Managing File Permissions

To see which permissions have been set on a file, use the ls command with the -l option.

>ls -l

So what does all that mean? All of the lines start with a string like -rw-rw-r-- or drwxrwxr-x. Let's break this down. The first character can be either - or d: - denotes a file and d a directory.

The remaining characters are split into three groups of three characters. The first group denotes the permissions assigned to the user, or owner, of the file. The next three are the permissions assigned to the group of the file, and the last three are the permissions assigned to others.

The characters follow a simple scheme.

  • r = read
  • w = write
  • x = execute
  • - = no permission assigned

In the diagram above the user who created the file has read and write permissions but does not have execute permissions. The same permissions apply to the group. All other users only have read permissions.

Note that the x (execute) permission shown on the directory in the screenshot above means that the folder can be accessed by the user or group it is applied to.

Changing File Permissions

A useful command for managing file permissions is chmod, which can be used in two ways: absolute mode or symbolic mode. Absolute mode uses numerals to define permissions, whilst symbolic mode defines the permissions using letters.

Absolute Permissions

Absolute   Permission Type          Symbolic
0          No Permission            ---
3          Execute + Write          -wx
5          Read + Execute           r-x
6          Read + Write             rw-
7          Read + Write + Execute   rwx

For example, to use absolute mode to set the permissions of a file to read+write+execute for the user, read+write for the group and read for others, you would run the command:

>chmod 764 file1.txt

Symbolic Permissions

Operator   Description
+          Adds a permission to a file or directory
-          Removes the permission
=          Sets the permission and overrides the permissions set earlier

Achieving the same permissions via symbolic commands as we did above, with u, g and o selecting the user, the group and others, looks like this:

>sudo chmod u=rwx,g=rw,o=r file1.txt

Changing File Ownership

If you want to change who has access to a file, use the chown command, which changes the file's owner and group. For example, to change the user and group with access to a file:

>sudo chown user:group file

As an example:
>sudo chown fbloggs:testgrp file1.txt

Now file1.txt is owned by the fbloggs account and the testgrp group, so it can be accessed by fbloggs or members of testgrp, as far as the file's permission bits allow.

Setting ACLs for Additional Users and Groups

All this is a bit limiting though: one user and one group per file does not allow for much flexibility. The good news is that there is a way around this using Access Control Lists (ACLs).

To see whether an ACL is set, run the ls command:

>ls -l

If you see a + at the end of the permission string then an ACL has been applied, as is shown on fu.txt in the image below.

To see the ACL use the getfacl command.

>getfacl fu.txt

In this case both the file owner ffugazi and another user and group fbloggs have access to the file.

To set an ACL on a file run setfacl.

To add an additional user or modify an existing user:
>setfacl -m u:username:rwx ./fu.txt
To add an additional group or modify an existing group:
>setfacl -m g:group:rwx ./fu.txt

To remove all permissions for a user:
>setfacl -x u:username ./fu.txt
To remove all permissions for a group:
>setfacl -x g:group ./fu.txt

Setfacl and getfacl can both be used on directories too. In the case of directories, a d is prepended to the permissions.

The Sticky Bit

One other extended permission that is worth mentioning is the sticky bit. Say for example you have a shared directory that all users of a system can access and edit. What is to stop a user from accidentally deleting files that were created by another user? Enter the sticky bit. This is a flag on a file or directory which lets only the owner of the file or the root user delete the file. How do we set this?

>sudo chmod +t fudir
>sudo chmod +t fu.txt

To remove a sticky bit use the -t option.

>chmod -t fu.txt
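
The mode strings, absolute values, ACL marker and sticky bit described above can be checked mechanically when reviewing a listing. The shell functions below are an added example, not part of the original article: they convert an ls -l mode string to chmod's absolute form and flag entries with an ACL and directories that others can write to without the sticky bit. The function names and sample entries are constructed for illustration, and the setuid/setgid handling goes beyond what this page covers.

```shell
# Added example (not from the original article): decode `ls -l` mode strings.
# triplet_value "rw-" -> 6 (s/t: execute set; S/T: execute not set)
triplet_value() (
    v=0
    case $1 in r??) v=$((v + 4)) ;; esac
    case $1 in ?w?) v=$((v + 2)) ;; esac
    case $1 in ??[xst]) v=$((v + 1)) ;; esac
    echo "$v"
)

# mode_to_octal "-rwxrw-r--" -> 0764; a trailing + . or @ marker is accepted
mode_to_octal() (
    case $1 in
        [-dlbcps][-r][-w][-xsS][-r][-w][-xsS][-r][-w][-xtT]) ;;
        [-dlbcps][-r][-w][-xsS][-r][-w][-xsS][-r][-w][-xtT][+.@]) ;;
        *) echo "invalid mode string: $1" >&2; exit 1 ;;
    esac
    u=$(printf '%s' "$1" | cut -c2-4)
    g=$(printf '%s' "$1" | cut -c5-7)
    o=$(printf '%s' "$1" | cut -c8-10)
    special=0
    case $u in ??[sS]) special=$((special + 4)) ;; esac   # setuid
    case $g in ??[sS]) special=$((special + 2)) ;; esac   # setgid
    case $o in ??[tT]) special=$((special + 1)) ;; esac   # sticky bit
    echo "$special$(triplet_value "$u")$(triplet_value "$g")$(triplet_value "$o")"
)

# has_acl succeeds when ls appended + to the mode string (an ACL is set).
has_acl() {
    case $1 in ??????????+) return 0 ;; *) return 1 ;; esac
}
# describe_entry MODE NAME -> "NAME OCTAL [acl] [no-sticky]"
# no-sticky marks a directory that others can write to without the sticky bit.
describe_entry() (
    oct=$(mode_to_octal "$1") || exit 1
    out="$2 $oct"
    if has_acl "$1"; then out="$out acl"; fi
    case $1 in d???????w[-x]*) out="$out no-sticky" ;; esac
    echo "$out"
)

# Constructed sample entries, as `ls -l` would print the mode and name.
while read -r mode name; do
    describe_entry "$mode" "$name"
done <<'EOF'
-rwxrw-r-- file1.txt
-rw-rwxr--+ fu.txt
drwxrwxrwt fudir
drwxrwxrwx shared
EOF
```

When an ACL is present, the group triplet that ls prints is the ACL mask rather than the owning group's own entry, so use getfacl to read the full picture for those files.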