Linux File Ownership And Permissions: Users, Groups, And Others

What are Linux File Owners, Groups, and Others?

On a Linux system, every file and directory has an owner, a group, and a set of permissions for each of them, plus a third set for all other users on the system. Understanding this ownership and permission model is crucial for administering a Linux environment and ensuring appropriate access.

Defining file owners, group owners, and others

The file owner refers to the specific Linux user that created the file or directory. By default, the file owner has full read, write, and execute permissions on their own files. The group owner allows Linux administrators to assign users to groups and set permissions for entire groups on files and directories. The others category applies to all other system users not included in the owner or group owner categories.

Viewing ownership with the ls -l command

The most common way to view file and directory ownership and permissions is with the ls -l command. This command lists contents in long format, displaying additional info not shown in a standard ls output. Here is an example directory listing:

$ ls -l
total 8
-rwxr-xr-x 1 john staff 4096 Feb 12 09:23 file1.txt 
-rw-r--r-- 1 jane accounting 12288 Feb 15 13:05 file2.docx

Example output explained

In the sample output above, the first column shows the file permissions (covered later). The next field displays the number of hard links pointing to the file. Then come the owner name (john and jane) and the group owner (staff and accounting). The following columns display the file size, the modification date, and the file name. The owner and group owner of each file are therefore visible at a glance.

Setting File Permissions

Managing permissions appropriately is critical for Linux security and usability. Permissions dictate what users and groups can access given files and directories.

Permission types: read, write, execute

There are three basic permission types in Linux:

  • Read (r) – Ability to view or copy file contents
  • Write (w) – Ability to edit, modify, delete or add to a file
  • Execute (x) – Ability to run a file as a script or program

Representation with rwx notation

These three permission types can be represented by the rwx notation, using a single character for each permission setting. Here are some example values:

rw- = The file has read and write but no execute 
r-x = The file can be read and executed but not modified  
--- = No permissions granted

Setting permissions with chmod

Permissions are modified on Linux using the chmod command. This allows changing permissions for the file owner, group owner, and all other users. Here is the basic syntax:

chmod [reference][operator][permissions] file

The reference can be:

  • u – Owner permissions
  • g – Group permissions
  • o – Permissions for others
  • a – Permissions for all (owner, group, others)

chmod code examples

Some examples help illustrate chmod usage:

chmod g+w file.txt = Add group write permission
chmod a-x file.py = Remove execute permission from all categories
chmod 644 file.html = Set permissions to owner RW, group R, others R  

As shown above, chmod allows selectively adding, removing, or explicitly setting Linux file permissions as needed.
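
The mapping between the rwx notation shown by ls -l and the numeric form used in chmod 644 can be made explicit in a few lines of shell. This is an added example, not part of the original article; mode_to_octal is a name chosen here, and it also handles the s and t markers of the special permissions covered later on this page.

```shell
#!/bin/sh
# Added example: convert an ls -l mode string such as "-rwxr-xr-x" to octal.

# mode_to_octal MODESTRING -> four octal digits, e.g. 0755
# The ( ... ) body runs in a subshell, so its variables stay local.
mode_to_octal() (
    s=${1#?}                          # drop the leading file-type character
    [ "${#s}" -ge 9 ] || { echo "bad mode string: $1" >&2; exit 1; }
    special=0
    digits=""
    for weight in 4 2 1; do           # setuid=4, setgid=2, sticky=1
        digit=0
        for bit in 4 2 1; do          # r=4, w=2, x=1
            c=${s%"${s#?}"}           # first remaining character
            s=${s#?}
            case $bit$c in
                4r|2w|1x) digit=$((digit + bit)) ;;
                # lower case: special bit set and execute set
                1s|1t) digit=$((digit + 1)); special=$((special + weight)) ;;
                # upper case: special bit set, execute not set
                1S|1T) special=$((special + weight)) ;;
                ?-) ;;
                *) echo "unexpected '$c' in $1" >&2; exit 1 ;;
            esac
        done
        digits=$digits$digit
    done
    echo "$special$digits"
)

# The first two strings come from the ls -l listing on this page; the last
# three are constructed to show the special-permission markers.
for m in -rwxr-xr-x -rw-r--r-- drwxrwxrwt -rwsr-xr-x -rwSr--r--; do
    printf '%s  %s\n' "$m" "$(mode_to_octal "$m")"
done
```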

Default File Permissions

When new files and directories are created, Linux assigns default permissions based on umask rules. Understanding these defaults is helpful for administering a Linux system.

Permissions for files and directories

The default permissions vary slightly for files vs directories. Newly created files receive 666 permissions, meaning owner RW, group RW, others RW. New directories get 777 permissions – everything RWX for all categories by default.

umask impact on default permissions

These base defaults can then be modified by setting a umask value on the system. The umask specifies which permissions should be removed from the 666/777 defaults when creating new files or folders. Common umask values include:

002 - Removes write for others (default on some Linux distros)
022 - Removes write for group and others 
027 - Removes write + execute for group/others

Configuring umask to change defaults

You can view the current umask with the umask command. To change the default, set the umask in /etc/profile or in a specific shell RC file. This allows tuning the umask and the resulting permission defaults for your environment.
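
The following added example (not from the original article) creates a file and a directory under each umask listed above and reports the resulting modes next to the value predicted by clearing the umask bits from 666 and 777. The function names are chosen here, 033 is a constructed extra value, and GNU stat and mktemp are assumed.

```shell
#!/bin/sh
# Added example: compare the modes a umask produces with the predicted ones.
# Assumes GNU coreutils (stat -c, mktemp -d), as found on most Linux systems.

# expected_modes UMASK -> "FILEMODE DIRMODE" predicted by clearing the umask
# bits from the base modes (bitwise AND with the complement, not subtraction).
expected_modes() {
    printf '%03o %03o\n' $((0666 & ~0$1)) $((0777 & ~0$1))
}

# observed_modes UMASK -> "FILEMODE DIRMODE" of a freshly created file and
# directory. The ( ... ) body is a subshell, so the caller's umask is untouched.
observed_modes() (
    tmp=$(mktemp -d) || exit 1
    umask "$1"
    : > "$tmp/newfile"
    mkdir "$tmp/newdir"
    f=$(stat -c %a "$tmp/newfile")
    d=$(stat -c %a "$tmp/newdir")
    rm -rf "$tmp"
    echo "$f $d"
)

echo "current umask: $(umask)"
# 002, 022 and 027 are the values listed above; 033 is a constructed extra
# value showing that the result is not 666 minus the umask.
for mask in 002 022 027 033; do
    echo "umask $mask: predicted $(expected_modes "$mask"), observed $(observed_modes "$mask")"
done
```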

Changing Ownership

The owner associated with files and directories can be altered as needed with the Linux chown and chgrp commands.

Changing the owner with chown

To change the owner of a file or folder, use the chown command like this:

chown newowner file

For example, to change the owner of file.txt from john to jane, run:

chown jane file.txt

Recursively updating ownership

To recursively update ownership through subfolders and files, use the -R flag like this:

chown -R jane somefolder/ 

Restrictions on ownership changes

Note that normal users can only change ownership of files they currently own. The superuser root can take ownership of any file via chown. chown will also not allow you to change ownership to a user that does not exist on the system.

Setting the Group Owner

The chgrp command allows altering the group owner assigned to files and directories as needed.

Using chgrp to alter group owner

The chgrp command works much like chown, except that it changes the group owner rather than the regular owner. Here is the syntax:

chgrp newgroup file

For instance, to assign file.txt to the staff group, you would run:

chgrp staff file.txt

Impacts on file permissions

Changing the group owner with chgrp does not change the actual file permissions. So files will retain their current permission settings for the new group owner.

Use cases for changing group owner

Some common use cases for altering group ownership include:

  • Easing permission administration by group
  • Allowing shared access for particular groups
  • Restricting access only to certain groups

Special Permissions

In addition to the standard read, write and execute permissions, Linux supports three special permission flags that control enhanced access.

The setuid, setgid and sticky bits

These special permissions include:

  • setuid – Allows a file to run as the owner, rather than current user
  • setgid – Allows a file to run assuming the group owner rights
  • sticky – Restricts file deletion in shared directories

When you may want to use them

Reasons to employ these special permissions can include:

  • Allowing a script to access owner resources (setuid)
  • Allowing group members enhanced access to a shared program (setgid)
  • Securing files in public directories like /tmp (sticky)

Setting special permissions in chmod

You can assign these special permissions using chmod much like standard permissions. For example:

chmod +t shareddir = Add sticky bit 
chmod u+s myscript.sh = Add setuid to owner on script

This gives you added flexibility in configuring permissions for specific needs.

Ownership, Permissions and Security

Appropriately configuring file and directory ownership and permissions is a key part of overall Linux server security.

Ownership and permissions role in security

From a security standpoint, ownership and permissions help ensure users only access the files and directories necessary for their job duties. This supports the principles of least access and need-to-know.

Principle of least privilege

Following the principle of least privilege, users should only be granted the most restrictive permissions needed for their role. Unnecessary “write” or “execute” privileges should be avoided whenever possible.
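
As an added example (not part of the original article), the checks below use find to report settings that work against least privilege and that relate to the special permissions described earlier: world-writable files, world-writable directories without the sticky bit, and setuid or setgid files. audit_perms and demo_tree are names chosen here, and the sample tree is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: report permission settings that conflict with least privilege.

# audit_perms DIR -> one "LABEL<TAB>path" line per finding
audit_perms() (
    dir=$1
    # Regular files that any user on the system may modify.
    find "$dir" -xdev -type f -perm -0002 \
        -exec printf 'WORLD_WRITABLE_FILE\t%s\n' {} \;
    # Directories writable by everyone where the sticky bit is missing, so
    # users can delete or rename each other's files.
    find "$dir" -xdev -type d -perm -0002 ! -perm -1000 \
        -exec printf 'WORLD_WRITABLE_DIR_NO_STICKY\t%s\n' {} \;
    # Programs that run with the file owner's or group's identity.
    find "$dir" -xdev -type f -perm -4000 -exec printf 'SETUID\t%s\n' {} \;
    find "$dir" -xdev -type f -perm -2000 -exec printf 'SETGID\t%s\n' {} \;
)

# demo_tree -> path of a constructed sample tree (not real system data)
demo_tree() (
    t=$(mktemp -d) || exit 1
    mkdir "$t/shared" "$t/dropbox"
    : > "$t/report.txt"; : > "$t/notes.txt"; : > "$t/helper"
    chmod 644  "$t/report.txt"   # fine: only the owner can write
    chmod 666  "$t/notes.txt"    # finding: writable by everyone
    chmod 4755 "$t/helper"       # finding: setuid
    chmod 1777 "$t/shared"       # fine: world-writable but sticky, like /tmp
    chmod 777  "$t/dropbox"      # finding: world-writable, no sticky bit
    echo "$t"
)

tree=$(demo_tree) && { audit_perms "$tree"; rm -rf "$tree"; }
```

Linux ignores the setuid bit when executing interpreted scripts, so a SETUID hit on a script grants nothing and the bit can be removed with chmod u-s. Every remaining SETUID or SETGID hit should be a program you can account for.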

Balancing usability and security

Setting ownership and permissions is often a balancing act between usability and security. Allowing broader access promotes productivity and collaboration, but also increases the risk of exploitation. Adjusting that balance for a particular environment is key to enabling work while still maintaining tight security.
