Linux was created as a multi-user system from day one. Different permissions and ownership was therefore a necessity to make the system secure. Understanding permissions and ownership is essential in order to maintain security and controlling access. For a beginner, however, understanding Linux permissions can be a challenge.
In this how-to, I will explain file permissions and ownership. I will illustrate these with practical examples and present a few best practices for management.
1. Basics of file permissions and ownership
1.1. File Permissions Overview
There are tree types of permissions (read, write, and execute), and also three permission levels (user, group, others)
Read (r) gives permission to view the content of a file, or the names of files in a directory
Write (w) gives permission to modify a file, creating nrew files or deleting files in a directory
Execute (x) gives permission to run executable files, for instance Bash scripts
User (u) refers to the owner of a file or directory
Group (g) refers to the group in which the user belongs. Multiple users can be members of the same group in Linux, so they can have collective permissions
Others (o) refer to all users who are not owners or members of the group associated with the file or directory.
When we combine different permission types and levels, we can decide who can do what. It is for instance not very secure if if all users can alter system files. Not everyone needs that permission. However, all users will need some. If they for instance don't have write access in a production system, the system is unusable.
There are two notations of permissions in Linux, namely sumbolic and numeric. Here's an explanation of both the symbolic notation (e.g., rwxr-xr-x) and the numeric notation (e.g., 755) used for representing and setting permissions.
Here we can see the numeric notation to the left, the symbolic notation in the middle, and the meaning on the right hand side.
0 = --- = no access
1 = --x = permission to execute code
2 = -w- = permission to write
3 = -wx = permission to write and execute code
4 = r- = permission to read
5 = r-x = permission to read and execute code
6 = rw- = permission to read and write
7 = rwx = permission to read, write and execute code
1.2 Symbolic notations of permissions
To view the permissions of the files within a directory, this command can be used:
Code: Select all
$ ls -laCode: Select all
$ ls -l filenameCode: Select all
hallvor@debian:~$ ls -l .transcoder.sh
-rwxr-xr-x 1 hallvor hallvor 1201 mars 25 17:00 .transcoder.shLet's see what this means, from left to right:
"-" shows that it is a regular file. If it was a directory, there would be a d as first character
"rwx" shows the permissions for the owner of the file. The owner can read (r), write (w) and execute (x) the script. In short, the owner can read and edit the script, delete the script, or run the code.
"r-x" shows the permissions for the group. The group can read (r) and execute (x) the script. The "-" means that permissions are lacking, so they do not have permission to write to it.
"r-x" shows the permissions for the other users not owning the file and not part of the group. They can also read and execute the script, but lack permissions to do anything else.
1.3 Numeric notations of permissions
The values above can also be set numerically.
Each permission has the following value:
read (r) = 4
write (w) = 2
execute (x) = 1
Let's see an example: 740
User: read (4) + write (2) + execute (1) = 7
Group: read (4) = 4
Others: no permissions = 0
The first number (7) represents the owner's permissions. This number can only be achieved by summarizing 4 (read) + 2 (write) + 1 (execute). So 7 means that the owner can read, write and execute. In short: The owner has all permissions.
The second number (4) represents the group's permissions. As we can see, the only possibility to get 4 is the read digit. So members of the group have read only access.
The third number (0) represents other users not owning the file and not part of a group. 0 means that others do not have any permissions. They can't read, write or execute the file.
740 is therefore the same as -rwxr-----
We can use the chmod command to set permissions. If this was a multi-user system where I wanted to restrict access to the script for other users, I could issue chmod 700 to tighten permissions:
Code: Select all
hallvor@debian:~$ ls -l .transcoder.sh
-rwxr-xr-x 1 hallvor hallvor 1201 mars 25 17:00 .transcoder.sh
hallvor@debian:~$ chmod 700 .transcoder.sh
hallvor@debian:~$ ls -l .transcoder.sh
-rwx------ 1 hallvor hallvor 1201 mars 25 17:00 .transcoder.sh2. Understanding ownership
Ownership can de divided into two parts, namely user ownership and group ownership.
2.1 User ownership
When a user creates files or directories, they become owners of these files or directories. As owner, this user can set the permissions for the owner itself and for other users with access to the file or directory. User ownership is very important for reasons of security (protecting data from unauthorized access or sabotage), accountability (modifications to a file can be traced to a specific user) and determining the current owner of a file or directory.
Let's take a look at a single file with stat:
Code: Select all
hallvor@debian:~$ stat .transcoder.sh
Fil: .transcoder.sh
Størrelse: 1201 [tab]Blokker: 8 IO Blokk: 4096 regular file
Device: 254,1 Inode: 28346084 Links: 1
Access: (0700/-rwx------) Uid: ( 1000/ hallvor) Gid: ( 1000/ hallvor)
Access: 2023-03-25 17:00:59.893258143 +0100
Modify: 2023-03-25 17:00:59.893258143 +0100
Change: 2023-07-12 12:55:13.741566146 +0200
Birth: 2023-03-25 17:00:59.893258143 +0100
hallvor@debian:~$ 2.2 Group ownership
In addition to user ownership, group ownership is another way to organize file and directory access. Group ownership allows many users to belong to a group where they have shared access to files and directories and their own group permissions. Group permissions allows the owner to share files and directories to all users of the group without giving access to each user individually. This greatly simplifies access management.
We can check group ownership with the following command:
Code: Select all
$ ls -l document.odt
-rw-r--r-- 1 hallvor users 1024 Jul 13 10:30 document.odt(The stat command, as shown above, can also be used to view user/group ownership.)
Let's say that we want to create a new group in a multi-user environment. We can achieve it with this command, followed by the name of your choosing, for instance:
Code: Select all
# addgroup myowngroupIn order to add a user to this group, enter usermod followed by the group's name and the user you want to add, for instance:
Code: Select all
# usermod -aG myowngroup hallvor3. Setting file permissions and ownership
There are two main commands to set file permissions and ownership, namely the chmod and chown commands. We will take a closer look at both of them below. Please keep in mind that you need sufficient permissions to change ownership.
3.1 chmod (change mode)
The chmod command is used to modify file permissions. With this command, we can add or remove specific permissions (read, write, execute) for each of the three levels mentioned above (user, group, others)
chnmod can be used with the following syntax:
chmod [options] permissions fileordirectoryename
Options can be used with the chmod command. We can for instance use the -R option to apply our permissions recursively. (Please be careful when using this command, because recursive changes can have far-reaching consequences.)
Permissions can be specified in both numeric and symbolic form.
Fileordirectoryname refers to the file or directory you want to modify the permissions of.
Type this in your command line interface to read more about the syntax:
Code: Select all
$ man chmodHere are a few examples:
Add write permissions for the group to a file:
Code: Select all
chmod g+w document.odtRemove execute permission for others:
Code: Select all
chmod o-x script.shGrant read, write, and execute permissions for the user, read and execute permissions for the group, and read-only permissions for others:
Code: Select all
chmod u+rwx,g+rx,o+r script.shCode: Select all
chmod 754 script.shSet permissions of a directory and its contents to read, write, and execute for the owner and read and execute for others:
Code: Select all
chmod -R u+rwx,go+rx /path/to/my/directory/The same command with numeric values:
Code: Select all
chmod -R 755 /path/to/my/directory/Remove write permissions for group and others from a file:
Code: Select all
chmod go-w script.sh3.2 chown (change owner)
While chmod is made to change permissions, chown is made to change ownership of files and directories. As mentioned above, each file has an owner and a group in which it belongs. The chown command allows us to transfer ownership to a different user or group.
Here are a few examples:
Change the owner to hallvor
Code: Select all
chown hallvor document.odtChange the owner to hallvor and the group to mygroup
Code: Select all
chown hallvor:mygroup document.odtChange the owner of a directory and its content recursively to hallvor
Code: Select all
chown -R hallvor /path/to/my/directory/Change the owner to "hallvor" and group to "mygroup" of a directory
Code: Select all
chown hallvor:mygroup /path/to/my/directory/Change the group ownership of a file to mygroup. The owner is not changed.
Code: Select all
chown :mygroup file.txtType this in your command line interface to read more about the syntax:
Code: Select all
$ man chown3.3 Creating different groups with different privileges
Let's create two groups. For the sake of simplicity, let's call them group1 and group2.
Code: Select all
addgroup group1
addgroup group2Code: Select all
mkdir /path/to/directory1
mkdir /path/to/directory2Code: Select all
chown :group1 directory1
chown :group2 directory2Give read and write permissions to the group (g):
Code: Select all
chmod g+rw directory1Deny access to others (o), for instance group 2:
Code: Select all
chmod o-rwx directory1 Give read only access to group2 in directory2
Code: Select all
chmod g+r directory2Deny access to others, for instance group1
Code: Select all
chmod o-rwx directory2Finally we can start adding users. New users can be added with the adduser command, for instance:
Code: Select all
# adduser hallvorTo assign a user (hallvor) to a group, you can use the usermod command:
Code: Select all
# usermod -aG group1 hallvorThe parameter -aG means that the users are added to a new group without removing them from other groups they belong to.
We can also create a new user (hallvor) and assign this user to group1 with a single command. However, this command will not do anything if the user already exists:
Code: Select all
# adduser hallvor group1If you want to remove a user (hallvor) from group1, this can be achieved with deluser. For instance:
Code: Select all
# deluser -g group1 hallvor4. The principle of least privilege (PoLP)
Granting minimum "need only access" privileges to users is an old principle that will contribute greatly to system security. The principle of least privilege means that users on a multi-user system will only get the minimum of necessary privileges to complete their tasks. In case of a bad actor for instance gaining control over this user account, the access is limited and the possibility to compromise the entire system is reduced.
In order to implement this, one should do the following:
1. Define user roles. Read: What do different groups of users *need* access to?
2. Assign the users to corresponding groups and make permissions accordingly. Make sure that there are no unnecessary privileges.
3. Keep permissions up-to-date. Some users may need extra permissions and should be assigned to a different group. Other users may no longer need the permissions they have, and should also be moved to a different group.
Please keep in mind that privileges is just one of many facets to secure GNU/Linux systems. Timely security updates, intrusion detection, running only the minimum of services, etc. are also part of the picture.
5. Summary
As we have seen, mastering file permission and ownership is essentual to control access and maintain security on a GNU/Linux system. There are three types of permissions, namely read (r), write (w) and execute (x). There are also three ownership levels, namely user, group and others. Combining permissions and ownership allows fine-grained access control. The chmod command modifies permissions, while chown can be utilized to change ownership. The principle of least privilege involves giving only the bare minimum of privileges to different users. In a multi-user environment, users should be placed in different groups according to their needs and be given just enough privileges to complete their tasks.
Further reading:
https://www.redhat.com/sysadmin/linux-f ... -explained
https://www.guru99.com/file-permissions.html
https://www.pluralsight.com/blog/it-ops ... ermissions
https://www.geeksforgeeks.org/permissions-in-linux/
Edits:
14.07.23: Changed groupadd to addgroup. Added command to create user and assign user to a group with a single command. Thanks to CynicalDebian. Also added information on how to remove a user from a group.
