Filesystem permissions are at the base of a system’s security model. They define who, or what, can access files and directories on the filesystem. Let’s create a new directory called “demo”, then a directory called “dir1”, and a file called “file1”.
Setup
mkdir demo # Create demo directory
cd demo # Change directory to the new demo directory
mkdir dir1 # Create a directory called dir1
touch file1 # Create a file called file1
Exploring the permissions
Permissions Table:
| File Type | Owner | Group | Others |
|---|---|---|---|
| (-/d/l) | rwx | rwx | rwx |
ls -l # list the contents of the current directory
Output:
total 4
drwxr-xr-x 2 user1 group1 4096 Oct 25 12:50 dir1
-rw-r--r-- 1 user1 group1 0 Oct 25 12:50 file1
Let’s break down what we’re looking at. When using ls -l to display the permissions, you’re seeing Symbolic Notation. For “dir1” we have drwxr-xr-x, and for file1 we have -rw-r--r--.
File Type
In the first column, “d” designates that this object is a directory. Also notice that, by default, directories get the “x” (execute) permission. On a directory, x means permission to traverse it: to cd into it and to open anything inside it by name. Without x you cannot cd into the directory or reach the files it contains, even if those files’ own permissions would allow it. With r but no x you can still list the names in the directory, but nothing more about them.
On “file1”, the first column is -. This means it is neither a directory (d) nor a symbolic link (l), so it’s a regular file.
Owner
With “dir1”, we have rwx, meaning user1 (the owner, shown in the third column of the ls -l output) can read the directory (list its entries), write to the directory (create, rename and delete entries inside it), and execute on the directory (cd into it and reach its contents).
For “file1”, it is rw-, telling us that user1 can read from the file or write to the file (modify or truncate its contents). Note that w on a file does not by itself let the user delete it: deleting or renaming a file is a change to the directory that contains it, so it is the directory’s w bit that controls that.
Group
On “dir1”, the group permissions are r-x. Any member of “group1” (other than the owner, whose own column applies instead) will be able to list the contents of “dir1” and enter it (cd) to reach what is inside. They do not have w, so they will not be able to create, rename or delete anything in the directory.
“file1” has r--, meaning that any member of “group1” will be able to read the contents of file1 but not change them.
Other Users
The last column set applies to every other user on the system: anyone who is neither the owner nor a member of the file’s group, whether a normal user or a service account. Only one of the three classes is consulted for a given user, so the owner gets the owner bits even when the group or other bits happen to be more permissive.
“dir1” has r-x, telling us any other user on the system will be able to list the contents of “dir1” and enter it (cd). They do not have w, so they will not be able to make any changes to the directory.
On “file1”, the permissions are r--, meaning any other user on the system will have the ability to read the contents of the file.
Octal Notation
Octal notation represents file permissions in Linux with 3 digits, one for the owner (user), one for the group, and one for others. Each digit is the sum of the values of the permissions it grants. (A fourth, leading digit exists for the setuid, setgid and sticky bits; it is not covered here.)
Mapping permissions to numbers
Read (r) = 4, Write (w) = 2, Execute (x) = 1
We can set the mode (permission) by adding these numbers together. For example, If I wanted to give read and write access to a file, I would add read (4) and write (2) together to make 6. If I wanted to give read and execute, I would add 4 and 1 to make 5.
Here’s a table:
| Octal | File Mode (permission) |
|---|---|
| 0 | --- (no permissions) |
| 1 | --x (execute) |
| 2 | -w- (write) |
| 3 | -wx (write+execute) |
| 4 | r-- (read) |
| 5 | r-x (read+execute) |
| 6 | rw- (read+write) |
| 7 | rwx (read+write+execute) |
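To make the mapping concrete, here is a small Python example (added for this page, not part of the original post) that converts between the symbolic form printed by ls -l and the octal form used by chmod, cross-checks the result against the standard library’s stat.filemode, and answers the question the three columns really exist for: which single triplet applies to a given user. The user names user1 and group1 come from the ls -l output above; bob and svc are made up for the demonstration.

```python
import stat

# Bit weights behind the octal digits: read=4, write=2, execute=1.
WEIGHTS = {"r": 4, "w": 2, "x": 1}


def symbolic_to_octal(perms):
    """Convert 'rwxr-xr-x' (or the full ls -l field '-rwxr-xr-x') to '755'.

    The leading file-type character (d, -, l) is not part of the mode, so a
    10-character ls -l field is accepted and the type character dropped.
    """
    if len(perms) == 10:
        perms = perms[1:]
    if len(perms) != 9:
        raise ValueError("expected 9 permission characters, got %r" % perms)
    digits = []
    for start in range(0, 9, 3):          # owner, group, others
        value = 0
        for ch, expected in zip(perms[start:start + 3], "rwx"):
            if ch == expected:
                value += WEIGHTS[ch]
            elif ch != "-":
                raise ValueError("unexpected character %r in %r" % (ch, perms))
        digits.append(str(value))
    return "".join(digits)


def octal_to_symbolic(mode):
    """Convert '750' to 'rwxr-x---'."""
    if len(mode) != 3 or any(d not in "01234567" for d in mode):
        raise ValueError("expected three octal digits, got %r" % mode)
    out = []
    for d in mode:
        value = int(d)
        out.append("r" if value & 4 else "-")
        out.append("w" if value & 2 else "-")
        out.append("x" if value & 1 else "-")
    return "".join(out)


def matches_stdlib(mode):
    """Cross-check: stat.filemode renders the same string ls -l prints."""
    return stat.filemode(stat.S_IFREG | int(mode, 8))[1:] == octal_to_symbolic(mode)


def effective_perms(mode, owner, group, user, user_groups):
    """Return the rwx triplet that applies to `user` for a file with `mode`.

    Exactly one class is consulted: owner if the user owns the file, else
    group if the user belongs to the file's group, else others. The classes
    never combine, so an owner with '---' cannot borrow 'rwx' from the group
    column (compare the '074' case in the usage below).
    """
    sym = octal_to_symbolic(mode)
    if user == owner:
        return sym[0:3]
    if group in user_groups:
        return sym[3:6]
    return sym[6:9]


if __name__ == "__main__":
    # file1 from the page: owner user1, group group1, mode 750 after example 2.
    print(symbolic_to_octal("-rw-r--r--"))                          # 644
    print(octal_to_symbolic("750"))                                 # rwxr-x---
    print(effective_perms("750", "user1", "group1", "user1", {"group1"}))  # rwx
    print(effective_perms("750", "user1", "group1", "bob", {"group1"}))    # r-x
    print(effective_perms("750", "user1", "group1", "svc", {"svc"}))       # ---
    print(effective_perms("074", "user1", "group1", "user1", {"group1"}))  # --- (owner column wins)
```

The last call is the one worth remembering when reviewing permissions: a mode like 074 looks generous, but the owner is locked out of their own file because the owner column is the only one checked for them.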
Change Mode (permissions)
Changing the permissions of a file or directory is done with the chmod command. Let’s see some examples using “file1”.
Currently, our permissions are -rw-r--r--. Let’s add the ability to execute this file as if it were a script.
Example 1
chmod +x file1 # Adds execute permission for Owner, Group, and Others using Symbolic Notation (same as a+x, except that bits set in your umask are left alone)
chmod 755 file1 # Sets the permissions for Owner, Group, and Others using Octal Notation
In this example, symbolic notation adds the execute bit for owner, group, and everyone else by specifying only +x, without needing to consider what the permissions already are. Pay attention to this, as adding permissions in this way can make the permissions too broad: +x with no class letter means “all classes”, so unless your umask happens to strip the group and other execute bits, you have just made the file executable by every account on the system. Use u+x when only the owner should be able to run it.
In the octal notation example, we need to consider what the previous mode was, -rw-r--r--, which translates to 644, and use that to calculate a new mode. Since execute is represented by a 1 and none of the three classes had it yet, we simply add one to each digit: 6+1, 4+1, 4+1. This gives us 755. That shortcut only works when the bit is not already set; it is safer to think of each digit as a set of bits than as a number to add to.
What if we want to restrict access only to the owner and members of the file’s group? The current mode, if you’re following along, is -rwxr-xr-x. We want it to become -rwxr-x---.
Example 2
chmod o= file1 # Sets the permissions for other users to nothing using Symbolic Notation
chmod 750 file1 # Sets the permissions for other users to nothing using Octal Notation
Notice this time in the symbolic notation we have an equal sign with nothing after it. The o selects other users, = means set the permissions to exactly what follows, and an empty list means no permissions at all (chmod o-rwx file1 would have the same effect here).
In octal notation, we need to consider the previous mode of 755. Since we’re only restricting other users, the first two digits stay the same, and the last digit becomes a 0.
Let’s now consider this, we want members of the file’s group to be able to read the file, but we don’t want them to be able to execute the file. Our current mode is -rwxr-x---, we want it to become -rwxr-----.
Example 3
chmod g-x file1 # Removes only the execute permission from members of the group using Symbolic Notation; every other bit is untouched
chmod 740 file1 # Sets the permissions for the group to read-only using Octal Notation
Like before, symbolic notation changes the permissions relative to the previous mode. Octal notation defines them directly from the requirements we set: owner can read/write/execute, group can read, other users have no access.
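The three chmod steps above can be replayed and checked against the real filesystem. The Python example below (added here; it is not code from the original post) models the symbolic-mode rules chmod uses, including the umask caveat on a bare +x, then runs the actual chmod binary on a scratch copy of file1 under two different umasks and compares what the kernel reports with what the model predicted. The model covers only the subset of chmod syntax used on this page (classes u/g/o/a, operators + - =, letters r/w/x); the umask values 022 and 077 are chosen for the demonstration.

```python
import os
import shutil
import stat
import subprocess
import tempfile

WEIGHTS = {"r": 4, "w": 2, "x": 1}
SHIFT = {"u": 6, "g": 3, "o": 0}       # bit offset of each class within the mode


def apply_symbolic(mode, expr, umask=0):
    """Apply a chmod symbolic expression ('+x', 'o=', 'g-x', 'u=rw,go=') to `mode`.

    Handles the subset used on this page: classes u/g/o/a, operators +/-/=,
    and the r/w/x letters. As in chmod, a clause with no class letter acts on
    all three classes but leaves any bit that is set in `umask` unchanged,
    which is why a bare '+x' can add less than 'a+x'.
    """
    result = mode
    for clause in expr.split(","):
        i = 0
        classes = ""
        while i < len(clause) and clause[i] in "ugoa":
            classes += clause[i]
            i += 1
        implicit = classes == ""            # no class given: 'a', minus umask bits
        if implicit or "a" in classes:
            classes = "ugo"
        if i >= len(clause) or clause[i] not in "+-=":
            raise ValueError("bad clause %r" % clause)
        op = clause[i]
        bits = 0
        for letter in clause[i + 1:]:
            if letter not in WEIGHTS:
                raise ValueError("unsupported permission %r" % letter)
            bits |= WEIGHTS[letter]
        for cls in classes:
            class_mask = 0o7 << SHIFT[cls]
            new_bits = bits << SHIFT[cls]
            if op == "+":
                candidate = result | new_bits
            elif op == "-":
                candidate = result & ~new_bits
            else:                           # '=': replace this class's triplet
                candidate = (result & ~class_mask) | new_bits
            if implicit:                    # keep umask bits exactly as they were
                candidate = (candidate & ~umask) | (result & umask)
            result = candidate
    return result


def replay_examples(umask=0o022):
    """Run the page's three chmod steps on a scratch file1 starting from 644.

    Uses the real chmod binary when available (else os.chmod with the
    modelled result) and returns (expr, observed, predicted) triples in
    octal. `umask` is applied to this process for the duration of the call
    so the bare '+x' step shows the umask effect.
    """
    steps = ("+x", "o=", "g-x")
    results = []
    old_umask = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as scratch:
            path = os.path.join(scratch, "file1")
            open(path, "w").close()
            os.chmod(path, 0o644)           # the starting point shown by ls -l
            predicted = 0o644
            chmod_bin = shutil.which("chmod")
            for expr in steps:
                predicted = apply_symbolic(predicted, expr, umask)
                if chmod_bin:
                    subprocess.run([chmod_bin, expr, path], check=True)
                else:
                    os.chmod(path, predicted)
                observed = stat.S_IMODE(os.stat(path).st_mode)
                results.append((expr, format(observed, "03o"), format(predicted, "03o")))
    finally:
        os.umask(old_umask)
    return results


if __name__ == "__main__":
    for umask in (0o022, 0o077):
        print("umask %03o:" % umask)
        for expr, observed, predicted in replay_examples(umask):
            print("  chmod %-4s -> %s (model predicts %s)" % (expr, observed, predicted))
```

With the usual umask of 022 the run reproduces the page exactly: 755, 750, 740. With umask 077 the first step yields 744 instead of 755, because the bare +x leaves the group and other bits that the umask masks untouched; the remaining two steps still end at 740. If you need the execute bit on all three classes regardless of umask, write a+x explicitly.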
Other Considerations
Giving wide-open access to files and directories is dangerous, so here are a couple of things to help you keep that in check.
Read/Write for all
Since read is 4, and write is 2, giving read/write would be 6. The number “666” is commonly thought of as an evil number. Don’t be evil by doing chmod 666 file1: it lets every account on the system, service accounts included, overwrite the file’s contents.
Read/Write/Execute for all
Since read is 4, write is 2, and execute is 1, giving read/write/execute would be 7. The number “777” is often considered a lucky number, as if you see it in a casino you’ve likely hit a jackpot. Don’t let someone else hit the jackpot by doing chmod 777 file1. On a directory it is even worse: 777 lets anyone create, delete or replace any entry in it, whatever the individual files’ own permissions say.
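Spotting those 666s and 777s after the fact is the practical half of keeping this in check. The following Python example (added here, not part of the original post) walks a directory tree and reports every file or directory whose “others” class carries the write bit, together with whether the sticky bit is set, so that /tmp-style 1777 directories can be triaged rather than mistaken for a plain 777. The sample tree it builds is constructed for the demonstration; the names notes.txt, bin, shared and drop are made up.

```python
import os
import stat
import tempfile


def find_world_writable(root):
    """Return (relative path, octal mode, sticky) for every file or directory
    under `root` whose 'others' class has the write bit set.

    Symlinks are skipped: their own mode bits carry no meaning on Linux, and
    following them could walk out of `root`.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)          # permission bits only
            if mode & stat.S_IWOTH:                  # world-writable
                sticky = bool(mode & stat.S_ISVTX)   # 1777-style drop directory?
                hits.append((os.path.relpath(full, root), format(mode, "03o"), sticky))
    return sorted(hits)


def build_sample_tree(root):
    """Populate `root` with a constructed sample: two sensible entries and
    three over-permissive ones mirroring the chmod 666 / 777 mistakes above."""
    dirs = {"bin": 0o755, "shared": 0o777, "drop": 0o1777}
    files = {"file1": 0o644, "notes.txt": 0o666}
    for name, mode in dirs.items():
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)
    for name, mode in files.items():
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)


def demo():
    """Build the sample tree in a scratch directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return find_world_writable(root)


if __name__ == "__main__":
    for rel, mode, sticky in demo():
        note = " (sticky: shared drop directory, review on purpose)" if sticky else ""
        print("%-12s %s%s" % (rel, mode, note))
```

Run against a real tree (for example find_world_writable("/srv/app")), the non-sticky hits are the candidates for chmod o-w; a sticky 1777 directory is world-writable by design and should instead be checked for whether it needs to exist at all.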