As Linux was designed to support many users on a system, permissions and ownership are in place to ensure that only authorized users can access certain files. This prevents general users from modifying system and administration-level files, keeps users from accessing other users’ private files, and makes it possible to let some users read a file while only one or a few can write to it. Two of the mechanisms that enforce this are Linux’s file ownership and permissions policies.
Every file in Linux (including directories) has an owning user and an owning group, along with read/write/execute flags that allow or deny each type of access to the owner, the owning group, and all other users respectively.
Finding Current File Ownership and Permissions
To list a file’s current ownership and permissions policies, the command ls -l can be used.
Supplying a file to the command with ls -l filename will output details about the file. These details include an indicator of the type of file it is, the read (r)/write (w)/execute (x) flags for the user, group, and other users, the number of links to the file, the size of the file, and the date the file was last modified.
$ ls -l filename
-rwxrw-r-- 1 foo bar 1024 Jan 1 00:00 filename
In this example, the file is owned by the user foo and the group bar. The user foo has read, write, and execute permissions, the group bar has read and write permissions, and any other users only have read access.
Simply running ls -l without supplying a filename will list the same output for all contents of the current directory.
If the file provided is actually a directory, the command will list the same output for all contents of that directory.
More information on the ls command can be found here, or with the use of the commands ls --help or man ls.
Changing File Ownership and Permissions
Because only the root user can change the ownership and permissions of a file in Linux, all of the following commands must be run as root or with sudo if logged in as any other user with sudo command permissions.
In Linux, when a file is created, ownership of the file defaults to the user who created it and that user’s primary group. Sometimes, though, the ownership of a file or directory must be changed. There are two useful commands for changing the user or group ownership of a file: chown and chgrp.
The command chown is used to modify the ownership of a file. The command chgrp is used to modify group ownership of a file. However, because chown can also modify group ownership, we will only be using chown in this guide. For more details and instructions on using chgrp, you can look here, or use the commands chgrp --help or man chgrp.
To use chown to change file ownership, simply supply the name of the user you want to transfer ownership to followed by which file you wish to transfer: chown user file
To change the group ownership, instead of a username, enter a : followed by the group name: chown :group file
To change both the user and group ownership at the same time, enter both the username and group name, with a : separating them: chown user:group file
You may also need to supply the command with one of its available argument options, depending on what is being changed.
For example, if changing the ownership of an entire directory, the -R option should also be supplied to run the command recursively, changing the ownership of the directory itself and all of its contents: chown -R user /full/path/of/file/or/directory
It is highly recommended to use the full path of the file or folder with this flag, and to have a solid understanding of absolute and relative paths, because a recursive change applied to the wrong path could have an adverse effect on your file system’s ownership.
Without this option, only the ownership of the directory itself would be updated, while the ownership of its contents would not.
More details, and a full list of the available options, for chown can be found here, or with the use of the commands chown --help or man chown.
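The caution about full paths with -R can be turned into a pre-flight check that shows where a relative path really points before anything is changed. This is an added example, not part of the original guide; the function names resolve_chown_target and plan_recursive_chown and the list of refused directories are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide). resolve_chown_target and its
# deny-list are hypothetical names chosen for illustration.

# Print the absolute, physical path a chown -R would start from, or fail.
resolve_chown_target() {
    target=$1
    if [ -z "$target" ] || [ ! -e "$target" ]; then
        echo "refusing: '$target' is empty or does not exist" >&2
        return 1
    fi
    if [ -d "$target" ]; then
        # cd + pwd -P collapses "..", "." and symlinked directories.
        abs=$(cd "$target" && pwd -P) || return 1
    else
        parent=$(cd "$(dirname "$target")" && pwd -P) || return 1
        abs=${parent%/}/$(basename "$target")
    fi
    # A short relative path typed in the wrong directory can land here.
    case $abs in
        /|/bin|/boot|/dev|/etc|/home|/lib|/lib64|/proc|/root|/sbin|/sys|/usr|/var)
            echo "refusing: $abs is a top-level system directory" >&2
            return 1 ;;
    esac
    printf '%s\n' "$abs"
}

# Build the command for review instead of running it (chown needs root).
# "user" is the same placeholder the guide uses.
plan_recursive_chown() {
    abs=$(resolve_chown_target "$2") || return 1
    printf 'chown -R %s %s\n' "$1" "$abs"
}

# Constructed demo: ".." typed inside uploads/ really means the site directory.
work=$(mktemp -d)
mkdir -p "$work/site/uploads"
( cd "$work/site/uploads" && plan_recursive_chown user .. )
( cd / && plan_recursive_chown user . ) || echo "blocked: . resolved to /"
rm -rf "$work"
```

The deny-list is a small constructed sample; on a real system, extend it with the directories that matter there.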
In Linux, the access permissions for a file are split between the user, group, and others. The user is the owner of the file, the group is the owning group of the file, and others is simply all other users. Each of these is then further split into what is basically a simple yes/no for each type of access: read, write, and execute. Read (r) means they can read data from the file, write (w) means they can write data to the file, and execute (x) means they can run the file as a program.
To change these permissions, the command chmod is available, with which there are two primary ways to adjust the permissions.
The first way is to enable or disable specific permissions for specific roles. To do this, you would run chmod and follow it with either u for adjusting user permissions, g for group permissions, or o for other users, then either a + or - to indicate adding or removing permissions, and finally either an r for read, w for write, or x for execution permissions. You can also combine the options for whose permissions to change and which permissions to change.
$ chmod u+x filename
$ chmod ug+rw filename
$ chmod o-r filename
In the example above, the first command gives execution permissions to the user that owns the file. The second command gives read and write permissions for both the user and group that own the file. And finally, the last example takes away read permissions for the file from all other users.
The second way to use chmod to change file permissions is to set all permissions at once using a number to represent all permissions. This number is a 3-digit number where the first digit represents the permissions for the user, the second digit represents the group permissions, and the last digit represents the permissions for other users.
The value for each digit is the sum of the numbers representing which permissions to enable for that role. The numbers representing each type of permission are as follows:
Read = 4
Write = 2
Execute = 1
This means that the number representing no permissions would be zero. Four would be just read, six would be read and write, seven would be all permissions, etc.
We then concatenate these numbers into our 3-digit number to represent all roles at once. For example, to give the user read and write access, the group only read access, and other users no access, the number to represent that would be 740.
$ chmod 000 filename
$ chmod 777 filename
$ chmod 600 filename
$ chmod 505 filename
In the example above, the first command sets all roles to have no permissions, the second command gives all roles all permissions, the third gives read and write access to only the user, and the last command gives read and execute permissions to both the user and other users.
More details and options available for chmod can be found here, or with the use of the commands chmod --help or man chmod.
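The numeric scheme can be checked against what ls -l prints, and the "other users" write bit can be searched for after a broad chmod. The following is an added example, not part of the original guide; the function names are made up for illustration, and it only touches scratch files it creates with mktemp.

```shell
#!/bin/sh
# Added example (not from the original guide). Function names are hypothetical.

# Convert the permission string printed by ls -l (e.g. -rwxrw-r--) to the
# 3-digit number chmod accepts, using read=4, write=2, execute=1.
# Special bits (setuid, setgid, sticky) are outside the guide and ignored.
mode_to_octal() {
    perms=$(printf '%s' "$1" | cut -c2-10)    # drop the file-type character
    [ "${#perms}" -eq 9 ] || return 1
    out=
    for start in 1 4 7; do                    # user, group, other
        triplet=$(printf '%s' "$perms" | cut -c"$start"-"$((start + 2))")
        digit=0
        case $triplet in r??) digit=$((digit + 4)) ;; esac
        case $triplet in ?w?) digit=$((digit + 2)) ;; esac
        case $triplet in ??x) digit=$((digit + 1)) ;; esac
        out=$out$digit
    done
    printf '%s\n' "$out"
}

# Apply a numeric mode to a scratch file, then read it back through ls -l.
roundtrip() {
    f=$(mktemp) || return 1
    chmod "$1" "$f"
    listed=$(ls -l "$f" | cut -c1-10)
    rm -f "$f"
    printf '%s %s %s\n' "$1" "$listed" "$(mode_to_octal "$listed")"
}

# List regular files under a directory that "other" users may write to
# (the 2 in the last digit), a common thing to check after a broad chmod.
list_other_writable() {
    find "$1" -type f -perm -0002
}

# The four modes from the guide's chmod example, plus its ls -l example.
for mode in 000 777 600 505; do roundtrip "$mode"; done
mode_to_octal "-rwxrw-r--"
```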