Posted: . At: 9:14 AM. This was 3 years ago. Post ID: 15057


Working with permissions on a Linux system.


When you list directories in long format (the -l switch), you’ll be presented with a long list of information. What does it all mean? The first column on the far left represents permissions. The first character is a marker to define what the object is. For example, ‘-’ for a file, ‘d’ for a directory, ‘l’ for a link, and so on. The next nine characters define access permissions.

By default, a standard Linux user account doesn’t have access to the entire system. Some directories and files are inaccessible, or even invisible, without the correct permissions. The root user, as the system administrator, is the only user who has full access to the entire system.

Permissions are broken down into three categories as seen in the table below. Every user on a system belongs to a group. A group is simply a method of relating users and makes it easier for system administrators to manage things such as permissions for an entire set of users at once. Any permissions set on a file for a group automatically apply to all users belonging to that group.

For each category, one or all of the access permissions can be toggled for both files and directories. The diagram (right) shows the type of permissions and categories displayed when you list a directory in long format.

If you’re wondering why you need to concern yourself with permissions, keep in mind that Linux is a secure multiuser platform designed to service many users. While you may not have a need to use these varied permissions yourself, you need to be aware of how they work. Later you’ll discover how some services can only be operated from the root account (to ensure that sensitive services are accessed only by those qualified to have access).

You can change permissions the new, trendy way using your favorite GUI file manager (just right-click on a file and check out the permissions), or the traditional way using the command line. Just because we have such a strong sense of adventure, we’ll show you how to do it the way real users do it.

You can change permissions (or modes) for an object on the command line using the chmod(1) command. The syntax is easy and is based on adding, removing, or directly setting specific permissions. Each permission category and value is represented as follows: [u]ser, [g]roup, [o]thers, [a]ll, [r]ead, [w]rite, e[x]ecute.

To add or remove permissions you can use the ‘+’ and ‘-’ switches to change the state of permissions. For example, to add executable permission to all categories of a file you would use the following command:

┌──[jason@192.168.1.2][~/Documents]
└──╼  ╼ $ chmod +x [file]

To remove write and executable permissions for the group and other users only, you would use:

┌──[jason@192.168.1.2][~/Documents]
└──╼  ╼ $ chmod go-wx [file]

It is important to note that adding or removing permissions this way will only modify the current permissions. For example, the above command would not remove writeable and executable permission from the owner if it were present. By contrast, setting specific permissions allows you to set permissions by category.

For example, to set the user (owner) and group categories on a file to have only executable permission, while leaving the permissions for other users alone, you would use:

┌──[jason@192.168.1.2][~/Documents]
└──╼  ╼ $ chmod ug=x [file]

To change permissions recursively for a directory (and thus all the files and directories within it) so that:

  • the owner has read, write and execute permission;
  • the group has read and execute permission;
  • other users don’t have any permission to access the object at all;

you would use the command:

┌──[jason@192.168.1.2][~/Documents]
└──╼  ╼ $ chmod -R u=rwx,g=rx,o= [directory]

It goes without saying that you can only change permissions of files and directories that you have permission to change. The root account can change permissions for any file or directory on the system.
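
The four chmod commands above, run against scratch files so the resulting octal modes can be compared (an added example, not part of the original post). It also goes slightly beyond the text in two places: a bare +x is filtered by the umask while a+x is not, and the capital X permission keeps a recursive change from marking plain files executable. The helper names mode_after and tree_after are made up for this example, and GNU stat (stat -c) is assumed.

```sh
#!/bin/sh
# Added example. Assumes GNU coreutils (stat -c '%a' prints the octal mode).

# mode_after START EXPR [UMASK]
# Create a scratch file with octal mode START, apply the symbolic chmod
# expression EXPR under UMASK (default 022), and print the resulting mode.
mode_after() {
    (
        umask "${3:-022}"
        f=$(mktemp) || exit 1
        chmod "$1" "$f"
        chmod "$2" "$f"
        stat -c '%a' "$f"
        rm -f "$f"
    )
}

# tree_after EXPR
# Build dir/sub/file (755, 755, 644), apply "chmod -R EXPR" to the top
# directory, and print the modes of dir, sub and file on one line.
tree_after() {
    (
        umask 022
        d=$(mktemp -d) || exit 1
        mkdir "$d/sub" && : > "$d/sub/file"
        chmod -R "$1" "$d"
        echo $(stat -c '%a' "$d" "$d/sub" "$d/sub/file")
        rm -rf "$d"
    )
}

echo "644  +x  (umask 022)  -> $(mode_after 644 +x)"
echo "644  +x  (umask 027)  -> $(mode_after 644 +x 027)"   # others masked out
echo "644  a+x (umask 027)  -> $(mode_after 644 a+x 027)"  # explicit 'a' ignores umask
echo "777  go-wx            -> $(mode_after 777 go-wx)"    # owner keeps w and x
echo "644  ug=x             -> $(mode_after 644 ug=x)"     # others left alone
echo "600  u=rwx,g=rx,o=    -> $(mode_after 600 u=rwx,g=rx,o=)"
echo "-R   u=rwx,g=rx,o=    -> $(tree_after u=rwx,g=rx,o=)"  # file becomes executable
echo "-R   u=rwX,g=rX,o=    -> $(tree_after u=rwX,g=rX,o=)"  # x only on directories
```
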

Red Hat and Mandrake use a system called User Private Groups, which is a way of ensuring that files created by each user are private by default. When a new user is created, a new group is created with the same name as the user, with that user as the only member. Sound confusing? If we added a new user called ‘pocketbooks’, for example, a group would also be created called ‘pocketbooks’. The only member of that group would be, you guessed it, ‘pocketbooks’.

In Linux, each user has a set of default permissions (known technically as a umask) for files they create. For Red Hat and Mandrake Linux, this umask is set to allow full access to the user and the user’s group, and no access to other users.

What has been covered in this section is enough for day-to-day tasks, but there is far more to permissions than there is space here to cover. The curious Linux user will delve deeper into permissions and show you how to change more than just the access permissions of files and directories. In the meantime, you can learn more with man chmod.

