Beyond ‘Chmod’: Additional Steps Needed To Update Group Permissions For Linux Users
Understanding Linux File Permissions
The Linux operating system utilizes a sophisticated system of file permissions to control user access to files and directories. The basic permission scheme consists of three classes of users – the file owner, the group owner, and all other users referred to as “others”. Each class of users can be granted read, write and execute permissions on each file and directory.
The most common command used to view and modify Linux file permissions is chmod. This command allows the owner of a file to change the read, write and execute permissions for the owner, group and others. However, chmod has some limitations that prevent it from being a catch-all solution for permission management.
Quick Overview of Basic File Permissions – User, Group, Other
When viewing file permissions in Linux, you will see a set of symbols that indicate what permissions are enabled. Here is a quick overview:
- The first character represents the permissions for the file owner
- The second character represents the permissions for the group owner
- The third character represents the permissions for all other users on the system
The letters used to indicate permissions are:
- r – read permission
- w – write permission
- x – execute permission
Explanation of Chmod and Its Limitations
The chmod command allows the owner of a file to change the read, write and execute permissions. The syntax is:
chmod [options] mode file
Where mode can specify permissions for the owner, group and others. Some examples:
- chmod 644 file.txt – Owner can read/write, group can read, others can read
- chmod 755 file.txt – Owner can read/write/execute, group and others can read/execute
While chmod is very useful, it has some limitations:
- It can only change permissions, not change file ownership
- Changes only apply to one file at a time
- Easy to fat-finger modes and break permissions
Thus, other commands are needed for tasks like changing group ownership recursively across directories.
Setting the Group Owner
While chmod can change group permissions, the chgrp command allows changing the group owner on files and directories.
Using Chgrp to Change Group Ownership
The chgrp command syntax is simple:
chgrp [options] groupname file
To change group ownership on a file or directory, specify the name of the group you want to be the new owner. For example:
Example: chgrp managers file.txt
This changes the group owner of file.txt to be the group called managers. All files created by managers staff will likely need that group ownership.
Inheriting Group Permissions
One unique capability of Linux file permissions is that new files and folders inherit group ownership from parent directories by default. Understanding this concept is key to properly configuring permissions.
How New Files Inherit Group from Parent Directory
When a user creates a new file or folder, the basic umask permissions will dictate things like group read/write permissions. However, that new file or folder will also automatically be assigned the same group owner as the parent folder.
For example, if parent-folder has group ownership set as managers, then:
parent-folder/new-file will inherit the managers group ownership.
Example of Creating File and Having Wrong Group
A common permission issue is that a user creates a new file without realizing what parent group permission will be inherited. For example, say accounting staff saves a file into a managers folder due to a workflow issue. The accounting user creates file.txt, but it gets assigned as being owned by the managers group when inheritance applies.
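An added example (not part of the original article) for checking which group a new file in a directory will actually receive: on Linux the directory's group is passed on when the directory has the setgid bit (chmod g+s), otherwise the creating process's effective group is used. The function names are illustrative, and the script assumes GNU coreutils and a filesystem mounted without the grpid/bsdgroups option.

```shell
#!/bin/bash
# Added example, not from the original article. Function names are
# illustrative. Assumes GNU stat and no grpid/bsdgroups mount option.

# Print the numeric GID a file created in DIR by this process should get.
predict_new_file_gid() {
    local dir="$1"
    [ -d "$dir" ] || return 1
    if [ -g "$dir" ]; then
        stat -c '%g' "$dir"   # setgid directory: new entries take its group
    else
        id -g                 # otherwise: the creator's effective group
    fi
}

# Create a scratch file in DIR, print the GID it really received, remove it.
actual_new_file_gid() {
    local dir="$1"
    local probe
    probe=$(mktemp "$dir/.gidprobe.XXXXXX") || return 1
    stat -c '%g' "$probe"
    rm -f -- "$probe"
}

# Report prediction and result for DIR; non-zero exit if they disagree.
check_group_inheritance() {
    local dir="$1"
    local want got bit=no
    want=$(predict_new_file_gid "$dir") || return 2
    got=$(actual_new_file_gid "$dir") || return 2
    if [ -g "$dir" ]; then bit=yes; fi
    printf '%s setgid=%s predicted_gid=%s actual_gid=%s\n' \
        "$dir" "$bit" "$want" "$got"
    [ "$want" = "$got" ]
}
```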
Fixing Incorrect Group Permissions
When troubleshooting permission issues caused by incorrect group ownership, there are several useful commands to fix the problem.
Using chmod g+rw to Add Group Permissions
A simple issue that occurs is that the correct group is assigned ownership, but that group lacks a given permission like write access. In that case, use chmod to specifically add group level permission:
chmod g+rw some-file
The g indicates this change applies to the group permission settings.
Recursively Updating Directories with Find
If you need to fix group permissions or ownership across a large directory with many subfolders and files, use find with chgrp or chmod:
find . -type f -exec chgrp managers {} +
This recursively descends through all directories, finds all files, and runs chgrp to assign those files to be owned by managers group.
Example Code for Bulk Permission Fix
Here is an example bash script that combines find and chown to recursively fix both group permissions and ownership on all matching files:
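#!/bin/bash
# Set owner joe and group managers on every regular file below the current directory
find . -type f -exec chown joe:managers {} +
# Set mode 660 (read/write for owner and group, nothing for others) on the same files
find . -type f -exec chmod 660 {} +
This sets all files to be owned by the user joe and the group managers, with read/write access for the owner and the group.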
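Before running a bulk fix like the script above, a dry run shows which files it would change, including executable files that would lose their execute bits under chmod 660. This is an added example, not from the original article; audit_tree is a hypothetical helper and GNU find and stat are assumed.

```shell
#!/bin/bash
# Added example: dry run for a bulk chown/chmod. audit_tree is a hypothetical
# helper; assumes GNU find/stat and file names without newlines.

# List every regular file under ROOT whose group or mode differs from the
# target, i.e. the files a bulk fix would touch.
# Usage: audit_tree ROOT GROUP [MODE]   (MODE defaults to 660)
audit_tree() {
    local root="$1" want_group="$2" want_mode="${3:-660}"
    local mode sym group path note
    # Group names cannot contain ':', so it is a safe field separator;
    # the path comes last and keeps any ':' it contains.
    find "$root" -type f -exec stat -c '%a:%A:%G:%n' {} + |
    while IFS=: read -r mode sym group path; do
        if [ "$group" != "$want_group" ]; then
            printf 'GROUP %s: %s -> %s\n' "$path" "$group" "$want_group"
        fi
        if [ "$mode" != "$want_mode" ]; then
            note=''
            # x, s or t in the symbolic mode means an execute bit is set
            case "$sym" in
                *[xst]*) note=' (file is executable)' ;;
            esac
            printf 'MODE  %s: %s -> %s%s\n' \
                "$path" "$mode" "$want_mode" "$note"
        fi
    done
}
```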
Setting Default Group
For a more permanent solution to issues with users creating new files and having incorrect group ownership, administrators can define default group assignments.
Configuring Default Group for New Files
Within the /etc/login.defs file, administrators can set the GROUP_ID parameter to specify the default group ID. Any newly created file will inherit permissions for that group unless otherwise specified by the creating application.
Updating Umask to Set Permissions
The umask value defines the default permission settings when a new file or folder is created. By updating the umask you can make sure that proper group level permissions are inherited.
Showing Umask Examples
Some example umask values and resulting permissions:
- umask 007 – No default group permissions
- umask 002 – Default group read/write permissions
Setting an appropriate umask is important to prevent permission problems when users create new files.
Verifying and Troubleshooting Groups
Once file and directory permissions are correctly configured for groups, there are several useful commands for verification and troubleshooting.
Checking Groups with ls, id, groups Commands
The first step is checking which groups a user belongs to. The groups and id commands show group membership:
$ groups
managers users
$ id
uid=100(joe) gid=500(managers) groups=500(managers),501(users)
Then ls can be used to show ownership and permissions:
$ ls -l file.txt
-rw-rw-r-- 1 joe managers 10232 Feb 12 14:23 file.txt
Debugging Issues with Group Permissions
If users report permission denied errors that seem tied to group ownership, check the following:
- Does the user belong to the file’s group?
- Does the group have the necessary permissions?
- Has group ownership changed unexpectedly?
Use chown and chmod as outlined to assign proper ownership and permissions.
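The first two checklist questions as a script, added here as an example and not part of the original article: diagnose_group_access (a hypothetical name) reports whether an account is in the file's group and whether the group triplet grants the requested access. It assumes GNU stat and looks only at the group class, so it applies to accounts that are not the file's owner.

```shell
#!/bin/bash
# Added example, not from the original article. diagnose_group_access is a
# hypothetical helper; assumes GNU stat.
# Usage: diagnose_group_access FILE [r|w|x] [USER]
#        USER defaults to the account running the script.
# Exit status: 0 if USER is in FILE's group and the group has the access,
#              1 if not, 2 on a usage or stat error.
diagnose_group_access() {
    local file="$1" want="${2:-r}" user="${3:-}"
    local fgid gbits gid member=no allowed=no
    fgid=$(stat -c '%g' "$file") || return 2
    # %A prints e.g. -rw-rw-r--; characters 5-7 are the group triplet
    gbits=$(stat -c '%A' "$file" | cut -c5-7)
    # id -G prints the numeric primary and supplementary group IDs
    for gid in $(id -G ${user:+"$user"}); do
        if [ "$gid" = "$fgid" ]; then member=yes; fi
    done
    case "$want" in
        r) case "$gbits" in r??) allowed=yes ;; esac ;;
        w) case "$gbits" in ?w?) allowed=yes ;; esac ;;
        x) case "$gbits" in ??[xs]) allowed=yes ;; esac ;;
        *) return 2 ;;
    esac
    printf 'file=%s group=%s(%s) group_bits=%s member=%s %s_allowed=%s\n' \
        "$file" "$(stat -c '%G' "$file")" "$fgid" "$gbits" \
        "$member" "$want" "$allowed"
    [ "$member" = yes ] && [ "$allowed" = yes ]
}
```

Called without a user name it inspects the current session's groups, which are fixed at login. With a user name, id reads the group database, so a user who was just added to a group appears there before their running session picks the change up.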
Example Output for Verification
Here is example output showing a file owned by the managers group and user joe who belongs to that group:
$ ls -l file.txt
-rw-rw-r-- 1 joe managers 10232 Feb 12 14:23 file.txt
$ groups joe
managers users
$ id joe
uid=1000(joe) gid=500(managers) groups=500(managers), 501(users)
The permissions allow the managers group read/write access, and joe can access the file via his managers group membership.