6  File permissions

Now that we have user accounts and administrative privileges, we need to better understand the differences between users and groups, and how file permissions work in Linux.

Let’s check the contents of our personal folder as our own user with ls, as we learned in the previous chapters, using the -la flags:

victor@aula:~$ ls -la
total 40
drwxr-x--- 5 victor victor 4096 Jun 29 15:30 .
drwxr-xr-x 5 root   root   4096 Jun 30 12:40 ..
-rw------- 1 victor victor 1608 Jun 30 12:41 .bash_history
-rw-r--r-- 1 victor victor  220 Jun  2 15:17 .bash_logout
-rw-r--r-- 1 victor victor 3771 Jun  2 15:17 .bashrc
drwx------ 2 victor victor 4096 Jun  2 15:21 .cache
-rw-r--r-- 1 victor victor    0 Jun  2 15:17 .cloud-locale-test.skip
-rw------- 1 victor victor   20 Jun 29 14:35 .lesshst
drwx------ 3 victor victor 4096 Jun 29 15:30 .local
-rw-r--r-- 1 victor victor  807 Jun  2 15:17 .profile
drwxrwxr-x 3 victor victor 4096 Jun 24 10:16 projects
-rw-r--r-- 1 victor victor    0 Jun  2 15:22 .sudo_as_admin_successful

Let’s focus on one of the lines:

drwxrwxr-x 3 victor victor 4096 Jun 24 10:16 projects

Tip: How to read the permissions description

The first character, d, indicates a folder.
The first rwx block indicates permission to read, write and execute for the owner of the file.
The second rwx block indicates permission to read, write and execute for members of the owner group.
The third block, r-x, indicates permission only to read and execute for everyone else (users not in the owner group).
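
As an added example (not part of the original chapter), this POSIX shell function converts the mode string printed by ls -l into the octal form that chmod also accepts. It goes beyond the tip by also handling the s/S and t/T letters used for the setuid, setgid and sticky bits; the function name mode_to_octal is an assumption of this example.

```shell
#!/bin/sh
# mode_to_octal MODE: turn an `ls -l` mode string (e.g. drwxrwxr-x)
# into octal (e.g. 775). Hypothetical helper name, added example.
mode_to_octal() {
    mode=$1
    # Validate: file type, then three r/w/x triplets (extra chars like + allowed).
    case $mode in
        [-dlbcps][-r][-w][-xsS][-r][-w][-xsS][-r][-w][-xtT]*) ;;
        *) echo "not an ls -l mode string: $mode" >&2; return 1 ;;
    esac
    special=0; digits=""
    for n in 0 1 2; do                  # 0 = owner, 1 = group, 2 = others
        start=$((2 + n * 3))            # skip the file-type character
        trip=$(printf '%s' "$mode" | cut -c"$start"-"$((start + 2))")
        value=0
        case $trip in r??) value=$((value + 4)) ;; esac
        case $trip in ?w?) value=$((value + 2)) ;; esac
        # Third slot: x = execute; s/t = execute plus a special bit;
        # S/T = special bit set while execute is missing.
        case $trip in
            ??x)    value=$((value + 1)) ;;
            ??[st]) value=$((value + 1)); special=$((special + (4 >> n))) ;;
            ??[ST]) special=$((special + (4 >> n))) ;;
        esac
        digits="$digits$value"
    done
    # Special bits: 4 = setuid, 2 = setgid, 1 = sticky (leading digit).
    if [ "$special" -eq 0 ]; then echo "$digits"; else echo "$special$digits"; fi
}

mode_to_octal drwxrwxr-x   # the "projects" line from the listing above
mode_to_octal drwxrws---   # constructed: a group folder with setgid set
```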

Exercise: Describe permissions

Describe the following file permissions:

  • drwx------ 2 victor victor 4096 Jun 2 15:21 .cache
  • -rw-r--r-- 1 victor victor 3771 Jun 2 15:17 .bashrc

6.1 How to change permissions and ownership

Permissions and ownership can be changed. This allows us to create folders that any user in the same group can write to and read from. To do this we need to:

  1. Create a group
  2. Add your user to the new group
  3. Create a folder
  4. Change the default owner group to the newly created group
  5. Add other users to the newly created group

6.1.1 Creating the group and the folder

groupadd allows us to create a group and, as we saw before, usermod lets us add our user to the group:

victor@aula:~$ sudo groupadd research
[sudo] password for victor: 
victor@aula:~$ sudo usermod -aG research victor

We need to exit and connect again for the changes to take effect. After that we can create the folder:

victor@aula:~$ mkdir research
victor@aula:~$ ls -la
total 44
drwxr-x--- 6 victor victor 4096 Jun 30 13:24 .
drwxr-xr-x 5 root   root   4096 Jun 30 12:40 ..
-rw------- 1 victor victor 1716 Jun 30 13:20 .bash_history
-rw-r--r-- 1 victor victor  220 Jun  2 15:17 .bash_logout
-rw-r--r-- 1 victor victor 3771 Jun  2 15:17 .bashrc
drwx------ 2 victor victor 4096 Jun  2 15:21 .cache
-rw-r--r-- 1 victor victor    0 Jun  2 15:17 .cloud-locale-test.skip
-rw------- 1 victor victor   20 Jun 30 13:23 .lesshst
drwx------ 3 victor victor 4096 Jun 29 15:30 .local
-rw-r--r-- 1 victor victor  807 Jun  2 15:17 .profile
drwxrwxr-x 3 victor victor 4096 Jun 24 10:16 projects
drwxrwxr-x 2 victor victor 4096 Jun 30 13:24 research
-rw-r--r-- 1 victor victor    0 Jun  2 15:22 .sudo_as_admin_successful

6.1.2 Changing the ownership of the folder

As it is now, the research folder is only accessible by my user (victor) and by users belonging to the victor group. To change this we need to use chown:

victor@aula:~$ chown -R victor:research research
victor@aula:~$ ls -la
total 44
drwxr-x--- 6 victor victor   4096 Jun 30 13:24 .
drwxr-xr-x 5 root   root     4096 Jun 30 12:40 ..
-rw------- 1 victor victor   1716 Jun 30 13:20 .bash_history
-rw-r--r-- 1 victor victor    220 Jun  2 15:17 .bash_logout
-rw-r--r-- 1 victor victor   3771 Jun  2 15:17 .bashrc
drwx------ 2 victor victor   4096 Jun  2 15:21 .cache
-rw-r--r-- 1 victor victor      0 Jun  2 15:17 .cloud-locale-test.skip
-rw------- 1 victor victor     20 Jun 30 13:23 .lesshst
drwx------ 3 victor victor   4096 Jun 29 15:30 .local
-rw-r--r-- 1 victor victor    807 Jun  2 15:17 .profile
drwxrwxr-x 3 victor victor   4096 Jun 24 10:16 projects
drwxrwxr-x 2 victor research 4096 Jun 30 13:24 research
-rw-r--r-- 1 victor victor      0 Jun  2 15:22 .sudo_as_admin_successful

The -R flag applies the change recursively to every file and subfolder contained in research.

We may also want only the members of the research group to be able to read or access the folder. For this we need to change the permissions with chmod:

victor@aula:~$ chmod -R u=rwx,g=rwx,o= research
victor@aula:~$ ls -la
total 44
drwxr-x--- 6 victor victor   4096 Jun 30 13:32 .
drwxr-xr-x 5 root   root     4096 Jun 30 12:40 ..
-rw------- 1 victor victor   1716 Jun 30 13:20 .bash_history
-rw-r--r-- 1 victor victor    220 Jun  2 15:17 .bash_logout
-rw-r--r-- 1 victor victor   3771 Jun  2 15:17 .bashrc
drwx------ 2 victor victor   4096 Jun  2 15:21 .cache
-rw-r--r-- 1 victor victor      0 Jun  2 15:17 .cloud-locale-test.skip
-rw------- 1 victor victor     20 Jun 30 13:32 .lesshst
drwx------ 3 victor victor   4096 Jun 29 15:30 .local
-rw-r--r-- 1 victor victor    807 Jun  2 15:17 .profile
drwxrwxr-x 3 victor victor   4096 Jun 24 10:16 projects
drwxrwx--- 2 victor research 4096 Jun 30 13:24 research
-rw-r--r-- 1 victor victor      0 Jun  2 15:22 .sudo_as_admin_successful

Now we have a folder, /home/victor/research, that can be accessed only by members of the research group.

Tip

To ensure that any new file created in the folder inherits the correct group, we can use:

victor@aula:~$ sudo chmod g+s research
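
To verify the result of the steps in section 6.1, the following added example (not part of the original chapter) audits a shared folder: group owner, g=rwx, o=, the setgid bit, and whether the parent folder lets group members reach it. The function names are assumptions of this example, it relies on GNU stat as shipped on Linux, and the parent check is an approximation that ignores ACLs and a member's other groups.

```shell
#!/bin/sh
# Added example: audit a group-shared folder (uses GNU stat -c, as on Linux).
# check_shared_dir DIR GROUP prints one line per problem, returns 0 if clean.

# octal_mode PATH -> four octal digits: special, owner, group, others (e.g. 2770)
octal_mode() { printf '%04d' "$(stat -c '%a' "$1")"; }
# digit STRING N -> the Nth character of STRING
digit() { printf '%s' "$1" | cut -c"$2"; }

check_shared_dir() {
    dir=$1; want=$2; problems=0
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 2; }
    mode=$(octal_mode "$dir"); group=$(stat -c '%G' "$dir")

    if [ "$group" != "$want" ]; then
        echo "$dir: group owner is $group, not $want (chown :$want)"
        problems=$((problems + 1))
    fi
    if [ "$(digit "$mode" 3)" -ne 7 ]; then
        echo "$dir: group lacks rwx (chmod g=rwx)"
        problems=$((problems + 1))
    fi
    if [ "$(digit "$mode" 4)" -ne 0 ]; then
        echo "$dir: others have access (chmod o=)"
        problems=$((problems + 1))
    fi
    # setgid is the 2 bit of the leading (special) digit
    if [ $(( $(digit "$mode" 1) & 2 )) -eq 0 ]; then
        echo "$dir: setgid not set, new files keep the creator's group (chmod g+s)"
        problems=$((problems + 1))
    fi

    # The parent must let group members pass through (search bit, x):
    # either via "others", or via "group" when the parent belongs to $want.
    parent=$(dirname "$dir")
    pmode=$(octal_mode "$parent"); pgroup=$(stat -c '%G' "$parent")
    o_x=$(( $(digit "$pmode" 4) & 1 )); g_x=$(( $(digit "$pmode" 3) & 1 ))
    if [ "$o_x" -eq 0 ] && { [ "$pgroup" != "$want" ] || [ "$g_x" -eq 0 ]; }; then
        echo "$parent: mode $pmode group $pgroup blocks $want members from reaching $dir"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}
```

Run it as check_shared_dir /home/victor/research research. With the listings above, the parent /home/victor (drwxr-x--- victor victor) is reported, because research members who are not in the victor group cannot pass through it.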

6.2 Exercise

Note: Modifying permissions and ownership

Work in pairs (or groups of 3) to create a folder that only the members of your pair or group can access, write to and read from.