File Permissions
Linux is a multi-user environment where many users can run programs and share data. File permissions are used to protect users and system files by controlling who can read, write, and execute files. The types of permissions a file can have are:
Read Permissions | Write Permissions | Execute Permissions |
---|---|---|
r | w | x |
Furthermore, files and directories have 3 levels of permissions: User, Group and World. When displayed, permissions are arranged into three sets of three characters each. The first set is the User (owner) permissions, the second is Group permissions, and finally, permissions for Others or everyone else on the system (World). In the following example, the owner can read and write the file, while group and all others have read access only.
User (owner) | Group | Others (everyone else) |
---|---|---|
rw- | r-- | r-- |
Displaying File Permissions
You can view a file's permissions by using the "long list" option `ls -l`, which outputs the permissions as a character string at the beginning of the row for each file or directory. The string will begin with a `d` for a directory or a `-` for a regular file. The next nine characters refer to the file permissions in the order discussed above. Other information included per row of the output is (in order) the number of links to the file, username of the owner, group, file size, date and time of last modification, and filename. For example:
```
$ ls -l $HOME
-rw-r--r-- 1 jdoe jdoe 796631 2009-11-20 14:25 image_data.dat
-rwxrwxr-- 1 jdoe community_group 355 2010-02-18 15:50 my_script.sh
```
In this example, user "jdoe" owns the two files "image_data.dat" and "my_script.sh". For the first file, we can tell that "jdoe" has read and write access (but not execute permission) because of the `rw-` at the start of the `-rw-r--r--` string on that row. Similarly, we can see that the group only has read access (the second set, `r--`) and all others on the system only have read access (the third set, `r--`).
The second file can be read, written, and executed by "jdoe" and by the members of "community_group", while everyone else on the system can only read it.
Changing File Permissions
You can use the `chmod` command to change permissions on a file or directory (use `chmod -R` to apply the change recursively to a directory and everything beneath it). This command changes the file permission bits of each file according to a given mode, which can be either a symbolic representation (characters) of the changes to be made or an octal number representing the bit pattern for the new mode bits.
Symbolic Mode
The syntax of the command in symbolic mode is `chmod [references][operator][modes] file`, where:
- references can be "u" for user, "g" for group, "o" for others, or "a" for all three
- operator can be "+" to add permissions, "-" to remove permissions, or "=" to set the permissions exactly
- modes can be "r" for read, "w" for write, and "x" for execute
In the following example, we are giving the owner read, write, and execute permissions, while the group and everyone else are given no permissions.
```
$ chmod u=rwx,go= my_script.sh
$ ls -l my_script.sh
-rwx------ 1 jdoe community_group 355 2010-02-18 15:50 my_script.sh
```
The `u=rwx` sets the user's permissions to exactly read, write, and execute, and `go=` with nothing after the `=` sets the group and others to no permissions at all. Note that `u+rwx` on its own would only add the owner's bits and leave whatever the group and others already had. A common use for this method is to make a script that you have written executable.
The command `chmod u+x my_script.sh` will make the script executable by the owner. Once you have changed the permissions, you can run the script by issuing `./my_script.sh`.
Alternatively, you can run a script with the `source` command, in which case it is not necessary for the script file to be executable. However, be aware that doing `source my_script.sh` will run the commands from `my_script.sh` as if you were typing them into the current shell. Thus, any variables defined or changed in the script will remain defined or changed in your current shell environment, unlike what happens when you run an executable script, which does not affect your current environment.
Numeric Mode
Numeric mode uses a number of one to four octal digits (0-7). The rightmost digit selects permissions for the World (others), the second digit from the right selects permissions for other users in the group, and the third digit selects permissions for the owner. The fourth (leftmost) digit is rarely used.
The value for each digit is derived by adding up the bits with values 4 (read), 2 (write), and 1 (execute). For example, to give read and write permissions, but not execute permission, you would use 4 + 2 = 6. The value 0 removes all permissions for the specified set, whereas the value 7 turns on all permissions (read, write, and execute).
Let's say you have an executable that you would like others in your group to be able to read and execute, but you do not want anybody else to be able to have any access. First you need to set the read, write, and execute permission for yourself (7), then give read and execute to your group (5), and finally no permissions for everybody else (0). So the full number you would use is 750.
```
$ ls -l my_script.sh
-rw-r--r-- 1 jdoe community_group 355 2010-02-18 15:50 my_script.sh
$ chmod 750 my_script.sh
$ ls -l my_script.sh
-rwxr-x--- 1 jdoe community_group 355 2010-02-18 15:50 my_script.sh
```
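The following POSIX shell functions are an added example, not part of the original page: they convert between the nine-character permission string that `ls -l` prints and the octal mode that `chmod` accepts (the two notations described in the Symbolic Mode and Numeric Mode sections), and then scan a constructed sample of `ls -l` output for entries that the group or everyone else can write to, which is the usual first check when reviewing permissions. The function names and the sample listing are assumptions made for this example.

```shell
# Added example (not the page's own code): permission string <-> octal mode,
# plus a check for entries writable by anyone other than the owner.
# perms_to_octal 'rwxr-x---'  ->  750
perms_to_octal() {
    p=$1 out="" n=1 d=0
    while [ "$n" -le 9 ]; do
        c=$(printf '%s' "$p" | cut -c"$n")
        case $c in
            r) d=$((d + 4)) ;;    # read    = 4
            w) d=$((d + 2)) ;;    # write   = 2
            x) d=$((d + 1)) ;;    # execute = 1
        esac
        # every third character completes one set: user, group, others
        if [ $((n % 3)) -eq 0 ]; then out="$out$d"; d=0; fi
        n=$((n + 1))
    done
    printf '%s\n' "$out"
}
# octal_to_perms 750  ->  rwxr-x---   (expects the three permission digits)
octal_to_perms() {
    out=""
    for d in $(printf '%s' "$1" | sed 's/./& /g'); do
        [ $((d / 4 % 2)) -eq 1 ] && out="${out}r" || out="${out}-"
        [ $((d / 2 % 2)) -eq 1 ] && out="${out}w" || out="${out}-"
        [ $((d % 2)) -eq 1 ]     && out="${out}x" || out="${out}-"
    done
    printf '%s\n' "$out"
}
# Constructed sample of ls -l output (not real files); names contain no spaces.
SAMPLE='-rw-r--r-- 1 jdoe jdoe 796631 2009-11-20 14:25 image_data.dat
-rwxrwxr-- 1 jdoe community_group 355 2010-02-18 15:50 my_script.sh
-rw-rw-rw- 1 jdoe jdoe 120 2010-02-18 15:51 notes.txt
drwxrwxrwx 2 jdoe jdoe 4096 2010-02-18 15:52 shared'
# Print "<octal> <name>" for each entry whose group or others set contains w,
# i.e. the 5th or the 8th character of the nine-character permission string.
writable_by_others() {
    printf '%s\n' "$1" | while read -r mode links owner group rest; do
        name=${rest##* }        # last field of the line
        perms=${mode#?}         # drop the leading type character (d or -)
        case $perms in
            ????w*|???????w?) printf '%s %s\n' "$(perms_to_octal "$perms")" "$name" ;;
        esac
    done
}
writable_by_others "$SAMPLE"
```

Run against the sample, the check reports `my_script.sh`, `notes.txt` and `shared` (modes 774, 666 and 777); the first file, at 644, is left alone because only its owner can write it.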
For more on user permissions, see Root and Sudo later in Optional Topics.