Author	Nejat Hakan
eMail	nejat.hakan@outlook.de
PayPal Me	https://paypal.me/nejathakan

Permissions and Ownership

In Linux, permissions and ownership are critical mechanisms for controlling access to files and directories, ensuring security, privacy, and proper system operation. These features define who can read, write, or execute resources and who owns them, making them essential for system administrators, developers, and users. This chapter provides a comprehensive guide to understanding and managing permissions and ownership in Linux, covering key concepts, commands, and best practices. A hands-on workshop at the end offers a practical project to apply these skills in a real-world scenario.

Understanding Permissions and Ownership

Linux is a multi-user operating system, and its permissions and ownership model ensures that users and processes access only the resources they are authorized to use. Every file and directory in Linux has an associated owner, group, and set of permissions that dictate access rights.

Key Concepts

Owner: The user who owns the file or directory, typically its creator.
Group: A set of users assigned to the file or directory, allowing shared access.
Others: All users who are neither the owner nor part of the group.
Permissions: Access rights for reading (r), writing (w), and executing (x) a file or directory.
File Types: Regular files, directories, symbolic links, or special files (e.g., devices).
Metadata: Information about ownership and permissions, viewable with ls -l.

Permission Types

Read (r): View file contents or list directory contents.
Write (w): Modify file contents or create/delete files in a directory.
Execute (x): Run a file as a program/script or access a directory’s contents (e.g., cd).

Ownership Structure

User Owner: The individual user assigned to the file/directory.
Group Owner: A group of users with shared access rights.
Others: Everyone else on the system.

Viewing Permissions and Ownership

The ls -l command displays detailed information about files and directories, including permissions, ownership, and metadata.

Example Output:

-rwxr-xr-x 1 alice developers 1024 Apr 29 2025 script.sh

- -rwxr-xr-x: Permissions (file type, owner, group, others). - 1: Number of hard links. - alice: User owner. - developers: Group owner. - 1024: File size in bytes. - Apr 29 2025: Last modification date. - script.sh: Filename.

Breaking Down Permissions

The first 10 characters of the ls -l output describe the file type and permissions: - Position 1: File type (- for regular file, d for directory, l for symbolic link). - Positions 2-4: Owner permissions (rwx or - for absent). - Positions 5-7: Group permissions. - Positions 8-10: Others’ permissions.

Example: -rwxr-xr-x - -: Regular file. - rwx: Owner can read, write, execute. - r-x: Group can read, execute. - r-x: Others can read, execute.

Managing Permissions with `chmod`

The chmod (change mode) command modifies permissions using either symbolic or numeric notation.

Symbolic Notation

Uses letters to specify user classes (u for owner, g for group, o for others, a for all) and actions (+ to add, - to remove, = to set).

Examples: - Add execute permission for the owner:

chmod u+x script.sh

- Remove write permission for group and others:

chmod go-w file.txt

- Set read-only for all:

chmod a=r file.txt

Numeric (Octal) Notation

Uses three or four digits, where each digit represents permissions for owner, group, and others: - 4 = read, 2 = write, 1 = execute. - Add values for combined permissions (e.g., 7 = rwx, 5 = r-x).

Examples: - 755: Owner (rwx), group/others (r-x).

chmod 755 script.sh

- 644: Owner (rw-), group/others (r--).

chmod 644 file.txt

- 600: Owner (rw-), group/others (no access).

chmod 600 private.txt

Option: - -R: Apply recursively to directories and their contents.

chmod -R 755 project_folder

Managing Ownership with `chown` and `chgrp`

`chown` - Change Owner and Group

The chown (change owner) command assigns a new user and/or group to a file or directory.

Syntax:

chown user:group file

Examples: - Change owner to alice:

chown alice file.txt

- Change owner and group:

chown alice:developers file.txt

- Apply recursively:

chown -R alice:developers project_folder

`chgrp` - Change Group

The chgrp (change group) command changes the group ownership.

Syntax:

chgrp group file

Example:

chgrp developers file.txt

Option: - -R: Recursive.

chgrp -R developers project_folder

Special Permissions

Beyond rwx, Linux supports special permissions that enhance access control.

1. Setuid (`s`)

Allows a user to run an executable with the owner’s permissions. - Appears as s in the owner’s execute position (e.g., rwsr-xr-x). - Example: The passwd command uses setuid to allow users to modify /etc/shadow.

Set:

chmod u+s executable

2. Setgid (`s`)

Ensures files created in a directory inherit the directory’s group or runs executables with the group’s permissions. - Appears as s in the group’s execute position.

Set:

chmod g+s directory

3. Sticky Bit (`t`)

Prevents users from deleting or renaming files in a directory unless they own them (common in /tmp). - Appears as t in the others’ execute position (e.g., rwxr-xr-t).

Set:

chmod +t directory

Example:

chmod +t shared_folder

Understanding Default Permissions with `umask`

The umask command sets default permissions for new files and directories, subtracting from the base permissions (666 for files, 777 for directories).

View Current umask:

umask

Output Example: 0022 - 022: Removes write permission for group and others.

Set umask:

umask 002

Creates files with 664 (rw-rw-r--) and directories with 775 (rwxrwxr-x).

Use Case: Adjust umask in ~/.bashrc for consistent defaults.

Advanced Permission Management

1. Access Control Lists (ACLs)

ACLs provide fine-grained access control beyond standard permissions.

Commands: - setfacl: Set ACLs. - getfacl: View ACLs.

Example: Grant bob read access to a file:

setfacl -m u:bob:r file.txt

2. Checking Permissions

Use stat for detailed permission and metadata information:

stat file.txt

Productivity Tips for Permissions and Ownership

Verify Before Changing: Use ls -l to check current permissions/ownership.
Use Numeric Notation for Simplicity: Octal values are concise (e.g., 755).
Test Changes: Apply to non-critical files first.
Combine Commands: Pipe ls -l to grep to filter files by permissions.
Create Aliases: Add shortcuts in ~/.bashrc (e.g., alias ll='ls -l').

Best Practices for Permissions and Ownership

Follow Least Privilege: Grant only necessary permissions (e.g., 600 for sensitive files).
Secure System Files: Restrict access to /etc, /bin, etc., to root or specific groups.
Use Groups: Assign group ownership for collaborative projects.
Backup Before Changes: Copy critical files before modifying permissions.
Document Changes: Log ownership/permission changes for system files.
Avoid Overuse of 777: Never use chmod 777 unless absolutely necessary.
Check umask: Ensure default permissions align with security needs.

Workshop: Setting Up a Collaborative Project Directory

This workshop provides a practical, step-by-step project to apply the permissions and ownership concepts covered. You’ll create a shared project directory for a team, assign appropriate ownership and permissions, configure special permissions, and test access, simulating a real-world collaborative environment.

Project Overview

You are setting up a directory for a team project called “CollabProject.” The directory will contain scripts, documents, and a shared workspace. You’ll create users and a group, assign ownership, set permissions, apply special permissions, and verify access controls.

Prerequisites

A Linux system with a terminal.
Root access (via sudo) to create users and groups.
Basic shell familiarity (commands like ls, mkdir).
Ensure setfacl is installed (sudo apt install acl on Debian/Ubuntu or equivalent).

Step-by-Step Tutorial

Step 1: Set Up the Project Directory

Open a terminal.
Navigate to your home directory:
```
cd ~
```
Create a directory called CollabProject:
```
mkdir CollabProject
```
Navigate into CollabProject:
```
cd CollabProject
```

Step 2: Create Directory Structure and Files

Create subdirectories for scripts, documents, and a shared workspace:
```
mkdir scripts docs shared
```

Create sample files:

touch scripts/run.sh docs/project_plan.txt shared/notes.txt

Add content to run.sh:

echo -e "#!/bin/bash\necho 'Running script'" > scripts/run.sh

List the structure:

ls -R

Expected Output:

.:
docs  scripts  shared

./docs:
project_plan.txt

./scripts:
run.sh

./shared:
notes.txt

Step 3: Create Users and a Group

Create two test users, alice and bob (requires sudo):
```
sudo useradd -m.signup
sudo groupadd -g 1000 team
sudo usermod -a -G team alice
sudo usermod -a -G team bob
```
Note: If user creation fails due to permissions, skip to Step 4 and use your current user and group for testing.
Create a group called team:
```
sudo groupadd team
```

Add users to the team group:

sudo usermod -a -G team alice
sudo usermod -a -G team bob

Step 4: Assign Ownership

Change the group ownership of CollabProject to team:
```
sudo chgrp -R team CollabProject
```
Change the user ownership to alice:
```
sudo chown -R alice CollabProject
```
Verify ownership:
```
ls -l
```

Step 5: Set Permissions

Set permissions for scripts to allow owner execution and group read/execute:
```
chmod 750 scripts
```
Make run.sh executable:
```
chmod 755 scripts/run.sh
```
Set docs to read/write for owner and group, read-only for others:
```
chmod 664 docs/project_plan.txt
```
Set shared to allow group read/write with sticky bit:
```
chmod 2770 shared
```

Verify permissions:

ls -lR

Expected Output (simplified):

drwxr-x---  2 alice team 4096 Apr 29 2025 scripts
drwxr-xr-x  2 alice team 4096 Apr 29 2025 docs
drwxrws---  2 alice team 4096 Apr 29 2025 shared

./scripts:
-rwxr-xr-x  1 alice team   32 Apr 29 2025 run.sh

./docs:
-rw-rw-r--  1 alice team    0 Apr 29 2025 project_plan.txt

./shared:
-rw-rw----  1 alice team    0 Apr 29 2025 notes.txt

Step 6: Apply Special Permissions

Set the sticky bit on shared (already done in Step 5):
```
chmod +t shared
```

Verify sticky bit:

ls -ld shared

Expected Output:

drwxrws--T  2 alice team 4096 Apr 29 2025 shared

Step 7: Configure ACLs

Grant bob read/write access to project_plan.txt:

setfacl -m u:bob:rw docs/project_plan.txt

Verify ACL:

getfacl docs/project_plan.txt

Expected Output (partial):

user:bob:rw-

Step 8: Test Access (Optional)

Switch to alice (requires password setup or sudo):
```
su - alice
```

Try editing docs/project_plan.txt:

echo "Project plan" >> ~/CollabProject/docs/project_plan.txt

Exit and switch to bob:
```
exit
su - bob
```

Try editing shared/notes.txt:

echo "Team notes" >> ~/CollabProject/shared/notes.txt

Verify file ownership in shared:
```
ls -l ~/CollabProject/shared
```
Expected Output:
```
-rw-rw----  1 bob team 11 Apr 29 2025 notes.txt
```
Note the group remains team due to setgid.

Step 9: Clean Up

Exit user sessions:
```
exit
```

Delete test users and group (requires sudo):

sudo userdel -r alice
sudo userdel -r bob
sudo groupdel team

Remove project directory:
```
rm -rf ~/CollabProject
```
Verify cleanup:
```
ls ~
```

Workshop Summary

In this project, you:

Created a collaborative project directory (mkdir).
Set up users and a group (useradd, groupadd).
Assigned ownership (chown, chgrp).
Configured permissions (chmod).
Applied special permissions (sticky bit, ACLs).
Tested access controls.
Cleaned up resources (rm, userdel).

Next Steps

Experiment with setuid on a test script.
Explore ACLs for more complex access scenarios.
Adjust umask in ~/.bashrc and test new file permissions.
Practice managing permissions on real system files (e.g., /etc) with sudo.

Takeaway

Permissions and ownership are foundational to Linux security and collaboration, enabling precise control over file and directory access. By mastering chmod, chown, chgrp, and advanced features like ACLs and special permissions, you can secure resources and facilitate teamwork. The workshop provided hands-on practice through a collaborative project setup, reinforcing these concepts in a practical context. Regular practice, adherence to best practices, and careful management of permissions will ensure a secure and efficient Linux environment, empowering you to manage systems effectively.

Permissions and Ownership

Understanding Permissions and Ownership

Key Concepts

Permission Types

Ownership Structure

Viewing Permissions and Ownership

Breaking Down Permissions

Managing Permissions with chmod

Symbolic Notation

Numeric (Octal) Notation

Managing Ownership with chown and chgrp

chown - Change Owner and Group

chgrp - Change Group

Special Permissions

1. Setuid (s)

2. Setgid (s)

3. Sticky Bit (t)

Understanding Default Permissions with umask

Advanced Permission Management

1. Access Control Lists (ACLs)

2. Checking Permissions

Productivity Tips for Permissions and Ownership

Best Practices for Permissions and Ownership

Workshop: Setting Up a Collaborative Project Directory

Project Overview

Prerequisites

Step-by-Step Tutorial

Step 1: Set Up the Project Directory

Step 2: Create Directory Structure and Files

Step 3: Create Users and a Group

Step 4: Assign Ownership

Step 5: Set Permissions

Step 6: Apply Special Permissions

Step 7: Configure ACLs

Step 8: Test Access (Optional)

Step 9: Clean Up

Workshop Summary

Next Steps

Takeaway

Managing Permissions with `chmod`

Managing Ownership with `chown` and `chgrp`

`chown` - Change Owner and Group

`chgrp` - Change Group

1. Setuid (`s`)

2. Setgid (`s`)

3. Sticky Bit (`t`)

Understanding Default Permissions with `umask`