Permissions
Linux has the concept of permissions.
Since the "core" of linux is a file system accessed and used by users, files have permissions that can be assigned/delegated to users.
- Permissions
Principle of least permissions
Linux starts with, and works best when users + groups have the least privilege needed to do their job. If a user needs to do something to a file, that user should have the right to do that thing and that thing only.
An Example of denied permissions
# switch user to'jake'
ubuntu@primary:~$ su jake
Password:
# go into the "home" directory of the 'ubuntu' user
$ cd /home/ubuntu
$ pwd
/home/ubuntu
# try creating a file
$ touch jake.txt
touch: cannot touch 'jake.txt': Permission denied
Here, the ubuntu
user's home directory is only editable by the ubuntu
user, so jake
should, correctly, be denied the ability to work in the ubuntu
dir.
How Linux Describes Permissions
using the jake
user in the ubuntu
users' home directory...
$ pwd
/home/ubuntu
$ whoami
jake
run ls -l
to show each file, one-per-line. Might look something like this...
$ ls -l
total 32
drwxr-xr-x 2 ubuntu ubuntu 4096 May 16 08:20 Home
-rw-rw-r-- 1 ubuntu ubuntu 0 Jun 1 19:36 complex-errs.txt
drwxrwxr-x 2 ubuntu ubuntu 4096 May 26 13:36 dock
-rw-rw-r-- 1 ubuntu ubuntu 124 May 30 09:35 errors.txt
-rw-rw-r-- 1 ubuntu ubuntu 2122 Jun 1 19:33 ls.txt
-rw-rw-r-- 1 ubuntu ubuntu 118 Jun 1 19:36 ls2.txt
-rw-rw-r-- 1 ubuntu ubuntu 51 May 30 09:17 poiu.txt
drwx------ 3 ubuntu ubuntu 4096 May 16 08:20 snap
Linux describes permissions with the first column, the drwxr-xr-x
column. Each character in that string represents information and permissions of the file/directory.
The string is a 10-character description.
The first line, the drwxr-xr-x
Home
line, will be explored below.
Item Type with the First Character
The d
or -
here represent the "type" of item:
d
for directory-
for file
Read Write and Execute with RWX
The next 9 characters are variations on these 4 characters:
r
for readw
for writex
for execute-
for none
Owner Permissions with the next 3 Characters
The next 3 characters, rwx
, represent the "owner permissions" on the directory. This has read
, write
, and execute
permissions for the user that owns the file, the ubuntu
user.
Group Permissions with the next 3 Characters
The next 3 characters, r-x
, represent the "group permissions" on the directory. This has read
, and execute
permissions for the group that owns the file, the ubuntu
group.
Everyone Elses Permissions with the next 3 Characters
The next 3 characters, r-x
, represent the permissions that "everyone else" has on the directory. This has read
, and execute
permissions for the anyone other than the owner or in the group.
Changing Things
Linux allows the changing of owner && permissions of things.
Changing item owner with chown
chown
means "change owner". When chown
is run against a directory or file, the owner of the item changes. The chown
syntax can be something like chown grp:usr item-to-change
:
grp
: the group name of the new ownerusr
: the group name of the new owneritem-to-change
: the name of the item that is being changed
Use-Cases
chown has been useful when dealing with systems && users, like in "dockerland".
When docker is running on a linux machine, as an example....
- a node api docker container is running and is writing to a log file
- the log file path is mounted to the host linux os, so when node is writing to a logfile in a container, docker is passing-along the log-file contents to the host machine
- the host os, which contains docker and is running the container, has a user in-use
- the container os, which is "inside" "dockerland", has a user in-use (and in the supported node image the default user is "node")
- the host os user may not have permission to create or write to this log file, so this
chown
command can make the logfile creat-able and writable by docker
Here, chown
in action ->
# Using chown without permission
ubuntu@primary:~$ whoami
ubuntu
ubuntu@primary:~$ pwd
/home/ubuntu
# attempt to make a dir in a dir that ubuntu does not have permission to
ubuntu@primary:~$ cd /
ubuntu@primary:/$ mkdir new-dir
mkdir: cannot create directory ‘new-dir’: Permission denied
# make the dir with sudo
ubuntu@primary:/$ sudo mkdir new-dir
ubuntu@primary:/$ ls
bin dev home lost+found mnt opt root sbin srv tmp var
boot etc lib media new-dir proc run snap sys usr
ubuntu@primary:/$ ls -l | grep "new-dir"
drwxr-xr-x 2 root root 4096 Jun 3 08:45 new-dir
# the above line shows that root:root is the owner of the new-dir
# fail attempt to make a file in
ubuntu@primary:/$ touch new-dir/new-file.txt
touch: cannot touch 'new-dir/new-file.txt': Permission denied
# update the owner of new-dir
ubuntu@primary:/$ sudo chown ubuntu:ubuntu new-dir
ubuntu@primary:/$ ls -l | grep "new-dir"
drwxr-xr-x 2 ubuntu ubuntu 4096 Jun 3 08:45 new-dir
# succeed now
ubuntu@primary:/$ touch new-dir/new-file.txt
ubuntu@primary:/$ ls -l new-dir/new-file.txt
-rw-rw-r-- 1 ubuntu ubuntu 0 Jun 3 08:49 new-dir/new-file.txt
Changing item permissions with chmod
chmod
can be used to change permission on a file.
This is different from chown
in that chown
changes a file's owner, and chmod
changes a file's read-write-execute permissions.
long-form syntax
Here's chmod in action
# assure the 'ubuntu' user is being used
ubuntu@primary:~$ whoami
ubuntu
# navigate
ubuntu@primary:~$ cd ~
ubuntu@primary:~$ pwd
/home/ubuntu
# create a file as root
ubuntu@primary:~$ sudo touch only-sudo.txt
# inspect the permissions
ubuntu@primary:~$ ls -l only-sudo.txt
-rw-r--r-- 1 root root 0 Jun 3 20:50 only-sudo.txt
# fail at writing to file
ubuntu@primary:~$ echo "test string" >> only-sudo.txt
-bash: only-sudo.txt: Permission denied
# chmod in action on only-sudo.txt
ubuntu@primary:~$ sudo chmod u=rw,g=rw,o=rw only-sudo.txt
# inspect new permissions
ubuntu@primary:~$ ls -l only-sudo.txt
-rw-rw-rw- 1 root root 0 Jun 3 20:50 only-sudo.txt
# try again
ubuntu@primary:~$ echo "test string" >> only-sudo.txt
An overview of the chmod command
chmod
is the command, change the "mode" if the itemu=rw
is the user permissions of the item,rw
for read+writeg=rw
is the group permission of the item,rw
for read+writeo=rw
is the owner permission of the item,rw
for read+write
short form
The short form of setting permissioins with chmod involves numbers.
4
for read2
for write1
for execute0
for ...zero permissions
These numbers get added up:
1
for execute3 (1 + 2)
for execute + write5 (1 + 4)
for execute + read6 (4 + 2)
for read + write7 (4 + 2 + 1)
for all rights
These numbers get put in an order, 1 number for each "level" of permissions. 3 numbers in order (1)(2)(3).
- the 1st digit for
user
- the 2nd digit for
group
- the 3rd digit for
other
In practice, these numbers can look like...
660
is read+write on user+group and no rights for anyone else760
is read+write on group, all rights as owner, and no rights for anyone else
Using these in a chmod
command looks like
ubuntu@primary:~$ chmod 760 the-file.txt
super short form
# add executable to a file permission
ubuntu@primary:~$ chmod +x the-file.txt
# add write to a file permission
ubuntu@primary:~$ chmod +w the-file.txt
# remove write to a file permission
ubuntu@primary:~$ chmod -w the-file.txt