File System Permissions (Unix / Linux)

Posted: May 14th, 2018

Most file systems have methods to assign permissions or access rights to specific users and groups of users. These permissions control the ability of the users to view, change, navigate, and execute the contents of the file system.

Two types of permissions are very widely used. Traditional Unix permissions date back many decades to the earliest days of Unix and are universally available on all Unix and Linux derived platforms. Access Control Lists (ACLs) are more recent in origin; they are universally used on Microsoft Windows file systems that support user permissions (mainly NTFS and ReFS), and are now commonly used and widely available on most Unix and Linux based systems, although not necessarily all. ACLs are generally capable of far more detailed fine-tuning of permissions than traditional Unix permissions, and permit a system of access control which the traditional permission bits cannot provide. On Unix and Linux based systems, the standard type of ACL is the one defined by the POSIX standard (POSIX ACLs), but other variants exist, such as NFSv3 and NFSv4 ACLs, which work slightly differently.

File ownership is an important component of Unix that provides a secure method for storing files. Every file in Unix has the following attributes:

Owner permissions: the owner's permissions determine what actions the owner of the file can perform on the file.

Group permissions: the group's permissions determine what actions a user who is a member of the file's group can perform on the file.

Other (world) permissions: the permissions for others determine what actions all other users can perform on the file.

Where more than one permission system is available within the same operating system, there is usually a way to specify which one a given file system uses, and how the system should handle attempts to access or modify permissions controlled by one system using commands designed for another. The usual solution is to ensure at least some degree of awareness and interoperability between the different commands and methods.

File Access Modes

The permissions of a file are the first line of defense in the security of a Unix system. The basic building blocks of Unix permissions are the read, write, and execute permissions, described below:

Read

Grants the capability to read, i.e., view the contents of the file.

Write

Grants the capability to modify or remove the content of the file.

Execute

A user with execute permission can run the file as a program.

Directory Access Modes

Directory access modes are listed and organized in the same manner as those of any other file. There are a few differences that need to be mentioned:

Read

Read access to a directory means that the user can list its contents, i.e., see the filenames inside the directory.

Write

Write access means that the user can add files to, or remove files from, the directory.

Execute

Executing a directory makes no sense, so think of this as a traverse permission: it lets the user enter the directory and reach the entries inside it by name.

A user must have execute access to the bin directory in order to run the commands stored there, such as ls or cd.

Changing Permissions (CHMOD)

To change the permissions of a file or directory, you use the chmod (change mode) command. There are two ways to use chmod: the symbolic mode and the absolute mode.
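
The file and directory modes described above, and both chmod forms, exercised in an added shell script that is not part of the original post: it builds a scratch tree under /tmp (or $TMPDIR), applies modes in absolute and symbolic form, reads each result back from the first field of ls -ld, and shows that removing a read-only file is governed by the write bit on its directory rather than on the file. The helper names mode_of and demo_perms and the scratch file names are my own.

```shell
#!/bin/sh
# Added demo (not from the original post): owner/group/other rwx bits on a file
# and a directory, set with chmod in absolute (octal) and symbolic form.
set -eu

# mode_of PATH -> the 10-character type+permission field of ls -ld, e.g. drwxr-x---
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# demo_perms -> builds a scratch tree, applies modes, removes the tree again and
# prints "<dir mode> <file mode> <script mode> <read-only file deleted?>".
demo_perms() {
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/permdemo.XXXXXX")
    mkdir "$scratch/shared"
    : > "$scratch/shared/notes.txt"
    : > "$scratch/shared/run.sh"

    # Absolute mode: one octal digit per class (owner, group, other); r=4 w=2 x=1.
    # 750 -> owner rwx, group r-x (may list and traverse), other nothing.
    chmod 750 "$scratch/shared"
    # 640 -> owner rw-, group r--, other ---.
    chmod 640 "$scratch/shared/notes.txt"

    # Symbolic mode: [ugoa][+-=][rwx], comma separated. u=rwx,go=rx equals 755;
    # o-r then drops read for others, leaving 751: others can traverse the
    # directory and open a file inside it by name, but cannot list the names.
    chmod u=rwx,go=rx "$scratch/shared"
    chmod o-r "$scratch/shared"
    # "=" sets a class exactly (o= clears others); a+x adds execute to all three
    # classes without touching their r/w bits, so run.sh ends up as 751.
    chmod u=rw,g=r,o= "$scratch/shared/run.sh"
    chmod a+x "$scratch/shared/run.sh"

    d=$(mode_of "$scratch/shared")
    f=$(mode_of "$scratch/shared/notes.txt")
    s=$(mode_of "$scratch/shared/run.sh")

    # Removing a file needs write (and execute) on the directory, not write on
    # the file: the read-only notes.txt still goes because 'shared' is writable.
    chmod 444 "$scratch/shared/notes.txt"
    rm -f "$scratch/shared/notes.txt"
    if [ -e "$scratch/shared/notes.txt" ]; then deleted=no; else deleted=yes; fi

    rm -rf "$scratch"
    printf '%s %s %s %s\n' "$d" "$f" "$s" "$deleted"
}

demo_perms
```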