Linux Basic Permissions
In Linux, in addition to files and directories, all devices (with the exception of Network devices) are represented as files under /dev, and the permissions dictate what access different users have to those devices.
Linux permissions have two main forms: ‘-rwxrwxrwx‘, and 777 (sometimes written as 0777). This is broken down into these pieces, in order:
| Bit | Octal | Description | |||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| First character, one of: -, d, l, c, b, etc | N/A</th> | Type of File | </tr>|||||||||||||||||||||||||||||||||||||
| rwx (First set) | 7 (1st number)</td> | Owning User | </tr>|||||||||||||||||||||||||||||||||||||
| rwx (Second set) | 7 (2nd number)</td> | Owning Group | </tr>|||||||||||||||||||||||||||||||||||||
| rwx (Third set) | 7 (3rd number)</td> | Other | </tr> </table>
| Bit | Octal | On File | On Directory |
|---|---|---|---|
| R | 4 | Ability to read the file | Ability to list the contents of the directory |
| W | 2 | Ability to write or append to the file | Ability to create or delete files in the directory |
| X | 1 | Ability to execute the file | Ability to traverse the directory (change directory into) |
For the bitwise permissions, if the letter is there, it is enabled, if missing, it is not. For the octal permission number, just add up the permission bits that are enabled. Eg: Read (4) + Execute (1) = 5
The ACL check works like this:
- If you are UID 0 (root), skip the check (this is why it is bad to run things as root)
- If you are the owning user, you get the owning user's permissions
- If you are in the owning group, you get the owning group's permissions
- Otherwise, you get the ‘other' permissions
Note that permissions do not stack, if you are the owner, you get the owning user's permissions, even if that is less than others get. Also note that Symbolic links always have full permissions, the actual access is checked on the target of the symbolic link and not the link itself.
A few examples:
| Bitwise | Octal | Meaning |
|---|---|---|
-rwxrwxrwx |
777 | File, full permissions for everybody |
drwxr-xr-x |
755 | Directory, Full permissions for the owner, read/traverse for everyone else |
-rw-r--r-- |
644 | File, Read/Write for owner, read-only for everyone else |
-rw-r--r-- |
644 | File, Read/Write for owner, read-only for everyone else |
drwx------ |
700 | Directory, Full permissions for owner, no permissions for anyone else |
-rw------- |
600 | File, Read/Write permissions for owner, no permissions for anyone else |