Linux Permissions
Linux and Unix systems use a permission mechanism that is simple and robust.
Ownership
Each file has an owner and a group-owner. The original owner is the user who created the file; only the superuser (root) can reassign ownership. The original group-owner is the default (primary) group of the creator; the current owner can change the group-owner to any of the groups to which she belongs, and the superuser can change it to any group on the system.
Here's an example: imagine that the user Jane belongs to the groups toronto (her default group), seneca, and baseball. She creates the file "automate"; viewing the file with ls -l shows this display:
-rwxrw-r-- 1 jane toronto 2019 2008-09-15 11:25 automate
Note that jane is the owner, and toronto is the group-owner.
Jane cannot change the owner, but the superuser can change it to any user on the system using the chown command.
Jane can change the group-owner to seneca or baseball, or the superuser can change it to any group on the system, using the chgrp command.
Communities
There are three communities of users in the system:
- user - the owner of the file
- group - users in the group that is the group-owner of the file
- other - everyone else
The order and initials of these communities are important: u-g-o
Permissions
Each of the three communities has three permissions:
- read - the ability to read (view, play, copy) the file
- write - the ability to write (change, truncate, append) the file
- execute - the ability to execute (run) the file
These permissions mean something slightly different on a directory:
- read - the ability to list the names in the directory (e.g., with "ls" or by expanding wildcards such as *).
- write - the ability to add entries to the directory, remove entries from it, or rename them (this also requires execute permission on the directory).
- execute - the ability to pass through the directory: to open, run or stat the files and subdirectories inside it by name.
Note that a user with read but not execute permission on a directory may see the names of the files in the directory but not use them; a user with execute but not read permission may use files in the directory but must know the exact filename (because they can't list the directory contents). Also note that write permission on a directory governs the directory's entries, not the files' contents: a user who can write the directory can delete or rename a file in it even if the file itself is read-only to them (unless the directory's sticky bit, one of the Extended Permissions below, is set).
Permission Mode
A full permission mode consists of the three permissions for each of the three communities. In addition, there may be some Extended Permissions (see below).
Symbolic Representation
A permission mode may be represented as a string of nine r, w, x, and - characters. The first three characters represent the permissions for the user, the second three the permissions for the group, and the last three the permissions for others. Each set of three consists of the letters r, w, and x, in that order, for permissions that are turned on, or - for permissions that are not turned on.
The output of ls -l starts with a character representing the file type (- for regular files, d for directories, and other characters for special files) followed by the 9-character symbolic representation of the permission mode:
-rwxrw-r-- 1 jane toronto 2019 2008-09-15 11:25 automate
In this case, the mode is rwxrw-r--, which breaks down as:
- user permission: rwx (read, write, and execute permission are enabled/granted to the user jane)
- group permission: rw- (read and write permission are granted to users in the toronto group, but execute permission is denied)
- other permission: r-- (read permission is granted for all other users, write and execute permission is denied)
Octal Representation
It is also possible to represent a permission as a group of octal digits. Each digit represents the permission for one community, in u-g-o order. The value of the digit is the sum of the enabled permissions using these values:
- read: 4
- write: 2
- execute: 1
Therefore, the symbolic mode "rwxrw-r--" is represented in octal as 764, since:
- user permission = rwx = 4+2+1 = 7
- group permission = rw- = 4+2 = 6
- other permission = r-- = 4
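As an added example (this code is not part of the original page), the following Python does the per-community 4+2+1 sum described above and checks it against a real file: it converts "rwxrw-r--" to 0o764 one community at a time, converts an octal mode back to the nine-character form, and then applies the result to a temporary file with os.chmod and reads it back with os.stat, which is what ls -l reports. The function names and the temporary file are this example's own.

```python
import os
import stat
import tempfile

# Bit values for one community, in r-w-x order: read=4, write=2, execute=1.
BITS = {"r": 4, "w": 2, "x": 1}


def symbolic_to_octal(sym: str) -> int:
    """Convert a 9-character mode such as 'rwxrw-r--' to its octal value (0o764).

    Each community's digit is the sum of its enabled bits, read in u-g-o order.
    Raises ValueError on anything that is not a well-formed 9-character mode.
    """
    if len(sym) != 9:
        raise ValueError(f"expected 9 characters, got {len(sym)}: {sym!r}")
    mode = 0
    for community in range(3):                     # 0=user, 1=group, 2=other
        triple = sym[community * 3 : community * 3 + 3]
        digit = 0
        for i, expected in enumerate("rwx"):
            ch = triple[i]
            if ch == expected:
                digit += BITS[ch]
            elif ch != "-":
                raise ValueError(f"bad character {ch!r} at position {community * 3 + i}")
        mode = (mode << 3) | digit                 # shift earlier digits one octal place left
    return mode


def octal_to_symbolic(mode: int) -> str:
    """Inverse of symbolic_to_octal: 0o764 -> 'rwxrw-r--'.

    Only the low nine bits are used; setuid/setgid/sticky are ignored here.
    """
    out = []
    for shift in (6, 3, 0):                        # user, group, other
        digit = (mode >> shift) & 0o7
        out.append("".join(ch if digit & BITS[ch] else "-" for ch in "rwx"))
    return "".join(out)


def mode_of(path: str) -> str:
    """Return a real file's 9-character permission string, as ls -l shows it
    after the leading file-type character."""
    st = os.stat(path)
    return stat.filemode(st.st_mode)[1:]           # drop the type character


def demo() -> dict:
    """Create a temporary file, chmod it to 0764 and read the mode back."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:   # constructed sample file
        path = tmp.name
    try:
        os.chmod(path, symbolic_to_octal("rwxrw-r--"))       # same as: chmod 764 <path>
        return {"octal": oct(os.stat(path).st_mode & 0o777), "symbolic": mode_of(path)}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(oct(symbolic_to_octal("rwxrw-r--")))   # 0o764
    print(octal_to_symbolic(0o751))              # rwxr-x--x
    print(demo())                                # {'octal': '0o764', 'symbolic': 'rwxrw-r--'}
```

The round trip through os.chmod and os.stat is the useful check: if your conversion disagrees with what the kernel reports, the conversion is wrong, not the kernel.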
Viewing the Permission Mode
You can view the permissions on a file using the -l (lowercase L) argument to the ls command. You can also view file permissions using most graphical file managers, such as Nautilus (GNOME) or Konqueror (KDE), although you will need to change from the default view settings.
Setting the Permission Mode
Permissions are set from the command line using the chmod command. (You can also change permissions with most graphical file managers.)
Setting the Permission in Octal
To set a permission using an octal value:
chmod mode filenames...
For example,
chmod 0751 newscript
chmod 0760 oldscript1 oldscript2
which will change the permission mode to rwxr-x--x on the file "newscript" and rwxrw---- on "oldscript1" and "oldscript2". Each digit must be 0 through 7; the leading 0 is an optional fourth digit that holds the Extended Permissions described below.
Setting the Permission using Relative Symbolic Notation
You can also set permissions using a relative variation on symbolic notation. One or more clauses, separated by commas, are given in this format:
community operator permissions
Where
- community is any combination of u, g, o (user/group/other), or a for all (which is the same as "ugo")
- operator is + to add the named permissions, - to remove them, or = to set the community's permissions to exactly those named (clearing any others)
- permissions is any combination of r, w, x (read/write/execute)
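As an added example (not code from the original page), here is a small Python model of the relative symbolic notation: apply_clause handles one "community operator permissions" clause, apply_symbolic handles a comma-separated list such as "u+x,go-w", and show renders the result the way ls -l does. It is this example's own implementation of the rules above, not chmod's source. One assumption is labelled in the code: real chmod applies the umask when the community is omitted, while this model simply treats an omitted community as "a".

```python
import stat

# Which bits each community letter selects: u=user, g=group, o=other, a=all.
WHO = {"u": 0o700, "g": 0o070, "o": 0o007, "a": 0o777}
# Which bit each permission letter selects within every community.
PERM = {"r": 0o444, "w": 0o222, "x": 0o111}


def apply_clause(mode: int, clause: str) -> int:
    """Apply one clause such as 'g+w', 'go-rwx' or 'a=r' to an integer mode."""
    i = 0
    who = 0
    while i < len(clause) and clause[i] in WHO:    # collect community letters
        who |= WHO[clause[i]]
        i += 1
    if who == 0:
        # Assumption: treat a missing community as 'a'; real chmod also masks
        # the permissions with the umask in this case.
        who = WHO["a"]
    if i >= len(clause) or clause[i] not in "+-=":
        raise ValueError(f"missing operator in {clause!r}")
    op = clause[i]
    perms = 0
    for ch in clause[i + 1 :]:                     # collect permission letters
        if ch not in PERM:
            raise ValueError(f"bad permission letter {ch!r} in {clause!r}")
        perms |= PERM[ch]
    selected = who & perms                         # the bits this clause names
    if op == "+":
        return mode | selected                     # turn the named bits on
    if op == "-":
        return mode & ~selected                    # turn the named bits off
    # '=': the named communities get exactly the named bits, nothing else
    return (mode & ~who) | selected


def apply_symbolic(mode: int, spec: str) -> int:
    """Apply a comma-separated list of clauses, like chmod's 'u+x,go-w'."""
    for clause in spec.split(","):
        mode = apply_clause(mode, clause.strip())
    return mode


def show(mode: int) -> str:
    """Render the nine permission bits as ls -l shows them (type char dropped)."""
    return stat.filemode(mode)[1:]


if __name__ == "__main__":
    start = 0o764                                  # rwxrw-r--, the page's example file
    for spec in ("g-w", "o+x", "u+x,go-w", "a=r", "ug=rwx,o=x"):
        print(f"{show(start)}  chmod {spec:<12} -> {show(apply_symbolic(start, spec))}")
```

The "=" operator is the one people get wrong: "g=r" does not add read for the group, it replaces whatever the group had with read only, which is why a clumsy "a=r" on a script silently strips its execute bit.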