This course covers the security features that you can use in order to secure your files and directories on Linux. We look at permissions, data sharing, special modes, file attributes, ACLs, and rootkits. You will also have the chance to follow along with guided demonstrations which will give you a practical understanding of the concepts covered.
- Learn how Linux file and directory permissions work and how to apply the proper permissions to files and directories
- Learn how to share data securely with groups and multiple users on a Linux system
- Understand how special modes add extra security to file systems
- Learn how to make files unchangeable even by the root user and how to secure the log files on a Linux system by making them append-only
- Learn how to secure files and directories using ACLs
- Learn about rootkits and how to discover and remove them
This course is intended for anyone who wants to understand how to secure their Linux systems.
To get the most out of this course, you should already have a good working knowledge of Linux. If you want to brush up on your Linux skills, consider taking our Learn Linux in 5 Days learning path first.
In today's lesson, we'll be talking about symbolic permissions, numeric permissions, file versus directory permissions, how to change permissions, how to work with groups, and the file creation mask. Here is some output from an ls -l command. If you look at the permission string, the first character indicates the type: it begins with a dash (-) for a regular file, a d for a directory, or an l for a symbolic link. The other characters you'll encounter in the permission string are r, w, and x, which represent the three main types of permissions: read (r), write (w), and execute (x). If you have read permission on a file, you can see its contents; for example, you could run cat against the file and see what it contains. If you have write permission on a file, you can modify it and change its contents. If you have execute permission, you can run that file as a program. Read, write, and execute are fairly self-explanatory when they're applied to files, but they have a slightly different meaning when applied to directories. Read permission on a directory means you can see the file names in the directory; without read permission you will not be able to see the directory's contents. Write permission on a directory allows entries within the directory to be modified, so you can edit files that are in the directory. Execute permission gives you the ability to see metadata about the files in the directory: read permission lets you see file names, whereas execute permission lets you see modification dates, owner, and group information, just as you would in an ls -l long listing. There are categories of users that these read, write, and execute permissions can be applied to.
These categories are user, group, other, and all, and like the permission types, each one is represented by a single letter: u represents the user that owns the file, g represents the users in the file's group, o represents other (users who are neither the owner nor members of the file's group), and a represents all, or everybody. Every user on a Linux system belongs to at least one group, called their primary group, but users can belong to many groups. For example, if members of the sales team need access to some of the same files and directories, they can be placed into the sales group. Run the groups command to see which groups you are a member of. If you supply another user's ID as an argument to the groups command, you'll see a list of the groups that user belongs to. You can also use id -Gn as a synonym for groups; it gives you the same output. In this example, running the groups command shows that I'm in the Jason group and the sales group. You can also see that id -Gn returns the same value as the groups command does. If you run the groups command followed by another username, you'll see the groups they are in. For instance, Pat is in the finance and New York groups. The admin user is only in the admin user group. At this point, you finally have enough background information to start decoding the permission string. We covered that the first character is the type, be it a directory, a file, or a link. The next three characters represent the permissions available to the user, also known as the owner of the file. The next three characters represent the permissions available to the members of the file's group. The final three characters represent the permissions available to all other users. With permissions, order has meaning, so permissions are always displayed in this order: user, followed by group, and finally others.
The permission types of read, write, and execute are always displayed in that order too, so if a particular permission is not granted, a hyphen takes its place. Permissions are also known as modes, which is why the command you use to change permissions is called chmod, short for change mode. The format of the chmod command is chmod mode file, and there are two ways to specify the mode: symbolic notation and numeric notation. To specify modes with symbolic notation, run the chmod command followed by a user category (u, g, o, or a), an operator to add (+), subtract (-), or set (=) permissions, and then the permissions themselves (r, w, or x). You add, subtract, or set permissions using pairs of a user category and permissions. So pick a category: user, group, other, or all. Let's pick group. Then decide what to do: add, subtract, or set the permission. Let's add. We can add read, write, or execute; let's just add the write permission, chmod g+w. You can see that an extra w shows up in the permission string in the appropriate place for group. You can undo this by subtracting that permission, chmod g-w. You can also change more than one permission at a time, so we can give the group write and execute permissions with chmod g+wx. If you want to set different permissions for different user categories, separate the specifications with a comma. For instance, we can add read, write, and execute for the user and take away execute from the group with chmod u+rwx,g-x, and you can see that the change has taken effect. When you use an equal sign, the permission is set to exactly what you specify. So let's set all to read, chmod a=r, and we can see that the user (the owner), the group, and other are now all set to just read permission. Also, if you don't specify any permissions after the equal sign, all the permissions are removed.
So let's set the user to read, write, and execute, the group to read and execute, and give no permissions to others: chmod u=rwx,g=rx,o= followed by the file name. In addition to symbolic mode, octal mode (also called numeric mode) can be used with chmod to set file and directory permissions. In octal mode, permissions are based on binary: each permission type is treated as a bit that is either off (0) or on (1). Again, in permissions, order has meaning, so permissions are always in read, write, execute order. If r, w, and x are all off, the binary representation is 000; if they're all on, it is 111. If you want to omit the write permission, the binary representation is 101. To get a number you can use with chmod, convert the binary representation into base 10, or decimal. The shortcut is to remember that read equals 4, write equals 2, and execute equals 1; the permission number for a category is the sum of the values of the permissions granted. There are eight possible values, from 0 to 7, hence the name octal mode. This graphic lists all eight possible options. The user categories are always in user, group, other order, so once you determine the octal value for each category, you specify them in that order. For example, to give read, write, and execute to the user, read and execute to the group, and just read to other, you would run chmod 754 followed by the file name. Here are the most commonly used permissions. 700 ensures that a file can be read, edited, and executed by the owner, and no one else on the system has access to that file. 755 allows everyone on the system to execute the file, but only the owner can edit it. 664 allows a group of people to modify the file and lets others read it. 660 allows a group of people to modify the file and does not let others read it.
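The decoding of the permission string and the read=4, write=2, execute=1 rule described above, as an added example in POSIX sh (not part of the lesson's own material): perm_to_octal turns the rwx string that ls -l prints into the octal mode chmod accepts, and octal_to_perm goes the other way using the eight per-digit combinations. Function names are my own.

```shell
#!/bin/sh
# Added example: convert between the ls -l rwx string and the chmod octal mode.

# Octal value of one rwx triplet, e.g. "r-x" -> 5 (read 4 + execute 1).
triplet_value() {
    value=0
    case $1 in r??) value=$((value + 4)) ;; esac
    case $1 in ?w?) value=$((value + 2)) ;; esac
    case $1 in ??x) value=$((value + 1)) ;; esac
    echo "$value"
}

# perm_to_octal rwxr-xr--  -> 754
# The full 10-character ls -l field (-rwxr-xr--, drwxr-x---) is accepted too:
# the leading type character is dropped before decoding.
perm_to_octal() {
    perms=$1
    case ${#perms} in
        10) perms=${perms#?} ;;
        9)  ;;
        *)  echo "perm_to_octal: expected 9 or 10 characters, got '$1'" >&2; return 1 ;;
    esac
    user=${perms%??????}          # first three characters
    rest=${perms#???}
    group=${rest%???}             # middle three
    other=${rest#???}             # last three
    # Categories are always reported in user, group, other order.
    echo "$(triplet_value "$user")$(triplet_value "$group")$(triplet_value "$other")"
}

# rwx string for one octal digit: the eight possible combinations.
digit_to_triplet() {
    case $1 in
        0) echo '---' ;; 1) echo '--x' ;; 2) echo '-w-' ;; 3) echo '-wx' ;;
        4) echo 'r--' ;; 5) echo 'r-x' ;; 6) echo 'rw-' ;; 7) echo 'rwx' ;;
        *) echo "digit_to_triplet: '$1' is not an octal digit" >&2; return 1 ;;
    esac
}

# octal_to_perm 754 -> rwxr-xr--
octal_to_perm() {
    mode=$1
    case $mode in
        [0-7][0-7][0-7]) ;;
        *) echo "octal_to_perm: expected three octal digits, got '$mode'" >&2; return 1 ;;
    esac
    rest=${mode#?}
    echo "$(digit_to_triplet "${mode%??}")$(digit_to_triplet "${rest%?}")$(digit_to_triplet "${rest#?}")"
}
```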
Mode 644 allows everyone on the system to read the file, but only the owner can edit it. If you are ever about to use 777 or 666 for permissions, ask yourself whether there's a better way to do it, because 777 gives everyone on the system full access to that file or directory. For example, if a program or script is set to 777, anyone on the system can make changes to it, and since the execute bit is set for everyone, anyone on the system can run it. So if malicious code were inserted, either on purpose or by accident, it could cause unnecessary trouble. If multiple people need write access to a file, consider using groups and limiting that access to the members of that group. In general, it's good to avoid the 777 and 666 permission modes.
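The sequence of symbolic chmod changes walked through above, plus a check for the 666/777-style modes the lesson warns against, as an added example (my own script, not the lesson's): it applies each step to a scratch file, reads the mode back the way ls -l shows it, and lists regular files under a directory that are writable by "other". Function names and the scratch path are my own.

```shell
#!/bin/sh
# Added example: replay the lesson's symbolic chmod steps and audit for
# world-writable files.

# The 10-character permission field that ls -l prints for a path.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Apply the lesson's symbolic changes to FILE in order, printing the
# permission string after each one. Expected progression:
#   start (644)      -rw-r--r--
#   g+w              -rw-rw-r--
#   g-w              -rw-r--r--
#   g+wx             -rw-rwxr--
#   u+rwx,g-x        -rwxrw-r--
#   a=r              -r--r--r--
#   u=rwx,g=rx,o=    -rwxr-x---
walk_symbolic_modes() {
    f=$1
    chmod 644 "$f"                      # known starting point
    printf '%-16s %s\n' "start (644)" "$(mode_of "$f")"
    for spec in g+w g-w g+wx u+rwx,g-x a=r u=rwx,g=rx,o=; do
        chmod "$spec" "$f"
        printf '%-16s %s\n' "$spec" "$(mode_of "$f")"
    done
}

# Regular files under DIR whose "other" write bit is set (as in 666 and 777).
# -perm -002 matches any file that has at least that bit, whatever else is set.
world_writable_files() {
    find "$1" -type f -perm -002
}

# Run the demonstration when invoked as: sh this_script.sh demo
if [ "${1-}" = "demo" ]; then
    scratch=$(mktemp -d)                # constructed scratch directory
    : > "$scratch/script.sh"
    walk_symbolic_modes "$scratch/script.sh"
    chmod 777 "$scratch/script.sh"      # the mode the lesson advises against
    echo "world-writable files under $scratch:"
    world_writable_files "$scratch"
    rm -rf "$scratch"
fi
```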
Jason is the founder of the Linux Training Academy as well as the author of "Linux for Beginners" and "Command Line Kung Fu." He has over 20 years of professional Linux experience, having worked for industry leaders such as Hewlett-Packard, Xerox, UPS, FireEye, and Amazon.com. Nothing gives him more satisfaction than knowing he has helped thousands of IT professionals level up their careers through his many books and courses.