Source
Useful links
- TLDP 3.4 File Security
- ArchWiki File Permissions and Attributes
- Dave Eisenberg chmod
- Stack Overflow - umask
Linux Permissions
- first bit can be `d` (directory), `l` (link), `-` (regular file)
- other bits are in groups of three, can be either `r`/`w`/`x` (set) or `-` (unset)
- the last bit can also be `t`, which is the “sticky bit” (see special permissions under numeric permissions)
- `ugo` = user, group, other
  - user = file owner
  - group = file group
  - other = any user who is not the owner and not in the group
- `rwx` = read, write, execute
  - read = view file
  - write = write to file
  - execute = run the file as a program
Note
There is also `s`, which can be in the `x` permission location under user. This is for setuid, which essentially means that a user can run the program as if they were the program’s owner. Only used for executable files.
chgrp and chown
Change the group or owner of a file or directory.
Syntax
Note
The `-R` flag operates recursively through directories.
chmod
Syntax
- `[u,g,o,a]`: optional, specify user, group, other, or all of the above for the given permission
- `{-,+,=}`: remove, add, or set the given permission, respectively
- `{r,w,x}`: read, write or execute permission
Note
You can also run with multiple of `u,g,o` and/or `r,w,x` specified. E.g.:
Note
Other (o) can also be referred to as world (w) in some cases. In Debian’s case, other (o) is used.
Examples
Numeric permissions
Shorthand for permissions - less user friendly, but I tend to find this easier/quicker.
- X = user
- Y = group
- Z = other
- W = special permissions
  - 1 = sticky bit - prevent accidental file deletion by users who are not the file owner
  - 2 = setgid - command should always run as its group owner
  - 4 = setuid - command should always run as its owner
for user, group, other:
- read = 4
- write = 2
- exec = 1
…then add them up!
e.g. 4+2 is read + write or `rw-`
commonly used:
- `644` is `-rw-r--r--`
- `755` is `-rwxr-xr-x`
- `400` is `-r--------`
Binary breakdown
I rarely actually think through it this way, but for some reason knowing the binary explanation always helps me to grasp the concept (e.g. subnetting).
If you think of `rwx` as a three digit binary number - recall that `1000` in binary is decimal 8, so it follows that the options would be decimal 1-7 - and imagine that a 1 in that binary place is the permission “flipped on” and a 0 in that binary place is the permission “flipped off” - then it follows that:
- `rwx` = binary `111` = decimal 7 = read (4) + write (2) + execute (1)
- `rw-` = binary `110` = decimal 6 = read (4) + write (2)
- `r-x` = binary `101` = decimal 5 = read (4) + execute (1)
- `r--` = binary `100` = decimal 4 = read (4)
- `-wx` = binary `011` = decimal 3 = write (2) + execute (1)
- `-w-` = binary `010` = decimal 2 = write (2)
- `--x` = binary `001` = decimal 1 = execute (1)
- `---` = binary `000` = decimal 0 = no permissions
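As an added example (not part of these notes), the following POSIX sh function ties the numeric and binary breakdowns together: it turns an `ls -l` mode string into the four-digit octal form, W (special) digit first, then the X/Y/Z user/group/other digits. The function name `mode_to_octal` is my own.

```shell
#!/bin/sh
# Added example: convert an ls -l style mode string such as "-rwsr-xr-x"
# into four-digit octal ("4755"): special digit, then user/group/other.

mode_to_octal() {
    m=${1%[+@.]}              # drop a trailing ACL / SELinux marker if present
    case ${#m} in
        10) perms=${m#?} ;;   # strip the leading type character (d, l or -)
        9)  perms=$m ;;
        *)  printf 'bad mode string: %s\n' "$m" >&2; return 1 ;;
    esac
    special=0
    digits=""
    pos=0                     # 0 = user, 1 = group, 2 = other
    while [ "$pos" -lt 3 ]; do
        start=$((pos * 3 + 1))
        triplet=$(printf '%s' "$perms" | cut -c "$start-$((start + 2))")
        case $triplet in
            [-r][-w][-xsStT]) ;;
            *) printf 'bad permission triplet: %s\n' "$triplet" >&2; return 1 ;;
        esac
        val=0
        case $triplet in r??) val=$((val + 4)) ;; esac   # read  = 4
        case $triplet in ?w?) val=$((val + 2)) ;; esac   # write = 2
        # Execute slot: x/s/t set the execute bit (1); s/S and t/T also carry
        # setuid (4, user slot), setgid (2, group slot) or sticky (1, other slot).
        case $pos:$triplet in
            ?:??x) val=$((val + 1)) ;;
            0:??s) val=$((val + 1)); special=$((special + 4)) ;;
            0:??S) special=$((special + 4)) ;;
            1:??s) val=$((val + 1)); special=$((special + 2)) ;;
            1:??S) special=$((special + 2)) ;;
            2:??t) val=$((val + 1)); special=$((special + 1)) ;;
            2:??T) special=$((special + 1)) ;;
            ?:??-) ;;
            *) printf 'special bit in wrong slot: %s\n' "$m" >&2; return 1 ;;
        esac
        digits="$digits$val"
        pos=$((pos + 1))
    done
    printf '%s%s\n' "$special" "$digits"
}

# Demonstration on constructed mode strings.
for mode in -rw-r--r-- -rwxr-xr-x -r-------- -rwsr-xr-x drwxrwxrwt; do
    printf '%s -> %s\n' "$mode" "$(mode_to_octal "$mode")"
done
```

The value it prints is the same octal form that `chmod` and `find -perm` accept.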
Implementation: `find` examples
Notes on permissions in directories
- read: list files in the directory
- write: add files to or remove files from the directory
- execute: view information about files in the directory, as well as do things such as `cd` into the directory
- typical directory permissions for group and other are `r-x`: list the directory’s contents, act on files in the directory, but not write to the directory.
Tips from today
- `ll` is an alias for `ls -l`
- You can use `\( \)` (escaped parentheses) to group logical operations in the `find` command
- Use `tr -s ' '` to remove extra spaces in stdout
- A comma separated list of fields in the `cut` command works if you only want specific fields