Debian 8 file-system: File permissions and ownership

Introduction

File permissions and file ownership are very important subjects to keep in the back of your mind when administering computers running Linux. They play an important part in overall system security, especially when it comes to system files. This article should get you started on the basics of file permissions and file ownership. I assume you’ve read my previous article, as some directories and files that you created while practicing those instructions will be used here as well.

File permissions

Files and directories on a Linux file-system make use of file ownership and permission attributes. These determine who may do something to a file. Let’s first look at file permissions in practice. Fire up a terminal if you’re not already in one and head to our previously created directory folder-1. We have a file there with the name some-file; we will use this as our example file to work with.

Then enter the following ls command with the option -l. It should list the files in such a way that you can see the file permissions, file owner and file group. Let’s do this now.

It will return output like this. Let’s zoom in on it a bit to explain what it is.

You can see the first line starting with ‘drwxr-xr-x’ and the second line starting with ‘-rw-r--r--’. These are the file permissions and they are really important. You should always pay attention to these if something isn’t working as expected. Errors while writing to a file or deleting files usually occur because of these file permissions.

Let’s first take a look at this weird looking string of characters. This string is made up of four groups. The first character is a special character I will not go into for now. The following 9 characters are divided up into three groups. These are permissions for:

  • The owner of the file or folder
  • The group of the file or folder
  • All of the users with access to the system

Each of these groups has the same three permission types:

  • The right to read the file / directory
  • The right to write the file / directory
  • The right to execute the file / directory

The next bit, which in my example reads ‘phrozenbit phrozenbit’, shows which user and which group the file belongs to.

So you now understand that the directory folder-2 can be read, written to and executed by the owner, can be read and executed by users that are members of the group phrozenbit, and that anyone can read and execute the folder. Executing a folder means traversing into the folder, otherwise known as opening the folder.

You can see that the file some-file has different permissions. The owner can only read and write, members of the group phrozenbit can only read and everyone else can only read the file. Nobody has the right to execute the file since some-file isn’t the type of file that can be executed.

Of course you can change permissions and file ownership. Let’s play around with that a little. We can use our file some-file for that. First make sure you’re in the folder-1 directory, as that’s where some-file should be if you followed the other examples.

Now let’s view its file permissions specifically to find out the current state.

The above command returns the following text

Now that we’ve got some insight into what’s going on with some-file permission wise, it’s time to explain a little about how you can change file permissions and file owners. To change file permissions you should use the chmod program. You have to provide chmod with arguments in a certain format so first I’ll give some examples.

The very first argument should be the permission group. This determines whether you want to set a permission for the owner of the file, for members of the group, or for every user. These are the available permission groups:

  • u – user, permissions of the file owner
  • g – group, permission of group members
  • o – all, permissions of every user on the system

After providing chmod with a permission group you can then set or unset a permission. If you want to set a permission, you should prefix the permission type with a + symbol. If you want to unset a permission, you should prefix the permission type with a - symbol. These are the permission types:

  • r – Read permission
  • w – write permission
  • x – execute permission

So if, for example, we want to add write permissions for members of the group phrozenbit, we have to use chmod, tell it to set a group permission by supplying g as an argument, then tell chmod to add a permission by supplying the + symbol directly after the g, and then tell chmod to set the write permission by supplying the w permission code. Let’s do this now.

We have now set the group write permission on our file. Let’s verify (always verify anything, unless you use verbosity flags).

This should return a slightly different line of text as opposed to the previous permission check we did.

We can also unset this write permission, for example in the case that the group write permission was temporary. It’s almost the same instruction, but in this one we use the - symbol.

We just revoked the group write permission. We should again verify that the change actually occurred.

This returns the following text, and you should be familiar with this one because it’s back to the original permission state.

Experiment a little with this to get used to setting file permissions. If you’ve got a whole lot of files in some directory that all need the same permission change, you can do this recursively. It means that you can change the permissions of a directory and all the files in it. An example of this could be:

The -v option allows you to see what’s going on. This will produce a lot of output, which you can write to a file to examine later if anything went wrong. The -R option is the option that tells chmod to change file permissions recursively one level deep. It changes the permissions of every file inside that directory including the directory itself. The o-wx part tells chmod to remove the write and execute permissions from the ‘all’ permission group of every file in some-directory.
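The chmod steps from this section, replayed in a scratch directory as an added example (these are not the author's original commands). The helpers mode_of, make_scratch and demo are hypothetical names, notes.txt is a constructed sample file, and umask 022 is assumed so that the starting modes match the ones discussed above.

```shell
#!/bin/sh
# Added example: replays this section's chmod steps on throwaway files.
umask 022   # assumption: new files start as rw-r--r--, new directories as rwxr-xr-x

# Print the 10-character mode string (first column of `ls -l`) for one path.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Build scratch copies of folder-1/some-file and some-directory; print their parent.
make_scratch() {
    scratch=$(mktemp -d) || return 1
    mkdir "$scratch/folder-1" "$scratch/some-directory"
    : > "$scratch/folder-1/some-file"
    : > "$scratch/some-directory/notes.txt"         # constructed sample file
    chmod o+w "$scratch/some-directory/notes.txt"   # deliberately too open
    echo "$scratch"
}

# Run the sequence from the text and show the mode string after every step.
demo() {
    d=$(make_scratch) || return 1
    f="$d/folder-1/some-file"
    echo "start:     $(mode_of "$f")"
    chmod g+w "$f"                          # set group write
    echo "after g+w: $(mode_of "$f")"
    chmod g-w "$f"                          # unset group write again
    echo "after g-w: $(mode_of "$f")"
    chmod -v -R o-wx "$d/some-directory"    # -v reports each path it touched
    echo "directory: $(mode_of "$d/some-directory")"
    echo "notes.txt: $(mode_of "$d/some-directory/notes.txt")"
    rm -rf "$d"
}

demo
```

After the last step the third permission group keeps r on some-directory but loses x, so those users can still list the names inside it but can no longer enter it.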

File ownership

File ownership is a little less complicated than file permissions. Usually the ownership of a file is determined during creation of a file. The user that created the file through a command or some other program is the owner. There are however some circumstances that require you to change the ownership of a certain file or directory, especially when mounting hard-drives or USB-drives.

Mounting some storage device requires you to be root so initially every directory and file on that drive will have the user and group root as the owner. If you want to access the storage device using a normal account you’d have to change ownership of the folder you mount the storage device on to that username. I will explain mounting later because this subject is beyond the scope of this article.

Another example would be changing the ownership of web documents in the document root of a web-server. Usually these files are owned by root or another system username, but for the web-server software to be able to host the files on the web the files need to belong to the username and group that the web-server software needs to operate. In my case that would be user www-data in group www-data because I use Apache 2, but for other web-server software this could be different.

Again you can view the permissions and file ownership by issuing the following command:

The command will output text that looks like this:

You can see the ‘phrozenbit phrozenbit’ part of this line. The format of this is ‘user group’. Changing ownership of a file or directory isn’t really hard. If you want to change just the owner of a file or directory, which usually is sufficient, you issue the following instruction:

You should always verify that your instruction has done its job. You can also change the owner and the group at the same time by issuing the following command:

This changes the ownership completely. If you enter the original file owner in this instruction then only the group will change. You should be careful how and when you use this. Don’t change ownership of files that have root as default owner, as these are most likely system files. If you need to modify these files you should either use sudo, or log on with your root system account.

If you have a whole folder with a whole lot of files in it, you can use options to recursively change ownership of the folder and its contents in one run. You don’t need to go ahead and spend days changing the owner of a couple of hundred files manually. Use the -v -R options to do so. The -v option allows you to see what’s going on, which helps in verifying the change of ownership, and the -R option (mind the capital R here, case sensitivity) means ‘change ownership recursively one level deep’. Here’s what that looks like:

This will cause a whole lot of output but that’s alright; you could even write the output to a file to read it later if something went wrong. But that’s kind of beyond the scope of this tutorial, and I’ve already shown you how to write output to a file somewhere in this tutorial series.
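A pre-flight check and a verification around the recursive chown described above, as an added example rather than the author's own commands. The helpers owner_of, not_owned_by and safe_chown_tree are hypothetical names, the www/index.html tree is constructed, and the demo hands the tree to the current user so that it runs without root.

```shell
#!/bin/sh
# Added example: check a tree before `chown -v -R`, then verify the result.

# Print "uid:gid" of one path, read from the numeric form of `ls -l`.
owner_of() {
    ls -ldn "$1" | awk '{ print $3 ":" $4 }'
}

# List every entry under directory $1 that is NOT owned by user ID $2.
# Running this first shows whose files a recursive chown would take over.
not_owned_by() {
    find "$1" ! -user "$2"
}

# usage: safe_chown_tree DIR UID GID
# Refuse to touch a tree that contains root-owned entries (likely system
# files), unless root (uid 0) is the account the tree is being given to.
safe_chown_tree() {
    if [ "$2" != 0 ] && [ -n "$(find "$1" -user 0)" ]; then
        echo "refusing: root-owned entries under $1" >&2
        return 1
    fi
    chown -v -R "$2:$3" "$1"
}

# Constructed sample tree, handed to the current user and group.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/www"
    : > "$d/www/index.html"
    echo "before: $(owner_of "$d/www/index.html")"
    safe_chown_tree "$d" "$(id -u)" "$(id -g)"
    echo "after:  $(owner_of "$d/www/index.html")"
    echo "entries not owned by me: $(not_owned_by "$d" "$(id -u)" | wc -l)"
    rm -rf "$d"
}

demo
```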

Final notes

Be careful when changing file permission or file ownership attributes of files and directories, especially when doing so recursively. This article should provide you with a basic understanding of file permissions and file ownership; practice some to gain experience. My next article will be about preparing and mounting storage media. As always, thanks for reading.
