1. Overview
Linux is a multi-user operating system. It has a security model that controls which users and groups have access to the files and directories on the system.
In this tutorial, we'll look at the two commands used to manage that access: chown and chmod.
The commands used in this tutorial were tested in bash, but should work in other POSIX-compliant shells as well.
2. Security Concepts
In Linux, users can belong to one or more groups. Also, both users and groups can be the owners of files and directories. As well as details of ownership, each file has metadata about its access permissions.
3. Ownership and Access Rights
As mentioned earlier, the file metadata contains information about the user and group that owns the file. Also, it contains information about who is allowed to read, write and execute it.
We can list this information by using ls:
$ ls -l
total 20
-rw-rw-r--. 1 bob bob 16433 Oct  7 18:06 document.docx
Two pieces of this output are of particular interest to us:
bob bob: from left to right, this means that the file document.docx is owned by user bob and its owning group is also called bob. This is possible because, by default, Linux creates a private group for each user with the user's name.
-rw-rw-r--.: these are the access permissions. The first character describes the file type: - for a regular file, d for a directory, l for a symbolic link. The remaining nine characters come in three groups of three, respectively describing the access rights of the owner, the owning group and then everyone else. The trailing dot that ls prints here isn't a permission; it indicates that the file carries an SELinux security context (a + in that position would mean the file has an ACL with extra entries).
In each group, the first character is for read access (r), followed by write access (w) and the right to execute (x). A dash means that the permission is turned off.
Therefore, full permissions for everyone on the system would look like:
-rwxrwxrwx
In Linux, files and directories use the same permission bits, but some of them mean something different on a directory. On a file, x grants permission to execute it. On a directory, r grants permission to list its entries, w grants permission to create, rename or delete entries (deleting a file is governed by w on the directory, not by w on the file itself), and x grants permission to enter it and to access entries by name. A directory with x but without r can therefore be used by someone who already knows a file name, but it can't be listed.
4. Transferring Ownership with chown
Files can be transferred between users with chown. The name chown is an abbreviation for “change owner”.
We can change the owner of document.docx by calling:
chown alice document.docx
The document is now owned by Alice:
$ ls -l
total 20
-rw-rw-r--. 1 alice bob 16433 Oct  7 18:06 document.docx
The owning group of the document is still bob, because we only told chown to change the owner, not the group. As a result, Alice now has read and write access as the owner, and Bob keeps read and write access through his membership of group bob.
To change the group to alice, we could do one of three things.
We can change the owner and group to alice:
chown alice:alice document.docx
Because we want to change the owning group to the default (login) group of the user, we can leave out the group name after the colon and chown looks it up for us:
chown alice: document.docx
Or alternatively, as we only want to change the owning group, we could call:
chown :alice document.docx
And then, the result will be:
$ ls -l
total 20
-rw-rw-r--. 1 alice alice 16433 Oct  7 18:06 document.docx
In Linux, a regular user can't give away ownership of their files to someone else: only root (more precisely, a process with the CAP_CHOWN capability) can change a file's owner. A regular user can, however, change the group of a file they own to any group they are a member of. To transfer ownership, we either have to be running as root, or have privileges to run chown through sudo:
sudo chown alice:alice document.docx
5. Changing Access Permissions with chmod
File access permissions can be modified via the chmod command. The name chmod is short for “change mode”.
We can use two ways of calling chmod, symbolic or octal notation.
5.1. Symbolic Notation
In symbolic notation, we provide chmod with a comma-separated list of clauses. Each clause names a reference, user (u), group (g) or others (o), an operator, = to set exactly, + to add or - to remove, and the permissions to apply.
Let's remember the access permissions of document.docx: -rw-rw-r--
We can set these same permissions with the symbolic notation:
chmod u=rw,g=rw,o=r document.docx
It’s also possible to add permissions incrementally. For example, we can add write permissions for others:
chmod o+w document.docx
Or similarly, we can take away write access for the group by calling:
chmod g-w document.docx
We should note that incremental changes (+ and -) only touch the reference and the permission bits we name, leaving all other access permissions as they were, whereas = replaces the whole set of permissions for that reference.
We can combine references to set permissions all at once. To make the document read-only for group and others, we can use:
chmod go=r document.docx
There's also a shorthand reference, a, which stands for all three of u, g and o. For example, we can make our document read-only for every user and group with:
chmod a=r document.docx
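To see the difference between = (absolute) and +/- (incremental) rather than take it on trust, the following script applies the chmod calls from this section, in order, to a scratch file and records the mode after each one. This is an added example, not code from the original tutorial; it assumes GNU coreutils (stat -c, mktemp -d), and the file it works on is created in a temporary directory.

```shell
#!/bin/sh
# Added example: replay the symbolic chmod calls from section 5.1 on a
# scratch file and show the resulting mode after each step.
# Assumes GNU coreutils (stat -c '%a' prints the mode as octal digits).

# Print the permission bits of a file as octal digits, e.g. 664.
mode_of() {
    stat -c '%a' "$1"
}

# Apply the section's sequence and print the five resulting modes,
# space-separated, in order.
symbolic_demo() {
    tmpdir=$(mktemp -d)
    f="$tmpdir/document.docx"
    : > "$f"

    chmod u=rw,g=rw,o=r "$f"; m1=$(mode_of "$f")   # 664: "=" sets every reference exactly
    chmod o+w "$f";           m2=$(mode_of "$f")   # 666: others gain w, nothing else changes
    chmod g-w "$f";           m3=$(mode_of "$f")   # 646: group loses w only
    chmod go=r "$f";          m4=$(mode_of "$f")   # 644: group and others set to exactly r
    chmod a=r "$f";           m5=$(mode_of "$f")   # 444: every reference set to exactly r

    rm -rf "$tmpdir"
    printf '%s %s %s %s %s\n' "$m1" "$m2" "$m3" "$m4" "$m5"
}

symbolic_demo    # 664 666 646 644 444
```

Note that the owner's rw- survives every step until the final a=r, because none of the earlier clauses name u: that is the property that makes incremental changes safe to script.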
5.2. Octal Notation
A widely used, often shorter, form of calling chmod is the octal notation. Here the mode is written as three octal digits, one each for the owner, the group and others, and each digit encodes one of the eight possible combinations of r, w and x. (A fourth, leading digit exists for the setuid, setgid and sticky bits, which are outside the scope of this article.)
The following table shows the equivalent octal and symbolic notations:
r/w/x | binary | octal
--- | 000 | 0
--x | 001 | 1
-w- | 010 | 2
-wx | 011 | 3
r-- | 100 | 4
r-x | 101 | 5
rw- | 110 | 6
rwx | 111 | 7
Each possible combination of access permissions can be written as a binary number, with 1 and 0 meaning the permission is turned on or off. These binary numbers represent digits 0 to 7, the 8 digits that make up the octal numeral system.
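The table above is exactly the conversion a practitioner does in their head when reading ls -l output (section 3) or choosing an octal argument for chmod. The script below does it mechanically in both directions. It is an added example, not code from the original tutorial, and it goes slightly beyond the table: it accepts the full permission field as ls -l prints it, including the leading file-type character and the trailing "." (SELinux) or "+" (ACL) marker, and it handles the setuid, setgid and sticky bits (shown as s and t in the execute position, and as a fourth leading octal digit), which the article otherwise doesn't cover. It uses POSIX sh only.

```shell
#!/bin/sh
# Added example: convert between symbolic mode strings (as printed by ls -l)
# and chmod's octal notation, in both directions. POSIX sh, no external tools.

# One rwx triple -> one octal digit (r=4, w=2, x=1).
# An s or t in the x position also means the execute bit is set.
triple_to_digit() {
    d=0
    case $1 in r??)     d=$((d + 4)) ;; esac
    case $1 in ?w?)     d=$((d + 2)) ;; esac
    case $1 in ??[xst]) d=$((d + 1)) ;; esac
    printf '%s' "$d"
}

# One octal digit -> one rwx triple (the table from section 5.2).
digit_to_triple() {
    case $1 in
        0) printf '%s' '---' ;;  1) printf '%s' '--x' ;;
        2) printf '%s' '-w-' ;;  3) printf '%s' '-wx' ;;
        4) printf '%s' 'r--' ;;  5) printf '%s' 'r-x' ;;
        6) printf '%s' 'rw-' ;;  7) printf '%s' 'rwx' ;;
        *) return 1 ;;
    esac
}

# Symbolic -> octal. Accepts "rwxr-x---" or the complete ls -l field such as
# "-rw-rw-r--." Prints a leading fourth digit when setuid/setgid/sticky are set.
sym_to_octal() {
    s=$1
    case $s in *[.+]) s=${s%?} ;; esac        # drop ls's SELinux/ACL marker
    case ${#s} in
        10) s=${s#?} ;;                         # drop the file-type character
        9)  ;;
        *)  printf 'bad mode string: %s\n' "$1" >&2; return 1 ;;
    esac
    u=${s%??????}; o=${s#??????}; g=${s#???}; g=${g%???}
    special=0
    case $u in ??[sS]) special=$((special + 4)) ;; esac   # setuid
    case $g in ??[sS]) special=$((special + 2)) ;; esac   # setgid
    case $o in ??[tT]) special=$((special + 1)) ;; esac   # sticky
    if [ "$special" -ne 0 ]; then printf '%s' "$special"; fi
    printf '%s%s%s\n' "$(triple_to_digit "$u")" "$(triple_to_digit "$g")" "$(triple_to_digit "$o")"
}

# Replace the x position of a triple with s or t (S or T when x is not set).
mark_special() {
    case $1 in
        ??x) printf '%s%s' "${1%?}" "$2" ;;
        *)   case $2 in s) printf '%sS' "${1%?}" ;; t) printf '%sT' "${1%?}" ;; esac ;;
    esac
}

# Octal -> symbolic. Accepts three digits, or four with the special bits first.
octal_to_sym() {
    m=$1
    special=0
    case $m in
        [0-7][0-7][0-7][0-7]) special=${m%???}; m=${m#?} ;;
        [0-7][0-7][0-7]) ;;
        *) printf 'bad octal mode: %s\n' "$1" >&2; return 1 ;;
    esac
    u=$(digit_to_triple "${m%??}")
    mid=${m%?}; g=$(digit_to_triple "${mid#?}")
    o=$(digit_to_triple "${m#??}")
    if [ $((special & 4)) -ne 0 ]; then u=$(mark_special "$u" s); fi
    if [ $((special & 2)) -ne 0 ]; then g=$(mark_special "$g" s); fi
    if [ $((special & 1)) -ne 0 ]; then o=$(mark_special "$o" t); fi
    printf '%s%s%s\n' "$u" "$g" "$o"
}

sym_to_octal '-rw-rw-r--.'   # 664, the document.docx line from section 3
sym_to_octal 'rwsr-xr-x'     # 4755, a setuid binary
octal_to_sym 750             # rwxr-x---
```

When auditing a system, the setuid case is the one to watch: a leading 4 or 2 in the octal mode (an s in the ls output) means the program runs with the owner's or group's privileges, so an overly generous w bit on such a file is far more serious than on an ordinary document.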
For example, the equivalent of:
chmod u=rwx,g=rx,o= document.docx
in octal notation is:
chmod 750 document.docx
since rwx is 7, r-x is 5 and no permissions at all is 0.
We should also note that in octal notation, it's not possible to add permissions incrementally: every call replaces all nine permission bits. Running chmod 750 on a file that was 664, for instance, takes read access away from others and write access away from the group at the same time as it adds the execute bits.
6. Common Examples
Finally, let’s look at some common examples and what they do.
6.1. Recursively Change Ownership of a Directory
chown -R alice:alice /path/to/directory
In this example, the -R switch makes chown recursive. By default, chown -R doesn't follow symbolic links it finds inside the tree unless we also pass -L (or -H for links named on the command line). That default matters when other users can create entries in the directory: following a link planted there would change the ownership of files outside it.
6.2. Share a Directory with Others
chmod u=rwx,go=rx /path/to/directory
chmod 755 /path/to/directory
Either form lets every user on the system enter and list the directory, while only the owner can create, rename or delete entries in it. Whether other users can read the files inside still depends on each file's own permissions.
6.3. Protect a SSH Private Key
chmod u=rw,og= ~/.ssh/id_rsa
chmod 600 ~/.ssh/id_rsa
We should note that OpenSSH enforces this. The ssh client refuses to load a private key that is readable by group or others and warns that the key file is unprotected. On the server side, sshd with StrictModes (the default) ignores authorized_keys if that file, the .ssh directory or the home directory is writable by group or others, or is owned by a different user.
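The following script reproduces both OpenSSH checks against a constructed ~/.ssh tree in a temporary directory, so the effect of a wrong chmod can be seen without touching a real key. It is an added example, not code from the original tutorial or from OpenSSH itself; it assumes GNU coreutils (stat -c, mktemp -d), and the key and authorized_keys files it creates are empty placeholders.

```shell
#!/bin/sh
# Added example: the two permission checks OpenSSH applies, expressed in sh,
# run against a constructed home directory. Assumes GNU coreutils.

# Client side: ssh refuses a private key whose mode has any group or other
# bits set (mode & 077 != 0). In octal terms the last two digits must be 00.
private_key_ok() {
    case $(stat -c '%a' "$1") in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Server side (StrictModes yes): the home directory, ~/.ssh and authorized_keys
# must each be owned by the user or by root, and must not be writable by group
# or others (mode & 022 == 0), i.e. the group and other digits are 0, 1, 4 or 5.
strict_modes_ok() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        owner=$(stat -c '%u' "$p") || return 1
        if [ "$owner" != "$(id -u)" ] && [ "$owner" != 0 ]; then return 1; fi
        case $(stat -c '%a' "$p") in
            *[0145][0145]) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Walk through two common mistakes on a constructed tree and report the verdicts.
ssh_perms_demo() {
    home=$(mktemp -d)
    mkdir "$home/.ssh"
    : > "$home/.ssh/id_rsa"
    : > "$home/.ssh/authorized_keys"
    chmod 755 "$home"; chmod 700 "$home/.ssh"; chmod 644 "$home/.ssh/authorized_keys"

    chmod 644 "$home/.ssh/id_rsa"                    # key copied over with a plain cp
    r1=$(private_key_ok "$home/.ssh/id_rsa" && echo ok || echo too-open)
    chmod 600 "$home/.ssh/id_rsa"                    # the fix from this section
    r2=$(private_key_ok "$home/.ssh/id_rsa" && echo ok || echo too-open)

    chmod 775 "$home/.ssh"                           # group-writable ~/.ssh: sshd ignores authorized_keys
    r3=$(strict_modes_ok "$home" && echo ok || echo rejected)
    chmod 700 "$home/.ssh"
    r4=$(strict_modes_ok "$home" && echo ok || echo rejected)

    rm -rf "$home"
    printf '%s %s %s %s\n' "$r1" "$r2" "$r3" "$r4"
}

ssh_perms_demo    # too-open ok rejected ok
```

The second failure is the one that catches people who only ever chmod the key: a group-writable home or .ssh directory silently disables public-key login, and the reason is only visible in the sshd log, not in the client's error message.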
6.4. Make a Script Executable
chmod +x script.sh
Without a reference, chmod applies the change to user, group and others, but bits that are set in the current umask are left alone. With the usual umask of 022, +x adds execute for everyone; with a umask of 077, only the owner gets it. To be explicit about who should be able to run the script, we can write chmod u+x script.sh.
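Because the result of a bare +x depends on the umask, it's worth seeing it rather than guessing. The script below is an added example, not code from the original tutorial; it creates a scratch script in a temporary directory, applies chmod +x under two different umasks plus the explicit u+x, and reads the resulting modes back. It assumes GNU coreutils (stat -c, mktemp -d) and never executes the scratch script.

```shell
#!/bin/sh
# Added example: how "chmod +x" with no reference interacts with the umask.
# Assumes GNU coreutils. The scratch script is created but never run.
exec_bit_demo() {
    tmpdir=$(mktemp -d)
    s="$tmpdir/script.sh"
    printf '#!/bin/sh\necho hello\n' > "$s"

    chmod 644 "$s"
    (umask 022; chmod +x "$s"); m1=$(stat -c '%a' "$s")   # 755: x added for u, g and o
    chmod 644 "$s"
    (umask 077; chmod +x "$s"); m2=$(stat -c '%a' "$s")   # 744: g and o x bits are in the umask, so untouched
    chmod 644 "$s"
    chmod u+x "$s";             m3=$(stat -c '%a' "$s")   # 744: explicit reference, umask not consulted

    rm -rf "$tmpdir"
    printf '%s %s %s\n' "$m1" "$m2" "$m3"
}

exec_bit_demo    # 755 744 744
```

The umask is applied in subshells so the demo doesn't change the calling shell's setting.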
7. Conclusion
In this article, we looked at how to use chown and chmod to manage access to our files and directories.
We saw how the permission model works, connecting owning users and groups with the access control bits on each file and directory.
We should note that it's good practice to keep access permissions as restrictive as the task allows. Incorrectly configured groups and permissions expose our private data, and world-readable or world-writable files are among the first things an attacker with a foothold on a system looks for.