From the course: Ubuntu Linux: Essential Commands and System Administration

File permissions

On a multi-user system, we need a way of keeping users' files and system files secure from unauthorized viewing and modification. To do that, Linux has a system of permissions that divides access to files into a few categories. They define what users and groups of users can do with a file and what kind of actions are allowed for each category. Let's bring a file from my Documents directory back to my Home directory, and then I'll type ls -l. Here's that file. When we list the files in the directory, there's a row of characters for each file. This row is divided up into a few sections. After the initial character, which represents the type of file, there are three sections of three characters that determine permissions for the file. The first section represents the owner of the file, as determined by the user shown here. The second section represents the file's group ownership. A group can have more than one user defined in it, so more than one user can access the file. The file's group ownership is indicated here in this column. And the last group of three characters represents everyone else, that is, any other user on the system. The letters in each position indicate whether that classification can read, write, or execute (r, w, or x) the given file. So this notation makes it easy to read what the permissions on a file are, but we also need a way of telling the system what the permissions should be for a given file. There are two ways to do that, so let's take a look.

You can think of the permissions like a little grid or matrix. Across the top of the grid, we have who can do something: the user who owns the file, members of the group that owns the file, and everyone else. The specific actions that each of these could take are read, write, and execute, and in our grid we can list those down the side. Then for a given file or resource, we can fill in a pattern that defines access.
So for the file we saw earlier, we could indicate it like this. rw- in the user column indicates read and write. rw- in the group column also indicates read and write. And r-- for others means that they can only read. As humans looking at this grid, we know which group can do what, but we need to communicate this to the system somehow. So we assign each action a different number, 4 for write, 2 for read, and 1 for execute, and then we add them up. In this way, there's never an ambiguous sum for a column, so we can encode a lot of information in a single digit. This is called octal notation because the value is an octal digit in the range from zero to seven. There's another way of indicating changes in permissions too, which is a little more symbolic. Instead of using octal digits to represent coded permissions, we take the letter for each of our sections, u for user, g for group, and o for others, and then use equals, plus, or minus to set, add, or remove specific permissions for a file. We then use r, w, and x to say what those specific changes are. Sometimes we'll see usages like +x. In that case, the missing specifier before the operator means that the change applies to all three sections. So the same permissions that were 664 in the previous example are now u=rw to give read and write access to the user, g=rw to give read and write access to the group, and o=r, giving others only read access.

Let's move back to the command line and see how this works. Like before, I can see that my file here, mytext, has permissions of rw-rw-r--. I can even see the octal permission notation with the stat command. I'll type stat mytext, and here I can see the permissions represented in octal notation: 664. Let's say this file is very sensitive and I want to deny everyone except the file's owner the ability to even read or write it. Those permissions would look like this. We'd represent this in octal notation as 600.
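To make the grid concrete, here is an added shell example (not code from the course) that converts between the nine-character permission string ls -l prints and the three octal digits chmod accepts, using the POSIX weights read = 4, write = 2, execute = 1, and also emits the equivalent u=,g=,o= symbolic form. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the course): translate between ls -l style
# permission strings (rw-rw-r--), octal modes (664) and chmod's symbolic
# syntax (u=rw,g=rw,o=r).  Weights: read = 4, write = 2, execute = 1.

# Sum the weights of one three-character class, e.g. "rw-" -> 6.
triplet_to_digit() {
    t=$1
    d=0
    case $t in r??) d=$((d + 4)) ;; esac
    case $t in ?w?) d=$((d + 2)) ;; esac
    case $t in ??x) d=$((d + 1)) ;; esac
    echo "$d"
}

# "rw-rw-r--" -> "664" (user, group, others).  A leading file-type column
# as printed by ls -l ("-rw-rw-r--") is stripped first.
perm_string_to_octal() {
    s=$1
    [ "${#s}" -eq 10 ] && s=${s#?}
    u=$(triplet_to_digit "$(printf '%s' "$s" | cut -c1-3)")
    g=$(triplet_to_digit "$(printf '%s' "$s" | cut -c4-6)")
    o=$(triplet_to_digit "$(printf '%s' "$s" | cut -c7-9)")
    echo "$u$g$o"
}

# One octal digit -> "rw-" style triplet, by testing each bit.
digit_to_triplet() {
    d=$1
    r='-'; w='-'; x='-'
    [ $((d & 4)) -ne 0 ] && r='r'
    [ $((d & 2)) -ne 0 ] && w='w'
    [ $((d & 1)) -ne 0 ] && x='x'
    echo "$r$w$x"
}

# "600" -> "rw-------"
octal_to_perm_string() {
    m=$1
    u=$(digit_to_triplet "$(printf '%s' "$m" | cut -c1)")
    g=$(digit_to_triplet "$(printf '%s' "$m" | cut -c2)")
    o=$(digit_to_triplet "$(printf '%s' "$m" | cut -c3)")
    echo "$u$g$o"
}

# "664" -> "u=rw,g=rw,o=r": the same mode in chmod's symbolic syntax.
# An empty class such as "g=" clears every permission for that class.
octal_to_symbolic() {
    m=$1
    s=$(octal_to_perm_string "$m")
    u=$(printf '%s' "$s" | cut -c1-3 | sed 's/-//g')
    g=$(printf '%s' "$s" | cut -c4-6 | sed 's/-//g')
    o=$(printf '%s' "$s" | cut -c7-9 | sed 's/-//g')
    echo "u=$u,g=$g,o=$o"
}

# Demonstration on the modes used in the lesson.
for mode in 664 600 000; do
    printf '%s  %s  %s\n' "$mode" "$(octal_to_perm_string "$mode")" "$(octal_to_symbolic "$mode")"
done
printf '%s -> %s\n' "-rw-rw-r--" "$(perm_string_to_octal "-rw-rw-r--")"
```

Running the script prints each mode three ways, which is a quick way to practise switching between the notations before typing a chmod.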
In the first place, we'd have 4 for write and 2 for read, but no execute, so we don't add the 1. In the other two slots we have nothing, so they're both zero. Or in symbolic notation, we'd say u=rw, and then for both group and others we would subtract read, write, and execute. It's important to be able to switch between these notations on the fly, but it does take some practice.

The command we use to set the permissions, or the mode, is chmod; pronunciations vary, but I'll just say chmod. After chmod, we put the octal or symbolic notation for the permission change we want to make. In this case, I'll write chmod 600 and the file name, mytext. When I list the directory again, I can see that the permissions have changed. Let's use the symbolic notation to give the group some access as well. For that, I'll write chmod g+rw (for group, add read and write) and then the name of my file, mytext. If we list the directory again, we can see that the read and write permissions for the group have been restored. I could also set this file to 000, removing the ability of the user, the group, and all other users to read, write, or execute it. If I then try to look at the contents of this file, even though I'm the owner, I'm denied permission. Now let's put it back to how it was with chmod 664. It's back to how we found it, and once again I can read the contents.
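The same sequence of chmod commands, as an added example that is not part of the course, run on a scratch file so each step is verified with stat rather than by eye. It assumes GNU coreutils (stat -c, as on Ubuntu) and a file name of my own choosing that stands in for mytext; note that with mode 000 an unprivileged owner is denied, but root bypasses ordinary permission checks, so that last observation is reported rather than assumed.

```shell
#!/bin/sh
# Added example (not from the course): replay the lesson's chmod steps on a
# temporary file and read the result back with stat.  Requires GNU stat -c.

# Octal mode of a file, zero-padded so 000 prints as "000" rather than "0".
mode_of() { printf '%03d\n' "$(stat -c '%a' "$1")"; }

# The ls -l style string, e.g. "-rw-------".
perm_string_of() { stat -c '%A' "$1"; }

# Apply one chmod argument (octal or symbolic) and return the new mode.
set_mode() {
    chmod "$1" "$2"
    mode_of "$2"
}

# Walk through the lesson: 664 -> 600 -> g+rw -> 000 -> 664.
# Returns the five resulting modes on one line.
demo_sequence() {
    dir=$(mktemp -d)
    f="$dir/mytext"                       # stands in for the course's mytext
    printf 'constructed sample text\n' > "$f"
    start=$(set_mode 664 "$f")            # rw-rw-r--, the state ls -l showed
    locked=$(set_mode 600 "$f")           # owner read/write only
    grp=$(set_mode g+rw "$f")             # symbolic: give group back rw -> 660
    none=$(set_mode 000 "$f")             # nobody, not even the owner
    restored=$(set_mode 664 "$f")         # back to how we found it
    rm -rf "$dir"
    echo "$start $locked $grp $none $restored"
}

# Can the current user still read a mode-000 file it owns?  "no" for an
# ordinary user; "yes" when running as root, which bypasses DAC checks.
readable_at_000() {
    dir=$(mktemp -d)
    f="$dir/mytext"
    printf 'constructed sample text\n' > "$f"
    chmod 000 "$f"
    if cat "$f" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
    chmod 600 "$f"
    rm -rf "$dir"
}

printf 'modes after each step: %s\n' "$(demo_sequence)"
printf 'owner can read at mode 000: %s\n' "$(readable_at_000)"
```

The g+rw step lands on 660 rather than 664 because the symbolic form only adds group bits; others were cleared by the earlier chmod 600 and stay cleared until the final chmod 664.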