Linux file security is quite simplistic in design, yet quite effective in controlling access to files and directories.
Directories and the files which are stored in them are arranged in a hierarchical tree structure. Access can be controlled for both the files and the directories allowing a very flexible level of access.
File Security Model
In Linux, every file and every directory are owned by a single user on that system. Each file and directory also has a security group associated with it that has access rights to the file or directory. If a user is not the directory or file owner nor assigned to the security group for the file, that user is classified as other and may still have certain rights to access the file.
Each of the three file access categories, owner, group, and other, has a set of three access permissions associated with it. The access permissions are read, write, and execute.
A user may belong to more than one group. Regardless of how many groups a user belongs to, if permissions are granted on a file or directory to any one of the user's groups, that user will have the granted level of access. You can check what groups a user belongs to with the groups command.
$ groups tclark
tclark : authors users
The groups command is called with one argument, the username you want to investigate. As you can see above, the output lists the username followed by all the groups that user belongs to. In this output tclark belongs to the groups authors and users.
From the information previously presented about file and directory commands, using the -l option with the ls command will display the file and directory permissions as well as the owner and group, as demonstrated below:
The ls -l command is the best way to view file and directory ownership and permissions. Now let's look at what each of these permissions does.
File permissions are represented by positions two through ten of the ls -l display. The nine character positions consist of three groups of three characters. Each three character group indicates read (r), write (w), and execute (x) permissions.
The three groups indicate permissions for the owner, group, and other users respectively.
In the example above, both the owner and the group have read (r) and write (w) permissions for the file, while other users have only read (r) permission.
The example below indicates read, write, and execute (rwx) permissions for the owner, read and execute (r-x) permissions for the group, and no permissions for other users (---).
The alphabetic permission indicators are commonly assigned numeric values according to the scheme shown in the table below:
| Indicator | Value | Meaning |
|---|---|---|
| - | 0 | No permission granted |
| x | 1 | Execute permission granted |
| w | 2 | Write permission granted |
| r | 4 | Read permission granted |
Then, each three character permission group can be assigned a number from zero to seven, calculated by adding together the three individual numeric permissions granted. For example, if the owner has read, write, and execute permissions, the owner's permissions can be represented by the single digit 7 (4+2+1). If the group has read and execute permissions, that can be represented by the single digit 5 (4+0+1). If other users have no permissions, that can be represented by the single digit 0 (0+0+0). These three numbers are then listed in the order owner, group, other, in this case 750, as a way to definitively describe the permissions on this file.
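As an added example (not from the original article), the POSIX shell script below turns the nine-character permission string from an ls -l listing into the three-digit numeric form described above, and applies the owner, group, other rule from the File Security Model section to decide which triad actually governs a given user. The file owner and group values passed in the usage lines are constructed; the user tclark and the groups authors and users come from the groups output shown earlier.

```shell
#!/bin/sh
# perm_to_octal RWXSTRING
# Convert a nine-character permission string (positions 2-10 of ls -l)
# into its numeric form, e.g. rwxr-x--- -> 750, using r=4, w=2, x=1.
perm_to_octal() {
    perms=$1
    [ "${#perms}" -eq 9 ] || { echo "expected 9 permission characters" >&2; return 1; }
    result=""
    for start in 1 4 7; do
        # Take one three-character group: owner, then group, then other.
        triad=$(printf '%s' "$perms" | cut -c"$start-$((start + 2))")
        digit=0
        case $triad in r??) digit=$((digit + 4));; esac
        case $triad in ?w?) digit=$((digit + 2));; esac
        case $triad in ??x) digit=$((digit + 1));; esac
        result="$result$digit"
    done
    printf '%s\n' "$result"
}

# effective_perms FILE_OWNER FILE_GROUP RWXSTRING USER [GROUP...]
# Print the triad that applies to USER. Exactly one category applies:
# the owner check is made first, then membership in the file's group,
# and only a user matching neither falls into "other".
effective_perms() {
    f_owner=$1; f_group=$2; mode=$3; user=$4; shift 4
    if [ "$user" = "$f_owner" ]; then
        printf '%s\n' "$mode" | cut -c1-3
        return 0
    fi
    for g in "$@"; do
        if [ "$g" = "$f_group" ]; then
            printf '%s\n' "$mode" | cut -c4-6
            return 0
        fi
    done
    printf '%s\n' "$mode" | cut -c7-9
}

# Usage with constructed file ownership and the groups output for tclark:
echo "rwxr-x--- is mode $(perm_to_octal rwxr-x---)"                        # 750
echo "rw-rw-r-- is mode $(perm_to_octal rw-rw-r--)"                        # 664
echo "tclark on a file owned by tclark:authors -> $(effective_perms tclark authors rwxr-x--- tclark authors users)"
echo "tclark on a file owned by root:authors   -> $(effective_perms root authors rwxr-x--- tclark authors users)"
echo "tclark on a file owned by root:wheel     -> $(effective_perms root wheel rwxr-x--- tclark authors users)"
```

Note that the owner category wins even when the group triad would grant more: the categories are selected in order, not merged.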
There are some additional abbreviations that can be used with commands that manipulate permissions. These abbreviations are:
- u: user (owner's) permissions
- g: group's permissions
- o: other's permissions
These abbreviations can also be used to change permissions on files. As we will see later, they will allow you to manipulate one level of the permissions (perhaps just the permissions granted to group) without changing the others.
Of course just being able to read these permissions isn’t enough… we want to be able to manipulate them. Stay tuned for more on that in the near future.