Manipulating Owner and Group Information in Linux and Unix

As I mentioned in my post about file security, every file and directory in Linux has an owner and a group associated with it. The need commonly arises to change the user or group ownership of files or directories. For example, if the user sally, in group finance, is responsible for a number of files and Sally gets transferred to the purchasing group, the ownership of the files might need to be changed to marge because Marge is the user who is taking Sally’s place in finance. The chown command is used to change file or directory ownership.

As another example if a number of files that are currently accessed by the test group are ready for production and need to be changed to the prod group, the chgrp command can be used to give access to the prod group.

Actually the chown command can be used to change both user and group ownership, while the chgrp command can only be used to change group ownership. This command will be covered later in this chapter. When using either chown or chgrp commands, the system will first check the permissions of the user issuing the commands to make certain they have sufficient permissions to make the change.

Now we’ll look at some examples of how to use the chown and chgrp commands. We’ll start with the chgrp command, then look at chown and then finally see how chown can be used to do the work of both!

Change Group Ownership

The chgrp command is used to change the group with which a file is associated. The first thing you will need to provide this command is the group which you want to change the file or directory to. After that you can list a single file or directory to be changed or list several entities separated by spaces. The chgrp command will not have any effect on the access granted to the group (the rw- in the middle of the three permission sets) but will change who can use those permissions.

Using the chgrp Command on a File

# ls -l
total 12
-rw-rw-r-- 1 tclark authors 2229 Jan 13 21:35 declaration.txt
-rw-rw-r-- 1 tclark authors 1310 Jan 13 17:48 gettysburg.txt
-rw-rw-r-- 1 tclark authors 360 Jan 13 17:48 preamble.txt
# chgrp presidents gettysburg.txt
# ls -l
total 12
-rw-rw-r-- 1 tclark authors 2229 Jan 13 21:35 declaration.txt
-rw-rw-r-- 1 tclark presidents 1310 Jan 13 17:48 gettysburg.txt
-rw-rw-r-- 1 tclark authors 360 Jan 13 17:48 preamble.txt

The chgrp command works the same for directories as it does for files. In the following example, the group ownership of the directory called examples will be changed. Directories are identified by the letter d in the first column of the ls -l display.

Using the chgrp Command on a Directory

# ls -l
total 4
-rw-rw-r-- 1 tclark tclark 0 Jan 13 21:13 example1.fil
-rw-rw-r-- 1 tclark tclark 0 Jan 13 21:13 example2.xxx
drwxrwxr-x 2 tclark tclark 4096 Jan 13 21:35 examples
# chgrp authors examples
# ls -l
total 4
-rw-rw-r-- 1 tclark tclark 0 Jan 13 21:13 example1.fil
-rw-rw-r-- 1 tclark tclark 0 Jan 13 21:13 example2.xxx
drwxrwxr-x 2 tclark authors 4096 Jan 13 21:35 examples

You can change the group for multiple files and/or directories by using the -R (recursive) option for the chgrp command. This is one of the few commands (we’ll see two of the others shortly) which use an upper-case R for the recursive option. When applied on a directory the -R option will apply the chgrp command to the directory and all its subdirectories and files. Care should be taken when using the -R option.

Next we’ll look at changing the ownership of files.

Change User Ownership

The chown (change owner) command can be used to change ownership of a file or directory. The syntax is very similar to chgrp.

# ls -l
total 12
-rw-rw-r-- 1 tclark authors 2229 Jan 13 21:35 declaration.txt
-rw-rw-r-- 1 tclark authors 1310 Jan 13 17:48 gettysburg.txt
-rw-rw-r-- 1 tclark authors 360 Jan 13 17:48 preamble.txt
# chown abe gettysburg.txt
# ls -l
total 12
-rw-rw-r-- 1 tclark authors 2229 Jan 13 21:35 declaration.txt
-rw-rw-r-- 1 abe authors 1310 Jan 13 17:48 gettysburg.txt
-rw-rw-r-- 1 tclark authors 360 Jan 13 17:48 preamble.txt

Just like with chgrp we see that chown accepts the username of the user who should get ownership and the file or directory to change. Again we could list multiple files or directories here with spaces separating them.

The chown command can be used to change the group ownership instead of the user ownership of a file or directory. If you wish to use chown to change the group ownership you can list a group preceded with either a colon (:) or a period (.). Here’s an example of how to use chown to change the group ownership of a file:

# ls -l
total 12
-rw-rw-r-- 1 tclark authors 2229 Jan 13 21:35 declaration.txt
-rw-rw-r-- 1 abe authors 1310 Jan 13 17:48 gettysburg.txt
-rw-rw-r-- 1 tclark authors 360 Jan 13 17:48 preamble.txt
# chown :presidents gettys*
# ls -l
total 12
-rw-rw-r-- 1 tclark authors 2229 Jan 13 21:35 declaration.txt
-rw-rw-r-- 1 abe presidents 1310 Jan 13 17:48 gettysburg.txt
-rw-rw-r-- 1 tclark authors 360 Jan 13 17:48 preamble.txt

If you wish to simultaneously change both the user and group ownership of a file you can specify the user and group in the format of user:group.

In the following example the user will be changed back to tclark and the group back to authors using a single command.

Using the chown Command to Change File Ownership

# ls -l
total 12
-rw-rw-r-- 1 tclark authors 2229 Jan 13 21:35 declaration.txt
-rw-rw-r-- 1 abe presidents 1310 Jan 13 17:48 gettysburg.txt
-rw-rw-r-- 1 tclark authors 360 Jan 13 17:48 preamble.txt
# chown tclark:authors gettys*
# ls -l
total 12
-rw-rw-r-- 1 tclark authors 2229 Jan 13 21:35 declaration.txt
-rw-rw-r-- 1 tclark authors 1310 Jan 13 17:48 gettysburg.txt
-rw-rw-r-- 1 tclark authors 360 Jan 13 17:48 preamble.txt

Here we see the user and group have been changed with a single command. Just like with chgrp, the chown command will take the -R (recursive) option and apply the chown command to a directory and its subdirectories. This should be used with care.
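
One way to act on the "use with care" advice for chgrp -R and chown -R is to list what a recursive run would touch before running it. The script below is an added example, not part of the original post; the function name preview_group_change, the tags it prints and the demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): dry run for a recursive
# group change. Nothing is modified; the function only lists entries.

# preview_group_change DIR GROUP
#   Prints one tagged line for every entry under DIR not already in GROUP:
#     LINK    symbolic link; what chgrp/chown -R does with it depends on
#             the -h, -H, -L and -P options, so review each one
#     SETID   regular file with the setuid or setgid bit, whose owner and
#             group decide the identity it runs as
#     CHANGE  any other file or directory whose group would change
preview_group_change() {
    dir=$1
    group=$2
    # find does not follow symbolic links by default, so the walk itself
    # stays inside DIR.
    find "$dir" ! -group "$group" \( \
        -type l -exec printf 'LINK    %s\n' {} \; -o \
        -type f \( -perm -4000 -o -perm -2000 \) \
            -exec printf 'SETID   %s\n' {} \; -o \
        -exec printf 'CHANGE  %s\n' {} \; \)
}

# Constructed demo tree; file names borrowed from the listings above.
demo=$(mktemp -d)
touch "$demo/gettysburg.txt" "$demo/report-tool"
chmod 4755 "$demo/report-tool"
ln -s gettysburg.txt "$demo/latest"
# A numeric GID the demo files are not in, so every entry is reported.
preview_group_change "$demo" "$(( $(id -g) + 1 ))"
rm -rf "$demo"
```

To preview an owner change instead, replace -group with -user in the find expression.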

For more tips like this check out my book Easy Linux Commands, only $19.95 from Rampant TechPress.


Steve Jobs – Thoughts on Music and DRM

Ever wonder what the CEO of one of the world’s leading music retailers thinks of Digital Rights Management? Today Steve Jobs of Apple Inc. told us in a message titled “Thoughts on Music” which I hope we will some day look back on as the beginning of the end for DRM.

In the post Jobs clearly presents the current situation (each vendor has their own library of music, protected by their own DRM which will only work on their own software and devices) and offers up three possible futures, the most interesting of which is the third:

The third alternative is to abolish DRMs entirely. Imagine a world where every online store sells DRM-free music encoded in open licensable formats. In such a world, any player can play music purchased from any store, and any store can sell music which is playable on all players. This is clearly the best alternative for consumers, and Apple would embrace it in a heartbeat. If the big four music companies would license Apple their music without the requirement that it be protected with a DRM, we would switch to selling only DRM-free music on our iTunes store. Every iPod ever made will play this DRM-free music.

Why would the big four music companies agree to let Apple and others distribute their music without using DRM systems to protect it? The simplest answer is because DRMs haven’t worked, and may never work, to halt music piracy.

If you are interested in DRM or would like to learn more about it and why it’s such a hot topic right now, I highly recommend reading Jobs’ entire post. Remember, Apple is currently ahead in this field and if anything has the most to lose if they lost their brand lock-in.


A different kind of programming contest

Nobody will dispute that testing your code is an essential, but often neglected, step in good development. Effective testing, not of the whole application but of portions of it, is the focus of the Oracle Development Tools User Group PL/SQL Test-A-Thon, to be held February 28-March 1 of this year in California.

Here’s how the challenge works:
After the end of sessions on the first day, you will be presented with four programs that perform typical operations—nothing exotic. Along with those programs come supporting test data, a list of tests that you need to perform, and the results you should get for each test (most will be successful, but some will fail). You will then have one hour to write a test to show which tests succeed and which fail for the programs. Your test results should be self-verifying. That is, we will not manually verify your tests to see if they worked or not.

Check out more about the contest and about the Oracle Development Tools User Group conference. While not overly active, the Oracle Development Tools User Group site has some interesting content as well.


Linux and UNIX File Security

Linux file security is quite simplistic in design, yet quite effective in controlling access to files and directories.

Directories and the files which are stored in them are arranged in a hierarchical tree structure. Access can be controlled for both the files and the directories allowing a very flexible level of access.

File Security Model

In Linux, every file and every directory is owned by a single user on that system. Each file and directory also has a security group associated with it that has access rights to the file or directory. If a user is neither the owner of the file or directory nor a member of its security group, that user is classified as other and may still have certain rights to access the file.

Each of the three file access categories, owner, group, and other, has a set of three access permissions associated with it. The access permissions are read, write, and execute.

A user may belong to more than one group. Regardless of how many groups a user belongs to, if permissions are granted on a file or directory to one of the user’s groups they will have the granted level of access. You can check what groups a user belongs to with the groups command.

$ groups tclark
tclark : authors users

The groups command is called with one argument, the username you want to investigate. As you can see above, the output lists the username and all the groups they belong to. In this output tclark belongs to the groups authors and users.

From the information previously presented about file and directory commands, using the -l option with the ls command will display the file and directory permissions as well as the owner and group as demonstrated below:

Viewing permissions, owner and group


The ls -l command is the best way to view file and directory ownership and permissions. Now let’s look at what each of these permissions does.

File Permissions

File permissions are represented by positions two through ten of the ls -l display. The nine character positions consist of three groups of three characters. Each three character group indicates read (r), write (w), and execute (x) permissions.

The three groups indicate permissions for the owner, group, and other users respectively.

Breakdown of the permissions listing


In the example above, both the owner and the group have read (r) and write (w) permissions for the file, while other users have only read (r) permission.

The example below indicates read, write, and execute (rwx) permissions for the owner, read and execute (r-x) permissions for the group, and no permissions for other users (---).

Another permission listing breakdown


The alphabetic permission indicators are commonly assigned numeric values according to the scheme shown in the table below:

Alpha  Numeric  Permission
-      0        No permission granted
x      1        Execute permission granted
w      2        Write permission granted
r      4        Read permission granted

Then, each three character permission group can be assigned a number from zero to seven calculated by adding together the three individual numeric permissions granted. For example, if the owner has read, write, and execute permissions, the owner’s permissions can be represented by the single digit 7 (4+2+1). If the group has read and execute permissions, that can be represented by the single digit 5 (4+0+1). If other users have no permissions, that can be represented by the single digit 0 (0+0+0). These three numbers would then be listed in the order of owner, group, other, in this case 750 as a way to definitively describe the permissions on this file.
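
The calculation described above can be applied directly to the first column of an ls -l listing. The function below is an added example, not part of the original post; the name mode_to_octal is an assumption, and it goes beyond the text by also reporting the setuid, setgid and sticky bits (shown by ls as s, S, t or T in the execute position) as a leading fourth digit.

```shell
#!/bin/sh
# Added example (not from the original post): convert the mode column of
# `ls -l` (for example -rwxr-x---) to its numeric form (750).

# mode_to_octal MODE
#   Prints the octal permissions; returns 1 if MODE is not a valid string.
mode_to_octal() {
    perms=${1#?}                              # drop the file-type character
    perms=${perms%"${perms#?????????}"}       # keep 9 chars, ignore . or +
    case $perms in
        [r-][w-][xsS-][r-][w-][xsS-][r-][w-][xtT-]) ;;
        *) echo "mode_to_octal: bad mode string: $1" >&2; return 1 ;;
    esac
    special=0
    digits=
    # One pass per triplet: owner, group, other. The weight is the value
    # of that triplet's special bit: setuid=4, setgid=2, sticky=1.
    for weight in 4 2 1; do
        t=${perms%"${perms#???}"}             # first three characters
        perms=${perms#???}
        d=0
        case $t in r??) d=$((d + 4)) ;; esac
        case $t in ?w?) d=$((d + 2)) ;; esac
        # Lower-case s or t means execute is set as well as the special bit.
        case $t in ??[xst]) d=$((d + 1)) ;; esac
        case $t in ??[sStT]) special=$((special + weight)) ;; esac
        digits=$digits$d
    done
    if [ "$special" -eq 0 ]; then
        echo "$digits"
    else
        echo "$special$digits"
    fi
}

# Mode strings taken from the listings and the 750 example on this page.
for m in -rw-rw-r-- drwxrwxr-x -rwxr-x---; do
    printf '%s  %s\n' "$m" "$(mode_to_octal "$m")"
done
```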

There are some additional abbreviations that can be used with commands that manipulate permissions. These abbreviations are:

  • u: user owner’s permissions
  • g: group’s permissions
  • o: other’s permissions

These abbreviations can also be used to change permissions on files. As we will see later, they will allow you to manipulate one level of the permissions (perhaps just the permissions granted to group) without changing the others.

Of course just being able to read these permissions isn’t enough… we want to be able to manipulate them. Stay tuned for more on that in the near future.
