Linux Academy https://linuxacademy.

com/cp/socialize/index/type/community_post/id/12593

Understanding Linux Permissions

11/29/2016 - COURSE:
Linux Essentials Certification
Instructor Approved
Table of Contents

1. Introduction
2. Requirements
3. Getting Started
1. Users
2. Groups
3. Types of Permissions
4. Viewing Permissions
5. Changing Permissions
6. Default Permissions
7. Access Control Lists
1. Viewing ACL
2. Setting ACL
3. Removing ACL
8. Additional Resources
Introduction
Linux is a multiuser operating system. In a multiuser environment, it is necessary to ensure that a user
cannot access or modify files or directories that they arent supposed to. File permissions provide a
protection mechanism for controlling access to files and directories.

Linux's file security model is based on that of Unix. Each file or directory can be accessed or modified
by the user who created it, or a group of users who have been given permission to do so. Permissions
can also be defined for other users that do not belong to either of these two categories.

In this guide, we will go over how file permissions work in Linux for beginners. We'll cover how you can
view the permissions associated with files and directories and also how you can change them.

Requirements
To follow this guide, youll need access to a Linux or Mac machine. Youll need some familiarity with
using the terminal to execute commands.

If you arent familiar with using the terminal, feel free to take advantage of the resources available at
Linux Academy to get up to speed. These resources are listed at the end of this guide.

Getting Started
Before we delve deeper into permissions, there are a few concepts to cover. As mentioned before, the
file or directory can be accessed or modified by the user who created it (the owner), a group of users
who are allowed to do so, or other users who arent either of the two. There are three types of
permissions read, write, and execute. Lets look at all of these in detail.

Users

Users are people who use the operating system. The operating system recognizes each user by their
unique user ID or uid. This information is stored in the /etc/passwd file. Each line in this file contains
information about the users of system such as their username, uid, group ID, their home directory, etc.

Groups

Groups are a collection of users. For example, the users from the accounts department can be added
to the accounts group. Grouping users together makes it easier to manage permissions. For example,
when the accounts group is given read-only access to a certain file, all the users in that group are
automatically given that access. This is simpler than having to individually assign permissions to each
user who is in the accounts department.

Information about groups is stored in /etc/group file. Each line of this file contains information like the
name of the group, the ID of the group or gid, the username of the members, etc.

Types of Permissions

There are three types of permissions - read, write, and execute. Read permission allows the user to
view the contents of a file. Write permission allows the user to overwrite or append new data to the file
or delete it. The execute permission allows the user to execute the code contained in the file.

Now that we have covered some of the basics, lets go ahead with viewing and modifying permissions.

Viewing Permissions
Open your terminal and execute the following command:

me@home:~$ ls -l /etc/passwd
-rw-r--r-- 1 root root 2627 Aug 1 16:55 /etc/passwd

passwd is a regular file so the first character is a dash. The next three characters show the permissions
for the owner - read, write, but not execute. The next three characters show the permission for the
group - only read. All other users can only read the file. The first root is the name of the owner and the
second root is the name of the group whose users can read this file.

Now execute the following command:

me@home:~$ ls -l /bin/ls
-rwxr-xr-x 1 root root 126584 Feb 18 2016 /bin/ls

The command executed above shows the permissions associated with the ls command. The last r-x
means that everybody is allowed to execute the code inside it. Finally, execute the following command:

me@home:~$ ls -l /
drwxr-xr-x 2 root root 12288 Oct 21 23:06 bin

Were listing everything in the / directory. The output shows the permissions for the /bin directory. Since
it is a directory, the first character is d.

The permissions are stored in the inode associated with the file or directory. The permissions take 9
bits; 3 for each of user, owner, and others.

Changing Permissions
chmod (change mode) command is used to change the permissions associated with a file or directory.
The permissions can be changed either by using numeric or alphanumeric options along with chmod.
Lets begin by creating a file and changing its permissions. Execute the following commands:

me@home:~$ touch script.sh

me@home:~$ ls -l script.sh
-rw-rw-r-- 1 me me 0 Oct 28 11:09 script.sh

The touch command made an empty file named script.sh. The file has been created with permissions
rw-rw-r--. This is a script file in which well write some commands a little later. To execute the script, we
need to add the execute permission. Execute the following commands:

me@home:~$ chmod 755 script.sh

me@home:~$ ls -l script.sh
-rwxr-xr-x 1 me me0 Oct 28 11:09 script.sh

To use chmod, you specify the permissions to be associated with the file and the path to the file. Since
the file is in the same directory as we are, we just specify the name. The permissions here are
represented by 755. This gives read, write, and execute permission to the owner, and read and execute
permissions to the group and others. Heres what the numbers mean:

0 - No permissions granted.

4 - Read permission granted.

2 - Write permission granted.

1 - Execute permission granted.

Since we want to give the owner read, write, and execute permissions, we add together 4, 2, and 1 and
specify a 7 in the first place. Similarly, we specify a 5 for group and others to give them read and
execute permission.

The permissions always follow the order of user, group, and others. So the first 7 applies to the user,
the 5 applies to the group and the last 5 applies to others.

Permissions can be written using the alphanumeric options as:

me@home:~$ chmod u+rwx,g+rx,o+rx script.sh

The + and - operators are used to either add or remove permissions. The different combinations can be
separated by commas or can be grouped together. The above command can be written more
compactly as:

me@home:~$ chmod u+rwx,go+rx script.sh

Here, group and others will be given the read and execute permission. When using alphanumeric
options, user is represented by u, group by g, and others by o. The read permission is represented by r,
write by w, and execute by x.

What style you use is just a matter of preference.

Now, execute the following:

me@home:~$ echo "echo hello" >> script.sh

me@home:~$ ./script.sh
hello

1 of 3 Without the appropriate permissions, you wouldnt have been able to execute the script. 7/22/17, 5:17 PM
Linux Academy https://linuxacademy.com/cp/socialize/index/type/community_post/id/12593

What style you use is just a matter of preference.

Now, execute the following:

me@home:~$ echo "echo hello" >> script.sh

me@home:~$ ./script.sh
hello

Without the appropriate permissions, you wouldnt have been able to execute the script.

bash: ./script.sh: Permission denied

Weve only modified the permissions associated with the file script.sh. Permissions are also associated
with directories. However, since directories are different from files, each of the permissions means
something different. Heres a quick comparison of how the permissions differ in meaning when
associated with a file or a directory:

Read

File - View the contents of the file.

Directory - See the files, directories, and subdirectories.

Write

File - Overwrite or append new content. Delete the file.

Directory - Add or remove files and directories.

Execute

File - Run the code within the file.

Directory - Navigate into the directory, execute program within a directory.

Default Permissions
When we create a file, its given a permission of rw-rw-r-- by default and a directory is given the
permissions rwxrwxr-x. These permissions are determined by umask. The umask command is used to
view or set the file creation mask. Execute the following command to view the default umask:

me@home:~$ umask
me@home:~$ 0002

Ignoring the first 0, the umask value of 002 maps to the permission 755 (rwxrwxr-x) for a directory and
644 (rw-rw-r--) for a file. We can also change the default permissions associated with files and
directories by using the umask command. Execute the following commands:

me@home:~$ umask 777

me@home:~$ touch script2.sh
me@home:~$ ls -l script2.sh
me@home:~$ ---------- 1 me me 0 Oct 28 16:35 script2.sh

As you can see, the default permissions have changed. These changes to default permission, however,
are temporary. If you close and reopen the terminal to create a new file or directory, they will be created
with the default permissions that were mentioned earlier. If you want to make the umask permanent,
add it to your ~/.bashrc file.

Access Control Lists

Sometimes, basic file and directory permissions arent enough and you need a more flexible way to set
permissions. Access Control Lists, or ACL for short, provide a more robust and flexible way to assign
permissions. ACL allow a user to give permissions to other

setfacl is used to set an ACL for a file and getfacl is used to view it. Only the owner of the file can
change the ACL associated with it.

Note that the file system must be mounted with ACL enabled for them to be used.

Viewing ACL

To view the ACL associated with the script file, execute the following command:

me@home:~$ getfacl -l script.sh

# file: script.sh
# owner: me
# group: me
user::rwx
group::r-x
other::r-x

Setting ACL

To set the ACL for the file, use the setfacl command. You modify the ACL by using the -m flag and
remove the ACL using the -x flag.

The following command gives the user john read, write, and execute access to the script file.

me@home:~$ setfacl -m u:john:rwx script.sh

me@home:~$ getfacl script.sh
# file: script.sh
# owner: me
# group: me
user::rwx
user:john:rwx
group::rwx
mask::rwx
other::r-x

The u indicates that the ACL permissions are being modified for a user. This is followed by the
username and the permissions to grant.

You can also set group permissions using setfacl using the g flag. The following command gives the
accounts group read, write, and execute access to the script file.

me@home:~$ setfacl -m g:accounts:rwx script.sh

me@home:~$ getfacl script.sh
# file: script.sh
# owner: me
# group: me
user::rwx
user:john:rwx
group::rwx
group:accounts:rwx
mask::rwx
other::r-x

Running ls -l on the script file will show you an additional + being displayed along with the permissions.
This indicates that an ACL is associated with this file

me@home:~$ ls -l script.sh
-rwxrwxr-x+ 1 me me 0 Oct 28 21:31 script.sh

Removing ACL

You can remove an existing permission using the -x flag. To remove the user john, execute the
following command:

me@home:~$ setfacl -x u:john script.sh

Similarly, you can remove a group using the g option followed by the name of the group.

me@home:~$ setfacl -x g:accounts script.sh

This brings us to the end of the guide on Linux permissions. The following section lists the resources
available on Linux Academy that will help you with this guide.

Additional Resources
If you are new to the Linux operating system, take a look at the Linux Essentials course available at
Linux Academy. The course will give you a basic understanding of Linux and give you a gentle
introduction to the command line.

https://linuxacademy.com/cp/modules/view/id/38

If youd like to master the terminal, have a look at Mastering Linux Command Line:

https://linuxacademy.com/cp/modules/view/id/10

To take your skills to the expert level, take a look at Linux by Example from Novice to Pros:

https://linuxacademy.com/cp/modules/view/id/19

Of course, Linux Academy offers a wide range of online training in Linux and many other topics like
2 of 3 AWS , DevOps , Azure 7/22/17, 5:17 PM
Linux Academy https://linuxacademy.com/cp/socialize/index/type/community_post/id/12593

https://linuxacademy.com/cp/modules/view/id/10

To take your skills to the expert level, take a look at Linux by Example from Novice to Pros:

https://linuxacademy.com/cp/modules/view/id/19

Of course, Linux Academy offers a wide range of online training in Linux and many other topics like
AWS , DevOps , Azure
, and Big Data .

17 30
... Show Previous Comments

3 of 3 7/22/17, 5:17 PM