
Linux Permissions

Linux permissions are simple to describe, but can be more complex to understand and use.

For the purpose of this discussion, Unix and Linux are the same. This article is about Linux permissions but almost everything would also apply to Unix.
Linux systems manage everything as files. A Windows user might be familiar with drives which contain files and folders, and folders alone can contain other files and folders. Folders and directories are essentially the same thing: a place that exists to contain other things. In reality a directory is a special type of file that makes it easier to organize things. As directories contain files and more directories, and those directories contain more directories, the structure drawn as a picture begins to resemble an upside-down tree. In fact, the structure is sometimes referred to as a tree, and the very top (the bottom of the tree) is referred to as the root. Every folder or file in Linux is stored somewhere inside the root.

The root directory is shown on a command line and referenced with the slash: / .
Using the ls command to see permissions
Typical Linux systems have directories of bin, home, etc, dev, proc, var and mount with a few additional ones that vary. To reference the bin directory in the root, you would refer to /bin, and to reference the home directory in the root, you'd refer to /home. Since they are actually files, you can see them with the same command you use to list information about any other file: ls. So to get a list of the files in the root, you could type the command: ls / and to get the list of information about the files in the etc directory in the root, you could type: ls /etc. There is additional information available with a long listing, which includes the permissions. To get a long listing, you use the command: ls -l. To get that information about a directory itself, you need to tell the ls command that it should show the extended information for the directory rather than the contents of the directory, with ls -ld.

If you use the command ls -ld / to see the root directory, you can expect to see something like this:
dr-xr-xr-x 1 root root 258 2011-05-19 21:25 /

The first part describes the permissions: dr-xr-xr-x

That's going to break down into four parts, so let's separate this one: d r-x r-x r-x

Each set of permissions has a single type indicator at the beginning, then three groups of settings for three kinds of users. The d here indicates that the file is a directory; then the first r-x is for the owner, the second r-x is for the group, and the last r-x is for anyone else.

The three types of permissions are read, write and execute. Read is indicated with an "r" and write is indicated with a "w" and execute is indicated with an "x." For this listing, you can see that it is:
  1. A directory
  2. Readable and Executable by the owner
  3. Readable and Executable by the group
  4. Readable and Executable by everyone else
In order to see the contents of a directory, it must be set to executable for whatever user you happen to be. Our listing also tells us who the owner is and what group the file belongs to, with the owner first and the group second. Both are root in this example, so another example is helpful.

Consider this listing:
drwxrwxr-x 1 root pg21 0 2011-07-09 23:40 /var/www/nginx-default/local

Note that it is also a directory and that the owner is root, but the group is pg21. The permission set: drwxrwxr-x tells us:
  1. This is a directory
  2. It is Readable, Writable and Executable by the owner (root)
  3. It is Readable, Writable and Executable by the group (pg21)
  4. It is Readable and Executable by everyone else
In simple terms, we know now that anyone who is a member of the pg21 group can edit the contents of the directory but users who aren't can only view it. The user "root" is a special user that can access or modify anything, so it can be assumed to have control anyway if needed, but it is explicitly stated here as the owner so group pg21 membership is required for any normal user that would need to modify the contents.

Let's examine a regular file. For this we'll use the command: ls -l /home/normal/authorized_keys
which shows this listing:
-rw-r----- 1 normal pg21 457 2011-07-20 22:08 /home/normal/authorized_keys

In this case the owner is the user called "normal" and the group is "pg21."
We can tell:
  1. This is a regular file: not a directory, a link or a block device
  2. The owner (normal) has Read and Write permissions (but not Execute, so it can't be run as a program)
  3. The group (pg21) can Read but not Write or Execute
  4. Other users cannot do anything with the file
When trying to change or view multiple things at once, it is possible to specify part of a name and let the system complete the rest. With most commands you can use the * to stand in for the unknown part of a name, which may match several names at once. Using the command ls /etc/host* for example would return a list that would include /etc/hosts and /etc/hosts.allow and /etc/hosts.deny and potentially others.
Many Linux commands can also affect multiple levels of folders and files at once. With commands like ls -R you see not only the directory that you're targeting, but all the files and folders that it contains.

Modifying permissions

Permissions are modified with the chmod command. To give the group permission to read and write to a file /home/normal/authorized_keys you would use: chmod g+rw /home/normal/authorized_keys, and to take away read access for users other than the owner and group from the same file you could use: chmod o-r /home/normal/authorized_keys.

Permissions are stored as bits, so it is also possible to specify the permission change numerically. You'll often see directions to run a command written that way, so it is helpful to know a couple of them as well.
chmod 0774 would give (7 aka 1+2+4) execute, and read and write permissions to the owner and the same to the group but only read to others. Execute is permission 1, Read is permission 2 and Write is permission 4. With this combination, you can know that chmod 754 makes the file (1+2+4) Executable, Writable and Readable for the owner, Executable and Readable for the group and readable for others.

Directories need to be set to Read, Write and Execute in order for someone to list their contents and change them, so it isn't uncommon to see instructions to use the command: chmod 777 -R directory_name. This command makes directory_name, everything it contains and everything its subdirectories contain readable, writable and executable by anyone, which means every user on the system, not only members of the owning group, can then change or replace those files.
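As an added example (not part of the original article), the following Python applies the rules above to the three listings quoted on this page: it splits an ls -l line into its fields, converts each rwx triplet to its octal digit using the standard weights r=4, w=2, x=1, applies symbolic chmod clauses such as g+rw and o-r to a mode, and flags the world-writable state that chmod 777 -R leaves behind.

```python
import re

BITS = {"r": 4, "w": 2, "x": 1}   # standard octal weight of each permission bit
WHO = {"u": 0, "g": 1, "o": 2}    # owner, group, others -> position of the digit

def to_octal(triplets):
    """['rwx', 'r-x', 'r--'] -> '754'."""
    return "".join(str(sum(BITS[c] for c in t if c != "-")) for t in triplets)

def from_octal(octal):
    """'754' -> ['rwx', 'r-x', 'r--']; a leading 0 as in 0774 is ignored."""
    return ["".join(c if int(d) & b else "-" for c, b in BITS.items())
            for d in octal[-3:]]

def parse_ls_line(line):
    """Split an `ls -l` / `ls -ld` line with ISO dates, as in the listings above.
    Setuid/setgid/sticky bits are not handled; an SELinux '.' or ACL '+'
    right after the permissions is accepted and ignored."""
    m = re.match(r"([-dlbcps])([rwx-]{9})[.+]?\s+\d+\s+(\S+)\s+(\S+)"
                 r"\s+\d+\s+\S+\s+\S+\s+(.+)$", line)
    if not m:
        raise ValueError("not an ls -l line: " + line)
    kind, perms, owner, group, path = m.groups()
    triplets = [perms[0:3], perms[3:6], perms[6:9]]
    return {"kind": kind, "triplets": triplets, "owner": owner,
            "group": group, "path": path, "octal": to_octal(triplets)}

def apply_chmod(octal, spec):
    """Apply symbolic clauses like 'g+rw', 'o-r' or 'u+x,o-rwx' to a mode."""
    digits = [int(d) for d in octal[-3:]]
    for clause in spec.split(","):
        m = re.fullmatch(r"([ugoa]+)([+=-])([rwx]*)", clause)
        if not m:
            raise ValueError("unsupported chmod clause: " + clause)
        who, op, perms = m.groups()
        bits = sum(BITS[c] for c in perms)
        for i in (WHO[w] for w in ("ugo" if "a" in who else who)):
            # '+' adds the bits, '-' removes them, '=' replaces the digit
            digits[i] = {"+": digits[i] | bits, "-": digits[i] & ~bits, "=": bits}[op]
    return "".join(str(d) for d in digits)

def world_writable(octal):
    """True when 'others' can write: the state chmod 777 -R leaves behind."""
    return bool(int(octal[-1]) & BITS["w"])

# Constructed sample input: the three listings quoted in the article.
SAMPLE = [
    "dr-xr-xr-x 1 root root 258 2011-05-19 21:25 /",
    "drwxrwxr-x 1 root pg21 0 2011-07-09 23:40 /var/www/nginx-default/local",
    "-rw-r----- 1 normal pg21 457 2011-07-20 22:08 /home/normal/authorized_keys",
]
```

The parser assumes the ISO date layout shown in the listings above; a system that prints dates as "Jul 20 22:08" needs the date part of the pattern adjusted.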

Modifying ownership

Ownership is managed with the chown command. It is how you can change the owner or group that a file belongs to. To change the owner of /home/normal/myfile so that it belongs to the user called "bob" you would use the command: chown bob /home/normal/myfile, but if you wanted to change the group to pg21 at the same time, you could use chown bob:pg21 /home/normal/myfile instead.

Changing group ownership without changing the owner is also possible with chgrp, which works mostly the same way but without the need to specify an owner. To change the group membership you could use: chgrp pg21 /home/normal/myfile.

Bonus Section - SE Linux

SE Linux, aka Security Enhanced Linux, is basically the standard Linux kernel hacked up to be super secure by the NSA then reviewed and further tweaked by companies like Red Hat and Google. SE Linux goes a long way to ensuring your server or desktop is hard to break into.

However, it can be a bit of a nuisance to deal with.

Fortunately, I've found things that make it much easier:
  1. yum install policycoreutils-python lets you use: audit2allow -w -a which shows you the last few blocks (denials) with easier-to-understand descriptions and instructions for allowing them.
  2. restorecon -Rv /var/www/html/test.html /var/www/html to reset the SELinux context of that path to its normal default (like when you copy the HTML folder from another server or backup)
  3. chcon -R --reference /var/www/html/index.html /var/www/html/newpage(s).withProblem.html to set the SELinux context on one or more files so that it matches the context of a reference file that already has the desired one.