Introduction
File access permissions and security are at the heart of *nix-based operating systems. File objects can belong to users and/or groups, and at times they need to be shared with various combinations of those two. There are multiple ways in *nix systems to reinforce secure sharing of these objects.
We use the
chmodutility to change or modify the file permissions.
This guide discusses file permissions and how we can change them with chmod. While the explanations and code should work for almost all *nix-based systems, this guide was specifically written for Linux.
Ownership and Permissions
Before we could get into chmod, let's go over the basics of file and directory ownership in Linux. The files and directories that you find or create have access permissions provided in three categories of owners:
| Owners | Symbolic Representation | Description |
|---|---|---|
| Users | u | The primary owner of the file/directory object |
| Groups | g | A user can be part of one or many groups |
| Others | o | Other users who also aren't part of the group |
These owners can have one or many of the following access permissions assigned:
| Permission | Symbolic Representation | Octal Representation | Description |
|---|---|---|---|
| Read | r | 4 | Permission to read, copy from directory |
| Write | w | 2 | Permission to write/edit, delete, add new files to directory |
| Execute | x | 1 | Permission to execute the binary |
Let's get hands-on experience with chmod commands and permissions by first creating an empty file:
$ touch temp.txt
We will also be using the ls -l command very often to check access permissions. The ls command is used to list files, but the -l flag returns them in the long format, which also includes the information regarding access permissions:
$ ls -l temp.txt
-rw-r--r-- 1 ubuntu ubuntu 0 Apr 20 22:17 temp.txt
The left-hand side of the result contains information on access permissions. Though, they're not as intuitive as the two tables from just a moment ago. The result has several components:
The permissions can be split into three parts - each corresponding to the owners in the order - Users, Groups, and Others. You may have also noticed the name of the owners i.e. the user and the group to which the object belongs to.
The order of the permission for each codon of 3 is of the structure rwx. If one of these permissions is unavailable, the missing permission is replaced with a dash (-) like rw-. The other details are related to the file itself: its size, creation date, and name.
The chmod Utility
The chmod utility helps us to assign permissions to file/directory objects. It has a special set of arguments, corresponding to the ownership and permissions:
| Permission | Symbolic Representation | Octal Representation |
|---|---|---|
| read | r | 4 |
| write | w | 2 |
| execute | x | 1 |
| no permission | - | 0 |
For each owner, these permissions can be summed (for Octal Representation - e.g. 4+2 = 6 denotes read & write permissions) or combined (for Symbolic Representation - e.g. rw denotes read & write permissions).
This is key to understanding how the chmod command works. Let's modify the access permissions of the temp.txt file, and allow read, write and execute permissions to the User, but disallow any access to the Group and Others.
You can use either Octal Representation or Symbolic Representation for this:
$ chmod 700 temp.txt
The octal notation - 700 can be broken down as:
- The first octal integer position corresponds to the User and the number 7 itself is an octal representation of all permissions (
rwx) i.e. 4+2+1 = 7. - The second and third octal integer positions correspond to the Group and Others, where the number 0 shows that there aren't any permissions to access the object.
Let's take a look at the permission on the temp.txt file now:
$ ls -l temp.txt
-rwx------ 1 ubuntu ubuntu 0 Apr 20 22:19 temp.txt
We can perform the same command, and assign the permissions in much the same way if we rewrite the 700 argument using the symbolic notation:
Check out our hands-on, practical guide to learning Git, with best-practices, industry-accepted standards, and included cheat sheet. Stop Googling Git commands and actually learn it!
$ chmod u+rwx,g-rwx,o-rwx temp.txt
We remove permissions using a - sign, and added by +. When using the symbolic representation, owners are separated by commas ,. Here, we've added the rwx permission to u, but removed it from g and o.
This results in the same access permissions:
$ ls -l temp.txt
-rwx------ 1 ubuntu ubuntu 0 Apr 20 22:19 temp.txt
Now, let's consider another command:
$ chmod u+rwx,g-rw+x,o-rw+x temp.txt
Here, we've intertwined pluses and minuses:
'u+rwx'denotes that the read, write and execute permissions are provided to the User.'g-rw+x'and'o-rw+x'show that the Group and the Others are denied to perform any of the read/write operations but they are allowed to perform executions.
This is equivalent to chmod 711 temp.txt using octal representation.
Let's check the file again:
$ ls -l temp.txt
-rwx--x--x 1 ubuntu ubuntu 0 Apr 20 22:19 temp.txt
We can also use an '=' sign to set/overwrite permissions to the corresponding owner. The aforementioned command could also be written as:
$ chmod u=rwx,g=x,w=x temp.txt
This, yet again, results in:
$ ls -l temp.txt
-rwx--x--x 1 ubuntu ubuntu 0 Apr 20 22:19 temp.txt
Advanced chmod Usage - SUID, GUID and Sticky Bits
Now that the basics of chmod are clear, let's take it one step further by reviewing an extra set of special execution/deletion-only permissions that act as the fourth level of security to the existing read, write and execute permissions. These include:
| Special Permission | Symbolic Representation | Octal Representation | Description |
|---|---|---|---|
| SUID (Set UserID) | rw**s**------ | 4 | Execution-Only permission defined at the User Level. It is used to provide user-like privileges to whoever executes the file(s) inside the directory objects. |
| SGID (Set GroupID) | ---rw**s**--- | 2 | Execution-Only permission defined at the Group Level. It is used to provide group-like privileges to whoever executes the file(s) inside the directory objects. |
| Sticky Bit | ------rw**t** | 1 | Defined at the Others Level. It prevents the file or object from getting deleted. Only the Owner or Root can delete the file or object. |
When calling the chmod utility, and setting the argument - the special permission precedes the regular permissions. If we want to add a special permission to our regular 700 argument, we simply add a digit beforehand:
$ chmod 5700 temp.txt
$ ls -l temp.txt
-rws-----T 1 ubuntu ubuntu 0 Apr 20 22:19 temp.txt
Here, the 5 defines the sum of 4+1, which is a combination of the SUID and Sticky Bit permission. 700 represents the 'rwx' permission for the Owner only. SUID overrides the owner permission, and whoever executes the file will always execute as the owner of the file. In addition to this, only the owner of the file will be able to delete it. In the output, notice the presence of the character 'T', which denotes that the Sticky Bit is set.
Let's rewrite the command, using symbolic representation:
$ chmod u+srwx,g-rwx,o+t-rwx temp.txt
$ ls -l temp.txt
-rws-----T 1 ubuntu ubuntu 0 Apr 20 22:19 temp.txt
Let's breakdown the argument by commas, since it's getting a bit long:
u+srwx: The user has aSUIDpermission attached to it, along withrwx.g-rwx: The group is devoid of therwxpermissions.o+t-rwx: The+tdenotes the addition of aSticky Bitpermission and the others are devoid of therwxpermissions.
If you happen to have another user, try switching to that user and check if you can delete the file. You should be getting a prompt just like this:
$ sudo su unknown
$ rm temp.txt
rm: remove write-protected regular empty file 'temp.txt'?
Conclusion
In this guide, we learned about file and directory ownership and permissions in Linux. We then used chmod to modify them. These commands can be quite useful in securing the files or directories with much ease in *nix-based Operating Systems.
