[Unix-Linux] File Permission & Access Modes

📋 This is my note-taking from what I learned in the UNIX/LINUX Tutorial!


File Permission and Access Modes in Unix

File ownership is an important component of Unix that provides a secure method for storing files.

Every file in Unix has the following attributes:

  • Owner permissions: The owner’s permissions determine what actions the owner of the file can perform on the file.
  • Group permissions: The group’s permissions determine what actions a user, who is a member of the group that a file belongs to, can perform on the file.
  • Other (world) permissions: The permissions for others indicate what action all other users can perform on the file.

ls

  1. “..” represents the parent directory. When you use ls .., it lists the contents of the parent directory, i.e. the files and directories one level above the current directory.
  2. “~” represents the home directory of the current user. When you use ls ~, it lists the contents of your home directory.
  3. “*” is a wildcard character that matches zero or more characters. When used with ls, it matches any file or directory name. For example, ls *.txt lists all files in the current directory that have the “.txt” extension.
  4. “t*” is also a wildcard pattern, but it matches only names that start with the letter “t”. For example, ls t* lists files such as “test.txt”, “temp” and “testfile”.
  5. “-l” is an option that makes ls display the directory listing in long format. In long format each file or directory is shown with detailed information, including permissions, ownership, size, and modification date. The letters and symbols in the long-format output have specific meanings:
    • The first character represents the file type (d for a directory, - for a regular file).
    • The next three characters represent the owner permissions, followed by the group permissions, and finally the permissions for others.
    • The remaining fields show other file attributes, such as the link count, owner, group, file size, and modification timestamp.


The Permission Indicators

When you run ls -l, it displays the file permissions as follows:

  • read (r), write (w), execute (x)

$ ls -l /home/amrood
-rwxr-xr--  1 amrood   users 1024  Nov 2 00:10  myfile
drwxr-xr--  1 amrood   users 1024  Nov 2 00:10  mydir

Taking the mode string -rwxr-xr-- of myfile as the example:

| First 3 chars (positions 2-4) | Second 3 chars (positions 5-7) | Last 3 chars (positions 8-10) |
| --- | --- | --- |
| Permissions for the file’s owner | Permissions for the group to which the file belongs | Permissions for others (everyone else) |
| rwx | r-x | r-- |
| The owner has read (r), write (w), and execute (x) permission | The group has read (r) and execute (x) permission, but no write permission | Others have read (r) permission only |

File or Directory?

  • If -, File
  • If d, Directory

Example!

  • User → a student number (one specific account)
  • Group → Student (everyone in the student group)
  • Other → anyone who is neither the User nor a member of the Group


File Access Modes

The permissions of a file are the first line of defense in the security of a Unix system.

The basic building blocks of Unix permissions are the read, write, and execute permissions, which have been described below:

  • Read: Grants the capability to read, i.e., view the contents of the file.
  • Write: Grants the capability to modify, or remove the content of the file.
  • Execute: User with execute permissions can run a file as a program.


Directory Access Modes

Directory access modes are listed and organized in the same manner as any other file.

There are a few differences that need to be mentioned:

  • Read: Access to a directory means that the user can read the contents. The user can look at the filenames inside the directory.
  • Write: Access means that the user can add or delete files from the directory.
  • Execute: Executing a directory doesn’t really make sense, so think of this as a traverse permission. A user must have execute access to the bin directory in order to execute the ls or the cd command.


Changing Permissions

To change the file or the directory permissions, you use the chmod (change mode) command. There are two ways to use chmod — the symbolic mode and the absolute mode.

The chmod command modifies the mode bits and the extended access control lists (ACLs) of the specified files or directories. The mode can be defined symbolically or numerically (absolute mode).

Why would you want to change the owner of a file? → Whatever the file is, its owner can always use it!!!

Using chmod in Symbolic Mode

The easiest way for a beginner to modify file or directory permissions is to use the symbolic mode. With symbolic permissions you can add, delete, or specify the permission set you want by using the operators in the following table.

| Sr.No. | chmod operator | Description |
| --- | --- | --- |
| 1 | + | Adds the designated permission(s) to a file or directory. |
| 2 | - | Removes the designated permission(s) from a file or directory. |
| 3 | = | Sets the designated permission(s), replacing the current ones. |
  1. Running ls -l on testfile shows that the file’s permissions are as follows:
    $ ls -l testfile
    -rwxrwxr--  1 amrood   users 1024  Nov 2 00:10  testfile
    
  2. Then each example chmod command from the preceding table is run on testfile, followed by ls -l, so you can see the permission changes:

    # Add write and execute permissions for other
    $ chmod o+wx testfile
    $ ls -l testfile
    -rwxrwxrwx  1 amrood   users 1024  Nov 2 00:10  testfile
    
    # Remove execute permission from user (the owner)
    $ chmod u-x testfile
    $ ls -l testfile
    -rw-rwxrwx  1 amrood   users 1024  Nov 2 00:10  testfile
    
    # Set only read and execute permissions (not write!) for group
    # (no spaces around "=": "g = rx" would be parsed as three separate arguments)
    $ chmod g=rx testfile
    $ ls -l testfile
    -rw-r-xrwx  1 amrood   users 1024  Nov 2 00:10  testfile
    
  3. Combine these commands on a single line, separated by commas:
    # 1. Add write and execute permissions for other
    # 2. Remove execute permission from user
    # 3. Set read and execute permissions for group
    $ chmod o+wx,u-x,g=rx testfile
    $ ls -l testfile
    -rw-r-xrwx  1 amrood   users 1024  Nov 2 00:10  testfile
    

Using chmod with Absolute Permissions

The second way to modify permissions with the chmod command is to use a number to specify each set of permissions for the file.

Each permission is assigned a value, as the following table shows, and the total of each set of permissions provides a number for that set.

| Permission | r | w | x |
| --- | --- | --- | --- |
| Value | 4 | 2 | 1 |

| Number | Octal Permission Representation | Ref |
| --- | --- | --- |
| 0 | No permission | --- |
| 1 | Execute permission | --x |
| 2 | Write permission | -w- |
| 3 | Execute and write permission: 1 (execute) + 2 (write) = 3 | -wx |
| 4 | Read permission | r-- |
| 5 | Read and execute permission: 4 (read) + 1 (execute) = 5 | r-x |
| 6 | Read and write permission: 4 (read) + 2 (write) = 6 | rw- |
| 7 | All permissions: 4 (read) + 2 (write) + 1 (execute) = 7 | rwx |
  1. Running ls -l on testfile shows that the file’s permissions are as follows:
     $ ls -l testfile
     -rwxrwxr--  1 amrood   users 1024  Nov 2 00:10  testfile
    
  2. Then each example chmod command is run on testfile with a three-digit number (owner, group, other), followed by ls -l, so you can see the permission changes:

     # 7 = rwx for owner, 5 = r-x for group, 5 = r-x for other
     $ chmod 755 testfile
     $ ls -l testfile
     -rwxr-xr-x  1 amrood   users 1024  Nov 2 00:10  testfile
    
     # 7 = rwx for owner, 4 = r-- for group, 3 = -wx for other
     $ chmod 743 testfile
     $ ls -l testfile
     -rwxr---wx  1 amrood   users 1024  Nov 2 00:10  testfile
    
     # 0 = --- for owner, 4 = r-- for group, 3 = -wx for other
     $ chmod 043 testfile
     $ ls -l testfile
     ----r---wx  1 amrood   users 1024  Nov 2 00:10  testfile
    
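The mode-string layout from “The Permission Indicators” and the symbolic and absolute chmod steps above, exercised on a scratch file. This is an added example, not code from the tutorial; mode_of, rwx_to_octal and apply_and_show are helper names assumed here, and the scratch file is created with mktemp rather than being the tutorial’s testfile.

```shell
#!/bin/sh
# Added example (not from the tutorial): run the chmod steps above on a
# scratch file and read back the mode string that ls -l prints.

# Print the 10-character mode field that ls -l shows for a path.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Convert a 9-character rwx string (e.g. rwxr-xr--) to its octal form (754)
# by adding r=4, w=2, x=1 within each group of three, as in the table above.
rwx_to_octal() {
    perms=$1
    out=""
    for i in 1 4 7; do
        triple=$(printf '%s' "$perms" | cut -c"$i"-$((i + 2)))
        n=0
        case $triple in r??) n=$((n + 4)) ;; esac
        case $triple in ?w?) n=$((n + 2)) ;; esac
        case $triple in ??x) n=$((n + 1)) ;; esac
        out="$out$n"
    done
    printf '%s' "$out"
}

# Apply one chmod argument (symbolic or absolute) and return the new mode.
apply_and_show() {
    chmod "$1" "$2"
    mode_of "$2"
}

demo() {
    f=$(mktemp)          # scratch file, constructed for this example
    chmod 774 "$f"       # start from the tutorial's -rwxrwxr--
    printf 'start  %s\n' "$(mode_of "$f")"
    printf 'o+wx   %s\n' "$(apply_and_show o+wx "$f")"
    printf 'u-x    %s\n' "$(apply_and_show u-x "$f")"
    printf 'g=rx   %s\n' "$(apply_and_show g=rx "$f")"
    printf '755    %s\n' "$(apply_and_show 755 "$f")"
    printf '043    %s\n' "$(apply_and_show 043 "$f")"
    printf 'rwxr-xr-- is octal %s\n' "$(rwx_to_octal rwxr-xr--)"
    rm -f "$f"
}
demo
```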


Changing Owners and Groups

When an account is created on Unix, it is assigned an owner ID and a group ID. All the permissions mentioned above are checked against that owner and those groups.

Two commands are available to change the owner and the group of files:

  • chown
    • The chown command stands for "change owner" and is used to change the owner of a file.
    • The chown command changes the owner of the file or directory specified by the File or Directory parameter to the user specified by the Owner parameter. The value of the Owner parameter can be a user name from the user database or a numeric user ID. Optionally, a group can also be specified.
  • chgrp
    • The chgrp command stands for "change group" and is used to change the group of a file.
    • The chgrp command changes the group of the file or directory specified by the File or Directory parameter to the group specified by the Group parameter. The value of the Group parameter can be a group name from the group database or a numeric group ID.

Changing Ownership

The chown command changes the ownership of a file. The basic syntax is as follows:

$ chown user filelist

The value of the user can be either the name of a user on the system or the user id (uid) of a user on the system.

The following example will help you understand the concept:

$ chown amrood testfile

Changes the owner of the given file to the user amrood.

NOTE: The super user, root, has the unrestricted capability to change the ownership of any file, but normal users can change the ownership of only those files that they own.

Changing Group Ownership

The chgrp command changes the group ownership of a file. The basic syntax is as follows:

$ chgrp group filelist

The value of group can be the name of a group on the system or the group ID (GID) of a group on the system.

The following example helps you understand the concept:

$ chgrp special testfile

Changes the group of the given file to the group special.


SUID and SGID File Permission

Often when a command is executed, it will have to be executed with special privileges in order to accomplish its task.

As an example, when you change your password with the passwd command, your new password is stored in the file /etc/shadow.

As a regular user, you do not have read or write access to this file for security reasons, but when you change your password, you need to have the write permission to this file. This means that the passwd program has to give you additional permissions so that you can write to the file /etc/shadow.

Additional permissions are given to programs via a mechanism known as the Set User ID (SUID) and Set Group ID (SGID) bits.

When you execute a program that has the SUID bit enabled, you inherit the permissions of that program’s owner. Programs that do not have the SUID bit set are run with the permissions of the user who started the program.

The same applies to SGID. Normally a program runs with your group permissions, but with SGID set the effective group is changed, for that program only, to the group that owns the program.

The SUID and SGID bits appear as the letter "s" when they are set. The SUID "s" is located in the position where the owner’s execute permission normally resides, and the SGID "s" in the position of the group’s execute permission.

For example, the command:

$ ls -l /usr/bin/passwd
-r-sr-xr-x  1   root   bin  19031 Feb 7 13:47  /usr/bin/passwd*

Shows that the SUID bit is set and that the command is owned by root. A capital letter S in the execute position instead of a lowercase s indicates that the special bit is set but the execute bit is not.

If the sticky bit is enabled on a directory, files in it can only be removed by one of the following users:

  • The owner of the sticky directory
  • The owner of the file being removed
  • The super user, root

To set the SUID and SGID bits for any directory try the following command:

$ chmod ug+s dirname
$ ls -l
drwsr-sr-x 2 root root  4096 Jun 19 06:45 dirname
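The SUID/SGID/sticky markers described above, applied to a scratch directory and decoded back into words, plus the audit listing a defender uses to inventory set-id files. This is an added example, not code from the tutorial; mode_of, decode_special and list_setid are helper names assumed here, and the directory is created with mktemp -d rather than being the tutorial’s dirname.

```shell
#!/bin/sh
# Added example (not from the tutorial): set SUID/SGID on a scratch directory,
# read the mode back, and decode the s/S/t/T markers that ls -l prints.

# Print the 10-character mode field that ls -l shows for a path.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Decode the special bits of a mode string into words.
# Position 4 holds SUID (s/S), position 7 SGID (s/S), position 10 the sticky
# bit (t/T). Lowercase means the matching execute bit is also set; uppercase
# means the special bit is set but execute is not.
decode_special() {
    m=$1
    words=""
    case $(printf '%s' "$m" | cut -c4) in
        s) words="$words suid" ;;
        S) words="$words suid(no-exec)" ;;
    esac
    case $(printf '%s' "$m" | cut -c7) in
        s) words="$words sgid" ;;
        S) words="$words sgid(no-exec)" ;;
    esac
    case $(printf '%s' "$m" | cut -c10) in
        t) words="$words sticky" ;;
        T) words="$words sticky(no-exec)" ;;
    esac
    printf '%s' "${words# }"
}

# Audit helper: list regular files under a directory that carry SUID or SGID,
# i.e. the programs that run with another identity and deserve an inventory.
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

demo() {
    d=$(mktemp -d)       # scratch directory, constructed for this example
    chmod 755 "$d"
    chmod ug+s "$d"      # the tutorial's command, applied to the scratch dir
    m=$(mode_of "$d")
    printf '%s  ->  %s\n' "$m" "$(decode_special "$m")"
    rmdir "$d"
}
demo
```

Running list_setid /usr/bin on a host is the quick way to check which programs (such as passwd above) run set-id, so that unexpected additions stand out.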


sudo

The sudo command lets us use our account and password to execute system commands with root privileges, whereas the su command allows us to switch to a different user and execute one or more commands in the shell without logging out from our current session.

⇒ “apt install curl” assumes you have the necessary privileges to install packages, while “sudo apt install curl” explicitly requests administrative privileges to install the package. If you encounter a permission error when running “apt install curl,” using “sudo” can resolve the issue by executing the command with root privileges.

  1. apt install curl: This command is used to install the “curl” package using the APT package manager. APT (Advanced Package Tool) is the package management system used in Debian-based Linux distributions, such as Ubuntu. When you run this command without “sudo,” it assumes you have sufficient privileges to install packages and doesn’t require administrative rights. It will attempt to install the “curl” package for the current user.
  2. sudo apt install curl: The “sudo” command stands for “SuperUser Do” and is used to execute a command with administrative privileges. When you prefix a command with “sudo,” it requests elevated privileges and prompts you to enter your password. By using “sudo” before “apt install curl,” you ensure that the installation command is executed with administrative rights. This is necessary if you need root access to install packages or modify system configurations.


su

The command “su” stands for “substitute user.” It is used in Unix-like operating systems to switch to another user account, typically with superuser (root) privileges.

By running the “su” command followed by the username of the desired account, you can assume the identity and privileges of that user. If no username is specified, the default behavior is to switch to the superuser (root) account.

For example, if you want to switch to the “john” user account, you would use the following command:

su john

After entering the user’s password, you will be logged in as the “john” user and have access to their permissions and privileges.


getent

getent passwd seyeonjo   # the passwd entry for one user
getent passwd            # no key given: lists every user entry
getent group seyeonjo    # the group entry for one group
getent group             # no key given: lists every group entry


adduser

adduser user1        # fails for a normal user: creating accounts needs root privileges
sudo adduser user1   # the same command run with root privileges

Touch

rm -rf Docs                   # remove the Docs directory and everything in it
ls -l
unzip archive.zip -d .        # extract the archive into the current directory
cat /etc/passwd | grep backup
cat /etc/passwd | grep backup | cut -c1-4 ⇒ back
cat /etc/passwd | grep backup | cut -c1-6 ⇒ backup

ifconfig → IP address


SSH

SSH, or Secure Shell, is a network communication protocol that enables two computers to communicate and share data securely (cf. HTTP, the Hypertext Transfer Protocol, which is used to transfer hypertext such as web pages).



