How To Set & Manage Permission In Linux Part 1

UNDERSTANDING THE SUBJECT MATTER

File permission is very important in any OS operation. As an administrator, you will always want to safe guard the system against attacks, both externally and internally and as well protect the system from any accidental occurrences, such as deletion of critical files, or running of critical scripts that can break the system.

More so, as an owner of a file or member of a group that owns a file, you may also want to grant different kinds of permissions to your file.

In Linux, every file has an owner (owning user), and a group owner (owning group) as well, and by default, the currently logged on users will be the owning users of a file that they create while the group owner of the file will be the user’s primary group.

To fully understand how permission works in Linux, it will be a good idea to understand the attributes of a file.

Let’s use the “/etc/fstab” file as an example.

[root@lab02 ~]# ls -l /etc/fstab

-rw-r--r--. 1 root root 1237 Jan 12 13:34 /etc/fstab
[root@lab02 ~]#

From the image above, the first group, 123 represents USER (i.e, the owner of the file). The second group, 456 represents GROUP (i.e, the group owner of the file), while the third group, 789 represents OTHERS (i.e, other users on the system who don’t own a file nor are members of a group that owns a file).

For easier comprehension, you can use the acronym, “ugo”, where

u represents user

g represents group, and

o represents others.

You can also see that, in the first group, 123, ( i.e for user), 1 points to “r”, 2 points to “w” while 3 points to “-“

You may begin to wonder what r, w and – means.

This is what it means.

r = read (read permission)

w = write (write permission)

x =execute (execute permission)

– = nothing (no permission)

Hence, on the “/etc/fstab” file from the image above, it means that the user (owner of the file) can read (1), write (2) but cannot execute (3).

Similarly, group owner of the file can read (4), cannot write (5), and cannot execute (6).

More so, others can read (7), cannot write (8), and cannot execute (9).

Another question is, “How do you know the user and the group that own a file?”

From the same file,

The column with no 10 always shows the owner of a file, in this case, the root user is the owner of the file, while the column with no 11 is the group owner of the file which is also the group root.

Others are other users on the system, there is nothing to denote that in the attributes of a file.

---

Every Linux user will agree that, “In Linux, everything is a file”. So, if i use the word, change a file permission, it also cut across changing a directory permission. Just to let you know, and if i need to specifically differentiate what a permission will do on a file and on a directory, i will.

What does a read, write and execute permission do on a file and of course a directory?

When a directory is created on RHEL7 & 8 by the root user, by default, the user will have read, write and execute permission. The group and others will have read and execute permission only.

Let’s create a directory to ascertain this.

[root@lab02 /]# mkdir tekneed2
[root@lab02 /]# ls -ld tekneed2
drwxr-xr-x. 2 root root 4096 Feb  5 19:58 tekneed2

What does this mean?

It means that the owner of the file can do whatsoever they wish to do on the file while the group owner of the file and others can cd into the directory, list the contents in the directory, view the contents of the files in the directory but cannot edit the contents of the file.

For a file, When a file is created by the root user, by default, the user will have a read and write permission only while the group and others will have a read permission only.

Let’s create a file to ascertain this.

[root@lab02 /]# cat >> tekneed3
this is for the tekneed users
^C
[root@lab02 /]# cat tekneed3
this is for the tekneed users
[root@lab02 /]# ls -ld tekneed3
-rw-r--r--. 1 root root 30 Feb  5 20:16 tekneed3
[root@lab02 /]#

What does this mean?

It means that the user can read and edit the contents of the file but cannot execute the file if it is an executable one. For group and others, it means that they can read or view the content of the file but cannot edit or execute the file.

When you set a permission on a file or directory, as an administrator, if you have not been doing it often, it is advisable that you do a test so you can be very sure about it.

For instance, a read and write permission only on a directory doesn’t mean that the group owner of the files in that directory will be able to cd into the directory, let alone edit the files in the directory.

A Read Only Permission In Linux

A read only permission on a directory (RHEL 7 & 8). For user, group and others, it means that they cannot cd into the directory and listing the content in the directory also won’t display the whole directory attributes, it will only display the file name.

A read only permission on a file (RHEL 7 & 8). For user, group and others, it means that they can view the contents of the file but you cannot edit it.

A Write Only Permission In Linux

A write only permission on a directory (RHEL 7 & 8). For user, group and others, it means that they cannot cd into the directory, and cannot even list the content of the directory at all.

A write only permission on a file (RHEL 7 & 8). For user, group and others, it means they cannot view the contents of the file as well as even edit the file. If you can’t view a content in the first place, how can you even edit?

An Execute Only Permission In Linux

An execute only permission on a directory (RHEL 7 & 8). For user, group and others, it means they can cd into a directory but cannot list the contents of the directory at all.

An execute only permission on file (RHEL 7 & 8). For user, group and others, it means means that they cannot even view the contents in the file at all.

Permission In Linux varies, as what read only, read and write only, execute and write only, etc will do and it is directive to the user, group and others. However, we have already listed some certain facts above, and as I have mentioned, it is good to always do a test after setting permissions.

In some scenarios,

When you give a read permission on a file, it means that users can read a file. On the contrary, a read permission when given on a directory does not mean that users can read all the files in a directory, it simply means that users can list or do a “ls” command on all the files in the directory.

Also, when you give a write permission on a file, it means that users can write or modify a file. Similarly, a write permission on a directory simply means that users can modify a directory. That is, add a file to a directory or delete a file from a directory.

Lastly, when you give an execute permission on a file, it means that users can execute a file, that is, run a script if the file contains a script. More so, execute permission on a directory simply means that users can go into a directory and execute what ever file they wish to execute in the directory.

NOTE: The permission on a directory will be invoked before the permission on the files in the directory will be.

---

The command used to set or change file permission in Linux is <chmod> and permission can be set or changed using any of these two modes.

1. Absolute mode

2. symbolic mode.

---

permissions can be changed using numbers. And what does these numbers denote?

r = read = 4

w =write = 2

x = execute =1

Therefore, 4+2+1 = 7 ; that is, read and write and execute

4+2 = 6 ; that is, read and write

4+1 = 5 ; that is, read and execute.

2+1 = 3 ; that is, write and execute

0 ; that is, do nothing

You can now see what these numbers denotes, let’s write them out clearly in descending order again.

7 = read, write and execute (rwx)

6 = read and write (rw-)

5 = read and execute (r-x)

4 = read (r- -)

3 = write and execute (-rx)

2 = write (-w-)

1 = execute (- – x)

0 = do nothing, no read, no write, no execute (- – -)

How does this apply to users, group and others (u,g,o) ?

Let’s make a table for better understanding.

Now, we will give permissions on files using three of these five illustrations in the table above in the “ACTION TIME” section.

---

Permissions In Linux can be changed using symbols. Let’s look at what the symbols denote.

Again, don’t forget u,g,o

For u (user), we can use the following symbols

u+r means, give a read permission to user

u-r means, remove a read permission from user

u+w means, give a write permission to user

u-w means, remove a write permission from user

u+x means, give an execute permission to user

u-x means, remove an execute permission from user

For g (group), we can use the following symbols

g+r means, give a read permission to group

g-r means, remove a read permission from group

g+w means, give a write permission to group

g-w means, remove a write permission from group

g+x means, give an execute permission to group

g-x means, remove an execute permission from group

For o (others), we can use the following symbols

o+r means, give a read permission to others

o-r means, remove a read permission from others

o+w means, give a write permission to others

o-w means, remove a write permission from others

o+x means, give an execute permission to others

o-x means, remove an execute permission from others

There is also the “a” symbol which denotes all. i.e, user, group and others.

For example, if you want to give user,group and others read, write and execute permission, you will use the command

chmod a+rwx <file-name>

Having understood symbolic notations, we will also give permissions on files using three of the five illustrations in the table above in the “ACTION TIME” section

---

As we have now known, every file has a file owner as well as a group owner. For example, the file owner of the file, “amazing_love” in the screen shot below is root, while the group owner of the file is root as well.

As an administrator/root user, the ownership of a file can be changed as well as the group ownership of the file. Note that the only user that can perform these changes is the root user.

The command used to change the ownership of a file is,

chown

while the command used to change the ownership of a group is,

chgrp

The “chown” command can also be used to change the ownership of a group as well. You can use the man page to see how

We will look at some examples in the “ACTION TIME” section.

Other than the read, write and execute permissions in Linux, there are other special permissions in Linux

---

There are other advanced permissions other than the read, write and execute. They are

When you set the permission, set user ID on a file, it means that any user have execute permission on the file and can run the file as their own

On the contrary, set user ID on a directory doesn’t have any effect.

The command used to give the permission, SUID, is

chmod u+s <file-name>

The absolute mode as we mentioned above can also be used to set permissions. The SUID permission has the number 4.

from the screen shot above, if the set user ID permission is set on a file, it will be denoted with the “S” letter indicating that the permission has been set on a file.

The SUID permission in Linux is a very dangerous one. Therefore, be sure you really know what you are doing before using it.

We will look at examples on how to set this kind of permission in the “ACTION TIME” section.

when you set the permission, set group ID on a file, it means that every member of the group have execute permission on that file and can run the file as theirs

On a directory, set group ID means that every group member will inherit the ownership to a newly created files in that directory. set group Id is mostly used in a shared group environment.

The command used to give the permission, SGID, is

chmod g+s <file-name>

The absolute mode as we mentioned above can also be used to set permissions. The SGID permission has the number 2.

From the screen shot above, if the set group ID permission is set on a file, it will be denoted with the “S” letter at the group side, indicating that the permission has been set on a file.

The SGID permission in Linux is a very dangerous one also. Hence, be sure you really know what you are doing before using it.

We will look at some examples on how to set this kind of permission in Linux in the “ACTION TIME” section.

The sticky bit permission on a file doesn’t have any effect, but on a directory, it means that only the owner of the files in the directory can delete the files or the directory itself. What it does, is to prevent other users in a group from deleting the files they don’t own.

For instance, if two or more users are members of a group and have access to the same directory, if one user creates a file in that directory, the other members will only have access according to the permission given on the file,

For example, other members may not be able to edit the file. However, if there is a write permission on the directory, other members will be able to delete the file. To prevent this, the sticky bit permission can be used.

The command used to give the permission, sticky bit is

chmod +t <file-name>

The absolute mode as we mentioned above can also be used to set permissions. The sticky bit permission has the number 1.

From the screen shot above, if the sticky bit permission is set on a file, it will be denoted with the “t” or “T” letter, indicating that the permission has been set on a file.

We will look at some examples on how to set this kind of permission in Linux in the “ACTION TIME” section.

Other Advanced permission is the access control list.

---

You will notice that, from the beginning of this tutorial, setting permissions has focused on giving permissions only to one user and one group on a file.

What if you want to give permissions to more than one user or groups on a file or directory? how do you achieve this? Hence why ACL is important to elude this limitation.

Due to the extensity of ACL, It will be treated as a different subject matter in another article

---

ACTION TIME

Having understood what file permission is, the concept and terminologies, let’s fire down to the examples.

EXAMPLES

[root@lab02 tmp] # ls -l amazing_love

-rw-r--r--. 1 root root 268 Jan 24 10:46 amazing_love

. To give user, group and others the full permission (i.e, read, write and execute) on the file, amazing love above,

using the absolute mode, use the command,

[root@lab02 tmp]# chmod 777 amazing_love

Using the symbolic mode, use the command,

[root@lab02 tmp]# chmod u+rwx,g+rwx,o+rwx amazing_love

OR

[root@lab02 tmp]# chmod u+x amazing_love
[root@lab02 tmp]# chmod g=rwx amazing_love
[root@lab02 tmp]# chmod o=rwx amazing_love

You can see the difference, option A is better instead of doing it one after the other as it is in option B

NOTE: using the symbolic mode can be relative. Always check the file permission before changing the permission. some files, you may need to use the “-” while some may require you use the “+”

---

. To give user, read & write & execute permission; group, read & write permission; and others, nothing.

Using absolute mode, you use the command,

[root@lab02 tmp]# chmod 760 amazing_love

using the symbolic mode, you use the command,

[root@lab02 tmp]# chmod u+rwx,g+rw,o-rwx amazing_love

NOTE: using the symbolic mode can be relative. Always check the file permission before changing the permission. some files, you may need to use the “-” while some may require you use the “+”

---

. To give user, read & write permission; group, read permission; and others, write permission,

Using the absolute mode, you use the command,

[root@lab02 tmp]# chmod 642 amazing_love

Using the symbolic mode, you use the command,

[root@lab02 tmp]# chmod u+rw,g+r,o+w amazing_love

NOTE: using the symbolic mode can be relative. Always check the file permission before changing the permission. some files, you may need to use the “-” while some may require you use the “+”

---

[root@lab02 tmp]# ls -l amazing_love

-rw-r---w-. 1 root root 268 Jan 24 10:46 amazing_love

. To change the user owner of the file above from root to the user, tekneed, use the command,

[root@lab02 tmp]# chown tekneed  amazing_love

[root@lab02 tmp]# ls -l amazing_love
-rw-r---w-. 1 tekneed root 268 Jan 24 10:46 amazing_love

[root@lab02 tmp]#

---

[root@lab02 tmp]# ls -l amazing_love

-rw-r---w-. 1 root root 268 Jan 24 10:46 amazing_love

• To change the group owner of the file above from root to the group tekneed, you use the command,

[root@lab02 tmp]# chgrp tekneed amazing_love

[root@lab02 tmp]# ls -l amazing_love

-rw-r---w-. 1 root tekneed 268 Jan 24 10:46 amazing_love

---

[root@lab02 tmp]# ls -l amazing_love

-rw-r---w-. 1 root tekneed 268 Jan 24 10:46 amazing_love

. To set the set user ID permission on the file, amazing_love above, you use the command,

[root@lab02 tmp]# chmod u+s amazing_love

[root@lab02 tmp]# ls -l amazing_love

-rwSr---w-. 1 root tekneed   268 Jan 24 10:46 amazing_love

---

[root@lab02 tmp]# ls -l amazing_love

-rw-r---w-. 1 root tekneed 268 Jan 24 10:46 amazing_love

. To set group Id on the file, amazing _love above, you use the command,

[root@lab02 tmp]# chmod g+s amazing_love

[root@lab02 tmp]# ls -l amazing_love

-rw-r-S-w-. 1 root tekneed 268 Jan 24 10:46 amazing_love

---

[root@lab02 tmp]# ls -l -d Jesus_loves_me

drwxr-xr-x. 2 root root 4096 Jan 24 19:09 Jesus_loves_me/

. To set the sticky bit permission on the directory, Jesus_loves_me above, you use the command,

[root@lab02 tmp]# chmod +t Jesus_loves_me

[root@lab02 tmp]# ls -l -d Jesus_loves_me

drwxr-xr-t. 2 root root 4096 Jan 24 19:09 Jesus_loves_me/

Your feedback is welcomed. If you love others, you will share with others