Linux permission system explained

When you are new to Linux or don't use Linux on a daily basis, finding out how file permissions work can be challenging. Here is a guide that is as short as possible and applies to UNIX, Linux, Mac OS X, FreeBSD, OpenBSD and other UNIX-like operating systems. We'll call those systems *nix in this guide.

*nix splits permissions into three groups for files and directories:

  1. Owner: the person/account that owns the file.
  2. Group: a set of users. One or more persons/accounts can be members of a group.
  3. World: if you're not the Owner and not a member of the Group of a specific file or directory, you automatically match World. Normally the permissions given to World are restricted.

Besides ownership of files and directories, certain permissions can be given as well:

  1. Read: the entity (Owner, Group or World) is allowed to read a file.
  2. Write: the entity is allowed to write to a file, or to create files in the directory for which these permissions are set.
  3. Execute: the entity is allowed to execute the file (scripts or binaries) or to change into this directory.

These permissions are set using chmod (change mode). Ownership of a file is altered with chown (change owner).

chmod needs to know which permissions you give to a file or directory. This value is built up from four fields.

The zeroth field represents the special bits (Set User id, Set Group id and Sticky bit, see below). Most users will not set these bits, which leaves this field at "0" by default, meaning: "No special permissions set."
The first field represents the permissions you give to the Owner.
The second field represents the permissions you give to the Group.
The third field represents the permissions you give to the World.

chmod uses numerical arguments to set permissions. To illustrate: chmod 750 myscript.sh changes the permissions of the file myscript.sh.

Read permission equals a value of 4.
Write permission equals a value of 2.
Execute permission equals a value of 1.

Add up the numbers representing the permissions you'd like to give to the Owner, Group or World.

So here is a list of common permissions:

  • 750 - The Owner may read, write and execute. The Group may read and execute (but not write). The World may not do anything with this file.
  • 755 - Same as above, but the World may now also read and execute the file.
  • 700 - The Owner may do everything; the Group and the World may not do anything.
  • 640 - The Owner may read and write, the Group may read, and the World may not do anything.
  • 644 - Same as above, but the World may now also read the file.
  • 600 - The Owner may read and write; the rest may not do anything.

Some "weird" permissions, mostly because they are broken or very rare:

  • 000 - Nobody may do anything with this file. This effectively archives the file; removing it might be more appropriate.
  • 007 - The Owner and Group can't do anything, but the World can. I can't think of a situation where this would apply.
  • 100 and 300 - The Owner may execute but not read, so executing it will not work.
  • 200 - The Owner may write but not read. The only situation I can imagine is a log file that some application may write to but is not allowed to read.

There are some special permissions you can give; these go into the zeroth field. To set no special permissions explicitly, you'd use chmod like this: chmod 0750 myscript.sh.

  1. Sticky bit: a value of 1. This bit is commonly set on directories and means that you may only remove files in such a directory that are owned by you. The filesystem /tmp commonly has this bit set: everyone can write there, but you can only remove/rename files that you own yourself.
  2. Set Group id: a value of 2. The file is executed as the Group of the file. Some groups have quite a few permissions. Imagine /bin/rm (used to remove files and directories) having the Set Group id bit set: all users in the Group of /bin/rm could remove a whole lot of files. When you use Set User id or Set Group id bits, you should be very sure you know what you are doing.
  3. Set User id: a value of 4. If this permission is given, the program is executed as the Owner of the file. This can be dangerous; think of a PHP script that tries to reboot a machine...

So 4750 means the file may be executed by the Owner and the Group, and it will run as the Owner.

Imagine a script with 4775 permissions owned by root:users: a member of the users group could edit the script, and the World could execute it with root's permissions!
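As an added example (not part of the original article), here is a small Python decoder for the octal modes explained above: it splits a mode such as 4775 into the four fields, renders it the way ls -l shows it, cross-checks that rendering against Python's own stat.filemode, and flags the dangerous combination described in the preceding paragraph (a Set User id or Set Group id file that the Group or World may also write). The function names and the owner_name parameter are my own choices.

```python
import stat

def parse_mode(mode_str):
    """Split a chmod-style octal string such as '4750' or '750' into the four
    fields the article describes: (special, owner, group, world), each 0-7."""
    if not mode_str or len(mode_str) > 4 or any(c not in "01234567" for c in mode_str):
        raise ValueError(f"not an octal chmod mode: {mode_str!r}")
    # A missing zeroth field means "no special permissions", i.e. 0.
    return tuple(int(c) for c in mode_str.zfill(4))

def rwx(field):
    """Render one 0-7 field as rwx: read = 4, write = 2, execute = 1."""
    return ("r" if field & 4 else "-") + ("w" if field & 2 else "-") + ("x" if field & 1 else "-")

def ls_style(mode_str):
    """Render the mode the way ls -l shows it (without the file-type column).
    Set User id replaces the Owner's x with s (S if there is no x), Set Group id
    does the same for the Group, and the Sticky bit replaces the World's x with t/T."""
    special, owner, group, world = parse_mode(mode_str)
    out = list(rwx(owner) + rwx(group) + rwx(world))
    for bit, pos, letter in ((4, 2, "s"), (2, 5, "s"), (1, 8, "t")):
        if special & bit:
            out[pos] = letter if out[pos] == "x" else letter.upper()
    return "".join(out)

def matches_stat_module(mode_str):
    """Cross-check ls_style against the standard library's stat.filemode."""
    expected = stat.filemode(stat.S_IFREG | int(mode_str, 8))[1:]
    return ls_style(mode_str) == expected

def risk_findings(mode_str, owner_name="root"):
    """Flag the dangerous combinations the article warns about. Returns a list
    of findings; an empty list means none of those patterns is present."""
    special, owner, group, world = parse_mode(mode_str)
    findings = []
    writable_by_others = bool((group | world) & 2)
    if special & 4 and writable_by_others:
        findings.append(f"Set User id file is writable by Group or World: "
                        f"whoever can edit it runs code as {owner_name}")
    if special & 2 and writable_by_others:
        findings.append("Set Group id file is writable by Group or World")
    # World-writable without the Sticky bit: anyone may change or delete it.
    if world & 2 and not special & 1:
        findings.append("World may write to this file or directory")
    return findings

if __name__ == "__main__":
    for mode in ("750", "644", "4750", "4775", "1777"):
        print(f"{mode:>4}  {ls_style(mode)}  {risk_findings(mode) or 'ok'}")
```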

Just to remind you once more: Set Group id and Set User id bits are dangerous; know what you are doing when using them!