Linux Command Line: Permissions
User Permissions id
Let's talk some history before we get into the technicalities..
A multi-user system
Before the advent of the personal computer, computer systems were centralized. For example, in a university, a computer would be located in one building on campus, while multiple users in other buildings accessed it via ssh (secure shell, just a way to login to another computer via the command line).
Since there were multiple users accessing this centralized computer at once, computer architects had to come up with a way to secure files and folders.
For example in the figure above, we needed a way for Professor Paul to read and edit students' grades files, while Bobby, Anna and Joe could only read their respective grade reports.
Thus, scientists came up with user permissions to manage the security threats of hosting a multi-user system.
Three groups for accessions
There are three groups in the Linux world in which permissions apply to.
- The creator of the file, who has control over the file's accessions.
- One or more users who are given access to the file/directories.
- World (all)
- Everyone else.
Using id to see who you are
To display the user and group names and numeric IDs of a calling process, use the
uid=501(JohnDoe) gid=20(staff) groups=20(staff)
When accounts are created, they are given a
uid (user ID), which is then mapped to a username.
The user can then be assigned a primary
gid (group ID).
Using who to see who is logged in
To display all current users logged in, use the
$ who JohnDoe console Aug 3 12:56 JohnDoe ttys000 Aug 30 21:17 JohnDoe ttys002 Sep 5 21:49 JohnDoe ttys003 Sep 6 19:35
To display just the terminal session where the commands are coming from, user:
JohnDoe ttys000 Aug 30 21:17
Last logged in users
The to check who was last logged in, use the
JohnDoe ttys000 Mon Apr 20 12:00 - 16:28 (2+04:27) JohnDoe ttys002 Mon Apr 20 11:27 - 11:48 (00:21) JohnDoe ttys001 Mon Apr 20 11:27 - 11:48 (00:21) JohnDoe ttys000 Mon Apr 20 11:27 - 11:48 (00:21) JohnDoe console Mon Apr 20 11:26 - 12:46 (94+01:19) reboot ~ Mon Apr 20 11:26 shutdown ~ Mon Apr 20 11:26 JohnDoe ttys002 Mon Apr 20 00:17 - 11:26 (11:08) JohnDoe ttys001 Sun Apr 19 23:09 - 11:26 (12:16) JohnDoe ttys000 Sun Apr 19 20:17 - 11:26 (15:08) JohnDoe ttys000 Sun Apr 19 09:32 - 19:25 (09:53)
Important files regarding permissions
There are two main files that store permission information on uid and gid.
The /etc/passwd is a file that contains information about every registered user on a system. It is a colon-separated file that contains the username, encrypted password, and user ID number.
The /etc/group text file defines which groups users belong to.
This file contains encrypted passwords and information about accounts and password reset dates. This information is held secure from normal users, and is only accessible by root.
This is a directory that contains the base files and directories moved into a new user's home folder upon creation.
File and Directory types and modes -d, rwx
Displaying a file's access attributes
To display a file's access attributes, use the
ls command with a
$ ls -l helloWorld.txt
-rwxr--r-- 1 JohnDoe staff Apr 01 10:45 helloWorld.txt
-rwxr--r-- are called the file attributes. They are made up of the file type, and file modes, as you can see in the figure below.
The first character represents the file type. Here are the options it can have.
- Just a regular file.
- A directory.
- A symbolic link.
- Note that the file modes for a symbolic link will always be
rwxrwxrwx, which are just dummy variables.
- A character device that handles data as a stream of bytes.
- eg. terminal/modem.
- A block special file.
- eg. hard drive, cd-rom.
- Named pipe.
- A socket that permits network and bidirectional links.
You'll mainly be dealing with
- (regular files) and
The next nine characters represent the file modes for owner, group and all, respectively.
Let's see what values these modes can hold.
Regular file access attributes
For a regular file, we have three simple attributes.
- Read (open and see contents of).
- Write (edit and saving).
- Execute (runnable).
Thus, if the owner, group, or all has any of these attributes listed in their file mode, that means they are permitted to perform that command.
For example, let's look at file1.txt.
$ ls -l file1.txt
-rwxr----- 1 JohnDoe staff Apr 01 20:40 file1.txt
From the file type we can tell that this is a regular file (
-) The file modes tell us that the user can read, write and execute (
rwx), group members can only read (
r--), and the world has no access to anything (
Directory file access attributes
To view the directory permission attributes, specify a
-d option - otherwise the shell will just list the files within that directory.
$ ls -dl dir1
drwxr-xr-x@ 6 JohnDoe JohnDoe 204 Mar 30 13:15 dir1
If the file is a directory (i.e. its first letter is
d), then its file attribute meanings are a little different.
- Contents can be listed.
- Directories can be created, deleted and renamed.
- Allows directory to be opened and entered.
w attributes to be valid, the
x attribute must also be set.
Changing Permissions chmod
To change the mode of a file or directory, we use the
Note that only the file's owner or the superuser is able to change the mode of a file.
There are two ways of using
chmod - by octal number or symbolic representation.
Chmodding by Octal
Octal values range from 0-7, rather than 0-9 in the more familiar decimal number system.
To see how chmodding works in octal, we must convert first to binary.
1 represents a boolean true value, while a
0 represents false, which is then applied to our
rwx pattern for permissions.
Now you can see how an octal value can be translated to all file permissions for either owner, group or all.
chmod, we pass in file mode in octal values for owner, group, in order, followed by the file we'd want to modify.
$ chmod 644 helloWorld.txt
Here, we would set the file accession of the owner to 6, or
rw-, and 4, or
r-- for both the group and others (all).
This would give us the new file attributes
As another example, the command below would change the helloWorld.txt accession to
-r---wxr--. Can you see why?
$ chmod 434 helloWorld.txt
Most common permission modes
It'd be a hassle to memorize all octal values. Here are a list of absolute permission modes that are used most often.
|644||rw- --r --r|
|600||rw- --- ---|
|755||rwx -wx -wx|
|700||rwx --- ---|
|711||rwx --x --x|
Chmodding by Symbolic Representation
The second way to chmod is by symbolic representation. If you have trouble remembering the octal forms, this may be a better alternative for you.
We have four characters to describe the file user, group, others and all.
- User (file owner).
- Others (world).
- All (u+g+o).
- If no characters are present, all is assumed.
Authorizing or revoking permissions
We may use the plus (
+) and minus (
-) symbols to add or remove the permissions
To give or revoke permissions from multiple groups, simply separate the permissions with a comma (
Here are some common examples of chmodding by symbol. We'll start with the default
644 permissions (
$ touch helloWorld.txt $ ls -l helloWorld.txt
-rw-r--r-- 1 JohnDoe staff 0 Apr 1 23:20 helloWorld.txt
# Give group permission to execute $ chmod g+x helloWorld.txt $ ls -l helloWorld.txt
-rw-r-xr-- 1 JohnDoe staff 0 Apr 1 23:20 helloWorld.txt
# Revoke read permissions from others $ chmod o-r helloWorld.txt $ ls -l helloWorld.txt
-rw-r-x--- 1 JohnDoe staff 0 Apr 1 23:20 helloWorld.txt
# Give all execution permission $ chmod +x helloWorld.txt $ ls -l helloWorld.txt
-rwxr-x--x 1 JohnDoe staff 0 Apr 1 23:20 helloWorld.txt
# Revoke execution permission from all and give read permission to others $ chmod a-x,o+r helloWorld.txt $ ls -l helloWorld.txt
-rw-r--r-- 1 JohnDoe staff 0 Apr 1 23:20 helloWorld.txt
Specifying exact permissions
In addition to
-, we can assign precise permissions with the equals symbol (
# All can only read $ chmod =r helloWorld.txt $ ls -l helloWorld.txt
-r--r--r-- 1 JohnDoe staff 0 Apr 1 23:20 helloWorld.txt
This will change our mode of helloWorld.txt to only read.
$ chmod g=rwx helloWorld.txt $ ls -l helloWorld.txt
-rw-rwxr-- 1 JohnDoe staff 0 Apr 1 23:20 helloWorld.txt
Note that the settings for
umask may alter what you'd expect for the
chmod command above. Let's learn about
umask in our next lesson to better understand this.
Setting Default Permissions umask
When we create a file or directory, accession modes are applied by default. We can see and change these defaults with
To look at your current masking simply use the
$ umask 0022
Since our umask is set to
0022, and the default file mode is usually
666, we have:
- Original file mode
- rw- rw- rw-
- --- -1- -1-
- rw- r-- r--
Thus we see the canonical
644 file permission that we get when we create new files.
$ touch sampleFile.txt $ ls -l sampleFile.txt
-rw-r--r-- 1 JohnDoe staff 0 Mar 30 18:34 sampleFile.txt
To change umask, simply pass the octal value as an argument (include a 0 for the file mode).
$ umask 0777 $ touch sampleFile2.txt $ ls -l sampleFile2.txt
---------- 1 JohnDoe staff 0 Apr 01 18:34 sampleFile2.txt
Here, we would cannot do anything with our sampleFile2.txt because
umask suppressed all its accession modes.
Changing file owner and group chown, chgrp, -R
To change the owner and group owner of a file or directory, we use
chown (short for change owner). To change a new group, use the similar command
We must have root permissions to use this command.
The syntax for
chown is as follows:
$ chown [options] [owner]:[group] files
The syntax for
chgrp is very similar:
$ chgrp [options] newgroup files
Here are some functionalities of
chgrp that are used in the real world.
1) Changing file owner
To change the file owner, specify the user, then the file name.
$ chown bob sampleFile.txt
The sampleFile.txt file will change user to bob.
2) Changing the group
To change the file's group owner, we set the group name after a colon (
This provides the same function as
$ chown :programmers todo-list.txt $ chgrp programmers todo-list.txt
3) Changing both file and group ownership
$ chown bob:redditors sampleFile.txt
Here, we are changing the sampleFile.txt. The argument before the : indicates the new user, while the argument after shows the new group.
4) Recursive subdirectories and files with -R
To recursively grant ownership of a directory and all files with subdirectories within, use the
$ chown -R bob /files/folder
An example to wrap things up
Let's go through an example with two users: marie and bob.
marie has access to sudo commands, and wants to copy a file into bob's home directory. She would like to give bob the ownership.
$ sudo cp sampleFile.txt ~bob Password: # Copied file to bob's homepage. $ sudo ls -l ~bob/sampleFile.txt -rw-r--r-- 1 marie staff 2014-01-13 16:00 /home/bob/sampleFile.txt # bob only has read access to this file. $ sudo chown bob: ~bob/sampleFile.txt -rw-r--r-- 1 bob bob 2014-01-13 16:00 /home/bob/sampleFile.txt # Now bob has ownership and has write access.
Changing Identities su, sudo, -l, -c
Sometimes we need to take on someone else's identity to carry out a specific task.
Let's begin by looking at
su, which is used to assume the identity of another user. Then we'll discuss
sudo, which is used to execute a single authorized command.
su command (aka switch user), allows you to switch to any user account, as long as you know the password.
For example, to switch to the user bob, simply pass
bob as the argument to
$ su bob Password:
Don't worry if the password isn't showing any characters as you type - the shell is still reading what you type into the buffer.
Loading the user's environment with -l
If you'd like to load the user's entire environment, you can do so with the
$ su -l bob Password: # Environment gets loaded # Working directory is bob's home directory
To switch to the superuser, simply use a single hyphen
$ su -
-l option is interchangable with using
-. Keep in mind that with no argument after the hyphen, the shell assumes the superuser.
Executing a single command as another user
In case you just want to execute a single command as the user, use the
$ su bob -c 'dougie'
This code will execute the command
dougie under the user
bob. Make sure to enclose your command in single quotes to prevent expansion!
To exit and return to your account, use the
sudo command allows a permitted user to execute a command that he or she is entitled to.
The list of who can perform what is kept in a file called /etc/sudoers, and is maintained only by the root adminstrator.
The administrator is able to use this file to allow access to different users in a controlled way. With this, users may be restricted to one or more specific commands and no others.
sudo does not start a new session or load any environmental configurations, and when using sudo, the user enters his own password - not the superusers's.
sudo, simply pass in the command after the
$ sudo vim /etc/hosts Password: # Now you can edit this secure file
Simple shortcut for using sudo
Many times you'll input a command that the shell will complain that you don't have sudo permissions. Instead of typing the command again, you can simply call
sudo !! to run the same command with sudo permissions.
So what's the main difference? su vs. sudo
su switches you to the root user account (or another user's) and requries a specific password.
sudo, on the other hand, runs a single command with root priveleges and does not require a root user password.
The /etc/sudoers file defines who can perform what commands with
To access this file, use the
# Defines users User_Alias ADMINS = user1, user2 # Users with ADMINS alias can use sudo to execute commands as root # First ALL = any host, Second ALL = any command ADMINS ALL = NOPASSWD: ALL # superuser may also use sudo to run any command on any host. # (ALL) means superuse may also run commands as any other user. root ALL = (ALL) ALL