Permissions are one of the first lines of defense when securing a Linux system. From my days as a LAMP-stack admin at a web host, I remember frequently explaining different PHP handlers to customers, both their security implications and their trade-offs. The security consideration was largely a matter of system permissions.
In this tutorial, we'll cover basic Linux permissions. Doing so will help us understand which files can be accessed by which users and processes.
- The Three Basic File Permissions
- Understanding the Letter Values
- RWX Form
- Viewing Permissions
- File Permission Sections
- Understanding Numeric Form
- Combining Permissions
- Common Permission Combinations
THE THREE BASIC FILE PERMISSIONS
When dealing with Linux file permissions, there are three basic types: read, write, and execute. The permissions granted to a user or process determine how that user or process can interact with the file or directory in question.
The “read” permission means that a user, or process, can view the contents of a file/folder. For example, if it’s a text file, you may read it:
```
[penguin@centos07 ~]$ cat foo.txt
Hi! This is an example of a file you can view.
```
If it’s a directory, you may view the contents of the directory:
```
[penguin@centos07 ~]$ ls /var/
adm    crash  empty  gopher    lib    lock  mail  opt       run    tmp
cache  db     games  kerberos  local  log   nis   preserve  spool  yp
```
The “write” permission means that you can change a file. So, you can edit, rename, or delete the file.
```
[penguin@centos07 ~]$ echo Hello! > foo.txt
[penguin@centos07 ~]$ cat foo.txt
Hello!
[penguin@centos07 ~]$ ls
foo.txt
[penguin@centos07 ~]$ mv foo.txt bar.txt
[penguin@centos07 ~]$ ls
bar.txt
[penguin@centos07 ~]$ rm bar.txt
```
If it’s a plain text file, you can change its contents. If it’s an image file you can overwrite it. If it’s a spreadsheet, you may add/remove entries from it. If it’s a directory, you may edit the directory; i.e., rename or delete it.
NOTE: Singular Write Permission
If you only have the "write" permission to a file, you can still modify or delete it even though you might not be able to see or view its contents.
The “execute” permission, in conjunction with the “read” permission, means that you can run the file/program. If you have the “execute” permission only, you won’t be able to run the file/program. For example, when you execute any command on Linux, it’s because you have “read” and “execute” permissions for that command.
NOTE: Linux Commands
While you might be able to execute most commands, you'll likely find that you can't edit those commands, because you don't have the "write" permission for them.
For example, you can execute the hostname command with or without the full path:
```
[penguin@centos07 ~]$ /bin/hostname
centos07.domain.lan
[penguin@centos07 ~]$ hostname
centos07.domain.lan
```
UNDERSTANDING THE LETTER VALUES
As a shorthand, each permission has a letter assigned to it:
- r – read
- w – write
- x – execute
To view the permissions of a specific file, use the ls command with the -l flag and the file name: ls -al /<PathToFile>.
```
[penguin@centos07 ~]$ ls -l ~/.bashrc
-rw-r--r-- 1 penguin penguin 193 Aug  8  2019 /home/penguin/.bashrc
```
Similarly, to view the permissions of all files in a directory, use the ls command with the -l flag and the directory name: ls -al /<PathToDirectory>/.
```
[penguin@centos07 ~]$ ls -l /etc/
total 1060
-rw-r--r--. 1 root root    16 Sep 23  2019 adjtime
-rw-r--r--. 1 root root  1518 Jun  7  2013 aliases
-rw-r--r--. 1 root root 12288 Sep 23  2019 aliases.db
drwxr-xr-x. 2 root root   236 Nov 20  2019 alternatives
-rw-------. 1 root root   541 Aug  8  2019 anacrontab
-rw-r--r--. 1 root root    55 Aug  8  2019 asound.conf
drwxr-x---. 3 root root    43 Nov 20  2019 audisp
drwxr-x---. 3 root root    83 Nov 20  2019 audit
drwxr-xr-x. 2 root root    22 Nov 20  2019 bash_completion.d
...
```
You'll find the permissions for each file, in RWX form, in the leftmost column of the output.
File Permission Sections
Now that you know where the permissions can be viewed, let's break down each section. We'll focus only on the first few fields. Here is an example:
```
[penguin@centos07 ~]$ ls -l example.txt
-rwxr-x---. 1 penguin bear 0 Jul 18 16:09 example.txt
```
NOTE: The First Character
The first character tells us the type of file:
- "-" = a normal file
- "d" = a directory/folder
- "l" = a link (a shortcut to another file)
Ignore the first character, -, and look at the next three characters after it (2-4); these represent the user's permissions. The user being referenced is the first name you see to the right of the permissions (the third field). In the example above, the permissions are rwx for the penguin user. This means that the penguin user can read, write, and execute the example.txt file.
The middle three characters (5-7) represent a group's permissions. The group being referenced is the second name you see to the right of the permissions (the fourth field). Using the same example, the permissions are r-x for the bear group. This means that any user who is a member of the bear group can only read and execute the example.txt file.
The last three characters (8-10) represent others' permissions. There's no need to display this field by name, because it's simply everyone else who is neither the penguin user nor a member of the bear group. In the example, there are no permissions for others: ---. Others may not read, write, or execute the example.txt file.
UNDERSTANDING NUMERIC FORM
Writing out -rwxr-x--- every time you want to define permissions would be inconvenient; luckily, there is a functional shorthand available that uses numbers instead of letters.
Each permission has a numeric value assigned to it:
- r = 4 (read)
- w = 2 (write)
- x = 1 (execute)
- - = 0 (no permission)
So, for a single file, if the user has the write permission, the group has the read permission, and others have the execute permission, the RWX form would be --w-r----x, while the numeric equivalent would be 241.
Here are several examples of changing and viewing the permissions for example.txt using single values (4, 2, 1, or 0 per section):
```
[penguin@centos07 ~]$ chmod 241 example.txt ;ls -l example.txt
--w-r----x. 1 penguin bear 0 Jul 19 19:01 example.txt
[penguin@centos07 ~]$ chmod 214 example.txt ;ls -l example.txt
--w---xr--. 1 penguin bear 0 Jul 19 19:01 example.txt
[penguin@centos07 ~]$ chmod 124 example.txt ;ls -l example.txt
---x-w-r--. 1 penguin bear 0 Jul 19 19:01 example.txt
[penguin@centos07 ~]$ chmod 142 example.txt ;ls -l example.txt
---xr---w-. 1 penguin bear 0 Jul 19 19:01 example.txt
[penguin@centos07 ~]$ chmod 412 example.txt ;ls -l example.txt
-r----x-w-. 1 penguin bear 0 Jul 19 19:01 example.txt
[penguin@centos07 ~]$ chmod 421 example.txt ;ls -l example.txt
-r---w---x. 1 penguin bear 0 Jul 19 19:01 example.txt
```
Now, if a user or group has multiple permissions to a file, you simply add the numeric values together. For example, if a user has both read and write permissions, you would add 4 and 2 to get 6.
No matter how you combine permissions, you'll always get a unique numeric value for the combination:
- rwx = 7 = read, write, and execute (4 + 2 + 1)
- rw- = 6 = read and write (4 + 2)
- r-x = 5 = read and execute (4 + 1)
- -wx = 3 = write and execute (2 + 1)
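To tie the permission sections and the numeric form together, here is an added example (not code from the original tutorial) that converts an ls -l permission string such as -rwxr-x---. into its 4-2-1 numeric form and back, and works out which of the three sections applies to a given user. It goes one step beyond the text: it applies the rule that only the first matching class (owner, then group, then others) is consulted, so an owner whose own section is --- is denied even when others have rwx. The user/group names follow the tutorial (penguin, bear); the function names are my own.

```python
# Added example, not part of the original tutorial. Uses the tutorial's
# 4-2-1 numeric values and its owner/group/others sections. Assumes plain
# Unix permission bits only (no ACLs, no root privileges, no special bits).

BITS = {"r": 4, "w": 2, "x": 1}  # numeric value of each permission letter


def split_triplets(perms: str) -> tuple:
    """Split an 'ls -l' permission string such as '-rwxr-x---.' into
    (user, group, others). The leading type character ('-', 'd', 'l') and a
    trailing '.' or '+' (SELinux context / ACL marker) are tolerated."""
    body = perms.rstrip(".+")[-9:]
    if len(body) != 9 or any(ch not in "rwx-" for ch in body):
        raise ValueError("not an rwx permission string: %r" % perms)
    return body[0:3], body[3:6], body[6:9]


def triplet_to_number(triplet: str) -> int:
    """'r-x' -> 5: add the value of every letter that is present (4 + 1)."""
    return sum(BITS[ch] for ch in triplet if ch != "-")


def rwx_to_numeric(perms: str) -> str:
    """'-rwxr-x---.' -> '750'; '--w-r----x' -> '241'."""
    return "".join(str(triplet_to_number(t)) for t in split_triplets(perms))


def numeric_to_rwx(mode: str) -> str:
    """'241' -> '-w-r----x': decompose each digit back into r, w, x."""
    out = []
    for digit in mode[-3:]:  # use only the three user/group/others digits
        n = int(digit)
        out.append("".join(ch if n & bit else "-" for ch, bit in BITS.items()))
    return "".join(out)


def effective_triplet(perms: str, owner: str, group: str,
                      user: str, user_groups: set) -> str:
    """Return the section that applies to `user`: the user section if the
    user owns the file, otherwise the group section if the user belongs to
    the file's group, otherwise the others section. Only the first match
    counts, so an owner with '---' is denied even when others have 'rwx'."""
    u, g, o = split_triplets(perms)
    if user == owner:
        return u
    if group in user_groups:
        return g
    return o
```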
Common Permission Combinations
Here are a few common combinations you'll see on Linux systems:
- Only the user can edit the file, while others can view it
- Folders and executable commands:
  - A folder in which everyone can see its contents
  - A command that everyone can run
- Temporary files/directories:
  - For special cases or testing
  - Not secure at all
- Secure files/folders:
  - A privileged file that only the user can read and write
Great! We've gone over the various aspects of file permissions that let us understand who has access to which files:
- Basic permissions
- Letter values
- Numeric values
Keep in mind that we've only covered basic file permissions; there are additional permission bits for special cases.