<div style="color:red;background-color:black">
Diamond Light Source

<h1 style="color:red;background-color:antiquewhite"> Linux Introduction: Permissions</h1>  

©2000-20 Chris Seddon 
</div>

# Linux Permissions

In Linux, files have 3 sets of permissions.  
You can use the 'ls' command to see the permissions.  
Let's create some files and look at their permissions.

In [1]:
%cd

/home/wns35789


That takes us to your home directory.  Now let's create a directory for our work:

In [2]:
%%bash
mkdir play

cd to the directory we've just created:

In [3]:
%cd play

/home/wns35789/play


We can create an empty file using the 'touch' command.  This command was really meant to be used in a different context, but is handy here and saves having to use an editor to create files.

In [4]:
%%bash
touch f1 f2 f3 f4

This creates 4 empty files:

In [5]:
%%bash
ls -l

total 0
-rw-rw-r--. 1 wns35789 wns35789 0 Feb 26 22:11 f1
-rw-rw-r--. 1 wns35789 wns35789 0 Feb 26 22:11 f2
-rw-rw-r--. 1 wns35789 wns35789 0 Feb 26 22:11 f3
-rw-rw-r--. 1 wns35789 wns35789 0 Feb 26 22:11 f4


The output of 'ls' is interpreted as follows:
* column 1 indicates the file type.  - indicates a regular file, d indicates a directory.  Other types exist.
* the next 9 characters are the file permissions.  In this case each file has been created with the same set of permissions: rw-rw-r--.
* immediately after the permissions is the link count of the file.  Every file can have multiple names and this count shows the number of such names.
* next comes the owner of the file
* followed by the group to whom permissions apply
* the zero indicates the file size in bytes - recall we created empty files
* then a time stamp when the file was last edited
* finally we have the name of the file

The 9 permissions can be split into 3 sets of permissions:

    rw-
    rw-
    r--

* The first set applies to the owner of the file.  
* The second set applies to members of the file's group.
* The last set applies to everybody else.

The 'r' and 'w' permissions are read and write permission.  There is also an 'x' permission for command files that can be executed.

You can check who you are with:

In [6]:
%%bash
whoami

wns35789


You can check which groups you belong to:

In [7]:
%%bash
groups

wns35789 dls_staff


You might be wondering why new files are created with the above set of permissions.  This is controlled by the 'umask'.  The idea is to create new files with a sensible set of permissions, so that you and probably members of your group can read and write to the files, but everyone else is restricted.
We can see our 'umask' setting with:

In [8]:
%%bash
umask

0002


The umask is displayed as an octal number.  The permissions can also be expressed in octal using the following scheme:

    r = 4
    w = 2
    x = 1

* if the file owner has 'rw' permission, this is represented by octal 6 (r+w=4+2)  
* if the group also has 'rw' permission, that is octal 6 (r+w=4+2)  
* and if others have only 'r' permission, that is octal 4 (r=4)  

then the total permission will be octal 664.  

When a file is created the sum of the umask and the permissions always comes to 666:  
>    umask       = 002  
    permissions = 664  
    TOTAL        = 666  

Let's set the umask and create some files to check this out:

In [9]:
%%bash
umask 044
touch g1 g2 g3 g4
ls -l

total 0
-rw-rw-r--. 1 wns35789 wns35789 0 Feb 26 22:11 f1
-rw-rw-r--. 1 wns35789 wns35789 0 Feb 26 22:11 f2
-rw-rw-r--. 1 wns35789 wns35789 0 Feb 26 22:11 f3
-rw-rw-r--. 1 wns35789 wns35789 0 Feb 26 22:11 f4
-rw--w--w-. 1 wns35789 wns35789 0 Feb 26 22:11 g1
-rw--w--w-. 1 wns35789 wns35789 0 Feb 26 22:11 g2
-rw--w--w-. 1 wns35789 wns35789 0 Feb 26 22:11 g3
-rw--w--w-. 1 wns35789 wns35789 0 Feb 26 22:11 g4


The new files have permissions: rw- -w- -w-  
In octal this amounts to a permission of 644.  
Note that the sum of the umask (002) and the permissions (644) on g1, g2, g3 and g4 comes to 666:  

>   umask       = 002  
    permissions = 664  
    TOTAL       = 666

If you change the 'umask' it will only affect new files:

In [10]:
%%bash
umask 044
touch h1 h2 h3 h4
ls -l

total 0
-rw-rw-r--. 1 wns35789 wns35789 0 Feb 26 22:11 f1
-rw-rw-r--. 1 wns35789 wns35789 0 Feb 26 22:11 f2
-rw-rw-r--. 1 wns35789 wns35789 0 Feb 26 22:11 f3
-rw-rw-r--. 1 wns35789 wns35789 0 Feb 26 22:11 f4
-rw--w--w-. 1 wns35789 wns35789 0 Feb 26 22:11 g1
-rw--w--w-. 1 wns35789 wns35789 0 Feb 26 22:11 g2
-rw--w--w-. 1 wns35789 wns35789 0 Feb 26 22:11 g3
-rw--w--w-. 1 wns35789 wns35789 0 Feb 26 22:11 g4
-rw--w--w-. 1 wns35789 wns35789 0 Feb 26 22:11 h1
-rw--w--w-. 1 wns35789 wns35789 0 Feb 26 22:11 h2
-rw--w--w-. 1 wns35789 wns35789 0 Feb 26 22:11 h3
-rw--w--w-. 1 wns35789 wns35789 0 Feb 26 22:11 h4


Note that the sum of the umask and the permissions on h1, h2, h3 and h4 still comes to 666:  
>    umask       = 044  
    permissions = 622  
    TOTAL       = 666  
    
The other files are unchanged.

That raises the question of how to change the permissions of existing files.  Use the *chmod* command:

In [11]:
%%bash
chmod 666 g1 g2 g3 g4
ls -l

total 0
-rw-rw-r--. 1 wns35789 wns35789 0 Feb 26 22:11 f1
-rw-rw-r--. 1 wns35789 wns35789 0 Feb 26 22:11 f2
-rw-rw-r--. 1 wns35789 wns35789 0 Feb 26 22:11 f3
-rw-rw-r--. 1 wns35789 wns35789 0 Feb 26 22:11 f4
-rw-rw-rw-. 1 wns35789 wns35789 0 Feb 26 22:11 g1
-rw-rw-rw-. 1 wns35789 wns35789 0 Feb 26 22:11 g2
-rw-rw-rw-. 1 wns35789 wns35789 0 Feb 26 22:11 g3
-rw-rw-rw-. 1 wns35789 wns35789 0 Feb 26 22:11 g4
-rw--w--w-. 1 wns35789 wns35789 0 Feb 26 22:11 h1
-rw--w--w-. 1 wns35789 wns35789 0 Feb 26 22:11 h2
-rw--w--w-. 1 wns35789 wns35789 0 Feb 26 22:11 h3
-rw--w--w-. 1 wns35789 wns35789 0 Feb 26 22:11 h4


Here we have changed the permissions on h1, h2, h3 and h4 to octal 666 or rw-rw-rw-

We can also make the files executable by adding the *x* permission:

In [12]:
%%bash
chmod 777 g1 g2 g3 g4
ls -l

total 0
-rw-rw-r--. 1 wns35789 wns35789 0 Feb 26 22:11 f1
-rw-rw-r--. 1 wns35789 wns35789 0 Feb 26 22:11 f2
-rw-rw-r--. 1 wns35789 wns35789 0 Feb 26 22:11 f3
-rw-rw-r--. 1 wns35789 wns35789 0 Feb 26 22:11 f4
-rwxrwxrwx. 1 wns35789 wns35789 0 Feb 26 22:11 g1
-rwxrwxrwx. 1 wns35789 wns35789 0 Feb 26 22:11 g2
-rwxrwxrwx. 1 wns35789 wns35789 0 Feb 26 22:11 g3
-rwxrwxrwx. 1 wns35789 wns35789 0 Feb 26 22:11 g4
-rw--w--w-. 1 wns35789 wns35789 0 Feb 26 22:11 h1
-rw--w--w-. 1 wns35789 wns35789 0 Feb 26 22:11 h2
-rw--w--w-. 1 wns35789 wns35789 0 Feb 26 22:11 h3
-rw--w--w-. 1 wns35789 wns35789 0 Feb 26 22:11 h4


*chmod* also allows us to use symbolic permissions.  For example:

In [13]:
%%bash
chmod +x f1 f2 f3 f4
ls -l

total 0
-rwxrwxr-x. 1 wns35789 wns35789 0 Feb 26 22:11 f1
-rwxrwxr-x. 1 wns35789 wns35789 0 Feb 26 22:11 f2
-rwxrwxr-x. 1 wns35789 wns35789 0 Feb 26 22:11 f3
-rwxrwxr-x. 1 wns35789 wns35789 0 Feb 26 22:11 f4
-rwxrwxrwx. 1 wns35789 wns35789 0 Feb 26 22:11 g1
-rwxrwxrwx. 1 wns35789 wns35789 0 Feb 26 22:11 g2
-rwxrwxrwx. 1 wns35789 wns35789 0 Feb 26 22:11 g3
-rwxrwxrwx. 1 wns35789 wns35789 0 Feb 26 22:11 g4
-rw--w--w-. 1 wns35789 wns35789 0 Feb 26 22:11 h1
-rw--w--w-. 1 wns35789 wns35789 0 Feb 26 22:11 h2
-rw--w--w-. 1 wns35789 wns35789 0 Feb 26 22:11 h3
-rw--w--w-. 1 wns35789 wns35789 0 Feb 26 22:11 h4


The <em>+x</em> switches on the <em>x</em> permission.  
We can also use <em>r</em> for read and <em>w</em> for write:

In [14]:
%%bash
chmod -rw f1 f2 f3 f4
ls -l

total 0
---x--x--x. 1 wns35789 wns35789 0 Feb 26 22:11 f1
---x--x--x. 1 wns35789 wns35789 0 Feb 26 22:11 f2
---x--x--x. 1 wns35789 wns35789 0 Feb 26 22:11 f3
---x--x--x. 1 wns35789 wns35789 0 Feb 26 22:11 f4
-rwxrwxrwx. 1 wns35789 wns35789 0 Feb 26 22:11 g1
-rwxrwxrwx. 1 wns35789 wns35789 0 Feb 26 22:11 g2
-rwxrwxrwx. 1 wns35789 wns35789 0 Feb 26 22:11 g3
-rwxrwxrwx. 1 wns35789 wns35789 0 Feb 26 22:11 g4
-rw--w--w-. 1 wns35789 wns35789 0 Feb 26 22:11 h1
-rw--w--w-. 1 wns35789 wns35789 0 Feb 26 22:11 h2
-rw--w--w-. 1 wns35789 wns35789 0 Feb 26 22:11 h3
-rw--w--w-. 1 wns35789 wns35789 0 Feb 26 22:11 h4


Here we've switched off the <em>rw</em> permissions.
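
How a symbolic mode without a class letter interacts with the umask, as an added example that is not part of the original notebook: a mode such as `+x` behaves like `a+x` except that bits set in the umask are left untouched. The function name `mode_after` and the umask 077 cases are constructed for illustration; `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the notebook): a symbolic mode with no "who"
# letter (u, g, o, a) acts like "a", but skips bits set in the umask.

# mode_after UMASK START SPEC -> octal mode of a scratch file that starts at
# START and then has "chmod SPEC" applied while UMASK is in effect.
# mode_after is a hypothetical helper name.
mode_after() {
    (
        dir=$(mktemp -d) || exit 1
        f="$dir/script"
        touch "$f" && chmod "$2" "$f"    # numeric mode: exact starting point
        umask "$1"
        chmod "$3" "$f"
        mode=$(stat -c '%a' "$f")        # GNU coreutils stat
        rm -rf "$dir"
        printf '%s\n' "$mode"
    )
}

# The notebook's case: umask 0002 masks only "write for others", so +x
# reaches owner, group and others.
mode_after 0002 664 +x      # 775
# Constructed case: under a restrictive umask the same command only
# reaches the owner.
mode_after 077 600 +x       # 700
# Naming the class makes the result independent of the umask.
mode_after 077 600 a+x      # 711
mode_after 0002 664 u+x     # 764
```

Scripts that must produce a predictable mode should name the class (`u+x`, `go-w`) or use an octal mode rather than rely on the caller's umask.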

The *umask* and *chmod* commands also apply to directories, but they work slightly differently.  This is because the <em>rwx</em> permissions mean different things when applied to directories.  For directories:    
>  r = permission to read directory contents (ls will work)  
   w = permission to modify directory contents (mv, rm will work)  
   x = permission to access directory (cd will work)  

When using *umask* with directories the permissions + umask = 777.  
Let's create some directories to check this out:

In [15]:
%%bash
umask 044
mkdir d1 d2
ls -ld d1 d2

drwx-wx-wx. 2 wns35789 wns35789 4096 Feb 26 22:11 d1
drwx-wx-wx. 2 wns35789 wns35789 4096 Feb 26 22:11 d2


Note that d1 and d2 have been created with permissions 733.  
> umask = 044  
  permissions = 733  
    TOTAL = 777  

Again, change the umask:

In [16]:
%%bash
umask 023
mkdir d3 d4
ls -ld d3 d4

drwxr-xr--. 2 wns35789 wns35789 4096 Feb 26 22:11 d3
drwxr-xr--. 2 wns35789 wns35789 4096 Feb 26 22:11 d4


Note that d3 and d4 have been created with permissions 751.  
> umask = 023  
  permissions = 751  
    TOTAL = 777  
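
The mechanism behind the umask arithmetic for files (666) and directories (777), as an added example that is not part of the original notebook: the creating program requests a mode (0666 from `touch`, 0777 from `mkdir`) and the kernel clears every bit that is set in the umask. The function names and the umask 027 case are constructed for illustration; `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the notebook). Function names are hypothetical.

# predicted_mode BASE UMASK -> octal BASE & ~UMASK
predicted_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# sum_rule_holds BASE UMASK -> true only when every umask bit is also set in
# BASE, the one case where "permissions + umask = BASE" gives the right answer
sum_rule_holds() {
    [ $(( 0$2 & ~0$1 & 0777 )) -eq 0 ]
}

# observed_mode KIND UMASK -> mode of a file (f) or directory (d) really
# created under UMASK in a throwaway directory
observed_mode() {
    (
        dir=$(mktemp -d) || exit 1
        umask "$2"
        if [ "$1" = d ]; then mkdir "$dir/new"; else touch "$dir/new"; fi
        mode=$(stat -c '%a' "$dir/new")   # GNU coreutils stat
        rm -rf "$dir"
        printf '%s\n' "$mode"
    )
}

# 002, 044 and 023 are the notebook's umasks; 027 is a constructed case
# whose "x for others" bit is not part of a file's 666 base.
for m in 002 044 023 027; do
    if sum_rule_holds 666 "$m"; then note="sum rule ok"; else note="sum rule fails"; fi
    printf 'umask %s  file %s (created %s, %s)  dir %s (created %s)\n' "$m" \
        "$(predicted_mode 666 "$m")" "$(observed_mode f "$m")" "$note" \
        "$(predicted_mode 777 "$m")" "$(observed_mode d "$m")"
done
```

With umask 044 new files stay writable by group and others (622); a umask such as 022 or 027 clears that write bit at creation time.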

We can use *chmod* to change these permissions:

In [17]:
%%bash
chmod -r d3 d4
ls -ld d3 d4

d-wx--x---. 2 wns35789 wns35789 4096 Feb 26 22:11 d3
d-wx--x---. 2 wns35789 wns35789 4096 Feb 26 22:11 d4


That completes this tutorial; all that is left is to remove the files created in this tutorial: 

In [18]:
%cd

/home/wns35789


In [19]:
%%bash
rm -r ~/play