Understanding Linux Permissions

A basic description of Linux file permissions

The 3 Permission groups

By now you've been running ls -l or other commands and writing scripts, and are wondering what exactly Linux permissions are. Everything in Linux is considered a file, which allows everything to be managed by the same file permissions. There are 3 basic groups for permissions.

| People | Permissions |
| --- | --- |
| Owner (u, for user) - Left Most 3 | Read |
| Group (g, for the group) - Middle set of 3 | Write |
| Other (o, for everyone else) - Right most 3 | Execute |

So there are three main entities. The Owner of the file is typically the original creator. The Group is typically the same primary group as the owner. Other (or all) is everyone and everything on the system that is neither the owner nor in the approved group. Owner and user will be used interchangeably here.

Further, there are three main levels of permissions. Read only allows a user/group to read a file. Write allows a user/group to make changes to a file. Execute is required for users/groups to run scripts and enter directories.

Each of these permission levels also has a corresponding number. A user/group with all three permissions would have a value of 7 - the highest. And a user/group with the lowest permission would have a value of 1 - the lowest. This may be confusing as there are only 3 permission levels, but the breakdown is as follows.

| Permission level | Numeric Value |
| --- | --- |
| Read (r) | 4 |
| Write (w) | 2 |
| Execute (x) | 1 |

So you see, if a user/group has read, write, and execute permissions for a file they have a value of 7. If they only have read and write for a file they would have a value of 6. Despite having a value of 6, a user would still not be able to execute a script or enter a directory without the execute permission level.

Changing the permission level. If the numbers confuse you, you can also set a file permission using the corresponding letters (r, w, x).

chmod +rwx myfile # chmod or change mode is the basic command to 
# edit file permissions "+rwx" adds read, write, and execute
# But let's say we don't need the execute bit how would we change this?
chmod -x myfile # the "-" subtracts permissions from the file. 
# You can also specify the user level 
# Let's remove write permission for the group
chmod g-w myfile # the "g" refers to the group the "-w" removes write
# permission for the aforementioned group
# without a u, g, or o in front, chmod applies the change to all three
# (owner, group, and other), skipping any bits masked by your umask

You can also use numbers to change file permissions. The digits correspond to three places: the first is the owner (user), then group, then other. So a 100 permission would enable execute permission for the user, but not for the group or anyone else. Setting permissions this way overrides whatever was previously configured; if you forget to give a user/group a permission, you'll have to change it again. By default root always has access to everything and supersedes any and all permission settings, as root is the system owner.

Setting permissions with numbers. Truthfully, I believe this to be simpler. Please utilize the above table to follow along. Try to predict the output!

chmod 777 myfile # Gives all permissions to all user levels
# However, doing this especially on all files is poor security
# let's make our permissions more restrictive. 
# output is: rwxrwxrwx <- this is the output that `ls -l` displays

chmod 700 myfile # that's better now only the user can do things. 
# But does the user need to execute the file? Is it a script? 
# If not this is unnecessary. Let's follow the rule of least privilege
# output is: rwx------ dashes mean no permission allowed
# remember this is split in threes, user, group, and other
# you can look at these permissions as: rwx,---,---

chmod 600 myfile # Perfect!
# However, what if "myfile" is actually a directory? And suppose it's a
# directory we want everyone to be able to access
# output rw-------

chmod 711 myfile # this allows everyone to access the directory 
# but with only the executable bit no one can read the contents
# of the directory. Let's change that
# output rwx--x--x

chmod 755 myfile # Now everyone can read and enter the directory 
# But what if we want the user and group to be able to enter, read,
# and change files, but no one else? Let's see:
# output rwxr-xr-x

chmod 770 myfile
# output rwxrwx---
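
To check your predictions, the following added example (not part of the original page) converts each octal mode used above into its rwx string with the 4/2/1 values, compares it with what `ls -l` reports after a real chmod on a scratch file, and flags modes that leave the file writable by everyone. The function names are hypothetical and it assumes `mktemp` is available.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# digit_to_rwx 6 -> rw-   (uses the page's values: r=4, w=2, x=1)
digit_to_rwx() {
    d=$1; s=""
    if [ $((d & 4)) -ne 0 ]; then s="${s}r"; else s="${s}-"; fi
    if [ $((d & 2)) -ne 0 ]; then s="${s}w"; else s="${s}-"; fi
    if [ $((d & 1)) -ne 0 ]; then s="${s}x"; else s="${s}-"; fi
    printf '%s' "$s"
}

# octal_to_symbolic 755 -> rwxr-xr-x   (digits are owner, group, other)
octal_to_symbolic() {
    case $1 in
        [0-7][0-7][0-7]) ;;
        *) echo "expected three octal digits, got: $1" >&2; return 1 ;;
    esac
    rest=${1#?}                       # drop the owner digit
    printf '%s%s%s\n' "$(digit_to_rwx "${1%??}")" \
        "$(digit_to_rwx "${rest%?}")" "$(digit_to_rwx "${1#??}")"
}

# actual_symbolic 755 -> what `ls -l` reports after a real chmod on a scratch file
actual_symbolic() {
    f=$(mktemp) || return 1
    # columns 2-10 of `ls -l` are the nine rwx slots (column 1 is the file type)
    chmod "$1" "$f" && ls -l "$f" | cut -c2-10
    rm -f "$f"
}

# other_can_write 777 -> succeeds when the "other" digit includes write (2)
other_can_write() {
    [ $(( ${1#??} & 2 )) -ne 0 ]
}

# Walk the modes used on this page and compare prediction with reality.
for m in 777 700 600 711 755 770; do
    note=""
    if other_can_write "$m"; then note="  <- writable by everyone"; fi
    printf '%s  predicted=%s  actual=%s%s\n' \
        "$m" "$(octal_to_symbolic "$m")" "$(actual_symbolic "$m")" "$note"
done
```
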

To learn more about Linux permissions ask RedHat! After all, they taught me. And as always, refer to the man pages; they are your best friend in the terminal. Type man chmod to get the full list of possible uses and configuration.