Linux/Unix operating systems have the ability to serve multiple users. Linux was designed to allow more than one user to have access to the system at the same time. Creating multiple user accounts is a good way to keep different work areas (e.g. design and test) separate, even if the different accounts are used by the same person. In order for the Linux multiuser design to work properly, there needs to be a method to protect users from each other.
Permissions
Permissions are the “rights” to act on a file or directory. The basic rights are read, write, and execute.
pi@raspberrypi:~/work $ pwd
/home/pi/work
pi@raspberrypi:~/work $ ls -l
total 8
drwxr-xr-x 2 pi pi 4096 Sep 1 01:04 dir1
drwxr-xr-x 2 pi pi 4096 Sep 1 01:06 dir2
There are four parts to a file's permissions. The first part is the filetype (indicated by the first character in the permissions). If it shows d, then that's a directory. For a regular file we will see a -.
The next three parts of the file mode are the actual permissions. They come in three groups of 3 bits each. The first 3 bits are the user permissions, followed by the group permissions and then the other permissions.
d | rwx | r-x | r-x
Each character represents a different permission:
r: read
w: write
x: execute
-: empty, i.e. no permission
In the above example, we see that the two directories are owned by the user pi (the first word "pi" in each row) and by a group that is also called "pi" (the second "pi" in the row). User pi is the owner and has read, write and execute permissions on the two directories. The group pi has read and execute permissions. And finally, the other users on the system (everyone else) have read and execute permissions.
Changing permissions
Changing permissions is done with the chmod command.
First, pick which permission set you want to change: user (u), group (g) or other (o). You can add or remove permissions with + or -.
In the following example we are going to create a file and grant execute permissions to the owner (ourselves).
pi@raspberrypi:~/work $ pwd
/home/pi/work
pi@raspberrypi:~/work $ touch file1
pi@raspberrypi:~/work $ ls -l
total 8
drwxr-xr-x 2 pi pi 4096 Sep 1 01:04 dir1
drwxr-xr-x 2 pi pi 4096 Sep 1 01:06 dir2
-rw-r--r-- 1 pi pi 0 Sep 1 04:43 file1
pi@raspberrypi:~/work $ chmod u+x file1
pi@raspberrypi:~/work $ ls -l
total 8
drwxr-xr-x 2 pi pi 4096 Sep 1 01:04 dir1
drwxr-xr-x 2 pi pi 4096 Sep 1 01:06 dir2
-rwxr--r-- 1 pi pi 0 Sep 1 04:43 file1
pi@raspberrypi:~/work $
...And this is how we remove read permissions for others.
pi@raspberrypi:~/work $ chmod o-r file1
pi@raspberrypi:~/work $ ls -al
total 16
drwxr-xr-x 4 pi pi 4096 Sep 1 04:43 .
drwxr-xr-x 28 pi pi 4096 Sep 1 00:17 ..
drwxr-xr-x 2 pi pi 4096 Sep 1 01:04 dir1
drwxr-xr-x 2 pi pi 4096 Sep 1 01:06 dir2
-rwxr----- 1 pi pi 0 Sep 1 04:43 file1
pi@raspberrypi:~/work $
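The mode strings and the two chmod steps shown above, worked through in a short script. This is an added example, not part of the original tutorial. It goes slightly beyond the text by also printing each 3-bit group as an octal digit (r=4, w=2, x=1); the function names are made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the original page): decode `ls -l` mode strings.

# Name the file type from the first character (only d and - are covered above).
file_type() {
    case $1 in
        d*) echo "directory" ;;
        -*) echo "regular file" ;;
        *)  echo "other" ;;
    esac
}

# Turn one triplet such as "r-x" into its 3-bit value: r=4, w=2, x=1.
triplet_value() {
    v=0
    case $1 in r??) v=$((v + 4)) ;; esac
    case $1 in ?w?) v=$((v + 2)) ;; esac
    case $1 in ??x) v=$((v + 1)) ;; esac
    echo "$v"
}

# Convert e.g. "-rwxr-----" to "740". Fails unless every position holds its
# expected letter or "-" (setuid/setgid/sticky letters are out of scope here).
mode_to_octal() {
    [ "${#1}" -ge 10 ] || return 1
    perms=$(printf '%s' "$1" | cut -c2-10)
    case $perms in [r-][w-][x-][r-][w-][x-][r-][w-][x-]) ;; *) return 1 ;; esac
    u=$(triplet_value "$(printf '%s' "$perms" | cut -c1-3)")
    g=$(triplet_value "$(printf '%s' "$perms" | cut -c4-6)")
    o=$(triplet_value "$(printf '%s' "$perms" | cut -c7-9)")
    echo "$u$g$o"
}

# Replay the page's chmod steps on a scratch file and print the final mode.
page_chmod_demo() {
    dir=$(mktemp -d) || return 1
    touch "$dir/file1"
    chmod 644 "$dir/file1"   # fixed starting point (-rw-r--r--), whatever the umask
    chmod u+x "$dir/file1"   # owner gains execute
    chmod o-r "$dir/file1"   # others lose read
    ls -l "$dir/file1" | cut -c1-10
    rm -rf "$dir"
}

# Mode strings taken from the listings above.
for m in drwxr-xr-x -rw-r--r-- -rwxr--r-- -rwxr-----; do
    printf '%s  %-12s  %s\n' "$m" "$(file_type "$m")" "$(mode_to_octal "$m")"
done
echo "after chmod u+x, o-r: $(page_chmod_demo)"
```

The scratch file is created in a temporary directory, so the script does not touch ~/work.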
Changing ownership
Ownership of a file can be changed with chown.
The most powerful user account on a Linux/Unix system is root. Let's see what happens when user pi tries to transfer ownership of the file file1 (owned by user pi) to user root.
pi@raspberrypi:~/work $ chown root file1
chown: changing ownership of 'file1': Operation not permitted
The system does not allow user pi to change the ownership of the file (even though pi is the owner). Let's run the same command preceded by sudo. sudo stands for "superuser do" and runs the command after it with superuser (root) privileges (the highest level of permissions possible).
pi@raspberrypi:~/work $ sudo chown root file1
pi@raspberrypi:~/work $ ls -al
total 16
drwxr-xr-x 4 pi pi 4096 Sep 1 04:43 .
drwxr-xr-x 28 pi pi 4096 Sep 1 00:17 ..
drwxr-xr-x 2 pi pi 4096 Sep 1 01:04 dir1
drwxr-xr-x 2 pi pi 4096 Sep 1 01:06 dir2
-rwxr----- 1 root pi 0 Sep 1 04:43 file1
Success! Now you can see that file1 is owned by user root.
Permissions are a much larger topic, but for now this is enough to get a basic understanding of it.