Managing access permissions with chmod, chgrp, chown, and umask

Lead Image © erwin Wirapratama,

Access Granted!

The shell comes with some simple commands for managing access to files and directories.

Granular access privileges for files and directories make Linux a safe operating system. A precise definition of who is permitted to read, modify, or execute data provides excellent protection against prying eyes and intentional misconfiguration. The root user is subject to no restrictions, and this includes assigning read, write, and execute permissions to other users throughout the system.

If you are the owner of a file or directory, you can grant access to these resources to other accounts. If you are also a member of a specific group, you can modify the group ownership of files and folders for more granular permission assignments to files.

Rights and Obligations

For every file (and thus for directories, device files, etc.), Linux defines who may read, write, and execute that file. Also, every file belongs to an owner and to a group. The following three permissions are assigned separately for owners, groups, and other users:

  • Read permission (r flag): Users can display the contents of a file or folder on screen, copy the file, and do a few other things. Directories should additionally have the x flag (see below) to allow users to change to that folder; otherwise, only a list of files can be displayed.
  • Write permission (w flag): Users can change files and directories and store their changes. Write permission also includes the ability to delete.
  • Execute permission (x flag): For programs, this means that the user is permitted to run the program. Execute permission for a directory means that the user is permitted to change to the directory (the user additionally needs read permission to be able to view the folder content).

To discover the permissions for a file at the command line, you can simply set the -l flag with the ls command (Figure 1).

Figure 1: Listing permissions at the command line.

Permissions are indicated by the letters r (for "read"), w (for "write"), and x (for "execute"). In the ls output, note the three sets of r, w, and x (or -) at the beginning of the file name entry.

The first block shows the permissions for the owner, the second block refers to the group, and the third block refers to all users. Folders are indicated by a d (for "directory") at the start of the list, regular files by a single dash (-), symlinks by an l (for "link"), block devices like /dev/sda1 by a b, and character devices (e.g., /dev/tty1) by a c.

Your file manager (e.g., Dolphin, Nautilus) also can show file permissions if you reset the default view (Figure 2) from the View menu.

Figure 2: Changing file manager view options.

Special Permissions

Linux has two special permissions: the s bit (also known as the setuid/setgid bit) and the t bit (also known as the sticky bit). Both replace the x in the rwx block of three. The s is commonly seen with executable files, whereas the t bit is more common with directories.

The setuid/setgid bit (set user ID and set group ID) executes a program with the permissions of the user or group, no matter who runs the program. In this way, nonprivileged users can access resources they would not normally be able to access. Although this is a potential security risk, the s bit has its uses. Many programs, including su, sudo, mount, or passwd rely on the s bit (Listing 1).

Listing 1

Programs that use the setuid/setgid bit

01 -rwsr-xr-x 1 root root 31124  Jul 31 15:55 /bin/su
02 -rwsr-xr-x 1 root root 123448 Jun 22 18:14 /usr/bin/sudo
03 -rwsr-xr-x 1 root root 72188  Oct 22 23:54 /bin/mount
04 -rwsr-xr-x 1 root root 41292  Jul 31 15:55 /usr/bin/passwd

Permissions and Priorities

Permissions for the user, group, and all others have different priorities. If you are the owner of a file, permissions for the owner apply (the first block of the three letters). If you're not the owner, but belong to the group, the second block applies. If you're neither the owner nor a group member, the third set of permissions apply.

The passwd program, for example, modifies passwords, accessing the /etc/shadow file in the process of entering the new password.

By default, the file is protected against write access by nonprivileged users and reserved for use by the administrator to prevent just anybody from being able to manipulate the passwords. The s bit executes the passwd program as the root user and enters the new password in /etc/shadow "on behalf" of root.

The other special permission, the t bit, commonly occurs in shared directories (read, write, and execute permissions for all) in place of the execute flag to ensure that users are only allowed to modify – and therefore delete – their own data. The sticky bit is typically set for /tmp (Figure 1). This stores temporary files for multiple users.

If everybody had the right to read, write, and execute these files, in theory, everybody would be able to clean up the system and delete arbitrary data. The t bit ensures that users can delete only their own files (or those files for which they have write permission). The exception to this rule is that the owner of the folder with the sticky bit is allowed to delete within that folder.

Buy this article as PDF

Express-Checkout as PDF

Pages: 4

Price $2.95
(incl. VAT)

Buy Raspberry Pi Geek

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content