Linux permissions
Introduction
In Linux, access to data objects like files and directories is handled via permissions. Typical permission settings for a file or directory look, for example, like this:
File:
[sfux@eu-login-03 ~]$ ls -ltr gurobi.log
-rw-r--r-- 1 sfux T0000 330 May 18 13:34 gurobi.log
Directory:
[sfux@eu-login-03 ~]$ ls -ltrd bin
drwx------ 2 sfux T0000 4096 Feb 5 2015 bin
In these examples, the so-called permission string is the first field of the output (-rw-r--r-- and drwx------). The permission string always contains 10 characters, each of which is either a letter or a dash. The first position in the string specifies whether the data object is a file (-) or a directory (d). After the first position, the permission string contains 3 groups of 3 characters, which specify the 3 basic permissions for each of the 3 permission groups.
Basic permissions
In Linux there are 3 basic permissions.
- Read permission (r):
  - Grants you the permission to read a file/directory.
- Write permission (w):
  - Grants you the permission to write or delete a file/directory.
- Execute permission (x):
  - Grants you the permission to execute a file or to enter a directory.
The basic permissions are represented by a letter if they are set, or by a dash if they are not set.
Permission groups
Permissions are specified on 3 different levels (permission groups):
- User permission (u)
  - Contains the permission settings for the user account (in the example mentioned above, the user would be sfux).
- Group permission (g)
  - Contains the permission settings for the user group (in the example mentioned above, the group would be T0000).
- Others permission (o)
  - Contains the permission settings for all user accounts that are not contained in (u) and (g).
Since a permission group contains a value for each of the 3 basic permissions (r, w, x), there are only 8 possible patterns. Because of this, a permission group can also be represented by a single number between 0 and 7. The numeric representation is obtained by assigning values to the basic permissions (r=4, w=2, x=1) and summing the values of the permissions that are set.
string representation | numerical representation | single number representation |
--- | 000 | 0 |
--x | 001 | 1 |
-w- | 020 | 2 |
-wx | 021 | 3 |
r-- | 400 | 4 |
r-x | 401 | 5 |
rw- | 420 | 6 |
rwx | 421 | 7 |
A permission string can be represented by 3 single number representations of permission groups, which are always specified in the order user, group, other:
-rwx------ is equal to 700
-rwxr-x--- is equal to 750
-rwxr-xr-x is equal to 755
-rwxrwxrwx is equal to 777
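The conversion described above can be written as a small shell function. This is an added example, not part of the original page; the function name perm_to_octal is hypothetical. It accepts only the file/directory flag and the r, w, x letters covered here and rejects any other string.

```shell
#!/bin/sh
# Convert a 10-character permission string (as printed by ls -l) to its
# three-digit numeric form, using r=4, w=2, x=1 per permission group.
perm_to_octal() {
    perm=$1
    # Exactly 10 characters: type flag followed by three rwx triplets.
    if [ "${#perm}" -ne 10 ]; then
        echo "error: expected 10 characters, got ${#perm}" >&2
        return 1
    fi
    # Each position may only hold its own letter or a dash.
    case $perm in
        [-d][-r][-w][-x][-r][-w][-x][-r][-w][-x]) ;;
        *) echo "error: unsupported permission string: $perm" >&2
           return 1 ;;
    esac
    rest=${perm#?}              # drop the file-type character
    result=""
    for group in user group other; do
        triplet=$(printf '%s' "$rest" | cut -c1-3)
        rest=${rest#???}        # advance to the next permission group
        digit=0
        case $triplet in r??) digit=$((digit + 4)) ;; esac
        case $triplet in ?w?) digit=$((digit + 2)) ;; esac
        case $triplet in ??x) digit=$((digit + 1)) ;; esac
        result="$result$digit"
    done
    printf '%s\n' "$result"
}

# Permission strings taken from the listings on this page.
perm_to_octal -rw-r--r--    # 644
perm_to_octal drwx------    # 700
perm_to_octal -rwxr-x---    # 750
```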
Displaying permission settings
Permissions of a file/directory can be displayed with the ls -l command (files and directories).
[sfux@eu-login-03 ~]$ ls -l
total 112
drwx------ 2 sfux T0000 4096 Feb 5 2015 bin
drwxr-x--- 2 sfux T0000 4096 Sep 22 14:43 comsol
-rw-r--r-- 1 sfux T0000 16330 Sep 30 08:23 comsol_commands
-rw-r--r-- 1 sfux T0000 287 Oct 6 09:59 comsolusers
-rw-r--r-- 1 sfux T0000 330 May 18 13:34 gurobi.log
drwx------ 7 sfux T0000 4096 Sep 4 16:21 inst_instr
drwxr-xr-x 2 sfux T0000 4096 Jul 24 13:36 lics
-rwxr-xr-x 1 sfux T0000 812 Jul 2 2014 lsf_drmaa.conf
-rw-r--r-- 1 sfux T0000 934 Oct 6 12:40 lsf.o10527387
drwxr-xr-x 2 sfux T0000 4096 Oct 2 08:53 mathematica
drwxr-xr-x 2 sfux T0000 4096 May 22 09:26 openfoam
drwx------ 6 sfux T0000 4096 Apr 29 16:38 prog
drwxr-xr-x 3 sfux T0000 4096 Jul 13 15:49 R
drwx------ 2 sfux T0000 4096 Jul 24 08:02 rre7
drwx------ 2 sfux T0000 4096 Apr 9 2014 scratch
drwx------ 3 sfux T0000 4096 Oct 8 15:34 shellscript
drwxr-x--- 2 sfux T0000 4096 Dec 18 2014 sources
drwxr-xr-x 11 sfux T0000 4096 Oct 7 15:01 test
drwxr-xr-x 33 sfux T0000 4096 Sep 17 09:58 testrun
Changing permission settings
Permissions of a file/directory can be changed with the chmod command. To specify the change, you can either provide the numerical representation of a permission string or specify which basic permission should be changed for which permission group. If single parts of the permission string are changed, then +/- is used to add/remove a permission.
As a starting point, we use the following file with given permissions:
[sfux@eu-login-03 ~]$ ls -l gurobi.log
-rw-r--r-- 1 sfux T0000 330 May 18 13:34 gurobi.log
Removing the write permission for user sfux can be achieved by executing the command chmod u-w gurobi.log.
[sfux@eu-login-03 ~]$ chmod u-w gurobi.log
[sfux@eu-login-03 ~]$ ls -l gurobi.log
-r--r--r-- 1 sfux T0000 330 May 18 13:34 gurobi.log
It is also possible to combine permission changes. If chmod ugo+x is used instead of chmod u-w, execute permission is added for all permission groups.
[sfux@eu-login-03 ~]$ chmod ugo+x gurobi.log
[sfux@eu-login-03 ~]$ ls -l gurobi.log
-rwxr-xr-x 1 sfux T0000 330 May 18 13:34 gurobi.log
To change the permission pattern to 755, you would execute the command chmod 755 gurobi.log.
[sfux@eu-login-03 ~]$ chmod 755 gurobi.log
[sfux@eu-login-03 ~]$ ls -l gurobi.log
-rwxr-xr-x 1 sfux T0000 330 May 18 13:34 gurobi.log
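The following added example (not part of the original page) applies the chmod calls above one after another to show that symbolic changes are relative to the current mode while a numeric mode replaces it, then lists and removes permissions granted to others. The function names are hypothetical, the scratch directory is constructed, and GNU coreutils (stat -c) is assumed.

```shell
#!/bin/sh
# Assumes GNU coreutils (stat -c), as found on Linux systems.

# Print the numeric mode of a file or directory, e.g. 644.
mode_of() {
    stat -c '%a' "$1"
}

# Apply the chmod calls from the text in sequence to FILE and print the
# mode after each step. Symbolic changes (u-w, ugo+x) modify the current
# mode; a numeric mode (755) replaces all nine permission bits at once.
chmod_walkthrough() {
    file=$1
    chmod 644 "$file";   printf '%s ' "$(mode_of "$file")"    # -rw-r--r--
    chmod u-w "$file";   printf '%s ' "$(mode_of "$file")"    # -r--r--r--
    chmod ugo+x "$file"; printf '%s ' "$(mode_of "$file")"    # -r-xr-xr-x
    chmod 755 "$file";   printf '%s\n' "$(mode_of "$file")"   # -rwxr-xr-x
}

# List files and directories below DIR that grant any permission
# (r, w or x) to others. Symbolic links are skipped.
list_open_to_others() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) ! -type l -print
}

# Remove every "others" permission below DIR; user and group bits stay.
restrict_others() {
    chmod -R o-rwx "$1"
}

# Constructed sample: a scratch directory holding one file.
workdir=$(mktemp -d)
touch "$workdir/gurobi.log"
chmod_walkthrough "$workdir/gurobi.log"     # 644 444 555 755
list_open_to_others "$workdir"              # prints the path of gurobi.log
restrict_others "$workdir"
mode_of "$workdir/gurobi.log"               # 750
rm -rf "$workdir"
```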
Links
wikipedia:File_system_permissions
https://www.freebsd.org/doc/handbook/permissions.html
http://www.unix.com/tips-and-tutorials/19060-unix-file-permissions.html