What is permission?
Directories and files on Linux have defined permissions.
Permissions are the rights to manipulate directories and files.
They are also called “access rights”, but this article uses the term “permissions”.
The permission notation and the classes of users that permissions apply to are as follows. (The User column lists the three user classes; it is not tied to the permission in the same row.)
Permission | Symbol | Numeric value | User |
Read | r | 4 | Owner |
Write | w | 2 | Group |
Execute | x | 1 | Other users |
No permission | - | 0 | |
Check the permissions
Let's check the permissions.
You can check the permissions by running “ls -l” on the target directory/file.
As an example, let's check the /home/lpic directory, which contains the file index.html.
ls -l /home/lpic/
total 8
-rw------- 1 lpic linux 16 Jan 14 01:16 index.html
drwx------ 2 lpic linux 4096 Jan 14 01:17 test
The following explains what these permissions mean, starting with the file index.html.
ls -l /home/lpic/index.html
-rw------- 1 lpic linux 16 Jan 14 01:16 /home/lpic/index.html
The leftmost field in the output of the ls command is the permission string.
It is 10 characters long: the first character shows the file type, and the remaining nine show the permissions for the owner, the group and other users, three characters each.
Permissions of the owning user (lpic) = rw-.
⇒ The owner can display the file with the cat command and edit its contents with the vi command.
Permissions of the owning group (linux) = ---.
⇒ Group members cannot display, edit, or access the file.
Permissions of other users = ---.
⇒ Other users cannot view, edit, or access the file.
Next, we will look at the /home/lpic/test directory.
To check a directory by itself, add the -ld option to the ls command.
ls -ld /home/lpic/test
drwx------ 2 lpic linux 4096 Jan 14 01:17 test
For directories, the first character of the permissions is displayed as "d".
The permissions for the "test" directory are explained as follows:
Permissions for the owning user (lpic) = rwx.
⇒ The user can list the files in the directory, create files, and access files within the directory.
Permissions for the owning group (linux) = ---.
⇒ Group members cannot list files in the directory, create or delete files, or access files within the directory.
Permissions for other users = ---.
⇒ Other users cannot list files in the directory, create or delete files, or access files within the directory.
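The mapping between the symbols and the numbers in the table above can be applied mechanically. The following is an added example, not part of the original article: the function name mode_to_octal is an assumption of this example, and it handles only the r, w, x and - characters covered here.

```shell
#!/bin/sh
# Added example: convert the 10-character mode string printed by `ls -l`
# into the three-digit number that chmod accepts (r=4, w=2, x=1, -=0).
# Only the r, w, x and - characters covered in this article are handled.
mode_to_octal() {
    mode=$1
    # One file-type character followed by nine permission characters.
    if [ "${#mode}" -ne 10 ]; then
        echo "expected 10 characters, got ${#mode}: $mode" >&2
        return 1
    fi
    rest=${mode#?}                 # drop the file-type character
    out=""
    for class in owner group other; do
        tail=${rest#???}
        triad=${rest%"$tail"}      # first three characters of what is left
        rest=$tail
        case $triad in
            [-r][-w][-x]) ;;
            *) echo "unsupported $class permissions: $triad" >&2; return 1 ;;
        esac
        digit=0
        case $triad in r??) digit=$((digit + 4)) ;; esac
        case $triad in ?w?) digit=$((digit + 2)) ;; esac
        case $triad in ??x) digit=$((digit + 1)) ;; esac
        out=$out$digit
    done
    echo "$out"
}

# Constructed input: two mode strings in the form used in this article and one
# truncated string to show the length check. Nothing is read from the file system.
for sample in -rw------- drwx------ -rw------; do
    if octal=$(mode_to_octal "$sample" 2>/dev/null); then
        printf '%s -> %s\n' "$sample" "$octal"
    else
        printf '%s -> rejected (not a 10-character mode string)\n' "$sample"
    fi
done
```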
Operate using the user with permission
Let’s ‘cat’ the index file using the lpic user with read permissions.
[lpic@loclhost ~ ]$ cat /home/lpic/index.html
Thu Jan 18 11:08:57 JST 2018
List the test directory using the lpic user with read permissions.
[lpic@loclhost ~ ]$ ls -ld /home/lpic/test/
drwx------ 2 lpic linux 4096 Jan 14 01:17 /home/lpic/test/
Move to the test directory using the lpic user with read permissions.
[lpic@loclhost ~ ]$ cd /home/lpic/test/
[lpic@loclhost test ]$
All execution results were successful.
Operate using the user without permission
Now let’s run the same commands as a user without permission.
‘cat’ the index file using the lpic2 user without read permissions.
[lpic2@loclhost ~ ]$ cat /home/lpic/index.html
cat: /home/lpic/index.html: Permission denied
List the test directory using the lpic2 user without read permissions.
[lpic2@loclhost ~ ]$ ls -ld /home/lpic/test/
ls: cannot access /home/lpic/test/: Permission denied
Move to the test directory using the lpic2 user without read permissions.
[lpic2@loclhost ~ ]$ cd /home/lpic/test/
bash: cd: /home/lpic/test/: Permission denied
Because the user doesn’t have permission, each command returns “Permission denied”.
How to allow operations by users other than the owner and the owning group
There are several methods to allow the lpic2 user to operate:
・Change the owner of the target directory/file.
・After changing the permission of the owner group, add the lpic2 user to the owner group.
・Change the permission of the target directory/file, etc.
In most cases, you do this by changing the permissions in the target environment.
Let's try it.
First, execute the chmod command as a user who can operate on the index.html file.
Note that if you don't grant permissions to other users on the parent directory (in this case, /home/lpic), they won't be able to operate on the file.
[lpic@loclhost ~ ]$ chmod 707 /home/lpic/
[lpic@loclhost ~ ]$ chmod 706 /home/lpic/index.html
The chmod command allows you to change permissions.
By using the -R option, you can apply changes to a target directory and all the files under it. However, since I didn’t need to grant execute permissions this time, I modified the permissions individually.
Let's look at the permissions after the changes.
[lpic@loclhost ~ ]$ ls -l /home/lpic/
total 8
-rw----rw- 1 lpic linux 29 Jan 18 11:08 index.html
drw----rw- 2 lpic linux 4096 Jan 14 01:17 test
‘cat’ index.html as the lpic2 user.
[lpic2@loclhost ~ ]$ cat /home/lpic/index.html
Thu Jan 18 11:08:57 JST 2018
The file is displayed successfully, which means that the permissions were changed correctly.
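The chmod 707 and chmod 706 settings above also give other users write access. The following added example (not part of the original article) rebuilds the layout in a scratch directory, lists everything other users can write to, and then applies a narrower grant that still allows reading the file. The function names and the 701/704 modes are assumptions of this example.

```shell
#!/bin/sh
# Added example: list every entry under a directory that "other" users can write to.
world_writable() {
    # -perm -002 matches entries whose mode includes the other-write bit.
    find "$1" -perm -002 | sort
}

# Build a constructed copy of the article's layout in a scratch directory
# and print the scratch directory's path.
make_demo_tree() {
    demo=$(mktemp -d) || return 1
    mkdir -p "$demo/lpic/test"
    date > "$demo/lpic/index.html"
    chmod 700 "$demo/lpic/test"
    chmod 706 "$demo/lpic/index.html"   # article's setting: others may read and write
    chmod 707 "$demo/lpic"              # article's setting: others may also create and delete entries
    echo "$demo"
}

# Narrower grant (assumption of this example) that still lets another user
# cat index.html: search-only (x) on the directory, read-only (r) on the file.
tighten() {
    chmod 701 "$1/lpic"
    chmod 704 "$1/lpic/index.html"
}

demo_root=$(make_demo_tree)
echo "writable by other users with 707/706:"
world_writable "$demo_root"
tighten "$demo_root"
echo "writable by other users with 701/704:"
world_writable "$demo_root"
rm -rf "$demo_root"
```

Reading a file requires only r on the file and x on each directory in its path, which is why the narrower modes are enough for the cat command shown above.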
Summary
There can be consequences if permissions are not set correctly. For example, if a file intended for public access in a browser doesn't have read permissions for general (other) users, accessing it could result in a “403 Forbidden” error.
However, it's not recommended from a security perspective to set crucial files like configuration files in such a way that anyone can edit or execute them.
When operating a server, setting appropriate permissions for each file brings you closer to creating safer and more optimized websites. Deepening one's understanding of permissions is essential for anyone looking to deliver a stable server operation and achieve the kind of site the customers are aiming for.
This blog post is translated from a blog post written by Sakina Nakagawa on our Japanese website Beyond Co.