
Managing Permissions

Imagine a file called .my_secrets with the following permissions: -rw-rw-r--. Let's change those around a bit and have a play.

For starters, we don't want to be able to accidentally change the file contents and lose our secrets. Let's make it so we cannot write to the file: chmod 440 .my_secrets

michael@develop:~$ ls -la .my_secrets
-r--r----- 1 michael michael 0 Mar 18 10:11 .my_secrets

That got us a file that can only be read, because the r flag is the only flag that's present. The w flag we had earlier under the user and group sections has been removed. Try editing the file now:

michael@develop:~$ echo "Some new secret" >> .my_secrets
-bash: .my_secrets: Permission denied

Don't worry too much about what echo and >> mean right now. Just know I'm trying to "echo" or "print" the statement, "Some new secret" and then append it (>>) to the file called .my_secrets. And the results? -bash: .my_secrets: Permission denied.

The bash part refers to the default shell most Ubuntu installations use. It's like the environment you're using and there are other choices, but the default is Bash and right now you can ignore this.

The Permission denied is what we're interested in. We're getting this because, as you've probably worked out, we don't have permissions to write to the file. What about deleting it? rm .my_secrets

michael@develop:~$ rm .my_secrets
rm: remove write-protected regular empty file '.my_secrets'? y
michael@develop:~$ ls -la .my_secrets
ls: cannot access '.my_secrets': No such file or directory

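Using rm to delete the file shows us two things here:

  1. We had to confirm we wanted to delete a write-protected file, because the w flag was missing.
  2. We don't need w (write) access to a file to delete it. Deleting removes the file's entry from its directory, so it is write permission on the containing directory that decides whether rm succeeds.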
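
The second point in practice, as an added example that is not part of the original page: the same read-only file is deleted or kept depending only on the mode of the directory that holds it. The helper name try_delete and the scratch directory are made up for this illustration.

```shell
#!/bin/sh
# Added example: which permission actually guards deletion?
# Everything happens inside a throwaway directory from mktemp.

# try_delete DIR_MODE
# Creates a 440 (read-only) file inside a directory set to DIR_MODE,
# attempts to remove it, and prints "deleted" or "kept".
try_delete() {
    dir_mode=$1
    work=$(mktemp -d) || return 1
    touch "$work/.my_secrets"
    chmod 440 "$work/.my_secrets"     # file is read-only, as on the page
    chmod "$dir_mode" "$work"         # the directory mode is what we vary
    # -f skips the "remove write-protected file?" prompt
    rm -f "$work/.my_secrets" 2>/dev/null || true
    if [ -e "$work/.my_secrets" ]; then
        echo kept
    else
        echo deleted
    fi
    chmod 700 "$work"                 # restore access so cleanup works
    rm -rf "$work"
}

# Writable directory: the read-only file can still be removed.
echo "directory 755: $(try_delete 755)"
# Directory without w: the file survives, whatever its own mode is.
# (root bypasses these checks, so run this as a normal user.)
echo "directory 555: $(try_delete 555)"
```

To protect a file from deletion by an account, take write permission away on the directory as well as on the file.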

Permission Octets (Numbers)

File permissions are written as a three-digit octal number, where the three digits correspond to the access rights of the user who owns the file, the group, and other users. Each octal digit is the sum of 4 for read permission, 2 for write permission, and 1 for execute permission.

Let's review the most common permissions you'll see in the wild:

  • chmod 755 <file> means you can do anything with the file or directory, and other users can read and execute it but not alter it. Suitable for programs and directories you want to make publicly available.
  • chmod 644 <file> means you can read and write the file or directory and other users can only read it. Suitable for public text files.
  • chmod 711 <file> means you can do anything with the file or directory and other users can only execute it. Suitable for directories where you don't want other people browsing through the contents but do want to give them access to selected files. This is the default for your home directory and the minimum access required for your public_html directory if you have a personal website.
  • chmod 700 <file> means you can do anything with the file or directory and other users have no access to it at all. Suitable for private directories and programs.
  • chmod 600 <file> means you can read and write the file or directory and other users have no access to it. Suitable for private text files.

To help with the numbering system, check this table out:

Binary  Octal  Permission
000     0      ---
001     1      --x
010     2      -w-
011     3      -wx
100     4      r--
101     5      r-x
110     6      rw-
111     7      rwx

Permissions Letters

You can also use letters to replace the number system, above. A lot of people prefer this as it makes more logical sense to them. I can appreciate that. I default to numbers as I've been doing this for years.

  • r = read
  • w = write
  • x = execute

You also use a letter to denote for whom you're changing the permissions - the user, the group or the other (world). These are:

  • u - user
  • g - group
  • o - other (world)

To add a permission you do + and to remove it, you do -. You can also use = to set it directly to the permissions you provide. Let's repeat the above examples, but using letters:

  • chmod u=rwx,go=rx <file> means you can do anything with the file or directory, and other users can read and execute it but not alter it. Suitable for programs and directories you want to make publicly available.
  • chmod u=rw,go=r <file> means you can read and write the file or directory and other users can only read it. Suitable for public text files.
  • chmod u=rwx,go=x <file> means you can do anything with the file or directory and other users can only execute it. Suitable for directories where you don't want other people browsing through the contents but do want to give them access to selected files. This is the default for your home directory and the minimum access required for your public_html directory if you have a personal website.
  • chmod u=rwx,go= <file> means you can do anything with the file or directory and other users have no access to it at all. Suitable for private directories and programs.
  • chmod u=rw,go= <file> means you can read and write the file or directory and other users have no access to it. Suitable for private text files.

You can also do this: chmod g=u <file>, which means the g or group permission set is synced up to the user permission set, so they both end up with the same permissions.

Note

See how we use go= above? What does that result in? Try it out!

Although more verbose, for people new to this sort of thing, the lettering system can be a blessing. I recommend understanding both systems.
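
The two notations checked against each other, as an added example that is not part of the original page: each symbolic form listed above is applied to a scratch file and the resulting octal mode is read back with GNU stat (as shipped on Ubuntu). The helper names mode_after and check_pairs are made up for this illustration.

```shell
#!/bin/sh
# Added example: confirm that the letter and number notations agree.
# Assumes GNU stat (-c), as on Ubuntu; works only on scratch files.

# mode_after START SYMBOLIC
# Prints the octal mode of a scratch file after `chmod START`
# followed by `chmod SYMBOLIC`.
mode_after() {
    f=$(mktemp) || return 1
    chmod "$1" "$f"
    chmod "$2" "$f"
    stat -c '%a' "$f"
    rm -f "$f"
}

# check_pairs
# Applies every symbolic form from the list above to a file that starts
# with no permissions and compares it with the matching octal number.
check_pairs() {
    rc=0
    while read -r octal symbolic; do
        got=$(mode_after 000 "$symbolic")
        printf '%-12s -> %s (expected %s)\n' "$symbolic" "$got" "$octal"
        [ "$got" = "$octal" ] || rc=1
    done <<'EOF'
755 u=rwx,go=rx
644 u=rw,go=r
711 u=rwx,go=x
700 u=rwx,go=
600 u=rw,go=
EOF
    return $rc
}

check_pairs

# + and - change only the named bits, so the result depends on the start:
echo "664 then ug-w,o-r: $(mode_after 664 ug-w,o-r)"   # the 440 from earlier
# g=u copies the user's bits to the group:
echo "640 then g=u:      $(mode_after 640 g=u)"
# go= with nothing after the = clears group and other entirely:
echo "777 then go=:      $(mode_after 777 go=)"
```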