File Permissions on Linux
Every file and directory on a Linux/Unix system has a set of access permissions associated with it. These include the owner of a file, the group a file is associated with, and who has read, write, and execute permission on that file. These permissions allow you to choose who can use your files, and control what they can do with them.
Using File Permissions
How to see what permissions are set on a file or directory
With the command ls, you can see the contents of a directory:

    username@machine:~ $ ls
    accounts.txt  backgrounds  ChessClassDiagram  cs240  cs312

If you use ls -l, you see extra information about each file:

    username@machine:~ $ ls -l
    -rw-r--r-- 1 username guest  107 Jan 10 10:06 accounts.txt
    drwxr-xr-x 3 username guest 4096 Mar 29  2002 backgrounds
    -rw-r--r-- 1 username guest 2414 Apr  1 08:28 ChessClassDiagram
    drwx------ 5 username guest 4096 Mar 14 14:25 cs240
    drwxr-xr-x 6 username guest 4096 Apr 16  2002 cs312

Reading the columns from left to right:

- The permissions set on the file or directory.
- The number of hard links. A regular file usually shows 1; a directory shows 2 plus the number of subdirectories it contains.
- The user that owns the file or directory.
- The group that the file or directory is associated with.
- The size in bytes. Directories usually show the size of their entry block, 4096 here.
- The date (or date and time, if recent) that the file or directory was last modified.
- The name of the file or directory.
Explanation of permissions
Permission attributes are the first field of output for ls -l. They are shown as ten characters where each character represents a specific attribute. If the first character on the left is a 'd', the item is a directory; if it is a '-' it is a regular file (other characters appear for special items, for example 'l' for a symbolic link). The other nine characters show the permissions themselves, each of which can be one of the following:

- r = read
- w = write
- x = execute
- X = conditional execute (only used when setting permissions with chmod)
- s = set id
- t = sticky

r, w, and x are simple permissions which grant that type of access to the specified category of user. X, s, and t can be somewhat complicated and will not be discussed in this document. Consult the chmod man page for more information about any of these permissions.

Permissions can be granted to three different categories of users: user (u), group (g), and other (o). The user permissions pertain to the current owner of the file, which is normally whoever created it. The group permissions pertain to users who are listed in the group to which the file is assigned. All other users belong to the other category, often referred to as "world". Additionally, you can choose to grant a permission to all three categories at once (a).

Each category of user is described with three characters in the output of ls -l: read, write, and execute. The first three (after the file/directory flag) describe user permissions, the second three pertain to the group, and the last three are world permissions. As an example, let's look at the permissions for the directory 'backgrounds', drwxr-xr-x. They are broken up from left to right in four parts:

- d: This is a directory.
- rwx: Owner permissions. Read, write, and execute are all set, so the owner can do anything he or she desires with the directory.
- r-x: Group permissions. Anyone who is a member of the group can list the directory and access the files in it, but not modify it (create, rename, or delete entries).
- r-x: World permissions. Anyone who is not the owner or a member of the group can likewise list and access the directory, but not modify it.
Setting permissions
Setting permissions on files and directories is done using the command chmod. This document presents a simple explanation of chmod. For a detailed explanation, check the man page using man chmod.

The basic syntax of chmod is chmod <permissions> <filename>. The permission mode is set using the one-letter code for the user category, an operator (+ to add the permission, - to remove it, or = to set exactly the listed permissions), and the one-letter code for the permission. Several such changes can be given at once, separated by commas. If we want to add user execute permission to the file accounts.txt, for example, we use the command chmod u+x accounts.txt. The output from ls -l accounts.txt now reads:

    -rwxr--r-- 1 username guest 107 Jan 10 10:06 accounts.txt

Now we can tell the operating system to execute this file. Of course, since this is a text file, executing it can have strange effects.
If you want to change multiple permissions for multiple types of users, you can use the numeric representation of the permission modes. See the next section for an explanation of numeric permission modes.
Setting Permissions Numerically
You can also set your permissions via a numeric (octal) system, where each category of user gets one digit made by adding the values of the permissions it should have:

- 0 = no permission
- 1 = eXecute
- 2 = Write
- 3 = eXecute and Write (1 + 2 = 3)
- 4 = Read
- 5 = eXecute and Read (1 + 4 = 5)
- 6 = Write and Read (2 + 4 = 6)
- 7 = eXecute, Write, and Read (1 + 2 + 4 = 7)

The three digits are given in the order user, group, other. For example, chmod 754 <filename> will give the owner the rights rwx, the group r-x, and all other users r--. This is another useful way to set permissions. I find it pretty easy to remember. For more information, read chmod's man page.
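The mapping between the nine-character field that ls -l prints and the octal digits chmod accepts is mechanical, so it can be written down as code. The following shell script is an added example, not part of the original page: it converts the permission field to octal and back, handling only the plain r, w and x bits (the s and t bits are left out, as in the text above), and round-trips the entries from the ls -l listing shown earlier.

```shell
#!/bin/sh
# Added example, not from the original page: convert the permission field that
# ls -l prints (e.g. -rwxr-xr--) into the octal form chmod accepts (754), and
# back. Only the plain r, w and x bits are handled; s and t are not (see chmod(1)).

# mode_to_octal '-rwxr-xr--'  -> 754
mode_to_octal() {
    perms=$(printf '%s\n' "$1" | cut -c2-10)   # skip the type character (d or -)
    result=''
    # Take the field three characters at a time: user, group, other.
    for triple in "$(printf '%s\n' "$perms" | cut -c1-3)" \
                  "$(printf '%s\n' "$perms" | cut -c4-6)" \
                  "$(printf '%s\n' "$perms" | cut -c7-9)"; do
        n=0
        case $triple in r??) n=$((n + 4));; esac   # read    = 4
        case $triple in ?w?) n=$((n + 2));; esac   # write   = 2
        case $triple in ??x) n=$((n + 1));; esac   # execute = 1
        result="$result$n"
    done
    printf '%s\n' "$result"
}

# octal_to_mode 754 -> rwxr-xr--   (expects exactly three octal digits)
octal_to_mode() {
    result=''
    for d in $(printf '%s\n' "$1" | sed 's/./& /g'); do
        case $((d & 4)) in 0) result="$result-";; *) result="${result}r";; esac
        case $((d & 2)) in 0) result="$result-";; *) result="${result}w";; esac
        case $((d & 1)) in 0) result="$result-";; *) result="${result}x";; esac
    done
    printf '%s\n' "$result"
}

# Round-trip the entries from the ls -l listing above.
for entry in '-rw-r--r--' 'drwxr-xr-x' 'drwx------'; do
    octal=$(mode_to_octal "$entry")
    printf '%s  %s  %s\n' "$entry" "$octal" "$(octal_to_mode "$octal")"
done
```

The script is plain POSIX sh, so it runs under dash as well as bash. A real listing may contain s, S, t or T in the execute positions; those characters are not matched by the ??x pattern, so the bit would be reported as unset, which is exactly the simplification the text makes.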
Defining Default Permissions
The command umask defines the default permissions that will be given to new files and directories created by a user's programs. Although umask takes arguments in a manner similar to chmod, the octal argument represents permissions that will not be granted (they are masked out). A program normally asks for mode 666 (rw-rw-rw-) when it creates a regular file and 777 (rwxrwxrwx) when it creates a directory, and the bits set in the mask are removed from that request. Hence umask 000 means a newly created file will have permissions of -rw-rw-rw-, umask 022 (the usual system default) yields -rw-r--r--, and umask 077 yields -rw-------. In symbolic form the argument lists the permissions that are kept rather than those that are removed, so umask u=rwx,g=rx,o=rx is the same as umask 022; umask -S prints the current mask in that form. The default umask on a system is usually set in /etc/profile or /etc/bashrc (on many distributions the login default comes from the UMASK setting in /etc/login.defs). If you want your files to have different permissions than the system default, set the umask in your .bashrc file using a line such as this:

    umask 077

Note that umask by itself never makes a file executable: regular files are requested without execute bits, and the mask can only remove permissions, so you must add the execute bit yourself with chmod. Directories are requested with the execute bit set and keep it unless the mask removes it; on a directory this bit is what allows users to enter it and reach the files inside.
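The arithmetic behind umask (requested mode AND NOT mask) is easy to check against what the kernel actually does. The script below is an added example, not part of the original page: it computes the expected modes, then creates a file and a directory under a given umask in a throwaway temporary directory and reads back their real modes. It assumes a GNU or BusyBox stat (for stat -c '%a') and mktemp -d.

```shell
#!/bin/sh
# Added example, not from the original page: what a umask does to new files and
# directories, first by arithmetic and then by creating them for real.
# Assumes GNU/BusyBox stat (stat -c '%a') and mktemp -d.

# apply_umask 666 077 -> 600.  Octal arithmetic: requested mode AND NOT mask.
# The leading 0 makes the shell read the digits as octal; & 0777 drops the
# sign bits that ~ leaves set.
apply_umask() {
    printf '%o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# Create a file and a directory under umask $1 in a temporary directory and
# print their resulting modes as "FILE DIR".  Files are requested with 666
# (no execute bits) and directories with 777, which is why a file never gets
# the x bit from umask alone, even with umask 000.
new_modes_under_umask() {
    tmp=$(mktemp -d)
    (
        umask "$1"                # affects only this subshell
        : > "$tmp/file"           # shell redirection creates the file with 666 & ~mask
        mkdir "$tmp/dir"          # mkdir creates the directory with 777 & ~mask
    )
    printf '%s %s\n' "$(stat -c '%a' "$tmp/file")" "$(stat -c '%a' "$tmp/dir")"
    rm -rf "$tmp"
}

for m in 000 022 077; do
    printf 'umask %s -> file and dir: %s (computed: %s %s)\n' "$m" \
        "$(new_modes_under_umask "$m")" "$(apply_umask 666 "$m")" "$(apply_umask 777 "$m")"
done
```

Running it shows that umask 000 still yields a 666 file rather than 777, which is the point made above: the mask only ever clears bits, and the execute bit must be added afterwards with chmod.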
Important permissions to set
Prevent Unauthorized Access
To prevent others from accessing your home directory, you should make sure that your home directory is not world or group readable or writable. You do this with the command chmod -R go-wr ./ executed from your home directory. Note that this removes only read and write: any execute bit stays, so other users can still pass through a directory (though not list it) if they know the names inside. For a directory that should be completely private, use chmod go-rwx (or chmod 700) on it. Note also that -R strips read permission from everything under your home directory, including a public_html directory; re-apply the web server permissions described in the next section afterwards.

Make sure that you do not grant world or group write permissions on your directories. Users can add and remove files that they do not own in any directory where they have write permission (unless the directory has the sticky bit set). World and group write permissions on your home directory allow other users to delete all of your files or add unauthorized files to your home directory.
Setting Permissions for Webpages
For the web server to correctly serve pages from your account, it needs permission to reach your public_html directory and read the files in it. For this reason you need to set the following permissions:

- Your home directory must be world executable (chmod o+x ~), so the server can pass through it; it does not need to be world readable.
- Your public_html directory must be world readable and executable (chmod o+rx ~/public_html).
- All HTML files that you want served must be world readable (chmod o+r on each file).
- None of your files should be world writable!

Because chmod -R go-wr from the previous section also removes read permission from public_html, run these commands after it, not before.
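The lock-down and the web-server exceptions interact, and the order matters. The script below is an added example, not part of the original page: it builds a throwaway "home" with deliberately bad permissions in a temporary directory (it never touches the real $HOME), applies the page's chmod -R go-wr, re-opens only the web path, and then audits the tree for anything still group- or world-writable. The public_html/index.html layout follows the text; the file contents and the private/ directory are constructed for the demo. It assumes a GNU or BusyBox stat for stat -c '%a'.

```shell
#!/bin/sh
# Added example, not from the original page: lock a home directory down as the
# text recommends, re-open only what the web server needs, then audit the result.
# Runs entirely inside a temporary directory created here, not in the real $HOME.

mode_of() { stat -c '%a' "$1"; }    # octal mode of a path (GNU/BusyBox stat)

# Build a constructed fake home with deliberately bad permissions.
make_fake_home() {
    fake=$(mktemp -d)
    mkdir "$fake/public_html" "$fake/private"
    printf '<h1>hello</h1>\n' > "$fake/public_html/index.html"
    printf 'secret\n' > "$fake/private/notes.txt"
    chmod 777 "$fake/private"                  # group/world writable directory
    chmod 666 "$fake/public_html/index.html"   # world-writable web page
    printf '%s\n' "$fake"
}

# Step 1: the page's lock-down.  It removes only r and w; any x bit stays, so
# other users can still traverse directories whose names they know.
lock_down_home() {
    chmod -R go-wr "$1"
}

# Step 2: re-open the web path.  Step 1 also stripped read from public_html,
# so this must run afterwards.  Nothing here grants write permission.
open_web_path() {
    chmod go+x "$1"                                       # home: traversable only
    find "$1/public_html" -type d -exec chmod go+rx {} +  # public_html and subdirs
    find "$1/public_html" -type f -exec chmod go+r {} +   # served files
}

# Audit: list everything under the tree that is group- or world-writable
# (POSIX find: -perm -020 = group write bit set, -perm -002 = other write bit set).
find_group_or_world_writable() {
    find "$1" \( -perm -020 -o -perm -002 \)
}

h=$(make_fake_home)
printf 'before: %s writable entries\n' "$(find_group_or_world_writable "$h" | wc -l)"
lock_down_home "$h"
open_web_path "$h"
printf 'after:  %s writable entries\n' "$(find_group_or_world_writable "$h" | wc -l)"
printf 'home=%s public_html=%s index.html=%s private=%s\n' \
    "$(mode_of "$h")" "$(mode_of "$h/public_html")" \
    "$(mode_of "$h/public_html/index.html")" "$(mode_of "$h/private")"
rm -rf "$h"
```

After both steps the home directory is 711, public_html is 755, the served file is 644 and the private directory is 711; the audit finds nothing writable. The remaining x bit on private/ is the caveat from the previous section: if that directory must be fully private, follow up with chmod 700 on it.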