A Little About Linux: File Ownership and Permissions

One of the most important things you can learn when starting with Linux is how you control access to files.  If you've used Unix in the past, you probably won't need this little guide as it's the same (or at least very, very similar), but if you've just come from Windows, then this may come as a little bit of a shock to you, so hold on while we dive straight in.

To start with, you need to know the basics;
  1. Every file will have a user account associated with it. (Owner)
  2. Every file will also have a group associated with it. (Owner Group)
  3. As you might expect, a group can contain any number of user accounts.
  4. Every file will have a set of permissions associated with it.
That was pretty easy, wasn't it?  Now let's expand on that...

Firstly, let's see how Linux shows all of this information so that you know where the starting point is.  Using the ls (list) command as any non-root user will give a layout similar to this (obviously the contents will be different, but it's the layout of the ls command's output that we're concentrating on);

ls -lh

-rw-rw-r--.  1 palindrome palindrome 1.6K Jun 15 17:05 hello.txt

So, what have we got here?  This is a listing of the files in my home directory, and as you can see there is only one (or at least only one standard, non-hidden file; hidden files are covered elsewhere).  We are interested in the third and fourth columns, the part that shows palindrome palindrome.  As you might deduce from the first two points on the 'list of basics' that we started with, these are the Owner and Owner Group.

In most cases, when a file is created the Owner and Owner Group are the same as the user account that created the file, but this is not always the case and, obviously, these owner details can be changed.

Also, as in Windows, the owner details are shown in a human-readable format; internally, when Linux deals with these things, palindrome palindrome is replaced by the numbers that represent these accounts.

Changing the File Ownership
At some point, you will want to change a File Owner, and this can be done using the chown (change owner) command.  This command can only be run as root (because you could potentially lock yourself out of accessing your own files) and you can change either the Owner account, the Owner Group or both.  So, as an example, let's change the Owner of the example hello.txt file we viewed earlier;

chown johng:palindrome hello.txt

Then perform the ls command again;

ls -lh

-rw-rw-r--.  1 johng palindrome 1.6K Jun 15 17:05 hello.txt

You can see that the Owner has changed but the Owner Group hasn't.  

If you're logged on as a non-root user, you still have the option of changing the Owner Group but not the Owner itself by using;

chgrp palindrome hello.txt

Both the chown and chgrp commands have various options, but the most useful is -R, which recursively changes the ownership of every file in the file hierarchy below the given location.

So, as these examples stand, if I log on as user johng or my account is in the palindrome group, I will be able to gain some sort of access to the hello.txt file, and the level of this access is described in the next section...

Changing Permissions
Now, if you've come from a Windows background, you're probably thinking "that file ownership thing is a little strange, but it seems reasonably straightforward", and it is indeed straightforward, but the permissions side may seem very strange and archaic as it involves adding octal numbers together.

If you remember from the ownership section, we used the ls command to see the ownership of a file, well we'll use it again to find out the permissions on a file;

ls -lh

-rw-rw-r--.  1 johng palindrome 1.6K Jun 15 17:05 hello.txt

This time we're interested in the first column, the one that seems incomprehensible!  So, let's break this down.  Firstly, there will always be 10 characters here (and this is true for any Unix system).  In this case, there is also a '.' at the end, but this isn't to do with the file permissions, so we'll ignore it for now.  Let's break those 10 characters down even further by splitting them up into columns of their own;

File Type   File Owner   Other Members Of The Group   Everyone Else
    -          rw-                 rw-                     r--

File Type: Is the file a normal file (-), a directory (d) or a symbolic link (l)?
File Owner: These are the permissions set for the owner of the file (johng).
Other Members Of The Group: These are the permissions set for anyone other than the owner who is in the group specified (palindrome).
Everyone Else: As you might guess, this is the level of access for anyone else accessing the file.

So, now on to what the letters mean.  There are three letters that need to be understood;

r = READ
w = WRITE
x = EXECUTE

So from the above example, the File Owner can read and write, Other Members Of The Group (other than the owner) can read and write and Everyone Else can only read.  Nobody can execute anything.

So, now that's everything about permissions?  Well, not quite: what if we want to change the individual permission bits to allow the File Owner to read, write AND execute?  This is where the adding of octal numbers comes into play!  Throughout any type of Unix, the read, write and execute bits are assigned octal numbers;

r = 4
w = 2
x = 1

By adding these numbers together, you can work out the permissions e.g.

r-- = 4          rw- = 4+2 = 6          r-x = 4+1 = 5          rwx = 4+2+1 = 7

Therefore setting the File Owner to read, write and execute whilst maintaining the current permissions on the other settings, would be 764.  Now that you've worked out the hard part, we only need to introduce a command that you can place in front of the octal digits to carry out the operation and that command is chmod.

chmod 764 hello.txt

The one last thing you need to know is that root is impervious to these permissions: even if you set the rwx bits to 000, the superuser account can still access all files and change all permissions.

Special Permission Bits
These are extra bits that appear in the execute positions of the permission string.

Sticky Bit - A special bit which, when used on shared directories, protects files from being deleted by those who don't own them.  When set on a directory, only the file owner, the directory owner or root can delete a file in it.  It is designated by a t in the last execute position.  Typically the /tmp directory has this set already.

drwxrwxrwt

SET USER ID (SUID) - When used on an executable file, the program runs with the permissions of the file's owner rather than those of the user who runs the program.  It is designated by an s in the owner's execute position.

-rwsrwxrwx

SET GROUP ID (SGID) - Sets the group of the running program to the group of the file.  It is designated by an s in the group's execute position.

-rwxrwsrwx
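To tie the rwx letters, the octal digits and the special bits together, here is a small POSIX shell function (added here as an example, not part of the original guide) that turns the 10-character mode column from ls -l into the four octal digits that chmod accepts, ignoring the trailing '.' mentioned earlier.  The ls lines it is run on are constructed for the demonstration, not taken from a real system.

```shell
#!/bin/sh
# Convert the 10-character mode column printed by ls -l into the
# four octal digits chmod understands (special bits first).
mode_to_octal() {
    # $1: mode string such as "-rw-rw-r--" or "drwxrwxrwt".  A trailing
    # "." or "+" (the marker ls appends for extra security attributes) is
    # ignored, because only characters 2-10 carry permissions.
    perms=$(printf '%s' "$1" | cut -c 2-10)
    special=0; digits=""; grp=0
    while [ "$grp" -lt 3 ]; do
        triple=$(printf '%s' "$perms" | cut -c "$((grp * 3 + 1))-$((grp * 3 + 3))")
        # Which special bit belongs to this triple: SUID (4), SGID (2), sticky (1).
        case $grp in 0) sbit=4 ;; 1) sbit=2 ;; *) sbit=1 ;; esac
        d=0
        case "$(printf '%s' "$triple" | cut -c 1)" in r) d=$((d + 4)) ;; esac
        case "$(printf '%s' "$triple" | cut -c 2)" in w) d=$((d + 2)) ;; esac
        case "$(printf '%s' "$triple" | cut -c 3)" in
            x)   d=$((d + 1)) ;;                               # plain execute
            s|t) d=$((d + 1)); special=$((special + sbit)) ;;  # special bit + execute
            S|T) special=$((special + sbit)) ;;                # special bit, no execute
        esac
        digits="$digits$d"
        grp=$((grp + 1))
    done
    printf '%d%s\n' "$special" "$digits"
}

# Constructed ls -l lines (no real files involved) for a quick demonstration.
for line in '-rw-rw-r--.  1 johng palindrome 1.6K Jun 15 17:05 hello.txt' \
            'drwxrwxrwt. 18 root  root       4.0K Jun 15 17:05 tmp'; do
    mode=${line%% *}
    printf '%s -> chmod %s\n' "$mode" "$(mode_to_octal "$mode")"
done
```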

Setting Default Modes and Groups
Now, this bit is probably going to be a bit hard to understand if you come from a complete Windows background, but let's keep it simple and work through it together...

When a file is created in Linux, it inherits a default owner and set of permissions.  The default owner is the user who created the file initially and the default group is the user's primary group.  This is the first simple part.

The default permissions that the newly created file is created with, can be changed by altering the User Mask (umask).  Now this part is the difficult bit, so concentrate, if you've come across the principle of 'masking' before, it will set you in good stead for this!

First off, you will need to know the initial permission for files and directories in order to create the defaults.  Files = 0666 and Directories = 0777

These initial permissions are then adjusted by an octal 'mask' that defines the final default permissions: each mask digit describes what is taken away, so it is the inverse of the permissions that remain.  The digit values are;

0 - Full permissions (Read, Write, Execute)
1 - Write and read
2 - Read and execute
3 - Read only
4 - Write and execute
5 - Write only
6 - Execute only
7 - No permissions


So, lets work through some examples for configuring default permissions on files. 

1) Read, Write and Execute (All)
Start with: 666
Add Mask: 000
Final Permissions: 666

2) Read and Execute (All)
Start with: 666
Add Mask: 002
Final Permissions: 664

3) Read, Write and Execute (Owner and Group) Read (Everyone Else) 
Start with: 666
Add Mask: 002
Final Permissions: 664

4) Read and Execute (Owner and Group) Read (Everyone Else) 
Start with: 666
Add Mask: 112
Final Permissions: 554

Now, there are two ways to work out what to set the UMASK value to: the easy way, and the slightly more complicated but more accurate way.  I'll cover the easy way here, but will add a page in the future explaining the full masking procedure.  It's important to note that although the easy way gets the correct answer, it's not the correct procedure!

So, the easy way to work out the UMASK figure is to start with the actual permissions you want as the default and work backwards to the initial permissions (the 666 and 777 figures shown earlier).  As an example, let's say that for a directory we want the owner to have Read, Write and Execute permissions, the owner group to have Read and Write permissions, and everyone else to have Read only.  Displaying this in octal gives 7 (RWX), 6 (RW), 4 (R), and subtracting this from the initial permissions should give you the UMASK setting you need.

777 - 764 = 013, so 013 is the UMASK setting.
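The 'full masking procedure' that the guide defers to is a bitwise operation: each umask digit clears bits from the creation mode rather than being subtracted from it.  The shell functions below (an added example, not from the original guide) apply that rule to the masks used on this page and reverse it for a wanted directory mode; note that they give 664, not 554, for umask 112 on a file, because a file starts with no execute bits for the mask to remove.

```shell
#!/bin/sh
# The real umask rule: final_digit = start_digit AND NOT mask_digit,
# applied per octal digit.  For a single 3-bit digit, NOT mask_digit
# is the same as (7 - mask_digit), which is what the arithmetic below uses.
apply_umask() {
    # $1: starting mode, 666 for files or 777 for directories
    # $2: umask, 3 or 4 octal digits (the leading 0 printed by `umask` is dropped)
    start=$1; mask=$2; out=""
    case ${#mask} in 4) mask=$(printf '%s' "$mask" | cut -c 2-4) ;; esac
    i=1
    while [ "$i" -le 3 ]; do
        s=$(printf '%s' "$start" | cut -c "$i")
        m=$(printf '%s' "$mask" | cut -c "$i")
        out="$out$(( s & (7 - m) ))"   # keep only the bits the mask does not clear
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# The guide's "easy way" in reverse: the umask that yields a wanted
# directory mode is 777 minus that mode, digit by digit.  Files then get
# the same mask applied to 666, so execute bits never appear on them.
umask_for_dir() {
    want=$1; out=""; i=1
    while [ "$i" -le 3 ]; do
        d=$(printf '%s' "$want" | cut -c "$i")
        out="$out$((7 - d))"
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# Demonstration with the masks used on this page (constructed, no files are touched).
for m in 000 002 013 112; do
    printf 'umask %s: files %s  directories %s\n' "$m" \
        "$(apply_umask 666 "$m")" "$(apply_umask 777 "$m")"
done
printf 'want rwxrw-r-- on directories -> umask %s\n' "$(umask_for_dir 764)"
```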

To see what the current UMASK setting is use;

umask

After running this command, you'll probably see something like 0002, which is what most Linux distros will be set to (this means that the default file permissions will be 664 and the default directory permissions will be 775.)  Setting the UMASK can be done by using;

umask 013

If you want this to survive a reboot, set it in /etc/bashrc and /etc/profile.

If you really can't work out UMASK settings, some kind soul at IBM has listed them here.
