How Do Linux File Permissions Work?

If you share a Linux (or Unix) system, you will undoubtedly have private files that you want to keep private, as well as files that you want to be public. You can control access to your files by setting the permission flags and ownership for your files. How to Tell What Access Your Files Have

When we discussed using the ls command, you may have been wondering about that gibberish in the first few columns of the ls -l command (stuff like -rw, r--, and so on). Here's an example of output from the ls -l command showing the contents of a directory:

Permissions User Group Size Date Name
-rw-r----- 1 hermie users 64183 Feb 14 22:07 cow_info
-rw-r----- 1 hermie users 115032 Jan 06 11:14 dog_info
-rw-r--r-- 1 hermie users 248 Jan 16 09:18 pig_info
-rw-r--r-- 1 hermie users 45090 Mar 23 23:17 cat_info
-rwx--x--- 1 hermie users 45198 Jan 23 11:14 zippity
drwxr-x--- 1 hermie friends 1024 Feb 28 06:12 slugs

For each file you see listed a set of permissions; the owning user; a group name; and the size, creation date, and name of the file. We'll focus on the permission first by dissecting the file-access permissions for the cow_info file. Specifically, these permissions are shown in the string of characters preceding the file in the first column: -rw-r-----. Note that the permissions data is made up of ten characters, each of which has meaning.

To understand how to read file permissions, let's start by splitting apart those ten characters for cow_info:

Directory? User's Access Group Access Others' Access
- 	 r w -	 r - - - - -
 | | | | | |
 Readable ---+ | | | | +--- Not executable
 Writable -----+ | | +----- Not writable
 Not executable -----+ +------- Readable

The character in the first position, a dash (-), indicates that this is a file and not a directory. Directories are marked with a d, as in drwxr-x--- (this precedes the directory slugs).

The next three characters (rw-) tell us whether the file's owner (hermie) can read, write, and execute the file. An r in the first position means that the file can be read; a w in the second position means that the file can be written to (updated); and an x in the third position means that the file can be executed (run). In all three cases, if a dash appears in place of an r, w, or x, that specific privilege is removed. For example, rw- means that the file can be read and written to, but not executed.

The next sets of three characters define read, write, and execute access for the users in a particular group (the users group, in this case), along the same lines as above. For example, the characters r-- that appear in these positions for cow_info tell us that the users group can read this file but can't write to or execute it.

The final set of three characters (all dashes, in this case) defines access for those who are not the owner or in the listed group. This one's easy: No one outside the listed group has any kind of access to this file.

Note: Groups are a convenient way to give a set of users the same access to a bunch of files. Only a superuser can add to or remove users from groups. To find out what groups you belong to, use the groups command.

In sum, access to the cow_info file is controlled like so: The user (hermie) can read and update the file, but cannot execute it. People in the users group can only read the file, and everybody else on the system gets no access at all.

Here's another example:

-rwx--x--- 1 hermie users 45198 Jan 23 11:14 zippity

The characters that precede the file name zippity tell us that this file is readable, writable, and executable by hermie; only members of the users group can execute it; and others outside the users group have no access to it.

Note: You can give execute permission to any file, but it doesn't make sense to do so unless the file is actually a program.

Look at the listing for slugs:

drwxr-x--- 1 hermie friends 1024 Feb 28 06:12 slugs

You can see first that it's a directory (signified by the d in the first position). User hermie has read and write access, which in the case of a directory translates into the ability to list files and to create and delete files. Hermie also has execute access, which in the case of a directory means the ability to use cd to change to it. Those in the friends group can list files in the directory and use cd to make it the current directory, but others have no access whatsoever to the directory.

Note: Unless you are administering a large Unix system with lots of users, groups are not very important. In these examples, users is just the name of a group that all users belong to by default in a Linux system. If your primary group is users, all files you create will show that as the group name, unless you use the chgrp command to change it. If you're curious, use the man chgrp command to find out more.

Previous Lesson: The Nine Deadly Keystrokes
Next Lesson: Changing File Permissions