
1. Overview

The Linux operating system is a multi-user operating system. It has a security system in place that controls which users and groups have access to the files and directories in the system.

In this short tutorial, we're going to have a look at two tools for enabling users to access files: chown and chmod.

The commands used in this tutorial were tested in bash, but should work in other POSIX-compliant shells as well.

2. Security Concepts

In Linux, users can belong to one or more groups. Also, both users and groups can be the owners of files and directories. As well as details of ownership, each file has metadata about its access permissions.

chown and chmod are the tools we use to manipulate ownership and access permissions of files and directories.

3. Ownership and Access Rights

As mentioned earlier, the file metadata contains information about the user and group that owns the file. Also, it contains information about who is allowed to read, write and execute it.

We can list this information by using ls:

$ ls -l
total 20
-rw-rw-r--. 1 bob bob 16433 Oct  7 18:06 document.docx

Two pieces of information are of particular interest to us:

bob bob

From left to right, this means that the file document.docx is owned by user bob and its owning group is also called bob. This is possible because, by default, Linux creates a private group for each user with the user's name.

Next there's:

-rw-rw-r--

These are the access permissions. The first character describes the file type. The remaining characters come in three groups of three characters, respectively describing the access rights of the owner, the owning group and then everyone else.

In each group, the first character is for read access (r), followed by write access (w) and the right to execute (x). A dash means that the permission is turned off.

Therefore, full permissions for everyone on the system would look like:

-rwxrwxrwx

In Linux, files and directories are treated similarly. The main difference between the access rights of files and directories is that the x permission on a file grants permission to execute it, whereas on a directory it grants permission to enter it.

4. Transferring Ownership with chown

Files can be transferred between users with chown. The name chown is an abbreviation for “change owner”.

We can change the owner of document.docx by calling:

chown alice document.docx

The document is now owned by Alice:

$ ls -l
total 20
-rw-rw-r--. 1 alice bob 16433 Oct 7 18:06 document.docx

The owning group of the document is still bob. We only told chown to change the owner, not the group. As a result, by means of group membership, both Alice and Bob now have read and write access to this document.

To change the group to alice, we could do one of three things.

We can change the owner and group to alice:

chown alice:alice document.docx

Because we want to change the owning group to the default group of the user, we could omit the group:

chown alice: document.docx

Or alternatively, as we only want to change the owning group, we could call:

chown :alice document.docx

And then, the result will be:

$ ls -l
total 20
-rw-rw-r--. 1 alice alice 16433 Oct  7 18:06 document.docx

In Linux, as a regular user, it's not possible to give away the ownership of our files to someone else. We either have to be running as root, or have privileges to run chown through sudo:

sudo chown alice:alice document.docx

5. Changing Access Permissions with chmod

File access permissions can be modified via the chmod command. The name chmod is short for “change mode”.

We can use two ways of calling chmod, symbolic or octal notation.

5.1. Symbolic Notation

In symbolic notation, we provide chmod with a comma-separated string using references for user (u), group (g) and others (o).

Let's remember the access permissions of document.docx: -rw-rw-r--

We can set these same permissions with the symbolic notation:

chmod u=rw,g=rw,o=r document.docx

It's also possible to add permissions incrementally. For example, we can add write permissions for others:

chmod o+w document.docx

Or similarly, we can take away write access for the group by calling:

chmod g-w document.docx

We should note that incremental changes only operate on the group and flag specified, leaving the other access permissions as they were.

We can combine references to set permissions all at once. To make the document read-only for group and others, we can use:

chmod go=r document.docx

There is even a shorthand reference, a, that sets permissions for all three references at once. For example, we can make our document read-only for every user and group with:

chmod a=r document.docx

5.2. Octal Notation

A widely used and often shorter way of calling chmod is the octal notation. This uses three digits, one per reference, which can represent every combination of access rights.

The following table shows the equivalent octal and symbolic notations:

r/w/x | binary | octal
 ---  |  000   |   0
 --x  |  001   |   1
 -w-  |  010   |   2
 -wx  |  011   |   3
 r--  |  100   |   4
 r-x  |  101   |   5
 rw-  |  110   |   6
 rwx  |  111   |   7

Each combination of access permissions can be written as a three-bit binary number, with 1 and 0 meaning the permission is turned on or off. These binary numbers correspond to the digits 0 to 7, the eight digits that make up the octal numeral system.

Using the symbolic notation of the previous section, the equivalent of:

chmod u=rwx,g=rx,o= document.docx

in octal notation is:

chmod 750 document.docx

We should also note that octal notation always sets all nine permission bits at once, so unlike the symbolic + and - operators, it cannot add or remove permissions incrementally.
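To make the equivalence between the ls mode string, the octal form of section 5.2 and the symbolic form of section 5.1 concrete, here is an added example (not from the original article) in POSIX sh that converts between the three and verifies a chmod call by reading the mode back from ls. The helper names are this example's own; setuid, setgid and sticky bits are out of scope.

```sh
#!/bin/sh
# Added example: convert ls mode strings <-> octal <-> symbolic chmod specs.
# Only the nine r/w/x bits are handled; special bits (s/t) are not.

triad_to_digit() {
    # One rwx triad (e.g. "r-x") -> one octal digit: r=4, w=2, x=1
    d=0
    case "$1" in r??) d=$((d + 4)) ;; esac
    case "$1" in ?w?) d=$((d + 2)) ;; esac
    case "$1" in ??x) d=$((d + 1)) ;; esac
    printf '%s' "$d"
}

digit_to_triad() {
    # One octal digit -> the letters a symbolic spec needs ("rx" for 5, "" for 0)
    case "$1" in
        0) : ;;            1) printf 'x' ;;   2) printf 'w' ;;   3) printf 'wx' ;;
        4) printf 'r' ;;   5) printf 'rx' ;;  6) printf 'rw' ;;  7) printf 'rwx' ;;
        *) return 1 ;;
    esac
}

mode_to_octal() {
    # "-rw-rw-r--" (with file-type char, as ls -l prints) or "rw-rw-r--" -> "664"
    m=$1
    [ ${#m} -eq 10 ] && m=${m#?}          # drop the leading file-type character
    rest=${m#???}
    printf '%s%s%s' "$(triad_to_digit "${m%??????}")" \
                    "$(triad_to_digit "${rest%???}")" \
                    "$(triad_to_digit "${rest#???}")"
}

octal_to_symbolic() {
    # "750" -> "u=rwx,g=rx,o=" (the exact form used in section 5.2)
    o=$1
    [ ${#o} -eq 3 ] || return 1
    rest=${o#?}
    printf 'u=%s,g=%s,o=%s' "$(digit_to_triad "${o%??}")" \
                            "$(digit_to_triad "${rest%?}")" \
                            "$(digit_to_triad "${rest#?}")"
}

apply_and_read() {
    # chmod spec $2 onto file $1, then read the mode back via ls and report it
    # in octal, so a symbolic and an octal spec can be checked for equivalence
    chmod "$2" "$1" || return 1
    mode_to_octal "$(ls -ld "$1" | cut -c1-10)"
}
```

Running apply_and_read on a scratch file with u=rwx,g=rx,o= and then with 750 reports 750 both times, which is the equivalence the section states.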

6. Common Examples

Finally, let's look at some common examples and what they do.

6.1. Recursively Change Ownership of a Directory

chown -R alice:alice /path/to/directory

In this example, the -R switch makes chown recursive.

6.2. Share a Directory with Others

chmod u=rwx,go=rx /path/to/directory

or

chmod 755 /path/to/directory

6.3. Protect an SSH Private Key

chmod u=rw,og= ~/.ssh/id_rsa

or

chmod 600 ~/.ssh/id_rsa

We should note that SSH clients on Linux will typically refuse to use a private key in the .ssh folder that is readable by group or others, so a key without the correct permissions will not grant SSH access until they are corrected.
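The following added example (not from the original article) turns the section 6.3 rule into a check: a POSIX sh audit that flags any private key file whose group or others triads are not fully off, which is the condition the 600 mode satisfies. The helper names are this example's own, and the demo runs on constructed temporary files rather than a real ~/.ssh/id_rsa.

```sh
#!/bin/sh
# Added example: audit private key files for owner-only permissions.

key_perms_ok() {
    # Returns 0 when group and others have no r/w/x bits at all, 1 otherwise,
    # 2 if the path is not a regular file. Reads columns 5-10 of `ls -ld`
    # (the group and others triads), which works with both GNU and BSD ls.
    # Special bits (s/t) are not considered here.
    [ -f "$1" ] || return 2
    go=$(ls -ld "$1" | cut -c5-10)
    [ "$go" = "------" ]
}

audit_keys() {
    # Audits every argument, prints one line per file and returns the number
    # of files that failed, so it can be used from a cron job or a CI check.
    bad=0
    for k in "$@"; do
        if key_perms_ok "$k"; then
            printf 'OK       %s\n' "$k"
        else
            printf 'TOO OPEN %s (fix: chmod 600 %s)\n' "$k" "$k"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Demo on constructed temporary files (not real key material)
d=$(mktemp -d)
printf 'constructed key material\n' > "$d/good_key"; chmod 600 "$d/good_key"
printf 'constructed key material\n' > "$d/bad_key";  chmod 644 "$d/bad_key"
n=0
audit_keys "$d/good_key" "$d/bad_key" || n=$?
printf 'files needing attention: %s\n' "$n"
rm -rf "$d"
```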

6.4. Make a Script Executable

chmod +x script.sh

7. Conclusion

In this article, we looked at how to leverage chown and chmod to manage access to our files and folders.

We saw how the permission model works, connecting owning users and groups with the access control flags on each file and directory.

We should note that it is good practice to be as restrictive about access permissions as possible. Incorrectly configured groups and permissions are a security risk to our private information.
