A Beginners Guide to Linux File Permissions
First of all, these examples are all tested under Linux distribution Ubuntu. Nevertheless, they should all work the same no matter which flavor of Linux you’re running. Managing access to files and directories in Linux works with a set of permissions. If you look at those, by typing ls -l from the command line, it looks like this:
The first digit will usually be either blank or, for directories, you’ll see a d. After that, you’ll see 3 digits for user permissions, 3 for group permissions, and 3 for everyone else. These digits (nearly always letters) stand for read (r), write (w), and execute (x). That last one isn’t just for running programs, mind you. Without execute permissions, users can’t enter a directory at all. With that in mind, we can see the example above is a directory. The owner of the directory (jeff) has full access (read, write, and execute). Members of the group that the directory belongs to (jeff) can change into that directory and read its files, but not write. The same goes for all other users, since the last 3 permissions set it world-readable and world-executable.
Why Should I Use Groups in Linux?
Let’s say you’ve got a directory that multiple users need access to. The catch here, though, is some users need full read and write access. Others, you only want to be able to read files there, not create them. For example, let’s assume we have five users (jeff, olivia, bruce, stacey, and samantha). Two of them, users jeff and samantha, are editors and need to be able to read and write to the files in a directory. On the other hand, users olivia, bruce, and stacey require read access to a different directory so they can read the files but not make changes.
Creating Your Groups and Group Directories
To do this, you’d create two groups, readers and editors. Assuming you’ve already created the users, it’s time to create the groups. We’ll do that using the addgroup command. You can confirm the groups were created by issuing the command less /etc/group.
Next, let’s create our two directories, readers and editors. These commands will do the trick. With that done, it’s time to set the access permissions for the directories. You’ll assign each directory to its appropriate group, then set permissions. These commands change the group ownership for each directory. The g in the first commands tells Linux we want to change the group permissions. This command prevents users in the readers group from writing to the directory. The second command removes the x bit from others (note the o just before -x) for that directory. This keeps non-group members from accessing any of the files in it. After these commands, only the owner of the directory (root) and the members of the readers group can access the files inside the /READERS directory. Next, we’ll set up the /EDITORS directory to allow write access to members of group editors. Nobody else, except root, will have access to the files. Note that this time, the first command is adding the w bit to the directory permissions. That’s what will allow the group editors to write to the files. Now, root will have full access to the /EDITORS directory, the editors group will be able to write to the files inside, and nobody else can access the files.
Adding a User to a Group in Linux
So far, these commands won’t accomplish much. The groups are empty, so we need to add our users to their respective groups. To start, we’ll add users jeff and samantha to the editors group. Next, we’ll add users olivia, bruce, and stacey to the readers group. This is how, in Linux, to add a user to a group. Now our users have access to the files they need. You can check which users are members of each group by reviewing the /etc/group file. It should look similar to this.
More Advanced Access Control in Linux
Now, let’s say you want your members of the editors group to have write access to the directory /DATA. At the same time, your editors need full read/write access to the directory. This is a bit trickier, since Linux only allows one group at a time to take ownership of a file or directory. Luckily, there is a way. Using Access Control Lists (ACLs), you can give one group read access and another read/write. Here’s how you can give the members of the readers group the correct access. Now, let’s give editors read and write access. There’s quite a bit more that can be done with access control lists, but this is an excellent start.
Multiple Users Play Nicely Together in Linux, but Be Wary
That demonstrates how you can grant access to directories for multiple users. Remember, though, that every user on a computer can present its own security risks. It’s important to set proper policies regarding password strength and security, too. Educate your users about setting strong passwords. These don’t have to be random sequences of letters, numbers, and symbols, either. They can also use a secure passphrase, but only if your policy allows it. You’ll also want to make sure each user knows how to change their password. Comment Name * Email *
Δ Save my name and email and send me emails as new comments are made to this post.