43. File Permissions - Symbolic & Numeric Modes, Setuid & Setgid
Contents
We can determine the permissions of a file by looking at the mode bits of that file.
Mode Bits Structure
The mode bits structure of files and directories:
| Option | Meaning |
|---|---|
| r | Read permission. |
| w | Write permission. |
| x | Execute permission. |
Permissions of Directory and File
Let’s take a look at the default permissions for the newly created files and directories:
|
|
Directory Permissions
As we can see from the following table, the directory is:
- readable, writable and executable to the user: the user called root;
- readable and executable to the group: everyone in the root group;
- readable and executable to others: other users.
| User | Group | Others |
|---|---|---|
| rwx | r-x | r-x |
Without execute permission, we can’t access the directory.
Without write permission, we can’t add new files or delete existing files in a directory.
File Permissions
As we can see from the following table, the file is:
- readable and writable to the user: the user called root;
- readable to the group: everyone in the root group;
- readable to others: other users.
| User | Group | Others |
|---|---|---|
| rw- | r‑‑ | r‑‑ |
Symbolic Modes
We can set permissions for users, groups, others, and everyone in symbolic mode.
Permissions Assignment
We can assign read, write, and execute permissions to the file owner, file group, others or everyone through the plus, equal sign operator, or remove the appropriate permissions from the user by the minus sign operator:
| Users | Operation | Permissions |
|---|---|---|
| ugoa | +-= | rwx |
Users
There are four users, file’s owner, file’s group, others, and all:
| User | Meaning |
|---|---|
| u | Owner of the file |
| g | Group of the file |
| o | Any other users |
| a | All users, this is equivalent to ugo |
Operations
There are three actions, append, remove, and assign:
| Operation | Meaning |
|---|---|
| + | Append the permission(s) to user(s) |
| - | Remove the permission(s) from user(s) |
| = | Assign the permission(s) to user(s) |
Permissions
There are three permissions, read, write, and execute, respectively:
| Permission | Meaning |
|---|---|
| r | Readable or Viewable permission |
| w | Writable or Editable permission |
| x | Executable or Runnable permission |
Copying Permissions
We can append the permissions of the user after the addition symbol to the permissions of the user before the addition symbol:
| Copy To | Operation | Copy From |
|---|---|---|
| ugoa | + | ugoa |
Changing Special Mode Bits
Set User or Group ID Mode Bit
| Users | Operation | Copy From |
|---|---|---|
| uga | +- | s |
Impact on Directories
If a directory has the group id set up, the files created in this directory belong to the group of the directory, but setting the user id does not seem to have much effect. A child directory created in this directory inherits the group to which the parent directory belongs and also inherits the special mode bit set group id.
Impact on Programs or Files
If a program is set up with user id, then whoever executes it, the operator is always the owner of the program. If a program is set up with group id, then no matter who executes it, the runtime group is always the group to which the application belongs.
Set Restricted Deletion Flag or Sticky Bit
If we don’t want the files we created to be deleted by others; we can add a special mode bit the so-called sticky bit to the permission of the directory containing those files:
| User | Operation | Flag |
|---|---|---|
| o (This is optional) | +-= | t |
A file in the flagged directory can only be deleted by the root user, the owner of the directory and the file’s owner.
Making Multiple Changes
We can use commas to separate multiple actions that change permissions:
|
|
Numeric Modes
Linux also gives us another way to change user permissions more quickly. We can provide a range of numbers to represent their corresponding permissions. A complete numeric model has four digits
Special Mode Bits
The first digit represents a special mode bit:
| Mode | Mode Bit |
|---|---|
| 4000 | Set User ID |
| 2000 | Set Group ID |
| 1000 | Restricted delete flag or sticky bit |
The Owner of the File
The second digit represents the owner of the file:
| Mode | Mode Bit |
|---|---|
| 0400 | Readable or Viewable to owner |
| 0200 | Writable or Controllable to owner |
| 0100 | Executable or Accessible to owner |
Usually only displayed as 400, 200 and 100.
The Group of the File
The third digit represents the group of the file:
| Mode | Mode Bit |
|---|---|
| 0040 | Readable or Viewable to users belonging to the file’s group |
| 0020 | Writable or Controllable to users belonging to the file’s group |
| 0010 | Executable or Accessible to users belonging to the file’s group |
Usually only displayed as 40, 20 and 10.
Others
The fourth digit represents for others:
| Mode | Mode Bit |
|---|---|
| 0004 | Readable or Viewable to other users |
| 0002 | Writable or Controllable to other users |
| 0001 | Executable or Accessible to other users |
Usually only displayed as 4, 2 and 1.
When used, the preceding zeros are usually removed. Next, we’ll show you how to use most of the mode bits listed above.
References 27 File permissions, 27.1 Structure of File Mode Bits, 27.2 Symbolic Modes, 27.3 Numeric Modes, 27.4 Operator Numeric Modes, 27.5 Directories and the Set-User-ID and Set-Group-ID Bits
Author Dong Chen
LastMod Fri Mar 15 2019