Understand Linux File Permissions Using Chmod And Chown Commands
Teaching an old dog new tricks is definitely not an easy task. People are used to doing the same things over and over, and since learning can be a quite tedious activity, they often don't take the time and effort to dig a bit deeper in order to get something useful out of the process. Don't take that personally, because I am probably guiltier of this than most.
The first problem I had with a Linux system was that I couldn't really understand how file permissions work. Everything was very new to me. Having been a regular Windows user for many years, I wouldn't even bother about file permissions. However, once you understand the idea, it's actually pretty easy. Windows is an operating system that (at least in Windows XP and previous versions) was not really doing much in terms of security. Of course, it is becoming more secure in the latest versions, but the previous ones were really a mess security-wise. About 7-8 years ago, on Windows 9x systems anyone could enter ring 0 via a simple user-mode exception handler, manipulating debug registers and the like. This is probably why I never bothered to understand the Unix system better at that time.
When the time comes for you to use Linux or any Unix-based system, you will quite soon understand why file permissions are a very concrete idea. In this post, I will describe how Unix permissions work and also describe the essential chown and chmod commands and their proper usage.
File Permissions Overview
If you think about it, the file permissions system is actually a very logical way to protect files. The first and most important idea is that a file has an owner. Ownership is the most important attribute of a file. Whoever owns a file can do anything he likes to it: edit it, change its permissions, or hand it over to someone else. (Deleting it is the one exception: removing a file is governed by the write permission on the directory that holds it, not by the file's own permissions, since deleting means editing the directory's list of entries.) The next most important attributes of a file are read, write and execute.
Always bear in mind that a certain subject has a permission over an object. Therefore, a user A has a permission P over a file F. I don't want to go too deep into permission control, but if you want to learn more about the internals of this system, definitely take a look at Matt Bishop's book Computer Security: Art and Science.
Now, as I told you, the owner of the file is the god over it. Thus, he is able to specify the permissions that other users have over his files. In Unix, there are mainly 3 types of subjects that have permissions over objects: the owner of the file, the group and others. You already know who the owner is. The group is exactly what the name says: a group of users who share certain permissions over a file. Suppose that we have a printer program that we want certain people to be able to execute but not modify. These people belong to a group named printer, the program's group is set to printer, and the group gets execute permission over it. Finally, there are the others. Others are all those users who are neither the owner of the file nor members of the file's group. Therefore, they correspond to everyone else.
You may be asking yourself why the owner of a file needs to specify permissions for himself. Since he is the owner of the file, he can do anything to it, right? Well, this is more of a protective measure against accidents. For instance, you may have a file that you do not wish to accidentally overwrite. If you do not give yourself write permission on that file, an editor or a shell redirection will refuse to write to it, and rm will ask you for confirmation before removing it (though, as said above, the removal itself is decided by the directory's permissions). The owner can always run chmod and give the permission back, so this protects against mistakes, not against the owner himself. This is why the owner sets permissions for himself as well as for the group and others.
As I already told you, there are 3 main permission types: read, write and execute. The read permission means being able to read the contents of a file; on a folder it means being able to list the entries in it. The write permission means being able to modify a file; on a folder it means being able to create, rename or delete entries in it. The execute permission on a program means being able to run it (this is why we give execute permission to, say, a bash script before running it); on a folder it means being able to enter it and reach the files inside by name, even if you cannot list them (a folder with execute but no read permission lets you open a file whose name you already know, but ls will show you nothing). There is also another important attribute that you should use carefully, and that is the setuid bit (more an attribute than a permission). When it is set on an executable, whoever runs that program gets a process that runs with the user ID of the file's owner instead of his own; a setuid program owned by root therefore runs with root's privileges no matter who started it. (The Linux kernel honours the bit only on compiled binaries, not on interpreted scripts.) Be extra careful when using it on files owned by root, because any bug in such a program can be turned into a way for a malicious user to gain root over your whole system.
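As an added example (not part of the original post), here is a small POSIX shell script that sets the setuid bit on one scratch file and then does the check a practitioner actually wants: find every file under a directory that carries setuid or setgid. The directory, file names and the file contents are constructed for the example; `find -perm -4000` matches files that have all of the given bits set, which is the standard way to audit a system for setuid binaries.

```shell
#!/bin/sh
# Added example: demonstrate the setuid bit on a scratch file and audit a
# directory tree for setuid/setgid files. Directory and file names are
# constructed for this example. Note: Linux ignores setuid on scripts, so the
# bit here is only inspected, never actually honoured by the kernel.

# Build a scratch tree holding one ordinary executable and one setuid one.
make_tree() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\nid -u\n' > "$dir/plain"
    printf '#!/bin/sh\nid -u\n' > "$dir/priv"
    chmod 755 "$dir/plain"
    chmod 4755 "$dir/priv"    # leading 4 = setuid, 2 would be setgid
    echo "$dir"
}

# List every regular file under $1 that has setuid (4000) or setgid (2000).
# -perm -MODE matches when *all* bits of MODE are set on the file.
find_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# Permission column of ls -l for a path, e.g. "-rwsr-xr-x".
# The 's' in the owner's execute slot is how setuid shows up.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Stand-alone run: build the tree, list what the audit finds, clean up.
demo() {
    d=$(make_tree)
    echo "setuid/setgid files under $d:"
    find_setuid "$d"
    mode_string "$d/priv"
    rm -rf "$d"
}
```

On a real system you would run the same `find` against `/` (as root, with `2>/dev/null` to hide unreadable directories) and compare the list against what your distribution installs by default; anything unexpected deserves a close look.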
Setting Owners and Permissions
Now that we know what permissions are, we need to know how to set them. Setting the owner of a file is actually very easy and can be done via the command chown (change owner). Note that on Linux only the superuser can change the owner of a file; an ordinary user cannot give his files away to someone else. The owner of a file may, however, change its group to any group he himself belongs to. Using this command is very easy:
chown hthought:staff new
As you can see, chown can change the group of a file as well. The above command specifies that the file "new" belongs to hthought and that the group staff gets rights over it (the ones specified by the owner of the file).
Changing the owner and the group of a file is pretty trivial, as you see. However, the chmod command can be a bit more challenging and needs more explanation. Only the owner of a file can use chmod on it (and the superuser, as always). There is a compact system that people like to use in order to change the permissions of a file, and that is the numeric (octal) system, using the well known 755 and the like. You may feel that it is a bit complicated to remember, but here is an easy way to work out the value you need. First of all, think of our 3 subjects: the user (owner), the group and the other users. Each one of them has 3 possible permissions over a file: r for read, w for write and x for execute. Take a look at this example specifying permissions for a certain file F:
User has rwx, meaning 111
Group has rx, meaning 101
Others have x, meaning 001
The user/owner has rwx permissions over the file. When a certain permission is set, its bit becomes 1, and when it is not set it becomes 0. Thus, since all three permissions are set, all three bits are 1. For the group, the bits are 101 (has read, does not have write, has execute) and for the others they are 001 (has no read or write but has execute). As you can see, the full permission string is:
111 101 001
Now, the next thing is to turn each group of three bits into a single digit. Since three bits can only hold the values 0 to 7, what you get is an octal number, which is exactly what chmod expects (the digits never go above 7, so 751 here is octal, not decimal). The only thing to remember is to convert the bits in chunks of three, as they are: 111 is 7, 101 is 5 and 001 is 1. Put these together and you get 751. A quicker shortcut is to add the weights r=4, w=2, x=1 within each triplet: rwx is 4+2+1=7, r-x is 4+1=5, --x is 1. Using chmod now:
chmod 751 new
Executing this command now gives the exact permissions(to file “new”) that we discussed above. Simple? Well, i agree. It is simple but it can be time consuming. Thankfully, there is a much better way..
Chmod The Non Leet Way (or better, the convenient way)
Most of us wouldn't go about working out these numbers, though. We don't want to start thinking about them just to change one permission. Luckily, there is a much easier way to do that. Picture u for user, g for group and o for others. Then also think of r for read, w for write, x for execute (doh). How do we state that we want to give the read and write permission to our group and the others? This very easy way:
chmod go+rw new
Isn't that very convenient? We just use + to add the r and w permissions to go (group and others). In the same way we remove permissions, using -. Thus, removing the read permission for ourselves (the user and owner of the file):
chmod u-r new
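To tie the two notations together, here is an added example (not from the original post) in POSIX shell: a function that converts an rwx string such as "rwxr-x--x" into the octal number chmod expects (751), applies it to a scratch file, and reads the result back from ls -l, followed by the symbolic go+rw and u-r forms above applied to the same file. The function names and the scratch file are constructed for the example.

```shell
#!/bin/sh
# Added example: convert an rwx string to chmod's octal form, apply it, and
# read back the effective mode with ls -l. Function names and the scratch
# file are constructed for this example.

# One triplet such as "r-x" -> one octal digit: r=4, w=2, x=1 (binary 111 = 7).
triplet_to_digit() {
    n=0
    case $1 in r??) n=$((n + 4));; esac
    case $1 in ?w?) n=$((n + 2));; esac
    case $1 in ??x) n=$((n + 1));; esac
    echo "$n"
}

# "rwxr-x--x" -> "751": user, group and others triplets, one digit each.
perm_to_octal() {
    p=$1
    u=$(triplet_to_digit "$(printf '%s' "$p" | cut -c1-3)")
    g=$(triplet_to_digit "$(printf '%s' "$p" | cut -c4-6)")
    o=$(triplet_to_digit "$(printf '%s' "$p" | cut -c7-9)")
    echo "$u$g$o"
}

# The nine permission characters ls -l prints for a path (file type dropped).
mode_of() {
    ls -ld "$1" | cut -c2-10
}

# Apply a symbolic string by converting it to octal, then report the result.
apply_perm() {
    chmod "$(perm_to_octal "$2")" "$1"
    mode_of "$1"
}

# Stand-alone run: the numeric form, then the two symbolic edits from the post.
demo() {
    f=$(mktemp)
    apply_perm "$f" "rwxr-x--x"        # same as: chmod 751 "$f"
    chmod go+rw "$f"; mode_of "$f"     # group r-x and others --x both become rwx
    chmod u-r "$f"; mode_of "$f"       # owner loses read: -wxrwxrwx
    rm -f "$f"
}
```

The read-back through ls -l is the check worth keeping in mind: the mode you asked for and the mode the file ends up with are not always the same (for instance, chmod on a directory or on a file you do not own fails silently in a script unless you look at the exit status), so after any bulk permission change, look at the result rather than trusting the command.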
Chmod For Many Files and Folders (The Recursive Way)
Many times we need to change the permissions not of a single file but of a whole folder with its subfolders. We can do this very easily using the -R switch (it works for chown too, if you need it). Thus, specifying something like:
chmod -R g-rwx folder
would remove all the rights the group has over the folder, its subfolders and the files in them. If you want to leave the folder itself alone and only touch what is inside it, you can let the shell expand its contents instead:
chmod -R g-rwx folder/*
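The difference between the two recursive forms is easier to see than to describe, so here is an added example (not from the original post) that builds a scratch tree and strips group permissions three ways: with -R on the folder, with -R on folder/*, and with find -type f so that only regular files are touched and the directories keep their group bits. The tree layout and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example: compare three ways of removing group permissions recursively.
# The tree (folder/a, folder/.hidden, folder/sub/b) and the function names are
# constructed for this example.

# Scratch tree: a folder with a file, a dot-file and a subfolder holding a file.
make_tree() {
    top=$(mktemp -d)
    mkdir -p "$top/folder/sub"
    touch "$top/folder/a" "$top/folder/.hidden" "$top/folder/sub/b"
    chmod 775 "$top/folder" "$top/folder/sub"
    chmod 664 "$top/folder/a" "$top/folder/.hidden" "$top/folder/sub/b"
    echo "$top"
}

# The group triplet (characters 5-7 of ls -l) for a path, e.g. "rw-".
group_bits() {
    ls -ld "$1" | cut -c5-7
}

# 1. -R on the folder itself: the folder, every subfolder and every file.
strip_whole() {
    chmod -R g-rwx "$1/folder"
}

# 2. -R on folder/*: skips the folder and dot-files (the shell glob does not
#    match them) but still descends into sub/, so sub/b changes as well.
strip_glob() {
    chmod -R g-rwx "$1"/folder/*
}

# 3. Regular files only: let find pick them, leave every directory untouched.
strip_files_only() {
    find "$1/folder" -type f -exec chmod g-rwx {} +
}

# Stand-alone run: show what each variant leaves behind.
demo() {
    for variant in strip_whole strip_glob strip_files_only; do
        t=$(make_tree)
        "$variant" "$t"
        echo "$variant: folder=$(group_bits "$t/folder") sub=$(group_bits "$t/folder/sub") \
hidden=$(group_bits "$t/folder/.hidden") sub/b=$(group_bits "$t/folder/sub/b")"
        rm -rf "$t"
    done
}
```

The find variant is the one to reach for when directories and files need different treatment (the common case, since directories need x to be entered while files usually should not have it): run one find with -type d and another with -type f, each with its own chmod.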
Be aware, though, that this second form is not quite "only the files inside": the glob skips the folder itself and any entries whose names start with a dot, but -R still descends into every subfolder it is given, so sub-subfolders and their files are changed too. If you really mean regular files only, select them explicitly rather than relying on the glob.
This is just about it. You now know more than the basics about file permissions in Unix/Linux. They will certainly come in handy many times. Have fun trying them out!