Linux Permissions

ll /path/to/dir # "long listing" of files in a directory
 ___________ first bit
|  _________ owner permissions
| |    _____ group permissions
| |   |    _ other / world permissions
| |   |   | 
d rwx rwx rwx
  • first bit can be d (directory), l (link), - (regular file)

  • other bits are in groups of three, can be either r/w/x (set) or - (unset)

  • the last bit can also be t, which is the “sticky bit” (see special permissions under numeric permissions)

  • ugo = user, group, other

    • user = file owner
    • group = file group
    • other = any user who is not the owner and not in the group
  • rwx = read, write, execute

    • read = view file
    • write = write to file
    • execute = run the file as a program

Note

There is also s, which can appear in the x position of the user triplet. This is the setuid bit, which essentially means that whoever runs the program runs it as if they were the program's owner. Only meaningful for executable files.

chgrp and chown

Change the group or owner of a file or directory.

Syntax

ch{grp,own} {group or user} file.txt

Note

The -R flag operates recursively through directories.

chmod

Syntax

chmod [u,g,o,a]{-,+,=}{r,w,x} file.txt
  • [u,g,o,a]: optional, specify user, group, other, or all of the above for the given permission
  • {-,+,=}: remove, add, or set the given permission, respectively
  • {r,w,x}: read, write or execute permission

Note

You can also run with multiple of u,g,o and/or r,w,x specified. E.g.:

# add all permissions for user and group
chmod ug+rwx file.txt
ls -l file.txt
# output: -rwxrwxrwx (only if other already had rwx; ug+rwx does not touch other, so from the default -rw-r--r-- you get -rwxrwxr--)
 
# set read and write permissions for user, group, and other
chmod a=rw file.txt
ls -l file.txt
# output: -rw-rw-rw-

Note

Other (o) can also be referred to as world (w) in some cases. In Debian’s case, other (o) is used.

Examples

touch file.txt
ls -l file.txt
# output: -rw-r--r--
# user can read and write but not execute
# group and other can read but not write nor execute
 
# add execute permission without specifying ugo
chmod +x file.txt
ls -l file.txt
# output: -rwxr-xr-x
# adds execute permission to all 3 ugo
chmod -x file.txt # reverts
chmod g+x file.txt
ls -l file.txt
# output: -rw-r-xr--
# adds execute permission to JUST group
 
# grab an existing script
cp ~/.local/bin/vimv .
ls -l vimv
# output: -rwxr-xr-x
./vimv # I, the owner, can execute!
chmod u-x vimv
./vimv
# zsh: permission denied: ./vimv - I can no longer execute!
 
# add a user for testing
sudo useradd -m bob
sudo usermod -s /bin/bash bob
sudo passwd bob # set password
 
# switch to that user and try to execute the file
sudo su bob
./vimv # bob can execute!
exit
 
# add bob to currentuser group
sudo usermod -aG currentuser bob
 
chmod u+x ./vimv
chmod g-x ./vimv
 
sudo su bob
./vimv
# bash: ./vimv: Permission denied
# currentuser group can no longer execute! Only the file owner and others can
 
# remove the user and the home directory that useradd -m created
sudo userdel bob
sudo rm -rf /home/bob

Numeric permissions

Shorthand for permissions - less user friendly, but I tend to find this easier/quicker.

chmod [W]XYZ file.txt # where X, Y, and Z are numbers 0-7 and W is 1, 2, or 4
  • X = user
  • Y = group
  • Z = other
  • W = special permissions
    • 1 = sticky bit (set on a directory) - prevent accidental file deletion by users who are not the file owner
    • 2 = setgid - command should always run as its group owner
    • 4 = setuid - command should always run as its owner

for user, group, other:

  • read = 4
  • write = 2
  • exec = 1
    …then add them up!

e.g. 4+2 is read + write or rw-

commonly used:

  • 644 is -rw-r--r--
  • 755 is -rwxr-xr-x
  • 400 is -r--------

Binary breakdown

I rarely actually think through it this way, but for some reason knowing the binary explanation always helps me to grasp the concept (e.g. subnetting).

If you think of rwx as a three-digit binary number (recall that 1000 in binary is decimal 8, so three bits give you the options decimal 1-7), and imagine that a 1 in a binary place means that permission is “flipped on” and a 0 means it is “flipped off”, then it follows that:

  • rwx = binary 111 = decimal 7 = read (4) + write (2) + execute (1)
  • rw- = binary 110 = decimal 6 = read (4) + write (2)
  • r-x = binary 101 = decimal 5 = read (4) + execute (1)
  • r-- = binary 100 = decimal 4 = read (4)
  • -wx = binary 011 = decimal 3 = write (2) + execute (1)
  • -w- = binary 010 = decimal 2 = write (2)
  • --x = binary 001 = decimal 1 = execute (1)
  • --- = binary 000 = decimal 0 = no permissions
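As an added example (not from the original notes), the two POSIX sh functions below do the rwx to octal arithmetic from the table above in both directions, so they serve both the "Numeric permissions" list of common modes and the binary breakdown. A third helper reads a file's real mode from the ls -l column and converts it, so the functions can be checked against an actual chmod. The function names are my own.

```shell
#!/bin/sh
# Convert a 9-character symbolic mode (the ugo triplets ls -l prints after
# the type character, e.g. "rwxr-xr--") into its 3-digit octal form ("754")
# by adding r=4, w=2, x=1 for each triplet. A lowercase s or t in the x
# position counts as x set; the special bit itself is not part of the 3 digits.
sym_to_octal() {
  sym=$1
  if [ "${#sym}" -ne 9 ]; then
    echo "sym_to_octal: expected 9 permission characters, got '$sym'" >&2
    return 1
  fi
  out=""
  i=1
  while [ "$i" -le 9 ]; do
    triplet=$(printf '%s' "$sym" | cut -c"$i"-"$((i + 2))")
    digit=0
    case $triplet in r??)     digit=$((digit + 4)) ;; esac   # read    = binary 100
    case $triplet in ?w?)     digit=$((digit + 2)) ;; esac   # write   = binary 010
    case $triplet in ??[xst]) digit=$((digit + 1)) ;; esac   # execute = binary 001
    out="$out$digit"
    i=$((i + 3))
  done
  printf '%s\n' "$out"
}

# The reverse: turn a 3-digit octal mode ("640") back into "rw-r-----" by
# testing the 4, 2 and 1 bits of each digit.
octal_to_sym() {
  oct=$1
  if [ "${#oct}" -ne 3 ]; then
    echo "octal_to_sym: expected 3 octal digits, got '$oct'" >&2
    return 1
  fi
  out=""
  i=1
  while [ "$i" -le 3 ]; do
    d=$(printf '%s' "$oct" | cut -c"$i")
    case $d in
      [0-7]) ;;
      *) echo "octal_to_sym: '$d' is not an octal digit" >&2; return 1 ;;
    esac
    if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
    if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
    if [ $((d & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    i=$((i + 1))
  done
  printf '%s\n' "$out"
}

# Read the real mode of a file from ls -l (columns 2-10 are the ugo triplets)
# and report it as octal, so the conversion can be checked against chmod.
file_mode_octal() {
  sym_to_octal "$(ls -ld "$1" | cut -c2-10)"
}
```

Usage: `sym_to_octal rwxr-xr--` prints `754`, `octal_to_sym 644` prints `rw-r--r--`, and `chmod 640 file.txt; file_mode_octal file.txt` prints `640`. Both functions reject malformed input (wrong length, or a digit of 8 or 9) rather than silently producing a mode.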

Implementation: find examples

# find all files in /var/www/html and change permissions to 644
# find all directories in /var/www/html and change permissions to 755
find /var/www/html \
    \( -type f -execdir chmod 644 {} \; \) \
    -o \( -type d -execdir chmod 755 {} \; \)
# find all files in current directory with abnormal (not 644) permissions and display their permissions
# use tr to squeeze extra spaces into one space
# use cut to display only the permissions and filepath
find . \( -not -perm 644 -a -type f \) -exec ls -l {} \; | tr -s ' ' | cut -d' ' -f1,9
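Building on the find examples above, here is an added example (my own code, not from the original notes) that uses find -perm to audit a tree for the special and world-writable bits described under numeric permissions, and then applies a find + chmod fix for one class of finding. The sample tree, its file names and the tag names are constructed for the example.

```shell
#!/bin/sh
# Build a constructed sample tree under a temp directory and print its path.
# Modes are set with the numeric form, including the leading special digit
# (4 = setuid, 1 = sticky).
make_sample_tree() {
  root=$(mktemp -d) || return 1
  mkdir -p "$root/app/bin" "$root/app/shared"
  : > "$root/app/bin/tool";          chmod 4755 "$root/app/bin/tool"          # setuid executable
  : > "$root/app/bin/helper";        chmod 755  "$root/app/bin/helper"        # ordinary executable
  : > "$root/app/shared/notes.txt";  chmod 666  "$root/app/shared/notes.txt"  # world-writable file
  : > "$root/app/shared/config.cfg"; chmod 644  "$root/app/shared/config.cfg" # the expected 644
  chmod 1777 "$root/app/shared"                                               # world-writable, but sticky
  printf '%s\n' "$root"
}

# Walk a tree with find -perm and print one "tag ./path" line per finding.
# -perm -MODE matches when ALL the given bits are set, so -perm -4000 is
# "setuid bit set", -perm -0002 is "writable by other", and ! -perm -1000
# excludes directories that carry the sticky bit (like /tmp). Output is
# sorted so two runs can be diffed.
audit_tree() {
  (
    cd "$1" || exit 1
    find . -type f -perm -4000 -print               | sed 's|^|setuid |'
    find . -type f -perm -2000 -print               | sed 's|^|setgid |'
    find . -type f -perm -0002 -print               | sed 's|^|world-writable-file |'
    find . -type d -perm -0002 ! -perm -1000 -print | sed 's|^|world-writable-dir-no-sticky |'
  ) | sort
}

# Remediation for one class of finding: clear the other-write bit on files,
# in the same find + chmod style as the /var/www/html example. Directories
# and the special bits are left alone; those need a human decision.
strip_world_writable_files() {
  find "$1" -type f -perm -0002 -exec chmod o-w {} +
}
```

Usage: `root=$(make_sample_tree); audit_tree "$root"` prints the setuid tool and the world-writable notes file (the sticky 1777 directory is deliberately not reported); after `strip_world_writable_files "$root"` only the setuid line remains. Note that `-exec ... {} +` batches many paths into one chmod call, where the page's `-exec ... \;` runs one chmod per file.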

Notes on permissions in directories

  • read: list files in the directory
  • write: add files to or remove files from the directory
  • execute: access the entries inside the directory, e.g. view information about files in it or cd into it (with r but no x you can list names, but not stat or open the files)
  • typical directory permissions for group and other are r-x: list the directory’s contents, act on files in the directory, but not write to the directory.
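To see the directory rules above in action, here is an added example (my own, not from the original notes) that builds a temporary directory containing one 644 file, sets the directory to a given mode, and reports which of the three operations (list names, cd in, open a file by name) succeed. Root bypasses these permission checks entirely, so run it as a normal user.

```shell
#!/bin/sh
# Probe what a directory mode lets an ordinary user do, using a constructed
# temp directory holding one readable file. Prints
#   list=yes|no enter=yes|no read=yes|no
# for: listing names (needs r), cd into it (needs x), and opening a file
# inside it by name (needs x on the directory plus r on the file).
dir_perm_probe() {
  mode=$1
  d=$(mktemp -d) || return 1
  printf 'hello\n' > "$d/file.txt"
  chmod 644 "$d/file.txt"
  chmod "$mode" "$d"

  if ls "$d" >/dev/null 2>&1;           then list=yes;  else list=no;  fi
  if (cd "$d") >/dev/null 2>&1;         then enter=yes; else enter=no; fi
  if cat "$d/file.txt" >/dev/null 2>&1; then read=yes;  else read=no;  fi

  chmod 700 "$d"   # restore so the temp directory can be removed
  rm -rf "$d"
  printf 'list=%s enter=%s read=%s\n' "$list" "$enter" "$read"
}

# Run the probe for a few modes and print a small table: 700 and 500 allow
# everything, 400 (r only) lists names but cannot enter or open, 100 (x only)
# cannot list but can enter and open a file whose name you already know.
dir_perm_table() {
  for m in 700 500 400 100 000; do
    printf '%s  %s\n' "$m" "$(dir_perm_probe "$m")"
  done
}
```

Usage: `dir_perm_table`. The 100 row is the one worth remembering: x without r is why a web server's document root can be traversable without being listable, and r without x (the 400 row) is why a backup user can see file names yet read nothing.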

Tips from today

  • ll is alias for ls -l
  • You can use \( \) (escaped parentheses) to group logical operations in the find command
  • Use tr -s ' ' to remove extra spaces in stdout
  • Comma separated list of fields in cut command works if you only want specific fields
