File Permissions & Ownership

Permission


Each file is associated with an owner and a group as well as being assigned permission access rights for the three different classes of users:

  • file owner
  • group members
  • and everybody else

The first three characters (rw-) define the user permissions, the next three (r--) the group permissions, and the final three (r--) the other permissions.

ls -l

Before you see how to use chmod, you should know its options. ls -l lists file permissions.

  • -v : output a diagnostic for every file processed
  • -c : like verbose but report only when a change is made
  • --reference=FILE : use FILE’s mode instead of MODE values
  • -R : change permissions recursively

Note that the -v option reports whether a change was made or nothing needed to be done. When combined with the -R option, -v can produce a lot of output. --reference=FILE lets you use the current permission mode of FILE as the permissions to set on the target file. Note that this option requires a double-dash prefix (--), not a single dash (-).

chown and chgrp are used to change file ownership, while chmod is used to set the permissions. Those permissions can be viewed using the ls -l command:

  • read permission
  • write permission
  • execute permission
ls -l filename.txt

# ___  OUTPUT
-rw-r--r-- 12 linuxize users 12.0K Apr  8 20:51 filename.txt
|[-][-][-]-   [------] [---]
| |  |  | |      |       |
| |  |  | |      |       +-----------> 7. Group
| |  |  | |      +-------------------> 6. Owner
| |  |  | +--------------------------> 5. Alternate Access Method
| |  |  +----------------------------> 4. Others Permissions
| |  +-------------------------------> 3. Group Permissions
| +----------------------------------> 2. Owner Permissions
+------------------------------------> 1. File Type
  • First character shows the file type. It can be
    • a regular file -
    • directory d
    • symbolic link l, or
    • any other special type of file.
  • Next nine characters represent the file permissions, broken down into three triplets of three characters each
    • The first triplet shows the owner permissions: rw- (read & write)
    • The second triplet shows the group permissions: r-- (read only permission)
    • The last triplet shows everybody else's permissions: r-- (read only permission)
  • Each of the three permission triplets can be constructed of the following characters, which have different effects depending on whether they are set on a file or on a directory:

Effect of Permissions on Files

| Permission | Character | Meaning on File |
|---|---|---|
| Read | - | The file is not readable. You cannot view the file contents. |
| | r | The file is readable. |
| Write | - | The file cannot be changed or modified. |
| | w | The file can be changed or modified. |
| Execute | - | The file cannot be executed. |
| | x | The file can be executed. |
| | s | If found in the user triplet it sets the setuid bit. If found in the group triplet, it sets the setgid bit. It also means that x flag is set. When the setuid or setgid flags are set on an executable file, the file is executed with the file’s owner and/or group privileges. |
| | S | Same as s but the x flag is not set. This flag is rarely used on files. |
| | t | If found in the others triplet it sets the sticky bit. It also means that x flag is set. This flag is useless on files. |
| | T | Same as t but the x flag is not set. This flag is useless on files. |

Recap File Permissions

As described in detail on the Permissions page: the first three characters (rw-) define the user permissions, the next three (r--) the group permissions, and the final three (r--) the other permissions.

$ echo "Who can read this file?" > my_new_file
$ more my_new_file
Who can read this file?
$ ls -l my_new_file
-rw-r--r-- 1 theia users 25 Dec 22 17:47 my_new_file

Here we’ve echoed the string "Who can read this file?" into a new file called my_new_file. The next line uses the more command to print the contents of the new file. Finally, the ls command with the -l option displays the file’s (default) permissions: rw-r--r--

The first three characters (rw-) define the user permissions, the next three (r--) the group permissions, and the final three (r--) the other permissions.

So you, being the user, have the permission rw-, which means you have read and write permissions by default, but do not have execution permissions. Otherwise there would be an x in place of the last -.

Thus by looking at the entire line, rw-r--r--, you can see that anyone can read the file, nobody can execute it, and you are the only user that can write to it.

Effect of Permissions on Directories (Folders)

In Linux, directories are special types of files that contain other files and directories.

| Permission | Character | Meaning on Directory |
|---|---|---|
| Read | - | The directory’s contents cannot be shown. |
| | r | The directory’s contents can be shown. (e.g. You can list files inside the directory with ls.) |
| Write | - | The directory’s contents cannot be altered. |
| | w | The directory’s contents can be altered. (e.g. You can create new files, delete files, etc.) |
| Execute | - | The directory cannot be changed to. |
| | x | The directory can be navigated using cd. |
| | s | If found in the user triplet, it sets the setuid bit. If found in the group triplet it sets the setgid bit. It also means that x flag is set. When the setgid flag is set on a directory the new files created within it inherit the directory group ID (GID), instead of the primary group ID of the user who created the file. setuid has no effect on directories. |
| | S | Same as s but the x flag is not set. This flag is useless on directories. |
| | t | If found in the others triplet it sets the sticky bit. It also means that x flag is set. When the sticky bit is set on a directory, only the file’s owner, the directory’s owner, or administrative user can delete or rename the files within the directory. |
| | T | Same as t but the x flag is not set. This flag is useless on directories. |

chmod

chmod [OPTIONS] [ugoa…][-+=]perms…[,…] FILE...

The first set of flags ([ugoa…]), the users flags, defines which user classes have their permissions to the file changed.

  • u - The file owner.
  • g - The users who are members of the group.
  • o - All other users.
  • a - All users, identical to ugo.

If the users flag is omitted, the default is a, and the permissions that are set by umask are not affected.

The second set of flags ([-+=]), the operation flags, defines whether the permissions are to be removed, added, or set:

  • - Removes the specified permissions.
  • + Adds specified permissions.
  • = Changes the current permissions to the specified permissions. If no permissions are specified after the = symbol, all permissions from the specified user class are removed.

The permissions (perms...) can be explicitly set using zero or more of the following letters: r, w, x, X, s, and t. Use a single letter from the set u, g, and o when copying permissions from one user class to another.

When setting permissions for more than one user class ([,…]), use commas (without spaces) to separate the symbolic modes.

Examples

# ___  Give group members permission to read the file
chmod g=r filename

# ___  Remove the execute permission for all users
chmod a-x filename

# ___  Recursively remove write permission for other users
chmod -R o-w dirname

# ___  Remove read, write and execute permission for all except file owner
chmod og-rwx filename
# ___  Could be written like this
chmod og= filename

# ___  Give rwx to owner, r to group, none to all others
chmod u=rwx,g=r,o= filename

# ___  Add owner permissions to group permissions
chmod g+u filename

# ___  Add a sticky bit to a given directory
chmod o+t dirname

chmod calculator

You can use this calculator to convert symbolic mode to absolute.
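
What such a calculator does for the mode strings that ls -l prints, as an added example that is not part of the original page: a POSIX shell function that converts the symbolic string to the absolute mode, including the s/S and t/T cases from the tables above. The names decode_triplet and mode_to_octal are this example's own.

```sh
#!/bin/sh
# Added example (not from the original page): convert the mode string printed
# by ls -l into the absolute (octal) mode. Function names are hypothetical.

# Decode one rwx triplet. $2 and $3 are the lower- and upper-case letters that
# may replace x in this triplet (s/S for user and group, t/T for others).
# Sets DIGIT (0-7) and SPECIAL (1 when the special bit is set).
decode_triplet() {
    DIGIT=0
    SPECIAL=0
    case $1 in r??) DIGIT=$((DIGIT + 4)) ;; -??) ;; *) return 1 ;; esac
    case $1 in ?w?) DIGIT=$((DIGIT + 2)) ;; ?-?) ;; *) return 1 ;; esac
    case $1 in
        ??x) DIGIT=$((DIGIT + 1)) ;;
        ??-) ;;
        ??"$2") DIGIT=$((DIGIT + 1)); SPECIAL=1 ;;  # special bit, x set
        ??"$3") SPECIAL=1 ;;                        # special bit, x not set
        *) return 1 ;;
    esac
}

# mode_to_octal MODE: MODE is nine permission characters, optionally preceded
# by the file-type character and followed by an alternate-access marker.
mode_to_octal() {
    s=$1
    if [ "${#s}" -eq 11 ]; then s=${s%?}; fi   # drop trailing marker (+ or .)
    if [ "${#s}" -eq 10 ]; then s=${s#?}; fi   # drop file-type character
    [ "${#s}" -eq 9 ] || return 1
    rest=${s#???}
    decode_triplet "${s%??????}" s S || return 1
    u=$DIGIT; top=$((SPECIAL * 4))             # setuid = 4000
    decode_triplet "${rest%???}" s S || return 1
    g=$DIGIT; top=$((top + SPECIAL * 2))       # setgid = 2000
    decode_triplet "${rest#???}" t T || return 1
    o=$DIGIT; top=$((top + SPECIAL))           # sticky = 1000
    printf '%d%d%d%d\n' "$top" "$u" "$g" "$o"
}

# Mode strings taken from the ls -l listings on this page.
for m in -rw-r--r-- drwxr-sr-x dr-xr-sr-x --w-------; do
    printf '%s -> %s\n' "$m" "$(mode_to_octal "$m")"
done
```

The four-digit result can be passed straight to chmod; the leading digit carries the setuid, setgid and sticky bits.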

In absolute mode

chmod 777

# ___  Recursively change permissions on all files in the directory and its sub-directories
chmod -R 755 directory

# ___  Give rwx permission to owner, group, and public
chmod 777 filename

chmod 755

Use this to give a file the execute bit. Often, after downloading an executable file, you will need to add this permission before using it. To give owner, group and everyone else permission to execute the file:

# ___  Give all users permission to execute the file
chmod +x /path/to/file
# ___  Only the owner can write; everyone else gets r and x: rwxr-xr-x
chmod 755 /path/to/file

chmod 700

# ___  Give owner all permissions and none for group and others
chmod 700 filename
# ___  In symbolic mode
chmod u=rwx,go= filename

chmod 666

# ___  Give rw to all
chmod -c 666 /path/to/file

| Command | Description |
|---|---|
| chmod | Change the file permissions for a file or directory |
| chown | Change the owner of a file or directory |
| chgrp | Change the group of a file or directory |
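
A defender's check for the modes covered so far, as an added example that is not part of the original page: it uses find to list setuid/setgid files, files that are writable by everyone (as produced by chmod 666 or 777), and world-writable directories that lack the sticky bit. The audit_* and make_sample_tree names and the sample tree are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the original page). Function names and the sample
# tree are constructed for illustration.

# Files that execute with their owner's or group's privileges.
audit_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# Regular files any user may modify (the "other" write bit is set).
audit_world_writable_files() {
    find "$1" -type f -perm -0002 | sort
}

# Directories any user may write to that lack the sticky bit, so any user
# can delete or rename files that belong to someone else.
audit_unsticky_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 | sort
}

# Build a small constructed tree with one instance of each case.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/shared" "$root/dropbox" "$root/private" || return 1
    : > "$root/helper"
    : > "$root/notes.txt"
    : > "$root/private/key"
    chmod 1777 "$root/shared"       # world-writable with sticky bit
    chmod 0777 "$root/dropbox"      # world-writable, no sticky bit
    chmod 0700 "$root/private"
    chmod 4755 "$root/helper"       # setuid executable
    chmod 0666 "$root/notes.txt"    # rw to all
    chmod 0600 "$root/private/key"
    printf '%s\n' "$root"
}

tree=$(make_sample_tree) || exit 1
echo "setuid/setgid files:";           audit_setid_files "$tree"
echo "world-writable files:";          audit_world_writable_files "$tree"
echo "world-writable, unsticky dirs:"; audit_unsticky_dirs "$tree"
rm -rf "$tree"
```

Pointed at a real directory instead of the sample tree, each function prints one path per line, which can be compared against a reviewed list of expected entries.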

Revoke Permission

You can revoke read permissions from your group and all other users by using the chmod command. Ensure successful modification by using the ls -l command again:

chmod go-r my_new_file
ls -l my_new_file
-rw------- 1 theia users 24 Dec 22 18:49 my_new_file

Examples


View Permissions

  • I have files saved in the directory that we’ll use for demonstration

  • Remember, each file and each directory in your Linux system has permissions set for three permission categories: the ‘user’, the ‘group’, and ‘all users’ (or ‘other’).

    The following permissions are set for each file and directory:

    | Permission | Symbol |
    |---|---|
    | read | r |
    | write | w |
    | execute | x |

    To see the permissions currently set for a file, run the ls command with the -l option:

$ ls -l usdoi.txt
# OUTPUT
-rw-r--r-- 1 theia users 8121 Sep 28  2022 usdoi.txt

The permissions set here are rw-r--r--. The - preceding these permissions indicates that usdoi.txt is a file. If it were a directory, you would see a d instead of the -.

The first three entries correspond to the current user, the next three correspond to the group, and the last three are for all others. You can see the user has read and write permissions, while the user group only has read permission, and all other users have only read permission. No users have execute permission, as indicated by the - instead of an x in the third position for each user category.

Change Permissions

chmod

The chmod or change mode command lets you change the permissions set for a file.

Specify which permissions to change with a combination of the following characters:

| Option | Description |
|---|---|
| r, w, x | Permissions: read, write, and execute |
| u, g, o | User categories: user, group, and all others |
| +, - | Operations: grant and revoke |

revoke permission to all

The following command revokes read permissions for all users (user, group, and other) on the file usdoi.txt:

$ chmod -r usdoi.txt  
$ ls -l usdoi.txt
# OUTPUT
--w------- 1 theia users 8121 Sep 28  2022 usdoi.txt

grant to all users

$ chmod +r usdoi.txt                
$ ls -l usdoi.txt
# OUTPUT
-rw-r--r-- 1 theia users 8121 Sep 28  2022 usdoi.txt

remove read for ‘other’

$ chmod o-r usdoi.txt
$ ls -l usdoi.txt
# OUTPUT
-rw-r----- 1 theia users 8121 Sep 28  2022 usdoi.txt

Directory Permissions


Permissions for directories are similar to, but distinct from, those for files. Though directories use the same rwx format, the symbols have slightly different meanings.

The following table illustrates the meanings of each permission for directories:

| Directory Permission | Permissible action(s) |
|---|---|
| r | List directory contents using ls command |
| w | Add or remove files or directories |
| x | Enter directory using cd command |

Setting appropriate permissions on directories is a best practice for both security and stability reasons. Though this reading focuses on security, you will learn more about other reasons for setting file permissions and ownership later in this course.

Examples


Let’s move to a new directory, create a new directory there, and check its permissions:

$ cd /home/project
$ mkdir test
$ ls -l
# OUTPUT
total 12
drwxr-sr-x 2 theia users 4096 Sep 24 12:34 test
-rw-r----- 1 theia users 8121 Sep 28  2022 usdoi.txt
  • The owner of test has read, write, and execute permissions set by default.
  • But all others only have read and execute permissions set and cannot write to your test directory.
  • This means users outside your group can’t add or remove files from test.
  • They can, however, explore your directory to see what files and directories exist there.

You might be wondering what that s permission is in the execute slot for your group. The s stands for “special permission”. It means that any new files created within the directory will have their group ownership set to be the same as the directory's group owner. We won’t go into this level of detail in this course, but you can learn more about advanced Linux permissions here: Linux permissions: SUID, SGID, and sticky bit.

Verify for yourself that you have permission to run the following commands. Change the directory to your test directory, create a new directory within it, then return to your parent directory:

$ cd test
$ mkdir test2
$ cd ../

remove execute permission

Remove your user execute permissions on test using the following command:

$ chmod u-x test
$ cd test
bash: cd: test: Permission denied

  • What happens when I try to go into the directory test?
  • I get an error
  • As you just removed execute permissions for yourself on your test directory, you can no longer make it your present working directory. However, you can still “read” it with the ls command
  • Even though you have “write” permissions set, you can’t actually create a new directory within test, because removing execute permissions overrides write permissions. For example, entering mkdir test/test3 will throw an error as well

restore execute permission

$ chmod u+x test
$ chmod u-w test
$ ls -l
# OUTPUT
total 12
dr-xr-sr-x 3 theia users 4096 Sep 24 12:38 test
-rw-r----- 1 theia users 8121 Sep 28  2022 usdoi.txt

Now you can go into it but still can’t write to it

$ cd test
$ mkdir test_again
# OUTPUT
mkdir: cannot create directory ‘test_again’: Permission denied