Permissions

Restricting access to files and folders is important for maintaining confidentiality. Linux has features that allow different users or groups to read files, write to files, or execute programs.

Learning Objectives

You should be able to:

  • Describe read, write, and execute permissions
  • Interpret the user, group, and other permissions
  • Use the chmod command to change permissions
  • Execute a program after granting execute permissions

Video Walkthrough

Use this video to follow along with the steps in this lab.

Example Use Case

It is necessary to restrict access to files and folders on a Linux server. For example, a hospital might have patient data that should only be accessed by authorized personnel. The hospital might have a group of doctors who can read patient data, but only a few administrators who can update patient data. The hospital might have a group of nurses who can execute applications that help them do their jobs. The chmod tool can be used to set permissions for files and directories on Linux.

In 2024, a server hosted by Pokemon was hacked. The hacker found that a critical file containing administrative credentials had "777" permissions, meaning every user on the system could read, write, and execute it. The hacker used the credentials to steal game source code and find information about unannounced Nintendo hardware. The Fireship YouTube channel discussed the breach and the fallout; skip to 0:45 to get into the breach details.

Ubuntu documents the process for setting up OpenSSH on its Linux operating system. Note that the instructions include the following commands:

sudo chmod a-w /etc/ssh/sshd_config.original
chmod 600 .ssh/authorized_keys

This section will help you understand what chmod and numeric modes such as 600 and 700 mean.

Read, Write, and Execute

Limiting access to resources is key to maintaining confidentiality. In Linux, file permissions can be modified to grant read, write, and execute permissions. These permissions will show up in the terminal as r, w, and x.

  • Read permissions. This allows users to display the contents of the file, or open the file in a program. Just because somebody can read a file does not mean that they can make changes.
  • Write permissions. People can update or delete files. Technically, it is possible to grant somebody write permissions without read permissions, but that is often reserved for special system processes. In most cases, if you grant write permissions, you likely want to grant read permissions as well.
  • Execute permissions. The Linux execute permission is very different from permissions on Windows. In Linux, just because a program exists on a computer does not necessarily mean that you can run it. Execute permissions have to be granted in some cases.

The chmod command can use numbers that represent the permissions.

Permission   Value
Read         4
Write        2
Execute      1

You can compute a permission digit by adding the numbers for the desired permissions. For example, if a user needs read and execute permissions, you would add 4 + 1 to get 5. Every combination of permissions can be represented uniquely with a single digit, as the table below shows.

Read (4)   Write (2)   Execute (1)   Sum
No         No          No            0
No         No          Yes           1
No         Yes         No            2
No         Yes         Yes           3
Yes        No          No            4
Yes        No          Yes           5
Yes        Yes         No            6
Yes        Yes         Yes           7

Create Files

This section will have you create several files. Later, you will set the permissions on the files.

  • Connect to your Linux virtual machine's terminal.
  • Run the following command to ensure that you are in your home directory.
cd ~
  • Run the following command to create a new folder called permissions.
mkdir permissions
  • Change directories to the new permissions folder.
cd permissions
  • Use the touch command to create files called program, watch, and write.
touch program
touch watch
touch write

At this point, there are now three files in the permissions folder.

Listing File Permissions

  • Run ls -l to list the files in the long format which shows the permissions.
ls -l

ls -l output

Notice the dashes and letters. The first column's dash indicates that program, watch, and write are regular files (a directory would show d). The r indicates read access. The w indicates write access. A dash in place of a letter means that permission is not granted, so the absence of any x means none of the files can be executed yet.

After the file-type character, there are three sets of rwx permissions, one for each class of user:

  • Owner - The user who "owns" the file. Often, this is the creator of the file, but ownership can be transferred.
  • Group - Groups of users that can be granted permissions.
  • Other - People who are not owners or given access via a group are "other."

Looking at the permissions, you can read and write all three files, but not execute them.

Executing Files

There are times when you need to download a file from the internet and execute it (i.e., run it). In this section, you will write a very small program, add the execute permissions, and then run the program.

  • Open the program file in nano.
nano program
  • Add the following text, then save and exit nano.
echo "Hello world"
  • Run the following command to add the execute permission.
chmod +x program
  • List the folder contents with the permissions.
ls -l

ls -l output after adding execute permissions

  • Note that the "x" permission now exists. Also, the word program is now displayed in a different color or font to show that it can be executed.
  • Run the program with a period, forward slash, and the name of the program.
./program

Running "program"

  • Remove the execute permission.
chmod -x program
  • Try running the program again.
./program

Execution fails

Note that the program will not run.

Unlike Windows, programs in Linux can have any file name. They do not always have extensions. In Windows, you often tell a program by its .exe file extension.

Group Permissions

In the previous section, the chmod command was used to grant execute permissions to user, group, and other. It is possible to grant permissions granularly. In this section you will modify the group permissions.

  • Verify the permissions using ls -l.
ls -l
  • Note that the group does not have write access to any of the files.
  • Run the following command to grant the group access to the write file.
chmod g+w write
  • Check the permissions. Note that the group now has write access.
ls -l

Write permissions granted

User Permissions

Perhaps we want to protect a file so that changes are not made to it. Write access can be revoked.

  • Verify the permissions using ls -l.
ls -l
  • Note that the user has write access to the watch file.
  • Run the following command to revoke write access.
chmod u-w watch
  • Try to edit the file in nano.
nano watch
  • Notice that nano says that the file cannot be changed.

Nano warning

  • Quit nano.

Using chmod with Numbers

  • Create a new file called permtest.txt.
touch permtest.txt
  • Change its permissions so that the owner, group, and others all get full read, write, and execute access (7, 7, and 7).
chmod 777 permtest.txt
  • Verify the permissions with ls -l
ls -l
  • Change the permissions so that the owner has read and execute permissions, the group has read and write permissions, and others do not have any permissions.
chmod 560 permtest.txt
  • Verify the permissions using ls -l.
ls -l

Because the full owner, group, and other permissions can be set with a single command using numbers, installation instructions will often include commands that set the permissions via numbers. Using numbers is a little less intuitive than setting individual permissions symbolically, such as u+x, but it is much more compact.
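The conversion between the rwx letters shown by ls -l and the digits used in the "Read, Write, and Execute" table, carried through in a script. This is an added example, not part of the original lab; it assumes a POSIX sh with ls, chmod, cut and mktemp, and its function names are its own.

```shell
# Added example, not part of the original lab. Converts between the rwx string
# that ls -l prints and the octal digits chmod accepts, then applies a mode to a
# scratch file and reads it back. The setuid/setgid/sticky characters (s, t) are out of scope.
# One rwx triplet to its digit, e.g. "r-x" -> 5 (4 + 0 + 1).
triplet_to_digit() {
    case "$1" in [r-][w-][x-]) ;; *) echo "bad triplet: $1" >&2; return 1;; esac
    d=0
    case "$1" in r??) d=$((d + 4));; esac
    case "$1" in ?w?) d=$((d + 2));; esac
    case "$1" in ??x) d=$((d + 1));; esac
    echo "$d"
}
# Nine-character permission string to three octal digits: "rwxr-xr--" -> 754.
sym_to_octal() {
    s=$1
    [ "${#s}" -eq 9 ] || { echo "expected 9 characters, got '$s'" >&2; return 1; }
    u=$(triplet_to_digit "$(printf '%s' "$s" | cut -c1-3)") || return 1
    g=$(triplet_to_digit "$(printf '%s' "$s" | cut -c4-6)") || return 1
    o=$(triplet_to_digit "$(printf '%s' "$s" | cut -c7-9)") || return 1
    echo "$u$g$o"
}
# One digit 0-7 back to its triplet: 5 -> "r-x". Bits are read, write, execute.
digit_to_triplet() {
    r=-; w=-; x=-
    [ $(($1 & 4)) -ne 0 ] && r=r
    [ $(($1 & 2)) -ne 0 ] && w=w
    [ $(($1 & 1)) -ne 0 ] && x=x
    echo "$r$w$x"
}
# Three octal digits to the ls -l string: 560 -> "r-xrw----".
octal_to_sym() {
    case "$1" in [0-7][0-7][0-7]) ;; *) echo "expected three octal digits" >&2; return 1;; esac
    g=${1#?}
    printf '%s%s%s\n' "$(digit_to_triplet "${1%??}")" "$(digit_to_triplet "${g%?}")" "$(digit_to_triplet "${1#??}")"
}
# Apply a mode to a scratch file and read it back through ls -l, as the lab does.
apply_and_check() {
    dir=$(mktemp -d) || return 1
    : > "$dir/permtest.txt"
    chmod "$1" "$dir/permtest.txt"
    got=$(ls -l "$dir/permtest.txt" | cut -c2-10)
    rm -rf "$dir"
    sym_to_octal "$got"
}
# True when "other" may write: the 777 mistake from the Example Use Case section.
other_writable() {
    case "$1" in [0-7][0-7][0-7]) ;; *) return 1;; esac
    [ $((${1#??} & 2)) -ne 0 ]
}
```

Running `apply_and_check 560` reproduces the lab step above and prints 560, while `other_writable 777` succeeds and `other_writable 600` fails, which is a quick check to run over any credentials file.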

Challenge

  • Create a file called me.
  • Inside the file, add an echo command that prints your name.
  • Grant the execute permissions on me.
  • Run the program.

Cleanup

When finished, the permissions folder can be deleted with the following commands.

cd ~
rm -rf permissions

Reflection

  • At a hospital, who should have access to read patient data, update patient data, and execute applications?
  • At a hospital, what groups would you create to help manage access?
  • Linux requires that the execute permission be added to programs. Why might this default help protect people from malware infections?

Key Terms

  • Linux File Permissions: A system that controls the access rights to files and directories in a Linux operating system. Permissions determine who can read, write, or execute a file. They are typically represented by a combination of three sets of permissions (read, write, execute) for three types of users (owner, group, others). For example, rwxr-xr-- indicates read, write, and execute permissions for the owner, read and execute permissions for the group, and read-only permissions for others.
  • chmod: A command-line utility in Unix-like operating systems used to change the file permissions of a file or directory. The chmod command can modify permissions using symbolic notation (e.g., chmod u+x file.txt) or octal notation (e.g., chmod 755 file.txt). It allows users to set or modify read, write, and execute permissions for the owner, group, and others.
  • Octal: A base-8 numbering system used to represent file permissions in Unix-like operating systems. Each digit in an octal number represents a set of three binary bits, corresponding to read (4), write (2), and execute (1) permissions. For example, the octal number 755 translates to rwxr-xr-x, where the owner has full permissions (7), the group has read and execute permissions (5), and others have read and execute permissions (5).