Linux File Permissions: A Beginner’s Guide for DevOps Engineers | Day 6 of 90DaysOfDevOps

Ajit Fawade
13 min read · Jul 23, 2023


Linux is a powerful and versatile operating system that allows multiple users to work on the same server simultaneously without disrupting each other. However, this also poses a risk of exposing confidential information or losing data if other users access your files or directories without your permission. 😱

To prevent this, Linux has a built-in feature to specify how much power each user has over a given file or directory. This feature is called file permissions. 🛡️

In this blog post, you will learn:

  • How Linux organizes files and directories in a hierarchical structure
  • How to use basic symbols and commands to interact with files and directories
  • How to identify different file types and their attributes
  • How to view and change file permissions using numeric and symbolic methods
  • How to use special permissions such as SUID, SGID, and the sticky bit
  • How to use Access Control List (ACL) to fine-tune file permissions

By the end of this post, you will have a solid understanding of Linux file permissions and why they are important for DevOps engineers. 🚀

Linux File Structure

Linux organizes files and directories in a hierarchical structure, starting from the root directory /. The root directory contains several subdirectories, each with a specific purpose and function. Here are some of the common subdirectories and their descriptions:

  • /bin: Contains binary executable files that are essential for the system to run, such as ls, cp, mv, etc.
  • /boot: Contains files needed for booting the system, such as the kernel image and the boot loader.
  • /dev: Contains device files that represent hardware devices, such as disks, keyboards, mice, etc.
  • /etc: Contains configuration files for the system and various applications, such as /etc/passwd, /etc/hosts, etc.
  • /home: Contains the home directories of regular users, where they can store their personal files and settings.
  • /lib: Contains library files that are needed by the binary files in /bin and /sbin.
  • /media: Contains mount points for removable media, such as CDs, DVDs, USB drives, etc.
  • /opt: Contains optional software packages that are not part of the standard distribution.
  • /proc: Contains virtual files that provide information about the system processes and kernel parameters.
  • /root: Contains the home directory of the superuser or root user, who has complete control over the system.
  • /sbin: Contains binary executable files that are used for system administration, such as fdisk, ifconfig, mount, etc.
  • /tmp: Contains temporary files that are created and deleted by various programs.
  • /usr: Contains user-related programs and data, such as applications, games, documentation, etc.
  • /var: Contains variable data that changes frequently, such as logs, caches, spools, etc.

You can use the ls command to list the contents of any directory. For example, to see what’s inside the root directory, you can type:

ls /

You can also use the -l option to see more information about each file or directory in a long listing format. For example:

ls -l /etc

Basic Symbols in Linux

To interact with files and directories in Linux, you need to know some basic symbols and what they mean. Here are some of the common symbols and their descriptions:

  • .: Represents the current working directory. You can use it to refer to files or directories in your current location. For example, ./script.sh means run the script.sh file in the current directory.
  • ..: Represents the parent directory of the current working directory. You can use it to move up one level in the hierarchy. For example, cd .. means change the current working directory to its parent directory.
  • ~: Represents your home directory. You can use it to quickly access your personal files and settings. For example, cd ~ means change the current working directory to your home directory.
  • /: Represents the root directory or the top of the hierarchy. You can use it to specify absolute paths that start from the root directory. For example, /etc/passwd means the passwd file in the etc subdirectory of the root directory.
  • -: Represents the previous working directory. You can use it to switch back to where you were before. For example, cd - means change the current working directory to the previous one.

File Types in Linux

In Linux, everything is a file. However, there are different types of files that have different attributes and functions. You can identify the type of a file by looking at the first character of its permission string in the long listing format. Here are some of the common file types and their symbols:

  • -: Represents a regular file that contains data, such as text, images, audio, video, etc.
  • d: Represents a directory that contains other files or directories.
  • l: Represents a symbolic link that points to another file or directory.
  • c: Represents a character device file that represents a hardware device that transfers data byte by byte, such as a keyboard, mouse, printer, etc.
  • b: Represents a block device file that represents a hardware device that transfers data in blocks, such as a disk, CD-ROM, USB drive, etc.
  • s: Represents a socket file that facilitates communication between processes, such as a web server and a web browser.
  • p: Represents a pipe file that facilitates communication between processes using a FIFO (first in first out) method.

You can use the file command to get more information about the type and content of a file. For example:

file /bin/ls

File Permissions in Linux

File permissions in Linux control the access level that the system processes and users have to files and directories. This ensures that only authorized users and processes can access specific files and directories.

File permissions are grouped into three categories: user, group, and others.

  • User permissions apply only to the owner of the file or directory. They determine what actions the owner can perform on the file or directory.
  • Group permissions apply only to the group that has been assigned to the file or directory. They determine what actions the members of the group can perform on the file or directory.
  • Others permissions apply to all other users on the system. They determine what actions anyone else can perform on the file or directory.

For each category, there are three types of permissions: read, write, and execute.

  • Read permission allows you to view or copy the content of a file or list the content of a directory.
  • Write permission allows you to modify or delete the content of a file or create or remove files or directories within a directory.
  • Execute permission allows you to run a file as a program or enter a directory.

You can view the permissions of a file or directory by using the ls -l command. The output will show a string of 10 characters at the beginning of each line. The first character indicates the type of the file, and the next nine characters indicate the permissions for each category.

For example:

ls -l /bin/ls

The output shows:

-rwxr-xr-x 1 root root 133792 Jan 18  2018 /bin/ls

This means that:

  • The type of the file is -, which means it is a regular file.
  • The user permissions are rwx, which means the owner (root) can read, write, and execute the file.
  • The group permissions are r-x, which means the members of the group (root) can read and execute the file, but not write to it.
  • The others permissions are r-x, which means anyone else can read and execute the file, but not write to it.

Numeric Method

One way to change the permissions of a file or directory is to use the numeric method. This method uses numbers from 0 to 7 to represent the permissions for each category.

Each number is a combination of read (4), write (2), and execute (1) permissions. For example:

  • 0 means no permission
  • 1 means execute only
  • 2 means write only
  • 3 means write and execute
  • 4 means read only
  • 5 means read and execute
  • 6 means read and write
  • 7 means read, write, and execute

To change the permissions of a file or directory using the numeric method, you need to use the chmod command, followed by three numbers that represent the permissions for the user, group, and others categories, respectively. For example:

chmod 755 file1

This means change the permissions of file1 to:

  • 7 for the user, which means read, write, and execute
  • 5 for the group, which means read and execute
  • 5 for the others, which means read and execute

You can also use the -R option to change the permissions of a directory and all its contents recursively. For example:

chmod -R 755 dir1

This means change the permissions of dir1 and all its files and subdirectories to:

  • 7 for the user, which means read, write, and execute
  • 5 for the group, which means read and execute
  • 5 for the others, which means read and execute

Symbolic Method

Another way to change the permissions of a file or directory is to use the symbolic method. This method uses symbols to represent the categories and the types of permissions.

The symbols for the categories are:

  • u for user
  • g for group
  • o for others
  • a for all (user, group, and others)

The symbols for the types of permissions are:

  • r for read
  • w for write
  • x for execute

The symbols for the operators are:

  • + for adding permissions
  • - for removing permissions
  • = for setting permissions

To change the permissions of a file or directory using the symbolic method, you need to use the chmod command, followed by one or more expressions that specify the category, operator, and type of permission. For example:

chmod u+x file1

This means add execute permission (+x) to the user (u) of file1.

You can also use commas to separate multiple expressions. For example:

chmod u+rwx,g+rx,o-rwx file1

This means:

  • Add read, write, and execute permissions (+rwx) to the user (u) of file1.
  • Add read and execute permissions (+rx) to the group (g) of file1.
  • Remove read, write, and execute permissions (-rwx) from the others (o) of file1.

You can also use the -R option to change the permissions of a directory and all its contents recursively. For example:

chmod -R u+rwx,g+rx,o-rwx dir1

This means change the permissions of dir1 and all its files and subdirectories to:

  • Read, write, and execute for the user (u+rwx)
  • Read and execute for the group (g+rx)
  • No permission for the others (o-rwx)
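As an added example, not from the original post, the bash script below shows a caveat of chmod -R with a numeric mode: 755 marks every data file in the tree executable. The symbolic form with a capital X grants execute only to directories and to files that are already executable, so the tree ends up 750 for directories and 640 for plain files. It assumes GNU coreutils (stat -c) and a writable temp directory.

```shell
#!/usr/bin/env bash
# chmod -R with a numeric mode versus the symbolic "X" (capital x), which
# adds execute only to directories and to files that already had it.
# Runs in a throw-away directory created with mktemp; needs GNU stat.
set -e

# Build a small constructed tree: dir1/ containing a data file and a subdir.
make_tree() {
    local root
    root=$(mktemp -d)
    mkdir "$root/dir1" "$root/dir1/sub"
    printf 'db_password=example\n' > "$root/dir1/config.txt"
    chmod 600 "$root/dir1/config.txt"      # owner-only data file
    printf '%s\n' "$root"
}

# Octal mode of a path, e.g. "640" (GNU coreutils stat).
mode_of() { stat -c '%a' "$1"; }

# Apply one chmod -R mode to dir1 and report "<file mode>,<subdir mode>".
apply_and_report() {
    local root=$1 mode=$2
    chmod -R "$mode" "$root/dir1"
    printf '%s,%s\n' "$(mode_of "$root/dir1/config.txt")" \
                     "$(mode_of "$root/dir1/sub")"
}

# Numeric form: every entry, including config.txt, ends up 755.
recursive_numeric() {
    local root
    root=$(make_tree)
    apply_and_report "$root" 755
    rm -rf "$root"
}

# Symbolic form with X: the subdir becomes 750, config.txt stays
# non-executable at 640.
recursive_symbolic_X() {
    local root
    root=$(make_tree)
    apply_and_report "$root" u=rwX,g=rX,o=
    rm -rf "$root"
}

echo "chmod -R 755           -> file,sub = $(recursive_numeric)"     # 755,755
echo "chmod -R u=rwX,g=rX,o= -> file,sub = $(recursive_symbolic_X)"  # 640,750
```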

Special Permissions in Linux

In addition to the regular permissions, there are also some special permissions that can be applied to files or directories in Linux. These are:

  • SUID (Set User ID): This permission allows a file to be executed as if it was run by its owner, regardless of who actually runs it. This is useful for programs that need to access privileged resources or perform privileged tasks. For example, the /bin/passwd program has SUID permission so that it can modify the /etc/passwd file when a user changes their password.
  • SGID (Set Group ID): This permission allows a file to be executed as if it was run by its group, regardless of who actually runs it. This is useful for programs that need to access shared resources or perform shared tasks within a group. For example, some games have SGID permission so that they can update a common scoreboard file when a user scores points.
  • Sticky Bit: This permission prevents users from deleting or renaming files or directories that they do not own within a directory. This is useful for directories that are shared by multiple users, such as /tmp, where users can create temporary files but not delete or rename other users’ files.

You can view the special permissions of a file or directory by using the ls -l command. The output will show a special character in place of the execute bit for the user, group, or others category. Here are the symbols and their meanings:

  • s: Represents SUID or SGID permission with execute permission
  • S: Represents SUID or SGID permission without execute permission
  • t: Represents sticky bit permission with execute permission
  • T: Represents sticky bit permission without execute permission

For example:

ls -l /bin/passwd

The output shows:

-rwsr-xr-x 1 root root 54256 Jan 18  2018 /bin/passwd

This means that:

  • The type of the file is -, which means it is a regular file.
  • The user permissions are rws, which means the owner (root) can read, write, and execute the file, and the file has SUID permission.
  • The group permissions are r-x, which means the members of the group (root) can read and execute the file, but not write to it.
  • The others permissions are r-x, which means anyone else can read and execute the file, but not write to it.
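As an added example that is not part of the original post, these bash functions convert between the 10-character ls -l mode string and the four-digit octal form chmod accepts, covering the s/S/t/T markers listed above; they need only bash built-ins.

```shell
#!/usr/bin/env bash
# Translate between the ls -l mode string ("-rwsr-xr-x") and the four-digit
# octal used with chmod ("4755"), including the s/S/t/T special markers.

# mode_to_octal "-rwsr-xr-x" -> 4755 ; first digit = SUID(4)+SGID(2)+sticky(1)
mode_to_octal() {
    local mode=$1 special=0 octal="" i triad c digit
    [ ${#mode} -eq 10 ] || { printf 'bad mode string: %s\n' "$mode" >&2; return 1; }
    for i in 1 4 7; do                    # offsets of user, group, others triads
        triad=${mode:$i:3}
        digit=0
        if [ "${triad:0:1}" = r ]; then digit=$((digit + 4)); fi
        if [ "${triad:1:1}" = w ]; then digit=$((digit + 2)); fi
        c=${triad:2:1}
        case $c in x|s|t) digit=$((digit + 1)) ;; esac   # lowercase: x bit is set
        case $c in
            s|S) if [ $i -eq 1 ]; then special=$((special + 4)); fi   # SUID
                 if [ $i -eq 4 ]; then special=$((special + 2)); fi ;; # SGID
            t|T) special=$((special + 1)) ;;                           # sticky
        esac
        octal+=$digit
    done
    printf '%s%s\n' "$special" "$octal"
}

# octal_to_mode 4755 -> rwsr-xr-x (nine characters; accepts 3 or 4 digits)
octal_to_mode() {
    local oct=$1 special=0 out="" i d sbit x
    if [ ${#oct} -eq 4 ]; then special=${oct:0:1}; oct=${oct:1}; fi
    [ ${#oct} -eq 3 ] || { printf 'bad octal mode: %s\n' "$1" >&2; return 1; }
    for i in 0 1 2; do
        d=${oct:$i:1}
        sbit=$(( (special >> (2 - i)) & 1 ))   # SUID, SGID, sticky for triad i
        x=$(( d & 1 ))
        if [ $((d & 4)) -ne 0 ]; then out+=r; else out+=-; fi
        if [ $((d & 2)) -ne 0 ]; then out+=w; else out+=-; fi
        if [ $sbit -eq 1 ] && [ $i -eq 2 ]; then     # others triad: t / T
            if [ $x -eq 1 ]; then out+=t; else out+=T; fi
        elif [ $sbit -eq 1 ]; then                    # user/group triad: s / S
            if [ $x -eq 1 ]; then out+=s; else out+=S; fi
        else
            if [ $x -eq 1 ]; then out+=x; else out+=-; fi
        fi
    done
    printf '%s\n' "$out"
}

echo "$(mode_to_octal -rwsr-xr-x)  $(octal_to_mode 1777)"   # 4755  rwxrwxrwt
```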

Numeric Method

To change the special permissions of a file or directory using the numeric method, you need to use a fourth number before the three numbers that represent the regular permissions. The fourth number is a combination of SUID (4), SGID (2), and sticky bit (1) permissions. For example:

  • 0 means no special permission
  • 1 means sticky bit only
  • 2 means SGID only
  • 3 means SGID and sticky bit
  • 4 means SUID only
  • 5 means SUID and sticky bit
  • 6 means SUID and SGID
  • 7 means SUID, SGID, and sticky bit

To change the special permissions of a file or directory using the numeric method, you need to use the chmod command, followed by four numbers that represent the special and regular permissions. For example:

chmod 4755 file1

This means change the permissions of file1 to:

  • 4 for the special permission, which means SUID only
  • 7 for the user, which means read, write, and execute
  • 5 for the group, which means read and execute
  • 5 for the others, which means read and execute

You can also use the -R option to change the permissions of a directory and all its contents recursively. For example:

chmod -R 2755 dir1

This means change the permissions of dir1 and all its files and subdirectories to:

  • 2 for the special permission, which means SGID only
  • 7 for the user, which means read, write, and execute
  • 5 for the group, which means read and execute
  • 5 for the others, which means read and execute

Symbolic Method

To change the special permissions of a file or directory using the symbolic method, you pair a category with one of two extra permission symbols, s and t, instead of r, w, or x:

  • u+s for SUID
  • g+s for SGID
  • o+t (or simply +t) for the sticky bit

As before, you use the chmod command, followed by one or more expressions that specify the category, operator, and special permission symbol. For example:

chmod u+s file1

This means add SUID permission (+s) to the user (u) of file1.

You can also use commas to separate multiple expressions. For example:

chmod u+s,g+s,o+t file1

This means:

  • Add SUID permission (+s) to the user (u) of file1.
  • Add SGID permission (+s) to the group (g) of file1.
  • Add sticky bit permission (+t) to the others (o) of file1.

You can also use the -R option to change the permissions of a directory and all its contents recursively. For example:

chmod -R g+s,o+t dir1

This means, for dir1 and all its files and subdirectories:

  • Add SGID permission (+s) to the group (g)
  • Add sticky bit permission (+t) to the others (o)

Access Control List in Linux

Access Control List (ACL) is a feature that allows you to fine-tune file permissions in Linux beyond the regular permissions. With ACL, you can grant or deny specific permissions to specific users or groups for a file or directory.

To use ACL, your file system must support it and have it enabled. One way to check is to run the mount command and look for the acl option in the output. For example:

mount | grep acl

The output shows:

/dev/sda1 on / type ext4 (rw,relatime,acl)

This means that the / file system is mounted with the acl option enabled. On current kernels, ext4 and XFS support ACLs by default, so the option is often not listed in the mount output even though ACLs work; if getfacl and setfacl succeed on a file, ACL support is present.

To view the ACL of a file or directory, you need to use the getfacl command, followed by the name of the file or directory. For example:

getfacl file1

The output shows:

# file: file1
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

This means that:

  • The owner of the file is root
  • The group of the file is root
  • The user permissions are rwx, which means read, write, and execute
  • The group permissions are r-x, which means read and execute
  • The others permissions are r-x, which means read and execute

These are the same as the regular permissions that you can see with the ls -l command.

To change the ACL of a file or directory, you need to use the setfacl command, followed by one or more options and expressions that specify the users or groups and their permissions. For example:

setfacl -m u:alice:rwx file1

This means modify (-m) the ACL of file1 so that the user alice (u:alice) is granted read, write, and execute permissions (rwx).

You can also use commas to separate multiple expressions. For example:

setfacl -m u:alice:rwx,g:bob:r-x,o:- file1

This means modify (-m) the ACL of file1 by:

  • Granting read, write, and execute permissions (rwx) to the user alice (u:alice)
  • Granting read and execute permissions (r-x) to the group bob (g:bob)
  • Setting the permissions of others (o) to none (-)

You can also use the -R option to change the ACL of a directory and all its contents recursively. For example:

setfacl -R -m u:alice:rwx,g:bob:r-x,o:- dir1

This means modify (-m) the ACL of dir1 and all its files and subdirectories recursively (-R) by:

  • Granting read, write, and execute permissions (rwx) to the user alice (u:alice)
  • Granting read and execute permissions (r-x) to the group bob (g:bob)
  • Setting the permissions of others (o) to none (-)
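As an added example that is not part of the original post, this bash script applies the POSIX ACL evaluation rules to getfacl output (a constructed sample using the user, group and file names from the post) and reports what a given user can effectively do. It also shows the check worth running after setfacl -m: a later chmod on the group bits rewrites the mask entry, so alice's rwx is capped to r-x even though her entry still reads rwx.

```shell
# Evaluate what a user may do with a file from getfacl output, in POSIX ACL
# order: owner, named user, owning/named groups, other. The mask entry caps
# every entry except the owner and "other".
# Constructed sample: getfacl output after
#   setfacl -m u:alice:rwx,g:bob:r-x,o:- file1   and then   chmod g-w file1
# (chmod on the group bits rewrites the mask, not the named entries).
SAMPLE_ACL='# file: file1
# owner: root
# group: root
user::rw-
user:alice:rwx          #effective:r-x
group::r-x
group:bob:r-x
mask::r-x
other::---'

# acl_entry "<acl>" <tag> <qualifier>: perms of one entry ("r-x") with any
# "#effective:" note stripped; prints nothing if the entry is absent.
acl_entry() {
    printf '%s\n' "$1" | awk -F: -v tag="$2" -v q="$3" '
        /^#/ { next }
        $1 == tag && $2 == q { sub(/[ \t]*#.*$/, "", $3); print $3; exit }'
}

# Position-wise AND and OR of two rwx strings.
and_perms() {
    local a=$1 b=$2 out="" i
    for i in 0 1 2; do
        if [ "${a:$i:1}" != - ] && [ "${a:$i:1}" = "${b:$i:1}" ]; then
            out+=${a:$i:1}; else out+=-; fi
    done
    printf '%s\n' "$out"
}
or_perms() {
    local a=$1 b=$2 out="" i
    for i in 0 1 2; do
        if [ "${a:$i:1}" != - ]; then out+=${a:$i:1}
        elif [ "${b:$i:1}" != - ]; then out+=${b:$i:1}
        else out+=-; fi
    done
    printf '%s\n' "$out"
}

# effective_perms "<acl>" <user> "<groups the user belongs to>"
effective_perms() {
    local acl=$1 user=$2 groups=$3 owner group mask perms g found=0 acc="---"
    owner=$(printf '%s\n' "$acl" | awk '/^# owner:/ { print $3 }')
    group=$(printf '%s\n' "$acl" | awk '/^# group:/ { print $3 }')
    mask=$(acl_entry "$acl" mask ""); [ -n "$mask" ] || mask=rwx
    if [ "$user" = "$owner" ]; then acl_entry "$acl" user ""; return; fi
    perms=$(acl_entry "$acl" user "$user")
    if [ -n "$perms" ]; then and_perms "$perms" "$mask"; return; fi
    for g in $groups; do                 # union of every matching group entry
        if [ "$g" = "$group" ]; then perms=$(acl_entry "$acl" group "")
        else perms=$(acl_entry "$acl" group "$g"); fi
        if [ -n "$perms" ]; then found=1; acc=$(or_perms "$acc" "$perms"); fi
    done
    if [ $found -eq 1 ]; then and_perms "$acc" "$mask"; return; fi
    acl_entry "$acl" other ""
}
echo "alice: $(effective_perms "$SAMPLE_ACL" alice alice)"   # r-x (capped by mask)
```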

To remove the ACL of a file or directory, you need to use the setfacl command with the -b option, which means remove all extended ACL entries. For example:

setfacl -b file1

This means remove all extended ACL entries from file1.

You can also use the -R option to remove the ACL of a directory and all its contents recursively. For example:

setfacl -R -b dir1

This means remove all extended ACL entries from dir1 and all its files and subdirectories recursively.

Conclusion

In this blog post, you learned about Linux file permissions and how to view and change them using different methods. You also learned about special permissions and access control lists, which let you fine-tune your file security.

File permissions are an essential part of Linux system administration and DevOps engineering. They help you protect your data from unauthorized access and ensure that only authorized users and processes can perform specific tasks on your files and directories.

I hope you found this post useful and informative. Don’t forget to follow me for more Linux tips and tricks. 😊
