Ownership and Permissions

Earlier in this chapter, when you tried to cd to root's login directory, you received the following message:

[sam@halloween sam]$cd /root bash: /root: Permission denied [sam@halloween sam]$

That was one demonstration of Linux's security features. Linux, like UNIX, is a multiuser system, and file permissions are one way the system protects against accidental or malicious tampering.

One way to gain entry when you are denied permission is to su to root, as you learned earlier. This is because whoever knows the root password has complete access to the system.

[sam@halloween sam]$su Password: your_root_password [root@localhost sam]#cd /root [root@localhost /root]#

But switching to the root user is not always convenient or recommended, because it is easy to make mistakes and alter important configuration files as root.

All files and directories are "owned" by the person who created them. If, for example, you created the file sneakers.txt in your login directory, then sneakers.txt belongs to you.

That means you can specify who is allowed to read the file, write to the file, or (if it is an application instead of a text file) who can execute the file.

Reading, writing, and executing are the three main settings in permissions. Because users are placed into a group when their accounts are created, you can also specify whether certain groups can read, write to, or execute a file.

Take a closer look at sneakers.txt with the ls command using the -l (long) option (see Figure 8-8).

[sam@halloween sam]$ls -l sneakers.txt -rw-rw-r--    1 sam sam     150 Mar 19 08:08 sneakers.txt

There is a lot of detail provided here. You can see who can read (r) and write to (w) the file, as well as who created the file (sam), and to which group the owner belongs (sam). Remember that, by default, the name of your group is the same as your login name.

click to expand
Figure 8-8. Permissions for sneakers.txt

Other information to the right of the group includes file size, date and time of file creation, and file name. The first column shows current permissions; it has ten slots. The first slot represents the type of file. The remaining nine slots are actually three sets of permissions for three different categories of users.


Those three sets are: the owner of the file, the group in which the file belongs, and "others," meaning users and groups not yet specified.

-    (rw-)   (rw-)   (r--) 1 sam sam |      |       |       | type  owner  group   others

The first item, which specifies the file type, can show one of the following:

  • d — A directory

  • - (dash) — A regular file (rather than directory or link)

  • l — A symbolic link to another program or file elsewhere on the system

Beyond the first item, in the following three sets, you will see one of the following:

  • r — File can be read

  • w — File can be written to

  • x — File can be executed (if it is a program)

When you see a dash in owner, group, or others, it means that particular permission has not been granted. Look again at the first column of sneakers.txt and identify its permissions.

[sam@halloween sam]$ls -l sneakers.txt -rw-rw-r--    1 sam sam     150 Mar 19 08:08 sneakers.txt [sam@halloween sam]$

The file's owner (in this case, sam) has permission to read and write to the file. The group, also called sam, has permission to read and write to sneakers.txt as well. It is not a program, so neither the owner or the group has permission to execute it because it simply cannot be executed. People not in the sam group can only read the file. They cannot write to it or execute it.

The chmod Command

Use the chmod command to change permissions easily. This example shows how to change the permissions on sneakers.txt with the chmod command.

The original file looks like this, with its initial permissions settings:

-rw-rw-r--    1 sam sam     150 Mar 19 08:08 sneakers.txt

If you are the owner of the file or are logged into the root account you can change any permissions for the owner, group, and others.

Right now, the owner and group can read and write to the file (rw-). Anyone outside of the group can only read the file (r--).


Remember that file permissions are a security feature. Whenever you allow anyone else to read, write to, and execute files, you are increasing the risk of files being tampered with, altered, or deleted. As a rule, you should only grant read and write permissions to those who truly need them.

In the following example, you want to allow everyone to write to the file, so they can read it, write notes in it, and save it. That means you will have to change the "others" section of the file permissions.

Take a look at the file first. At the shell prompt, type:

ls -l sneakers.txt

The command displays this file information:

-rw-rw-r--    1 sam sam     150 Mar 19 08:08 sneakers.txt

Now, type the following:

chmod o+w sneakers.txt

The chmod o+w command tells the system you want to give others write permission to the file sneakers.txt. To check the results, list the file's details again. Now, the file looks like this:

-rw-rw-rw-    1 sam sam     150 Mar 19 08:08 sneakers.txt

Now, everyone can read and write to the file.

Figure 8-9. Changing Permissions for sneakers.txt

To remove read and write permissions from sneakers.txt use the chmod command to take away both the read and write permissions.

chmod go-rw sneakers.txt

By typing chmod go-rw, you are telling the system to remove read and write permissions for the group and for others from the file sneakers.txt.

The result will look like this:

-rw-------    1 sam sam     150 Mar 19 08:08 sneakers.txt

Think of these settings as a kind of shorthand when you want to change permissions with chmod, because all you really have to do is remember a few symbols and letters with the chmod command.

Here is a list of what the shorthand represents:

  • Identities:

    • u — The user who owns the file (that is, the owner)

    • g — The group to which the user belongs

    • o — Others (not the owner or the owner's group)

    • a — Everyone or all (u, g, and o)

  • Permissions:

    • r — Read access

    • w — Write access

    • x — Execute access

  • Actions:

    • + — Adds the permission

    • - — Removes the permission

    • = — Makes it the only permission

Want to test your permissions skills? Remove all permissions from sneakers.txt — for everyone.

chmod a-rwx sneakers.txt

Now, see if you can read the file:

[sam@halloween sam]$ cat sneakers.txt cat: sneakers.txt: Permission denied [sam@halloween sam]$

Removing all permissions, including your own, successfully locked the file. But because the file belongs to you, you can always change its permissions back (refer to Figure 8-9).

[sam@halloween sam]$ chmod u+rw sneakers.txt [sam@halloween sam]$ cat sneakers.txt buy some sneakers then go to the coffee shop then buy some coffee bring the coffee home take off shoes put on sneakers make some coffee relax! [sam@halloween sam]$

Here are some common examples of settings that can be used with chmod:

  • g+w — Adds write access for the group

  • o-rwx — Removes all permissions for others

  • u+x — Allows the file owner to execute the file

  • a+rw — Allows everyone to read and write to the file

  • ug+r — Allows the owner and group to read the file

  • g=rx — Lets the group only read and execute (not write)

By adding the -R option, you can change permissions for entire directory trees.

Because you cannot really "execute" a directory as you would an application, when you add or remove execute permission for a directory, you are really allowing (or denying) permission to search through that directory.

To allow everyone read and write access to every file in the example directory tigger, type

 chmod -R a+rw tigger 

If you do not allow others to have execute permission to tigger, it will not matter who has read or write access: no one will be able to get into the directory unless they know the exact filename they want.

For example, type

 chmod a-x tigger 

to remove everyone's execute permissions.

Here is what happens now when you try to cd into tigger:

[sam@halloween sam]$cd tigger bash: tigger: Permission denied [sam@halloween sam]$

Next, restore your own and your group's access.

chmod ug+x tigger

Now, if you check your work with ls -dl you will see that only others will be denied access to the tigger directory.

Changing Permissions with Numbers

Remember the reference to the shorthand method of chmod? Here is another way to change permissions, although it may seem a little complex at first.

Go back to the original permissions for sneakers.txt (type ls -l sneakers.txt).

-rw-rw-r--    1 sam sam     150 Mar 19 08:08 sneakers.txt

Each permission setting can be represented by a numerical value:

  • r = 4

  • w = 2

  • x = 1

  • - = 0

When these values are added together, the total is used to set specific permissions. For example, if you want read and write permissions, you would have a value of 6; that is, 4 (read) + 2 (write) = 6.

For sneakers.txt, here are the numerical permissions settings:

-  (rw-)   (rw-)  (r--)      |       |      |    4+2+0   4+2+0  4+0+0

The total for the user is six, the total for the group is six, and the total for others is four. The permissions setting is read as 664.

If you want to change sneakers.txt so those in your group will not have write access but can still read the file, remove the access by subtracting two (2) from that set of numbers.

The numerical values, then, would become six, four, and four (644).

To implement these new settings, type:

chmod 644 sneakers.txt

Now verify the changes by listing the file. Type:

ls -l sneakers.txt

The output should be:

-rw-r--r--    1 sam sam     150 Mar 19 08:08 sneakers.txt

Now, neither the group nor others have write permission to sneakers.txt. To return the group's write access for the file, add the value of w (2) to the second set of permissions.

chmod 664 sneakers.txt

Setting permissions to 666 will allow everyone to read and write to a file or directory. Setting permissions to 777 allows everyone read, write, and execute permission. These permissions could allow tampering with sensitive files, so in general, it is not a good idea to use these settings.

Table 8-4 shows a list of some common settings, numerical values, and their meanings.

Table 8-4: Example Permission Settings


What It Means

-rw------- (600)

Only the owner has read and write permissions.

-rw-r--r-- (644)

Only the owner has read and write permissions; the group and others have read only permissions.

-rwx------ (700)

Only the owner has read, write, and execute permissions.

-rwxr-xr-x (755)

The owner has read, write, and execute permissions; the group and others have only read and execute permissions.

-rwx--x--x (711)

The owner has read, write, and execute permissions; the group and others have only execute.

-rw-rw-rw- (666)

Everyone can read and write to the file. (Be careful with these permissions.)

-rwxrwxrwx (777)

Everyone can read, write, and execute. (Again, this permissions setting can be hazardous.)

drwx------ (700)

Only the user can read or write in this directory.

drwxr-xr-x (755)

Everyone can read the directory, but its contents can only be changed by the user.

The Red Hat Documentation Team - Official Red Hat Linux User's Guide
The Red Hat Documentation Team - Official Red Hat Linux User's Guide
Year: 2002
Pages: 223

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net