Linux Permissions

Linux permissions are simple to describe, but can be more complex to understand and use.

For the purpose of this discussion, Unix and Linux are the same. This article is about Linux permissions but almost everything would also apply to Unix.

Linux systems manage everything as files. A Windows user might be familiar with drives which contain files and folders, and folders alone can contain other files and folders. Folders and directories are essentially the same thing: a place that exists to contain other things. In reality a directory is a special type of file that makes it easier to organize things. As directories contain files and more directories, and those directories contain more directories, the structure drawn as a picture begins to resemble an upside down tree. In fact, the structure is often referred to as a tree and the very top (or, for a real tree, the bottom) is referred to as the root. Every directory or file in Linux is stored somewhere inside the root.

The root directory is referenced on the command line with a single slash: /

Using the ls command to see permissions

Typical Linux systems have directories named bin, home, etc, dev, proc, var and mnt in the root, with a few additional ones that vary between distributions. To reference the bin directory in the root you would refer to /bin, and to reference the home directory in the root you would refer to /home. Since directories are actually files, you can see them with the same command you use to list information about any other file: ls. So to get a list of the files in the root you could type: ls / and to list the files in the etc directory you could type: ls /etc. There is additional information available with a long listing, which includes the permissions; to get it, use: ls -l. To get that information about a directory itself rather than about its contents, tell ls to describe the directory instead of listing what is inside it with: ls -ld.

A long listing starts with a ten-character permission field. The first character is the file type (d for a directory, - for a regular file, l for a symbolic link) and the remaining nine are three groups of rwx, for the owner, the group and everyone else, with - where a permission is absent. For a directory the read bit lets you list the names in it and the execute bit lets you enter it and open the entries, so in practice a directory needs both for you to see and use its contents. The listing also tells us who the owner is and what group the file belongs to, with the owner first and the group second. For system directories such as those in the root both are usually root, so another example is helpful.

Consider this listing:

drwxrwxr-x 1 root pg21 0 2011-07-09 23:40 /var/www/nginx-default/local

Note that it is a directory (the leading d) and that the owner is root, but the group is pg21. The permission set drwxrwxr-x tells us: the owner root can read, write and execute (rwx); members of the group pg21 can also read, write and execute (rwx); everyone else can read and execute but not write (r-x).

In simple terms, we now know that anyone who is a member of the pg21 group can add, remove or rename files in the directory, but users who aren't can only list and enter it. The user "root" is a special user that can access or modify anything regardless of these bits, so it would have control anyway, but it is explicitly stated here as the owner, so pg21 group membership is required for any normal user that needs to modify the contents.

Let's examine a regular file; for this we'll use the command: ls -l /home/normal/authorized_keys

which shows this listing:

-rw-r----- 1 normal pg21 457 2011-07-20 22:08 /home/normal/authorized_keys

In this case the owner is the user called "normal" and the group is "pg21."

We can tell: the owner normal can read and write the file (rw-) but not execute it, which is what you want for a data file; members of the pg21 group can only read it (r--); everyone else has no access at all (---).
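The two listings above can be read mechanically. The following Python is an added example, not code from the original article: it parses ls -l style lines into mode bits and then applies the classic Unix rule for deciding whether a given user may read, write or execute an entry. The sample lines are constructed from the two entries discussed in the text; the user names alice, carol and dave and their group memberships are invented for the demonstration, and the root handling models only the ordinary discretionary check (no ACLs, capabilities or SELinux).

```python
import stat

# Constructed sample in the shape of `ls -l` output, using the two entries the
# text discusses; the lines are embedded here rather than read from a system.
LISTING = """\
drwxrwxr-x 1 root pg21 0 2011-07-09 23:40 /var/www/nginx-default/local
-rw-r----- 1 normal pg21 457 2011-07-20 22:08 /home/normal/authorized_keys
"""

def parse_mode(perm):
    """Turn a ten-character ls permission field such as 'drwxrwxr-x' into
    (kind, mode_bits). The bits use the same layout as st_mode, so
    stat.filemode() reproduces the string and oct() gives the chmod number."""
    if len(perm) != 10:
        raise ValueError(f"bad permission field: {perm!r}")
    kind, bits = perm[0], 0
    for i, ch in enumerate(perm[1:]):
        shift = 8 - i                       # owner r is bit 8 (0o400), others x is bit 0
        if ch in "rwx":
            bits |= 1 << shift
        elif ch in "sS" and i in (2, 5):    # setuid/setgid shown on the x position
            bits |= stat.S_ISUID if i == 2 else stat.S_ISGID
            if ch == "s":                   # lowercase means x is set as well
                bits |= 1 << shift
        elif ch in "tT" and i == 8:         # sticky bit on the others' x position
            bits |= stat.S_ISVTX
            if ch == "t":
                bits |= 1 << shift
        elif ch != "-":
            raise ValueError(f"unexpected character {ch!r} in {perm!r}")
    return kind, bits

def parse_listing(text):
    """Split long-listing lines into the fields that matter for access decisions."""
    entries = []
    for line in text.splitlines():
        fields = line.split(None, 7)        # perms links owner group size date time name
        if len(fields) < 8:
            continue
        kind, mode = parse_mode(fields[0])
        entries.append({"kind": kind, "mode": mode, "owner": fields[2],
                        "group": fields[3], "path": fields[7]})
    return entries

def can_access(entry, user, groups, want):
    """Classic Unix permission check for want in 'r', 'w', 'x'.

    Exactly one class is consulted: the owner bits if user owns the file,
    otherwise the group bits if user belongs to the file's group, otherwise
    the others bits. An owner who is also in the group is judged by the owner
    bits alone (a mode such as ----rwx--- grants the group more than the owner).
    """
    if user == "root":
        # root bypasses read/write checks and directory search, but executing a
        # regular file still needs at least one x bit somewhere in the mode.
        return want != "x" or entry["kind"] == "d" or bool(entry["mode"] & 0o111)
    if user == entry["owner"]:
        shift = 6
    elif entry["group"] in groups:
        shift = 3
    else:
        shift = 0
    bit = {"r": 4, "w": 2, "x": 1}[want]
    return bool(entry["mode"] & (bit << shift))

if __name__ == "__main__":
    for e in parse_listing(LISTING):
        print(oct(e["mode"]), e["path"])
        for who, grps in (("normal", {"pg21"}), ("alice", {"pg21"}), ("dave", set())):
            print("  ", who, "".join(w if can_access(e, who, grps, w) else "-" for w in "rwx"))
```

The point worth remembering from can_access is that the classes are not cumulative: the kernel picks one of owner, group or others and uses only that triplet, which is why a file owned by normal with mode rw-r----- is readable by pg21 members but not writable, even though normal is in pg21 too.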

Modifying permissions

Permissions are modified with the chmod command. To give the group permission to read and write the file /home/normal/authorized_keys you would use: chmod g+rw /home/normal/authorized_keys and to take away read access from users who are neither the owner nor in the group you could use: chmod o-r /home/normal/authorized_keys (the letters are u for the owner, g for the group, o for others and a for all three; + adds permissions, - removes them and = sets them exactly). Note that on a real ~/.ssh/authorized_keys this would be a bad idea: sshd with StrictModes enabled, which is the default, refuses a key file that is writable by the group or by others.

Permissions are stored as bits and are usually written as an octal number, one digit each for the owner, the group and others, so you will often see instructions that use that form. Read is 4, write is 2 and execute is 1, and each digit is the sum of the permissions it grants: 7 (4+2+1) is read, write and execute, 6 is read and write, 5 is read and execute, 4 is read only. So chmod 774 gives read, write and execute to the owner and the same to the group but only read to others, and chmod 754 makes the file readable, writable and executable for the owner, readable and executable for the group and readable for others. A leading fourth digit, as in chmod 0774, holds the setuid, setgid and sticky bits; 0 means none of them is set.

Directories need read to list their contents and execute (search) to be entered, plus write to create, delete or rename entries, so it isn't uncommon to see instructions to use the command: chmod 777 -R directory_name (GNU chmod accepts the -R option after the mode; chmod -R 777 directory_name is the conventional order). This command makes directory_name, everything it contains and everything its subdirectories contain readable, writable and executable by every user on the system. That is almost never what is actually needed: any local user, including a compromised service account, can then replace those files. The usual choice is 755 for directories and 644 for files, or the symbolic form with a capital X, which applies execute only to directories and to files that are already executable for someone.
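To make the octal arithmetic and the recursive case concrete, here is an added Python example (not code from the original article) that builds modes from the 4/2/1 digits, applies symbolic clauses such as g+rw and o-r, and then runs the chmod -R 777 scenario against a constructed tree in a temporary directory, reading back what the kernel stored and counting the world-writable paths before and after a safer recursive fix. apply_symbolic is an assumed, simplified re-implementation of part of chmod's grammar, and the file names and contents in run_demo are constructed for the demonstration.

```python
import os
import stat
import tempfile

READ, WRITE, EXEC = 4, 2, 1               # the values each octal digit is built from

def octal_from_triplets(owner, group, others):
    """Combine three digits into a mode, e.g. (7, 5, 4) -> 0o754."""
    for d in (owner, group, others):
        if not 0 <= d <= 7:
            raise ValueError("each digit is a sum of 4, 2 and 1")
    return (owner << 6) | (group << 3) | others

def apply_symbolic(mode, spec):
    """Apply one chmod-style clause such as 'g+rw', 'o-r' or 'a=r' to mode.
    Assumption: a small re-implementation for illustration that covers
    u/g/o/a with +, - and = on r/w/x; it is not chmod's full grammar."""
    who, op, perms = spec[0], spec[1], spec[2:]
    shifts = [6, 3, 0] if who == "a" else [{"u": 6, "g": 3, "o": 0}[who]]
    bits = sum({"r": READ, "w": WRITE, "x": EXEC}[p] for p in perms)
    for shift in shifts:
        if op == "+":
            mode |= bits << shift
        elif op == "-":
            mode &= ~(bits << shift)
        elif op == "=":
            mode = (mode & ~(7 << shift)) | (bits << shift)
        else:
            raise ValueError(f"unknown operator in {spec!r}")
    return mode

def mode_of(path):
    """The permission bits the kernel has stored, i.e. what ls -l shows."""
    return stat.S_IMODE(os.lstat(path).st_mode)

def walk_paths(root):
    """root plus every directory and file below it (symlinks are not followed)."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    return paths

def chmod_recursive(root, mode):
    """Equivalent of `chmod -R <mode> root`: the same bits on everything."""
    for p in walk_paths(root):
        os.chmod(p, mode)

def chmod_recursive_safe(root, dir_mode=0o755, file_mode=0o644):
    """The usual replacement for chmod -R 777: directories get x so they can be
    entered, files do not become executable and nothing is world-writable.
    For a tree with no executables this matches `chmod -R u=rwX,g=rX,o=rX`."""
    for p in walk_paths(root):
        os.chmod(p, dir_mode if os.path.isdir(p) else file_mode)

def world_writable(root):
    """Audit helper: paths under root (inclusive) that any user may write to."""
    return sorted(p for p in walk_paths(root) if mode_of(p) & stat.S_IWOTH)

def run_demo():
    """Build a small constructed tree, apply the commands from the text and
    report the modes read back from the filesystem."""
    with tempfile.TemporaryDirectory() as tmp:
        local = os.path.join(tmp, "local")
        os.mkdir(local)
        for rel in ("authorized_keys", os.path.join("local", "index.html")):
            with open(os.path.join(tmp, rel), "w") as fh:
                fh.write("constructed sample content\n")
        keys = os.path.join(tmp, "authorized_keys")
        os.chmod(keys, 0o600)
        os.chmod(keys, apply_symbolic(mode_of(keys), "g+rw"))   # chmod g+rw
        os.chmod(keys, apply_symbolic(mode_of(keys), "o-r"))    # chmod o-r (no-op here)
        result = {"keys_after_g+rw_o-r": mode_of(keys)}
        chmod_recursive(tmp, 0o777)                              # chmod -R 777
        result["world_writable_after_777"] = len(world_writable(tmp))
        chmod_recursive_safe(tmp)
        result["world_writable_after_safe"] = len(world_writable(tmp))
        result["dir_after_safe"] = mode_of(local)
        result["file_after_safe"] = mode_of(keys)
        return result

if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {oct(v) if k.startswith(('dir', 'file', 'keys')) else v}")
```

world_writable is the check to run after any recursive chmod: the tree of four entries ends up with four world-writable paths after the 777 pass and none after the safe pass, and the same walk over a real web root is a quick way to find what an earlier chmod -R 777 left behind.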

Wildcards

When trying to change or view multiple things at once, you can specify part of a name and let the shell match the rest. With most commands you can use * to stand for any run of characters, including none; the shell expands the pattern into the matching names before the command runs, so the command itself never sees the *. Using the command ls /etc/host* for example would return a list that would include /etc/hosts, /etc/hosts.allow and /etc/hosts.deny and potentially others.

Recursion

Many Linux commands can act on multiple levels of directories and files at once, which is called recursion. With ls -R you see not only the directory you're targeting but all the files and directories it contains, at every depth. The same -R flag exists on chmod and chown, which is what makes a recursive permission change both convenient and dangerous: one command affects every file below the starting point.

Modifying ownership

Ownership is managed with the chown command. It is how you change the owner or the group that a file belongs to. To change the owner of /home/normal/myfile so that it belongs to the user called "bob" you would use the command: chown bob /home/normal/myfile but if you wanted to change the group to pg21 at the same time, you could use chown bob:pg21 /home/normal/myfile instead. On Linux only root can give a file to another user; an ordinary user can only change the group, and only to a group that user is a member of.

Changing group ownership without changing the owner is also possible with chgrp, which works mostly the same way but without the need to specify an owner. To change the group you could use chgrp pg21 /home/normal/myfile

Bonus Section - SE Linux

SELinux, aka Security-Enhanced Linux, adds mandatory access control on top of the standard permissions described above: a system policy decides what each process may access, and that check is made in addition to the rwx bits, not instead of them, so both must allow an access. It was originally developed by the NSA as a set of kernel patches, merged into the mainline kernel, and further developed by companies like Red Hat and Google. SELinux goes a long way to ensuring your server or desktop is hard to break into.

However, it can be a bit of a nuisance to deal with.

Fortunately, I've found things that make it much easier: