This tutorial explains Linux permission levels (owner, group and other) and permission types (read, write and execute) in detail with examples, including how to change the ownership of a file or directory (with the chown and chgrp commands) and how to read the permissions applied to an object from the output of the ls -l command, step by step.
Basic concepts of Linux file permission
Just like other operating systems, Linux protects resources with a set of permissions. These permissions define how a user is allowed to access a resource. A user is anyone who accesses the resource, such as a user account, system process or application. A resource is an object being accessed by a user, such as a file, directory or device.
Each object has three levels of permissions: user owner permissions, group owner permissions and other permissions. These define how the user owner, the group owner and others, respectively, can access that object. To understand these permissions, we first need to understand user owner, group owner and others.
- The user owner is the user who created the object, or a user designated as owner by the current owner or the root user.
- The group owner is the primary group of the user owner, or a group designated by the current owner or the root user.
- All remaining users and groups are considered others.
Let's take an example: user vikarm, whose primary group is developer, creates a file named config. Here, the file config is the object, user vikarm is the user owner, group developer is the group owner and everyone else is the others. So whatever permissions file config has in its owner, group and other fields apply to vikarm (user), developer (group) and everyone else (others) respectively.
This tutorial is the first part of our article “Learn how to manage file permission in Linux step by step with examples”. You can read other parts of this article here.
How to use chmod command in Linux Explained with Examples
This tutorial is the second part of this article. It explains how to set and manage file attributes and permission with chmod command in Linux from both symbolic and octal methods.
How to change default umask permission in Linux
This tutorial is the third part of this article. It explains how to change the default umask permission temporary and permanently.
How to set immutable bit with chattr command
This tutorial is the last part of this article. It explains how to set immutable or sticky bit in Linux including how to set append attribute.
How to read default file permission
As we know, each object has three permission levels: user (owner), group (owner) and others. Each permission level has three types of permission: read, write and execute. Permission levels and types are always mapped in the following sequence.
User (Read, Write, Execute), Group (Read, Write, Execute) and Other (Read, Write, Execute)
At the shell prompt, symbols are used for permission levels and types instead of their full names. The following table shows the symbols associated with each permission level and permission type.
Permission level | Symbol | Permission type | Symbol |
User (owner) | u | Read | r |
Group (owner) | g | Write | w |
Other | o | Execute | x |
If a hyphen sign (-) appears in any type field, that level does not have that type of permission.
Let’s take one more example to understand permission levels and types in more detail.
User Sanjay creates a file named record. The primary group of user Sanjay is Account. The group Account has two members: Sanjay and Krishna. Permission on file record is rwx at the user level, rw- at the group level and r-- at the other level.
Permission at the user level is rwx, which means the owner of this file can read (r), write (w) and execute (x) it. In this example the owner of the file is Sanjay, so he can read, write and execute it.
Permission at the group level is rw-, which means any member of group Account can read (r) and write (w) this file but cannot execute it. A hyphen (-) means no permission is set in that particular field; here it is in the last place, which represents the execute permission. User Krishna belongs to group Account, so he can read and write this file but cannot execute it.
Permission at the other level is r--, which means all remaining users can only read this file. They cannot write to or execute it.
Let's take a practical example to understand how all this works at the shell prompt.
- Access the shell prompt as user root and create a group named rhcelab.
- Create a new user named test-owner.
- Use group rhcelab as the primary group for user test-owner.
- Switch to user test-owner.
- Move into the home directory.
- Create a directory named test-dir.
- Create a file named test-file.
- Run the ls -l command.
The following figure illustrates the above steps.
The output of the ls -l command provides detailed information about permissions. It has six fields: permission types, hard links, user owner, group owner, last modified date with time, and name of the object.
Permission Type: - This field has eleven sub-fields. Each sub-field has a special meaning for permissions.
The first sub-field shows whether the object is a directory or a file: a letter d in this field means the object is a directory, a hyphen sign means it is a file. Permission types work differently for files and directories.
Permission Type | File | Directory |
Read | Can view the content of file | Can view the content of directory |
Write | Can write content in file | Can make new file or directory in directory |
Execute | Can execute the content of file | Can navigate through the directory |
The next nine sub-fields show the assigned permission types (read, write and execute) at each level (user, group and other).
Object | User permission | Group permission | Others permission |
test-dir | read, write and execute | read and execute | read and execute |
test-file | read and write | read | read |
The last sub-field shows a special type of permission, which we will cover in detail with examples in the last part of this tutorial.
Hard links: - Number of hard links this object has.
User owner: - User owner of this object.
Group owner: - Group owner of this object.
Date with time: - Last modified time with date.
Name: - Name of object.
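As an added example (not part of the original tutorial), the following Python script reproduces the ls -l fields from os.lstat and decodes the ten-character permission string into the levels and types described above. The decode_mode_string and describe functions, and the test-dir and test-file objects it creates in a scratch directory, are my own constructions; the modes are set explicitly (0o755 and 0o644) so the output matches the table above regardless of the current umask.

```python
import os
import stat
import pwd
import grp
import time
import tempfile

LEVELS = ("user", "group", "other")
TYPES = ("read", "write", "execute")


def decode_mode_string(mode_str):
    """Decode the first field of `ls -l` (e.g. 'drwxr-xr-x') into the object
    type and the permission types granted at each level."""
    if len(mode_str) < 10:
        raise ValueError("expected at least 10 characters, e.g. 'drwxr-xr-x'")
    kind = {"d": "directory", "-": "file", "l": "symlink"}.get(mode_str[0], "special")
    info = {"type": kind}
    for i, level in enumerate(LEVELS):
        triplet = mode_str[1 + 3 * i:4 + 3 * i]  # user = chars 1-3, group = 4-6, other = 7-9
        granted = []
        for ch, name in zip(triplet, TYPES):
            # '-' means the type is absent. In the execute slot, 's' and 't'
            # (setuid/setgid/sticky) imply execute is set; 'S' and 'T' mean it is not.
            if ch in "rwxst":
                granted.append(name)
        info[level] = granted
    return info


def describe(path):
    """Collect the same information `ls -l` prints for one object, from os.lstat."""
    st = os.lstat(path)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)   # no passwd entry: ls prints the numeric id instead
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    mode_str = stat.filemode(st.st_mode)
    info = decode_mode_string(mode_str)
    info.update({
        "mode_string": mode_str,
        "hard_links": st.st_nlink,
        "owner": owner,
        "group": group,
        "modified": time.strftime("%b %d %H:%M", time.localtime(st.st_mtime)),
        "name": os.path.basename(path),
    })
    return info


def demo():
    """Create test-dir and test-file in a scratch directory (constructed data),
    give them the modes from the tutorial's table, and describe both."""
    root = tempfile.mkdtemp()
    test_dir = os.path.join(root, "test-dir")
    test_file = os.path.join(root, "test-file")
    os.mkdir(test_dir)
    open(test_file, "w").close()
    os.chmod(test_dir, 0o755)    # rwxr-xr-x: rwx / r-x / r-x as in the table
    os.chmod(test_file, 0o644)   # rw-r--r--: rw- / r-- / r-- as in the table
    return {"test-dir": describe(test_dir), "test-file": describe(test_file)}


if __name__ == "__main__":
    for name, info in demo().items():
        print(info["mode_string"], info["hard_links"], info["owner"], info["group"],
              info["modified"], info["name"])
        for level in LEVELS:
            print("  %-5s -> %s" % (level, ", ".join(info[level]) or "none"))
```

Run it as any user; it prints one ls -l style line per object followed by the decoded levels. Note that the size field ls prints between group and date is not among the six fields listed above, so it is omitted here as well.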
How shell checks file permission
How much permission a user has on an object (file or directory) is determined in the following order.
- If he is the owner of the object, the permissions set in the user owner field apply.
- If he is a member of the group owner, the permissions set in the group owner field apply.
- If he is neither the owner of the object nor a member of the group owner, the permissions set in the other field apply.
Owner, group and other are always checked in this sequence. Once a match is found, the remaining levels are ignored.
- If you are the owner of the object, the group and other fields are never checked for you.
- If you are not the owner of the object, the group field is checked.
- If you are a member of the group owner, the other field is never checked for you.
- If you are neither the owner of the object nor a member of the group owner, the other field is checked for you.
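The following Python model of that check sequence is an added example, not code from the tutorial. The effective_permissions function, the bits helper and the constructed user and group ids for test-owner, test-group and test-other are assumptions chosen to mirror the accounts used on this page; the file and directory modes are the ones in effect after the chmod step below (rwxr-x--- and rwxr-x--x). It also shows the case the ordering rule implies, which is the point worth remembering when auditing permissions: an owner whose own field is empty gets nothing even when the group and other fields grant everything. As a caveat the tutorial does not cover, root bypasses the read and write checks.

```python
READ, WRITE, EXECUTE = "read", "write", "execute"


def bits(triplets):
    """Turn the nine rwx characters of ls -l (e.g. 'rwxr-x---') into mode bits (0o750)."""
    if len(triplets) != 9:
        raise ValueError("expected nine characters such as 'rwxr-x---'")
    value = 0
    for ch in triplets:
        value = (value << 1) | (ch != "-")
    return value


def effective_permissions(uid, gids, st_uid, st_gid, mode):
    """Permission types a process with `uid` and group set `gids` gets on an object
    owned by st_uid/st_gid with `mode` bits. The user owner field is checked first,
    then the group owner field, then other; only the first matching level applies."""
    if uid == st_uid:
        level, shift = "user", 6
    elif st_gid in gids:
        level, shift = "group", 3
    else:
        level, shift = "other", 0
    field = (mode >> shift) & 0o7
    granted = set()
    if field & 0o4:
        granted.add(READ)
    if field & 0o2:
        granted.add(WRITE)
    if field & 0o1:
        granted.add(EXECUTE)
    if uid == 0:
        # Caveat not covered by the tutorial: root (CAP_DAC_OVERRIDE) bypasses the read
        # and write checks and may execute a file if any one of the execute bits is set.
        granted |= {READ, WRITE}
        if mode & 0o111:
            granted.add(EXECUTE)
    return level, granted


# Constructed ids mirroring the tutorial's accounts: test-owner and test-group share
# the primary group rhcelab (gid 1001); test-other belongs only to its own group.
USERS = {
    "test-owner": (1001, {1001}),
    "test-group": (1002, {1001, 1002}),
    "test-other": (1003, {1003}),
}
# Both objects are owned by test-owner:rhcelab, with the modes set after chmod in the text.
OBJECTS = {
    "test-file": (1001, 1001, bits("rwxr-x---")),
    "test-dir": (1001, 1001, bits("rwxr-x--x")),
}


def scenario():
    """Evaluate every user against every object: {user: {object: (level, granted)}}."""
    return {
        user: {obj: effective_permissions(uid, gids, *spec) for obj, spec in OBJECTS.items()}
        for user, (uid, gids) in USERS.items()
    }


if __name__ == "__main__":
    for user, results in scenario().items():
        for obj, (level, granted) in results.items():
            print(f"{user:11} on {obj:9}: matched {level:5} field -> {sorted(granted) or 'none'}")
    # The sequence matters: the owner of a ---rwxrwx object gets nothing, because the
    # user field matched first and the group and other fields are never consulted.
    print(effective_permissions(1001, {1001}, 1001, 1001, bits("---rwxrwx")))
```

The output for the three constructed users matches what the tests from the shell prompt show later on this page: test-owner gets everything, test-group gets read and execute on both objects, and test-other gets only execute on test-dir and nothing on test-file.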
To understand more clearly how the shell checks file permission, let's extend the previous example.
Exit from user test-owner and run the following commands.
The chmod command is used to change the permission types. The second part of this article explains how to configure and manage file permissions in detail with examples.
We have changed the default permissions. The following table lists the new permissions.
Object | User owner | Group owner | Other |
test-dir | read, write and execute | read and execute | execute |
test-file | read, write and execute | read and execute | none |
Testing user owner file permission
User test-owner has all permissions on the file. He should be able to read, write and execute it. Let's check it out.
Switch to user test-owner and change directory to /home/test-owner.
Run the following command to test the write permission.
#cat > test-file
echo "hello"
Use the Ctrl+d key combination to save and exit from this file.
If the user is able to write to the file, he has the write permission.
Run the following command to test the read permission.
#cat test-file
If the user can read the contents of the file, he has the read permission.
Run the following command to test the execute permission.
#./test-file
While testing the write permission, we wrote a simple command into the file which prints hello on the terminal. In the output of the above command you should see hello on the terminal.
If the user can run the above command, he has the execute permission.
Testing user owner directory permission
User test-owner also has all permissions on the directory. He should be able to list, write to and navigate through the directory. Let's check it out.
Run the following command to test the execute permission.
#cd test-dir
If the user is allowed to change into the directory, he has the execute permission.
Run the following command to test the write permission.
#mkdir test-owner-dir
If the user can create a new directory, he has the write permission.
Run the following command to test the read permission.
#ls
If the user can list the content of the directory, he has the read permission.
The following figure illustrates both tests.
Testing group owner file and directory permission
Exit from user test-owner and switch to user test-group. User test-group belongs to group rhcelab, which is the primary group of the owner. The group owner has read and execute rights on both objects. Being a group member, user test-group should be able to read and execute both objects but should not be able to write to either.
Let's test all permission types one by one, as we just did from the test-owner account.
As the output shows, user test-group is unable to perform write actions, while he is allowed to perform read and execute actions on both objects.
Testing others' file and directory permission
In this example, other has no permission on file test-file and execute permission on directory test-dir. To test these permissions, we need a user who is neither the owner of the object nor a member of the owner's primary group. For this purpose, create a separate account test-other, exit from user test-group and switch to user test-other. Now test all permissions step by step.
As the above output confirms, user test-other is only able to navigate through the test-dir directory. He is unable to perform any other task.
How to change ownership of file and directory
As we have learned, owner and group are the primary entities when working with file permissions. Each has its own dedicated field in the file permissions, and whatever permission is set in that field defines what it can do with the object. If we change the owner or group of a file, the new owner or group automatically receives the assigned permissions.
Let's take an example. User sanjay is the owner of a file named data and has read, write and execute permission on it. If we change the owner of the file from sanjay to mike, user mike gets read, write and execute permission on the file.
To understand it more clearly, let's take a practical example.
Access the shell prompt as root again and add two user accounts: maya and mini.
Add a group named webdeveloper and add both users to it. Create a directory webproject and view its default permissions.
When a user creates a file or directory, the shell automatically applies default ownership: the user who creates the object (file or directory) becomes the user owner, and the primary group of the user owner becomes the group owner of the object.
In this example user root (whose primary group is also root) created the directory webproject, so user root becomes the user owner and group root becomes the group owner.
Can you figure out what permissions users maya and mini have on directory webproject?
Since users maya and mini are neither the owner of the directory nor members of the owner's primary group, they are considered others, and other has --x permission on this directory. As we know, --x permission on a directory means they can navigate through it but cannot list or create content in it.
To change the ownership, the following command is used.
#chown [New-owner] [object]
In this command, New-owner is the name of the new user or group, and object is the name of the file or directory whose ownership we want to change.
Since the same command is used to change both user and group ownership, a dot (.) or colon (:) is placed in front of the group name.
Changing user ownership
Let's change the user ownership to user maya and test all permissions again from both users.
As we can see in the above output, user maya now has owner permissions while user mini still has other permissions.
Changing group ownership
Now change the group ownership to group webdeveloper and test all permissions again. To test the other permission, use any user account which is not a member of the group owner.
As we can see in the above output, being a member of the webdeveloper group, user mini got r-w permission on directory webproject this time.
Changing both user and group ownership with single command
We can specify both the user owner name and the group owner name in a single command.
There are two important rules to follow when updating both ownerships in a single command.
- Never put a space between the user owner name and the group owner name. If you do, the second name will be treated as an object (the name of a file or directory).
- Always put a dot (.) or colon (:) in front of the group name. If you omit it, the group owner name will be treated as a user owner name.
Changing ownership recursively
The -R option is used to change the ownership recursively.
chgrp command
If we only want to change the group ownership, we can also use the chgrp command instead of chown.
chgrp command syntax
#chgrp [New group name] [object]
Since this command changes only the group owner, it does not need any dot (.) or colon (:) in front of the group name.
This command also supports the -R option to change group ownership recursively.
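As an added example covering the chown and chgrp rules above (not code from the tutorial), the following Python script parses an ownership spec using the two separator rules, resolves names or numeric ids, and plans a recursive change the way chown -R would; apply_chown is the only step that touches the filesystem. The function names and the constructed webproject tree with numeric ids 1234:5678 are assumptions. chgrp webdeveloper object is the same as chown :webdeveloper object. The trailing-separator form (maya:), which makes the group the new owner's login group, is GNU chown behaviour not mentioned on this page. Applying a plan that changes the user owner requires root; an unprivileged owner can only change the group, and only to a group it belongs to.

```python
import os
import pwd
import grp
import tempfile


def parse_owner_spec(spec):
    """Split a chown-style ownership spec into (user, group).
    'maya' -> ('maya', None); 'maya:webdeveloper' or 'maya.webdeveloper' -> ('maya', 'webdeveloper');
    ':webdeveloper' -> (None, 'webdeveloper'). A space is rejected because chown would treat
    the second word as a file name (the first rule above)."""
    if " " in spec:
        raise ValueError("no space allowed between user and group: %r" % spec)
    # chown tries ':' first and falls back to '.', so a user name containing a dot still works with ':'.
    sep = ":" if ":" in spec else ("." if "." in spec else None)
    if sep is None:
        return spec, None
    user, group = spec.split(sep, 1)
    return (user or None, group or None)


def resolve_ids(spec):
    """Map a spec to (uid, gid); -1 means 'leave unchanged', the convention os.chown uses.
    Numeric ids are accepted as-is; names are looked up in passwd/group."""
    user, group = parse_owner_spec(spec)
    uid = gid = -1
    if user is not None:
        uid = int(user) if user.isdigit() else pwd.getpwnam(user).pw_uid
    if group is not None:
        gid = int(group) if group.isdigit() else grp.getgrnam(group).gr_gid
    elif user is not None and spec[-1] in ":.":
        # 'maya:' form (GNU chown): the group becomes the new owner's login group.
        gid = pwd.getpwuid(uid).pw_gid
    return uid, gid


def plan_chown(path, spec, recursive=False):
    """List the (path, uid, gid) changes chown would make; recursive=True walks the
    tree like chown -R. Nothing is changed on disk."""
    uid, gid = resolve_ids(spec)
    targets = [path]
    if recursive:
        for dirpath, dirnames, filenames in os.walk(path):
            targets.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    return [(t, uid, gid) for t in targets]


def apply_chown(plan):
    """Apply a plan with os.chown. Changing the user owner needs root; an unprivileged
    owner may only change the group, and only to one of its own groups."""
    for target, uid, gid in plan:
        os.chown(target, uid, gid)


def demo_plan():
    """Build a constructed webproject tree in a scratch directory and plan
    `chown -R 1234:5678 webproject` (numeric ids, so no accounts are needed)."""
    root = tempfile.mkdtemp()
    project = os.path.join(root, "webproject")
    os.mkdir(project)
    os.mkdir(os.path.join(project, "css"))
    open(os.path.join(project, "index.html"), "w").close()
    return plan_chown(project, "1234:5678", recursive=True)


if __name__ == "__main__":
    for target, uid, gid in demo_plan():
        print(f"chown {uid}:{gid} {target}")   # dry run: apply_chown(...) would need root
    # chgrp webdeveloper object is the same request as chown :webdeveloper object
    print(parse_owner_spec(":webdeveloper"))
```

Running the script prints the three planned changes (the directory, css and index.html) without modifying anything; pass the plan to apply_chown as root to carry it out.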
Key points
- Each file and directory in Linux has three permission levels which define how users can access it. These levels are user, group and others.
- Each permission level has three types of permission: read, write and execute. The permission type defines what a user can do with a particular object.
- The permission types set at each level for any object can be viewed with the ls -l command.
- The first field in the output of the ls -l command shows the mapping of permission levels and permission types.
- Permission levels and permission types are always mapped in the sequence user(rwx) group(rwx) other(rwx). If a level lacks a specific type of permission, a hyphen sign is shown in that place to indicate the missing permission.
- The same permission type has a different meaning for a file and for a directory.
- When we change the ownership of an object, all associated permissions change with it. Only the root user or the owner of that object can change the ownership.
- The chown command is used to change the ownership of a file or directory. It can change both user and group ownership.
- The chgrp command is also used to change the ownership of a file or directory. It changes only the group ownership; it cannot change the user ownership.
That's all for this part. In the next part of this article we will learn how to configure and manage file permissions step by step with examples.