Understanding UNIX and Linux Filesystem Permissions

When you’re working with files on Linux or UNIX systems, you’ll notice that file permissions are a lot different than how they work on Windows. You’ll notice that Linux assigns a number. If you’ve followed instructions for installing web software, you may have seen where you need to change the permissions to “777” or if you’re dealing with a private SSH key, you may have encountered a message that the permissions were too open.

Breaking down file permission groups

Something that you may not have noticed right away (or maybe you did if you’re really observant) is that file permissions are broken down into 3 groups: User, Group, and World (or Other). When you list out files in the CLI, you’ll see it displayed like this:

drwx------ 3 root root 17 Oct 28 11:41 .ansible
-rw-------. 1 root root 12884 Oct 31 18:25 .bash_history
-rw-r--r--. 1 root root 18 Aug 12 2018 .bash_logout
-rw-r--r--. 1 root root 176 Aug 12 2018 .bash_profile
-rw-r--r--. 1 root root 176 Aug 12 2018 .bashrc

The “drwx——” and “-rw-r–r–” are the file permissions for the respective files. But where are the groups?

The first character you see defines if it’s a file or directory. If you see a d, that means it’s a directory. Files will be a dash. Next, you’ll see 3 spaces, typically with letters. If we look at the .ansible directory for example, you’ll see “rwx”. These are the permissions for User. r means read, w means write, and x means execute.  You’ll see three more places and then another three. These are the Group and Other permissions, respectfully. Using our .ansible directory, Group and Other have no permissions to that directory. Just the root user. However, if we look at the .bashrc file (remember, I know this is a file because the first character is a dash) you will see that the root user can read and write the file, the root group can read the file, and others can read the file.

Hint: The dot you see at the end of some of the example files means that SELinux is enabled on the system and an ACL is in use. You won’t see this on all systems.

So how do these translate into numbers like 640, 600, 777, etc.? Let’s talk about that next.

Translating permissions numbers

Each of the file permissions translate into a number. Most commonly, you’ll see verbiage that says “and change the permissions to 640 on this file.” So what permissions are you setting?

Number Octal Permission Reference
0 No permission
1 Execute permission –x
2 Write permission -w-
3 Execute + Write permission (1+2 = 3) -wx
4 Read permission r–
5 Read + Execute permission (4+1 = 5) r-x
6 Read + Write permission (4+2 = 6) rw-
7 All permissions (4+2+1 = 7) rwx

 

Now you can understand when software documentation says “change permissions to 640 on this file”, you’re setting user permissions to rw-, group permissions to r–, and other permissions to —. Or in English: the user can read and write to the file, users in the group can read the file, but everyone else has no permissions.

If you’re coming from Windows, you might wonder how others would have permissions to the file. After all, on NTFS, you can set a lot of permissions on a single file. In UNIX (and Linux), things are simplified. For example, the Apache web server typically runs as the user apache in the group apache (or on Ubuntu systems, www-data user in the group www-data). Since the web server runs as apache, your default web directory (/var/www/html) needs to have at least read permissions. When software says that a directory needs to have the permissions 777, they’re saying that user, group, and other needs to be able to read, write, and execute anything in that directory. So if you have a directory you want others to access, they need to be members of the group that has access to that directory. It’s just that by default on Linux, there is a 1:1 match between a user and a group. Every user is a member of a group with their username. So if there is a folder that only “accounting” members should access, then you would need to add all the users to the “accounting” group.

Just the basics

This was just an introductory tour into the file permissions. We’ll dive in deeper in future articles!

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.