Linux file permissions and Access modes

Source: Internet
Author: User

For more secure storage of files, Linux gives different permissions to different files, each with the following three permissions:

    • Owner permissions: What the file owner can do
    • Group permissions: Actions that can be made by the user group to which the file belongs
    • External permissions (other permissions): Actions that other users can make.
View File Permissions

Use the ls-l command to view information related to file permissions:

$ls-L/home/amrood-rwxr-xr--  1 amrood   users 1024x768  2 00:10  MYFILEDRWXR-XR---1 amrood   users 1024  Nov 2 00:10  Mydir

The first column contains the permissions for the file or directory.
The characters in the first column can be divided into three groups, each of which has three, and each character nonalphanumeric represents a different permission, read (R), write (w), and execute (x), respectively:

    • The first set of characters (2-4) represents the permissions of the owner of the file, and-rwxr-xr--indicates that the owner has read (R), write (w), and execute (x) permissions.
    • The second set of characters (5-7) represents the permissions of the user group to which the file belongs, and-rwxr-xr--indicates that the group has read (R) and execute (x) permissions, but no write permission.
    • The third set of characters (8-10) represents the permissions of all other users, and rwxr-xr--indicates that other users can only read (r) files.
File access mode

File permissions are the first security line of the Linux system, with basic permissions to read (R), write (w), and execute (x):

    • READ: The user can read the file information and view the contents of the file.
    • Write: The user can edit the file, write to the file, or delete the contents of the file.
    • Execute: The user can run the file as a program.
Directory Access mode

The access mode of the directory is similar to the file, but slightly different:

    • READ: Users can view files in a directory
    • Write: Users can delete files or create files in the current directory
    • Execute: Execute permissions give the user the right to traverse the directory, such as the Execute CD and the LS command.
Change permissions

You can use the chmod command to change the access permissions for a file or directory, which can be represented by symbols or numbers.

Using symbols to represent permissions

The simplest thing for beginners is to use symbols to change the permissions of a file or directory, you can add (+) and delete (-) permissions, or you can specify specific permissions.

symbols Description
+ Add permissions to a file or directory
- Permission to delete a file or directory
= Set the specified permissions

The following example modifies the permissions of the Testfile file:

$ls-L testfile-rwxrwxr--  1 amrood   users 1024x768  2 00:10  testfile$chmod o+wx testfile$ls-l testfile-rwxrwxrwx  1 Amrood   users 1024x768  2 00:10  testfile$chmod u-x testfile$ls-l testfile-rw-rwxrwx  1 Amrood   users 1024x768  2 00:10  testfile$chmod g=rx testfile$ls-l testfile-rw-r-xrwx  1 Amrood   users  2 00:10  testfile

You can also use multiple symbols at the same time:

$chmod O+wx,u-x,g=rx testfile$ls-l testfile-rw-r-xrwx  1 amrood   users 1024x768  2 00:10  testfile
Use numbers to represent permissions

In addition to symbols, you can use octal numbers to specify specific permissions, as shown in the following table:

Digital Description Permissions
0 Does not have any permissions ---
1 Execute permissions --x
2 Write permissions -w-
3 Execute permissions and Write permissions: 1 (Execute) + 2 (write) = 3 -wx
4 Read permissions r--
5 Read and Execute permissions: 4 (Read) + 1 (execution) = 5 R-x
6 Read and Write permissions: 4 (Read) + 2 (write) = 6 rw-
7 All rights: 4 (Read) + 2 (write) + 1 (execution) = 7 Rwx

In the following example, first use the ls-1 command to view the permissions of the Testfile file, and then use the chmod command to change the permissions:

$ls-L testfile-rwxrwxr--  1 amrood   users 1024x768  2 00:10  testfile$ chmod 755 testfile$ls-l testfile-rwx R-xr-x  1 Amrood   users 1024x768  2 00:10  testfile$chmod 743 testfile$ls-l testfile-rwxr---wx  1 Amrood   users  2 00:10  testfile$chmod 043 testfile$ls-l testfile----R---wx  1 amrood   Users  2 00:10  testfile
Change owners and user groups

In Linux, each new user is assigned a user ID and a group ID, and the file permissions mentioned above are assigned based on the user and group.
There are two commands that can change the owner or group of a file:

    • chown: The chown command is the "change owner" abbreviation that is used to alter the owner of the file.
    • chgrp: The CHGRP command is the "change group" abbreviation for changing the group in which the file resides.

The chown command is used to change the file owner with the following syntax:

$ chown User FileList

User can be either a username or a user ID, such as

$ chown Amrood testfile$

Change the owner of the testfile file to Amrood.
Note: Superuser Root can change the owner and user group of the file without restriction, but ordinary users can only change the owner's own files or directories.
The chgrp command is used to change the group to which the file belongs, with the following syntax:

$ CHGRP Group FileList

Group can be a group name or group ID, such as

$ CHGRP Special testfile$

Change the group of files testfile to special.

Suid and Sgid Bits

In Linux, some programs require special permissions to complete user-specified actions.
For example, the user's password is saved in the/etc/shadow file, and for security reasons, the user does not have read and write permissions. But when we use the passwd command to change the password, we need to have write access to the/etc/shadow file. This means that the passwd program must give us some special permission to write to the/etc/shadow file.
Linux gives ordinary users special privileges by setting SUID (set User ID) and Sgid (set Group ID) bits to the program. When we run a program with a suid bit, we inherit the permissions of the program owner, and if the program does not take suid bits, it will run according to the permissions of the program's users.
The same is true of Sgid. In general, the program will run according to your group permissions, but after you set sgid for the program, it will run according to the group permissions of the group in which the program is located.
If the program sets the SUID bit, the ' s ' letter appears where the file owner can execute the permission, and if Sgid is set, the ' s ' letter appears where the file group can execute the permission. As shown below:

$ ls-l/usr/bin/passwd-r-sr-xr-x  1   root   bin  19031 Feb 7 13:47  /usr/bin/passwd*$

The fourth character in the first column above is not ' X ' or '-', but ' s ', indicating that the/usr/bin/passwd file is set suid bit, and the normal user will execute the passwd program with the root user's permission.
Note: The lowercase letter ' s ' indicates that the file owner has execute permissions (x), and the capital letter ' s ' indicates that the program owner does not have execute permissions (x).
If the Sgid bit appears in the location that represents group permissions, then only three categories of users can delete files in that directory: Directory owner, file owner, Superuser root.
You can use the following command to set the SUID and Sgid bits for a directory:

$ chmod ug+s dirname$ ls-ldrwsr-sr-x 2 root root  4096 June 06:45 dirname$

Linux file permissions and Access modes

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.