Aren’t Linux permissions weird? Don’t you miss Windows/OS X where permissions rarely, if ever, matter?
Well, I’ve felt your pain before, and am here to help. With just a few minutes of reading, I’ll teach you what permissions are, why they are important, how to interpret them, and how to change them. I promise, the machine shall not win!
WTF Are Permissions?
An excellent question! Permissions decide who can manage a file or directory, and what they can do to it.
Think of a hotel. When you check in and get a room, the front desk hands you a keycard. This keycard allows you access to your room, and in some cases, access to a few hotel amenities (swimming pool here I come).
Well, the maids have keycards too. Except theirs allow them into everyone’s room, including yours, the amenities areas, and certain staff areas. And security has keycards that give them other access.
Well, just like the hotel keycards give specific access to certain people, the Linux operating system has a mechanism, called user permissions, that gives users specific access to certain directories and files.
Why Bother With User Permissions?
Another excellent question!
Let’s go back to the hotel keycards for a second. I hope you agree that giving every guest a keycard that accesses every room is unwise and potentially dangerous.
Well, for similar reasons, it is unwise to give every user on a computer access to every file and directory. At a minimum, it would make decimating another user’s files and settings trivial, and it would open gaping attack vectors (geek-speak for security holes) for anyone trying to compromise your computer.
A basic principle of computer security is to give every user the least amount of access required to do their tasks. Linux is better suited to do this than any other major operating system. Linux’s reputation for security and stability is due, in no small part, to its user permissions.
How Do They Work?
In Linux, there are three explicit operations you can do to a file or directory.
The first operation is to read it. This means you can see what it contains. If it’s a file, you can open it. If it’s a directory, you can see the files and subdirectories inside it.
The second operation is to write to it. This means you can modify and delete the file or directory.
The third operation is to execute it.
In the context of a file, this tells Linux it’s okay to “run” the file. For documents, execution doesn’t make sense, but some Linux files are programs (called binaries) and scripts that need to “run” to work.
In the context of a directory, this means the ability to enter the directory using a file manager, the cd command in a terminal, or any other equivalent method.
User/Group Specific Permissions
Those three operations are okay for specifying what can be done to a file or directory. But they become truly awesome when you tailor the permissions to specific users.
Where permissions are concerned, there are three entities for which you can specify permissions. I’m going to call them permission entities because I’m creative that way.
The first permission entity, the owner, is the person who owns the file. Upon the creation of a file, the owner is the user who created it, but this is possible to change later on.
Groups are collections of users who all share a commonality. If ten users all need access to something, it is bad form to give those ten users permissions individually. Instead, you add the users to a group and give the group the permissions. Grouping doesn’t seem useful when there are only one or two users accessing a machine. But when you have to manage hundreds, thousands, or even millions of users, the true power of grouping becomes more obvious.
A file or directory can take advantage of this group construct. You can assign the file or directory to a group, and specify permissions for that group.
And the last entity is simply everyone who isn’t the owner or a member of the assigned group.
With these three types of permissions applied to the three permission entities, you have extraordinary control over the users on your computer.
How Do I See Permissions?
If your Linux has a graphical user interface, it most likely has a graphical tool to see and manage permissions. Usually, this is done by opening the file manager program, browsing to your file or directory, and opening the properties.
But, there’s also a way to do it in the terminal. If you’ve read our post, The Essential Primer For The Linux Terminal, you should know why the terminal is important, and already be familiar with the command to do it. Executing the ls -l command in the terminal lists files and directories, and the details about them.
As you can see from the not at all disturbing listing of my Documents directory, I have three items. Let’s take that first entry, and analyze the left part of the line.
drwxr-xr-x 2 john john
Ignore the number in the second column, that isn’t applicable right now. We want the first, third, and fourth columns.
The very first character, ‘d’, indicates that this entry is a directory. If the entry is a file, the ‘d’ is replaced with a dash, ‘-’, as you can see with the second entry in the screenshot. The remaining nine characters tell you which of the three permission types (read, write, execute) are granted to the three distinct permission entities (owner, group, everyone else).
To make it visually clearer, let’s break those nine characters into three groups of three characters.
rwx r-x r-x
Each of those groups corresponds to one of the three permission entities. The first is the permissions for the owner, the second is for the group, and the last is for everyone else.
The letter ‘r’ stands for read. ‘w’ stands for write. And ‘x’ stands for execute. So putting it into English, those nine characters tell us that the owner has read, write, and execute permissions. The directory’s group has read and execute permissions, but not write permission. And everyone else also has read and execute, but not write permission.
So that information is all excellent, but what if we need to know who the owner is and which group is assigned to the file or directory? Well, that’s what the third and fourth columns are for. The third column is the user who owns the file, and the fourth column is the name of the group assigned. In this case, both the user and the group are named john.
Let’s move on to the second line from the screenshot for “Solve World Hunger.txt.”
-rw------- 1 john minions
The very first character tells us it’s a file, not a directory. The next nine characters give us the permissions. The first group of three is for the owner. In this case, the owner has read and write permissions. The second is for the group associated with the file. The group has no permissions. And the third is for everyone else. They too have no permissions.
Going to the third column, we see that the owner is john, and the fourth column tells us that the group associated with it is minions.
So I have a file named “Solve World Hunger.txt”, but no one else can see or alter it, not even minions. That’s not mysterious or disconcerting, is it?
And now it’s your turn. Go to the World Domination line, and figure out what the permissions are.
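Here is the same decoding done by a small shell function, fed the two listings from above. This is an added example, not part of the original post; the function name explain_mode is made up for illustration, and it only understands the r, w, x and dash characters covered here.

```shell
#!/bin/sh
# explain_mode MODE OWNER GROUP
# Turns the first column of `ls -l` (for example drwxr-xr-x) into plain English.
# Hypothetical helper written for this example.
explain_mode() {
    mode=$1; owner=$2; group=$3
    # One type character plus three groups of three = ten characters.
    if [ "${#mode}" -ne 10 ]; then
        echo "expected 10 characters, got: $mode" >&2
        return 1
    fi
    case $mode in
        d*) echo "type: directory" ;;
        -*) echo "type: file" ;;
        *)  echo "type: something else" ;;
    esac
    rest=${mode#?}    # drop the type character, keep the nine permission flags
    for who in "owner ($owner)" "group ($group)" "everyone else"; do
        triplet=$(printf '%s' "$rest" | cut -c1-3)   # this entity's three flags
        rest=$(printf '%s' "$rest" | cut -c4-)       # what is left for the next one
        granted=""
        case $triplet in r??) granted="read" ;; esac
        case $triplet in ?w?) granted="${granted:+$granted, }write" ;; esac
        case $triplet in ??x) granted="${granted:+$granted, }execute" ;; esac
        echo "$who: ${granted:-no permissions}"
    done
}

# The two listings discussed above.
explain_mode drwxr-xr-x john john
explain_mode -rw------- john minions
```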
Can I Change Permissions?
Absolutely! You can change permissions using the graphical tool if you have one, or by using the ‘chmod’ command. I highly recommend checking out the man page for this command (available here). I’m only going to give a few very basic examples. The command can do much more.
First, let me make a quick reference table. The table will link a special letter code with the permission entities we discussed above. This will help out in a second.
| Permission Entity | Letter Code | Memory Trick |
|---|---|---|
| Owner | u | Think ‘u’ as in ‘you’. This file belongs to ‘u’. |
| Group | g | Think ‘g’ as in the first letter of ‘group’. |
| Everyone Else | o | Instead of ‘everyone else’, think ‘other’. ‘o’ is the first letter. |
| All Three Entities | a | ‘a’ is the first letter in all. |

Okay, ‘chmod’ takes two arguments. The first is an expression explaining the permissions you want. The second is the file or directory on which to set the permissions.
You create the expression using the letter codes in the table above connected to the r, w, or x you want that entity to have with either a plus sign, ‘+’, a minus sign, ‘-’, or an equal sign, ‘=’. The plus sign indicates you want to add the specified permission, the minus sign that you want to remove it, and the equal sign that you want the permissions to equal what you specify.
I know, that sounds incredibly confusing, but it will make sense if we look at a few examples.
chmod g+w Blackmail
That command adds write permissions for the associated group to the Blackmail directory.
chmod u-w Blackmail
This takes away write permission to Blackmail from the owner.
chmod o=rw Blackmail
And this one sets the permission for everyone who’s not an owner or a group member for the Blackmail directory to read and write only, no execute.
chmod a=r "World Domination"
And this gives all three entities read permission only for the World Domination directory.
As I said, there are other ways to use ‘chmod’, and you should check out the man page, but this will get you started.
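To watch those four commands change the permission string step by step, here is a script that runs them in a throwaway directory. This is an added example, not part of the original post; the function names are made up, the scratch directory comes from mktemp, and both directories start at drwxr-xr-x like the first listing above.

```shell
#!/bin/sh
# mode_of PATH: print the ten-character permission string that `ls -ld` shows.
mode_of() { ls -ld "$1" | cut -c1-10; }

# Runs the four chmod examples in order and prints the mode after each one.
# Hypothetical helper written for this example.
chmod_walkthrough() {
    scratch=$(mktemp -d) || return 1            # constructed scratch area
    b="$scratch/Blackmail"
    w="$scratch/World Domination"
    mkdir "$b" "$w"
    # Known starting point; commas let one chmod call set several entities.
    chmod u=rwx,g=rx,o=rx "$b" "$w"

    echo "start $(mode_of "$b")"
    chmod g+w "$b";  echo "g+w $(mode_of "$b")"    # group gains write
    chmod u-w "$b";  echo "u-w $(mode_of "$b")"    # owner loses write
    chmod o=rw "$b"; echo "o=rw $(mode_of "$b")"   # others: exactly read and write
    chmod a=r "$w";  echo "a=r $(mode_of "$w")"    # everyone: exactly read

    # Give the owner full access back so the scratch area can be removed.
    chmod u+rwx "$b" "$w"
    rm -rf "$scratch"
}

chmod_walkthrough
```

Notice that ‘=’ wipes whatever it doesn’t mention: after o=rw and a=r the execute bit is gone, and since execute on a directory is what lets you enter it, a non-root user can no longer cd into World Domination.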
Permissions frighten many Linux newcomers. Operating systems like Windows and OS X gloss over the idea of permissions to the point where most people never know they exist. Linux doesn’t gloss over them.
However, as I hope you learned, permissions aren’t difficult to understand, and with graphical tools, they are easy to manipulate.
Just remember, you apply read, write, and execute permissions to the owner, the group, and everyone else. From there, you can figure out the rest with a quick man page peek or a simple Google search.
Let me know if any of this was difficult to understand, or if you have any questions, in the comments below.