File Permissions

Tip: Overview
  • Teaching: 20
  • Exercises: 15
  • Questions:
    • How does Linux know who can access files?
    • How can I see what permissions a file has?
    • How can I set or change the permissions on a file?
  • Objectives:
    • View file permissions
    • Understand the structure of the permissions string
    • Change owners and permissions of files
    • Use binary references to change permissions of files

Every file or folder in Linux has a set of permissions associated with it. These define who can access the file or folder and see or interact with it. Each file or folder has three types of entities that can have permissions assigned to them. These are User, Group and all others. They have the following definitions:

For example, if a file had the following set of permissions:

         user  group  all
read     yes   yes    no
write    yes   no     no
execute  no    no     no

it would mean that:

Let’s start by going back to the alkanes/ directory and quickly viewing the permissions of the methane.pdb file.

cd alkanes
ls -l methane.pdb
-rw-r--r--  1 nelle  bio   422B  8 Aug  2019 methane.pdb

The command ls -l lists the files in the current folder and displays them in the long listing format. While this may initially look complex, we can break this down in the following left to right order:

  1. A set of ten permission flags
  2. Link count (which is irrelevant to this course)
  3. The owner of the file
  4. The associated group
  5. The size of the file in bytes
  6. The date that the file was last modified
  7. The name of the file

The permission flags are the important thing we want to look at here. We can further break these down into the following three basic permission types:

Each of these permission types is listed in the _rwxrwxrwx section of the output. The first character marked by an underscore is the special permission flag that can vary. It shows things like whether the item is a directory.

Note: On users and groups

When listing the contents of a directory you may come across files that have the same text for both the user and group. An example of this is in the output:

-rw-r--r--  1 nelle  nelle   422B  1 Sep  2019 test.txt

In Linux, users will usually have a group associated with them that shares the same name that the user does. While this can seem strange, make sure that you understand the difference in the output so you know who has access to your files.

Note: Can you spot the difference here? What does it mean?

Let’s take a look at some files in a different folder.

cd Desktop/shell-lesson-data/north-pacific-gyre
ls -l
-rw-r--r-- 1 nelle  bio  4406  8 Aug  2019 NENE01729A.txt
-rw-r--r-- 1 nelle  bio  4400  8 Aug  2019 NENE01729B.txt
-rw-r--r-- 1 nelle  bio  4371  8 Aug  2019 NENE01736A.txt
-rw-r--r-- 1 nelle  bio  4411  8 Aug  2019 NENE01751A.txt
-rw-r--r-- 1 nelle  bio  4409  8 Aug  2019 NENE01751B.txt
-rw-r--r-- 1 nelle  bio  4401  8 Aug  2019 NENE01812A.txt
-rw-r--r-- 1 nelle  bio  4395  8 Aug  2019 NENE01843A.txt
-rw-r--r-- 1 nelle  bio  4375  8 Aug  2019 NENE01843B.txt
-rw-r--r-- 1 nelle  bio  4372  8 Aug  2019 NENE01971Z.txt
-rw-r--r-- 1 nelle  bio  4381  8 Aug  2019 NENE01978A.txt
-rw-r--r-- 1 nelle  bio  4389  8 Aug  2019 NENE01978B.txt
-rw-r--r-- 1 nelle  bio  3517  8 Aug  2019 NENE02018B.txt
-rw-r--r-- 1 nelle  bio  4391  8 Aug  2019 NENE02040A.txt
-rw-r--r-- 1 nelle  bio  4367  8 Aug  2019 NENE02040B.txt
-rw-r--r-- 1 nelle  bio  4381  8 Aug  2019 NENE02040Z.txt
-rw-r--r-- 1 nelle  bio  4386  8 Aug  2019 NENE02043A.txt
-rw-r--r-- 1 nelle  bio  4393  8 Aug  2019 NENE02043B.txt
-rwxr-xr-x 1 nelle  bio   345  8 Aug  2019 goodiff
-rwxr-xr-x 1 nelle  bio   218  8 Aug  2019 goostats

The data files in this folder, e.g. NENE01978A.txt, have a different permission set to goodiff. Can you tell why this is and explain what this might mean for the goodiff file?

The goodiff file has the execution flags set for user, group and all, which will allow anyone to execute the file. It’s therefore likely that goodiff is a script that performs some actions. In theory you could run this script using ./goodiff.

Note: Challenge

Let’s take a further look by looking in the folder above this.

cd ..
ls -l
drwxr-xr-x 21 nelle  bio  672  8 Aug  2019 2012-07-03 exercise-data
drwxr-xr-x 21 nelle  bio  672  8 Aug  2019 2012-07-03 north-pacific-gyre

Can you guess what the d at the beginning of the output line means?

The d indicates whether the file has any special type associated with it. In this case it’s indicating that this is a directory.

Modifying Permissions

Let’s say we want to modify who can access some of the files in the alkanes/ directory. We’ll assume here that we’re members of the bio group on our system. On the cluster, all users must be members of the cluster group to run jobs on the system. Each lab has a group associated with it, so we can use this method to share files with other members of the same lab.

We’ll start by changing the ownership of the methane.pdb file so everyone who is a member of the bio group is able to read this file.

Note: Groups

You’ll find that if you try to assign a group to a file and the group does not exist you’ll get something similar to the following output.

chown: bio: illegal group name

If you’re trying to do this locally, you can list the groups you’re currently a member of using the groups command like so:

groups

Just pick one of these groups to demonstrate the method shown below.

cd Desktop/shell-lesson-data/exercise-data/alkanes
chown nelle:compbio methane.pdb

We can break the chown command down into the following parts: the command itself, chown; the user we want to set, nelle; the group we want to set, compbio; and the filename, methane.pdb. When we list the contents of the directory again, we would see the change reflected like so:

total 48
-rw-r--r-- 1 nelle  bio    1158  8 Aug  2019 cubane.pdb
-rw-r--r-- 1 nelle  bio     622  8 Aug  2019 ethane.pdb
-rw-r--r-- 1 nelle  compbio 422  8 Aug  2019 methane.pdb
-rw-r--r-- 1 nelle  bio    1828  8 Aug  2019 octane.pdb
-rw-r--r-- 1 nelle  bio    1226  8 Aug  2019 pentane.pdb
-rw-r--r-- 1 nelle  bio     825  8 Aug  2019 propane.pdb

Now let’s say we want to allow members of the group to be able to make changes to this methane.pdb file but don’t want anyone else to see or edit this file. To do this, we’ll need to change the permissions of the file. To explicitly define permissions you will need to reference the Permission Group and Permission Types.

The Permission Groups used are:

  • u - Owner
  • g - Group
  • o - Other / All Users
  • a - All (Owner, Group and All Users)

The Permission Types that are used are:

  • r - Read
  • w - Write
  • x - Execute

The potential Assignment Operators are + (plus) and - (minus); these are used to tell the system whether to add or remove the specific permissions.

First, let’s remove the ability for other users to read the methane.pdb file. We can do this by specifying the o permission group, the r permission type and the - (minus) operator. The command that we use to modify permissions is chmod (whose name stands for “change mode”).

chmod o-r methane.pdb

Checking this has gone through using ls -l:

total 48
-rw-r--r-- 1 nelle  bio    1158  8 Aug  2019 cubane.pdb
-rw-r--r-- 1 nelle  bio     622  8 Aug  2019 ethane.pdb
-rw-r----- 1 nelle  compbio 422  8 Aug  2019 methane.pdb
-rw-r--r-- 1 nelle  bio    1828  8 Aug  2019 octane.pdb
-rw-r--r-- 1 nelle  bio    1226  8 Aug  2019 pentane.pdb
-rw-r--r-- 1 nelle  bio     825  8 Aug  2019 propane.pdb

Good, we can see that the r flag has been removed from the other users section of the ten permission flags.

Now let’s continue by allowing all members of the bio group to write or edit the file.

chmod g+w methane.pdb

And again, checking this has gone through using ls -l:

total 48
-rw-r--r-- 1 nelle  bio    1158  8 Aug  2019 cubane.pdb
-rw-r--r-- 1 nelle  bio     622  8 Aug  2019 ethane.pdb
-rw-rw---- 1 nelle  compbio 422  8 Aug  2019 methane.pdb
-rw-r--r-- 1 nelle  bio    1828  8 Aug  2019 octane.pdb
-rw-r--r-- 1 nelle  bio    1226  8 Aug  2019 pentane.pdb
-rw-r--r-- 1 nelle  bio     825  8 Aug  2019 propane.pdb

Excellent, now all members of the group can both read and write to the methane.pdb file. You can apply this same method to any files that you have write permissions over.

Note: Changing permissions for all files in a directory?

Say we want to change the permissions for all the files in the alkanes/ directory. How would we do this? Let’s try to apply what we’ve just learnt to give all other users write permissions over the files.

There are actually a few ways we can go about this, and it really depends on how we target the files to change. First, we could use the wildcards we learnt about previously to target files based on a specific pattern. In this case a simple * would suffice to pick out every file in the current folder, e.g.:

chmod o+w *

We could also use the recursive flag available to the chmod command to run through every file in a directory (including sub-directories) and apply a set of permissions to every file, e.g.:

cd ..
chmod -R o+w alkanes/

Either method works in this case, however be wary that as the -R flag works through the folder and all sub-folders, you may end up changing the permission on something you didn’t intend.
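
One way to check what a recursive change touches, as an added example that is not part of the original lesson: o+w leaves every matched file and folder writable by any account on the system, so it is worth listing what would change before running it and what is world-writable afterwards. The sample tree, file names and function names below are constructed for this example.

```sh
# Added example; names are hypothetical and the tree is constructed sample data.

# Build a small stand-in for alkanes/ with one nested sub-folder.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/alkanes/drafts"
    for f in methane.pdb ethane.pdb drafts/notes.txt; do
        : > "$root/alkanes/$f"
    done
    chmod 755 "$root/alkanes" "$root/alkanes/drafts"
    chmod 644 "$root/alkanes/ethane.pdb" "$root/alkanes/drafts/notes.txt"
    chmod 660 "$root/alkanes/methane.pdb"
    echo "$root"
}

# Entries that `chmod -R o+w DIR` would change: those without o+w today.
would_change() { find "$1" ! -perm -0002 | sort; }

# Entries that any account can modify (what o+w leaves behind).
world_writable() { find "$1" -perm -0002 | sort; }

tree=$(make_sample_tree)
echo "chmod -R o+w would touch:"
would_change "$tree/alkanes"          # includes drafts/ and drafts/notes.txt

chmod -R o+w "$tree/alkanes"
echo "world-writable afterwards:"
world_writable "$tree/alkanes"

chmod -R o-w "$tree/alkanes"          # undo the change
rm -rf "$tree"
```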

Using Binary References to Set Permissions

Now that you understand the permission groups and types, there is another way to set permissions: binary references. This replaces the explicitly defined permissions with binary references to them. While more complex than the previous method, it lets us define multiple different permissions for all three permission groups with a single command.

A sample permission string would be chmod 640 methane.pdb, which means that the owner has read and write permissions, the group has read permissions, and all other users have no rights to the file.

The first number represents the Owner permissions; the second represents the Group permissions; and the last number represents the permissions for all other users. The numbers are a binary representation of the rwx string where:

  • r = 4
  • w = 2
  • x = 1

You add the numbers to get the integer/number representing the permissions you wish to set. You will need to include the binary permissions for each of the three permission groups.

For example, issuing the following command changes the permissions assigned to methane.pdb so that the owner can both read and write the file, while group members and everyone else can only read it. These are the original permissions this file had.

chmod 644 methane.pdb
ls -l methane.pdb
-rw-r--r--  1 nelle  bio   422B  8 Aug  2019 methane.pdb

Note: Using binary references, how can you make a file executable?

Now we’ve seen how to use binary references to change permissions on a file. Can you change the methane.pdb file to make it executable? In this case, you can’t actually execute the file as it doesn’t contain the right data to do this, but it will teach you how to do this for other files in future, most notably scripts.

To ensure that we don’t make unintended changes to the other permissions currently assigned to the file, we need to first check what permissions it currently has:

ls -l methane.pdb
-rw-r--r--  1 nelle  compbio   422B  8 Aug  2019 methane.pdb

We can see that both the read permission flags are set for groups and others. This makes creating the binary reference here easy as we only need to take the integer 4 for both these flags. Now we have the end of the binary reference, we need to add up the rest to give execute permissions to the file. As we already have read and write permissions as the owner of the file, we only need to add 1 to the binary reference to get 7. Therefore, the full binary reference we need to set is 744.

chmod 744 methane.pdb
ls -l methane.pdb
-rwxr--r--  1 nelle  compbio   422B  8 Aug  2019 methane.pdb

Here, the first 7 assigns read, write, execute to owner, the first 4 adds read to the group, and the last 4 adds read permissions to others.
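
The arithmetic used in this section, as an added example that is not part of the original lesson: POSIX shell functions that turn the flag string printed by ls -l into its numeric form, turn a three-digit mode back into flags, and work out the mode that adds execute for the owner without disturbing the other flags. The function names are made up for this example, and special flags are rejected rather than handled.

```sh
# Added example; function names are hypothetical, not part of any tool.

# perm_to_octal FLAGS: "-rw-r--r--" (or "rw-r--r--") -> 644
perm_to_octal() {
    flags=$1
    # Ten characters means the leading file-type flag is present; drop it.
    if [ "${#flags}" -eq 10 ]; then flags=${flags#?}; fi
    case $flags in
        [r-][w-][x-][r-][w-][x-][r-][w-][x-]) ;;
        *) echo "unsupported flags: $1" >&2; return 1 ;;
    esac
    out=""
    for who in user group others; do
        rest=${flags#???}
        triad=${flags%"$rest"}      # first three flags = this entity's rwx
        flags=$rest
        digit=0
        case $triad in r??) digit=$((digit + 4)) ;; esac
        case $triad in ?w?) digit=$((digit + 2)) ;; esac
        case $triad in ??x) digit=$((digit + 1)) ;; esac
        out=$out$digit
    done
    echo "$out"
}

# octal_to_perm MODE: 640 -> rw-r-----
octal_to_perm() {
    case $1 in
        [0-7][0-7][0-7]) ;;
        *) echo "unsupported mode: $1" >&2; return 1 ;;
    esac
    mode=$1
    out=""
    while [ -n "$mode" ]; do
        rest=${mode#?}; d=${mode%"$rest"}; mode=$rest   # peel off one digit
        if [ $((d & 4)) -ne 0 ]; then out=${out}r; else out=${out}-; fi
        if [ $((d & 2)) -ne 0 ]; then out=${out}w; else out=${out}-; fi
        if [ $((d & 1)) -ne 0 ]; then out=${out}x; else out=${out}-; fi
    done
    echo "$out"
}

# add_owner_exec FLAGS: mode that adds x for the owner, other flags unchanged
add_owner_exec() {
    current=$(perm_to_octal "$1") || return 1
    printf '%03o\n' $(( 0$current | 0100 ))
}

add_owner_exec "-rw-r--r--"    # flags of methane.pdb as listed above
```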

Note: Necessary But Not Sufficient

The fact that something is marked as executable doesn’t actually mean it contains a runnable program. Marking an HTML file executable won’t make it run as a program; the OS may instead open it in the associated application.

. vs ..

Before we go any further, let’s run ls -a -l to get a long-form listing that includes directory entries that are normally hidden:

ls -a -l
total 48
drwxr-xr-x 1 nelle  bio        0  8 Aug  2019 .
drwxr-xr-x 1 nelle  bio     8192  8 Aug  2019 ..
-rw-r--rw- 1 nelle  bio     1158  8 Aug  2019 cubane.pdb
-rw-r--rw- 1 nelle  bio      622  8 Aug  2019 ethane.pdb
-rwxr--r-- 1 nelle  compbio  422  8 Aug  2019 methane.pdb
-rw-r--rw- 1 nelle  bio     1828  8 Aug  2019 octane.pdb
-rw-r--rw- 1 nelle  bio     1226  8 Aug  2019 pentane.pdb
-rw-r--rw- 1 nelle  bio      825  8 Aug  2019 propane.pdb

The permissions for . and .. (this directory and its parent) start with a ‘d’. But look at the rest of their permissions: the ‘x’ means that “execute” is turned on. What does that mean? A directory isn’t a program—how can we “run” it?

In fact, ‘x’ means something different for directories. It gives someone the right to traverse the directory, but not to look at its contents. The distinction is subtle, so let’s have a look at an example.

Nelle’s home directory has three subdirectories called venus, mars, and pluto:

Each of these has a subdirectory in turn called notes, and those sub-subdirectories contain various files.

  • If a user’s permissions on venus are ‘r-x’, then if she tries to see the contents of venus and venus/notes using ls, the computer lets her see both.
  • If her permissions on mars are just ‘r--’, then she is allowed to read the contents of both mars and mars/notes.
  • But if her permissions on pluto are only ‘--x’, she cannot see what’s in the pluto directory: ls pluto will tell her she doesn’t have permission to view its contents. If she tries to look in pluto/notes, though, the computer will let her do that. She’s allowed to go through pluto, but not to look at what’s there. This trick gives people a way to make some of their directories visible to the world as a whole without opening up everything else.

Tip: Key Points
  • We can list permissions for a file or folder using the -l flag with ls
  • The order of permissions groups is owner, group and others
  • The types of permissions are read, write and execute
  • Use the chown command to change both owner and group associated with a file/folder
  • Use chmod to change permissions.
  • Binary reference is made up of r=4, w=2 and x=1