OverviewTeaching: 30 min
Exercises: 0 minQuestions
How do I control access to my data?Objectives
Understand ownership and access permissions on files and directories
Users and Groups
We will be talking about permissions on Linux files and directories. These permissions allow you to decide who can access your data. Perhaps you want to have all your files restricted so only you can access them. Or you can choose to share certain files and directories with your colleagues.
We have already seen how to connect to a remote Linux computer using ssh. Each of us has our own username and password to do so - Linux computers have more than one user account.
Users are also collected into groups. All users are in one primary group and can optionally be in other groups as well. Some Linux systems have a primary group per user. Other systems may have one primary group shared for all users.
Performing Administrative Tasks
When we talk about users and groups, we are starting to touch upon system administration. In other words, we are configuring the computer’s settings for all users rather than just working with our own user’s account and files.
Linux has a special user called
root. The root user can do anything to the operating system and so root is used to modify computer settings. On many types of Linux, you can run configuration commands as root using the
sudo command. If you put
sudo at the start of a shell command, that command will run as the administrative
It is a good idea to avoid
sudounless you are already accustomed to using it. Commands that run using
sudocould cause problems not just for your own user account and files, but for everybody on the Linux system.
You may recall that the
whoami command tells you your username:
If we use
sudo to run this same command, we do see that
sudo runs our
whoami command as the root user:
$ sudo whoami
There are various common tasks system administrators perform using
sudo, such as software installation, user account creation, and setup hardware. Changing the owner of a file must also be done using sudo.
Every file and directory in Linux is owned by a user and by a group. The
ls -lh command’s listing shows the user and group owning a file in the third and fourth columns respectively:
$ ls -lh data.zip
-rw-rw-r-- 1 jane researchers 5.2K Aug 31 11:20 data.zip
In this example, the data.zip file is owned by user
jane and group
To change the user and group of a file, one needs to use the chown command. The user and then group are separated by a colon:
$ sudo chown root:reseachers data.zip # ls -lh data.zip
-rw-rw-r-- 1 root researchers 5.2K Aug 31 11:20 data.zip
Let’s look at the long format output of
ls again. This time, we will look at the codes at the start of each output line. The letters you see specify who is allowed to use the file. These letters might be a little bit hard to understand at first, but we will explain their meaning in detail:
$ ls -lh
total 23K -rw-rw-r-- 1 jane researchers 5.2K Aug 31 11:20 data.zip drwxrwxr-x 2 jane researchers 4.0K Sep 5 11:03 Desktop -rwx------ 1 jane researchers 14K Aug 30 15:52 run_simulation
Permissions for a file are listed at the start of
ls in 10 characters. The first character actually doesn’t have to do with permissions, but rather indicates the file type;
- represents a file and
d represents a directory.
The following 9 characters are grouped into
rwx permissions for each of the three user roles. The file permissions are
- The read permission on a file allows you to view the data in the file
- The write permission on a file allows you to modify or delete the file
- The execute permission on a file allows you to run the file (assumes the file is a program or shell script)
And the three user roles are:
- The user is the person who owns the file, usually the file’s creator
- The group is the group of users associated with the file
- Finally other specifies anybody else who isn’t the file’s user or in the file’s group
In the output of
ls, when a permission is shown as
-, the file does not have that particular permission.
For example, in the preceding
ls -lh output we see that
data.zip has permissions
-rw-rw-r--. The first
- means that we are looking at a file. The next
rw- means that the user
jane can view or modify this file, but not execute it. This makes sense, since it is Jane’s file, and it is not a program that could be run. Similarly, anybody in the group
jane can read or modify the file. All other users on this Linux computer can read but not change the file due to the the permissions for other users:
Directories have the same three permissions: read, write, and execute. However, permissions have different meanings for directories.
The directory permissions are
- The read permission on a directory allows you to run
lsto list the files in that directory
- The write permission on a directory allows you to create or delete files in the directory
- The execute permission on a directory allows you to get the directories and files in the directory.
Let’s look at the
ls output again:
$ ls -lh
total 28K -rw-rw-r-- 1 jane researchers 5.2K Aug 31 11:20 data.zip drwxr-x--x 2 jane researchers 4.0K Sep 5 11:03 Desktop -rwx------ 1 jane researchers 14K Aug 30 15:52 run_simulation
In this output, we see that Desktop is a directory. We know this because the first letter in the permissions entry is
d. The user
jane has full access to
Desktop. Users in the
researchers group can see what files are in
Desktop and are able to use them. For other users, the files in
Desktop are hidden, although the files still can be used.
The command to change permissions is called
chmod. The permissions are modified with a special three character code.
The first letter in the code is either u, g, or o and specifies whether we are modifying the permission for user, group, or other role.
The second letter is either + or -, and indicates whether we are adding or removing a permission.
The third letter either r, w, x and indicates wheter we are modifying the read, write, or execute permission.
The most common use of
chmod would be to add the execute permission to a program that you have downloaded. For example, let’s remove the ability to execute our run_simulation program:
chmod u-x run_simulation ./run_simulation
bash: ./mycommands: Permission denied
u+x will allow the user to execute this file:
chmod u+x run_simulation ./run_simulation
Your supervisor has given you a new program to run, called sim2. You can find it in the data.zip file. Unfortunately, your supervisor accidentally changed permissions on the sim2 program and now it won’t run.
-bash: ./sim2: Permission denied
Using your new knowledge of Linux file permissions, how would you determine the problem and what command would correct the permission error on the sim2 program?
To see the current permissions on sim2:
ls -lh sim2
----r----- 1 jane researchers 8.3K Sep 13 10:28 sim2
And to allow your own user to run the program:
chmod u+x sim2
lscommand lists your file’s access like this:
-rw-r--r-- 1 jane researchers 12K Sep 13 10:33 confidential.txt
chmodcommands would change this file’s permissions so only your user can view the file?
chmod g-r confidential.txt chmod o-r confidential.txt
Jane has a directory somestuff that contains a program mysim:
drwxr----x 2 jane researchers 4.0K Sep 5 09:22 somestuff
ls -l somestuff/
-rw-r-xr-x 1 jane researchers 8.3K Sep 13 10:32 mysim
What can can these users do with the mysim program?
- The user
- The user
bob, who is in the
- The user
alice, who is not in the
- Jane can see the program with ls and change the mysim file, but she cannot run it.
- Bob can see that the program exists by using
ls, but he cannot run the program.
- Alice cannot use
lsto see that the program exists, but she can run the program
chowncommand controls file user and group ownership
chmodcommand controls file permissions
Permissions exist for read, write, and execute
Permissions apply to user, group, and other