Have you ever tried to open a file or document and were told you did not have access? Similarly, have you ever tried to edit a document only to discover that you were only able to read it, but not make changes? Both of these scenarios involve file permissions. File permission management allows for greater control over who can do what with files or even computer systems, and having proper file permission management can help in upholding the principle of least privilege as well as the confidentiality and integrity of important data.
No matter which operating system your system runs, knowing how to manage file permissions can be a great benefit to your cybersecurity. If your system runs Linux, Unix, or a similar operating system, then you most likely can modify the permissions of files using the command line. First, however, it is important to understand what the three basic file permissions are and how they impact access to a file.
Types of File Permissions
There are three types of file permission that can be assigned to a file or directory in Linux. They are Read (r), Write (w), and Execute (x). Each permission encompasses different actions that can be performed on or with the file in question.
Read
The Read permission grants users the ability to, as the name implies, read the file. If you have the Read permission, you will be able to open the given file in the appropriate file viewer. In Linux, “[y]ou can use a tool like cat or less on the file to display the file contents. You could also use a text editor like Vi or view on the file to display the contents of the file” (McBrien). Think of this like purchasing a book from a store. Now that the book is in your possession, you have the ability to read it, but cannot change the words that are printed on the page (without defacing the book).
For a directory, the Read permission allows users to see the files stored within the directory. Think of this like browsing the chapters of a book; you can see the chapters, but cannot change their order (without defacing the book). It is important to note that Read permission is “required to have things like the ls command work” in a given directory (McBrien).
Write
The Write permission grants users the ability to edit, or write to, the file. If you have the Write permission, then you will be able to make changes to the file’s content. Think of this like having a dry erase or chalk board. You can scribble across it, draw shapes, write words, or erase whatever is on the chalkboard.
For a directory, the Write permission allows users to move files into and out of the directory. Think of this like having a shopping cart while browsing a supermarket; you can add groceries to the cart, or take items back out of the cart as you desire. In Linux, the Write permission for a directory is required to be able “to move (mv) or remove (rm) files from it. You also need write permission to create new files (using touch or a file-redirect operator) or copy (cp) files into the directory” (McBrien).
Execute
The Execute permission grants users the ability to execute, or run, the file. Usually, this permission only applies to files that contain some sort of programming or code that contains commands for the computer to run. Think of this like having the key to a car. If you have the key, you can start the car and run it.
For a directory, the Execute permission works differently. Having the Execute permission gives “access to the directory. Having execute permission on a directory authorizes you to look at extended information on files in the directory (using ls -l, for instance) but also allows you to change your working directory (using cd) or pass through this directory on your way to a subdirectory underneath” (McBrien). Think of this like needing a keycard badge to enter a specific floor of a building.
Viewing File Permissions in Linux
Furthermore, before learning how to change the permissions of a given file or directory in Linux, it is important to know how to view what the current permissions of the file or directory are. To do this, simply type
ls -l
into your command line terminal. This will list all of the files in the current directory and include additional information about each item, including whether it is a file or directory as well as its current permissions, among other details. Say our current directory is /users/johndoe/Documents. The ls -l command may produce an output like so:
drwxrwxrwx 1 johndoe root 256 Jan 19 9:00 Taxes
dr-xr-x--- 1 johndoe staff 256 Mar 15 11:00 Reports
-rwxr--r-- 2 johndoe root 64 Jan 1 21:00 Resume
-rwxrwxrwx 1 johndoe staff 128 Jan 3 8:00 SampleDoc
Out of the above information, of primary concern are the file permissions (from top to bottom, drwxrwxrwx, dr-xr-x---, -rwxr--r--, and -rwxrwxrwx), the owner of the file (all of the above files are owned by johndoe), the group or groups the owner belongs to (staff and root), and the names of the files (Taxes, Reports, Resume, and SampleDoc).
The file permissions shown above can be broken down into four sections:
- The first symbol describes what type the file is
- The next three symbols describe the permission of the file owner
- The second set of three symbols describes the permissions of the group the file owner belongs to
- The final set of three symbols describes the permissions of all others.
For example, the file permissions of the Taxes directory can be broken into
- d, since the item in question is a directory
- rwx, the permissions for johndoe, the owner of the file; johndoe has read, write, and execute permissions
- rwx, the permissions for root, one of the groups johndoe belongs to; root has read, write, and execute permissions
- rwx, the permissions for all other users; they have read, write, and execute permissions
and the permissions for the Resume file can be broken into
- -, since the item in question is a file
- rwx, the permissions for johndoe, the owner of the file; johndoe has read, write, and execute permissions
- r--, the permissions for root, one of the groups johndoe belongs to; root has only the read permission
- r--, the permissions for all other users; they have only the read permission.
The file owner is usually the person who created the file or directory in question, but this is not always the case (file ownership can be transferred and changed). Furthermore, users are assigned to different groups in order to help in managing file permissions. Our sample user, johndoe, is part of two groups: root and staff. The “root” group is a general group that contains the users that are the main administrators of the device in question; users on home devices will likely find that they are part of the “root” group. The “staff” group, however, is a group that was created for specific users to be a part of. Finally, the permissions for all others work exactly as they sound; if a user is not johndoe nor in the staff or root group, these are the permissions they have for that particular file or directory.
Changing File Permissions
Fortunately, there is one handy Linux command that allows you to change the permissions of a file in a few different ways. This command is the “change mode” command:
chmod
This command makes it easy to change the permissions of a file or directory, and this can be done either symbolically or numerically.
Symbolic Method
The symbolic method is the easier of the two for beginners to use since it is more straightforward than the numeric method. Essentially, with the symbolic method, you specify which particular set of permissions you want to change and how you want to change them.
To change permissions for the user, use
chmod u
To change permissions for the group, use
chmod g
To change permission for others, use
chmod o
Then you simply type in either + (to give a permission) or - (to take away a permission), followed by the corresponding symbol (r for Read, w for Write, and x for Execute), and then the file or directory name. Additionally, if you want to change multiple sets of permissions at once, you can include multiple sets of symbols after chmod.
Let’s use the Taxes directory from above as an example for removing permissions.
drwxrwxrwx 1 johndoe root 256 Jan 19 9:00 Taxes
Currently, everyone has full permissions to this file! Let’s say, though, that johndoe wishes to take away the Read, Write, and Execute permission from all other users. The command
chmod o-rwx Taxes
will remove these permissions. The symbol “o” tells the computer that the permissions to be changed are for other users, the “-” tells the computer that the permissions are to be removed, and “rwx” tells the computer that the permissions in question are read, write, and execute. Now, the file permissions will read “drwxrwx---” since all three permissions of the other users were taken away.
Now, let’s use the Resume file from above as an example for adding permissions.
-rwxr--r-- 2 johndoe root 64 Jan 1 21:00 Resume
Say johndoe decides that they want to give both the root group and other users the permission to write to the Resume file. The command
chmod go+w Resume
will add the write permission to both the group permission set as well as the other permission set.
Numeric Method
While the symbolic method may be easier to learn, the numeric method can be much quicker to perform. The numeric method utilizes a three digit number made up of octal values (octal values range from 0 to 7) to determine the permissions for each of the three sets of permissions. For example, 777, 000, 742, 630, and 422 are all valid ways to express permissions for a file. The first digit corresponds to the permission for the owner, the second digit corresponds to the permissions for the group the owner belongs to, and the third digit corresponds to the permissions for others. Instead of adding or removing specific permissions like in the symbolic method, the numeric method sets all permissions at once.
Fortunately, you do not need to guess and check as to which three digit number represents the specific permissions you want to assign to a file. Each of the three permission types (read, write, and execute) has a corresponding value. Read has a value of 4, write has a value of 2, and execute has a value of 1. You then simply add up these values to designate which permissions to give. For example, say we wanted to give the owner full permissions, the group the owner belongs to read and write permissions, and everyone else only read permissions. The owner’s permissions are the first digit, and we want to give them all three permissions. Thus, we would add 4 (for read permission), 2 (for write permission), and 1 (for execute permission) to get 7 for our first digit. The owner’s group’s permissions are the second digit. Since we only want to give them read and write permissions, we would only add 4 (for read permission) and 2 (for write permission), which would give us 6 for our second digit. Finally, for everyone else, we just want read permissions, which is simply 4 for our third digit. Combining our three numbers together, we get 764.
The below table explains which permissions are granted with each number.
| Octal Value | Corresponding Permissions |
|---|---|
| 0 | No permissions |
| 1 | Only execute permission |
| 2 | Only write permission |
| 3 | Both write and execute permission |
| 4 | Only read permission |
| 5 | Both read and execute permission |
| 6 | Both read and write permission |
| 7 | Read, write, and execute permission |
If we were to use the above permission examples, we would get the following results:
- 777 gives read, write, and execute permission to the owner, owner’s group, and everyone else
- 000 takes away all permissions from the owner, owner’s group, and everyone else
- 742 gives read, write, and execute permission to the owner, only read permission to the owner’s group, and only write permission to everyone else
- 630 gives both read and write permission to the owner, write and execute permission to the owner’s group, and takes away all permissions from everyone else
- 422 gives only read permission to the owner and only write permission to both the owner’s group and everyone else.
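The addition rule above can be applied directly to the permission strings that ls -l prints. The following is an added example, not part of the original article: a small POSIX shell script that converts a permission string to its octal value and flags entries that all other users can write to. The function names (triad_to_digit, mode_to_octal, others_can_write) are made up for this illustration, and the sample input is the listing shown earlier on this page.

```shell
# Added example: ls -l permission string -> octal (read=4, write=2, execute=1).
# Handles files (-) and directories (d) only; special bits are out of scope.

# triad_to_digit rwx -> 7, r-- -> 4
triad_to_digit() {
    case $1 in
        [-r][-w][-x]) ;;          # exactly three valid characters
        *) return 1 ;;
    esac
    t_digit=0
    case $1 in r??) t_digit=$((t_digit + 4)) ;; esac
    case $1 in ?w?) t_digit=$((t_digit + 2)) ;; esac
    case $1 in ??x) t_digit=$((t_digit + 1)) ;; esac
    printf '%s' "$t_digit"
}

# mode_to_octal drwxrwx--- -> 770
mode_to_octal() {
    case $1 in
        [-d]?????????) ;;         # type character plus nine permission characters
        *) echo "unsupported mode string: $1" >&2; return 1 ;;
    esac
    m_perms=${1#?}                # drop the type character
    m_owner=${m_perms%??????}     # first triad: owner
    m_rest=${m_perms#???}
    m_group=${m_rest%???}         # second triad: group
    m_other=${m_rest#???}         # third triad: everyone else
    m_o=$(triad_to_digit "$m_owner") || return 1
    m_g=$(triad_to_digit "$m_group") || return 1
    m_t=$(triad_to_digit "$m_other") || return 1
    printf '%s%s%s\n' "$m_o" "$m_g" "$m_t"
}

# others_can_write MODE: succeeds when the last triad grants write
others_can_write() {
    case $1 in ????????w?) return 0 ;; *) return 1 ;; esac
}

# Sample input: the four listing lines from this page.
while read -r mode _links _owner _group _size _mon _day _time name; do
    octal=$(mode_to_octal "$mode") || continue
    note=; others_can_write "$mode" && note="  <- writable by all other users"
    printf '%-10s %s %s%s\n' "$name" "$mode" "$octal" "$note"
done <<'EOF'
drwxrwxrwx 1 johndoe root 256 Jan 19 9:00 Taxes
dr-xr-x--- 1 johndoe staff 256 Mar 15 11:00 Reports
-rwxr--r-- 2 johndoe root 64 Jan 1 21:00 Resume
-rwxrwxrwx 1 johndoe staff 128 Jan 3 8:00 SampleDoc
EOF
```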
Once we have figured out our octal value, we can use this alongside the chmod command to quickly update all of the permissions for a file or directory.
Let’s use the Taxes directory from above as an example for removing permissions.
drwxrwxrwx 1 johndoe root 256 Jan 19 9:00 Taxes
Currently, everyone has full permissions to this file! Let’s say, though, that johndoe wishes to take away the Read, Write, and Execute permission from all other users. The command
chmod 770 Taxes
will remove these permissions. The first seven tells the computer that the file owner is to have read, write, and execute permission, the second seven tells the computer that the file owner’s group, root, is also to have read, write, and execute permission, and the zero tells the computer to take away all permissions from others. Now, the file permissions will read “drwxrwx---” since all three permissions of the other users were taken away.
Now, let’s use the Resume file from above as an example for adding permissions.
-rwxr--r-- 2 johndoe root 64 Jan 1 21:00 Resume
Say johndoe decides that they want to give both the root group and other users the permission to write to the Resume file. The command
chmod 766 Resume
will add the write permission to both the group permission set as well as the other permission set. The seven tells the computer to give read, write, and execute permission to the owner, the first six tells the computer to give only read and write permission to the root group, and the second six tells the computer to give only read and write permission to all other users.
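The following added example (not from the original article) runs the chmod commands from both methods against scratch files in a temporary directory and reads the resulting mode back. It assumes GNU stat (stat -c '%a'), and the helper names mode_of and apply_chmod are made up for this illustration. The last two lines go beyond the page's examples to show a starting mode where the two methods give different results.

```shell
# Added example: run chmod on throwaway files and read the octal mode back.
# Assumes GNU coreutils stat (-c '%a'); helper names are illustrative.

mode_of() { stat -c '%a' "$1"; }

# apply_chmod START SPEC: create a scratch file with mode START, apply
# "chmod SPEC" to it, and print the resulting octal mode.
apply_chmod() {
    ac_dir=$(mktemp -d) || return 1
    ac_file=$ac_dir/scratch
    : > "$ac_file"
    chmod "$1" "$ac_file"
    chmod "$2" "$ac_file"
    ac_mode=$(mode_of "$ac_file")
    rm -rf "$ac_dir"
    printf '%s\n' "$ac_mode"
}

# The page's Resume example: both commands reach 766 from 744 (-rwxr--r--).
echo "744 + 'go+w'  -> $(apply_chmod 744 go+w)"
echo "744 + '766'   -> $(apply_chmod 744 766)"

# The page's Taxes example: both commands reach 770 from 777.
echo "777 + 'o-rwx' -> $(apply_chmod 777 o-rwx)"
echo "777 + '770'   -> $(apply_chmod 777 770)"

# Different starting mode (750, rwxr-x---): symbolic changes only the bits it
# names, numeric replaces all nine, so 770 also hands the group write access.
echo "750 + 'o-rwx' -> $(apply_chmod 750 o-rwx)"
echo "750 + '770'   -> $(apply_chmod 750 770)"
```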
Resources & Further Reading
McBrien, Scott. “Linux File Permissions Explained.” Redhat.com, Red Hat, Inc, 10 Jan. 2023, www.redhat.com/en/blog/linux-file-permissions-explained.




