To the new Linux administrator, permissions can be a particularly sticky topic. While documented in various places, I thought it might be best to give a brief overview from the perspective of new users.
I am going to split the discussion about permissions into two factors: the user and group, and the actual permissions. While one might want to keep them separate, the topics work together from the perspective of introductory Linux administration.
Users and Groups
Many people will already be familiar with the concept of the user. When logging into a server, one must choose a user and supply the matching password. Not all users allow logins; many exist only so that a particular program can run under its own identity, or to cordon off permissions during certain operations. Every user is also a member of one or more groups, and a group is simply a collection of one or more users.
While a user can be given permissions to a file, a group can also be given permissions. When using the ls -l command to check the files in a directory, the column showing the group immediately follows the column showing the owning user.
The chown command changes the ownership of a file. If both the user and the group must be changed, it can be done in one command, like this: chown user:group file (chown with just a user name changes only the user, and chgrp changes only the group).
Now that our file is owned by the right user, let's make sure the permissions are set appropriately for access. Basic permissions can be displayed in two forms: one is a list of read, write, and execute flags, the other is a 3 digit octal number. In either case, you can distinguish 3 different permission sets: one for the user that owns the file, one for the group that owns the file, and one for everyone else. In list form, the following permissions indicate that the owner and the owning group can read and write, but everyone else can only read: rw-rw-r--
If you change the example to also allow everyone to execute, the permissions would look like the following: rwxrwxr-x
The octal version of these two examples would be 664 and 775 respectively. While the octal format can be intimidating at first, it is also a very fast and precise way of controlling permissions. Each digit represents one permission set (user, group, and everyone else, in that order). To determine the number for each digit, you simply add the values of the flags you want from the following list:
read = 4
write = 2
execute = 1
So to set read and write, we would use 4+2=6. To allow every user on the system to read and write, the following command can be used: chmod 666 /path/to/file. Be aware that 666 lets anyone on the machine modify the file, so outside of a quick test it is rarely the right choice; most files should keep write access limited to the owner.
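The conversion between the two notations described above, as an added example that is not code from the original article. It handles the basic read/write/execute bits only (no setuid, setgid or sticky bits), runs in any POSIX shell, and finishes by applying a few modes with chmod to a temporary file and reading them back through ls -l:

```shell
#!/bin/sh
# Convert between the nine-character rwx string shown by ls -l and the
# three-digit octal number used with chmod. Added example, not code from
# the original article; basic permission bits only, POSIX sh.

# Symbolic -> octal: each triplet is the sum of r=4, w=2, x=1.
sym_to_octal() {
    sym=$1
    case $sym in
        [r-][w-][x-][r-][w-][x-][r-][w-][x-]) ;;
        *) echo "expected nine characters such as rw-r--r--, got '$sym'" >&2; return 1 ;;
    esac
    out=""
    for range in 1-3 4-6 7-9; do
        trip=$(printf '%s\n' "$sym" | cut -c"$range")
        d=0
        case $trip in r??) d=$((d + 4)) ;; esac
        case $trip in ?w?) d=$((d + 2)) ;; esac
        case $trip in ??x) d=$((d + 1)) ;; esac
        out="$out$d"
    done
    printf '%s\n' "$out"
}

# Octal -> symbolic: test the 4, 2 and 1 bits of each digit in turn.
octal_to_sym() {
    oct=$1
    case $oct in
        [0-7][0-7][0-7]) ;;
        *) echo "expected three octal digits such as 644, got '$oct'" >&2; return 1 ;;
    esac
    out=""
    for pos in 1 2 3; do
        d=$(printf '%s\n' "$oct" | cut -c"$pos")
        if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $((d & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    done
    printf '%s\n' "$out"
}

# The nine permission characters of a path as ls -l prints them
# (the leading file-type character is dropped).
perm_string_of() {
    ls -ld "$1" | cut -c2-10
}

# Demonstration on a temporary file: apply a mode and read it back both ways.
f=$(mktemp)
for mode in 664 775 644 711; do
    chmod "$mode" "$f"
    shown=$(perm_string_of "$f")
    printf 'chmod %s -> ls shows %s -> back to octal %s\n' \
        "$mode" "$shown" "$(sym_to_octal "$shown")"
done
rm -f "$f"
```

Both functions reject malformed input rather than silently producing a number, which matters when a mode string is pasted from a ticket or a log rather than typed by hand.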
What Does it all Mean?
Now that we can change owners and permissions on a file, what can we do? One of the most obvious answers is to allow or restrict file access. For instance, if a user wanted all other users to be able to read a file, but not edit it, the permissions could be set to 744 (rwxr--r--); for a plain data file that the owner never runs, 644 (rw-r--r--) gives the same result without the owner's execute bit. There are also cases where all users might need to be able to execute a program, but the administrator does not want them to be able to read or write it. This would use permissions 711 (rwx--x--x). Note that this only works for compiled binaries: a script that is --x but not readable cannot be run by anyone other than the owner, because the interpreter has to open and read the file.
In the case of a web server, all files need to be readable by the user that the web server runs as. This user cannot log in, but exists so that the server's access to the web files can be controlled. Commonly, this user will be named apache, http, or www-data. If a web server cannot find a file, or complains about permissions, make sure that the file is owned by the correct user (or is readable by the server's group, or by everyone), that the owner has read permission, and that the server user has execute (search) permission on every directory leading to the file; a single directory in the path without that bit is enough to produce a permission error.
Another point about web servers is that scripts, such as PHP and Perl, must have the permissions they need to run and no more, to limit what an attacker who gains control of the web server process can change. The correct permissions in this instance are 644 (rw-r--r--). This allows all users (including the web server user) to read the script, but does not let non-owners write to it; if the server user could write the script, anyone who compromised that relatively exposed account could change the program. Execute is not needed because the script runs inside the web server software (for example through a PHP module), not from the command line. The exception is a script executed as a CGI program, which the server runs directly and which therefore needs the execute bit as well (755).
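The two checks a practitioner runs when a web server reports "permission denied" on a document or a script has the wrong mode, as an added example that is not code from the original article. It assumes the server user is not the file's owner and therefore relies on the "others" bits, and it parses ls -ld rather than using GNU-only stat options so it runs in any POSIX shell. The temporary tree it builds at the end is constructed for the demonstration:

```shell
#!/bin/sh
# Diagnose web document permissions as the article describes: the server
# user must read the file and search (x) every directory above it, and a
# script must not be writable by group or others. Added example, not
# code from the original article; assumes the server user depends on the
# "others" bits, and parses ls -ld for portability.

# Symbolic mode string of a path, e.g. drwxr-xr-x.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Succeed when "others" can read FILE and search every directory from
# FILE's parent up to TOP (default /); otherwise print the first
# component that blocks access and fail.
check_world_readable() {
    file=$1
    top=${2:-/}
    [ -e "$file" ] || { echo "$file: no such file" >&2; return 1; }
    dir=$(cd "$(dirname "$file")" && pwd -P) || return 1
    top=$(cd "$top" && pwd -P) || return 1
    m=$(mode_of "$dir/$(basename "$file")")
    case $m in
        ???????r??) ;;                         # position 8: others read
        *) echo "$file: others cannot read it ($m)"; return 1 ;;
    esac
    d=$dir
    while :; do
        m=$(mode_of "$d")
        case $m in
            ?????????[xt]) ;;                  # position 10: others search
            *) echo "$d: others cannot search this directory ($m)"; return 1 ;;
        esac
        [ "$d" = "$top" ] && break
        [ "$d" = / ] && break
        d=$(dirname "$d")
    done
    return 0
}

# Succeed when FILE is not writable by group or others (644-style).
check_not_writable_by_others() {
    m=$(mode_of "$1")
    case $m in
        ?????w????|????????w?)                 # positions 6 and 9: w bits
            echo "$1: writable by group or others ($m); chmod 644 is safer"
            return 1 ;;
    esac
    return 0
}

# Demonstration on a constructed temporary tree.
demo_root=$(mktemp -d)                         # mktemp -d creates it 0700
mkdir "$demo_root/htdocs"
chmod 755 "$demo_root/htdocs"
printf '<?php echo "hi"; ?>\n' > "$demo_root/htdocs/index.php"
chmod 644 "$demo_root/htdocs/index.php"
if check_world_readable "$demo_root/htdocs/index.php" "$demo_root"; then
    echo "readable"
else
    echo "blocked: the parent directory is 0700"
fi
chmod 755 "$demo_root"
check_world_readable "$demo_root/htdocs/index.php" "$demo_root" && echo "readable now"
chmod 666 "$demo_root/htdocs/index.php"
check_not_writable_by_others "$demo_root/htdocs/index.php" || echo "fix: chmod 644"
rm -rf "$demo_root"
```

The walk up the directory tree is the part people forget: a 644 file inside a 700 home directory is still unreachable for the server user, and the error message from the server looks the same as a missing read bit on the file itself.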
Whatever your need for Linux permissions, a thorough understanding of the system makes it possible to configure many systems and troubleshoot many common problems.