   execute access is allowed
-                   access is denied

In an execute position, s (owner or group) or t (others) means that the setuid, setgid or sticky bit is set in addition to execute; an uppercase S or T means the special bit is set but execute is not. A file listed as -rwsr-xr-x is therefore setuid: it executes with the owner's user id rather than the caller's.

4.2 - Numeric

Structure:

  • the number has three octal digits (for instance 644), respectively for
    • owner
    • group
    • world or others
  • each digit is the sum of the rights it grants (4 for read, 2 for write, 1 for execute) and can therefore take the following values:
    • 0 – no permissions
    • 1 – execute only
    • 2 – write only
    • 3 – write and execute
    • 4 – read only
    • 5 – read and execute
    • 6 – read and write
    • 7 – read, write and execute

A umask value such as 022 is written with the same three digits but has the opposite meaning: each bit set in the umask is removed from the permissions of newly created files and directories (022 takes write away from group and others).

Example: “0644”. Here:

  • the leading zero marks the value as octal, as in C. chmod also reads it as a fourth, leftmost digit that carries the special permissions (4 setuid, 2 setgid, 1 sticky bit), so a 0 there means none of them is set and 0644 is the same as 644,
  • the second digit (“6” in the example) stands for the rights of the owner,
  • the third digit (“4” in the example) stands for the rights of the group,
  • the fourth digit (“4” in the example) stands for the rights of others.

This table shows what the numeric values mean:

Octal digit   Text equivalent   Binary value   Meaning
0             ---               000            all types of access are denied
1             --x               001            execute only
2             -w-               010            write only
3             -wx               011            write and execute
4             r--               100            read only
5             r-x               101            read and execute
6             rw-               110            read and write
7             rwx               111            everything is allowed

To combine the permissions you can simply add 1, 2 and 4 to get a needed combination.
For instance,

  • to get read and write permissions, you add 4 (read) and 2 (write), thus getting 6 (read and write).
  • to get read and execute permissions, you add 4 (read) and 1 (execute), thus getting 5 (read and execute).
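The two conversions above as shell functions, an added example that is not part of the original page: one turns the textual form (with or without the leading file-type character of an ls -l line) into three octal digits by summing the 4/2/1 weights, the other turns octal digits back into rwx triples by testing those bits, and a small wrapper reads a real file's mode through ls -l. It assumes only a POSIX shell and coreutils; the scratch file name is made up.

```shell
#!/bin/sh
# Added example (not from the original page): convert between the textual
# "rwxr-xr--" form and the octal form using the 4/2/1 weights, and read a
# real file's mode back through ls -l. Pure POSIX sh.

# sym_to_octal rwxr-xr-- -> 754
# Accepts the nine permission characters, optionally preceded by the file
# type character of an ls -l listing (d, l, -, ...). Only the nine rwx bits
# are encoded: s or t in an execute position counts as x, S or T (special
# bit without execute) counts as no execute.
sym_to_octal() {
    s=$1
    case ${#s} in
        10) s=${s#?} ;;                  # drop the leading file-type char
        9)  ;;
        *)  echo "bad mode string: $1" >&2; return 1 ;;
    esac
    out=""
    while [ -n "$s" ]; do
        triple=${s%"${s#???}"}           # next three characters
        s=${s#???}
        d=0
        case $triple in r??) d=$((d + 4)) ;; esac
        case $triple in ?w?) d=$((d + 2)) ;; esac
        case $triple in ??[xst]) d=$((d + 1)) ;; esac
        out="$out$d"
    done
    echo "$out"
}

# octal_to_sym 754 -> rwxr-xr--
# A four-digit mode such as 0644 is accepted; its leading digit (the
# special bits) is ignored, just as the "0644" example above does.
octal_to_sym() {
    m=$1
    if [ ${#m} -eq 4 ]; then m=${m#?}; fi
    case $m in
        [0-7][0-7][0-7]) ;;
        *) echo "bad octal mode: $1" >&2; return 1 ;;
    esac
    out=""
    while [ -n "$m" ]; do
        d=${m%"${m#?}"}                  # next digit
        m=${m#?}
        if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $((d & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    done
    echo "$out"
}

# mode_of FILE -> the ten-character first column of ls -l (e.g. -rw-r--r--);
# cut also drops the "." or "+" that ls appends when an ACL or label is set.
mode_of() { ls -ld "$1" | cut -c1-10; }

# mode_octal_of FILE -> the same mode as three octal digits (e.g. 644)
mode_octal_of() { sym_to_octal "$(mode_of "$1")"; }

# Stand-alone run.
echo "rwxr-xr-- -> $(sym_to_octal rwxr-xr--)"
echo "0644      -> $(octal_to_sym 0644)"
f=$(mktemp)
chmod 640 "$f"
echo "$f: $(mode_of "$f") = $(mode_octal_of "$f")"
rm -f "$f"
```

The conversion deliberately folds the special bits away: a setuid file such as rwsr-xr-x comes back as 755, so a script that compares octal modes must look at the s/t characters (or use a four-digit mode) if it wants to notice setuid or setgid.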

5 - Management

5.1 - Default

5.2 - Group/Owner/Permissions

Permissions for files, directories, and applications are an integral part of managing resources within an organization. The following table describes some of the more common command line tools used for this purpose.

Application   Function
chgrp         changes which group owns a given file
chmod         changes access permissions for a given file; it can also set the special permissions (setuid, setgid and the sticky bit)
chown         changes a file's owner (and can also change the group)

It is also possible to alter these attributes in the GNOME and KDE graphical environments by right-clicking on the desired object and selecting Properties.
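An added example (not from the original page) that drives the three commands from the table on a scratch file: chmod in its numeric form, in its symbolic form (who, operator, rights), setting and clearing the setuid bit both ways, and chgrp to a group the caller is already a member of. Each step reads the result back from the first column of ls -l so the effect can be checked. It assumes a POSIX shell with coreutils and awk, and works for any user on a file it owns; the scratch file is made up. chown is left out because changing a file's owner to someone else needs root.

```shell
#!/bin/sh
# Added example (not from the original page): apply chmod in numeric and
# symbolic form, set/clear setuid, and hand the file to one of the caller's
# own groups with chgrp. Each step returns the resulting ls -l mode string.

mode_of()  { ls -ld "$1" | cut -c1-10; }        # e.g. -rwxr-xr-x
group_of() { ls -ld "$1" | awk '{ print $4 }'; } # fourth column of ls -l

# Numeric form: three octal digits, one per class (owner, group, others).
apply_numeric()        { chmod 640 "$1";      mode_of "$1"; }   # -rw-r-----
# Symbolic form: who (u/g/o/a), operator (+ - =), rights (r/w/x), comma-separated.
apply_symbolic()       { chmod u+x,o=r "$1";  mode_of "$1"; }   # -rwxr--r--
apply_remove()         { chmod go-r "$1";     mode_of "$1"; }   # -rwx------
# Special permission: setuid appears as "s" in the owner's execute position.
apply_setuid()         { chmod u+s "$1";      mode_of "$1"; }   # -rws------
# The same bit in numeric form is the leading 4 of a four-digit mode.
apply_setuid_numeric() { chmod 4755 "$1";     mode_of "$1"; }   # -rwsr-xr-x
clear_setuid()         { chmod u-s "$1";      mode_of "$1"; }   # -rwxr-xr-x
# chgrp: a non-root user may only assign a group it is a member of,
# so the caller's own primary group always works.
assign_own_group()     { chgrp "$(id -gn)" "$1"; group_of "$1"; }

# Stand-alone run: print every step and its resulting mode.
f=$(mktemp)
for step in apply_numeric apply_symbolic apply_remove \
            apply_setuid apply_setuid_numeric clear_setuid; do
    printf '%-22s %s\n' "$step" "$("$step" "$f")"
done
printf '%-22s %s\n' assign_own_group "$(assign_own_group "$f")"
rm -f "$f"
```

The setuid steps are where review attention belongs: a file that ends up as -rwsr-xr-x and is owned by root runs with root's privileges for anyone who can execute it, which is why 4755 on a root-owned binary is a common privilege-escalation target.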

5.3 - How to view file permissions?

You can view the access permissions of a file by doing the long directory listing with the ls -l command. This is what a long directory listing might look like:

[nicolasg@hasbiodb01 ~]$ ls -l
total 4
drwxrwxrwx 2 nicolasg oinstall 4096 Feb 24 11:26 weegbrug
  • The first column (drwxrwxrwx) is the file type and permissions.
  • The second column (2) shows the number of links (directory entries that refer to the file),
  • The third one (nicolasg) shows the owner of the file,
  • The fourth one (oinstall) shows the group the file belongs to.
  • The other columns show the file's size (4096) in bytes, date and time of last modification, and the filename.

5.4 - Backup/Diff

With the find command. Its -perm test has three forms: -perm MODE matches files whose mode is exactly MODE, -perm -MODE matches files that have all of the bits in MODE set, and -perm /MODE matches files that have any of the bits in MODE set.

  • Search for files which have read and write permission for their owner and group, and which other users can read but not write to. Files which meet these criteria but have other permission bits set (for example if someone can execute the file) will not be matched.
find . -perm 664
  • Search for files which have read and write permission for their owner and group, and which other users can read, without regard to the presence of any extra permission bits (for example the executable bit). This will match a file which has mode 0777, for example.
find . -perm -664
  • Search for files which are writable by somebody (their owner, or their group, or anybody else).
find . -perm /222
  • Search for files where the owner has no write access.
find . ! -perm /u=w
  • Search for files which are writable by either their owner or their group. (The files don't have to be writable by both the owner and group to be matched; either will do.)
# All three of these commands do the same thing but with a different syntax
find . -perm /220 # octal representation of the file mode
find . -perm /u+w,g+w # symbolic form
find . -perm /u=w,g=w # symbolic form
  • Search for files which are writable by both their owner and their group.
# Both of these commands do the same thing
find . -perm -220
find . -perm -g+w,u+w
  • Search for files that are readable by everybody (-perm -444 or -perm -a+r), have at least one write bit set (-perm /222 or -perm /a+w) but are not executable by anybody (! -perm /111 and ! -perm /a+x respectively).
# Both of these commands do the same thing
find . -perm -444 -perm /222 ! -perm /111
find . -perm -a+r -perm /a+w ! -perm /a+x
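To see the three -perm forms side by side, the following added example (not from the original page) creates a scratch directory of files whose names are their own octal modes and runs each search from the list above against it, returning the matched names. File names and modes are constructed for the demo; the / form requires GNU find, and -type f keeps the scratch directory itself out of the results.

```shell
#!/bin/sh
# Added example (not from the original page): build files with known modes
# and show which names each -perm form matches. GNU find is assumed for the
# "/MODE" (any of these bits) form.

# Create files named after their mode (f664 has mode 664, ...) so that the
# output of each search is self-describing. Prints the directory path.
make_samples() {
    dir=$(mktemp -d)
    for m in 000 006 444 600 644 664 755 764 777; do
        : >"$dir/f$m"
        chmod "$m" "$dir/f$m"
    done
    echo "$dir"
}

# matches DIR [find tests...] -> matching file names, sorted, space-separated.
# -type f excludes the scratch directory itself (mktemp -d gives it 700).
matches() {
    dir=$1
    shift
    (cd "$dir" && find . -type f "$@" | sed 's|^\./||' | sort | tr '\n' ' ' | sed 's/ $//')
}

# Stand-alone run: the searches from the list above, in order.
d=$(make_samples)
printf '%-40s %s\n' "-perm 664  (exactly 664)"           "$(matches "$d" -perm 664)"
printf '%-40s %s\n' "-perm -664 (all of 664 set)"        "$(matches "$d" -perm -664)"
printf '%-40s %s\n' "-perm /222 (any write bit)"         "$(matches "$d" -perm /222)"
printf '%-40s %s\n' "! -perm /u=w (owner cannot write)"  "$(matches "$d" ! -perm /u=w)"
printf '%-40s %s\n' "-perm /220 (owner or group write)"  "$(matches "$d" -perm /220)"
printf '%-40s %s\n' "-perm -220 (owner and group write)" "$(matches "$d" -perm -220)"
printf '%-40s %s\n' "-perm -444 -perm /222 ! -perm /111" "$(matches "$d" -perm -444 -perm /222 ! -perm /111)"
rm -rf "$d"
```

The f006 sample (writable only by others) is what separates -perm /222 from -perm /220, and the f764 sample shows why -perm -664 is not the same as -perm 664: extra bits are ignored by the - form and disqualify a file in the exact form.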

6 - Documentation / Reference

os/linux/file_permission.txt · Last modified: 2018/12/06 14:28 by gerardnico