Directories & Files
This course will get you up to speed with the fundamentals of Linux and prepare you for further study.
In today's lesson we'll be talking about symbolic permissions, numeric permissions, file versus directory permissions, how to change permissions, how to work with groups and the file creation mask. Here is some output from an ls -l command. If you look at the permission string, the first character indicates the type of entry: it begins with a dash if it's a regular file, a d if it's a directory, or an l if it's a symbolic link.
Other characters that you'll encounter in the permissions string include r, w and x. R, w and x represent the three main types of permissions. They are read, which is r; write, which is w; and execute, which is x. If you have read permission to a file, that means you can see its contents. For example, you could run cat against the file and you would see the file's contents. If you have write permission to a file, you can modify it. You can change its contents. If you have execute permission, you can run that file as a program.
Read, write and execute are fairly self-explanatory when they're applied to files; however, they have a slightly different meaning when they're applied to directories. For example, when read permission is applied to a directory, that means you can see the file names in the directory. If you don't have read permission to a directory, you will not be able to see the directory's contents. The write permission, when applied to a directory, allows entries to be modified within the directory, so you can edit files that are in the directory. The execute permission gives you the ability to see metadata about the files that are in the directory. Read permission gives you the ability to see file names, whereas execute permission gives you the ability to see modification dates and owner and group information, just like you would see in an ls -l long listing.
There are categories of users that these read, write and execute permissions can be applied to. These categories are user, group, other and all. And like the permission types, each one is represented by a single letter. For example, u represents the user that owns the file. The users that are in the file's group are represented by g. Users that are neither the owner nor in the file's group are considered other, represented by o. The letter a is used to represent all, or everybody. Every user on a Linux system belongs to at least one group, called their primary group. However, users can belong to many groups.
For example, if members of the sales team need access to some of the same files and directories, they can be placed into the sales group. Run the groups command to see what groups you are a member of. If you supply another user's ID as an argument to the groups command, you'll see a list of groups to which that user belongs. You can also use id -Gn as a synonym for groups. It will give you the same output.
In this example, running the groups command shows that I'm in the Jason group and the sales group. You can also see that id -Gn returns the same value as the groups command does. If you run the groups command followed by another username, you'll see the groups that they are in. For instance, Pat is in the finance and New York groups. The admin user is only in the admin user group.
At this point, you finally have enough background information to start decoding the permission string. We covered that the first character is the type, be it a directory, a file, or a link. The next three characters represent the permissions available to the user, also known as the owner of the file. The next three characters represent the permissions available to the members of the file's group. The final three characters represent the permissions available to all other users.
With permissions, order has meaning. Permissions will always be displayed in this order: user, followed by group and finally other. Also, the permission types of read, write and execute are always displayed in that order too. If a particular permission is not granted, a hyphen takes its place. Permissions are also known as modes. That's why the command you use to change permissions is called chmod, which is short for change mode. The format of the chmod command is chmod mode file, and there are a couple of different ways to specify the mode.
One is symbolic notation and the other is numeric notation. To specify modes or permissions with symbolic notation, run the chmod command followed by a user category (user, group, other or all), an operator to add, subtract or set permissions, and then the permissions themselves: read, write, or execute. You can add, subtract or set permissions using user category and permission pairs. So pick a category: user, group, other or all.
Let's pick group. Next, decide what we want to do: add, subtract or set the permission. Let's add. You can add read, write, or execute, so let's just add the write permission. You can see that an extra w shows up in the permissions string in the appropriate place for group. You can undo this by removing, or subtracting, that permission. You can also change more than one permission at a time, so we can specify that the group gets write and execute permissions.
If you want to set different permissions for different user categories, you can separate the specifications with a comma. So for instance, we can specify something for the user, let's add read, write, execute, and for group, let's take away execute. And you can see that that change has taken effect. When you specify an equal sign, that sets the permission to exactly what you specify.
So let's say all is set to read. And we can see now that the owner or the user, the group and other are all set to just read permission. Also, if you don't specify any permissions after the equal sign, all the permissions are removed. So let's set the user to read, write, execute, the group to read, execute, and we'll give no permissions to others.
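The symbolic steps above, replayed on a scratch file so you can see the permission string change after each one. This is an added example, not part of the course; it assumes GNU coreutils (stat -c), and the file name is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the course: replays the lesson's symbolic
# chmod steps on a scratch file and reads back the permission string
# that ls -l would show. Assumes GNU coreutils (stat -c).
set -eu

WORK=$(mktemp -d)              # constructed scratch directory
FILE="$WORK/sales.txt"         # hypothetical file name
: > "$FILE"
trap 'rm -rf "$WORK"' EXIT

# Start from a known octal mode ($1), apply one symbolic mode ($2) and
# echo the 10-character string: type, then user/group/other triplets.
symbolic_result() {
    chmod "$1" "$FILE"
    chmod "$2" "$FILE"
    stat -c '%A' "$FILE"
}

# The lesson's sequence, each step starting where the previous one
# ended (the starting point is given as octal so every step can be
# run on its own).
demo() {
    for spec in \
        "644 g+w"              \
        "664 g-w"              \
        "644 g+wx"             \
        "674 u+rwx,g-x"        \
        "764 a=r"              \
        "444 u=rwx,g=rx,o="; do
        set -- $spec
        printf '%-16s from %s -> %s\n' "$2" "$1" "$(symbolic_result "$1" "$2")"
    done
}

demo
```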
In addition to symbolic mode, octal mode or numeric mode can be used with chmod to set file and directory permissions. In octal mode, permissions are based in binary. Each permission type is treated as a bit that is either off (zero) or on (one). Again, in permissions, order has meaning, so permissions are always in read, write and execute order. So if r, w and x are all set to off, the binary representation is zero, zero, zero. If they're all set to on, the binary representation is one, one, one. If you want to omit the write permission, the binary representation would be one, zero, one.
To get a number that you can use with chmod, convert the binary representation into base 10 or decimal. So really the shortcut here is to remember that read equals four, write equals two and execute equals one. The permissions number is determined by adding up all the values for each permission type. There are eight possible values from zero to seven, hence the name octal mode. This graphic lists all eight possible options. The user categories are always in user, group and other order.
So once you determine the octal value for each category, you specify them in that order. For example, to get read, write, execute for user, read and execute for group, and just read for other, you would specify chmod 754 followed by the file name. Here are the most commonly used permissions.
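The conversion the lesson describes, carried out both ways in a small script: from the rwx triplets ls -l prints to the octal digits chmod takes, and back again, then checked on disk. This is an added example, not code from the course, and it assumes GNU coreutils (stat -c); it generalizes the 754 case to any mode.

```shell
#!/bin/sh
# Added example, not part of the course: converts between the rwx triplets
# ls -l prints and the octal digits chmod takes (r=4, w=2, x=1 as in the
# lesson), then checks one result on disk with chmod and stat (GNU assumed).
set -eu

# "r-x" -> 5: add 4, 2 and 1 for each letter present in its position.
triplet_to_digit() {
    d=0
    case $1 in r??) d=$((d + 4));; esac
    case $1 in ?w?) d=$((d + 2));; esac
    case $1 in ??x) d=$((d + 1));; esac
    echo "$d"
}

# "-rwxr-xr--" (leading type character optional) -> "754".
perms_to_octal() {
    p=${1#[-dl]}                       # drop the "-", "d" or "l" type char
    u=$(triplet_to_digit "$(printf %s "$p" | cut -c1-3)")
    g=$(triplet_to_digit "$(printf %s "$p" | cut -c4-6)")
    o=$(triplet_to_digit "$(printf %s "$p" | cut -c7-9)")
    echo "$u$g$o"
}

# 5 -> "r-x": test the read (4), write (2) and execute (1) bits.
digit_to_triplet() {
    r=-; w=-; x=-
    [ $(($1 & 4)) -eq 0 ] || r=r
    [ $(($1 & 2)) -eq 0 ] || w=w
    [ $(($1 & 1)) -eq 0 ] || x=x
    echo "$r$w$x"
}

# "754" -> "rwxr-xr--", one digit per user category, in u/g/o order.
octal_to_perms() {
    printf '%s%s%s\n' \
        "$(digit_to_triplet "$(printf %s "$1" | cut -c1)")" \
        "$(digit_to_triplet "$(printf %s "$1" | cut -c2)")" \
        "$(digit_to_triplet "$(printf %s "$1" | cut -c3)")"
}

# Apply an octal mode to a scratch file and read it back both ways.
check_with_chmod() {
    f=$(mktemp)                        # constructed scratch file
    chmod "$1" "$f"
    printf '%s %s\n' "$(stat -c %a "$f")" "$(stat -c %A "$f")"
    rm -f "$f"
}
echo "rwxr-xr-- -> $(perms_to_octal rwxr-xr--)"
echo "754 -> $(octal_to_perms 754), on disk: $(check_with_chmod 754)"
```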
So 700 ensures that a file can be read, edited and executed by the owner and no one else on the system will have access to that file. The 755 permission allows everyone on the system to execute the file, but only the user or the owner of the file can edit that file. 664 allows a group of people to modify the file and let others read it and 660 allows a group of people to modify the file and not let others read it.
Mode 644 allows everyone on the system to read the file, but only the user or the owner of that file can edit that file. If you're ever tempted to use 777 or 666 for permissions, ask yourself if there's a better way to do that, because giving 777 permissions gives everyone on the system full access to that file or directory. For example, if a program or a script is set to 777 permission, then anyone on the system can make changes to that script or program. Since the execute bit is set for everyone, that program can be executed by anyone on the system. So if malicious code was inserted, either on purpose or by accident, it could cause unnecessary trouble. If multiple people need write access to a file, consider using groups and limiting that access to the members of that group. In general, it's good to avoid 777 and 666 permission modes.
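A small audit script for the situation the lesson warns about: it walks a directory tree, lists every world-writable file and directory (and separately the scripts anyone could both edit and run), and suggests the group-based mode instead. This is an added example, not part of the course; it builds its own constructed scratch tree so it runs offline, and assumes GNU find and stat.

```shell
#!/bin/sh
# Added example, not part of the course: audits a directory tree for the
# over-permissive modes the lesson warns about (777, 666, anything
# world-writable) and suggests the group-based alternative. Builds a
# constructed scratch tree so it runs offline; GNU find and stat assumed.
set -eu

# Every file or directory under $1 whose "other" write bit is set,
# printed as "mode path", sorted for stable output.
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -exec stat -c '%a %n' {} + | sort
}

# Narrower view: regular files that everyone can both modify and run,
# the "anyone can edit the script, anyone can execute it" case.
find_world_writable_exec() {
    find "$1" -type f -perm -0003 -exec stat -c '%a %n' {} + | sort
}

# Drop only the world write bit from a 3-digit octal mode, keeping the
# rest: 777 -> 775, 666 -> 664 (the group keeps write, as the lesson suggests).
suggested_mode() {
    echo "${1%?}$(( ${1#??} & 5 ))"
}

# Constructed sample tree with a mix of sane and over-permissive modes.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir "$root/shared" "$root/private"
    : > "$root/shared/deploy.sh";    chmod 777 "$root/shared/deploy.sh"
    : > "$root/shared/notes.txt";    chmod 666 "$root/shared/notes.txt"
    : > "$root/private/report.txt";  chmod 644 "$root/private/report.txt"
    : > "$root/private/run.sh";      chmod 755 "$root/private/run.sh"
    chmod 777 "$root/shared"
    chmod 750 "$root/private"
    echo "$root"
}

# Report each finding with the mode it should probably have instead.
report() {
    find_world_writable "$1" | while read -r mode path; do
        printf '%s %s -> consider chmod %s\n' "$mode" "$path" "$(suggested_mode "$mode")"
    done
}

ROOT=$(make_sample_tree)
report "$ROOT"
rm -rf "$ROOT"
```

On a real system you would point find_world_writable at a directory such as a shared project folder rather than the constructed tree.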
Jason is the founder of the Linux Training Academy as well as the author of "Linux for Beginners" and "Command Line Kung Fu." He has over 20 years of professional Linux experience, having worked for industry leaders such as Hewlett-Packard, Xerox, UPS, FireEye, and Amazon.com. Nothing gives him more satisfaction than knowing he has helped thousands of IT professionals level up their careers through his many books and courses.