Rob's web

Accessmode attributes

File systems use permissions and attributes to regulate the level of interaction that system processes can have with files and directories.

Warning: When used for security purposes, permissions and attributes only defend against attacks launched from the booted system. To protect the stored data from attackers with physical access to the machine, one must also implement data-at-rest encryption.

Viewing permissions

Use the ls command's -l option to view the permissions (or file mode) set for the contents of a directory, for example:

$ ls -l /path/to/directory

total 128
drwxr-xr-x 2 archie archie  4096 Jul  5 21:03 Desktop
drwxr-xr-x 6 archie archie  4096 Jul  5 17:37 Documents
drwxr-xr-x 2 archie archie  4096 Jul  5 13:45 Downloads
-rw-rw-r-- 1 archie archie  5120 Jun 27 08:28 customers.ods
-rw-r--r-- 1 archie archie  3339 Jun 27 08:28 todo
-rwxr-xr-x 1 archie archie  2048 Jul  6 12:56 myscript.sh

The first column is what we must focus on. Taking an example value of drwxrwxrwx+, the meaning of each character is explained in the following tables:

drwxrwxrwx+
The file type, technically not part of its permissions. See info ls -n "What information is listed" for an explanation of the possible values. The permissions that the owner has over the file, explained below. The permissions that the group has over the file, explained below. The permissions that all the other users have over the file, explained below. A single character that specifies whether an alternate access method applies to the file. When this character is a space, there is no alternate access method.
A . character indicates a file with a security context, but no other alternate access method.
A file with any other combination of alternate access methods is marked with a + character, for example in the case of Access Control Lists.

Each of the three permission triads (rwx in the example above) can be made up of the following characters:

Permission triads
 CharacterEffect on filesEffect on directories
Read permission (first character) - The file cannot be read. The directory's contents cannot be shown.
r The file can be read. The directory's contents can be shown.
Write permission (second character) - The file cannot be modified. The directory's contents cannot be modified.
w The file can be modified. The directory's contents can be modified (create new files or directories; rename or delete existing files or directories); requires the execute permission to be also set, otherwise this permission has no effect.
Execute permission (third character) - The file cannot be executed. The directory cannot be accessed with cd.
x The file can be executed. The directory can be accessed with cd; this is the only permission bit that in practice can be considered to be "inherited" from the ancestor directories, in fact if any directory in the path does not have the x bit set, the final file or directory cannot be accessed either, regardless of its permissions; see path_resolution(7) for more information.
s The setuid bit when found in the user triad; the setgid bit when found in the group triad; it is not found in the others triad; it also implies that x is set.
S Same as s, but x is not set; rare on regular files, and useless on directories.
t The sticky bit; it can only be found in the others triad; it also implies that x is set.
T Same as t, but x is not set; rare on regular files.

Tip: You can view permissions along a path with namei -l path.

Changing permissions

chmod is a command in Linux and other Unix-like operating systems that allows to change the permissions (or access mode) of a file or directory.

Text method

To change the permissions - or access mode - of a file, use the chmod command in a terminal. Below is the command's general structure:

chmod who=permissions filename

Where who is any from a range of letters, each signifying who is being given the permission. They are as follows:

uthe user that owns the file.
gthe user group that the file belongs to.
othe other users, i.e. everyone else.
aall of the above; use this instead of typing ugo.

The permissions are the same as discussed in #Viewing permissions (r, w and x).

Now have a look at some examples using this command. Suppose you became very protective of the Documents directory and wanted to deny everybody but yourself, permissions to read, write, and execute (or in this case search/look) in it:

Before: drwxr-xr-x 6 archie web 4096 Jul 5 17:37 Documents

$ chmod g= Documents
$ chmod o= Documents

After: drwx------ 6 archie web 4096 Jul 6 17:32 Documents

Here, because you want to deny permissions, you do not put any letters after the = where permissions would be entered. Now you can see that only the owner's permissions are rwx and all other permissions are -.

This can be reverted with:

Before: drwx------ 6 archie web 4096 Jul 6 17:32 Documents

$ chmod g=rx Documents
$ chmod o=rx Documents

After: drwxr-xr-x 6 archie web 4096 Jul 6 17:32 Documents

In the next example, you want to grant read and execute permissions to the group, and other users, so you put the letters for the permissions (r and x) after the =, with no spaces.

You can simplify this to put more than one who letter in the same command, e.g:

$ chmod go=rx Documents

Note: It does not matter in which order you put the who letters or the permission letters in a chmod command: you could have chmod go=rx file or chmod og=xr file. It is all the same.

Now let us consider a second example, suppose you want to change a foobar file so that you have read and write permissions, and fellow users in the group web who may be colleagues working on foobar, can also read and write to it, but other users can only read it:

Before: -rw-r--r-- 1 archie web 5120 Jun 27 08:28 foobar

$ chmod g=rw foobar

After: -rw-rw-r-- 1 archie web 5120 Jun 27 08:28 foobar

This is exactly like the first example, but with a file, not a directory, and you grant write permission (just so as to give an example of granting every permission).

Text method shortcuts

The chmod command lets add and subtract permissions from an existing set using + or - instead of =. This is different from the above commands, which essentially re-write the permissions (e.g. to change a permission from r-- to rw-, you still need to include r as well as w after the = in the chmod command invocation. If you missed out r, it would take away the r permission as they are being re-written with the =. Using + and - avoids this by adding or taking away from the current set of permissions).

Let us try this + and - method with the previous example of adding write permissions to the group:

Before: -rw-r--r-- 1 archie web 5120 Jun 27 08:28 foobar

$ chmod g+w foobar

After: -rw-rw-r-- 1 archie web 5120 Jun 27 08:28 foobar

Another example, denying write permissions to all (a):

Before: -rw-rw-r-- 1 archie web 5120 Jun 27 08:28 foobar

$ chmod a-w foobar

After: -r--r--r-- 1 archie web 5120 Jun 27 08:28 foobar

A different shortcut is the special X mode: this is not an actual file mode, but it is often used in conjunction with the -R option to set the executable bit only for directories, and leave it unchanged for regular files, for example:

$ chmod -R a+rX ./data/

Copying permissions

It is possible to tell chmod to copy the permissions from one class, say the owner, and give those same permissions to group or even all. To do this, instead of putting r, w, or x after the =, put another who letter. e.g:

Before: -rw-r--r-- 1 archie web 5120 Jun 27 08:28 foobar

$ chmod g=u foobar

After: -rw-rw-r-- 1 archie web 5120 Jun 27 08:28 foobar

This command essentially translates to "change the permissions of group (g=), to be the same as the owning user (=u). Note that you cannot copy a set of permissions as well as grant new ones e.g.:

$ chmod g=wu foobar

In that case chmod throw an error.

Numeric method

chmod can set permissions using numbers.

Using numbers is another method which allows you to edit the permissions for all three owner, group, and others at the same time, as well as the setuid, setgid, and sticky bits. This basic structure of the code is this:

$ chmod xxx filename

Where xxx is a 3-digit number where each digit can be anything from 0 to 7. The first digit applies to permissions for owner, the second digit applies to permissions for group, and the third digit applies to permissions for all others.

In this number notation, the values r, w, and x have their own number value:

r4
w2
x1

To come up with a 3-digit number you need to consider what permissions you want owner, group, and all others to have, and then total their values up. For example, if you want to grant the owner of a directory read write and execution permissions, and you want group and everyone else to have just read and execute permissions, you would come up with the numerical values like so:

Owner: rwx = 4 + 2 + 1 = 7
Group: r-x = 4 + 0 + 1 = 5
Other: r-x = 4 + 0 + 1 = 5

$ chmod 755 filename

This is the equivalent of using the following:

$ chmod u=rwx filename
$ chmod go=rx filename

To view the existing permissions of a file or directory in numeric form, use the stat(1) command:

$ stat -c %a filename

Where the %a option specifies output in numeric form.

Most directories are set to 755 to allow reading, writing and execution to the owner, but deny writing to everyone else, and files are normally 644 to allow reading and writing for the owner but just reading for everyone else; refer to the last note on the lack of x permissions with non executable files: it is the same thing here.

If this were an executable the number would be 774 if you wanted to grant executable permission to the owner and group. Alternatively if you wanted everyone to only have read permission the number would be 444. Treating r as 4, w as 2, and x as 1 is probably the easiest way to work out the numerical values for using chmod xxx filename.

You can also use the numeric method to set the setuid, setgid, and sticky bits by using four digits.

setuid4
setgid2
sticky1

For example, chmod 2777 filename will set read/write/executable bits for everyone and also enable the setgid bit.

Bulk chmod

Generally directories and files should not have the same permissions. If it is necessary to bulk modify a directory tree, use find to selectively modify one or the other.

To chmod only directories to 755:

$ find directory -type d -exec chmod 755 {} +

To chmod only files to 644:

$ find directory -type f -exec chmod 644 {} +