File permissions explained
Users, superusers and file permissions… discover how Linux steps up security and controls access to files and folders.
Any filesystem worth its salt will apply restrictions to files in the form of permissions, limiting access based on users and groups. Windows does this to some degree with its NTFS filesystem, but it’s no substitute for Linux’s approach.
Everything in Linux is represented as a file, including folders and hardware devices. The ext filesystem then applies special permissions to these files to determine how they can be accessed, and by whom. These permissions boil down to three basic levels of access: r (read), w (write) and x (execute). You can view a file’s permissions when in the
Terminal with the ls -l command, where you’ll see entries such as rwx (full access) or r-- (read-only) next to each file.
These rwx permissions apply to folders as well as files, and things are complicated by the fact certain permissions – such as deleting a file – reside with its parent folder, not the file itself. So files can be viewed (r), edited (w) and executed if a program (x), but unless their parent folder has w permissions applied to it, you can’t create (or delete) files within the folder. Similarly, you can’t view files – even with r permissions – assigned unless the folder has x permissions applied.
Security is paramount in Linux, so permissions aren’t applied directly to each file and folder; instead, they’re applied to three categories of user: owner (the user who created the file), specific user group, and others (everyone else).
The second category refers to a single user group for whom specific permissions have been defined, and opens up a question about users and groups. Although it appears to apply to a specific user (often the same user as the file or folder’s owner), these permissions applies to a user group.
When you create a new user, a group of the same name is also created, your user is added to that group and it’s this group that Linux references here. It’s also possible to add users to multiple groups, enabling advanced users to set up groups into which multiple users are added, giving all those users the same level of access to the selected file or folder based on the group they’re part of.
Setting up permissions
Permissions are set when a file is created, with the file owner also set as the default user or group for that file. Note, if you create a file when running in elevated mode (such as through sudo in the Terminal), then the owner is root, not you. The owner typically has full access rights to the file or folder created, while everyone else normally has more limited rights to files, and are usually blocked from folders.
By default, all users have full ownership, access and control over their personal Home folder and its contents, while other users are blocked access. Outside the home folder, access is more restrictive – certain folders are accessible, but most are either read-only or off-limits, requiring you to access them via the root super-user account.
It’s possible to change a file or folder’s permissions if you’re the owner via the Nautilus file manager. Right-click a folder or file and choose Properties > Permissions tab. From here you can change permissions for owners, the featured group and others, plus change which user group has special access to the item in question. Click the Group drop-down menu and the list will include a load of unfamiliar names – these are system users, designed to do specific things without compromising on security, and are best left alone.