Sysadmin can be a tough nut to crack
It's something that we all come across at one point or another, so I thought: why not try to demystify the basics a little bit?
Fundamentals
When it comes down to it, all files and directories on a server have a few things in common:
- They belong to a user
- They belong to a group
- They have access permissions
There are 3 types of permission which a user can have for a file/directory.
- Read - The file can be read
- Write - The file can be written to
- Execute - The user can execute the file
There are also 3 different groups of users in terms of their relationship to the file.
- The owner of the file
- The group of users who can access the file
- The rest of the world
What this actually means
Typing ls -la in almost any directory will show you all of this information. It will look something like this:
-rwxrwx--- 2 admin dev-team 4096 Apr 23 06:22 file-for-my-group
drwx------ 2 admin admin 4096 Apr 23 06:21 my-private-files
drwxrwxr-x 2 admin admin 4096 Apr 23 06:21 public-files
I've set up this example to show file/directory permissions and users/groups.
That long sequence of letters breaks down the permissions which each user has for (in this case) that directory.
This breaks down into 4 groups of file permissions. As an example, let's take a look at the permissions of the public-files directory and break it down:
drwxrwxr-x
- d shows that the file is a directory (a normal file will just have a dash in this first spot)
- The following 3 letters (rwx) show that the user who owns the file can read from, write to, and execute the file
- The second set of 3 letters (again rwx) shows that all users in the same group as the file can read from, write to, and execute the file
- The final 3 characters (r-x) show that all other users (those who aren't the owner or in the group) can only read from and execute that file.
In short, it looks like:
Changing Permissions
Now that we know how the server knows what we can and can't access, let's look at changing it.
Remember the example from before?
-rwxrwx--- 2 admin dev-team 4096 Apr 23 06:22 file-for-my-group
drwx------ 2 admin admin 4096 Apr 23 06:21 my-private-files
drwxrwxr-x 2 admin admin 4096 Apr 23 06:21 public-files
Let's say that I now want anyone who's not in the correct group to access the file-for-my-group document. At the moment, you can see that people outside of the group cannot read, write, or execute this file, but I now want to allow anyone to be able to read it.
I would use the chmod command to do this. This command takes several arguments, which look as follows:
chmod [options] [permission] [file to change]
By permission I mean a sequence of 3 numbers which denotes the access levels and the information that we've been through above. We make this code by assigning each of the different permissions (read, write and execute) a number:
- read - 4
- write - 2
- execute - 1
If I want to read, write and execute the file, the number used will be 7 (4 + 2 + 1). If I only want to allow reading and execution, the number will be 5 (4 + 1) and, logically, if I don't want to allow any of the above the number will be 0.
Knowing this, we can now assemble the three numbers we need in order to denote these new permissions. If I want the owner to have full access (7), the group to have full access (7) and the rest of the world to only have read access (4) then the number will be 774.
To use this in the case of the chmod command it will look like this:
chmod 774 file-for-my-group
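To check a mode before or after changing it, the script below (an added example, not part of the original post) converts the permission string printed by ls into the three-digit number that chmod takes, then applies chmod 774 to a throwaway file and reads the result back. The function names sym_to_octal and chmod_roundtrip are made up for this illustration.

```shell
#!/bin/sh
# Added example: map an `ls -l` permission string to the chmod number
# using read=4, write=2, execute=1.

# sym_to_octal (hypothetical helper): "drwxrwxr-x" -> "775".
# Only r, w, x and - are accepted; anything else returns an error.
sym_to_octal() {
    # Drop the type character (d or -) and keep the 9 permission characters.
    perms=$(printf '%s' "$1" | cut -c2-10)
    [ "${#perms}" -eq 9 ] || return 1
    out=""
    for start in 1 4 7; do   # owner, group, rest of the world
        triad=$(printf '%s' "$perms" | cut -c"$start"-"$((start + 2))")
        digit=0
        case "$triad" in r??) digit=$((digit + 4)) ;; -??) ;; *) return 1 ;; esac
        case "$triad" in ?w?) digit=$((digit + 2)) ;; ?-?) ;; *) return 1 ;; esac
        case "$triad" in ??x) digit=$((digit + 1)) ;; ??-) ;; *) return 1 ;; esac
        out="$out$digit"
    done
    printf '%s\n' "$out"
}

# chmod_roundtrip (hypothetical helper): apply a numeric mode to a
# temporary file and report what ls shows afterwards, as a number.
chmod_roundtrip() {
    tmpfile=$(mktemp) || return 1
    chmod "$1" "$tmpfile"
    listing=$(ls -ld "$tmpfile")
    rm -f "$tmpfile"
    # The first field of the listing is the permission string.
    sym_to_octal "${listing%% *}"
}

# The three entries from the listing in this article.
for p in -rwxrwx--- drwx------ drwxrwxr-x; do
    printf '%s -> %s\n' "$p" "$(sym_to_octal "$p")"
done
printf 'after chmod 774: %s\n' "$(chmod_roundtrip 774)"
```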
Conclusion
And there we have it! A brief rundown of how server permissions work on Linux systems. There is much more depth to go into (security risks, making entire directories inaccessible, and changing the permissions of an entire directory of files etc.) but this was just meant to be an introduction to get you up and running with Linux and how its files work. Any questions or comments at all leave them down below!