  1. #1
    Banned
    Join Date
    Aug 2011
    Posts
    43

    File & Directory permissions and groups


    I've been using Linux for about a year and a half now and I don't fully understand how file & directory permissions and groups work.
    When I view properties of a folder in GNOME2, I see "Group" and then a group selected. What I don't get is what the other groups in the drop-down menu are - I mean, are they the groups that also have permission to the folder, or is the selected group the only group that has permission?

    I want to allow the group www-data to have permission to a folder, but I cannot see the group in the menu. How do I go about getting it in there, or how can I give www-data permission via the terminal? I think it's with chgrp.

    Argh! I used to love being able to tinker and explore computers to teach myself, but as I get older there seem to be fewer hours in a day!

  2. #2
    Linux Guru
    Join Date
    Oct 2007
    Location
    Tucson AZ
    Posts
    3,190
    is the selected group the only group that has permission?
    Yes.

    You change the group with the chgrp command. If you have a folder named junk in your /var/www directory that you want to have www-data as the group you would navigate in the terminal to /var/www directory and as root do:

    chgrp -R www-data junk/
    The -R changes the group in sub-directories and files. You also can set the owner with the chown command and permissions with the chmod command. Do you have a www-data group? Type groups in a terminal and you should see output.

    There are numerous tutorials on using these commands online as they are very commonly used.
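As an added example (not from the thread), here is a small POSIX shell script that does what the reply above describes and then checks its own work: it confirms the caller is actually a member of the target group (a non-root user can only hand files to a group it belongs to, so the chgrp would otherwise fail part-way through a tree), runs chgrp -R, and then uses find ! -group to confirm no entry was missed. The directory tree is constructed for the demonstration, and because www-data from the question may not exist on the machine running it, the demo falls back to the caller's primary group.

```shell
#!/bin/sh
# Added example: recursively hand a directory tree to a group, then verify.

# is_member GROUP: true if the current user belongs to GROUP.
is_member() {
    id -Gn | tr ' ' '\n' | grep -qx "$1"
}

# set_tree_group DIR GROUP: chgrp -R, then report anything still owned
# by a different group. Returns non-zero if the change was refused,
# failed, or left entries behind.
set_tree_group() {
    dir=$1
    grp=$2
    if [ "$(id -u)" -ne 0 ] && ! is_member "$grp"; then
        echo "refusing: you are not a member of group '$grp'" >&2
        return 2
    fi
    chgrp -R "$grp" "$dir" || return 1
    leftover=$(find "$dir" ! -group "$grp" | wc -l | tr -d ' ')
    [ "$leftover" -eq 0 ]
}

# Demonstration on a constructed tree under a temp directory.
demo() {
    base=$(mktemp -d)
    mkdir -p "$base/junk/sub"
    touch "$base/junk/index.html" "$base/junk/sub/page.html"
    # Prefer www-data as in the question; otherwise fall back to the
    # caller's primary group so the demo runs on any box (assumption).
    grp=www-data
    is_member "$grp" || grp=$(id -gn)
    set_tree_group "$base/junk" "$grp" && ls -lR "$base/junk"
    rm -rf "$base"
}
demo
```

The membership check is the part worth keeping: without it, a partially applied recursive chgrp is easy to miss, and the trailing find is the cheapest way to prove the whole tree ended up where you intended.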

  3. #3
    Administrator MikeTbob's Avatar
    Join Date
    Apr 2006
    Location
    Texas
    Posts
    7,864
    Check out groupadd.
    groupadd - Linux Command - Unix Command
    Managing Linux group Access
    Linux Tutorial - Managing Group Access on Linux and UNIX
    And finally, it's probably best if you also view the man pages on your system with these commands.
    Code:
    man groupadd
    Code:
    man chown
    Code:
    man chgrp
    I do not respond to private messages asking for Linux help, Please keep it on the forums only.
    All new users please read this.** Forum FAQS. ** Adopt an unanswered post.

    I'd rather be lost at the lake than found at home.

  5. #4
    Banned
    Join Date
    Aug 2011
    Posts
    43
    Cool, thanks guys.
    Well, I had a quick read of the manual for groupadd:
    SYNOPSIS says
    groupadd [options] group
    Are options necessary, or can I just create a group by using groupadd groupname?

  6. #5
    Administrator MikeTbob's Avatar
    Join Date
    Apr 2006
    Location
    Texas
    Posts
    7,864
    I believe options are just that, optional.

  7. #6
    Banned
    Join Date
    Aug 2011
    Posts
    43
    Also, once I make a group, how can I then add a user to the group?

  8. #7
    Administrator MikeTbob's Avatar
    Join Date
    Apr 2006
    Location
    Texas
    Posts
    7,864
    Quote Originally Posted by Kolusion View Post
    Also, once I make a group, how can I then add a user to the group?
    useradd is your friend

  9. #8
    Linux Guru
    Join Date
    Oct 2007
    Location
    Tucson AZ
    Posts
    3,190
    The link below has some simple examples which should help:

    Howto: Linux Add User To Group

  10. #9
    Just Joined!
    Join Date
    Aug 2011
    Posts
    7

    usermod

    Quote Originally Posted by MikeTbob View Post
    useradd is your friend
    If the account already exists, look into usermod.
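As an added example (not from the thread), the following POSIX shell helpers tie together the groupadd and usermod advice from the posts above and let you verify the result. The user and group names are constructed; creating a group or changing a membership needs root, but the membership check itself runs as any user. The one caveat worth knowing when scripting this: usermod -G without -a replaces the user's whole secondary group list, which silently removes the user from every other group.

```shell
#!/bin/sh
# Added example: group membership helpers around groupadd/usermod.

# user_in_group USER GROUP: membership as recorded in the account
# database (the view a fresh login would get, not the current session's).
user_in_group() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# ensure_group GROUP: create the group if it does not exist (needs root).
ensure_group() {
    getent group "$1" >/dev/null 2>&1 || groupadd "$1"
}

# add_to_group USER GROUP: append USER to the secondary group GROUP and
# confirm it took. The -a flag is what makes this an append; without it
# usermod -G overwrites the user's secondary groups.
add_to_group() {
    ensure_group "$2" || return 1
    usermod -aG "$2" "$1" || return 1
    user_in_group "$1" "$2"
}

# demo [USER] [GROUP]: constructed defaults; only changes anything as root.
demo() {
    u=${1:-$(id -un)}
    g=${2:-www-data}
    if user_in_group "$u" "$g"; then
        echo "$u is already in $g"
    elif [ "$(id -u)" -eq 0 ]; then
        add_to_group "$u" "$g" && echo "$u added to $g (takes effect at next login)"
    else
        echo "$u is not in $g; rerun as root to add" >&2
        return 1
    fi
}
# Usage: . ./groupmember.sh && demo alice www-data
```

Because the change is written to the account database and not to the running session, user_in_group reports the new membership immediately while the user's existing shells keep their old group set until they log in again, which is exactly the "next login" behaviour described later in the thread.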

  11. #10
    Linux Enthusiast
    Join Date
    Jan 2005
    Location
    Saint Paul, MN
    Posts
    679
    Quote Originally Posted by Kolusion View Post
    I've been using Linux for about a year and a half now and I don't fully understand how file & directory permissions and groups work.
    When I view properties of a folder in GNOME2, I see "Group" and then a group selected. What I don't get is what the other groups in the drop-down menu are - I mean, are they the groups that also have permission to the folder, or is the selected group the only group that has permission?

    I want to allow the group www-data to have permission to a folder, but I cannot see the group in the menu. How do I go about getting it in there, or how can I give www-data permission via the terminal? I think it's with chgrp.

    Argh! I used to love being able to tinker and explore computers to teach myself, but as I get older there seem to be fewer hours in a day!

    Taken from my web site for Linux Learning (which is still in development) is how I explain permissions:

    Note: formatting has been mostly stripped.
    Code:
    Directory and file permissions are assigned on a three-tier system.
    Looking at a three-tier access model
    A multiple-building apartment complex and some set of people will serve as a working model of a three-tier permission system. The buildings within the complex may contain similar items such as apartments; however, some buildings may have more unique items such as a "game room" or "pool" that are shared across the buildings. Fine, you say, but how is this getting us to a permission model?
    
    The people are treated as "Users" of the complex. Some of the people are not tenants of the complex. These people will only have access that is declared as "Other" (or the "World" if the set is really, really big). Some of the people are tenants and are declared "members" of the complex as a whole and "members" of the building containing their rented apartment (group membership). The renter of an apartment is the "User" of a specific apartment.
    
    Now the complex to computer is being mapped as:
    
         The whole complex  -----------------------------------  A "file system"
         A building  ------------------------------------------  A "directory"
         A item in a building (i.e. apartment, pool, etc) -----  A "file"
         A person  --------------------------------------------  A "user" 
    
               
    A person arrives at a building door (the door is to the "rental office"). The rental office grants everyone the right to enter and leave but does not grant them the right to sleep. (One could see enter, leave, and sleep as alternatives to the file permissions of read, write, and execute. But that is another story.) If the person arrives at the door to the "game room", only tenants of the complex are provided enter and leave access but not sleep (these people are members of the "complex" group), while others are not granted any access. When a person arrives at a building door that leads to apartments, they will be granted enter and leave access but not sleep permission if they have an apartment in the building (building group membership), while others are not granted access at all. Once in the apartment building, you can search for the laundry room, other apartments, etc., or go to your apartment. If you attempt to enter your apartment you are granted enter, leave, and sleep permissions and are not granted access to other apartments (user level access).
                
    
    So now look at a fragment of the "file system" 
          drwxrw-rw-   complexowner complex             apartment_complex
          -rwxrw-rw-   complexowner complex             apartment_complex/rental_office
          drwxrw----   complexowner complex             apartment_complex/game_room_building
          drwxrw----   complexowner complex_building_a  apartment_complex/apartment_building_a
          -rwx------   renter_a_311 complex_building_a  apartment_complex/apartment_building_a/a_311
          -rwx------   renter_a_312 complex_building_a  apartment_complex/apartment_building_a/a_312
          -rwx------   renter_a_313 complex_building_a  apartment_complex/apartment_building_a/a_313
          -rwxrw----   complexowner complex_building_a  apartment_complex/apartment_building_a/laundry_room
          drwxrw----   complexowner complex_building_a  apartment_complex/apartment_building_a/storage_area
          -rw-------   renter_a_311 complex_building_a  apartment_complex/apartment_building_a/storage_area/a_311
          -rw-------   renter_a_312 complex_building_a  apartment_complex/apartment_building_a/storage_area/a_312
          -rw-------   renter_a_313 complex_building_a  apartment_complex/apartment_building_a/storage_area/a_313
          drwxrw----   complexowner complex_building_b  apartment_complex/apartment_building_b
          -rwx------   renter_b_211 complex_building_a  apartment_complex/apartment_building_b/b_211
          -rwx------   renter_b_212 complex_building_a  apartment_complex/apartment_building_b/b_212
          -rwx------   renter_b_213 complex_building_a  apartment_complex/apartment_building_b/b_213
          -rwxrw----   complexowner complex_building_a  apartment_complex/apartment_building_b/laundry_room
          drwxrw----   complexowner complex_building_a  apartment_complex/apartment_building_b/storage_area
          -rw-------   renter_b_211 complex_building_a  apartment_complex/apartment_building_b/storage_area/b_211
          -rw-------   renter_b_212 complex_building_a  apartment_complex/apartment_building_b/storage_area/b_212
          -rw-------   renter_b_213 complex_building_a  apartment_complex/apartment_building_b/storage_area/b_213
    
    
                Now back to the computer stuff.
            
    
    
    The commands to change ownerships and permissions.
    User ownership
    The command to change the user ownership of one or more files or directories is chown. A common option is -R for changing recursively. A form of this command can change both the user and group ownerships at the same time.
    The general format of the command is:
    
        chown [options] username_or_uid file_or_directory_name ...
    or
        chown [options] username_or_uid:groupname_or_gid file_or_directory_name ...
    
    
    
    Root level access is needed to change the user ownership of a file.
    
    Group ownership
    The command to change the group ownership of one or more files or directories is chgrp. A common option is -R for changing recursively.
    The general format of the command is:
    
        chgrp [options] groupname_or_gid file_or_directory_name ...
    
    
    
    Root level access is not needed by the user owner of the file to change the group to a group of which the user is a member.
    NOTE: Use the id command to see your uid, your primary group, and the groups you are a member of.
    
    
    Permission Setting/Changing
    The command for changing permissions is chmod. It has an older format that we will look at later on. The first format (which is newer and was expected to replace the older form at the time it was introduced) is:
    
        chmod [options] comma_separated_permission_string file_or_directory_name ...
    
    Like the above two commands, a common option is the -R for changing recursively.
    
    While the "permission_string" may seem overly complex, it is designed to be simple and compact.
    There is a character designator for each of the three tiers plus another that means "all" the tiers. These are:
    
        u -- The owning user permission set.
        g -- The owning group permission set.
        o -- any other permission set.
        a -- All three tiers.
    
    
    There are three operators defined for the adjusting the permission bits. These are:
    
        + -- To "Grant additionally" the permission set.
        - -- To "Revoke subtractively" the permission set.
        = -- To "Grant absolute" the permission set.
    
    
    There are several permission bit characters. These are:
    
        r -- Read access
        w -- Write access
        x -- eXecute (or search for directories) access
        X -- execute/search only if the file is a directory or already has execute permission for some user
        s -- SUID or SGID sticky bits
        t -- Restricted delete sticky bit
    
    
    
    Continuing, the simplest method to set permissions is to use each tier designator and the "=" adjustment. For the permission bits, the order rwx (like the "ls -l" command output) is used. For example:
    
    chmod u=rw,g=rw,o=r filename
    
    which assigns the following permissions:
    
        owning user get both "read" and "write" access
        owning group gets both "read" and "write" access
        All others get "read" access.
    
    
    As you can see, both "u" and "g" are the same. So a format is available that needs less typing. These commands give the same results as above:
    
    chmod ug=rw,o=r filename
    
    chmod a=rw,o-w filename
    
    
    The first combines the User and Group ownership into a common permission setting while the latter permits "read" and "write" to all three tiers and then "revokes" the "write" permission from the "other" tier.
    
    The older method (which all administrators must know, as it is used more often than the above at this point in time): the permission bits are represented by their octal (base 8) number. There are four digits in the number and the first is only required when setting sticky bits. But don't get too worried that they are in octal, because you can assign the permission numbers (in base 10) and simply add them together.
    
        r -- Read -- the decimal value 4 (also use 4 for SUID sticky bit)
        w -- Write -- the decimal value 2 (also use 2 for SGID sticky bit)
        x -- eXecute -- the decimal value 1 (also use 1 for "restricted delete" sticky bit)
    
    
    So if you want "read" and "write" permissions simply add 4 and 2 which is 6, and if you want only "read" permission it is simply 4. Put the digits in the order of:
    
        The SUID, SGID, and "restricted delete" sum as the first digit. If none of these are being set, simply forget this digit.
        The sum of the permissions granted to the owning User (or zero for none)
        The sum of the permissions granted to the owning Group (or zero for none)
        The sum of the permissions granted to every one else (or zero for none)
    
    
    Using this method you are always defining every bit of the permissions. After using this for a while, you will not be adding the values, as only a few of the eight digits are commonly used.
    
        Digit   Permissions Granted        Is commonly used
        0       none                       yes
        4       read                       yes
        5       read and execute           yes
        6       read and write             yes
        7       read, write, and execute   yes
        1       execute                    no
        2       write                      no
        3       write and execute          no
    
    So to set the permissions for the above case, it would be simply:
    
    chmod 664 filename
    
    
    Which is why this older method continues to be used after a simpler, but longer, command form was added. There are also a few three-digit patterns typically used, such as:
    
        3-Digit   Permissions Granted
        664       owning user and group "read" and "write" while everyone else only "read".
        775       owning user and group "read", "write", and "execute" while everyone else "read" and "execute".
        600       owning user "read" and "write" while everyone else gets "none".
    
    When a user account is created, the user can belong to one or more groups. Your "gid" is your primary group and the others are group memberships. To see the group memberships of your account you can use the command:
    Code:
    id
    Accounts can have group memberships added or deleted. These changes do not take effect until the next time that the user logs into the computer.
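As an added example (not from the post above or the poster's site), the following POSIX shell script turns the octal rule from that explanation into a function and then checks that the three chmod forms given there (u=rw,g=rw,o=r, a=rw,o-w, and 664) really do produce identical bits. It reads the mode back through ls -l rather than stat so it runs on any POSIX system; the temp files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: derive the octal digits from an rwx string, and show that
# the symbolic and octal chmod forms from the post land on the same bits.

# mode_to_octal RWX: convert a 9-character string such as rw-rw-r--
# (columns 2-10 of "ls -l") to its three octal digits, e.g. 664.
# Each tier is the sum r=4, w=2, x=1 exactly as the post describes.
mode_to_octal() {
    s=$1
    out=""
    for start in 1 4 7; do
        chunk=$(printf '%s' "$s" | cut -c"$start-$((start + 2))")
        n=0
        case $chunk in r??) n=$((n + 4)) ;; esac
        case $chunk in ?w?) n=$((n + 2)) ;; esac
        # lowercase s/t mean "setuid/setgid/sticky AND execute";
        # uppercase S/T mean the special bit is set without execute.
        case $chunk in ??[xst]) n=$((n + 1)) ;; esac
        out="$out$n"
    done
    printf '%s\n' "$out"
}

# current_mode PATH: the nine permission characters of PATH.
current_mode() {
    ls -ld "$1" | cut -c2-10
}

# octal_of PATH: the three-digit octal mode of PATH.
octal_of() {
    mode_to_octal "$(current_mode "$1")"
}

# Apply the three equivalent forms from the post to three temp files
# and print the mode each one ends up with (all three should read 664).
demo() {
    a=$(mktemp); b=$(mktemp); c=$(mktemp)
    chmod u=rw,g=rw,o=r "$a"
    chmod a=rw,o-w "$b"
    chmod 664 "$c"
    printf 'symbolic: %s  combined: %s  octal: %s\n' \
        "$(octal_of "$a")" "$(octal_of "$b")" "$(octal_of "$c")"
    rm -f "$a" "$b" "$c"
}
demo
```

Reading the mode back after every chmod is the habit worth taking from this: the symbolic form with + and - is relative to whatever bits were already there, so on a file you did not create the result can differ from what you pictured, and the octal form (or = in symbolic form) is the one that sets every bit explicitly.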
