The default file permissions structure in Linux is fairly simple, but more than adequate for most situations. For each file or folder, there are three permissions that can be granted, and three entities that they are granted to. The permissions are:
- Read permission means that data can be read from the file; it also means the file can be copied.
- Write permission means that the file or folder can be changed, appended, or deleted. For folders, it specifies whether a user can write to files in the folder.
- Execute permission means whether or not the user can run the file as a script or program. For folders, it determines whether or not the user can enter the folder and make it the current working directory.
These permissions can be granted to three entities:
- the owner (the user who owns the file or folder);
- the group (the single group assigned to the file or folder);
- others (everyone else).
Every file and folder acquires a single user designated as its owner when it is created on the system. It also has a single group designated as its group, by default the group to which the owner belongs. The permissions you grant to “others” affect everyone who isn’t the owner or in the group.
To view or change a file’s permissions, right-click the file and select “Properties”. Click the “Permissions” tab. Here you can view the permissions granted to the owner, group, and others entities. For files, you can check the box to make them executable, and for folders you can check a box to limit the deletion of files inside it to their owners (i.e. set the sticky bit). Alternatively, you can click “Advanced Permissions” and see the permissions grid for the file.
To view permissions on the command line, use “ls -l”. The -l switch will cause ls to list files in long format, displaying their permissions. You will see a listing like this:
-rwxr-xr-x 1 jdoe users 43321 2007-04-28 23:12 somefile.txt
The “-rwxr-xr-x” field shows the permissions for owner, group, and others (the leading “-” marks a regular file; a “d” there would mark a folder): the owner has read, write, and execute; the group has read and execute; others have read and execute. The owner in this case is “jdoe”, and the group is “users”.
To change the permissions of files and folders, the command chmod is used.
The command chmod is very flexible in terms of syntax, so you’ll see it used in a variety of ways. A few useful applications:
To remove all read/write/execute restrictions on a file:
chmod 777 filename
To make a file executable (needed for scripts that you’ve written or downloaded):
chmod +x filename
To make a program or script run with the privileges of its owner regardless of who runs it, i.e. with root privileges if root owns the file (be careful!):
chmod +s filename
To lock down a file so only the owner can do anything to it:
chmod 700 filename
To manage users and groups, the basic tool is MX User Manager (antiX MX) or [NEED NAME] (antiX).
If you need more advanced permissions options, you can use access control lists, which will enable you to specify permissions per user or group apart from the owner and owning group. The package acl is installed by default, and its use is pretty straightforward:
- Open the /etc/fstab file in a root text editor such as Leafpad.
- Select the partition you want to control, and modify its entry by adding “acl” to the options. For example, change this line:
/dev/sda3 /home ext3 defaults 0 0
to:
/dev/sda3 /home ext3 defaults,acl 0 0
Once you reboot, right-clicking a file or folder will show that the Permissions tab now has the option of adding any number of users or groups and specifying permissions for them, for any file or folder on the partition mounted with acl.
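The fstab edit in the second step, as an added example that is not part of the original page: a small awk filter that appends acl to the options field of one mount point and leaves every other line alone, so it can be re-run without producing “acl,acl”. It assumes a standard awk and the usual six-column fstab layout (device, mount point, type, options, dump, pass); the sample fstab text below is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the wiki page. Reads fstab text on stdin, writes
# the same text on stdout with "acl" added to the options of one mount point.

# add_acl_option MOUNTPOINT
# Comment lines and lines with fewer than four fields pass through untouched.
# An entry that already lists "acl" is printed unchanged, so the filter is
# safe to run more than once.
add_acl_option() {
    awk -v mp="$1" '
        /^[ \t]*#/ || NF < 4 { print; next }
        $2 == mp {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] == "acl") { print; next }
            $4 = $4 ",acl"
        }
        { print }
    '
}

# Constructed sample fstab used when the script is run directly.
sample_fstab() {
    printf '%s\n' \
        '# constructed fstab (not a real system file)' \
        '/dev/sda1 / ext3 defaults 0 1' \
        '/dev/sda3 /home ext3 defaults 0 0'
}

# Stand-alone run: show the rewritten sample, then prove a second pass is a no-op.
sample_fstab | add_acl_option /home
sample_fstab | add_acl_option /home | add_acl_option /home
```

On a real system run it against the live file as `add_acl_option /home < /etc/fstab > /tmp/fstab.new`, review the result, and only then copy it into place as root; `mount -o remount /home` applies the new option without the reboot mentioned above.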
There are three special permissions that can be set in addition to the nine above. They are setUID, setGID, and sticky.
- If the setUID permission is activated, the file will execute with the credentials of the owner, regardless of who executes it (for example, if a file is owned by root and setUID is on, anyone executing the file will do so with root credentials).
- If the setGID permission is activated, the file will execute with the credentials of the file’s group, regardless of whether the user executing it is in that group or not.
- The sticky bit means nothing on files; but on a folder, it specifies that only the owner (or root) of a file or subfolder may delete it, even if other users have write permissions on the folder.
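The chmod forms listed earlier and the three special bits just described, as one added example that is not part of the original page: the script applies each chmod command from the page to a scratch file and folder, reads the result back in the ten-character form that `ls -l` prints, and converts an rwx string to its octal value (with a leading 4/2/1 for setUID, setGID and sticky). It assumes a POSIX sh with chmod, ls, mktemp, cut and rm, which any antiX/MX install has; the scratch paths are created by the script itself.

```shell
#!/bin/sh
# Added example, not from the wiki page: chmod forms and special bits
# exercised on throw-away files, with the outcome read back via "ls -l".

# The 10-character type+permission field "ls -l" prints for a path, e.g.
# "-rwxr-xr-x". An ACL ("+") or SELinux (".") marker in column 11 is dropped.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# rwx_to_octal RWXSTRING -> octal mode, e.g. "rwxr-xr-x" -> 755.
# Each triplet adds r=4, w=2, x=1; a lowercase "s"/"t" in the x slot still
# counts as execute. setUID (owner "s"/"S"), setGID (group "s"/"S") and
# sticky (others "t"/"T") add a leading 4, 2 and 1, e.g. "rwsr-sr-x" -> 6755.
rwx_to_octal() {
    _p=$1
    _out=""
    for _start in 1 4 7; do
        _tri=$(printf '%s\n' "$_p" | cut -c"$_start"-$((_start + 2)))
        _n=0
        case $_tri in r??) _n=$((_n + 4));; esac
        case $_tri in ?w?) _n=$((_n + 2));; esac
        case $_tri in ??[xst]) _n=$((_n + 1));; esac
        _out="$_out$_n"
    done
    _sp=0
    case $_p in ??[sS]*)       _sp=$((_sp + 4));; esac
    case $_p in ?????[sS]*)    _sp=$((_sp + 2));; esac
    case $_p in ????????[tT])  _sp=$((_sp + 1));; esac
    [ "$_sp" -eq 0 ] && printf '%s\n' "$_out" || printf '%s%s\n' "$_sp" "$_out"
}

# Run the page's chmod commands on a scratch file and folder and return the
# five resulting permission strings, space separated, in this order:
#   chmod 777 f; chmod +x f (from 644); chmod 700 f; chmod +s f (from 755);
#   chmod 1777 dir (sticky bit on a folder).
demo_chmod() {
    _d=$(mktemp -d) || return 1
    _old_umask=$(umask)
    umask 022   # "+x" and "+s" with no u/g/o prefix are limited by the umask
    : > "$_d/f"
    mkdir "$_d/dir"

    chmod 777 "$_d/f";                    _r1=$(perm_string "$_d/f")
    chmod 644 "$_d/f"; chmod +x "$_d/f";  _r2=$(perm_string "$_d/f")
    chmod 700 "$_d/f";                    _r3=$(perm_string "$_d/f")
    chmod 755 "$_d/f"; chmod +s "$_d/f";  _r4=$(perm_string "$_d/f")  # bare +s sets setUID and setGID
    chmod 1777 "$_d/dir";                 _r5=$(perm_string "$_d/dir")

    umask "$_old_umask"
    rm -rf "$_d"
    printf '%s %s %s %s %s\n' "$_r1" "$_r2" "$_r3" "$_r4" "$_r5"
}

# Stand-alone run: print each result beside its octal value
# (the first character is the file type, so it is stripped before converting).
for _s in $(demo_chmod); do
    printf '%s  octal %s\n' "$_s" "$(rwx_to_octal "${_s#?}")"
done
```

Note how `chmod +s` from the page sets both the setUID and the setGID bit (the “s” appears in the owner and the group triplet), which is why the octal form comes out as 6755; `chmod u+s` would set only setUID.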