We are going to talk about the traditional Linux permissions, and our goal is to help the administrator understand and manage them, which is going to be part of your daily tasks when managing Linux workloads. This topic is also a requirement for those studying for Linux certifications such as Red Hat Certified System Administrator (RHCSA) and Linux Foundation Certified System Administrator (LFCS).
Understanding the permissions structure in Linux
When managing Linux permissions, the administrator should be able to identify, in a single glance, the type of object and the permissions associated with the user owner, the group, and others.
In the image depicted below, we have the output of the ls -la command on a folder that we created using the root user. We created a directory called ap6 at the root of the file system, added three folders, and created a couple of files.
The first step is to be able to understand all the information being provided. It starts with the first column. Usually, it has 11 characters, and they give a bunch of information to the trained eye.
The first letter indicates the type of the object in the file system. Common varieties are d (a directory), - (a dash, which represents a regular file), and l (a link).
Then, we have three sets of three characters that represent the permissions associated with the user owner, the group, and others. We are going to cover that in detail in our next section, so hold that thought!
The remaining character of the group (represented by the period in the previous image) defines whether the current folder/file has an Access Control List enabled on it. (We will discuss this topic in a separate article, so stay tuned!)
In the third and fourth columns, we have the user owner and the group associated with the object being listed.
Reading and understanding the current permissions
This portion may not look intuitive, but it is easy to memorize and, more importantly, to understand all those fields once you understand the logic behind them.
After the first character in the first column, we have nine characters, and they define all the necessary permissions of any given object. The first three characters of this group are associated with the user owner, the other three are associated with the group owner, and the remaining three are associated with others.
The permissions are represented in two ways. We can use letters, which is called the symbolic representation: r (read), w (write), and x (execute). They can also be represented with numbers, where read has the value of four, write has the value of two, and execute has the value of one; this representation is called octal. Both are valid, and we will use them interchangeably.
The image below is my attempt to summarize what we have learned so far and how the pieces connect to each other. It shows a default folder created in Linux.
Understanding the primary group role in Linux permissions
Now that we understand how to read permissions, we are going to practice with a real-world scenario of how the entire process works.
First, logged in as root or as a user with enough privileges, we will create a user called number6 and set a password for it. We will also create a group called TheVillage.
useradd number6
passwd number6
id number6
groupadd TheVillage
Logged in as number6, we can go inside our /ap6 folder and its subfolders and read the files. Why? Because the others permission is set to r-x (read and execute, or 5).
Still logged in as number6, we are going to create a new folder and a new file in a temporary location.
mkdir /tmp/number6
touch /tmp/number6/firstfile.txt
ls -la /tmp/number6
logout
Now, logged in as root, we will change the primary group of number6 to TheVillage. We can do that by running usermod -g TheVillage number6.
Time to log back in as number6 and execute the commands below. The result is depicted in the image that follows: the two files have different groups, because a new file's group is taken from the primary group of the user creating it at that moment.
cd /tmp/number6
touch second-file.txt
pwd
ls -la
To manage Linux permissions, we can use the chmod command using either symbolic or octal methods. We are going to perform some actions to analyze the permissions applied and the impact on the end-users when trying to use the resources.
chmod is simple to use. Here are a few examples to get you up to speed:
- chmod u+rwx file.txt, it will add read, write and execute permissions to the user owner (first set of three characters)
- chmod g+wx file.txt, it will add write and execute permissions to the group
- chmod a+r file.txt, it will add read permission to all (user owner, group and other)
- chmod 754 file.txt, it will set the permissions to read/write/execute for the owner, read/execute for the group, and read for others
The first exercise is to check the permissions of the ap6 folder. Since we are inside the folder, we will run ls -la / | grep ap6 to get an understanding of its permissions. Then, we will list the permissions of the files underneath the ap6 folder. Finally, we will remove all permissions from others on the index.html file, and set read and write for others on the README.md file.
Now, logged in as number6, we will perform a series of tasks (the picture below has the output of all the commands), and the table below shows the result of each operation and why we get that result.
|Task|Result|Why|
|---|---|---|
|Create a new folder in the /ap6 folder|Fail|The owner and group are root and root. Others, which is the class number6 falls into, only have read and execute.|
|Read the index.html content using cat /ap6/index.html|Fail|The same issue as above, but in this case others do not have a single permission.|
|Read the content of the /ap6/README.md file|SUCCESS|Others have permission to read and write that file, so both reading and writing succeed.|
|Write content to the /ap6/README.md file|SUCCESS|Same as above.|
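As an added example (not code from the article), here is a small Python model of the rules covered so far: it parses ls -la output into its fields, converts the symbolic triplets to octal, and reproduces the table above by working out which triplet (owner, group, or others) applies to number6. The listing is constructed, not captured output, and the model covers plain mode bits only.

```python
from typing import NamedTuple

class Entry(NamedTuple):
    kind: str   # 'd' directory, '-' regular file, 'l' symbolic link
    mode: str   # the nine permission characters, e.g. 'rwxr-xr-x'
    owner: str  # user owner (third column of ls -la)
    group: str  # group owner (fourth column of ls -la)
    name: str

# Constructed listing, not captured output: /ap6 as the article leaves it after
# removing all "others" permissions from index.html and giving others rw on README.md.
SAMPLE_LS = """\
total 20
drwxr-xr-x. 5 root root 4096 Jan  1 10:00 .
-rwxr-x---. 1 root root  512 Jan  1 10:00 index.html
-rw-r--rw-. 1 root root  128 Jan  1 10:00 README.md
"""

def parse_ls(text):
    """Turn ls -la lines into Entry records; the 'total' line is skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 8)  # mode links owner group size month day time name
        if len(parts) < 9 or parts[0][0] not in "-dl":
            continue
        first = parts[0]  # e.g. 'drwxr-xr-x.'; an 11th character may follow the nine bits
        entries.append(Entry(first[0], first[1:10], parts[2], parts[3], parts[8]))
    return entries

def to_octal(mode):
    """Symbolic to octal: 'rwxr-xr--' -> '754' (r=4, w=2, x=1 within each triplet)."""
    return "".join(str(sum(v for c, v in zip(mode[i:i + 3], (4, 2, 1)) if c in "rwx"))
                   for i in range(0, 9, 3))

def applicable_triplet(entry, user, user_groups):
    """Linux picks exactly one class, in this order: owner, then group, then others.
    The owner gets the owner triplet even when the group triplet is more generous."""
    if user == entry.owner:
        return entry.mode[0:3]
    if entry.group in user_groups:
        return entry.mode[3:6]
    return entry.mode[6:9]

def can(entry, user, user_groups, action):
    """action is 'read', 'write' or 'execute'. Plain mode bits only: root's override,
    ACLs and the special bits (setuid, setgid, sticky) are outside this model."""
    bit = {"read": "r", "write": "w", "execute": "x"}[action]
    return bit in applicable_triplet(entry, user, user_groups)

def can_create_in(directory, user, user_groups):
    """Creating a file or folder needs write AND execute (traverse) on the directory."""
    return (directory.kind == "d"
            and can(directory, user, user_groups, "write")
            and can(directory, user, user_groups, "execute"))
```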
Now that we know how to manage permissions and can accommodate some business requirements (not all of them) by setting up security properly, we need to cover the process of changing the owner and group of any given object.
We can use the chown command, which takes the owner, the group, and the object as parameters. For example, chown number6:TheVillage file.txt changes file.txt to have number6 as its user owner and TheVillage as its group.
Manage permissions in Linux: Much more to come
Have we covered all there is to managing permissions in Linux? Of course not! There are a lot of small features/functionalities still to be covered, such as umask, Set Group ID, Sticky Bit, setgid, and setuid, to mention a few. We are going to cover some of them in small chunks as blog posts here at TechGenix. For now, we have covered what it takes to understand basic Linux permissions and which commands we can use to manage them.