[HowTo] File permissions and ownership

[Hallvor]

Introduction

Linux was created as a multi-user system from day one. Different permissions and ownership was therefore a necessity to make the system secure. Understanding permissions and ownership is essential in order to maintain security and controlling access. For a beginner, however, understanding Linux permissions can be a challenge.

In this how-to, I will explain file permissions and ownership. I will illustrate these with practical examples and present a few best practices for management.


1. Basics of file permissions and ownership

1.1. File Permissions Overview

There are tree types of permissions (read, write, and execute), and also three permission levels (user, group, others)

Read (r) gives permission to view the content of a file, or the names of files in a directory
Write (w) gives permission to modify a file, creating nrew files or deleting files in a directory
Execute (x) gives permission to run executable files, for instance Bash scripts


User (u) refers to the owner of a file or directory
Group (g) refers to the group in which the user belongs. Multiple users can be members of the same group in Linux, so they can have collective permissions
Others (o) refer to all users who are not owners or members of the group associated with the file or directory.

When we combine different permission types and levels, we can decide who can do what. It is for instance not very secure if if all users can alter system files. Not everyone needs that permission. However, all users will need some. If they for instance don't have write access in a production system, the system is unusable.

There are two notations of permissions in Linux, namely sumbolic and numeric. Here's an explanation of both the symbolic notation (e.g., rwxr-xr-x) and the numeric notation (e.g., 755) used for representing and setting permissions.

Here we can see the numeric notation to the left, the symbolic notation in the middle, and the meaning on the right hand side.

0 = --- = no access

1 = --x = permission to execute code

2 = -w- = permission to write

3 = -wx = permission to write and execute code

4 = r- = permission to read

5 = r-x = permission to read and execute code

6 = rw- = permission to read and write

7 = rwx = permission to read, write and execute code



1.2 Symbolic notations of permissions


To view the permissions of the files within a directory, this command can be used:

Code: Select all

$ ls -la

To view the permission of a single file, you can use this command:

Code: Select all

$ ls -l filename

For instance like this:

Code: Select all

hallvor@debian:~$ ls -l .transcoder.sh
-rwxr-xr-x 1 hallvor hallvor 1201 mars  25 17:00 .transcoder.sh

Let's see what this means, from left to right:

"-" shows that it is a regular file. If it was a directory, there would be a d as first character
"rwx" shows the permissions for the owner of the file. The owner can read (r), write (w) and execute (x) the script. In short, the owner can read and edit the script, delete the script, or run the code.
"r-x" shows the permissions for the group. The group can read (r) and execute (x) the script. The "-" means that permissions are lacking, so they do not have permission to write to it.
"r-x" shows the permissions for the other users not owning the file and not part of the group. They can also read and execute the script, but lack permissions to do anything else.



1.3 Numeric notations of permissions

The values above can also be set numerically.

Each permission has the following value:

read (r) = 4
write (w) = 2
execute (x) = 1

Let's see an example: 740

User: read (4) + write (2) + execute (1) = 7
Group: read (4) = 4
Others: no permissions = 0

The first number (7) represents the owner's permissions. This number can only be achieved by summarizing 4 (read) + 2 (write) + 1 (execute). So 7 means that the owner can read, write and execute. In short: The owner has all permissions.

The second number (4) represents the group's permissions. As we can see, the only possibility to get 4 is the read digit. So members of the group have read only access.

The third number (0) represents other users not owning the file and not part of a group. 0 means that others do not have any permissions. They can't read, write or execute the file.

740 is therefore the same as -rwxr-----

We can use the chmod command to set permissions. If this was a multi-user system where I wanted to restrict access to the script for other users, I could issue chmod 700 to tighten permissions:

Code: Select all

hallvor@debian:~$ ls -l .transcoder.sh
-rwxr-xr-x 1 hallvor hallvor 1201 mars  25 17:00 .transcoder.sh
hallvor@debian:~$ chmod 700 .transcoder.sh
hallvor@debian:~$ ls -l .transcoder.sh
-rwx------ 1 hallvor hallvor 1201 mars  25 17:00 .transcoder.sh

As you can see, I set the perissions to 700 with chmod. This means that I (the owner) have permissions to read, write and execute the file, while other users have no permissions to read, write to or execute the script at all.


2. Understanding ownership

Ownership can de divided into two parts, namely user ownership and group ownership.


2.1 User ownership

When a user creates files or directories, they become owners of these files or directories. As owner, this user can set the permissions for the owner itself and for other users with access to the file or directory. User ownership is very important for reasons of security (protecting data from unauthorized access or sabotage), accountability (modifications to a file can be traced to a specific user) and determining the current owner of a file or directory.

Let's take a look at a single file with stat:

Code: Select all

hallvor@debian:~$ stat .transcoder.sh
  Fil: .transcoder.sh
  Størrelse: 1201      [tab]Blokker: 8          IO Blokk: 4096   regular file
Device: 254,1   Inode: 28346084    Links: 1
Access: (0700/-rwx------)  Uid: ( 1000/ hallvor)   Gid: ( 1000/ hallvor)
Access: 2023-03-25 17:00:59.893258143 +0100
Modify: 2023-03-25 17:00:59.893258143 +0100
Change: 2023-07-12 12:55:13.741566146 +0200
Birth: 2023-03-25 17:00:59.893258143 +0100
hallvor@debian:~$ 

As we can see above, only the owner has read, write and execution privileges. This is written both in numeric (0700) and symbolic form (-rwx------). There are no privileges for other users. We can also see that there is information about the user ID and group ID of a user or process. Each user has an unique numeric identifier (UID) in Linux systems. In this case, the user's UID is 1000. The GID is a unique numeric identifier assigned to each group. As we can see here, the group's name is also hallvor, and the Group ID (GID) is 1000.


2.2 Group ownership

In addition to user ownership, group ownership is another way to organize file and directory access. Group ownership allows many users to belong to a group where they have shared access to files and directories and their own group permissions. Group permissions allows the owner to share files and directories to all users of the group without giving access to each user individually. This greatly simplifies access management.

We can check group ownership with the following command:

Code: Select all

$ ls -l document.odt
-rw-r--r--  1 hallvor  users  1024 Jul  13 10:30 document.odt

As we can see, "hallvor" is the owner with read (r) and write (w) permissions. Since this is a document, it doesn't need execution (x) privileges. The group "users" have read (r) access, but can't edit or delete the file.

(The stat command, as shown above, can also be used to view user/group ownership.)

Let's say that we want to create a new group in a multi-user environment. We can achieve it with this command, followed by the name of your choosing, for instance:

Code: Select all

 # addgroup myowngroup

In order to add a user to this group, enter usermod followed by the group's name and the user you want to add, for instance:

Code: Select all

# usermod -aG myowngroup hallvor

3. Setting file permissions and ownership

There are two main commands to set file permissions and ownership, namely the chmod and chown commands. We will take a closer look at both of them below. Please keep in mind that you need sufficient permissions to change ownership.


3.1 chmod (change mode)

The chmod command is used to modify file permissions. With this command, we can add or remove specific permissions (read, write, execute) for each of the three levels mentioned above (user, group, others)

chnmod can be used with the following syntax:

chmod [options] permissions fileordirectoryename

Options can be used with the chmod command. We can for instance use the -R option to apply our permissions recursively. (Please be careful when using this command, because recursive changes can have far-reaching consequences.)
Permissions can be specified in both numeric and symbolic form.
Fileordirectoryname refers to the file or directory you want to modify the permissions of.

Type this in your command line interface to read more about the syntax:

Code: Select all

$ man chmod

Here are a few examples:

Add write permissions for the group to a file:

Code: Select all

chmod g+w document.odt

Remove execute permission for others:

Code: Select all

chmod o-x script.sh

Grant read, write, and execute permissions for the user, read and execute permissions for the group, and read-only permissions for others:

Code: Select all

chmod u+rwx,g+rx,o+r script.sh

This command will do the same, but with much simpler numeric values:

Code: Select all

chmod 754 script.sh

Set permissions of a directory and its contents to read, write, and execute for the owner and read and execute for others:

Code: Select all

chmod -R u+rwx,go+rx /path/to/my/directory/

The same command with numeric values:

Code: Select all

chmod -R 755 /path/to/my/directory/

Remove write permissions for group and others from a file:

Code: Select all

chmod go-w script.sh

3.2 chown (change owner)

While chmod is made to change permissions, chown is made to change ownership of files and directories. As mentioned above, each file has an owner and a group in which it belongs. The chown command allows us to transfer ownership to a different user or group.

Here are a few examples:


Change the owner to hallvor

Code: Select all

chown hallvor document.odt

Change the owner to hallvor and the group to mygroup

Code: Select all

chown hallvor:mygroup document.odt

Change the owner of a directory and its content recursively to hallvor

Code: Select all

chown -R hallvor /path/to/my/directory/

Change the owner to "hallvor" and group to "mygroup" of a directory

Code: Select all

chown hallvor:mygroup /path/to/my/directory/

Change the group ownership of a file to mygroup. The owner is not changed.

Code: Select all

chown :mygroup file.txt

Type this in your command line interface to read more about the syntax:

Code: Select all

$ man chown

3.3 Creating different groups with different privileges

Let's create two groups. For the sake of simplicity, let's call them group1 and group2.

Code: Select all

addgroup group1
addgroup group2

We can now add two work directories for these groups

Code: Select all

mkdir /path/to/directory1
mkdir /path/to/directory2

We will assign group1 to directory1 and group2 to directory2

Code: Select all

chown :group1 directory1
chown :group2 directory2

We want group1 to have both read and write access to directory1, while group2 should not have access.

Give read and write permissions to the group (g):

Code: Select all

chmod g+rw directory1

Deny access to others (o), for instance group 2:

Code: Select all

chmod o-rwx directory1 

Give read only access to group2 in directory2

Code: Select all

chmod g+r directory2

Deny access to others, for instance group1

Code: Select all

chmod o-rwx directory2

Finally we can start adding users. New users can be added with the adduser command, for instance:

Code: Select all

# adduser hallvor

To assign a user (hallvor) to a group, you can use the usermod command:

Code: Select all

# usermod -aG group1 hallvor

This user is added to group1 and will have read and write access in directory1, but will not have access to directory2.

The parameter -aG means that the users are added to a new group without removing them from other groups they belong to.


We can also create a new user (hallvor) and assign this user to group1 with a single command. However, this command will not do anything if the user already exists:

Code: Select all

# adduser hallvor group1

If you want to remove a user (hallvor) from group1, this can be achieved with deluser. For instance:

Code: Select all

# deluser -g group1 hallvor

4. The principle of least privilege (PoLP)

Granting minimum "need only access" privileges to users is an old principle that will contribute greatly to system security. The principle of least privilege means that users on a multi-user system will only get the minimum of necessary privileges to complete their tasks. In case of a bad actor for instance gaining control over this user account, the access is limited and the possibility to compromise the entire system is reduced.

In order to implement this, one should do the following:

1. Define user roles. Read: What do different groups of users *need* access to?
2. Assign the users to corresponding groups and make permissions accordingly. Make sure that there are no unnecessary privileges.
3. Keep permissions up-to-date. Some users may need extra permissions and should be assigned to a different group. Other users may no longer need the permissions they have, and should also be moved to a different group.

Please keep in mind that privileges is just one of many facets to secure GNU/Linux systems. Timely security updates, intrusion detection, running only the minimum of services, etc. are also part of the picture.


5. Summary

As we have seen, mastering file permission and ownership is essentual to control access and maintain security on a GNU/Linux system. There are three types of permissions, namely read (r), write (w) and execute (x). There are also three ownership levels, namely user, group and others. Combining permissions and ownership allows fine-grained access control. The chmod command modifies permissions, while chown can be utilized to change ownership. The principle of least privilege involves giving only the bare minimum of privileges to different users. In a multi-user environment, users should be placed in different groups according to their needs and be given just enough privileges to complete their tasks.



Further reading:
https://www.redhat.com/sysadmin/linux-f ... -explained
https://www.guru99.com/file-permissions.html
https://www.pluralsight.com/blog/it-ops ... ermissions
https://www.geeksforgeeks.org/permissions-in-linux/

Edits:
14.07.23: Changed groupadd to addgroup. Added command to create user and assign user to a group with a single command. Thanks to CynicalDebian. Also added information on how to remove a user from a group.

[lindi]

Good summary. One more thing to add: If the output of ls includes "+" after the permissions, there are additional access control lists (ACL) set for the file. ACLs give you more flexibility since you don't even need to create a group to grant multiple users access to a specific file. You can see these with getfacl:

Code: Select all

$ ls -ld /dev/bus/usb/001/002
crw-rw-r--+ 1 root root 189, 1 Jul 13 23:40 /dev/bus/usb/001/002
$ getfacl /dev/bus/usb/001/002
getfacl: Removing leading '/' from absolute path names
# file: dev/bus/usb/001/002
# owner: root
# group: root
user::rw-
user:lindi:rw-
group::rw-
mask::rw-
other::r--

These are used in the default Debian installation but still seem to confuse a lot of people when they try to debug permissions when for example accessing USB devices. For example, if you hit ctrl-alt-f1 to switch to another virtual console the above ACL entry is automatically removed. If you don't know that ACLs exist this will lead to a lot of confusion.

[CynicalDebian]

Very good guide... I struggled with permissions for a long time before I buckled down and learned them. I especially like your explanation of changing file bits with chmod, and how you cover both numbers and the human readable u=rx syntax.

My only gripes is...

Code: Select all

# groupadd myowngroup
# usermod -aG myowngroup hallvor

We have fancy frontends for a reason

Code: Select all

# addgroup myowngroup
# adduser hallvor myowngroup

:D