Understanding Basic Linux Permissions

Photo from Unsplash by Alex Pudov

Permissions are one of the first lines of defense when securing a Linux system. From my days as a LAMP-stack admin at a web host, I remember frequently explaining different PHP handlers to customers – both their security implications and trade offs. The security consideration was largely due to system permissions.

OVERVIEW

In this tutorial, we’ll cover basic Linux permissions. Doing so will help us understand what files can be accessed by which users and processes.

Outline

  • The Three Basic File Permissions
    • Read
    • Write
    • Execute
  • Understanding the Letter Values
    • RWX Form
    • Viewing Permissions
    • File Permission Sections
  • Understanding Numeric Form
    • 4-2-1-0
    • Combining Permissions
    • Common Permission Combinations

Prerequisites

THE THREE BASIC FILE PERMISSIONS

When dealing with Linux file permissions, there are three basic types: read, write, and execute. Depending on which permissions are available to a user or process, it will determine how that user or process can interact with the file/folder in question.

Read

The “read” permission means that a user, or process, can view the contents of a file/folder. For example, if it’s a text file, you may read it:

[[email protected] ~]$ cat foo.txt
Hi!
This is an example of a file you can view.

If it’s a directory, you may view the contents of the directory:

[[email protected] ~]$ ls /var/
adm    crash  empty  gopher    lib    lock  mail  opt       run    tmp
cache  db     games  kerberos  local  log   nis   preserve  spool  yp

Write

The “write” permission means that you can change a file. So, you can edit, rename, or delete the file.

[[email protected] ~]$ echo Hello! > foo.txt
[[email protected] ~]$ cat foo.txt
Hello!
[[email protected] ~]$ ls
foo.txt
[[email protected] ~]$ mv foo.txt bar.txt
[[email protected] ~]$ ls
bar.txt
[[email protected] ~]$ rm bar.txt

If it’s a plain text file, you can change its contents. If it’s an image file you can overwrite it. If it’s a spreadsheet, you may add/remove entries from it. If it’s a directory, you may edit the directory; i.e., rename or delete it.

NOTE: Singular Write Permission
If you only have the “write” permission to a file, while you might not be able to see/view the file, you can still modify or delete it.

Execute

The “execute” permission, in conjunction with the “read” permission, means that you can run the file/program. If you have the “execute” permission only, you won’t be able to run the file/program. For example, when you execute any command on Linux, it’s because you have “read” and “execute” permissions for that command.

NOTE: Linux Commands
While you might be able to execute most commands, you’ll likely find that you won’t be able to edit those commands because you won’t have the “write” permission for it.

For example, you can execute the hostname command with or without the full path:

[[email protected] ~]$ /bin/hostname
centos07.domain.lan
[[email protected] ~]$ hostname
centos07.domain.lan

UNDERSTANDING THE LETTER VALUES

RWX Form

To truncate things, each permission has a shorthand letter assigned to it:

  • r – read
  • w – write
  • x – execute

Viewing Permissions

To view the permissions of a specific file, use the ls command with the -l flag and the file name: ls -al /<PathToFile>.

[[email protected]$ ls -l ~/.bashrc
-rw-r--r-- 1 penguin penguin 193 Aug 8  2019 /home/penguin/.bashrc

Similarly, to view the permissions of all files in a directory, use the ls command with the -l flag and the directory name: ls -al /<PathToDirectory>/.

[[email protected] ~]$ ls -l /etc/
total 1060
-rw-r--r--.  1 root root       16 Sep 23  2019 adjtime
-rw-r--r--.  1 root root     1518 Jun  7  2013 aliases
-rw-r--r--.  1 root root    12288 Sep 23  2019 aliases.db
drwxr-xr-x.  2 root root      236 Nov 20  2019 alternatives
-rw-------.  1 root root      541 Aug  8  2019 anacrontab
-rw-r--r--.  1 root root       55 Aug  8  2019 asound.conf
drwxr-x---.  3 root root       43 Nov 20  2019 audisp
drwxr-x---.  3 root root       83 Nov 20  2019 audit
drwxr-xr-x.  2 root root       22 Nov 20  2019 bash_completion.d
...

You’ll find the permissions for each file, in RWX form, on the left side of the terminal.

File Permission Sections

Now that you know where the permissions can be viewed, let’s break down each section. We’ll only be focusing on the first few fields – Here is an example:

[[email protected] ~]$ ls -l example.txt
-rwxr-x---. 1 penguin bear 0 Jul 18 16:09 example.txt

NOTE: The First Character
The first character tells us the type of file:
“-” = A normal file
“d” = A directory/folder
“l” = Link (a shortcut to another file)

Ignore the first character, -, and look at the next three characters after that (2-4); these represent the user’s permissions. The user that’s being referenced is the first name you see to the right of the permissions (the third field). In the example above, the permissions are rwx for the penguin user. This means that the penguin user can read, write, and execute the example.txt file.

The middle three characters (5-7) represent a group’s permissions. The group that’s being referenced is the second name you see to the right of the permissions (the fourth field). Using the same example, the permissions are r-x for the bear group. This means that any users that are a part of the bear group can only read and execute the example.txt file.

The last three characters (8-10) represent others’ permissions. There’s no need to display this field because it’s simply everyone else that’s not the penguin user or a part of the bear group. In the example, there are no permissions for others: ---. Others may not read, write, or execute the example.txt file.

UNDERSTANDING NUMERIC FORM

Writing out -rwxr-x--- every time you want to define permissions would be inconvenient; luckily, there is a functional shorthand available by using numbers instead of letters.

4-2-1-0

Each permission has a numeric value assigned to it:

  • 4 = r-- = read
  • 2 = -w- = write
  • 1 = --x = execute
  • 0 = --- = no permission

So, for a single file, if the user has write permissions, a group has read permissions, and others have execute permissions, the RWX form would be --w-r----x while the numeric equivalent would be 241.

Here’s several examples of changing and viewing the permissions for example.txt using singular values: “4-2-1-0”:

[[email protected] ~]$ chmod 241 example.txt ;ls -l example.txt
--w-r----x. 1 penguin bear 0 Jul 19 19:01 example.txt
[[email protected] ~]$ chmod 214 example.txt ;ls -l example.txt
--w---xr--. 1 penguin bear 0 Jul 19 19:01 example.txt
[[email protected] ~]$ chmod 124 example.txt ;ls -l example.txt
---x-w-r--. 1 penguin bear 0 Jul 19 19:01 example.txt
[[email protected] ~]$ chmod 142 example.txt ;ls -l example.txt
---xr---w-. 1 penguin bear 0 Jul 19 19:01 example.txt
[[email protected] ~]$ chmod 412 example.txt ;ls -l example.txt
-r----x-w-. 1 penguin bear 0 Jul 19 19:01 example.txt
[[email protected] ~]$ chmod 421 example.txt ;ls -l example.txt
-r---w---x. 1 penguin bear 0 Jul 19 19:01 example.txt

Combining Permissions

Now, if a user or group has multiple permissions to a file, you simply add the numeric values together. For example, if a user has both read and write permissions, you would add 4 and 2 to get 6.

No matter how you combine permissions, you’ll always get a unique numeric value for it:

  • 7 = rwx = read, write, & execute
  • 6 = rw- = read & write
  • 5 = r-x = read & execute
  • 3 = -wx = write & execute

Common Permission Combinations

Here are a few common combinations you’ll see on Linux systems:

  • Files: 644
    • Only the user can edit the file, while others can view it
  • Folders & executable commands: 755
    • A folder in which everyone can see its contents
    • A command that everyone can run
  • Temporary files/directories: 777
    • For special cases or testing
    • Not secure at all
  • Secure files/folders: 600
    • A privileged file that only the user can read and write

CONCLUSION

Great! We’ve gone over various aspects of file permissions which enables us to understand access to those files:

  • Basic permissions
  • Letter values
  • Numeric values

Moreover, we’ve only covered basic file permissions – There are more permissions for special cases.

Leave a Reply