
UNIX file permissions


May 23, 2021 UNIX Getting started


File permissions

File ownership is an important part of UNIX and provides a secure way to store files. Each file in UNIX carries three sets of permissions:

  • Owner permissions: determine what the owner of the file can do with it.
  • Group permissions: determine what members of the file's group can do with it.
  • Other (world) permissions: determine what everyone else can do with it.

The permission descriptor

When you run ls -l, the permissions associated with each file are shown as follows:

$ ls -l /home/amrood
-rwxr-xr--  1 amrood   users 1024  Nov 2 00:10  myfile
drwxr-xr--  1 amrood   users 1024  Nov 2 00:10  mydir

The first column of the output is the access mode, i.e. the permissions associated with the file or directory.

After the leading file-type character, the permissions are divided into three groups of three characters. Each group shows, in order, read (r), write (w) and execute (x); a dash means that permission is absent:

  • The first three characters (positions 2-4) are the permissions of the file's owner. For -rwxr-xr--, the owner has read (r), write (w) and execute (x) permission.
  • The second group of three characters (positions 5-7) are the permissions of the group to which the file belongs. For -rwxr-xr--, the group has read (r) and execute (x) permission but not write permission.
  • The last three characters (positions 8-10) are the permissions for everyone else. For -rwxr-xr--, others have only read (r) permission.
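The mode column is compact enough to read by hand, but the mapping is easy to get wrong, especially once the special-bit letters s/S and t/T that appear later on this page enter the picture. The following POSIX sh script is an added example, not code from the original page: it converts a 10-character ls -l mode string into the four-digit octal number that chmod accepts. The helper names char_at and mode_to_octal are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): parse the 10-character mode
# column that ls -l prints and convert it to the octal number chmod accepts.
# The leading digit carries the special bits (4 = SUID, 2 = SGID, 1 = sticky),
# which show up in the mode column as s/S (owner or group execute position)
# and t/T (others execute position); a capital letter means the special bit
# is set but the execute bit underneath it is not.

# char_at STRING N: print the N-th character (1-based) of STRING.
char_at() {
    printf '%s' "$1" | cut -c"$2"
}

# mode_to_octal MODE: e.g. "-rwxr-xr--" -> 0754, "-rwsr-xr-x" -> 4755.
# Returns 1 (with a message on stderr) if MODE is not 10 characters long.
mode_to_octal() {
    m=$1
    if [ "${#m}" -ne 10 ]; then
        echo "mode_to_octal: expected a 10-character mode, got '$m'" >&2
        return 1
    fi
    special=0
    digits=""
    pos=2                       # position 1 is the file type (-, d, l, ...)
    while [ "$pos" -le 8 ]; do
        v=0
        [ "$(char_at "$m" "$pos")" = r ] && v=$((v + 4))
        [ "$(char_at "$m" $((pos + 1)))" = w ] && v=$((v + 2))
        x=$(char_at "$m" $((pos + 2)))
        case $x in
            x|s|t) v=$((v + 1)) ;;      # execute bit present under the letter
        esac
        case $x in
            s|S)
                # SUID sits in the owner triplet (pos 2), SGID in the group triplet (pos 5)
                if [ "$pos" -eq 2 ]; then special=$((special + 4))
                elif [ "$pos" -eq 5 ]; then special=$((special + 2))
                fi
                ;;
            t|T)
                special=$((special + 1))    # sticky bit, others triplet
                ;;
        esac
        digits="$digits$v"
        pos=$((pos + 3))
    done
    printf '%s%s\n' "$special" "$digits"
}

# Stand-alone usage: convert the two entries from the ls -l listing above.
mode_to_octal '-rwxr-xr--'    # 0754
mode_to_octal 'drwxr-xr--'    # 0754
```

The leading digit is always printed, so the result can be passed straight to chmod; the plain three-digit form used later on this page is the same number with a leading 0.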

File access mode

File permissions are the first line of defense in UNIX system security. The basic building blocks of UNIX permissions are read, write and execute:

  1. Read: permission to read and view the contents of the file.
  2. Write: permission to modify or delete the contents of the file.
  3. Execute: permission to run the file as a program.

Directory access mode

Directory access modes are organized in the same way as for other files, but the three permissions mean something different:

  1. Read: the user can read the contents of the directory, i.e. list the names of the files in it.
  2. Write: the user can create or delete files within the directory.
  3. Execute: executing a directory makes no sense, so this bit is treated as permission to traverse (enter) the directory.

For example, a user must be able to traverse the bin directory before they can execute the ls or cd command.

Change permissions

To change the permissions of a file or directory, use the chmod command. chmod can be used in two ways: symbolic mode and absolute mode.

Using chmod in symbolic mode

For beginners, symbolic mode is the easiest way to modify the permissions of a file or directory. The operators in the following table add, remove, or set exactly the permissions you specify.

chmod operator   Description
+                Adds the specified permissions to the file or directory.
-                Removes the specified permissions from the file or directory.
=                Sets exactly the specified permissions, replacing the existing ones.

The following example uses a file called testfile. Running ls -l on testfile shows its permissions as follows:

$ ls -l testfile
-rwxrwxr--  1 amrood   users 1024  Nov 2 00:10  testfile

Now run the chmod operators from the table above on testfile; after each command, ls -l shows how the permissions have changed:

$ chmod o+wx testfile
$ ls -l testfile
-rwxrwxrwx  1 amrood   users 1024  Nov 2 00:10  testfile
$ chmod u-x testfile
$ ls -l testfile
-rw-rwxrwx  1 amrood   users 1024  Nov 2 00:10  testfile
$ chmod g=rx testfile
$ ls -l testfile
-rw-r-xrwx  1 amrood   users 1024  Nov 2 00:10  testfile

The three changes can also be combined into a single command, separated by commas:

$ chmod o+wx,u-x,g=rx testfile
$ ls -l testfile
-rw-r-xrwx  1 amrood   users 1024  Nov 2 00:10  testfile

Using chmod in absolute mode

The second way to modify permissions with chmod is to give a number that specifies the permissions for each set (owner, group, others).

Each permission has a numeric value, as shown in the table below; the value for a set is the sum of the permissions in it.

Number   Permissions (octal representation)                          Reference
0        No permissions                                              ---
1        Execute permission                                          --x
2        Write permission                                            -w-
3        Execute and write permissions: 1 (execute) + 2 (write) = 3  -wx
4        Read permission                                             r--
5        Read and execute permissions: 4 (read) + 1 (execute) = 5    r-x
6        Read and write permissions: 4 (read) + 2 (write) = 6        rw-
7        All permissions: 4 (read) + 2 (write) + 1 (execute) = 7     rwx

The following example again uses testfile. Running ls -l shows the permissions associated with the file as follows:

$ ls -l testfile
-rwxrwxr--  1 amrood   users 1024  Nov 2 00:10  testfile

Now run each chmod command below on testfile; after each one, ls -l shows the resulting permissions:

$ chmod 755 testfile
$ ls -l testfile
-rwxr-xr-x  1 amrood   users 1024  Nov 2 00:10  testfile
$ chmod 743 testfile
$ ls -l testfile
-rwxr---wx  1 amrood   users 1024  Nov 2 00:10  testfile
$ chmod 043 testfile
$ ls -l testfile
----r---wx  1 amrood   users 1024  Nov 2 00:10  testfile
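As an added example (not from the original page), the following POSIX sh script replays the symbolic and absolute chmod commands above on a scratch file created with mktemp, reads the mode column back with ls -ld, and checks that the symbolic chain o+wx,u-x,g=rx and the absolute mode 657 leave the file with identical permissions. It assumes a Linux-style ls and chmod; the helper names mode_of, mode_after and demo_chmod are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): apply the symbolic and absolute
# chmod commands shown above to a scratch file created with mktemp, read the
# resulting mode column back with ls, and check that the symbolic chain
# o+wx,u-x,g=rx and the absolute mode 657 produce the same permissions.

# mode_of PATH: print the 10-character permission column of `ls -ld`.
# cut -c1-10 drops the trailing '+' or '.' that an ACL- or SELinux-aware
# ls appends, so only the classic rwx string is compared.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# mode_after MODE PATH: run `chmod MODE PATH` and print the new mode column.
mode_after() {
    chmod "$1" "$2" && mode_of "$2"
}

# demo_chmod: replay the page's examples step by step on a fresh file.
# Returns 0 only if the symbolic steps, the combined one-liner and the
# octal form all end at the same permissions.
demo_chmod() {
    dir=$(mktemp -d) || return 1
    f="$dir/testfile"
    : > "$f"
    chmod 774 "$f"                        # start at -rwxrwxr--, as on the page
    printf '%-16s %s\n' 'start' "$(mode_of "$f")"
    printf '%-16s %s\n' 'o+wx' "$(mode_after o+wx "$f")"
    printf '%-16s %s\n' 'u-x' "$(mode_after u-x "$f")"
    printf '%-16s %s\n' 'g=rx' "$(mode_after g=rx "$f")"
    stepwise=$(mode_of "$f")

    chmod 774 "$f"                        # reset, then do it in one command
    printf '%-16s %s\n' 'o+wx,u-x,g=rx' "$(mode_after o+wx,u-x,g=rx "$f")"
    combined=$(mode_of "$f")

    chmod 774 "$f"                        # reset, then use the octal equivalent
    printf '%-16s %s\n' '657' "$(mode_after 657 "$f")"
    absolute=$(mode_of "$f")

    rm -rf "$dir"
    [ "$stepwise" = "$combined" ] && [ "$combined" = "$absolute" ]
}

demo_chmod
```

Symbolic mode changes only the classes you name and leaves the rest untouched, while absolute mode replaces all three sets at once; the script's final comparison shows that, starting from the same file, both routes reach -rw-r-xrwx.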

Change the owner and the group to which it belongs

When an account is created on UNIX, the user is assigned a user ID and a group ID. All of the permissions described above are granted on the basis of these owner and group IDs.

The following two commands change the owner and the group of a file:

  1. chown: short for "change owner"; it changes the owner of a file.
  2. chgrp: short for "change group"; it changes the group to which a file belongs.

Change the owner

The chown command changes the owner of a file. Its basic syntax is:

$ chown user filelist

The user argument can be either a user name known to the system or the numeric user ID (UID) of that user. Example:

$ chown amrood testfile
$

This changes the owner of testfile to the user amrood.

Note: The superuser (root) has unrestricted permission to change the owner of any file, but an ordinary user can only change the owner of files they own.

Change the group

The chgrp command changes the group to which a file belongs. Its basic syntax is:

$ chgrp group filelist

The group argument can be either the name of a group that exists on the system or its numeric group ID (GID).

Example:

$ chgrp special testfile
$

This changes the group of testfile to special.

SUID and SGID file permissions

Some commands need special permissions, which the user running them does not have, in order to complete their task.

For example, when you change your password with the passwd command, the new password is stored in /etc/shadow.

As an ordinary user you are not allowed to access this file, for security reasons, yet changing your password requires writing to it. The passwd program must therefore grant you additional permissions for the write to /etc/shadow.

A program is given these additional permissions by setting its set-user-ID (SUID) and set-group-ID (SGID) bits.

When you execute a program with the SUID bit set, you inherit the permissions of the program's owner for the duration of the run; without the SUID bit, the program runs with only the permissions of the user who started it.

The same applies to SGID. Normally a program runs with the permissions of your group; with the SGID bit set, it runs with the permissions of the group that owns the program.

When the SUID or SGID bit is set, it appears in the mode column as a lowercase "s". The SUID "s" replaces the owner's execute bit, and the SGID "s" replaces the group's execute bit. For example:

$ ls -l /usr/bin/passwd
-r-sr-xr-x  1   root   bin  19031 Feb 7 13:47  /usr/bin/passwd*
$

The listing above shows that the SUID bit is set and that the command is owned by root. A capital "S" in place of the lowercase "s" means the SUID (or SGID) bit is set but the corresponding execute bit is not.

If the sticky bit (also called the anti-deletion bit) is set on a directory, a file in that directory can be deleted only by one of the following users:

  • The owner of the directory
  • The owner of the file being deleted
  • The superuser (root)

The SUID and SGID bits can be set on a directory as follows:

$ chmod ug+s dirname
$ ls -l
drwsr-sr-x 2 root root  4096 Jun 19 06:45 dirname
$
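The following POSIX sh script is an added example, not from the original page. It sets the SUID, SGID and sticky bits on a scratch file and directory created with mktemp and reads the mode column back, showing the lowercase "s" versus capital "S" distinction described above and one caveat an administrator should know: re-applying a three-digit absolute mode such as chmod 755 to a regular file clears its SUID and SGID bits, whereas the symbolic u-x keeps the SUID bit and merely turns the "s" into an "S". It assumes a Linux-style chmod and ls, run as the user who owns the scratch paths; the helper names mode_of, mode_after, special_bits and demo_special_bits are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): show how the SUID, SGID and
# sticky bits appear in the ls -l mode column on scratch paths created with
# mktemp, including the lowercase-s versus capital-S distinction, and one
# caveat: re-applying a three-digit absolute mode (chmod 755) to a regular
# file silently clears its SUID/SGID bits, whereas the symbolic u-x leaves
# SUID in place and merely turns s into S.

mode_of()    { ls -ld "$1" | cut -c1-10; }          # classic 10-char mode column
mode_after() { chmod "$1" "$2" && mode_of "$2"; }   # chmod, then read it back

# special_bits PATH: name the special bits visible in the mode column and say
# whether the execute bit underneath each is set ("x") or not ("no-x").
special_bits() {
    m=$(mode_of "$1")
    r=""
    case $(printf '%s' "$m" | cut -c4) in       # owner execute position
        s) r="$r suid(x)" ;;  S) r="$r suid(no-x)" ;;
    esac
    case $(printf '%s' "$m" | cut -c7) in       # group execute position
        s) r="$r sgid(x)" ;;  S) r="$r sgid(no-x)" ;;
    esac
    case $(printf '%s' "$m" | cut -c10) in      # others execute position
        t) r="$r sticky(x)" ;;  T) r="$r sticky(no-x)" ;;
    esac
    if [ -n "$r" ]; then printf '%s\n' "${r# }"; else echo none; fi
}

# show MODE PATH: apply MODE and print "MODE  mode-column  special-bits".
show() {
    printf '%-6s %s  %s\n' "$1" "$(mode_after "$1" "$2")" "$(special_bits "$2")"
}

# demo_special_bits: walk a regular file and a directory through the modes.
demo_special_bits() {
    dir=$(mktemp -d) || return 1
    f="$dir/prog";    : > "$f"
    d="$dir/shared";  mkdir "$d"
    show 4755 "$f"      # -rwsr-xr-x  suid(x)
    show u-x  "$f"      # -rwSr-xr-x  suid(no-x): bit kept, execute removed
    show 755  "$f"      # -rwxr-xr-x  none: three-digit absolute mode dropped SUID
    show 1777 "$d"      # drwxrwxrwt  sticky(x)
    show ug+s "$d"      # drwsrwsrwt  suid(x) sgid(x) sticky(x)
    rm -rf "$dir"
}

demo_special_bits
```

The capital-S case is worth recognising in listings: the bit is still set, so restoring execute permission later (chmod u+x) would bring the SUID behaviour back without anyone running chmod u+s again.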