Basic file permissions#

Access types#

The three basic file access types are read, write and execute and for each file each permission can either be granted or not.

File access#

For file access these permissions have the following interpretation:

Permission   Symbol   Meaning
read         r        ability to read the contents of a file
write        w        ability to modify the contents of a file
execute      x        ability to run a file/program

While read and write permissions should be obvious, the permission to execute a file is less intuitive. It is not enough for a file to be an executable program (as opposed to an image file, for example): Linux does not allow execution without the correct permission. This has mainly historical reasons, but is still useful from time to time.

Note

If the file is not an ELF binary but, for example, a script, read permission is also necessary to run the file. A common pitfall is to download or create a script and run it without granting execute permission first:

[john@laptop ~]$ ./script.sh
/bin/bash: ./script.sh: Permission denied

Granting the correct permissions solves that problem: chmod u+rx script.sh
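The pitfall above reproduced as a runnable script, added here as an example that is not part of the original page: a freshly created script has no execute bit, the attempt to run it fails, and chmod u+rx from the text fixes it. It assumes a POSIX sh with chmod, mktemp and rm; the directory name and script content are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): reproduce the "Permission denied"
# pitfall for a script that lacks the execute bit, then fix it with chmod u+rx.
# Assumes a POSIX sh plus chmod, mktemp and rm.

# Create a throw-away directory under the current directory (an arbitrary
# choice for the example; /tmp is sometimes mounted noexec, which would make
# even a correctly chmod'ed script fail and mask the point being shown).
setup_script() {
    dir=$(mktemp -d "$PWD/permdemo.XXXXXX" 2>/dev/null) || dir=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho hello from script\n' > "$dir/script.sh"
    # A file created by a shell redirection gets 0666 minus the umask, usually
    # rw-r--r--: nobody has the execute bit. Set it explicitly so the
    # demonstration does not depend on the caller's umask.
    chmod 644 "$dir/script.sh"
    printf '%s\n' "$dir"
}

# Try to run the script: "ok" if it ran, "denied" if the kernel refused to
# execute it (the shell reports "Permission denied" and exit status 126).
try_run() {
    if out=$("$1/script.sh" 2>/dev/null); then
        printf 'ok\n'
    else
        printf 'denied\n'
    fi
}

# Walk through the pitfall and the fix; returns both outcomes on one line.
demo_exec_bit() {
    dir=$(setup_script) || return 1
    before=$(try_run "$dir")
    # The fix from the text: grant read and execute to the owner (u+rx).
    # A script needs r as well as x, because the interpreter named in the
    # shebang (/bin/sh here) has to open and read the file; a compiled ELF
    # binary only needs x.
    chmod u+rx "$dir/script.sh"
    after=$(try_run "$dir")
    rm -rf "$dir"
    printf '%s %s\n' "$before" "$after"
}

demo_exec_bit   # prints: denied ok
```

The first outcome is "denied" for every user, root included: with no execute bit set anywhere in the mode, execve refuses the file regardless of who asks.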

Directory access#

For directories the permissions are interpreted slightly differently:

Permission   Symbol   Meaning
read         r        ability to list the names of the files inside the directory
write        w        ability to modify the directory contents, i.e. create, delete or rename files inside it
execute      x        ability to “search” inside the directory, i.e. access file contents and metadata

Note

Note that there is no permission to delete a file. To delete the content of a file (i.e. truncate it to 0 bytes), write permission on that file is necessary. To delete (or unlink) the file entirely, write permission on the containing directory is needed. This makes sense after reading the section about dentries and inodes.
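The distinction in the note, shown as an added example that is not part of the original page: a read-only file in a writable directory can be unlinked but not truncated, while a writable file in a non-writable directory can be truncated but not unlinked. It assumes a POSIX sh with chmod, mktemp, id and rm. One caveat a practitioner should know: root (any process holding CAP_DAC_OVERRIDE) bypasses these checks entirely, so the function reports "skipped" when run as uid 0 instead of producing misleading results.

```shell
#!/bin/sh
# Added example (not from the original page): truncating a file needs write
# permission on the file; unlinking it needs write permission on the directory.
# Assumes POSIX sh plus chmod, mktemp, id and rm. The file names are
# constructed for the example.

# Truncate a file by redirecting an empty command into it: "ok"/"denied".
try_truncate() {
    if : > "$1" 2>/dev/null; then printf 'ok'; else printf 'denied'; fi
}

# Remove a file: "ok"/"denied". -f suppresses the prompt rm would otherwise
# show for a write-protected file; the kernel decision is what we observe.
try_unlink() {
    if rm -f "$1" 2>/dev/null; then printf 'ok'; else printf 'denied'; fi
}

demo_delete_permission() {
    # Discretionary permission checks do not apply to uid 0 (CAP_DAC_OVERRIDE),
    # so every operation below would succeed and show nothing.
    if [ "$(id -u)" -eq 0 ]; then
        printf 'skipped: uid 0 bypasses DAC checks\n'
        return 0
    fi
    dir=$(mktemp -d) || return 1

    # Case 1: read-only file (r--r--r--) inside a writable directory.
    : > "$dir/a"; chmod 444 "$dir/a"
    t1=$(try_truncate "$dir/a")     # denied: no w on the file itself
    u1=$(try_unlink "$dir/a")       # ok: w on the directory is what counts

    # Case 2: writable file (rw-------) inside a directory without w (r-x------).
    : > "$dir/b"; chmod 600 "$dir/b"
    chmod 500 "$dir"
    t2=$(try_truncate "$dir/b")     # ok: w on the file, x on the directory
    u2=$(try_unlink "$dir/b")       # denied: no w on the directory

    chmod 700 "$dir"; rm -rf "$dir"
    printf 'truncate_ro_file=%s unlink_ro_file=%s truncate_in_ro_dir=%s unlink_in_ro_dir=%s\n' \
        "$t1" "$u1" "$t2" "$u2"
}

demo_delete_permission
```

As an unprivileged user the last line reads truncate_ro_file=denied unlink_ro_file=ok truncate_in_ro_dir=ok unlink_in_ro_dir=denied. Case 2 also shows why "read-only" on a file alone is not a protection against losing it: whoever can write the directory can unlink the entry.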

Access classes#

There are three access classes which define for whom the permissions r, w, x apply: user, group and other. Each file is associated with exactly one user and one group; the file is also said to be owned by that user and that group. The read, write and execute permissions apply separately to the associated user, to the associated group and to the rest (other):

Access class   Symbol   Meaning
user           u        the single user that is the owner of the file
group          g        all users that belong to the group associated with the file
other          o        all users that are neither the owner nor a member of the file’s group

The r, w, x permissions for the u, g and o classes respectively make a total of 9 permissions to be set or denied.

Note

A common pitfall is to misinterpret “o” as an abbreviation for owner instead of other. Granting permissions to the “o” class under that misunderstanding may be disastrous.

This permission scheme is very restrictive. For example, two users with the same group memberships, neither of them the file owner, share exactly the same access rights (those of the class other). Neither is it possible to separate the permissions of individual users within the group associated with a file; they all share the permissions of the group class. To work around these limitations, access control lists are necessary.
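The class selection described in this section, as an added example that is not part of the original page: a small pure-sh function that, given a file's 9-character mode string, its owner and group, and a user with their group list, returns the one rwx triplet Linux actually checks. The users, groups and modes in the demo are constructed for the example. It also shows a point the tables leave implicit: the classes are exclusive and checked in the order user, group, other, so permissions are never combined across classes.

```shell
#!/bin/sh
# Added example (not from the original page): which access class applies to a
# user, and therefore which rwx triplet is checked. Pure POSIX sh, no
# external commands; all names and modes below are constructed.

# effective_perms MODE OWNER GROUP USER USER_GROUPS
#   MODE         9-character permission string as shown by ls -l, e.g. rw-r-----
#   OWNER, GROUP the user and group associated with the file
#   USER         the user asking for access
#   USER_GROUPS  space-separated list of the groups USER belongs to
# Prints the triplet that applies. Exactly one class is used: the owner gets
# the user triplet even if they are also a member of the file's group.
effective_perms() {
    mode=$1 owner=$2 group=$3 user=$4 user_groups=$5
    if [ "$user" = "$owner" ]; then
        printf '%s\n' "${mode%??????}"          # characters 1-3: user class
        return
    fi
    for g in $user_groups; do
        if [ "$g" = "$group" ]; then
            rest=${mode#???}
            printf '%s\n' "${rest%???}"          # characters 4-6: group class
            return
        fi
    done
    printf '%s\n' "${mode#??????}"              # characters 7-9: other class
}

# The scenario from the text: bob and carol are both in group dev and neither
# owns the file, so the scheme cannot give them different rights. dave is in
# a different group and falls into "other".
demo_classes() {
    f1=$(effective_perms 'rw-r-----' alice dev alice 'dev')        # rw-
    f2=$(effective_perms 'rw-r-----' alice dev bob   'dev')        # r--
    f3=$(effective_perms 'rw-r-----' alice dev carol 'dev ops')    # r--
    f4=$(effective_perms 'rw-r-----' alice dev dave  'ops')        # ---
    # Classes are exclusive: the owner is stuck with the user triplet even
    # when the group triplet would have granted more.
    f5=$(effective_perms '---rw----' alice dev alice 'dev')        # ---
    printf '%s %s %s %s %s\n' "$f1" "$f2" "$f3" "$f4" "$f5"
}

demo_classes   # prints: rw- r-- r-- --- ---
```

The last case is worth remembering when reviewing permissions: a mode like ---rw---- locks the owner out while letting the group in, which is rarely intended and is easy to overlook when only the group triplet is inspected.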

Special permissions#

There are three special permissions which modify a file’s execution behavior rather than granting a permission. They are called set-uid, set-gid and sticky mode. Again the meaning differs for files and directories:

Special permissions on files#

Each running program also has an associated user and an associated group. Normally these are inherited from the calling user. The set-uid and set-gid bits change this behavior.

Permission   Symbol   Meaning
set-uid      s        run the file as the file’s owner
set-gid      s        run the file as the file’s associated group
sticky       t        no effect

A typical use case is a program owned by root with set-uid enabled, for example /usr/bin/passwd or /usr/bin/su. Any user can run such programs, but they are executed with root privileges. This allows users to perform certain predefined tasks, like changing passwords or impersonating other users, which would otherwise require system administrator privileges.

Special permissions on directories#

Permission   Symbol   Meaning
set-uid      s        no effect
set-gid      s        newly created sub-directories inherit the associated group from their parent directory
sticky       t        the directory’s w-permission only applies to a user’s own files

The sticky mode is common for shared /tmp or /scratch directories: many users have write permission, but they cannot delete or modify one another’s files.
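The special bits and the nine basic permissions together are what ls -l and stat -c %A display as a 10-character mode string. Added here as an example that is not part of the original page is a pure-sh converter from that string to the 4-digit octal form chmod accepts (4 = set-uid, 2 = set-gid, 1 = sticky in the leading digit). It also handles the upper-case S and T that ls prints when a special bit is set but the corresponding execute bit is not, a combination that usually indicates a mistake. The mode strings in the demo are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): convert the mode string shown by
# "ls -l" / "stat -c %A" into 4-digit octal, including set-uid, set-gid and
# sticky. Pure POSIX sh; the mode strings in demo_special_bits are constructed.

# Numeric value of one rwx triplet. In the ls notation the execute position
# shows: x (execute only), s/t (execute plus special bit), S/T (special bit
# set but execute NOT granted). Only x, s and t count as execute.
triplet_value() {
    v=0
    case $1 in r??) v=$((v + 4));; esac
    case $1 in ?w?) v=$((v + 2));; esac
    case $1 in ??[xst]) v=$((v + 1));; esac
    echo "$v"
}

# 1 if the execute position carries a special bit (s, S, t or T), else 0.
special_set() {
    case $1 in ??[sStT]) echo 1;; *) echo 0;; esac
}

# mode_to_octal MODESTRING -> e.g. -rwsr-xr-x -> 4755, drwxrwxrwt -> 1777
# Accepts the 10-character form (file type first) or the bare 9 characters.
mode_to_octal() {
    m=$1
    [ ${#m} -eq 10 ] && m=${m#?}          # drop the file-type character
    u=${m%??????}; rest=${m#???}; g=${rest%???}; o=${m#??????}
    # set-uid lives in the user triplet, set-gid in the group triplet and
    # sticky in the other triplet; they form the leading octal digit.
    special=$(( $(special_set "$u") * 4 + $(special_set "$g") * 2 + $(special_set "$o") ))
    printf '%d%d%d%d\n' "$special" "$(triplet_value "$u")" \
        "$(triplet_value "$g")" "$(triplet_value "$o")"
}

demo_special_bits() {
    printf '%s %s %s %s %s\n' \
        "$(mode_to_octal -rw-r--r--)" \
        "$(mode_to_octal -rwsr-xr-x)" \
        "$(mode_to_octal -rwSr--r--)" \
        "$(mode_to_octal drwxrwsr-x)" \
        "$(mode_to_octal drwxrwxrwt)"
}

demo_special_bits   # prints: 0644 4755 4644 2775 1777
```

On a real system the input comes from stat, e.g. mode_to_octal "$(stat -c %A /usr/bin/passwd)" gives 4755 on a typical distribution. For the defender's side of this section, the usual inventory of files carrying these bits is find / -xdev -type f -perm /6000 (GNU find); any entry in that list that is not a known, package-managed program deserves a look, because whoever can run it gets the owner's or group's privileges.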