In Linux there are three permissions for any file or directory:
- r -> user can read the file (for a directory: list its contents)
- w -> user can write to the file (for a directory: create or delete entries in it)
- x -> user can execute the file (for a directory: enter it)
These permissions are further divided into three categories:
- owner: rwx permissions for the owner of the file or directory
- group: rwx permissions for the group assigned to the file or directory
- other: rwx permissions for everyone who is neither the owner nor a member of the assigned group
To understand file permissions better we have to visualize how users and groups work on our Linux system.
Let's say that you are a small IT company with a team of developers and DevOps engineers. Assume the following people fall into these two groups.
Now, you have a web application running on a Linux server and you want to give these people access to it. You also want to control your groups so that each group can only perform specific tasks on the server.
Let's assume that you have sudo access to this web server or that you log in as the root user. The first thing you will do is create the groups for your organization.
How to create a group in Linux?
To create a new group in Linux use the groupadd command. In our case we will create two groups called developers and devops with the commands shown below:
# create developers group
sudo groupadd developers
# create devops group
sudo groupadd devops
You can also create groups with specific group IDs. In that case, instead of the commands above, run the following:
# create developers group with GID 1000
sudo groupadd -g 1000 developers
# create devops group with GID 1010
sudo groupadd -g 1010 devops
Now that we have created the groups for our organization, we want to create the users for our web server and assign them to the appropriate groups.
How to create a user and assign a group to a user in Linux?
Let us create the different users and assign them the groups we created, using the following commands.
# OPTION-1: CREATE USER WITHOUT HOME DIR
# create john, brad and sandip users
sudo useradd john
sudo useradd brad
sudo useradd sandip
# OPTION-2: CREATE USER WITH HOME DIR
# create john, brad and sandip users
sudo useradd -m john
sudo useradd -m brad
sudo useradd -m sandip
# OPTION-3: CREATE USER WITH A DIFFERENT HOME DIR
# create john, brad and sandip users
sudo useradd -m -d /opt/john john
sudo useradd -m -d /opt/brad brad
sudo useradd -m -d /opt/sandip sandip
# OPTION-4: CREATE USER WITH A SPECIFIC USER ID
# create john, brad and sandip users
sudo useradd -u 1500 john
sudo useradd -u 1200 brad
sudo useradd -u 1210 sandip
# check the id of a user
id -u sandip
# add users to groups (-a appends to the supplementary group list, -G names the group)
sudo usermod -a -G devops john
sudo usermod -a -G developers brad
sudo usermod -a -G developers sandip
Above are different methods of creating users in Linux. In our case we want to create the users and, at the same time, add them to the specific groups we already created for them.
To do this, run the following commands instead of the ones above:
# OPTION-1: CREATE USER WITHOUT COMMENT
# create users john, brad and sandip and assign them a primary group (-g)
sudo useradd -m -g devops john
sudo useradd -m -g developers brad
sudo useradd -m -g developers sandip
# OPTION-2: CREATE USER WITH COMMENT
# create users john, brad and sandip, assign them a primary group
# and add a comment (-c) describing the account
sudo useradd -m -g devops -c "devops account" john
sudo useradd -m -g developers -c "developer account" brad
sudo useradd -m -g developers -c "developer account" sandip
How do file permissions work with users in Linux?
Now that we have created users in different groups we can do two things here:
- assign permissions to a group so that its users can only perform limited tasks when they log in
- assign permissions to a file or directory so that other users or groups cannot perform all actions on it
Let's say that user sandip is logged in to the web server and creates a new directory:
# create a new directory
mkdir test
# check the file type and permissions of this directory
ls -ld test/
# sample output from the above command
drwxr-xr-x 3 sandip programmer 96 5 Aug 11:39 test/
Let's understand what each field in the above output means: the first character is the file type (d for directory, - for a regular file), the next nine characters are the permissions (three rwx triplets for owner, group and other), then the number of links, the owner, the group, the size in bytes, the last modification time and finally the name.
In this tutorial we are only focusing on permissions, so let us look at how permissions are assigned to the created directory.
Looking at the permissions above you can see that the owner, in this case user sandip, has rwx permissions, i.e. full owner permissions.
The group has read and execute permissions but not write permission, i.e. r-x.
Others have read and execute permissions but not write permission, i.e. r-x.
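To make the mapping between the ls -ld string and the numeric form mechanical, here is an added example (not from the original tutorial) that converts a mode string such as drwxr-xr-x into the octal form later used with chmod and reports which of the three classes may write. The sample mode strings are constructed from the output above.

```shell
#!/bin/sh
# Added example: parse the permission field of "ls -l" output.

# Convert one three-character class (e.g. "r-x") to its octal digit.
# A lowercase "s" or "t" in the execute slot means execute is set
# together with setuid/setgid/sticky, so it counts as x here.
class_to_digit() {
    cls=$1
    n=0
    case "$cls" in r??) n=$((n + 4)) ;; esac
    case "$cls" in ?w?) n=$((n + 2)) ;; esac
    case "$cls" in ??x|??s|??t) n=$((n + 1)) ;; esac
    echo "$n"
}

# Convert a full mode string such as "drwxr-xr-x" or "-rw-r--r--"
# (file-type character followed by owner, group, other triplets) to octal.
# Any trailing "." or "+" that ls appends for SELinux/ACLs is ignored.
mode_to_octal() {
    perms=$(printf '%s' "$1" | cut -c2-10)
    o=$(printf '%s' "$perms" | cut -c1-3)
    g=$(printf '%s' "$perms" | cut -c4-6)
    a=$(printf '%s' "$perms" | cut -c7-9)
    echo "$(class_to_digit "$o")$(class_to_digit "$g")$(class_to_digit "$a")"
}

# Report which classes hold write permission. This is the quick check for
# why brad cannot create files in sandip's test/ directory (group is r-x),
# and for spotting directories that have been opened up to everyone.
who_can_write() {
    perms=$(printf '%s' "$1" | cut -c2-10)
    out=""
    case "$perms" in ?w???????) out="${out}owner " ;; esac
    case "$perms" in ????w????) out="${out}group " ;; esac
    case "$perms" in ???????w?) out="${out}other " ;; esac
    [ -n "$out" ] || out="nobody "
    printf '%s\n' "${out% }"
}

# Constructed inputs taken from the sample ls -ld output in the tutorial:
mode_to_octal "drwxr-xr-x"    # -> 755
who_can_write "drwxr-xr-x"    # -> owner
mode_to_octal "-rw-r--r--"    # -> 644
```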
If user brad logs in to the web server and goes to the test/ directory created by user sandip, he can do the following things in this specific directory:
- he cannot create a file in this directory because the group permissions are r-x for the developers group
- he can only read or execute files in this directory
Let's see what happens if user brad logs in to the web server and wants to create a file in this directory:
# log into the web server
ssh brad@remote-server-ip
# once logged in, go to the directory created by user sandip
cd /home/sandip/test
# try to create a file as user brad
touch test.txt
# you will get the following error
touch: cannot touch 'test.txt': Permission denied
To fix this permission issue for user brad you can add write permission for the developers group on this directory.
What is the chmod command in Linux?
In Linux the chmod command is used to change the permissions of a given file or directory. It accepts either symbolic notation (who, operator, permission) or numeric (octal) notation, and both are explained below.
To understand the chmod command, first learn the following operators:
| Operator | Meaning |
| + | add permissions on top of the existing permissions |
| - | remove permissions from the existing permissions |
| = | set exactly the given permissions, replacing the existing ones |
Next, we need to understand the following abbreviations for who the change applies to:
| Abbreviation | Meaning |
| u | stands for user, i.e. the owner of the file or directory |
| g | stands for group, i.e. the group assigned to the file or directory |
| o | stands for others, i.e. users who are neither the owner nor in the file's group |
| a | stands for all, i.e. all of the above |
Next, we need to understand the basic permission abbreviations and their numeric values:
| Abbreviation | Value | Meaning |
| r | 4 | read permission |
| w | 2 | write permission |
| x | 1 | execute permission |
The following table can be used for numeric permissions (one digit per class: owner, group, other):
| Digit | Binary | Permissions |
| 0 | 000 | No permissions |
| 1 | 001 | Execute permission only |
| 2 | 010 | Write permission only |
| 3 | 011 | Write and execute permissions only |
| 4 | 100 | Read permission only |
| 5 | 101 | Read and execute permissions only |
| 6 | 110 | Read and write permissions only |
| 7 | 111 | Read, write and execute permissions, i.e. all permissions |
Some examples of the chmod command
Check out the following commands, which help to understand the chmod command in detail:
# add execute permission on the file test.txt for the owner only
chmod u+x test.txt
# remove execute permission on the file test.txt for the owner only
chmod u-x test.txt
# allow read-only permission on the file test.txt for the owner only
chmod u=r test.txt
# allow write permission for all, i.e. owner, group and others, on the directory test/
chmod a+w test/
# allow read-only permission for all, i.e. owner, group and others, on the file test.txt
chmod a=r test.txt
# remove the read permission for "other" users from files that have a ".logs" extension
chmod o-r *.logs
# give read, write and execute permissions to the owner only
chmod 700 test/
# give read, write and execute permissions to everyone
chmod 777 test/
# give write and execute (3) permissions to the owner, write (2) to the group,
# and read, write and execute (7) to others
chmod 327 test/
To learn more about the chmod command, see its manual page (man chmod).
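Here is an added example (not from the original tutorial) that replays the brad/sandip situation in a scratch directory: it applies the tutorial's fix (group write rather than chmod 777), reads the resulting octal mode back, and then lists entries that are writable by others, which are the ones worth reviewing after commands like chmod a+w or chmod 777. It assumes GNU coreutils stat -c %a (Linux); on macOS the equivalent is stat -f %A.

```shell
#!/bin/sh
# Added example: apply the group-write fix and audit for world-writable entries.

# Octal mode of a path, e.g. 755 (GNU stat syntax, assumed here).
mode_of() {
    stat -c %a "$1"
}

# Start from the state shown in the tutorial's ls -ld output (drwxr-xr-x)
# and apply its fix: give the group write access so brad (a developers
# member) can create files, without opening the directory to everyone.
fix_group_write() {
    dir=$1
    chmod 755 "$dir"   # drwxr-xr-x, the state brad ran into
    chmod g+w "$dir"   # the tutorial's fix: group may now create files
    mode_of "$dir"     # -> 775
}

# List entries under a directory that are writable by "others" (the result
# of chmod o+w, a+w or 777). Every account on the host can modify these,
# so they are the entries to review. Symlinks are skipped: their own mode
# is always 777 and does not reflect the target.
world_writable() {
    find "$1" -perm -002 ! -type l
}

demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/test"
    : > "$tmp/test/app.conf"
    : > "$tmp/test/debug.logs"
    chmod 644 "$tmp/test/app.conf"
    chmod 777 "$tmp/test/debug.logs"   # the over-broad case from the examples
    fix_group_write "$tmp/test"         # prints 775
    world_writable "$tmp/test"          # prints only .../test/debug.logs
    rm -rf "$tmp"
}

demo
```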
What is the chown command in Linux?
If you want to change the ownership of a file or directory you can use the chown command. For example, let's say that user sandip, who is in the developers group, created a file called test.txt.
If you check the file permissions right after creating this file you will see the following:
-rw-r--r-- 1 sandip developers 0 5 Aug 11:39 test.txt
You can see that this file has owner=sandip and group=developers. Now, let's say that you want to change the ownership of this file.
You can log in as the root user or use sudo to change the ownership with the following command:
# command syntax
chown <user>:<group> <file or directory>
# change ownership of a single directory
chown john:devops test/
# change ownership of a directory and all files and folders inside it
chown -R john:devops test/
I hope you enjoyed this tutorial. If you have any questions about it, or you want to add or suggest an edit, please send me an email via the contact form. Thank you.