File Permissions

| Command | Action |
| --- | --- |
| id | Print the user’s UID and group memberships |
| chmod | Change the access permissions of a file |
| umask | Change the default permissions of new files |
| su | Run a shell as root or another user |
| sudo | Run a command as root |
| chown | Change the owner of a file |
| chgrp | Change the group of a file |
| passwd | Change your password |
| adduser, deluser | Add and remove users from the system |
| usermod | Modify user attributes |

The Power of root

The root user of a Linux system is the administrator, also called the superuser. The root user is allowed to perform every function available on Linux, including many that are unavailable to unprivileged users. On Debian/Ubuntu systems you can access the power of root one command at a time using sudo (pronounced soo-doo).

File and Directory Permissions

Files and directories have permission settings that control who can access them. The permissions in the UNIX file system are more primitive than those in Windows, which uses an access control list. On a UNIX system there are three subjects that are important for controlling access.

| Subject | Description |
| --- | --- |
| User | The owner of the file or directory |
| Group | The group the file or directory belongs to |
| Others | Anyone that’s not the owner or in the group |

When you run the ls -l command you see three sets of permissions that contain a letter or a dash (-). The letters indicate what the subject is allowed to do. Possible accesses are:

| Access | Description |
| --- | --- |
| Read (r) | For files, this allows the subject to read the file. For directories, this allows ls to read the contents of the directory. |
| Write (w) | For files, this allows the subject to change the contents of the file (but not delete it). For directories, this allows you to create and remove files in the directory. |
| Execute (x) | For files, this allows them to be executed. For directories, this allows cd to change into the directory. |

Here’s an example of ls -l:

simben90@opus3:~$ ls -l 
total 76
drwxr-xr-x 2 simben90 simben90  4096 Mar  1 22:27 bin
-rw-r----- 1 simben90 simben90     0 Dec  3 22:12 butt
-rw-r--r-- 1 simben90 simben90    30 Dec  3 22:07 cis90.contribution
drwxrwxr-x 4 simben90 simben90  4096 Mar  1 21:58 class
-rw------- 1 simben90 simben90   373 Feb 12 08:07 dead.letter
drwxrwxr-x 2 simben90 simben90  4096 Mar  1 22:28 docs

Here’s how to understand the permissions on the cis90.contribution file:

| User (simben90) | Group (simben90) | Other |
| --- | --- | --- |
| rw- | r-- | r-- |
| Read/Write | Read Only | Read Only |

File Permissions and Binary

File permissions are expressed in binary. Counting in binary is easy once you get the hang of it. It’s just like counting in decimal, but you use powers of two instead of powers of 10. Let’s start with powers of 10 and consider the number 237. Each digit is in a place that has a place value.

| Hundred’s Place \(10^2\) | Ten’s Place \(10^1\) | One’s Place \(10^0\) |
| --- | --- | --- |
| 2 | 3 | 7 |

Add the value of all of the places together and you get the number. Binary works the same way, but instead of multiplying each place by 10 you multiply each place by 2. Here’s the number 237 in binary:

| 128’s Place \(2^7\) | 64’s Place \(2^6\) | 32’s Place \(2^5\) | 16’s Place \(2^4\) | 8’s Place \(2^3\) | 4’s Place \(2^2\) | 2’s Place \(2^1\) | 1’s Place \(2^0\) |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | 1 | 1 | 0 | 1 | 1 | 0 | 1 |

In each place where there is a 1 you add the place value. When you add all the places in the number above you get:

\(128 + 64 + 32 + 8 + 4 + 1 = 237\)

Not clicking for you? This table will help you remember the binary numbers to permissions mapping.

| Permission Decimal | Permission Binary | Permission Flags | Description |
| --- | --- | --- | --- |
| 0 | 000 | --- | No access |
| 1 | 001 | --x | Execute only. Not generally useful |
| 2 | 010 | -w- | Write only. Not generally useful |
| 3 | 011 | -wx | Write and execute. Not generally useful |
| 4 | 100 | r-- | Read only. |
| 5 | 101 | r-x | Read and execute. Common for directories. Allows the use of directories. Files can be changed but cannot be created or deleted. |
| 6 | 110 | rw- | Read write. Common for files. |
| 7 | 111 | rwx | Read, write and execute. For files allows the execution of a file as a program. For directories allows full access. |
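
The place-value mapping in the table above, carried out in the shell as an added example (not part of the original page): it converts the mode column of ls -l into the number chmod accepts, using the modes from the listing earlier on this page. The function names triplet_value and mode_to_number are made up for this illustration.

```shell
#!/bin/sh
# Added example: turn the permission flags printed by `ls -l` into the
# three-digit number used with chmod, one digit per subject.

# triplet_value FLAGS -> prints 0-7 for one subject's flags (e.g. "r-x" -> 5)
triplet_value() {
    case "$1" in
        [r-][w-][x-]) ;;                     # only r, w, x or a dash, in order
        *) return 1 ;;                       # anything else is rejected
    esac
    v=0
    case "$1" in r??) v=$((v + 4)) ;; esac   # 4's place: read
    case "$1" in ?w?) v=$((v + 2)) ;; esac   # 2's place: write
    case "$1" in ??x) v=$((v + 1)) ;; esac   # 1's place: execute
    printf '%s' "$v"
}

# mode_to_number MODE -> prints e.g. 644 for "-rw-r--r--"
# MODE is the 10-character first column of `ls -l`: file type + 9 flags.
mode_to_number() {
    [ "${#1}" -eq 10 ] || return 1
    flags=${1#?}                             # drop the file-type character
    u=$(triplet_value "$(printf '%s' "$flags" | cut -c1-3)") || return 1
    g=$(triplet_value "$(printf '%s' "$flags" | cut -c4-6)") || return 1
    o=$(triplet_value "$(printf '%s' "$flags" | cut -c7-9)") || return 1
    printf '%s%s%s\n' "$u" "$g" "$o"
}

# Modes copied from the ls -l listing on this page.
for m in drwxr-xr-x -rw-r----- -rw-r--r-- drwxrwxr-x -rw-------; do
    printf '%s  %s\n' "$m" "$(mode_to_number "$m")"
done
```

Flags outside the table on this page are rejected with a non-zero exit status rather than guessed at.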

Changing File Permissions

There are two ways to change file permissions. You can set them absolutely using a number in which each digit is the decimal value of the three binary permission bits for the user, group and others, in that order. For example:

$ chmod 640 dead.letter 
$ ls -l dead.letter 
-rw-r----- 1 simben90 simben90 373 Feb 12 08:07 dead.letter

You can also change permissions relatively by adding or subtracting access. For example, to add the ability for the group to write to the dead.letter file you would run the command:

$ chmod g+w dead.letter 

To subtract the ability for the group and others to read or write the dead.letter file you would run the command:

$ chmod go-rw dead.letter

Controlling Default Permissions with umask

The umask command controls the permissions of files and directories when they are created. The “mask” in umask signifies that bits in the umask disable or mask the corresponding permission bits. That means that the umask shows you the opposite of the permissions that will be created. Run umask without arguments on opus3 and you can see what the default umask is.

$ umask 
0002

This says that new files and directories will not be writable by others. This table will help you remember umask values.

| umask Decimal | umask Binary | Default Permission Flags |
| --- | --- | --- |
| 0 | 000 | rwx |
| 1 | 001 | rw- |
| 2 | 010 | r-x |
| 3 | 011 | r-- |
| 4 | 100 | -wx |
| 5 | 101 | -w- |
| 6 | 110 | --x |
| 7 | 111 | --- |
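
The masking described above, as an added example that is not part of the original page: it creates a file and a directory under several umask values and compares the result with the computed value. It assumes GNU stat (as on Debian/Ubuntu); the function names are made up for this illustration. The table shows the outcome for directories, which are requested with 777; regular files are requested with 666, so they never receive execute by default.

```shell
#!/bin/sh
# Added example: observe the effect of umask on newly created files and
# directories, and compute the same result from the mask bits.

# modes_under_umask MASK -> prints "<file mode> <directory mode>", e.g. "664 775"
modes_under_umask() {
    (
        tmp=$(mktemp -d) || exit 1           # scratch directory (constructed)
        umask "$1" || { rm -rf "$tmp"; exit 1; }   # affects this subshell only
        : > "$tmp/newfile"                   # the shell requests 666 for files
        mkdir "$tmp/newdir"                  # mkdir requests 777 for directories
        out="$(stat -c %a "$tmp/newfile") $(stat -c %a "$tmp/newdir")"
        rm -rf "$tmp"
        printf '%s\n' "$out"
    )
}

# expected_mode BASE MASK -> BASE with every bit that is set in MASK turned off
expected_mode() {
    printf '%o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# 0002 is the default shown on this page; 027 and 077 are stricter masks.
for mask in 0002 027 077; do
    printf 'umask %-4s created: %s   computed: %s %s\n' "$mask" \
        "$(modes_under_umask "$mask")" \
        "$(expected_mode 666 "$mask")" "$(expected_mode 777 "$mask")"
done
```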