Linux File Permissions

Abhishek Chandra
May 18, 2020

Introduction:

Linux is an open-source Unix-like operating system, which was initially released by Linus Torvalds in 1991. Though it may not be as user-friendly as some other popular operating systems, Linux is robust and it rarely crashes. Any computing device broadly consists of two main functional blocks, the compute block (this is where the processing happens) and the memory block (this is where the data is stored). The data is stored on the computer in the form of an object called a ‘File’. The data could be information, configuration, settings, or commands. Without any controls, these files could be read or tampered with by anybody, causing serious security issues. This created a need for authorization on each file. File permissions dictate the authorization (who is allowed to do what) of a particular file.

The List (ls) Command:

Before venturing further into file permissions, let’s take a look at what files we have on the computer. If you have access to a Linux-based machine, open the terminal (bash) and try the commands as you read along. Please take note that the pictures that follow show the results which I got on my system, and the names of the files or directories do not carry any deeper meaning in the current context. To list the contents of the directory you’re currently in (the present working directory), type the following command:

ls
Fig.1: Output of ‘ls’ command on my system

In Fig.1, the contents highlighted in blue are directories and the rest are files. The ‘ls’ command provides several options (or flags), one of which is the long format (-l) flag. Now type the following command into your terminal:

ls -lh
Fig.2: Output of ‘ls -lh’ command on my system

Fig.2 depicts the output of the aforementioned command on my system. For ease of understanding, the output has been divided into seven sections. The first section from the left is the permissions section. But before discussing it in detail, let’s get the other six sections out of the way first.

The second section shows the link count: the number of hard links to that file, which for a directory also reflects the directories inside it.

The third section displays the user who owns the file or the directory.

The fourth section contains the group to which that file or directory belongs. As there are no groups created on my machine, it shows the user itself in the fourth section.

The fifth section shows the size of the file or the directory. By default the size is in bytes; the -h flag used along with the -l flag in the command shows it in a human-readable format.

The sixth section indicates the date and time (timestamp) when the file was last modified.

The seventh section shows the name of the file or the directory. Again, the names of the directories are highlighted in blue color.

For more information on the ‘ls’ command, try the following:

ls --help

Or

man ls

The [What X Who] Matrix:

The different file permissions can be laid out across two dimensions, which could be called the [What X Who] matrix, meaning who can do what with a file or a directory. The three operations which Linux allows users to perform on a file are ‘Read’, ‘Write’, and ‘Execute’. These three operations constitute the ‘What’ part of the matrix.

· Read: This indicates that the file can be read.

· Write: This indicates that the file can be written onto or overwritten.

· Execute: This indicates that the file is an executable.

The people allowed to do the above-mentioned operations constitute the ‘Who’ part of the matrix. In Linux, the ‘Who’ is segregated as ‘User’, ‘Group’, and ‘Others’.

· User: This indicates the permissions of the user mentioned in the third section of Fig.2.

· Group: This indicates the permissions of the group mentioned in the fourth section of Fig.2.

· Others: This indicates what permissions everybody else has.

Now, let’s try this using an example. From Fig.2, let’s consider the permissions section of the file called ‘first’. The permissions given to this file (located in the first section) are ‘-rw-r--r--’. Every permission in the first section of Fig.2 consists of 10 placeholders. The first placeholder shows whether the particular content is a file, a directory or a link. Since the file ‘first’ is not a directory, it is denoted by a hyphen (‘-’). For a directory such as ‘guest’, the first placeholder shows the letter ‘d’, indicating that the content is a directory. Similarly, for a link, the first placeholder is the letter ‘l’.

The second, third and fourth placeholders indicate the permissions that the user has. In our example, the user ‘abhichandra1998’ has ‘rw-’ permissions, indicating that the user has read and write permissions but not the execute permission.

The fifth, sixth and seventh placeholders indicate the permissions that the group has. In our example, the group ‘abhichandra1998’ has ‘r--’ permissions, indicating that the group has only read permission and no write or execute permissions.

The eighth, ninth and tenth placeholders indicate the permissions that everybody else has. In our example, others have ‘r--’ permissions, indicating that they also have only read permission.

The permissions field ‘rw-r--r--’ can be summarized as:

· r : User can Read the file

· w : User can Write to the file

· - : User cannot Execute the file

· r : Group can Read the file

· - : Group cannot Write to the file

· - : Group cannot Execute the file

· r : Others can Read the file

· - : Others cannot Write to the file

· - : Others cannot Execute the file

These permissions for our file ‘first’ can be plotted across the [What X Who] matrix as shown:

Table 1: [What X Who] matrix for the file ‘first’

Similarly, consider the directory ‘rasa_files’, whose permission set is ‘drwxr-xr-x’. The first placeholder ‘d’ indicates that this is a directory. The remaining nine values can be plotted across our matrix as:

Table 2: [What X Who] matrix for the directory ‘rasa_files’

Matrix Scoring:

Now I know what you’re thinking: all this permissions business is good and all, but doesn’t a 9-character string make it difficult to represent and, quite frankly, messy? Of course it does. That’s why in Linux this 9-character string can be represented by a 4-digit octal (base-8) score, in which every digit represents certain permissions. Consider the 4-digit octal number ‘0755’: starting from the left-most digit, the four digits represent the ‘sticky bit’, ‘user permissions’, ‘group permissions’ and ‘others’ permissions’.

Table 3: Meaning of the 4 octal digits

Mostly only three digits are used. The sticky bit is set if others have ‘execute’ permission, indicating that files and directories within that directory can only be deleted or renamed by the owner. Each permission (read, write and execute) has a score associated with it. These scores are set as follows:

Table 4: Permissions Scores

These values are added up to represent unique permissions. These scores never produce ambiguous sums, meaning that the sum of any two is always a unique number, which represents a unique set of permissions. If a user has ‘r--’ permission, then it’s given a score of only 4 (4+0+0). If they have ‘rwx’ permissions, then they’re given a score of 7 (4+2+1). That’s how the user, group and others are given a score based on their permissions. Let’s consider our first example, the file ‘first’, and try to score it.

Table 5: Permission Scores for the file ‘first’

The entire 9-character permissions string ‘rw-r--r--’ can be represented with the score ‘644’. Now let’s try to score our second example, the directory ‘rasa_files’.

Table 6: Permission Scores for the directory ‘rasa_files’

The permissions score for the directory ‘rasa_files’ is 755.
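The scoring described above can be written as a small shell function. This is an added example, not code from the original article; the function names `triad_score` and `perm_to_octal` are made up for illustration, and fields carrying special-bit letters (s, t) are rejected instead of scored.

```shell
#!/bin/sh
# Added example, not from the original article.
# Scores: r=4, w=2, x=1 (the values the article adds up).

# triad_score "rw-" -> prints the score of one three-character triad.
triad_score() {
    score=0
    case "$1" in r??) score=$((score + 4)) ;; esac
    case "$1" in ?w?) score=$((score + 2)) ;; esac
    case "$1" in ??x) score=$((score + 1)) ;; esac
    printf '%s' "$score"
}

# perm_to_octal "-rw-r--r--" -> prints "644".
# Takes the full 10-character field: type character plus nine permissions.
# Special-bit letters (s, S, t, T) are rejected rather than guessed at.
perm_to_octal() {
    perms=${1#?}                       # drop the type character (-, d, l)
    case "$perms" in
        [r-][w-][x-][r-][w-][x-][r-][w-][x-]) ;;
        *) echo "not a plain rwx permission field: $1" >&2; return 1 ;;
    esac
    user=$(printf '%s' "$perms" | cut -c1-3)
    group=$(printf '%s' "$perms" | cut -c4-6)
    others=$(printf '%s' "$perms" | cut -c7-9)
    printf '%s%s%s\n' "$(triad_score "$user")" \
        "$(triad_score "$group")" "$(triad_score "$others")"
}

# The two entries discussed in the article.
perm_to_octal '-rw-r--r--'    # file 'first'
perm_to_octal 'drwxr-xr-x'    # directory 'rasa_files'
```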

Changing the Permissions:

Now, what if we want to change these permissions? What if we want to make a file executable, or reassign the permissions? This is where the ‘chmod’ (change mode) command comes into the picture. Let’s try to change the permission of our ‘first’ file, and give the user only executable permission. Try the following command:

chmod u=x <file_name>

You can replace <file_name> with a file on your system. I’ve performed this operation on the file ‘first’. Now list the contents again in a long format:

ls -l
Fig.3: Newly set permissions of the file ‘first’

As shown in Fig.3, the user permission is changed to ‘--x’. Now, to make the change of permissions simpler, we can also use the scores that should be allotted to each file. To change the permission of the ‘rasa_info’ file to give all permissions to everybody, the score needed is 777. The first 7 indicates the user permissions (4+2+1), the second 7 indicates the group permissions (4+2+1) and the third 7 indicates the others’ permissions (4+2+1). So try the following command:

chmod 777 <file_name>

You can replace <file_name> with a file on your system. I’ve performed this operation on the file ‘rasa_info’. Now, list the contents in the long format again (‘ls -l’).

Fig.4: Newly set permissions of the file ‘rasa_info’

In the above Fig.4, we can see that the permissions for the ‘rasa_info’ file have been changed to ‘rwxrwxrwx’. You can try changing the file permissions to different values and try various flags for the ‘chmod’ command. For instance, using the ‘-R’ flag applies the permission settings to all the files and directories present inside the directory as well.
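The two ‘chmod’ forms used above behave differently: `u=x` replaces only the user triad, while a score such as 777 replaces all three. The script below is an added example, not from the original article. It replays both commands on scratch files in a temporary directory, reads back the resulting scores, and then lists files that others can write to, which is how a file left at 777 is found afterwards. The function names are made up for illustration, and the starting mode of 644 is an assumption taken from the article's ‘first’ example.

```shell
#!/bin/sh
# Added example, not from the original article.

# mode_of FILE -> prints the octal score (GNU stat, with a BSD fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# world_writable DIR -> prints regular files under DIR on which 'others'
# hold the write permission (score 2 in the last digit), sorted.
world_writable() {
    find "$1" -type f -perm -0002 | sort
}

# demo -> prints "<score after u=x> <score after 777> <flagged file name>".
demo() {
    dir=$(mktemp -d) || return 1
    : > "$dir/first"
    : > "$dir/rasa_info"
    chmod 644 "$dir/first" "$dir/rasa_info"    # assumed starting point

    chmod u=x "$dir/first"         # user triad replaced; group/others kept
    after_symbolic=$(mode_of "$dir/first")

    chmod 777 "$dir/rasa_info"     # all three triads replaced
    after_numeric=$(mode_of "$dir/rasa_info")

    flagged=$(world_writable "$dir")
    flagged=${flagged#"$dir"/}     # keep only the file name
    rm -rf "$dir"
    printf '%s %s %s\n' "$after_symbolic" "$after_numeric" "$flagged"
}

demo
```

Running `world_writable` against a real directory tree after a recursive ‘chmod -R’ shows which files ended up writable by everybody.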

For more information on ‘chmod’ command, try the following:

chmod --help

Or

man chmod

Abhishek Chandra

Software Architect at Microland | Philomath | Always Ready to Tackle New Problems