Permissions are one of the first lines of defense when securing a Linux system. From my days as a LAMP-stack admin at a web host, I remember frequently explaining the different PHP handlers to customers, both their security implications and their trade-offs. The security consideration came down largely to system permissions.
OVERVIEW
In this tutorial, we’ll cover basic Linux permissions. Doing so will help us understand which files can be accessed by which users and processes.
Outline
- The Three Basic File Permissions
- Read
- Write
- Execute
- Understanding the Letter Values
- RWX Form
- Viewing Permissions
- File Permission Sections
- Understanding Numeric Form
- 4-2-1-0
- Combining Permissions
- Common Permission Combinations
Prerequisites
THE THREE BASIC FILE PERMISSIONS
When dealing with Linux file permissions, there are three basic types: read, write, and execute. The permissions available to a user or process determine how that user or process can interact with the file/folder in question.
Read
The “read” permission means that a user, or process, can view the contents of a file/folder. For example, if it’s a text file, you may read it:
[penguin@centos07 ~]$ cat foo.txt
Hi!
This is an example of a file you can view.
If it’s a directory, you may view the contents of the directory:
[penguin@centos07 ~]$ ls /var/
adm crash empty gopher lib lock mail opt run tmp
cache db games kerberos local log nis preserve spool yp
Write
The “write” permission means that you can change a file. So, you can edit, rename, or delete the file.
[penguin@centos07 ~]$ echo Hello! > foo.txt
[penguin@centos07 ~]$ cat foo.txt
Hello!
[penguin@centos07 ~]$ ls
foo.txt
[penguin@centos07 ~]$ mv foo.txt bar.txt
[penguin@centos07 ~]$ ls
bar.txt
[penguin@centos07 ~]$ rm bar.txt
If it’s a plain text file, you can change its contents. If it’s an image file you can overwrite it. If it’s a spreadsheet, you may add/remove entries from it. If it’s a directory, you may edit the directory; i.e., rename or delete it.
NOTE: Singular Write Permission
If you only have the “write” permission to a file, while you might not be able to see/view the file, you can still modify or delete it.
Execute
The “execute” permission, in conjunction with the “read” permission, means that you can run the file/program. If you have the “execute” permission only, you won’t be able to run the file/program. For example, when you execute any command on Linux, it’s because you have “read” and “execute” permissions for that command.
NOTE: Linux Commands
While you might be able to execute most commands, you’ll likely find that you can’t edit them, because you won’t have the “write” permission for them.
For example, you can execute the hostname command with or without the full path:
[penguin@centos07 ~]$ /bin/hostname
centos07.domain.lan
[penguin@centos07 ~]$ hostname
centos07.domain.lan
UNDERSTANDING THE LETTER VALUES
RWX Form
To keep things short, each permission has a shorthand letter assigned to it:
- r – read
- w – write
- x – execute
Viewing Permissions
To view the permissions of a specific file, use the ls command with the -l flag and the file name: ls -al /<PathToFile>.
[penguin@centos07 ~]$ ls -l ~/.bashrc
-rw-r--r-- 1 penguin penguin 193 Aug 8 2019 /home/penguin/.bashrc
Similarly, to view the permissions of all files in a directory, use the ls command with the -l flag and the directory name: ls -al /<PathToDirectory>/.
[penguin@centos07 ~]$ ls -l /etc/
total 1060
-rw-r--r--. 1 root root 16 Sep 23 2019 adjtime
-rw-r--r--. 1 root root 1518 Jun 7 2013 aliases
-rw-r--r--. 1 root root 12288 Sep 23 2019 aliases.db
drwxr-xr-x. 2 root root 236 Nov 20 2019 alternatives
-rw-------. 1 root root 541 Aug 8 2019 anacrontab
-rw-r--r--. 1 root root 55 Aug 8 2019 asound.conf
drwxr-x---. 3 root root 43 Nov 20 2019 audisp
drwxr-x---. 3 root root 83 Nov 20 2019 audit
drwxr-xr-x. 2 root root 22 Nov 20 2019 bash_completion.d
...
You’ll find the permissions for each file, in RWX form, on the left side of the terminal.
File Permission Sections
Now that you know where the permissions can be viewed, let’s break down each section. We’ll focus only on the first few fields. Here is an example:
[penguin@centos07 ~]$ ls -l example.txt
-rwxr-x---. 1 penguin bear 0 Jul 18 16:09 example.txt
NOTE: The First Character
The first character tells us the type of file:
“-” = A normal file
“d” = A directory/folder
“l” = Link (a shortcut to another file)
Ignore the first character, -, and look at the next three characters after that (2-4); these represent the user’s permissions. The user being referenced is the first name you see to the right of the permissions (the third field). In the example above, the permissions are rwx for the penguin user. This means that the penguin user can read, write, and execute the example.txt file.
The middle three characters (5-7) represent a group’s permissions. The group being referenced is the second name you see to the right of the permissions (the fourth field). Using the same example, the permissions are r-x for the bear group. This means that any user who is a member of the bear group can only read and execute the example.txt file.
The last three characters (8-10) represent others’ permissions. No name is displayed for this field because “others” simply means everyone who is not the penguin user and not a member of the bear group. In the example, there are no permissions for others: ---. Others may not read, write, or execute the example.txt file.
UNDERSTANDING NUMERIC FORM
Writing out -rwxr-x--- every time you want to define permissions would be inconvenient; luckily, there is a functional shorthand available by using numbers instead of letters.
4-2-1-0
Each permission has a numeric value assigned to it:
- 4 = r-- = read
- 2 = -w- = write
- 1 = --x = execute
- 0 = --- = no permission
So, for a single file, if the user has write permission, the group has read permission, and others have execute permission, the RWX form would be --w-r----x while the numeric equivalent would be 241.
Here are several examples of changing and viewing the permissions for example.txt using the single values 4, 2, 1, and 0:
[penguin@centos07 ~]$ chmod 241 example.txt ;ls -l example.txt
--w-r----x. 1 penguin bear 0 Jul 19 19:01 example.txt
[penguin@centos07 ~]$ chmod 214 example.txt ;ls -l example.txt
--w---xr--. 1 penguin bear 0 Jul 19 19:01 example.txt
[penguin@centos07 ~]$ chmod 124 example.txt ;ls -l example.txt
---x-w-r--. 1 penguin bear 0 Jul 19 19:01 example.txt
[penguin@centos07 ~]$ chmod 142 example.txt ;ls -l example.txt
---xr---w-. 1 penguin bear 0 Jul 19 19:01 example.txt
[penguin@centos07 ~]$ chmod 412 example.txt ;ls -l example.txt
-r----x-w-. 1 penguin bear 0 Jul 19 19:01 example.txt
[penguin@centos07 ~]$ chmod 421 example.txt ;ls -l example.txt
-r---w---x. 1 penguin bear 0 Jul 19 19:01 example.txt
Combining Permissions
Now, if a user or group has multiple permissions to a file, you simply add the numeric values together. For example, if a user has both read and write permissions, you would add 4 and 2 to get 6.
No matter how you combine permissions, you’ll always get a unique numeric value for it:
- 7 = rwx = read, write, & execute
- 6 = rw- = read & write
- 5 = r-x = read & execute
- 3 = -wx = write & execute
Common Permission Combinations
Here are a few common combinations you’ll see on Linux systems:
- Files: 644
  - Only the user can edit the file, while others can view it
- Folders & executable commands: 755
  - A folder in which everyone can see its contents
  - A command that everyone can run
- Temporary files/directories: 777
  - For special cases or testing
  - Not secure at all
- Secure files/folders: 600
  - A privileged file that only the user can read and write
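As an added defender's check (not part of the original post), the following shell snippet uses find to list every file or directory under a path whose others permission includes write, the bit that makes 777 “not secure at all” in the list above. The helper names and the sample tree are constructed for this example.

```shell
#!/bin/sh
# Added example: locate files and directories that anyone on the system can
# modify ("others" have the write bit set, as in 777 or 666).
# -perm -002 is the octal form of "others-write is set"; the leading dash
# means "all of these bits must be present", so 777, 766 and 622 all match.
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002
}

# Count the hits so the result can be checked from a script or a cron job.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Build a small constructed tree with the common modes from the list above,
# so the check can be exercised without touching real system files.
make_sample_tree() {
    dir=$(mktemp -d)
    : > "$dir/notes.txt";   chmod 644 "$dir/notes.txt"    # user edits, others view
    : > "$dir/secret.key";  chmod 600 "$dir/secret.key"   # user only
    : > "$dir/scratch.tmp"; chmod 777 "$dir/scratch.tmp"  # world-writable
    mkdir "$dir/public";    chmod 755 "$dir/public"       # everyone can list it
    printf '%s\n' "$dir"
}

# Usage: sample=$(make_sample_tree); find_world_writable "$sample"; rm -rf "$sample"
```

Run find_world_writable against a web root or a home directory to spot the 777 leftovers that tend to survive testing.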
CONCLUSION
Great! We’ve gone over various aspects of file permissions, which help us understand who has access to those files:
- Basic permissions
- Letter values
- Numeric values
Note that we’ve only covered basic file permissions; there are more permissions for special cases.