
Changing File/Directory Permissions

The command used to change permissions from the command line is chmod, short for "change mode" (permissions are also called the mode of a file). The chmod command takes a permission instruction followed by a list of files or directories to change. The permission instruction can be issued either symbolically (the symbolic method) or numerically (the numeric method).
Symbolic Method Keywords
chmod WhoWhatWhich file|directory
  • Who is u, g, o, a (for user, group, other, all)
  • What is +, -, = (for add, remove, set exactly)
  • Which is r, w, x (for read, write, execute)
The symbolic method of changing file permissions uses letters to represent the different groups of permissions: u for user, g for group, o for other, and a for all.
With the symbolic method, it is not necessary to set a complete new group of permissions. Instead, it is possible to change one or more of the existing permissions. In order to accomplish this, use three symbols: + to add permissions to a set, - to remove permissions from a set, and = to replace the entire set for a group of permissions.
The permissions themselves are represented by a single letter: r for read, w for write, and x for execute. When using chmod to change permissions with the symbolic method, using a capital X as the permission flag will add execute permission only if the file is a directory or already has execute set for user, group, or other.
Numeric Method
chmod ### file|directory
  • Each digit represents an access level: user, group, other.
  • # is sum of r=4, w=2, and x=1.
Using the numeric method, permissions are represented by a three-digit (or four, when setting advanced permissions) octal number. A single octal digit can represent the numbers 0-7, exactly the number of possibilities for a three-bit number.
To convert between symbolic and numeric representation of permissions, we need to know how the mapping is done. In the three-digit octal (numeric) representation, each digit stands for one group of permissions, from left to right: user, group, and other. In each of these groups, start with 0. If the read permission is present, add 4. Add 2 if write is present, and 1 for execute.
Numeric permissions are often used by advanced administrators since they are shorter to type and pronounce, while still giving full control over all permissions.
Examine the permissions -rwxr-x---. For the user, rwx is calculated as 4+2+1=7. For the group, r-x is calculated as 4+0+1=5, and for other users, --- is represented with 0. Putting these three together, the numeric representation of those permissions is 750.
This calculation can also be performed in the opposite direction. Look at the permissions 640. For the user permissions, 6 represents read (4) and write (2), which displays as rw-. For the group part, 4 only includes read (4) and displays as r--. The 0 for other provides no permissions (---) and the final set of symbolic permissions for this file is -rw-r-----.
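The two conversions just described, as an added example (not code from the original page): `symbolic_to_octal` walks the user, group and other triplets adding 4, 2 and 1, and `octal_to_symbolic` does the reverse with bit tests. The first function also tolerates the leading file-type character and the trailing `.` or `+` marker that `ls -l` prints, so output such as `drwxrwx---.` can be pasted in directly. Bash is assumed.

```bash
#!/bin/bash
# Added example: convert between symbolic (rwxr-x---) and numeric (750)
# permission representations. Only the three basic triplets are handled;
# setuid/setgid/sticky (the optional fourth digit) are not covered here.

# symbolic_to_octal rwxr-x---   -> 750
# symbolic_to_octal drwxrwx---. -> 770   (ls -l output accepted as-is)
symbolic_to_octal() {
    local sym=${1%[.+]}                    # drop trailing "." (SELinux) or "+" (ACL) marker
    [ ${#sym} -eq 10 ] && sym=${sym:1}     # drop the file-type character ("-", "d", "l", ...)
    if [ ${#sym} -ne 9 ]; then
        echo "expected 9 permission characters, got '$1'" >&2; return 1
    fi
    local result="" i t digit
    for i in 0 3 6; do                     # user, group, other triplets
        t=${sym:$i:3}; digit=0
        [ "${t:0:1}" = r ] && digit=$((digit + 4))
        [ "${t:1:1}" = w ] && digit=$((digit + 2))
        [ "${t:2:1}" = x ] && digit=$((digit + 1))
        result=$result$digit
    done
    echo "$result"
}

# octal_to_symbolic 640 -> rw-r-----
octal_to_symbolic() {
    local num=$1 result="" d
    case $num in
        [0-7][0-7][0-7]) ;;
        *) echo "expected three octal digits, got '$num'" >&2; return 1 ;;
    esac
    for d in ${num:0:1} ${num:1:1} ${num:2:1}; do   # user, group, other digits
        if [ $((d & 4)) -ne 0 ]; then result+='r'; else result+='-'; fi
        if [ $((d & 2)) -ne 0 ]; then result+='w'; else result+='-'; fi
        if [ $((d & 1)) -ne 0 ]; then result+='x'; else result+='-'; fi
    done
    echo "$result"
}

symbolic_to_octal rwxr-x---     # 750
octal_to_symbolic 640           # rw-r-----
```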
Examples
  • Remove read and write permission for group and other on file1:
    [student@desktopX ~]$ chmod go-rw file1

  • Add execute permission for everyone on file2:
    [student@desktopX ~]$ chmod a+x file2

  • Set read, write, and execute permission for user, read and execute for group, and no permission for other on sampledir:
    [student@desktopX ~]$ chmod 750 sampledir

Note

The chmod command supports the -R option to recursively set permissions on the files in an entire directory tree. When using the -R option, it can be useful to set permissions symbolically using the X flag. This will allow the execute (search) permission to be set on directories so that their contents can be accessed, without changing permissions on most files. But be cautious. If a file has any execute permission set, X will set the specified execute permission on that file as well. For example, the following command will recursively set read and write access on demodir and all its children for their group owner, but will only apply group execute permissions to directories and files which already have execute set for user, group, and/or other.
[student@desktopX ~]$ chmod -R g+rwX demodir
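To see the X caveat from the note in action, here is an added example (not from the original page) that builds a throwaway tree with `mktemp`, runs `chmod -R g+rwX` on it, and reports the resulting octal modes. The tree has a subdirectory, a file with no execute bit and a file that is user-executable; only the last of these picks up group execute. GNU `stat` is assumed.

```bash
#!/bin/bash
# Added example: what chmod -R g+rwX does to directories, to files without
# any execute bit, and to files that already have an execute bit.

# Build demodir/sub (dir, 700), demodir/notes.txt (600) and demodir/run.sh (700)
# under a fresh temporary directory. Prints the path of demodir.
make_demo_tree() {
    local base
    base=$(mktemp -d) || return 1
    mkdir -p "$base/demodir/sub"
    : > "$base/demodir/notes.txt"; chmod 600 "$base/demodir/notes.txt"
    : > "$base/demodir/run.sh";    chmod 700 "$base/demodir/run.sh"
    chmod 700 "$base/demodir" "$base/demodir/sub"
    echo "$base/demodir"
}

# Apply the recursive change and print the modes of
# demodir, demodir/sub, demodir/notes.txt and demodir/run.sh on one line.
modes_after_g_rwX() {
    local d=$1
    chmod -R g+rwX "$d"
    printf '%s %s %s %s\n' \
        "$(stat -c %a "$d")" "$(stat -c %a "$d/sub")" \
        "$(stat -c %a "$d/notes.txt")" "$(stat -c %a "$d/run.sh")"
}

demo=$(make_demo_tree)
# Directories get g+rwx (770); notes.txt gets only g+rw (660) because nothing
# had execute set; run.sh gets g+rwx (770) because user already had execute.
modes_after_g_rwX "$demo"          # 770 770 660 770
rm -rf "$(dirname "$demo")"
```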

Changing File/Directory User or Group Ownership

A newly created file is owned by the user who creates the file. By default, the new file has a group ownership which is the primary group of the user creating the file. Since Red Hat Enterprise Linux uses user private groups, this group is often a group with only that user as a member. To grant access based on group membership, the owner or the group of a file may need to be changed.
File ownership can be changed with the chown command (change owner). For example, to grant ownership of the file foofile to user student, the following command could be used:
[root@desktopX ~]# chown student foofile
chown can be used with the -R option to recursively change the ownership of an entire directory tree. The following command would grant ownership of foodir and all files and subdirectories within it to student:
[root@desktopX ~]# chown -R student foodir
The chown command can also be used to change group ownership of a file by preceding the group name with a colon (:). For example, the following command will change the group of foodir to admins:
[root@desktopX ~]# chown :admins foodir
The chown command can also be used to change both owner and group at the same time by using the syntax owner:group. For example, to change the ownership of foodir to visitor and the group to guests, use:
[root@desktopX ~]# chown visitor:guests foodir
Only root can change the ownership of a file. Group ownership, however, can be set by root or the file's owner. root can grant ownership to any group, while non-root users can grant ownership only to groups they belong to.
Instead of using chown, some users change the group ownership by using the chgrp command; this command works exactly the same as changing ownership with chown, including the use of -R to affect entire directory trees.

Important

You may encounter examples of chown commands using an alternative syntax that separates owner and group with a period instead of a colon:
[root@host ~]# chown owner.group filename
You should not use this syntax. Always use a colon.
A period is a valid character in a user name, while a colon is not. If the user enoch.root, the user enoch, and the group root exist on the system, the result of chown enoch.root filename will be to have filename owned by the user enoch.root. You may have been trying to set the file to be owned by user enoch and group root. This can be confusing.
If you always use the chown colon syntax when intending to set user and group at the same time, the results are always easy to predict.

Guided Exercise: Managing File Security from the Command Line

In this exercise, you will create a collaborative directory for pre-existing users.
Outcomes

  • Create a directory with permissions that make it accessible by all members of the ateam group
  • Create a file owned by user andy that can be modified by alice.
Before You Begin
Start your Amazon EC2 instance and use ssh to log in as the user ec2-user. It is assumed that ec2-user can use sudo to run commands as root.
Steps
  1. Become the root user at the shell prompt.
    [ec2-user@ip-192-0-2-1 ~]$ sudo su -
    [root@ip-192-0-2-1 ~]# 
  2. Create a group, ateam. Create two new users, andy and alice, who are members of that group.
    [root@ip-192-0-2-1 ~]# groupadd ateam
    [root@ip-192-0-2-1 ~]# useradd -G ateam andy
    [root@ip-192-0-2-1 ~]# useradd -G ateam alice
    [root@ip-192-0-2-1 ~]# id andy; id alice
    uid=1010(andy) gid=1010(andy) groups=1010(andy),40001(ateam)
    uid=1011(alice) gid=1011(alice) groups=1011(alice),40001(ateam)
    
  3. Create a directory in /home called ateam-text.
    [root@ip-192-0-2-1 ~]# mkdir /home/ateam-text
  4. Change the group ownership of the ateam-text directory to ateam.
    [root@ip-192-0-2-1 ~]# chown :ateam /home/ateam-text
  5. Ensure the permissions of ateam-text allow group members to create and delete files.
    [root@ip-192-0-2-1 ~]# chmod g+w /home/ateam-text
  6. Ensure the permissions of ateam-text forbid others from accessing its files.
    [root@ip-192-0-2-1 ~]# chmod 770 /home/ateam-text
    [root@ip-192-0-2-1 ~]# ls -ld /home/ateam-text
    drwxrwx---.  2 root ateam 6 Jan 23 12:50 /home/ateam-text
  7. Exit the root shell and switch to the user andy.
    [root@ip-192-0-2-1 ~]# exit
    [ec2-user@ip-192-0-2-1 ~]$ sudo su - andy
    [andy@ip-192-0-2-1 ~]$ 
  8. Navigate to the /home/ateam-text folder (remember to open a terminal window first).
    [andy@ip-192-0-2-1 ~]$ cd /home/ateam-text
  9. Create an empty file called andyfile3.
    [andy@ip-192-0-2-1 ateam-text]$ touch andyfile3
  10. Record the default user and group ownership of the new file and its permissions.
    [andy@ip-192-0-2-1 ateam-text]$ ls -l andyfile3
    -rw-rw-r--.  1 andy andy 0 Jan 23 12:59 andyfile3
  11. Change the group ownership of the new file to ateam and record the new ownership and permissions.
    [andy@ip-192-0-2-1 ateam-text]$ chown :ateam andyfile3
    [andy@ip-192-0-2-1 ateam-text]$ ls -l andyfile3
    -rw-rw-r--.  1 andy ateam 0 Jan 23 12:59 andyfile3
  12. Exit the shell and switch to the user alice with a password of password.
    [andy@ip-192-0-2-1 ateam-text]$ exit
    [ec2-user@ip-192-0-2-1 ~]$ sudo su - alice
    [alice@ip-192-0-2-1 ~]$ 
  13. Navigate to the /home/ateam-text folder.
    [alice@ip-192-0-2-1 ~]$ cd /home/ateam-text
  14. Determine alice's privileges to access and/or modify andyfile3.
    [alice@ip-192-0-2-1 ateam-text]$ echo "text" >> andyfile3
    [alice@ip-192-0-2-1 ateam-text]$ cat andyfile3
    text
    If you didn't set the permissions correctly, the above commands will instead result in something like the following:
    [alice@ip-192-0-2-1 ateam-text]$ echo "text" >> andyfile3
    -bash: /home/ateam-text/andyfile3: Permission denied
    

    Important

    In the preceding example, the command echo "text" >> andyfile3 is using a technique called shell I/O redirection to append the line text to the end of the file andyfile3. The output of the echo command is appended to the end of the file that the >> points at. Be careful to use >> and not just one >, since the > operator will overwrite the entire file and replace its contents with only the line text.
    If you are interested in more information on shell I/O redirection, an overview is available at http://wiki.bash-hackers.org/syntax/redirection.
    Be careful if you choose to test this by having alice edit andyfile3 with vim. If the permissions are wrong on the file, vim will warn you that you're editing a read-only file. But if the /home/ateam-text directory is writable by alice, then vim will still let you use :wq! to write the file, even if alice doesn't have write permission on the file!
    How is this possible? It turns out vim is "smart" enough to recognize that it can overwrite the file by deleting the file from the directory and creating a new copy. This is allowed because having write on a directory means you can delete any file in that directory, even if you can't write the file directly. The ! on the vim command :wq! indicates that you want it to do everything it can to write the file.
    Note that one side effect of this is that the file's owner will change to alice, and other permissions may change as well.
  15. This completes this exercise. Log out and stop your Amazon EC2 instance.
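A check for the outcome of this exercise, added here and not part of the original lab: `audit_collab_dir` verifies that a collaborative directory is group-owned by the expected group, has mode 770 (no access for other), and that every file inside it is both group-owned by that group and group-writable, which is exactly what steps 4 to 11 set up by hand and what alice's append test in step 14 depends on. It prints each problem it finds and returns 1, so it can be rerun after new files are created. GNU `stat` is assumed; the directory and group names are parameters.

```bash
#!/bin/bash
# Added example: audit a collaborative directory such as /home/ateam-text.
# Usage: audit_collab_dir /home/ateam-text ateam
# Returns 0 when everything matches the exercise, 1 otherwise (problems listed).
audit_collab_dir() {
    local dir=$1 group=$2 problems=0 f mode grp
    mode=$(stat -c %a "$dir") || return 1
    grp=$(stat -c %G "$dir")
    [ "$grp" = "$group" ] || { echo "$dir: group is $grp, expected $group"; problems=1; }
    case $mode in
        770|2770) ;;            # 2770 is the same directory mode with setgid set
        *) echo "$dir: mode is $mode, expected 770"; problems=1 ;;
    esac
    for f in "$dir"/*; do
        [ -e "$f" ] || continue     # empty directory: the glob did not expand
        grp=$(stat -c %G "$f"); mode=$(stat -c %a "$f")
        [ "$grp" = "$group" ] || { echo "$f: group is $grp (needs chown :$group)"; problems=1; }
        # the group write bit is the 2 in the middle octal digit
        [ $(( (8#$mode / 8) & 2 )) -ne 0 ] || { echo "$f: not group-writable"; problems=1; }
    done
    return $problems
}
```

Files created by members get the creator's private group (as andyfile3 did in step 10), so a failing `chown :ateam` line is expected until step 11 has been done for that file.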
