The Ultimate Guide to Linux & Unix File Permissions – keep

[php gutter="0"]
Johns-MacBook-Pro:test johncurry$ ls -l
total 0
-rw-r--r--  1 johncurry  staff   0 Jul 11 06:50 cat.txt
drwxr-xr-x  2 johncurry  staff  68 Jul 11 06:50 nestedFolder
Johns-MacBook-Pro:test johncurry$
[/php]

You should see something similar to the above. My nestedFolder line reads:
“drwxr-xr-x 2 johncurry staff 68”

The “johncurry staff” section means that “johncurry” is the owner and “staff” is the group.

drwxr-xr-x can be broken up into d | rwx | r-x | r-x, that is: type | User | Group | Others.

The very first character is either a “-” or a “d”. The “d” means it’s a directory. Notice that cat.txt does not have a “d” because it’s a regular file.

The next three characters represent the level of access for the USER, followed by three characters for the GROUP, followed by three characters for EVERYONE ELSE (others). Read (r), Write (w), and Execute (x) are the options. If that class doesn’t have the privilege, the position shows “-”.

“rwxr-xr-x” means the USER has “rwx”, the Group has “r-x”, and Others have “r-x”, so the Group and Others can only read and execute, but not write.

Now take a look at the cat.txt file and see if you can figure out what its permissions are for the user, group, and others.

Changing Permissions

Change Permissions Using Number Values:

Use the chmod command and give each of User, Group, and Other the numeric value equivalent to the permissions you want. Remember: None=0, Execute=1, Write=2, Read=4, and you add the values together within each class.

Let’s set the permissions to Read/Write/Execute for User, Read/Write for Group, and Read for Other.
If you do the math, that equates to: User=7 (4+2+1), Group=6 (4+2), Other=4. The command to change a file’s permissions looks like this: chmod octal filename

[php gutter="0"]
$ chmod 764 cat.txt ## User=rwx, Group=rw, Other=r
$ chmod 153 cat.txt ## User=x, Group=rx, Other=wx
[/php]
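To tie together reading the permission string (d | User | Group | Others) and the None=0/Execute=1/Write=2/Read=4 arithmetic, here is an added POSIX sh helper that is not part of the original post. It converts an ls -l mode string such as “-rwxr-xr-x” into its octal chmod value and back, and explains a 10-character mode the way the section above does. The function names (mode_to_octal, octal_to_mode, explain_mode) are my own; lowercase s/t in an execute slot is counted as execute, and the setuid/setgid/sticky bits themselves are not reported.

```sh
#!/bin/sh
# Added example (not from the original post): convert between the ls -l
# permission string and the octal chmod value, using None=0, Execute=1,
# Write=2, Read=4 for each of the three triplets (User, Group, Others).

# Value of one triplet: "rwx" -> 7, "r-x" -> 5, "---" -> 0.
triplet_value() {
    t=$1
    case $t in ???) ;; *) echo "bad triplet: $t" >&2; return 1 ;; esac
    v=0
    case $t in r??) v=$((v + 4)) ;; esac
    case $t in ?w?) v=$((v + 2)) ;; esac
    # x, or a lowercase s/t (special bit plus execute), counts as execute.
    case $t in ??[xst]) v=$((v + 1)) ;; esac
    echo "$v"
}

# "-rwxr-xr-x" or "rwxr-xr-x" -> "755". A 10-character input drops the
# leading file-type character (-, d, l, ...).
mode_to_octal() {
    m=$1
    case ${#m} in
        10) m=${m#?} ;;
        9) ;;
        *) echo "expected 9 or 10 characters, got '$1'" >&2; return 1 ;;
    esac
    u=$(triplet_value "$(printf '%s' "$m" | cut -c1-3)") || return 1
    g=$(triplet_value "$(printf '%s' "$m" | cut -c4-6)") || return 1
    o=$(triplet_value "$(printf '%s' "$m" | cut -c7-9)") || return 1
    printf '%s%s%s\n' "$u" "$g" "$o"
}

# One octal digit -> its triplet: 7 -> "rwx", 5 -> "r-x", 0 -> "---".
digit_to_triplet() {
    d=$1
    case $d in [0-7]) ;; *) echo "bad octal digit: $d" >&2; return 1 ;; esac
    r=-; w=-; x=-
    if [ $((d & 4)) -ne 0 ]; then r=r; fi
    if [ $((d & 2)) -ne 0 ]; then w=w; fi
    if [ $((d & 1)) -ne 0 ]; then x=x; fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# "764" -> "rwxrw-r--".
octal_to_mode() {
    o=$1
    case $o in
        [0-7][0-7][0-7]) ;;
        *) echo "expected three octal digits, got '$o'" >&2; return 1 ;;
    esac
    ou=$(digit_to_triplet "$(printf '%s' "$o" | cut -c1)") || return 1
    og=$(digit_to_triplet "$(printf '%s' "$o" | cut -c2)") || return 1
    oo=$(digit_to_triplet "$(printf '%s' "$o" | cut -c3)") || return 1
    printf '%s%s%s\n' "$ou" "$og" "$oo"
}

# Break a full 10-character ls -l mode into its parts, as the post does by hand.
explain_mode() {
    m=$1
    case ${#m} in
        10) ;;
        *) echo "expected a 10-character ls -l mode, got '$1'" >&2; return 1 ;;
    esac
    case $m in
        d*) kind=directory ;;
        -*) kind=file ;;
        l*) kind=symlink ;;
        *)  kind=other ;;
    esac
    perms=${m#?}
    printf 'type=%s user=%s group=%s others=%s octal=%s\n' "$kind" \
        "$(printf '%s' "$perms" | cut -c1-3)" \
        "$(printf '%s' "$perms" | cut -c4-6)" \
        "$(printf '%s' "$perms" | cut -c7-9)" \
        "$(mode_to_octal "$perms")"
}

# Stand-alone use: sh modes.sh -rw-r--r-- drwxr-xr-x
for arg in "$@"; do
    explain_mode "$arg"
done
```

Run it on the cat.txt line from the listing above and you get the answer to the exercise: type=file user=rw- group=r-- others=r-- octal=644.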

Change File Permissions with UGOA

You can set the desired permissions using shorthand characters as well.
You decide which User type to affect with UGOA:

User Type    Symbol
USER         u
GROUP        g
OTHERS       o (lowercase letter o)
ALL          a

You decide HOW you would like to affect that user type, by Adding, Removing, or Setting the values r, w, or x, with the following:

Action    Symbol
ADD       +
REMOVE    -
SET       =

Finally, decide the permission settings for that user type with r, w, x: Read (r), Write (w), Execute (x).

Here are a couple of examples:

[php]
test johncurry$ ls -l #start with no permissions on anything
total 0
----------  1 johncurry  staff  0 Jul 11 06:50 cat.txt
test johncurry$ chmod u=rw cat.txt  # set User to read,write
test johncurry$ ls -l
total 0
-rw-------  1 johncurry  staff  0 Jul 11 06:50 cat.txt # rw in users.
test johncurry$ chmod o+rx cat.txt   # add read, execute to Others group
test johncurry$ ls -l
total 0
-rw----r-x  1 johncurry  staff  0 Jul 11 06:50 cat.txt
test johncurry$ chmod o-x cat.txt    # remove execute from Others group
test johncurry$ ls -l
total 0
-rw----r--  1 johncurry  staff  0 Jul 11 06:50 cat.txt
test johncurry$ chmod o=wx cat.txt   # set Others Group to Write, Execute
test johncurry$ ls -l
total 0
-rw-----wx  1 johncurry  staff  0 Jul 11 06:50 cat.txt
test johncurry$ chmod u+x,g=rw,o=rx cat.txt  # commands separated by comma
test johncurry$ ls -l
total 0
-rwxrw-r-x  1 johncurry  staff  0 Jul 11 06:50 cat.txt
test johncurry$ chmod u-rwx,g-rw,o-rx cat.txt
test johncurry$ ls -l
total 0
----------  1 johncurry  staff  0 Jul 11 06:50 cat.txt
test johncurry$ chmod a=rwx cat.txt  # set ALL to have read, write, execute
test johncurry$ ls -l
total 0
-rwxrwxrwx  1 johncurry  staff  0 Jul 11 06:50 cat.txt
[/php]

Changing a File’s Owner & Group

To change the owner of a file, run the command $ sudo chown theOwner filename.

To change the group the file belongs to, run $ sudo chgrp theGroup filename.

To change the owner AND the group in one line, run $ sudo chown theOwner:theGroup filename.

Note: The group must exist first. Learn how to create groups below.

[php]
test johncurry$ ls -l
total 0
-rwxrwxrwx  1 johncurry  staff    0 Jul 11 06:50 cat.txt
drwxr-xr-x  3 johncurry  staff  102 Jul 11 09:31 nestedFolder
test johncurry$ sudo chown bunny cat.txt
test johncurry$ ls -l
total 0
-rwxrwxrwx  1 bunny      staff    0 Jul 11 06:50 cat.txt  # owner is bunny, group is staff
drwxr-xr-x  3 johncurry  staff  102 Jul 11 09:31 nestedFolder
test johncurry$ sudo chown bunny:bunny nestedFolder/
test johncurry$ ls -l
total 0
-rwxrwxrwx  1 bunny  staff    0 Jul 11 06:50 cat.txt
drwxr-xr-x  3 bunny  bunny  102 Jul 11 09:31 nestedFolder  # owner is bunny, group is bunny
[/php]

Note: You can do any of these operations RECURSIVELY with the -R flag (capital R!).

[php]
$ sudo chmod -R 777 test/  #changes EVERYTHING in the test/ to rwxrwxrwx (very bad don't do this)
$ sudo chown -R bunny:bunny test/   #changes EVERYTHING in test/ to bunny as owner & group
[/php]
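The “very bad, don’t do this” comment on chmod -R 777 deserves a way to find out whether it has already happened. The following POSIX sh script is an added example, not part of the original post: it lists everything under a directory that anyone on the system can write to (the w bit in the Others triplet) plus regular files carrying the setuid/setgid bits, and returns non-zero when it finds something so it can gate a cron job or CI step. The function names are my own, and the sample tree (cat.txt, nestedFolder, secret.txt, helper) is constructed in a temp directory for the demo.

```sh
#!/bin/sh
# Added example, not part of the original post: find the damage that a
# "chmod -R 777" leaves behind. Only POSIX find predicates are used:
# "-perm -NNN" matches when ALL of the octal bits in NNN are set.

# Paths under $1 that any user on the system can modify (Others: w = 002).
find_world_writable() {
    find "$1" -perm -002 | sort
}

# Regular files under $1 with setuid (4000) or setgid (2000) set.
find_setid() {
    { find "$1" -type f -perm -4000; find "$1" -type f -perm -2000; } | sort -u
}

# Print findings and return 1 if there were any; return 0 when the tree is clean.
audit_tree() {
    root=$1
    report=$(
        find_world_writable "$root" | sed 's|^|world-writable: |'
        find_setid "$root" | sed 's|^|setuid/setgid: |'
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Constructed sample tree (names borrowed from the listing in the post) with
# deliberate problems, created under a fresh temp dir whose path is printed.
make_sample_tree() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/nestedFolder"
    : > "$dir/cat.txt"
    : > "$dir/nestedFolder/secret.txt"
    : > "$dir/nestedFolder/helper"
    chmod 644 "$dir/cat.txt"                    # fine: rw-r--r--
    chmod 777 "$dir/nestedFolder"               # world-writable directory
    chmod 666 "$dir/nestedFolder/secret.txt"    # world-writable file
    chmod 4755 "$dir/nestedFolder/helper"       # setuid file
    printf '%s\n' "$dir"
}

# Stand-alone use:  sh audit.sh --demo      (builds and audits the sample tree)
#                   sh audit.sh /some/dir   (audits a real directory)
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_tree)
    audit_tree "$sample" || echo "fix the entries above (e.g. chmod o-w, chmod u-s)"
    rm -rf "$sample"
elif [ -n "${1:-}" ]; then
    audit_tree "$1"
fi
```

The demo reports nestedFolder and nestedFolder/secret.txt as world-writable and nestedFolder/helper as setuid; after chmod o-w on the first two and chmod u-s on the helper, the same audit returns 0.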

Adding/Removing Users & Groups on Linux

To view the groups a user is in:

[php]
$ groups        # view groups the current user is in
$ groups bunny  # view groups that the user "bunny" is in
[/php]

To Add a user “bunny” and set the password, run:

[php]
$ sudo useradd bunny
$ sudo passwd bunny
[/php]

To Remove a user “bunny”, run:

[php]
$ sudo userdel -r bunny   # -r also removes the user's home directory and mail spool
[/php]

To create a new group called “bunny”, run:

[php]
$ sudo groupadd bunny
[/php]

To Add the user “john” to the group bunny, run:

[php]
$ sudo usermod -a -G bunny john
[/php]

To Remove the user “john” from the group bunny, run:

[php]
$ sudo gpasswd -d john bunny
[/php]

To Delete the group “bunny”, run:

[php]
$ sudo groupdel bunny
[/php]

I encourage you to read the friendly manual to learn more about each command and the flags that accompany it. Do this with $ man nameOfCommand

Adding/removing Users & Groups on Mac

Adding new users & groups is simple on a Mac, but some common Linux commands don’t work out of the box, so we Mac users will submit to their power and do it their way.

Step 1. Click on the Apple Icon > System Preferences > Users & Groups

Step 2. Click the little Lock icon to unlock the page so you can edit users/groups

Step 3. Click the + icon to add a new user/group

Step 4. Select the correct option from the “New Account” drop down.

Step 5. Fill in the info & hit “Create user”, or “Create Group” or whatever it says. Don’t add an “administrator” user unless you absolutely need to.

Do these steps as necessary until you have the users & groups you need.

(Mac) To check which groups your user belongs to, run:

[php]
$ groups
staff com.apple.sharepoint.group.2 everyone localaccounts _appserverusr admin _appserveradm _lpadmin com.apple.sharepoint.group.1 _appstore _lpoperator _developer com.apple.access_ftp com.apple.access_screensharing com.apple.access_ssh com.apple.sharepoint.group.3
$ groups bunny  # check groups the user bunny belongs to
[/php]

(Mac) To ADD a user to a group, run:

[php]
$ dseditgroup -p -o edit -a userToAdd -t user group
[/php]

To add the user “johncurry” to the group “bunny”, that would look like:

[php]
$ dseditgroup -p -o edit -a johncurry -t user bunny
[/php]

“-p”
Prompt for a password.

“-o edit”
-o is the “operation” and edit is its parameter, so “-o edit” is the “edit operation”.

“-a userToAdd”
-a is “add”; replace “userToAdd” with the user you wish to add.

“-t user group”
-t is the type of record being added. “-t user” means a user record is being added to the group, and “group” is the group to add the user to.

Let’s verify that “johncurry” is in the “bunny” group by running $ groups

[php]
$ groups
staff com.apple.sharepoint.group.2 bunny everyone localaccounts _appserverusr admin _appserveradm _lpadmin com.apple.sharepoint.group.1 _appstore _lpoperator _developer com.apple.access_ftp com.apple.access_screensharing com.apple.access_ssh com.apple.sharepoint.group.3
[/php]

Yay! “bunny” is the third option for me, so I’m in the bunny group!

(Mac) How to Remove a User From a Group

To REMOVE “johncurry” from the “bunny” group, all you do is replace the -a flag with a -d flag: -a is add, and -d is delete!

[php]
$ dseditgroup -p -o edit -d johncurry -t user bunny
[/php]

Poof! It’s gone!

Read the manual page for dseditgroup for more info. To view the manual, run:

[php]
$ man dseditgroup
[/php]

Sudo & Wheel

We have one more important topic: Sudo & WHEEL. Sudo stands for “SUperuser DO”. It’s how a normal user is given super powers, aka “super administrator access”, meaning they can run commands as root. A SUDO command looks like this:

[php]
$ sudo do-something-important
[/php]

root has virtually no limits, so you can accidentally destroy your entire system with one bad command. Because it’s so dangerous to run around as the root user, you should give your main user “SUDO” access and only run commands as root when absolutely necessary.

Regular users do NOT have SUDO access unless you explicitly add them to a group with SUDO access.

Giving a user SUDO access

If you try to run a command with sudo without having sudo access, you’ll get an error like this: “Username is not in the sudoers file. This incident will be reported.”

Here’s how you fix the error by giving a user SUDO access. (Only give accounts sudo if they NEED it.)

The /etc/sudoers file

The sudoers file is the list of all the groups & users that have access to the “sudo” command. You should only edit this file by running “$ visudo” or “$ sudo visudo” from your terminal. visudo checks the file for syntax errors before saving, because a broken sudoers file can seriously harm your system. If an error warning pops up, press “x” to exit without saving or “e” to re-edit the file.

Let’s go ahead and take a look at our /etc/sudoers file. From the command line, run one of the following:

[php]
$ sudo visudo  # run this on a Mac, or as a non-root user with admin privileges
$ visudo       # as the root user
[/php]

You’ll want to look for code that looks something like this (maybe not exact):

[php]
##
## User privilege specification
##
root ALL=(ALL) ALL
%admin  ALL=(ALL) ALL

## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL) ALL

## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

## Uncomment to allow members of group sudo to execute any command
# %sudo ALL=(ALL) ALL
[/php]

In this block, notice that my %admin line is set to ALL=(ALL) ALL and is uncommented (the # marks a comment). Because %admin is uncommented and set this way, the admin group and every user in it has SUDO privileges. If I need the wheel group to have sudo privileges, all I need to do is uncomment the # %wheel ALL=(ALL) ALL line and add the user to the wheel group.
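The distinction the paragraph above makes, an uncommented %admin line versus commented-out %wheel and %sudo lines, is easy to get wrong by eye when the file is longer. The following POSIX sh script is an added example, not part of the original post: it reads a sudoers-style file, prints every user or %group that is actively granted ALL=(ALL) ALL (the ALL=(ALL:ALL) form is also accepted), and flags any active NOPASSWD grant. The sample text is constructed from the block above, the function names are my own, and this is a plain-text check that complements, not replaces, visudo’s own syntax check.

```sh
#!/bin/sh
# Added example (not from the original post): report which entries in a
# sudoers-style file are actively granted full sudo, ignoring commented-out
# lines, and warn about passwordless (NOPASSWD) grants.

# Constructed sample, modelled on the sudoers excerpt shown in the post.
SAMPLE_SUDOERS='##
## User privilege specification
##
root ALL=(ALL) ALL
%admin  ALL=(ALL) ALL

## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL) ALL

## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

## Uncomment to allow members of group sudo to execute any command
# %sudo ALL=(ALL) ALL
'

# Read sudoers text on stdin; print the first field (user or %group) of every
# uncommented line of the form  who ALL=(ALL) ALL  or  who ALL=(ALL) NOPASSWD: ALL.
active_full_sudo() {
    awk '
        /^[ \t]*#/ { next }     # a leading # makes the whole line a comment
        /^[ \t]*$/ { next }     # skip blank lines
        $2 ~ /^ALL=\(ALL(:ALL)?\)$/ &&
            ($3 == "ALL" || ($3 == "NOPASSWD:" && $4 == "ALL")) { print $1 }
    '
}

# Read sudoers text on stdin; print entries that skip the password prompt.
nopasswd_entries() {
    awk '/^[ \t]*#/ { next } /NOPASSWD:/ { print $1 }'
}

# Audit the file at $1: list the full-sudo grants, return 1 if any of them is
# passwordless, 0 otherwise.
audit_sudoers() {
    grants=$(active_full_sudo < "$1")
    printf 'full sudo grants: %s\n' "$(printf '%s' "$grants" | tr '\n' ' ')"
    np=$(nopasswd_entries < "$1")
    if [ -n "$np" ]; then
        printf 'WARNING: passwordless sudo for: %s\n' "$(printf '%s' "$np" | tr '\n' ' ')"
        return 1
    fi
    return 0
}

# Stand-alone use:  sh sudoers_audit.sh /etc/sudoers   (reading it needs root)
#                   sh sudoers_audit.sh --demo         (runs on the sample)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    printf '%s' "$SAMPLE_SUDOERS" > "$tmp"
    audit_sudoers "$tmp"
    rm -f "$tmp"
elif [ -n "${1:-}" ]; then
    audit_sudoers "$1"
fi
```

On the sample the grants are root and %admin only; uncommenting the %wheel NOPASSWD line adds %wheel to the grants and turns the audit result into a warning.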

Thoughts on Security

Unfortunately I’m not a security guru, but Linux permissions are a very basic security feature. The idea is to only give people access to the things you want them to have access to. On a personal computer, you don’t want your grandma accidentally finding her way into your local server and deleting a bunch of stuff. So give her account no permissions on sensitive files, and don’t put her in any important groups.

It also protects you from yourself. Running around your filesystem as root, you may destroy something with a single typo. At least force yourself to use SUDO when doing dangerous things.

Conclusion

I think that’s everything. If you understand how to add/remove groups, add/remove users to groups, change a file’s ownership and group, change the access rights of each user, and add/remove users to the sudoers file, then you have a great understanding of Unix/Linux permissions, which will make your computer and servers much more secure, and you’ll never have to be confused by them again. Is there anything I missed? Let me know in the comments!
