According to the creators, Linux systems are multi-user and Multiple Access Rights operating systems, i.e. they allow multiple users to work with the same system without interfering with each other. But users who share file access risk revealing sensitive information or even losing data if other users gain access to their files or directories.
To solve this problem, Linux has added mechanisms for ownership and access rights to files (or directories) to indicate what permissions each user has over a particular file (or directory).
Types of users in Linux
Each file and directory in Linux has three categories of users:
- Owner: the user who created the file/directory.
- Group: all users belonging to a certain specified group will have the same group permissions to access the file. Let’s say you have a project where several people require access to a file. Instead of manually assigning access rights to each user, you can add them all to the same group and assign group access rights to the file so that only members of this group (and no one else) can read or modify files. Even if you are the only user of the system, you will still be part of many groups.
- Others (all other users): any other user who has access to the file. It is not the owner of the file, and it does not belong to a group that could own the file.
In other words, An owner is a single user, a group is a collection of users, and the rest is a collection of all other users in the system.
Note: In this article, I will use the general term “file”, but all actions can also be applied to directories.
Now let’s imagine this situation: suppose we have two users A and B, we need to make sure that user A cannot influence the file containing vital information/data of user B. The question arises: “How does Linux distinguish between these user categories?”. For example, you don’t want your colleague who works on your Linux computer to view your images. This is where the access rights that determine user behavior come into play.
Access Rights/Permissions
Each file and directory in Linux has the following three types of permissions for all three of the user categories described above:
- Reading/View (Read): This gives you the right to open and read the file. Permission to read a folder allows you to view its contents.
- Record/Change (Write): This gives you the right to change the contents of the file. The directory writes permission gives you the right to add, delete, and rename files stored in the directory. Consider a scenario where you have permission to write to a file, but no permission to write to the directory where the file is stored. You can change the contents of the file, but you can’t rename, move, or delete the file from the directory.
- Execution (eXecute): On Linux, you won’t be able to run a program if you don’t have to execute permission, but you can still see/modify the program code (assuming read and write permissions are set), but not run it.
Practical example
Consider the following example:
Here is the owner (azahar) of the file test.txt (which I created in advance in the folder /home/azahar/Documents) has access to its “Read and Write”, while other members of its group (its name is the same as the owner’s name-azahar), as well as all other users who are not part of this group, have access to “Read Only”. So they can open the file, but they can’t make changes to it.
To change the file permissions, the user can open the drop-down menu and select the appropriate permission for each user category. Alternatively, you can make a file executable, allowing it to run as a program by checking the box "Allow executing file as program".
Note: This command is used to display the contents of directories and information about files. The key –lis used to display detailed information about access rights, owner, file size, and so on.
If you apply the command ls -lto our file test.txt, then we will observe the following output:
The output contains the following information:
Let’s look at it in detail:
- Type: Indicates the type of object. This can be a regular file (
-), directory (d), or link (l). - Permissions: This field displays a set of permissions for the file, which we’ll discuss later.
- Hard link: Displays the number of links available to the file. The default value is set to
1. - Owner: Name of the user who owns the file. Often (but not always) matches the name of its creator.
- Group: A group that has access to the file. Only one group can own a file at a time.
- Size: Indicates the file size in bytes.
- Modification date: Date and time when the file was last modified.
- File Name: Indicates the Name of the file.
Information about access rights to the file is grouped into a string of characters preceded by -. At the same time, each letter sets a certain resolution, namely:
r(read): permission to read/view the file;-
w(write): permission to write/modify the file; x(execute): permission to execute the file;–: there is no permission set.
Users who have Read permission can see the contents of the file (or files in the directory), but they cannot change it (or add/remove files in the directory). On the other hand, those who have to Write permissions can edit (add and delete) files. Finally, the ability to do This means that the user can run the file. This option is mainly used to run scripts.
Permissions always go in this order, that is rwx. And then, they are set for all three categories of users in order Owner, Group, and Others/Other services:
So, if you arm yourself with the above picture and look at the output of the commandls –l, you can tell the following things about file access rights: test.txt:
-rw-rw-r-- 1 azahar azahar 216 Oct 31 10:54 /home/azahar/Documents/test.txt
What do we see?
The owner of azahar has read and write access to the file.
The azahar group has read-only permissions.
Other users (everyone who has access to the system) can also read the file only. You don’t need to know who this other user is, because all other users are treated differently.
Now let’s try applying the same command ls -lto a different file:
azahar@azahar-HP-Pavilion-Notebook:~$ ls -l /bin/ping
-rwxr-xr-x 1 root root 77432 Oct 31 10:54 /bin/ping
What do we see?
The owner of the file is the root user, who has access rights to read, modify, and execute the file (rwx).
All members of the root group have access to read and execute the file (r-x).
Other users also have access to read and execute the file (r-x).
Note that a single user can be a member of several groups, but only the main user group can be assigned to a file. The main user group can be found using the commandid, for example,-gn <username>id. Leave Username blank if you want to get information about your primary group.
Now you know how to find out the file permissions, let’s see how you can change them and the file owner.
Change of access rights using the chmod command
Let’s say that you don’t want your coworker to see your images. This can be achieved by changing the file permissions using the command chmod(abr. from “change mode”). Using this command, we can set access rights (Read, Write, Execute) to the file/directory for the Owner, Group, and all of them All other users.
The command syntax chmodis as follows:
chmod [permissions] [filename]
There are two ways to use the command chmod: symbolic and numeric.
Using the chmod command in character mode
To set permission parameters for each user category, use the following symbols:
u — owner;
g — group;
o — other users;
a – for all three categories (Owner + Group + The rest).
The following mathematical symbols are also used:
+ – adding permissions;
– – delete permissions;
= – overriding existing permissions with a new value.
Now that you know how it works, let’s try using the command chmodin character mode and set new permissions for the previously mentioned file test.txt as follows:
read, write, and execute for Owner’s name;
read and write for group members;
reading for All other users.
chmod u=rwx,g=rw,o=r /home/azahar/Documents/test.txt
As a result, we get:
azahar@azahar-HP-Pavilion-Notebook:~$ chmod u=rwx,g=rw,o=r /home/azahar/Documents/test.txt
azahar@azahar-HP-Pavilion-Notebook:~$ ls -la /home/azahar/Documents/test.txt
-rwxrw-r-- 1 azahar azahar 216 Oct 31 10:54 /home/azahar/Documents/test.txt
As you can see, the file permissions have changed from -rw-r--r--to-rwxrw-r--, which is exactly what we needed.
And if we now want to remove the permission to read the file for users who are not part of our group and are not the owner of the file, just do the following:
chmod o-r /home/azahar/Documents/test.txt
Result:
zahar@azahar-HP-Pavilion-Notebook:~$ chmod o-r /home/azahar/Documents/test.txt
zahar@azahar-HP-Pavilion-Notebook:~$ ls -la /home/azahar/Documents/test.txt
-rwxrw---- 1 azahar azahar 216 Oct 31 10:54 /home/azahar/Documents/test.txt
File permissions changed from -rwxrw-r--to -rwxrw----.
After thinking about it, we decide to give full rights (except for execution rights) to absolutely all users of the system, and execute the command:
azahar@azahar-HP-Pavilion-Notebook:~$ chmod a+rw-x /home/azahar/Documents/test.txt
Result:
azahar@azahar-HP-Pavilion-Notebook:~$ chmod a+rw-x /home/azahar/Documents/test.txt
azahar@azahar-HP-Pavilion-Notebook:~$ ls -la /home/azahar/Documents/test.txt
-rw-rw-rw- 1 azahar azahar 216 Oct 31 10:54 /home/azahar/Documents/test.txt
File permissions changed from -rwxrw----to -rw-rw-rw-. All users can read and modify our file, but no one has the right to execute it.
Using the chmod command in numeric mode
Another way to specify file permissions is to use the command chmodin numeric mode. In this mode, each file resolution is represented by a certain number (in octal notation):
r (read/view) = 4
w (write/edit) = 2
x (execution) = 1
– (not set) = 0
You can combine these numeric values so that a single number can be used to represent the entire set of permissions. The following table shows the figures for all types of permissions:
Because you have to define permissions for each user category (Owner, Group, Others), the command will include three numbers (each of which represents the sum of privileges).
As an example, let’s take a look at our file test.txt, whose rights, let me remind you, we configured (in character mode) using the command:
chmod u=rwx,g=rw,o=r /home/azahar/Documents/test.txt
The same permission parameters, but in numeric format, can be defined as follows::
chmod 764 /home/azahar/Documents/test.txt
Now let’s change the file permissions so that the owner could read and write, the Group could only read, and the Owner could only write. The rest of them didn’t have access rights at all. Judging by the table above, for the Owner, the numeric representation of access rights corresponds to a number 6(rw-), for the Group-to a number 4(r--), and for the rest — 0(---). Together, you should get 640(rw-r-----):
azahar@azahar-HP-Pavilion-Notebook:~$ chmod 640 /home/azahar/Documents/test.txt
Result:
azahar@azahar-HP-Pavilion-Notebook:~$ chmod 640 /home/azahar/Documents/test.txt
azahar@azahar-HP-Pavilion-Notebook:~$ ls -la /home/azahar/Documents/test.txt
-rw-r----- 1 azahar azahar 216 Oct 31 10:54 /home/azahar/Documents/test.txt
As you can see, the rights have changed from -rwxrwr--to-rw-r-----, which is exactly what we wanted.
Change of owner and group
In addition to changing access rights to files, you may encounter a situation where you need to change the owner of the file or even the entire group. Performing any of these tasks requires you to have root privileges. To do this, I will use the utility sudo.
To change the owner of a file, use the command chown(abr. from “change owner”), the syntax of which is quite simple:
chown [username] [filename]
If you want to change not only the owner but also the group for a file or directory, then the syntax is as follows:
chown [username]: [group] [filename]
If you just want to change the group and keep the owner the same, then the syntax looks like this:
chown :[group] [filename]
Alternatively, use the command chgrp(abr. from “change group“), specifically used to change the group owner of a file or directory:
chgrp [group] [filename]
As a training exercise, let’s change the owner and group of the file test.txt for the root user and the root group (you may need superuser rights here):
azahar@azahar-HP-Pavilion-Notebook:~$ sudo chown root:root /home/azahar/Documents/test.txt
[sudo] password for azahar:
azahar@azahar-HP-Pavilion-Notebook:~$ ls -la /home/azahar/Documents/test.txt
-rw-r----- 1 root root 216 Oct 31 10:54 /home/azahar/Documents/test.txt
azahar@azahar-HP-Pavilion-Notebook:~$
As you can see, the owner and group of the file have changed from azahar:azaharto root:root.
Note that I had to use sudowith chown. This is because the root user is involved here, and you need superuser rights to deal with it.
Is there a priority in file access rights?
Imagine a situation where the owner does not have any permissions to access the file, the group has read permission, while other users have read and write permissions.
----r--rw- 1 azahar mygroup 216 Oct 31 10:54 /home/azahar/Documents/test.txt
Now, if an azahar user tries to read the file with the cator command less, will they be able to do so? The answer is no because it doesn’t have read permission.
But how so? After all, the user azahar is part of the mygroup group, and the group has read access. And even all other users have read and write permission! This should mean that everyone (including user azahar) can read and modify the file, right? Wrong!
On Linux systems, access rights are read first to the owner, then to the Group, and only after that to the rest of us. The system determines who initiated the process (cat or lessin our example). If the user who initiated the process is also the owner of the file, the permission bits are for the owner.
If the process was initiated by not owner of the file, then the system checks the Group. If the user who initiated the process is in the same Group as the File Owner Group, the permission bits for the Group are read.
If, however, initiated the process the user is not If the user is the owner of the file and is not a member of the corresponding Group, then the permission bits are set as for All other users.
Hints
The file /etc/groupcontains all the groups defined in the system.
You can use the command groupsto find all the groups that you are a member of:
You can use the command newgrpto work as a member of a group other than your default group:
Two groups cannot own the same file.
There are no nested groups in Linux. One group cannot be a subgroup of another.
x – directory execution means permission to “enter” the directory and get possible access to its subdirectories.
Summing up
Linux systems are multi-user systems where file and directory permissions are applied.
In Linux systems, there are three categories of users, namely: Owner, Group, and the others/Other.
File access rights are divided into Read/Views rights, Records/Changes, and Tasks indicated by the lettersr, wand x.
Access rights to the file can be changed by a command chmodthat supports both numeric and symbolic modes for setting access rights.
The command chowncan change the owner of a file/directory.
The command chgrpcan change the group that owns the file.