Linux permissions

From ScientificComputing
Revision as of 08:53, 21 October 2022 by Sfux (talk | contribs)


Introduction

In Linux, access to data objects like files and directories is handled via permissions. Typical permission settings for a file/directory can, for example, look like this:

File:

[sfux@eu-login-03 ~]$ ls -ltr gurobi.log 
-rw-r--r-- 1 sfux T0000 330 May 18 13:34 gurobi.log

Directory:

[sfux@eu-login-03 ~]$ ls -ltrd bin
drwx------ 2 sfux T0000 4096 Feb  5  2015 bin

In these examples, the so-called permission string is the first field of the output line (-rw-r--r-- for the file, drwx------ for the directory). The permission string always contains 10 characters, each of which is either a letter or a dash. The first position in the string specifies whether the data object is a file (-) or a directory (d). After the first position, the permission string contains 3 groups of 3 characters that specify the 3 basic permissions for each of the 3 permission groups.

Basic permissions

In Linux there are 3 basic permissions:

  • Read permission (r):
    Grants you the permission to read a file/directory.
  • Write permission (w):
    Grants you the permission to write or delete a file/directory.
  • Execute permission (x):
    Grants you the permission to execute a file or to enter a directory.

The basic permissions are represented by a letter if they are set, or by a dash if they are not set.

Permission groups

Permissions are specified on 3 different levels (permission groups):

  • User permission (u)
    Contains the permission settings for the user account (in the example mentioned above, the user would be sfux).
  • Group permission (g)
    Contains the permission settings for the user group (in the example mentioned above, the group would be T0000).
  • Others permission (o)
    Contains the permission settings for all user accounts that are not contained in (u) and (g).

Since a permission group contains a value for each of the 3 basic permissions (r,w,x), there are only 8 patterns possible. Because of this, a permission group can also be represented by a single number between 0 and 7. The numeric representation of the permission patterns is implemented by assigning values to the basic permissions (r=4, w=2, x=1), which are summed up to give the numeric representation of the permission group.

string representation   numerical representation   single number representation
---                     000                        0
--x                     001                        1
-w-                     020                        2
-wx                     021                        3
r--                     400                        4
r-x                     401                        5
rw-                     420                        6
rwx                     421                        7

A permission string can be represented by the 3 single number representations of its permission groups, which are always specified in the order user, group, other:

-rwx------ is equal to 700  
-rwxr-x--- is equal to 750 
-rwxr-xr-x is equal to 755 
-rwxrwxrwx is equal to 777
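
The conversion described above can be written as two small POSIX shell functions. This is an added example, not part of the original wiki page; the function names perm_to_octal and octal_to_perm are hypothetical, and only the characters described on this page (-, d, r, w, x) are accepted.

```sh
# Added example: convert between the permission string printed by ls -l
# and the three-digit numeric form, using r=4, w=2, x=1 as on this page.
# Function names are hypothetical; variables are global (POSIX sh).

# perm_to_octal "-rwxr-x---"  ->  750
perm_to_octal() {
    perm=$1
    # Accept only what the page describes: a type character (- or d)
    # followed by three groups of r/-, w/-, x/-.
    case $perm in
        [-d][r-][w-][x-][r-][w-][x-][r-][w-][x-]) ;;
        *) echo "unsupported permission string: $perm" >&2; return 1 ;;
    esac
    rest=${perm#?}                      # drop the type character
    result=""
    while [ -n "$rest" ]; do            # user, group, other in that order
        digit=0
        case $rest in r*)   digit=$((digit + 4)) ;; esac
        case $rest in ?w*)  digit=$((digit + 2)) ;; esac
        case $rest in ??x*) digit=$((digit + 1)) ;; esac
        result=$result$digit
        rest=${rest#???}                # move on to the next group
    done
    printf '%s\n' "$result"
}

# octal_to_perm 750 d  ->  drwxr-x---   (type character defaults to -)
octal_to_perm() {
    mode=$1
    out=${2:--}
    case $mode in
        [0-7][0-7][0-7]) ;;
        *) echo "unsupported mode: $mode" >&2; return 1 ;;
    esac
    while [ -n "$mode" ]; do
        d=${mode%"${mode#?}"}           # first remaining digit
        mode=${mode#?}
        if [ $((d & 4)) -ne 0 ]; then out=${out}r; else out=${out}-; fi
        if [ $((d & 2)) -ne 0 ]; then out=${out}w; else out=${out}-; fi
        if [ $((d & 1)) -ne 0 ]; then out=${out}x; else out=${out}-; fi
    done
    printf '%s\n' "$out"
}
```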

Displaying permission settings

Permissions of a file/directory can be displayed with the command ls -l (files and directories).

[sfux@eu-login-03 ~]$ ls -l
total 112
drwx------  2 sfux T0000  4096 Feb  5  2015 bin
drwxr-x---  2 sfux T0000  4096 Sep 22 14:43 comsol
-rw-r--r--  1 sfux T0000 16330 Sep 30 08:23 comsol_commands
-rw-r--r--  1 sfux T0000   287 Oct  6 09:59 comsolusers
-rw-r--r--  1 sfux T0000   330 May 18 13:34 gurobi.log
drwx------  7 sfux T0000  4096 Sep  4 16:21 inst_instr
drwxr-xr-x  2 sfux T0000  4096 Jul 24 13:36 lics
-rwxr-xr-x  1 sfux T0000   812 Jul  2  2014 lsf_drmaa.conf
-rw-r--r--  1 sfux T0000   934 Oct  6 12:40 lsf.o10527387
drwxr-xr-x  2 sfux T0000  4096 Oct  2 08:53 mathematica
drwxr-xr-x  2 sfux T0000  4096 May 22 09:26 openfoam
drwx------  6 sfux T0000  4096 Apr 29 16:38 prog
drwxr-xr-x  3 sfux T0000  4096 Jul 13 15:49 R
drwx------  2 sfux T0000  4096 Jul 24 08:02 rre7
drwx------  2 sfux T0000  4096 Apr  9  2014 scratch
drwx------  3 sfux T0000  4096 Oct  8 15:34 shellscript
drwxr-x---  2 sfux T0000  4096 Dec 18  2014 sources
drwxr-xr-x 11 sfux T0000  4096 Oct  7 15:01 test
drwxr-xr-x 33 sfux T0000  4096 Sep 17 09:58 testrun

Changing permission settings

Permissions of a file/directory can be changed with the chmod command. To specify the change, you can either provide the numerical representation of a permission string or specify which basic permission should be changed for which permission group. If single parts of the permission string are changed, then +/- is used to add/remove a permission.

As a starting point, we use the following file with given permissions:

[sfux@eu-login-03 ~]$ ls -l gurobi.log 
-rw-r--r-- 1 sfux T0000 330 May 18 13:34 gurobi.log

Removing the write permission for user sfux can be achieved by executing the command chmod u-w gurobi.log.

[sfux@eu-login-03 ~]$ chmod u-w gurobi.log
[sfux@eu-login-03 ~]$ ls -l gurobi.log
-r--r--r-- 1 sfux T0000 330 May 18 13:34 gurobi.log

It is also possible to combine permission changes. If chmod ugo+x is used instead of chmod u-w, execute permission is added for all permission groups.

[sfux@eu-login-03 ~]$ chmod ugo+x gurobi.log
[sfux@eu-login-03 ~]$ ls -l gurobi.log 
-rwxr-xr-x 1 sfux T0000 330 May 18 13:34 gurobi.log

To change the permission pattern to 755, you would execute the command chmod 755 gurobi.log:

[sfux@eu-login-03 ~]$ chmod 755 gurobi.log
[sfux@eu-login-03 ~]$ ls -l gurobi.log
-rwxr-xr-x 1 sfux T0000 330 May 18 13:34 gurobi.log
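
On a shared system it is useful to check which of your files the group or others may write, and to remove that permission with the symbolic form of chmod. The following is an added example, not part of the original wiki page; the function names are hypothetical, the demo files are constructed in a scratch directory, and GNU stat (as found on Linux) is assumed.

```sh
# Added example: find entries that group or others may write, then remove
# that permission with chmod go-w. Function names are hypothetical.

# Print entries under $1 with the w bit set for group (020) or others (002).
# Symbolic links are skipped: their own mode is not what chmod changes.
list_loose() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -print
}

# Remove write permission for group and others; the user bits and all
# r/x bits stay as they were, because the symbolic form is relative.
tighten() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -exec chmod go-w {} +
}

# Numeric mode of one entry, e.g. 644 (GNU stat).
mode_of() { stat -c '%a' "$1"; }

# Constructed demo in a scratch directory.
# Prints "<log mode> <script mode> <entries still writable by g/o>".
demo() {
    dir=$(mktemp -d) || return 1
    touch "$dir/results.log" "$dir/run.sh"
    chmod 666 "$dir/results.log"     # -rw-rw-rw-
    chmod 775 "$dir/run.sh"          # -rwxrwxr-x
    tighten "$dir"
    remaining=$(list_loose "$dir" | wc -l | tr -d ' ')
    printf '%s %s %s\n' "$(mode_of "$dir/results.log")" \
        "$(mode_of "$dir/run.sh")" "$remaining"
    rm -rf "$dir"
}
```

Run list_loose on a directory first to review what would change before calling tighten on it.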

Links

wikipedia:File_system_permissions

wikipedia:Modes_(Unix)

wikipedia:Chmod

https://www.freebsd.org/doc/handbook/permissions.html

http://www.unix.com/tips-and-tutorials/19060-unix-file-permissions.html