Permission groups

Understanding ownership (which user owns a file, and which group it is assigned to) is essential for understanding permission groups. You have already seen that every file is owned by a user and assigned to a group. Those are the first two permission groups; the third is "everyone else". Each permission group is also referred to as a "triad", because it is made up of the three basic permissions (read, write and execute).

This means that on the same file you can set one set of permissions for the user who owns the file, separate permissions for the group to which the file is assigned, and yet again separate permissions for everyone else (all other users, whatever groups they belong to). That lets you fine-tune file permissions quite precisely.

The permission triads are always in the order "user, group, everyone else". Within each triad the permission flags are always in the same order: rwx. A permission that is not granted is shown as a dash (-) in its place.

Some typical setups would involve:

  • rwx - Can read, write and execute (all permissions granted, e.g. a user's own script file)
  • rw- - Can read and write, but cannot execute (a typical file that is not a script or programme)
  • r-- - Can only read, cannot write or execute (a typical read-only file)
  • r-x - Can read and execute, but cannot write (typically a system binary, or a script that may be run but should not be modified)

These are then repeated for each triad separately, fine-tuning who can do what. Preceded by the special first character (the file type), the permission triads are simply written one after another:

File permissions illustrated

On an ordinary (non-directory) file, allowing all permissions to everyone looks like:

-rwxrwxrwx

The same on a directory becomes (d is for directory, remember?):

drwxrwxrwx

In the most restrictive scenario, e.g. a user has a file that only they can read, and nobody, not even the owner, can modify or run it, you would see

-r--------

Setting permissions for the owner might seem redundant (it is their file, after all). Their most meaningful function is to restrict even the file owner from performing certain actions, e.g. making the file write-protected or non-executable, so that it is not modified or run by accident. (Other cases include making it explicitly executable. This largely depends on the security model.)

Setting them for a group means you explicitly allow or disallow actions for users who are not the owner of the file but are members of the assigned group.

"Everyone else" simply means allowing or denying actions to all other users, regardless of which groups they belong to.

Say, for example, your file /home/beowulf/myfile.txt is owned by the user beowulf and assigned to a group named family, to which all family members belong. The user beowulf can read and write the file (rw-) but wants his family members (the users in the family group) to be able to read the file, not write it. Everyone else should be denied access (can neither read nor write). Nobody should be able to execute the file, for security reasons (a .txt file can still contain a script).

Broken down into permission triads, the permissions for that are:

  • user: rw-
  • group: r--
  • everyone else: ---

Listing permissions on the file would result in:

-rw-r-----

Theoretically, you could also set permissions to ----------, but it would not make much sense to have a file that nobody can read, write or execute... Still, it is fun to know that you could. To be honest, there are scenarios where this is done deliberately, but you don't need to worry about those. Two caveats apply to every mode, though: the owner of a file can always change its permissions back with chmod, so a restrictive mode protects against accidents rather than against the owner; and root ignores read and write permissions altogether (more on that later).
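To see the triads in action, here is an added shell example (not code from the original page) that applies the beowulf/family permissions above with symbolic chmod, reads the mode string back with ls -l and picks individual triads out of it. The helper names (mode_string, triad, set_and_show) and the temporary files are assumptions; no "family" group is created, the group triad simply applies to whichever group the temporary file happens to be assigned to.

```shell
#!/bin/sh
# Added example, not code from the original page: apply the beowulf/family
# permissions from the text with symbolic chmod and read the triads back.
# Names (mode_string, triad, set_and_show, the temp files) are assumptions;
# no "family" group is created, the group triad simply applies to whichever
# group the file is assigned to.
set -eu

# First 10 characters of `ls -ld`: the file-type character and the three
# rwx triads. Anything after that (an ACL '+' marker, link count...) is cut.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Pick one triad (user, group or other) out of a 10-character mode string.
triad() {
    case $2 in
        user)  printf '%s\n' "$1" | cut -c2-4 ;;
        group) printf '%s\n' "$1" | cut -c5-7 ;;
        other) printf '%s\n' "$1" | cut -c8-10 ;;
        *)     echo "unknown triad: $2" >&2; return 1 ;;
    esac
}

# Apply a symbolic mode (u=rw,g=r,o= ...) and return the resulting mode string.
set_and_show() {
    chmod "$2" "$1"
    mode_string "$1"
}

workdir=$(mktemp -d)
f="$workdir/myfile.txt"
printf 'hello\n' > "$f"

# beowulf's file: owner reads and writes, the group reads, nobody else gets
# anything, and no triad has x, so the file cannot be executed by anyone.
mode=$(set_and_show "$f" u=rw,g=r,o=)
echo "$mode"                                  # -rw-r-----
echo "group triad: $(triad "$mode" group)"    # r--

# The most restrictive case from the text: read-only even for the owner...
echo "$(set_and_show "$f" u=r,g=,o=)"         # -r--------
# ...which the owner can undo at any time, because the owner controls the
# mode. r-------- protects against accidents, not against the owner.
echo "$(set_and_show "$f" u+w)"               # -rw-------

# The same triads on a directory are shown with a leading d.
echo "$(set_and_show "$workdir" u=rwx,g=rx,o=)"   # drwxr-x---

rm -rf "$workdir"
```

The symbolic form of chmod (u=rw,g=r,o=) maps one-to-one onto the triads in the text: u, g and o are the three permission groups, and whatever follows the = is the content of that triad, an empty right-hand side meaning all dashes.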

Numerical representation

A possibly simpler (definitely shorter) way to write permissions is with numbers. The numerical permissions are based on the obscure and scary binary representation of the three bits in each permission group. Fortunately for us, and our sanity, three bits fit exactly into one octal digit (0 to 7), so each permission group becomes a single digit.

As there are three permission groups, this quite logically becomes a three-digit number, where the first digit is for the user, the second for the group, and the third for everyone else.

To make it simple to write (but slightly harder to compute), each digit is the sum of all permissions set in that group. Each of the letters r, w and x has a number assigned:

  • r = 4
  • w = 2
  • x = 1

This means that for each group you add up the numbers of the permissions that are set. All permissions granted becomes

rwx = 4 + 2 + 1 = 7

Any permission NOT set counts as zero, so readable and executable but not writable is

r-x = 4 + 0 + 1 = 5

and for read-only

r-- = 4 + 0 + 0 = 4

...and so on.

An unusual combination like -w- would be 0 + 2 + 0 = 2, but you rarely get to see those.

You then have the number for the effective permissions of one permission group. Let's take the owner of our example file, who can read and write but not execute: rw- = 4 + 2 + 0 = 6. The first permission group is therefore a 6.

6..

Now you repeat that for the other two groups. To stay with our previous example (the one you never read, because it was in a TL;DR drop-down and you thought you'd be fine without opening it), the group permissions are read-only, or r--. Following the logic above, that gets the numerical value 4. We put it in its place:

64.

Finally, the last permission group. In our example "everyone else" gets no permissions at all, meaning ---. Quite simply, the number for that is 0. Put it into place and the numerical permission is complete:

640

To put it all together: our file had the permissions -rw-r-----, meaning the owner can read and write (not execute), the assigned group can only read, and nobody else can access the file in any way. The numerical representation of that is 640.
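The sum-per-triad rule above is easy to get wrong by hand, so here is an added shell example (not code from the original page) that does the conversion in both directions with plain shell arithmetic and then round-trips the result through chmod and ls -l. The function names (triad_value, sym_to_oct, digit_to_triad, oct_to_sym) and the temporary file are assumptions; a leading file-type character, as printed by ls -l, is accepted and ignored.

```shell
#!/bin/sh
# Added example, not code from the original page: convert between the
# symbolic triads (rw-r-----) and the octal digits (640) with plain shell
# arithmetic, then round-trip the result through chmod. Function names are
# assumptions. A leading file-type character, as printed by ls -l, is
# accepted and ignored.
set -eu

# Value of one triad: r=4, w=2, x=1, summed over the letters that are set.
# A missing letter contributes 0, so r-x = 4 + 0 + 1 = 5.
triad_value() {
    v=0
    case $1 in r??) v=$((v + 4)) ;; esac
    case $1 in ?w?) v=$((v + 2)) ;; esac
    case $1 in ??x) v=$((v + 1)) ;; esac
    echo "$v"
}

# "-rw-r-----" or "rw-r-----" -> 640 (user, group, other digit, in that order)
sym_to_oct() {
    s=$1
    case ${#s} in
        10) s=${s#?} ;;               # drop the file-type character
        9)  ;;
        *)  echo "bad mode string: $1" >&2; return 1 ;;
    esac
    u=${s%??????}                      # first three characters
    g=${s#???}; g=${g%???}             # middle three
    o=${s#??????}                      # last three
    echo "$(triad_value "$u")$(triad_value "$g")$(triad_value "$o")"
}

# One octal digit -> its triad, using the bit pattern behind the digit
# (4 = 100 = r, 2 = 010 = w, 1 = 001 = x).
digit_to_triad() {
    r=-; w=-; x=-
    [ $(($1 & 4)) -ne 0 ] && r=r
    [ $(($1 & 2)) -ne 0 ] && w=w
    [ $(($1 & 1)) -ne 0 ] && x=x
    echo "$r$w$x"
}

# 640 -> rw-r-----
oct_to_sym() {
    case $1 in
        [0-7][0-7][0-7]) ;;
        *) echo "bad octal mode: $1" >&2; return 1 ;;
    esac
    u=${1%??}
    g=${1#?}; g=${g%?}
    o=${1#??}
    echo "$(digit_to_triad "$u")$(digit_to_triad "$g")$(digit_to_triad "$o")"
}

# Round trip through the filesystem: chmod with the computed octal value and
# read the mode string back with ls -l.
f=$(mktemp)
chmod "$(sym_to_oct rw-r-----)" "$f"
ls -ld "$f" | cut -c1-10             # -rw-r-----
rm -f "$f"
```

Both functions reject input that is not a mode string or not three octal digits, which is the check you want before feeding a computed value to chmod: a typo such as 888 or a 9-character string with a stray character would otherwise set something you did not intend.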

Some common permission settings

There are some permission settings you will meet quite often. Below is a small sample of these:

  • 600, or -rw------- - The owner can read and write the file, but not execute it. Nobody else has any access.
  • 644, or -rw-r--r-- - The owner can read and write the file; the assigned group and everyone else can only read it.
  • 700, or -rwx------ - The owner can read, write and execute (full access). Nobody else (including the assigned group) has any access at all.
  • 666, or -rw-rw-rw- - Everybody (owner, assigned group and the rest) can read and write the file, but nobody can execute it.
  • 777, or -rwxrwxrwx - Everyone has full access to the file: read, write and execute. (This is really unsafe.)

Permission 666 is dangerous. Not only does it have the potential to summon The Dark Lord 😈 (™), but, worse, it allows anyone and everyone on the system to read and write the file, so any other local user can replace its contents. If you set it to 777, it is (contrary to conventional Bible wisdom) even worse, allowing anyone and everyone to read, write and execute the file, so whatever they put in it can also be run. Basically, 777 is like summoning The Dark Lord 😈 (™) as an executioner. And that is really not something you want to do. Or is it? Anyway, be careful when applying permissions, and remember: less is more.