Blog 13: How to Manage File Permissions and Security in Unix
In Unix, file security and permissions are crucial for controlling access to files and directories. Understanding how to manage permissions ensures that sensitive data is protected and that users can only perform actions appropriate to their roles.
This blog will walk you through how to use commands like chmod, chown, chgrp, and umask to control access to files, change ownership, and configure default permissions.
1. Understanding Unix File Permissions
Unix file permissions control what actions users can perform on files and directories. There are three types of permissions:
- Read (r): Allows the user to view the contents of the file or list the contents of the directory.
- Write (w): Allows the user to modify the file or add/remove files in the directory.
- Execute (x): Allows the user to execute the file as a program or script, or enter the directory.
Each file or directory in Unix is assigned three sets of permissions:
- Owner: The user who owns the file.
- Group: Users who belong to the same group as the file.
- Others: All users who are not the owner or in the group.
The permissions are represented by a string of three-character sets, such as rwxr-xr--. This string indicates the permissions for the owner, group, and others, respectively.
Example:
-rwxr-xr--
- Owner has read, write, and execute permissions (rwx).
- Group has read and execute permissions (r-x).
- Others have read-only permissions (r--).
2. How to Use chmod to Change File Permissions
The chmod (change mode) command is used to modify file or directory permissions. You can change permissions either using symbolic notation or numeric (octal) notation.
Symbolic Notation
With symbolic notation, you specify the permissions to be added or removed for the owner, group, or others.
- +: Adds permission.
- -: Removes permission.
- =: Sets permissions explicitly.
Examples:
- Add execute permission to the owner:
$ chmod u+x filename
- Remove write permission from the group:
$ chmod g-w filename
- Give read, write, and execute permissions to everyone:
$ chmod a+rwx filename
- Set permissions explicitly (e.g., read and write for owner, read for group and others):
$ chmod u=rw,g=r,o=r filename
Numeric Notation
In numeric notation, permissions are represented by a three-digit number. Each permission is represented by a number:
- Read (r) = 4
- Write (w) = 2
- Execute (x) = 1
You sum the numbers for the desired permissions. For example:
- 7 = rwx (4 + 2 + 1)
- 6 = rw- (4 + 2)
- 5 = r-x (4 + 1)
Examples:
- Set permissions to rwxr-xr-x (7 for owner, 5 for group, and 5 for others):
$ chmod 755 filename
- Set permissions to rw-r--r-- (6 for owner, 4 for group, and 4 for others):
$ chmod 644 filename
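The following added example (not from the original post) runs the symbolic commands above in sequence on a scratch file and prints the mode after each step, then contrasts a relative change with a numeric one. The function names show_mode and apply_chain and the starting modes are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: works only on a scratch file created by mktemp.

# Print "<octal> <symbolic>" for a path (GNU stat, then BSD stat as fallback).
show_mode() {
    stat -c '%a %A' "$1" 2>/dev/null || stat -f '%Lp %Sp' "$1"
}

# apply_chain START SPEC... : set a scratch file to START, then apply each
# chmod SPEC in order, printing "SPEC octal symbolic" after every step.
apply_chain() {
    f=$(mktemp) || return 1
    chmod "$1" "$f" || { rm -f "$f"; return 1; }
    shift
    for spec in "$@"; do
        chmod "$spec" "$f" || { rm -f "$f"; return 1; }
        printf '%s %s\n' "$spec" "$(show_mode "$f")"
    done
    rm -f "$f"
}

# The symbolic examples from this section, applied to a file starting at 640.
apply_chain 640 u+x g-w a+rwx u=rw,g=r,o=r

# Relative vs absolute: "g-w" only clears the group write bit, so a file that
# was world-writable stays world-writable. A numeric mode (or "=") sets all
# nine bits regardless of what was there before.
apply_chain 777 g-w
apply_chain 777 644
```

Because + and - change only the bits they name, the result depends on the starting mode; use a numeric mode or = when the final permissions on a sensitive file must be known exactly.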
3. How to Use chown to Change File Ownership
The chown (change owner) command is used to change the owner and/or group of a file or directory.
Basic Syntax
chown [owner][:[group]] filename
- owner: The new owner of the file.
- group: The new group of the file.
If you only want to change the owner, omit the group. If you only want to change the group, omit the owner.
Examples:
- Change owner to username:
$ chown username filename
- Change owner to username and group to groupname:
$ chown username:groupname filename
- Change only the group to groupname:
$ chown :groupname filename
- Recursively change ownership for all files in a directory:
$ chown -R username:groupname directory/
4. How to Use chgrp to Change the Group of a File
The chgrp (change group) command allows you to change the group ownership of a file or directory.
Basic Syntax
chgrp groupname filename
Example:
- Change the group of a file to staff:
$ chgrp staff filename
- Recursively change the group of all files in a directory:
$ chgrp -R staff directory/
5. How to Use umask to Set Default Permissions
The umask command controls the default permissions for new files and directories. It sets a mask that removes permissions from newly created files or directories.
Default Permissions
- Files: By default, files are created with 666 permissions (read and write for owner, group, and others).
- Directories: By default, directories are created with 777 permissions (read, write, and execute for owner, group, and others).
How umask Works
The umask subtracts from these defaults to set the actual permissions for new files and directories.
For example:
- Default permissions for files: 666 (rw-rw-rw-)
- Default permissions for directories: 777 (rwxrwxrwx)
If the umask is set to 022, it subtracts 0 for the owner, 2 for the group, and 2 for others, resulting in:
- Files: 644 (rw-r--r--)
- Directories: 755 (rwxr-xr-x)
Example:
- Set the umask to 022:
$ umask 022
- Check the current umask value:
$ umask
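The following added example (not from the original post) creates a file and a directory under several umask values and prints the resulting modes. The kernel applies the umask as a bit mask (requested mode AND NOT umask), which matches subtraction for 022 but not for a value such as 033, where a new file gets 644 rather than 633. The function names mode_of and modes_under_umask are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: works only inside a scratch directory created by mktemp.

# Print the octal mode of a path (GNU stat, then BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# modes_under_umask MASK : create one file and one directory under MASK and
# print "<file-mode> <dir-mode>". The body runs in a subshell, so the caller's
# own umask is left untouched.
modes_under_umask() (
    d=$(mktemp -d) || exit 1
    trap 'rm -rf "$d"' EXIT
    umask "$1"
    : > "$d/file"      # the shell requests 666 for a new file
    mkdir "$d/dir"     # mkdir requests 777 for a new directory
    printf '%s %s\n' "$(mode_of "$d/file")" "$(mode_of "$d/dir")"
)

# 022: the value used in this section.
# 027: no access for others.
# 077: owner-only, a common choice for accounts handling sensitive data.
# 033: shows masking, not subtraction (the file ends up 644, not 633).
for mask in 022 027 077 033; do
    printf 'umask %s -> file/dir %s\n' "$mask" "$(modes_under_umask "$mask")"
done
```

The umask only limits what a program requests at creation time; it does not change existing files, and a program that requests a narrower mode (for example 600) gets at most that.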
6. How to View and Modify ACLs (Access Control Lists)
For more granular control over file permissions, you can use Access Control Lists (ACLs). ACLs allow you to specify permissions for individual users or groups beyond the basic owner, group, and others model.
Viewing ACLs
To view ACLs on a file, use the getfacl command:
$ getfacl filename
Setting ACLs
To set ACLs, use the setfacl command:
$ setfacl -m u:username:rwx filename
This command grants the user username read, write, and execute permissions on filename.
Practice Time!
- Change File Permissions:
  - Use chmod to modify permissions for a file and test different combinations of read, write, and execute.
  - Use both symbolic and numeric notation.
- Change File Ownership:
  - Use chown to change the owner and group of a file.
  - Test recursively changing ownership with the -R option.
- Set Default Permissions with umask:
  - Set a custom umask and observe how it affects new files and directories.
- View and Modify ACLs:
  - Use getfacl to view ACLs for a file.
  - Use setfacl to assign specific permissions to a user or group.
Summary
- How to use chmod to modify file and directory permissions.
- How to use chown and chgrp to change ownership and group of files.
- How to set default permissions for new files and directories with umask.
- How to manage more granular permissions with ACLs.