Linux Permissions 101 — Part I

In this article we will be looking at the basic file and directory permissions in Linux. To begin with, Permission Parameters, Modifications and Default Permissions are discussed here.

Harsha Nanayakkara
Sep 12, 2022

There is no doubt that permissions in Linux play a vital role in system administration from a security standpoint. As a multi-user operating system with a large number of users working concurrently, it is essential to have suitable permissions on files and directories to control access rights without risking system security.

Update: Please read Part 2: Linux Permissions 101 — Part II

How to View Permission Settings on Files and Directories

We can use ll or ls -l to view the details and permissions set on a file or a directory. The output below is for a directory called dir1.

Understanding ls -l (or ll) output

Note: The file type character changes according to the type of the file. For example, it is - for a regular file and l (lowercase el) for a symbolic link. The next nine characters show the permissions. The first 3 characters apply to the user (owner — usually the one who created the file), the next 3 characters to the group, and the last 3 characters to all others (public), that is, everyone except the user and the group. The . after the permissions denotes that SELinux is enabled. If it is a + instead of a . it means that an Access Control List (ACL) is available.

Now we know users are categorized into three (03) classes, namely user (u), group (g) and others (o). Let’s see what the permission types are.

Understanding Permission Types (read, write and execute)

Following table summarizes the permission types and their allowed actions on files and directories.

Permission Types

Ways to Modify Permissions: 02 Approaches

Permissions can be changed using the chmod command. There are 02 ways to adjust permissions on files and directories.

  1. Using Symbolic Notation: uses a combination of letters (r, w, x) and mathematical signs to add (+), remove (-) or assign (=) permissions to users, groups and others.
  2. Using Octal Notation: uses a 3-digit number, with each digit ranging from 0 to 7, to apply permissions for the user classes.

How to Modify Permissions: Using Symbolic Notation

For this demo, we have testfile with only read permission for user, group and others, as shown below; - means that the write and execute permissions are not set. Permissions are added, removed and assigned on this file.

-r--r--r--. 1 ec2-user ec2-user 0 Sep 12 07:22 testfile
  • Add Write (w) Permission for User (Owner), Group and Others. -v flag shows how the permissions have changed.
$ chmod ugo+w testfile -v
mode of 'testfile' changed from 0444 (r--r--r--) to 0666 (rw-rw-rw-)
  • Add Execute (x) Permission for User
$ chmod u+x testfile -v
mode of 'testfile' changed from 0666 (rw-rw-rw-) to 0766 (rwxrw-rw-)
  • Remove Write (w) Permission from Others
$ chmod o-w testfile -v
mode of 'testfile' changed from 0766 (rwxrw-rw-) to 0764 (rwxrw-r--)
  • Assign Read (r), Write (w) and Execute (x) Permissions for all user categories. This is equivalent to chmod ugo+rwx .
$ chmod a=rwx testfile -v
mode of 'testfile' changed from 0764 (rwxrw-r--) to 0777 (rwxrwxrwx)

In the above examples we could see digits along with the symbolic notations. Next, we will have a look at how to modify permissions using digits.

How to Modify Permissions: Using Octal Notation

First of all we should understand how this 3 digit numbering system works. For that, take a look at the following table.

Permissions: Octal Notation

In the binary notation, 1 means the corresponding permission (r, w or x) is set, whereas 0 means the permission is not set. In terms of octal values, it can be further summarized as below.

Let’s change permissions using octal notation to further understand the process. As in the earlier scenario, we have testfile with only read permission for user, group and others, as shown below. Permissions are added, removed and assigned on this file.

-r--r--r--. 1 ec2-user ec2-user 0 Sep 12 07:22 testfile
  • Add Write (w) Permission for User (Owner), Group and Others. -v flag used to show what has changed.
$ chmod 666 testfile -v
mode of 'testfile' changed from 0444 (r--r--r--) to 0666 (rw-rw-rw-)

If you have followed along attentively until now, you might have a question.

Question: Write (w) is equal to 2. So why is it not chmod 222 testfile to set write permissions for user, group and others?

Explanation: Here we need to preserve our existing permissions (read) and add write permissions as well. In the end, users should have both read and write permissions on the file. Therefore, we have to add the relevant digits for both read and write. Also, there are no +, - or = signs used to change permissions in octal notation.

read (r) = 4
write (w) = 2
Hence, to add write permissions while keeping the existing read permissions we need to add 6 (4 + 2 = 6).

chmod 222 testfile will remove the existing permissions and only set write permissions.

$ chmod 222 testfile -v
mode of 'testfile' changed from 0444 (r--r--r--) to 0222 (-w--w--w-)

Okay, now we know what was happening there. Let’s move on.

  • Add Execute (x) Permission for User
$ chmod 766 testfile -v
mode of 'testfile' changed from 0666 (rw-rw-rw-) to 0766 (rwxrw-rw-)
  • Remove Write (w) Permission from Others
$ chmod 764 testfile -v
mode of 'testfile' changed from 0766 (rwxrw-rw-) to 0764 (rwxrw-r--)
  • Assign Read (r), Write (w) and Execute (x) Permissions for all user categories.
$ chmod 777 testfile -v
mode of 'testfile' changed from 0764 (rwxrw-r--) to 0777 (rwxrwxrwx)
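
The octal digits above can be decoded back into the rwx string, and modes such as 666 or 777 can be checked for write access by others. The following is an added example, not part of the original article; the function names and the scratch directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: decode octal modes and find files writable by "others".
# Function names and the scratch files are illustrative assumptions.

# Convert a 3-digit octal mode (e.g. 764) to symbolic form (rwxrw-r--).
mode_to_symbolic() {
    mode=$(( 0$1 ))        # the leading 0 makes the shell read it as octal
    out=""
    for s in 6 3 0; do     # bit offsets for user, group, others
        bits=$(( (mode >> s) & 7 ))
        if [ $(( bits & 4 )) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $(( bits & 2 )) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $(( bits & 1 )) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    done
    printf '%s\n' "$out"
}

# List regular files under a directory that have the others-write bit set.
world_writable() {
    find "$1" -type f -perm -0002 | sort
}

# Build three constructed sample files and report which one others can write.
demo() {
    dir=$(mktemp -d) || return 1
    touch "$dir/a" "$dir/b" "$dir/c"
    chmod 444 "$dir/a"     # r--r--r--
    chmod 764 "$dir/b"     # rwxrw-r--
    chmod 666 "$dir/c"     # rw-rw-rw-  (others can write)
    world_writable "$dir" | sed "s|^$dir/||"
    rm -rf "$dir"
}

mode_to_symbolic 764
demo
```
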

Default Permissions

By default, Linux assigns permissions to a file or directory at the time of creation. For example, when we create a directory or a file, the default permissions are set as below.

drwxrwxr-x. 2 ec2-user ec2-user 6 Sep 12 10:54 directory
-rw-rw-r--. 1 ec2-user ec2-user 0 Sep 12 10:52 file
Linux Default Permissions

How Does Linux Define What Permissions Should Be Set by Default?

Default permissions are calculated based on the umask value.

What is umask?

It is a 3 digit value responsible for setting permissions automatically on newly created files and directories. In fact, it assigns read, write and execute permissions for owner, group and others. Usually, the default umask value is set to 0022 for root and 0002 for all regular users. The leftmost zero (0) represents special permissions, which are not affected by umask; hence, it is always defined as 0 to indicate no changes. The umask command shows the default umask value, and -S shows the same value in symbolic notation.

$ umask
0002
$ umask -S
u=rwx,g=rwx,o=rx

In addition to the umask, Linux has predefined initial permissions for files and directories, which are 666 (rw-rw-rw-) and 777 (rwxrwxrwx) respectively. Even if the umask value is set to 000, these predefined values will be applied. These are fixed and cannot be changed. In contrast, default umask values can be modified.

How Are Default Permissions Calculated?

The default permissions are calculated by subtracting the umask value from the predefined initial permissions. Let’s see how it actually works on files and directories for regular users.

How Default Permissions Calculated

Accordingly, newly created files will have rw-rw-r-- whereas directories will have rwxrwxr-x .

How to Change the umask Value?

Firstly, we should identify the desired default permissions. For example, let’s assume that we want to set the default permissions on files and directories to 640 and 750 respectively. The umask value should be 027. 7 means all permissions are removed from others.

It can be changed temporarily (the change will be removed after a machine restart) or permanently. For this demo, we will change the umask temporarily as below just to understand how it works.

$ umask 027
  • For Files: 666 - 027 = 640
  • For Directories: 777 - 027 = 750
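
The umask is applied as a bit mask: every bit set in the umask is cleared from the initial permissions (initial AND NOT umask), which gives the same result as the digit-by-digit subtraction above whenever no digit would go negative. The following is an added example, not part of the original article, that computes the expected mode and compares it with files actually created under that umask, including 033, where plain subtraction would give a wrong answer. The function names are assumptions, and stat -c is the GNU coreutils form.

```shell
#!/bin/sh
# Added example: how the umask is applied to newly created files and
# directories. Function names are illustrative assumptions.

# Expected mode = base AND NOT umask (bits set in the umask are cleared).
# usage: masked_mode BASE UMASK   (both octal, e.g. masked_mode 666 027)
masked_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# Create a real file and directory under the given umask and print their
# modes as "FILEMODE DIRMODE". Runs in a subshell so the caller's umask
# is left unchanged.
created_modes() {
    (
        dir=$(mktemp -d) || exit 1
        umask "$1"
        : > "$dir/file"            # files are requested with 666
        mkdir "$dir/directory"     # directories are requested with 777
        echo "$(stat -c '%a' "$dir/file") $(stat -c '%a' "$dir/directory")"
        rm -rf "$dir"
    )
}

# umask 027 from the article: both methods agree.
masked_mode 666 027
masked_mode 777 027
created_modes 027

# umask 033: a file cannot lose an execute bit it never had, so the
# result is 644, not the 633 that digit subtraction would suggest.
masked_mode 666 033
created_modes 033
```
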

Conclusion

We have discussed Linux permissions and, as a beginning, how the permission model works with the chmod and umask commands. In Part 2, we will see how to work with file / directory ownership modifications and Special Permissions.

I sincerely hope this article will be helpful to understand Linux permissions. I highly value your feedback and support!

Thank you for reading and stay safe!
