Controlling Access to
Your Files with Permissions and Owners
If you share a Linux (or Unix) system, you will undoubtedly have
private files that you want to keep private, as well as files that
you want to be public. You can control access to your files by
setting the permission flags and ownership for your files.
How to Tell What
Access Your Files Have
When we discussed using the ls command, you may
have been wondering about that gibberish in the first few columns
of the ls -l command (stuff like -rw, r--, and so
on). Here's an example of output from the ls -l
command showing the contents of a directory:
Permissions User Group Size Date Name
-rw-r----- 1 hermie users 64183 Feb 14 22:07 cow_info
-rw-r----- 1 hermie users 115032 Jan 06 11:14 dog_info
-rw-r--r-- 1 hermie users 248 Jan 16 09:18 pig_info
-rw-r--r-- 1 hermie users 45090 Mar 23 23:17 cat_info
-rwx--x--- 1 hermie users 45198 Jan 23 11:14 zippity
drwxr-x--- 1 hermie friends 1024 Feb 28 06:12 slugs
For each file you see listed a set of permissions; the owning
user; a group name; and the size, creation date, and name of the
file. We'll focus on the permission first by dissecting the
file-access permissions for the cow_info file.
Specifically, these permissions are shown in the string of
characters preceding the file in the first column:
-rw-r-----. Note that the permissions data is made
up of ten characters, each of which has meaning.
To understand how to read file permissions, let's start by
splitting apart those ten characters for
cow_info:
Directory? User's Access Group Access Others' Access
- r w - r - - r - -
| | | | | |
Readable ---+ | | | | +--- Not executable8pt">
Writable -----+ | | +----- Not writable8pt">
Not executable -----+ +------- Readable
The character in the first position, a hyphen (-), indicates
that this is a file and not a directory. Directories are marked
with a d, as in drwxr-x--- (this precedes the
directory slugs).
The next three characters (rw-) tell us whether
the file's owner (hermie) can read, write, and
execute the file. An r in the first position means that the file
can be read; a w in the second position means that the file can be
written to (updated); and an x in the third position means that the
file can be executed (run). In all three cases, if a hyphen appears
in place of an r, w, or x, that specific privilege is removed. For
example, rw- means that the file can be read and written to, but
not executed.
The next sets of three characters define read, write, and
execute access for the users in a particular group (the users
group, in this case), along the same lines as above. For example,
the characters r-- that appear in these positions
for cow_info tell us that the users group can read
this file but can't write to or execute it.
The final set of three characters--all hyphens, in this
case--defines access for those who are not the owner or in the
listed group. This one's easy: No one outside the listed group has
any kind of access to this file.
Note: Groups are a convenient way to give a set of users the
same access to a bunch of files. Only a superuser can add to or
remove users from groups. To find out what groups you belong to,
use the groups command.
In sum, access to the cow_info file is
controlled like so: The user (hermie) can read and update the file,
but cannot execute it. People in the users group can only read the
file, and everybody else on the system gets no access at all.
Here's another example:
-rwx--x--- 1 hermie
users 45198 Jan 23 11:14 zippity
The characters that precede the file name
zippity tell us that this file is readable,
writable, and executable by hermie; only members of the users group
can execute it; and others outside the users group have no access
to it.
Note: You can give execute permission to any file, but it
doesn't make sense to do so unless the file is actually a
program.
Look at the listing for slugs:
drwxr-x--- 1 hermie
friends 1024 Feb 28 06:12 slugs
You can see first that it's a directory (signified by the d in
the first position). User hermie has read and write access, which
in the case of a directory translates into the ability to list files and to
create and delete files. Hermie also has execute access, which in
the case of a directory means the ability to use
cd to change to it. Those in the friends group can
list files in the directory and use cd to make it
the current directory, but others have no access whatsoever to the
directory.
Note: Unless you are administering a large Unix system with
lots of users, groups are not very important. In these examples,
users is just the name of a group that all users belong to by
default in a Linux system. If your primary group is users, all
files you create will show that as the group name, unless you use
the chgrp command to change it. If you're curious,
use the man chgrp command to find
out more.