The first part focused on understanding the concept of file permissions. This part is about actually changing the permissions on files.
Changing the permissions through CLI
The command used to change file permissions is chmod. There are two ways to change file permissions with chmod:
Absolute Permissions
Symbolic Permissions
Absolute Permissions
Absolute permissions are the older way to set file permissions. The file permission is represented as three octal digits (0-7), for example 640, which is user=read+write, group=read and others=none. To break it down:
First number is user
Second number is group
Third number is others (everyone else).
The different types of privileges are represented with different numbers:
0 = none
1 = execute
2 = write
4 = read
3 and 5 - 7 combine two or more privileges:
3 = (2+1) write + execute
5 = (4+1) read + execute
6 = (4+2) read + write
7 = (4+2+1) read + write + execute
Common combinations of privileges:
Here are some common types of privileges a file could have:
777 = This means that owner, group and everyone else have all the rights, i.e. to read, write and execute. This is a dangerous permission to have on any file and you should avoid using it.
775 = The user and group can read, write and execute the file. Others can read and execute but cannot write.
755 = The owner can read, write and execute. Group members and everyone else can read and execute but cannot modify (write) the file.
700 = You are giving read, write and execute permission to the owner user but the group members and others have no permissions at all.
664 = The owner and group can read and write but cannot execute it. Others can read the file but cannot write or execute it. This is normally used for files that are not executable, like text files or audio files.
644 = The owner can read and write but cannot execute it. Group members and others can read the file but cannot write or execute it.
600 = You are giving read and write permission to the owner user. Group members and others cannot read, write or execute. Even the owner cannot execute the file with this permission set.
400 = The file can only be read by the owner. No one can write or execute it.
Invalid Privileges
There are some combinations that can be set but have no practical utility, because if you are going to edit or execute a file, you need at least read privileges. Therefore, any combination including these numbers is as good as none:
1 = Only execute
2 = Only write
3 = write + execute
An example of an invalid privilege would be 321 = user can write and execute but cannot read. Group can write but cannot read. Everyone else can execute but cannot read.
Tip: play with this Linux privilege calculator to get a grip on how to set privileges accordingly:
https://linuxhandbook.com/chmod-calculator/
Configure absolute privileges
To view the absolute privileges set on a file, you can use the stat command:
wl@computer:/media/wl/usb/Music$ stat -c "%a %n" *
640 AHHHHH.mp3
640 MI1 Main theme (Amiga).mp3
640 MI2 Introduction (Amiga).mp3
Note: I would not recommend using this command. It’s for demonstration only.
To let everyone (other) read the contents of these files, you could change it to 644:
sudo chmod -R 644 *
Explanation:
-R = recursive. It means to include subfolders if any
* = apply to all files in the current directory
wl@computer:/media/wl/usb/Music$ sudo chmod -R 644 *
wl@computer:/media/wl/usb/Music$ stat -c "%a %n" *
644 AHHHHH.mp3
644 MI1 Main theme (Amiga).mp3
644 MI2 Introduction (Amiga).mp3
Symbolic Privileges
Symbolic privileges are the newer way of setting privileges with chmod. The underlying logic is really the same, but instead of numbers it uses letters and symbols to represent privileges.
When you run an ls -l command, you can see the symbolic privileges. Those were explained in part 1:
wl@computer:/media/wl/usb/Music$ ls -l
total 5272
-rw-r--r-- 1 frank frank 1027690 feb. 22 2018 AHHHHH.mp3
-rw-r--r-- 1 frank frank 2104590 sep. 14 2013 'MI1 Main...
-rw-r--r-- 1 frank frank 2263922 sep. 14 2013 'MI2 ...
To recap the important stuff:
Privilege symbols are:
- = none
r = read
w = write
x = execute
User symbols are:
u = owner (user)
g = group
o = everyone else (other)
Invalid Privileges
As with absolute privileges, any privilege that omits the read privilege is useless. A few examples would be:
-wx
-w-
--x
Configure Symbolic Privileges
Remove privileges
Let’s set the files back to where they were before, i.e. User = read+write, Group = read and others = none.
sudo chmod -R o-r *
This means that:
read privileges (r);
will be removed (-);
for others (o);
for all files in current directory (*);
and sub-directories (-R).
wl@computer:/media/wl/usb/Music$ sudo chmod -R o-r *
[sudo] password for wl:
wl@elenor:/media/wl/usb/Music$ ls -l
total 5272
-rw-r----- 1 frank frank 1027690 feb. 22 2018 AHHHHH.mp3
-rw-r----- 1 frank frank 2104590 sep. 14 2013 'MI1 Main...
-rw-r----- 1 frank frank 2263922 sep. 14 2013 'MI2 ...
Add privileges
To set read privileges back for others, you use a + sign instead:
sudo chmod -R o+r *
Add multiple privileges at the same time
Setting read privileges on mp3 (audio) files is sufficient, but let’s imagine these were executable shell scripts instead. Then they would require execute privileges for everyone, in addition to read. Therefore, let’s grant execute privileges for owner, group and everyone else (others), just for demonstration purposes:
sudo chmod -R ugo+x *
wl@computer:/media/wl/usb/Music$ sudo chmod -R ugo+x *
wl@computer:/media/wl/usb/Music$ ls -l
total 5272
-rwxr-xr-x 1 frank frank 1027690 feb. 22 2018 AHHHHH.mp3
-rwxr-xr-x 1 frank frank 2104590 sep. 14 2013 'MI1 Main theme ...
-rwxr-xr-x 1 frank frank 2263922 sep. 14 2013 'MI2 Introduction ...
As you can see, you can configure multiple kinds of users and multiple kinds of privileges at the same time. To set the equivalent of absolute privilege of 777, the command would be:
sudo chmod -R ugo+rwx *
The only case where absolute privileges are more flexible is when you need to set different privileges per user. For example, to set the following privileges:
User = Read & Write, Group = Read, Others = none
With Absolute privileges:
wl@computer:/media/wl/usb/Music$ sudo chmod -R 640 *
With symbolic privileges:
wl@computer:/media/wl/usb/Music$ sudo chmod -R ugo-rwx *
wl@computer:/media/wl/usb/Music$ sudo chmod -R ug+r *
wl@computer:/media/wl/usb/Music$ sudo chmod -R u+w *
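An added example, not part of the original tutorial: chmod also accepts several symbolic clauses in one call (u=rw,g=r,o=), and because -R applies the same mode to sub-directories, which need the execute bit to be entered, this sketch sets files and directories separately with find. The function names and the sample tree are constructed for illustration, and stat -c assumes GNU coreutils as in the stat output shown earlier.

```shell
#!/bin/sh
# Added example (not the tutorial's own code). All names are hypothetical.

# set_tree_modes DIR
#   directories -> u=rwx,g=rx,o=  (750, execute bit kept so they can be entered)
#   files       -> u=rw,g=r,o=    (640, same result as "chmod 640")
set_tree_modes() {
    find "$1" -type d -exec chmod u=rwx,g=rx,o= {} +
    find "$1" -type f -exec chmod u=rw,g=r,o= {} +
}

# mode_of PATH: print the octal mode, like "stat -c %a" in the tutorial
mode_of() {
    stat -c '%a' "$1"
}

# list_other_writable DIR: print every file or directory that "others"
# can write to (the problem with 777-style permissions)
list_other_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002
}

# demo: build a constructed sample tree, open it up to 777, then lock it down
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/Music/Amiga"
    : > "$tmp/Music/AHHHHH.mp3"
    : > "$tmp/Music/Amiga/MI1 Main theme (Amiga).mp3"

    chmod -R 777 "$tmp/Music"
    echo "Writable by others before:"
    list_other_writable "$tmp/Music"

    set_tree_modes "$tmp/Music"
    echo "Modes after set_tree_modes:"
    find "$tmp/Music" -exec stat -c '%a %n' {} +

    echo "Writable by others after:"
    list_other_writable "$tmp/Music"
    rm -rf "$tmp"
}

demo
```

Running list_other_writable on a tree before and after a permission change is a quick check that no 777-style modes are left behind.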
And that, I believe, is the end of this tutorial.