Linux Permissions Management [File and Directory]
Linux, as a multi-user operating system, provides comprehensive permission and authorization systems to ensure file and directory security. These permissions determine who can access files and directories and what types of operations this access covers. In this article, we will examine file and directory permissions in Linux in detail and with examples.
#Ownership:
Every file or directory is assigned (3) types of owner:
- Owner: the owner is the user who created the file or directory.
- Group: a group can have multiple users. All users in the group have the same permissions to access the file or directory.
- Other: other means those users who are not owners or members of the group.
#Permission:
There are only three (3) types of permissions for a file or directory:
- Read (r): the contents of a file can be read; for a directory, its entries can be listed.
- Write (w): the write permission allows the user to change the content of the file (for a directory: create, rename and delete entries in it).
- Execute (x): the execute permission allows a file to be executed (for a directory: it can be entered and traversed).
Types of files (first character of the ls -l listing):
- -  Regular (normal) file
- d  Directory
- b  Block special file
- c  Character special file
- l  Symbolic link file
- p  Named pipe (FIFO) special file
- s  Socket file
✅Example: -rwxr-xr-- "manage.php"
sudo ls -alh manage.php
-rwxr-xr-- 1 root helpdesk 580 Jul 24 x.x manage.php
Reading the columns from left to right:
- type: - (regular file; a symbolic link shows l and a name of the form lib -> usr/lib)
- permission: rwxr-xr--
- links: 1 (hard link count)
- owner: root
- group: helpdesk
- size: 580
- last modified: Jul 24 x.x
- name/link: manage.php
The permission field is read as three groups of three:
Permission | rwx | r-x | r-- |
Access Rights | (Owner) | (Group) | (Others) |
# Directory and File Permissions: [/ERP - manage.php ]
chmod 750 /ERP # (permissions change)
chmod 640 manage.php # ('')
>>Change: (Owner) & (Group)
chown zafer /ERP # (owner change)
chown faruk manage.php # ('')
chown faruk:helpdesk manage.php # (owner + group change)
chgrp helpdesk /ERP # (group change)
chgrp zafer manage.php # ('')
# Status: [/ERP - manage.php ]
ls -alh [/ERP or manage.php]
ls -ald /ERP
ls -ald manage.php
stat -c "%a %n" manage.php #Numeric
# /ERP directory Perm:
drwxr-x--- 2 root zafer 4096 Jul 30 12:08 /ERP/
✦ (owner): Read, write and execute (rwx)
✦ (group): Read and execute (r-x)
✦ (others): No permissions (---)
# manage.php file Perm:
-rw-r----- 1 faruk faruk 0 Jul 29 06:55 manage.php
✦ (owner): Can read and write (rw-) the file, but cannot execute it.
✦ (group): The file can be read (r--), but cannot be executed or written.
✦ (others): Cannot access the file at all (---)
# Recursive Permissions:
chmod -R 755 <dir> or <file>
>Mass recursive (files and directories handled separately, so plain files are not made executable):
find /path/to/directory -type f -exec chmod 644 {} \;
find /path/to/directory -type d -exec chmod 755 {} \;
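The file/directory split from the two find commands above, wrapped in functions and followed by a check that no world-writable entry is left behind. This is an added example, not the article's own code; it builds a throwaway tree with mktemp, so every path in it is constructed and nothing real is touched.

```shell
# Added example (not the article's own code): apply 644 to files and 755 to
# directories, each class separately, then verify the result. The sample
# tree is created under mktemp with deliberately loose modes.

# Files get 644 and directories 755. Handling the two classes separately is
# what keeps plain files non-executable (a bare chmod -R 755 would not).
fix_tree() {
    find "$1" -type f -exec chmod 644 {} \;
    find "$1" -type d -exec chmod 755 {} \;
}

# Number of entries under a tree that grant write to "others" (-perm -002).
world_writable_count() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Build a small constructed tree with loose modes and print its path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir "$d/sub"
    : > "$d/a.txt"
    : > "$d/sub/b.sh"
    chmod 777 "$d/sub" "$d/sub/b.sh"
    chmod 666 "$d/a.txt"
    echo "$d"
}

tree=$(make_sample_tree)
echo "before: $(world_writable_count "$tree") world-writable entries"
fix_tree "$tree"
echo "after:  $(world_writable_count "$tree") world-writable entries"
rm -r "$tree"
```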
# Change attribute: Immutable flag: (Lock/Unlock)
#sudo chattr +i /etc/passwd
#sudo chattr -i /etc/passwd
#What is Umask?
Umask (user file creation mode mask) is a per-process setting, adjusted with the shell built-in command of the same name, that controls the default permissions of newly created files and directories on Unix and Linux-based operating systems. It specifies which permission bits are removed from the base permissions when a new file or directory is created. A umask set on the command line lasts only for the current shell session and is lost when the shell is closed; it can also be made permanent.
For files: the base permissions, before the mask is applied, are 666 (rw-rw-rw-); with umask 022 a new file gets 644 (rw-r--r--).
For directories: the base permissions are 777 (rwxrwxrwx); with umask 022 a new directory gets 755 (rwxr-xr-x).
$umask #check
$umask -S
$umask 022 #Temporary change command
#UMASK Persistent:
sudo nano /etc/profile (only users)
sudo nano /etc/bash.bashrc (all users)
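The umask arithmetic from the section above, as an added example that is not part of the original article: what a given mask does to the 666/777 base values, and the reverse, which mask produces a wanted pair of defaults. The function names are the example's own; nothing is written to disk.

```shell
# Added example (not the article's own code): compute default permissions
# from a umask, and a umask from wanted defaults. Pure shell arithmetic.

# umask_default MASK file|dir   -> mode a new file or directory receives
# MASK is written as umask prints it, e.g. 022 or 077.
umask_default() {
    case $2 in
        file) base=0666 ;;
        dir)  base=0777 ;;
        *) echo "usage: umask_default MASK file|dir" >&2; return 1 ;;
    esac
    # A leading 0 makes the shell read the values as octal; the mask bits
    # are cleared from the base and the result is printed back in octal.
    printf '%03o\n' $(( $base & ~0$1 & 0777 ))
}

# umask_for FILE_MODE DIR_MODE  -> the umask that yields both defaults,
# e.g. umask_for 640 750 -> 027 (files need 026, directories need 027).
umask_for() {
    printf '%03o\n' $(( (0666 & ~0$1) | (0777 & ~0$2) ))
}

# Constructed demonstration of three common settings
for m in 022 027 077; do
    echo "umask $m: file $(umask_default "$m" file)  dir $(umask_default "$m" dir)"
done
echo "umask for files 640 / directories 750: $(umask_for 640 750)"
```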
Symbolic mode reference (who / special bits / operator):
u  file/directory owner
g  users in the same group as the file/directory owner
o  other users than the file/directory owner
a  everyone (u, g and o)
s  SUID bit (Set User ID), in the owner position > Special Feature
s  SGID bit (Set Group ID), in the group position > Special Feature
t  STICKY bit, in the others position > Special Feature
+  add permission
-  remove permission
=  set exactly these permissions (removes the other permissions of that class)
##Example: Granting access rights to [myscript.sh]
(owner) : rwx (7)
(group) : r-x (5)
(other) : --x (1)
>Numeric:
chmod 751 myscript.sh
>Symbolic
chmod u=rwx myscript.sh
chmod g=rx myscript.sh
chmod o=x myscript.sh
chmod u=rwx,g=rx,o=x myscript.sh # (same result in one command)
##File and Directory Permissions Examples: [Remove and Assign]
Owner Execution Permission:
chmod u+x myscript.sh
chmod u+x /ERP
Remove read and write permissions for Group and Other:
chmod go-rw myscript.sh
chmod go-rw /ERP
Remove Write Permission for a Group:
chmod g-w myscript.sh
chmod g-w /ERP
Give the owner read permission only (removes the owner's other permissions):
chmod u=r myscript.sh
chmod u=r /ERP
Remove Other Read Permission:
chmod o-r myscript.sh
chmod o-r /ERP
Granting Execute permission to a Group:
chmod g+x myscript.sh
chmod g+x /ERP
Recursively Remove Read and Write Permission for Group and Other:
chmod -R go-rw myscript.sh
chmod -R go-rw /ERP
Octal values of a permission triplet (r = 4, w = 2, x = 1):
r-- → 4
r-x → 5 (4 + 1)
rw- → 6 (4 + 2)
rwx → 7 (4 + 2 + 1)
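The conversion in the table above, carried through in both directions as an added example (not code from the article): from the symbolic string ls -l prints to the octal number chmod accepts and back, including the SUID, SGID and sticky bits listed under special features. Function names are the example's own.

```shell
# Added example (not the article's own code): symbolic <-> octal conversion
# using the 4/2/1 weights; s/S and t/T in the execute column set the
# leading special digit (4 = SUID, 2 = SGID, 1 = sticky).

# mode_to_octal STRING    "rwxr-x--x" -> 751, "-rwsr-xr-x" -> 4755
# A 10-character ls -l string is accepted; its leading type column is dropped.
mode_to_octal() {
    s=$1
    [ ${#s} -eq 10 ] && s=${s#?}
    [ ${#s} -eq 9 ] || { echo "bad mode string: $1" >&2; return 1; }
    special=0 digits=""
    for class in 1 2 3; do                        # owner, group, other
        start=$(( (class - 1) * 3 + 1 ))
        t=$(printf '%s' "$s" | cut -c"$start-$((start + 2))")
        v=0
        case $t in r??) v=$((v + 4)) ;; esac
        case $t in ?w?) v=$((v + 2)) ;; esac
        case $t in ??[xst]) v=$((v + 1)) ;; esac  # lowercase: execute bit set
        case $class$t in                          # uppercase S/T: no execute bit
            1??[sS]) special=$((special + 4)) ;;  # SUID
            2??[sS]) special=$((special + 2)) ;;  # SGID
            3??[tT]) special=$((special + 1)) ;;  # sticky
        esac
        digits="$digits$v"
    done
    echo "${special#0}$digits"                    # a special digit of 0 is omitted
}

# octal_to_mode NUMBER    751 -> rwxr-x--x, 4755 -> rwsr-xr-x, 1777 -> rwxrwxrwt
octal_to_mode() {
    n=$1
    [ ${#n} -eq 3 ] && n="0$n"                    # no special digit given
    special=$(printf '%s' "$n" | cut -c1)
    out=""
    for class in 1 2 3; do
        d=$(printf '%s' "$n" | cut -c$((class + 1)))
        r=-; w=-; x=-
        [ $((d & 4)) -ne 0 ] && r=r
        [ $((d & 2)) -ne 0 ] && w=w
        [ $((d & 1)) -ne 0 ] && x=x
        if [ $(( special & (8 >> class) )) -ne 0 ]; then   # 4=SUID 2=SGID 1=sticky
            [ "$class" -eq 3 ] && flag=t || flag=s
            [ "$x" = x ] && x=$flag || x=$(printf '%s' "$flag" | tr st ST)
        fi
        out="$out$r$w$x"
    done
    echo "$out"
}
echo "$(mode_to_octal -rwxr-x---) $(octal_to_mode 640)"
```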
💡 You can also use File Manager tools to visually edit permissions.
ACL (Access Control List)
A feature used in Unix and Unix-like operating systems to control access to files and directories. ACLs provide more granular and flexible access control than basic file permissions.
SELinux (Security-Enhanced Linux)
SELinux (Security-Enhanced Linux) is a security module integrated with the Linux kernel. It was first developed by the US National Security Agency (NSA) and released as open source. SELinux provides more detailed and configurable access control to increase security in Linux operating systems. https://tr.wikipedia.org/wiki/SELinux
Stay hungry to learn.