
Permissions

Linux permissions control who can access and modify files and directories on a system. They're divided into three categories: owner (user), group, and others, with each category having three types of permissions: read, write, and execute.

Ownership

If you run ls -l while in a directory, you may see something like:

total 256
drwxr-sr-x  4 myname myrsrchGrp  53 Mar 10 11:20 ARCHIVE
drwxr-sr-x  3 alfred myrsrchGrp  28 Jun 15  2021 alfred
drwx------  3 myname myrsrchGrp  24 Mar 31  2021 myname
drwxrwsr-x  4 myname myrsrchGrp  57 May  3 12:45 software
-rw-rw-r--  1 myname myrsrchGrp   4 May  4 12:04 somefile.txt
  • The 1st column shows permissions (more details below)

  • The 3rd column indicates the user that owns the resource (e.g. myname and alfred above)

  • The 4th column indicates the group that owns the resource (e.g. myrsrchGrp above)

  • The 6th - 8th columns show the timestamp (either date and time, or date and year depending on age of the file or directory)

  • The 9th column shows the name of the file or directory

To learn more, visit the manual page for ls

Interpreting Permissions from ls Output

The first column shows the permissions; for a directory such as ARCHIVE above it reads:

drwxr-sr-x

Here, the first character d indicates a directory. In the example, there are 4 directories shown in the listing.

The next set of 9 characters indicate the permissions. These are grouped into sets of 3.

  • the first set is for the owner (user)
  • the second set is for the group (i.e. users belonging to the group myrsrchGrp)
  • the third set is for others (i.e. not the owner, and other users not belonging to myrsrchGrp)

The meanings of the characters are:

  • - = no permissions (cannot read, cannot write, cannot execute)
  • r = permission to read
  • w = permission to write
  • x =
    • for files, x means permission to execute (e.g. a program, or a script)
    • for directories, x means permission to list the directory and to cd into it
  • s in the group column of a directory means any new file or directory created in that directory would have its group set to the group of that top-level directory; in this case, any new files or directories created in the ARCHIVE directory would have the group set to myrsrchGrp. This setting is called the "setgid bit" (said "set gee eye dee bit"). Further, subdirectories will inherit the s.

For more detail, see Jack Wallen's article at Linux Foundation.

Changing Permissions

Permissions on files and directories can be changed only by their owners, i.e. the user listed in column 3 of the ls -l output.

To grant permission, you would specify u (user or owner), g (group), or o (other) and the permission to grant with a +. For example:

[myname@picotte001 myrsrchGrp]$ ls -l somefile.txt
-rw-rw-r--  1 myname myrsrchGrp   6 May  4 12:06 somefile.txt

[myname@picotte001 myrsrchGrp]$ chmod o+w somefile.txt

[myname@picotte001 myrsrchGrp]$ ls -l somefile.txt
-rw-rw-rw- 1 myname myrsrchGrp 6 May  4 12:06 somefile.txt

To remove permission, use - instead:

[myname@picotte001 myrsrchGrp]$ ls -l somefile.txt
-rw-rw-rw- 1 myname myrsrchGrp 6 May  4 12:06 somefile.txt

[myname@picotte001 myrsrchGrp]$ chmod o-w somefile.txt

[myname@picotte001 myrsrchGrp]$ ls -l somefile.txt
-rw-rw-r-- 1 myname myrsrchGrp 6 May  4 12:08 somefile.txt

You can also specify more than one user class:

chmod ugo+x somedirectory
chmod go-rw somefile.txt

Numeric Permissions

The permissions are actually a binary number. Recall binary numbers use base 2. So, a 3-digit binary number would be something like:

\[ 101_2 = 1 * 2^2 + 0 * 2^1 + 1 * 2^0 = 4 + 0 + 1 = 5 \]

The permissions have 3 places, e.g. rwx, corresponding to the places in binary numbers. The first place corresponds to \(2^2\), the second to \(2^1\), and the third to \(2^0\).

So, we can translate the permissions to a binary number, and then to a normal decimal number (technically, we need only octal because the value is no more than \(2^2 + 2^1 + 2^0 = 7\)). A 1 (one) means the permission is present; a 0 (zero) means the permission is not present.

rwx  =  4 + 2 + 1  =  7
rw-  =  4 + 2 + 0  =  6
r--  =  4 + 0 + 0  =  4
---  =  0 + 0 + 0  =  0
r-x  =  4 + 0 + 1  =  5

So, if you want a file to have permissions rw-rw-r--, that translates to a set of 3 octal numbers: 664. Rather than using chmod multiple times as in the previous section, you can do:

[myname@picotte001 myrsrchGrp]$ ls -l otherfile.txt
-r-------- 1 myname myrsrchGrp 0 May  4 12:24 otherfile.txt

[myname@picotte001 myrsrchGrp]$ chmod 664 otherfile.txt

[myname@picotte001 myrsrchGrp]$ ls -l otherfile.txt
-rw-rw-r--  1 myname myrsrchGrp   0 May  4 12:24 otherfile.txt
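As an added example (not from the original page), the table above done mechanically in shell: perm_to_octal takes the permission characters from ls -l, including the setgid s on a directory such as ARCHIVE, and prints the numeric mode chmod accepts. It goes slightly beyond the page by also recognising the setuid s and sticky t; the function names are chosen here.

```sh
# triple_to_digit: one owner/group/other set of three characters -> its
# octal digit, using the weights r=4, w=2, x=1 ('s' and 't' imply execute).
triple_to_digit() {
    d=0
    case $1 in r??) d=$((d + 4)) ;; esac
    case $1 in ?w?) d=$((d + 2)) ;; esac
    case $1 in ??[xst]) d=$((d + 1)) ;; esac
    echo "$d"
}

# perm_to_octal: 'rw-rw-r--' -> 664 and 'rwxrwsr-x' -> 2775. The 's' in the
# group triple is the setgid bit, which becomes a leading 2. A leading
# file-type character, as in 'drwxr-sr-x' copied from ls -l, is dropped.
perm_to_octal() {
    p=$1
    case $p in ??????????) p=${p#?} ;; esac
    case $p in
        [r-][w-][xs-][r-][w-][xs-][r-][w-][xt-]) ;;
        *) echo "perm_to_octal: bad permission string '$1'" >&2; return 1 ;;
    esac
    u=${p%??????}; o=${p#??????}; g=${p#???}; g=${g%???}
    s=0
    case $u in ??s) s=$((s + 4)) ;; esac   # setuid (not covered on this page)
    case $g in ??s) s=$((s + 2)) ;; esac   # setgid, as on ARCHIVE above
    case $o in ??t) s=$((s + 1)) ;; esac   # sticky bit (not covered on this page)
    [ "$s" -eq 0 ] && s=""                 # print a 4th digit only when needed
    echo "$s$(triple_to_digit "$u")$(triple_to_digit "$g")$(triple_to_digit "$o")"
}
```

Running perm_to_octal "$(ls -ld ARCHIVE | cut -c1-10)" in the directory listed above prints 2755, the mode you would pass to chmod to reproduce those permissions.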

umask

Most users will want their umask to be 0002.

The umask is a per-user setting which defines the default permissions on any new files or directories which are created. The value of umask can be seen by issuing the umask command:

[juser@picotte001 ~]$ umask
0022

This should be thought of as a set of 4 octal numbers.

The value 2 = \(2^1\), which is the 2nd place in the binary number representing permissions. It removes ("masks out") the w (write) permissions from the created file or directory.

We ignore the first digit in the 4-digit umask in this article, and only consider the 3 last digits.

The value 0000 is the most permissive:

  • new files will have permissions rw-rw-rw-
  • new directories will have permissions rwxrwxrwx

The value 0022 (default) means:

  • new files will have permissions rw-r--r--
  • new directories will have permissions rwxr-xr-x

The value 0002 means:

  • new files will have permissions rw-rw-r--
  • new directories will have permissions rwxrwxr-x

As mentioned above, the setgid bit will be inherited by any new directories created. And any new files created in a directory with the setgid bit would have the group of that parent directory.
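To check the umask rules above against real values, here is an added example (not part of the original page) that computes the mode a new file or directory receives under a given umask and prints both the octal form and the characters ls -l would show. The names default_mode, octal_to_perm and digit_to_triple are chosen here.

```sh
# digit_to_triple / octal_to_perm: numeric mode -> the characters ls -l
# shows, e.g. 664 -> 'rw-rw-r--'. A leading 4th digit (the special bits,
# such as setgid) is dropped, so 2775 -> 'rwxrwxr-x'.
digit_to_triple() {
    t=""
    for bit in 4:r 2:w 1:x; do          # weights from the table above
        [ $(( $1 & ${bit%:*} )) -ne 0 ] && t="$t${bit#*:}" || t="$t-"
    done
    echo "$t"
}
octal_to_perm() {
    m=$1
    case $m in ????) m=${m#?} ;; esac
    case $m in [0-7][0-7][0-7]) ;; *) echo "octal_to_perm: bad mode '$1'" >&2; return 1 ;; esac
    a=${m%??}; c=${m#??}; b=${m#?}; b=${b%?}
    echo "$(digit_to_triple "$a")$(digit_to_triple "$b")$(digit_to_triple "$c")"
}

# default_mode: what a new file (base 666) or directory (base 777) gets
# under a given umask: every bit set in the umask is cleared from the base.
# The first digit of a 4-digit umask has no effect here, as in the text.
default_mode() {
    case $1 in ''|*[!0-7]*|?????*) echo "default_mode: bad umask '$1'" >&2; return 1 ;; esac
    case $2 in file) base=0666 ;; dir) base=0777 ;;
        *) echo "default_mode: type must be file or dir" >&2; return 1 ;; esac
    m=$(( base & ~0$1 ))       # the leading 0 makes the shell read the umask as octal
    printf '%03o %s\n' "$m" "$(octal_to_perm "$(printf '%03o' "$m")")"
}
```

default_mode "$(umask)" dir shows what mkdir will create in the current shell, which is a quick way to confirm the 0002 recommendation above took effect.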

Access Control Lists (ACLs)

Certain filesystems (local disk, NFSv4, etc.) may have more fine-grained permissions mechanisms called Access Control Lists (ACLs). However, on the /ifs filesystem on Picotte, we use NFSv3 for performance reasons, which does not support ACLs.