Permissions: Mode, User and Group Ownership

Documentation

Tune Permissions

• man -s 1 chmod

Change Ownership

• man -s 1 chgrp

• man -s 1 chown

Create and Modify Users and Groups

• man -s 8 useradd

• man -s 8 groupadd

• man -s 8 usermod

• man -s 8 groupmod

Owner and Permissions

Types of permissions

• Read (r)

• Write (w)

• Execute (x)

Separate permissions for …

• User (u): the owning user of the entry

• Group (g): the owning group of the entry

• Others (o): all others

A Simple Example

Teacher’s note: create that constellation (as root)

# groupadd team
# useradd --groups team --home-dir /home/teammember42 --create-home teammember42
# usermod --append --groups team jfasch
$ touch tasks.csv
$ chmod 664 tasks.csv
$ chgrp team tasks.csv

• Group team

• User jfasch, member (among possibly others) of group team

• User teammember42, also member of group team

• User manfromthestreet, not member of group team

The typical ls -l output:

$ ls -l tasks.csv
-rw-rw-r-- 1 jfasch team 396 Jun  8 14:49 tasks.csv

Three groups of “bits”: rw-, rw-, r--

Bits	Meaning
rw-	Read- and writable for owning user (jfasch)
rw-	Read- and writable for (members of) owning group (team)
r--	Readable for all others: those who are neither user jfasch nor belong to group team

First column (-) is irrelevant (it’s the type: regular file)

Permission Check: User

Can user jfasch write the file?

• Which triplet to check?

  • jfasch is the owner of the file

  • ⟶ The first triplet: rw-

• ⟶ yes, jfasch can write

• (likewise, jfasch will be able to read)

Permission Check: Group

Can user teammember42 write the file?

• Which triplet to check?

  • teammember42 is not jfasch ⟶ not the first triplet

  • Is teammember42 a member of group team?

    $ id teammember42
    uid=1001(teammember42) gid=1002(teammember42) groups=1002(teammember42),1001(team)
    

    • Answer: yes

    • ⟶ second triplet, rw-

• ⟶ yes, teammember42 can write

• (likewise, teammember42 will be able to read)

Permission Check: Others

Can user manfromthestreet read the file?

• Which triplet to check?

  • manfromthestreet is not jfasch ⟶ not the first triplet

  • Is manfromthestreet a member of group team?

    $ id manfromthestreet
    uid=1002(manfromthestreet) gid=1003(manfromthestreet) groups=1003(manfromthestreet)
    

    • Answer: no

    • ⟶ not the second triplet

  • ⟶ manfromthestreet is among the others

    • Third triplet, r--

    • ⟶ no, manfromthestreet cannot write

    • (manfromthestreet can read though)

Programs: Execute Permissions

What makes a file a program?

$ ls -l /bin/ls
-rwxr-xr-x ... /bin/ls

Facts …

• An executable file does not have to end with .exe to be executable

• … it simply is executable

Directory Permissions

$ ls -ld /etc
drwxr-xr-x 1 root root 4882 Mar 22 12:20 /etc

• Read permissions: content (list of names) is readable

• Execute permissions: to access a file (e.g. for reading), one has to have execute permissions on the parent directory and all directories along the path

• The right to cd into the directory

Permission Bits, octal

ls -l Output	Binary	Shell command
-rw-r--r--	110100100	chmod 0644 <path>
-rw-------	110000000	chmod 0600 <path>
-rwxr-xr-x	111101101	chmod 0755 <path>

Shell Commands: Tuning Permissions

• Permission modification (set to octal value, absolutely, the whole bitmask no matter what)

  $ ls -l /bin/script.sh
  -rw-rw-r-- 1 jfasch jfasch 612 Mar 23 18:39 script.sh
  $ chmod 755 /bin/script.sh
  -rwxr-xr-x 1 jfasch jfasch 0 Mar 23 18:39 script.sh
  

• Permission modification (differential symbolic)

  $ ls -l /bin/script.sh
  -rw-rw-r-- 1 jfasch jfasch 612 Mar 23 18:39 script.sh
  $ chmod u+x,g-w,g+x,o+x script.sh
  $ ls -l script.sh
  -rwxr-xr-x. 1 jfasch jfasch 0 Mar 23 18:42 script.sh
  

Shell Commands: Changing User/Group Ownership

• Group ownership modification (only root and members of the group can do this)

  $ chgrp team /tmp/file
  

• Ownership modification (only root)

  # chown jfasch /tmp/file
  

• chmod, chown, and chgrp understand -R for “recursive”.