- 10-10-2011 #1Banned
- Join Date
- Aug 2011
- Posts
- 43
File & Directory permissions and groups
I've been using Linux for about 1 and a half years now and I don't fully understand how file & directory permissions and groups work.
When I view properties of a folder in GNOME2, I see "Group" and then a group selected. What I don't get is what are the other groups in the drop down menu - I mean, are they the groups that also have permission to the folder, or is the selected group the only group that has permission?
I want to allow the group www-data to have permission to a folder, but I cannot see the group in the menu. How do I go about getting it in there, or how can I give www-data permission via terminal... I think it's with chgrp.
Argh! I used to love being able to tinker and explore computers to teach myself, but as I get older there seem to be fewer hours in a day!
- 10-10-2011 #2Linux Guru
- Join Date
- Oct 2007
- Location
- Tucson AZ
- Posts
- 1,939
"is the selected group the only group that has permission?"
Yes.
You change the group with the chgrp command. If you have a folder named junk in your /var/www directory that you want to have www-data as the group you would navigate in the terminal to /var/www directory and as root do:
Code:chgrp -R www-data junk/
The -R changes the group in sub-directories and files. You also can set the owner with chown command and permissions with chmod command. Do you have a www-data group? Type group in a terminal and you should see output.
There are numerous tutorials on using these commands online as they are very commonly used.
- 10-10-2011 #3
Check out groupadd.
groupadd - Linux Command - Unix Command
Managing Linux group Access
Linux Tutorial - Managing Group Access on Linux and UNIX
And finally, it's probably best if you also view the man pages on your system with these commands.
Code:man groupadd
Code:man chown
Code:man chgrp
I do not respond to private messages asking for Linux help, Please keep it on the forums only.
All new users please read this.** Forum FAQS. ** Adopt an unanswered post.
- 10-10-2011 #4Banned
- Join Date
- Aug 2011
- Posts
- 43
Cool, thanks guys.
Well, I had a quick read of the manual for groupadd:
SYNOPSIS says
Code:groupadd [options] group
Are options necessary? Or can I just create a group by using
Code:groupadd groupname
?
- 10-10-2011 #5
I believe options are just that, optional.
- 10-10-2011 #6Banned
- Join Date
- Aug 2011
- Posts
- 43
Also, once I make a group, how can I then add a user to the group?
- 10-10-2011 #7
- 10-10-2011 #8Linux Guru
- Join Date
- Oct 2007
- Location
- Tucson AZ
- Posts
- 1,939
The link below has some simple examples which should help:
Howto: Linux Add User To Group
- 10-10-2011 #9Just Joined!
- Join Date
- Aug 2011
- Posts
- 6
- 10-10-2011 #10Linux User
- Join Date
- Jan 2005
- Location
- Saint Paul, MN
- Posts
- 262
Taken from my web site for Linux Learning (which is still in development) is how I explain permissions:
Note: formatting has been mostly stripped.
When a user account is created, the user can belong to one or more groups. Your "gid" is your primary group and the others are group memberships. To see the group memberships of your account you can use the command:
Code:id
Accounts can have group membership added or deleted. These changes do not take effect until the next time that the user logs into the computer.

Directory and file permissions are assigned on a three tier system.

Looking at a three tier access model

A multiple building apartment complex and some set of people will serve as a working model of a three tier permission system. The buildings within the complex may contain similar items such as apartments; however, some buildings may have more unique items such as a "game room" or "pool" that are shared across the buildings.

Fine you say, but how is this getting us to a permission model? The people are treated as "Users" of the complex. Some of the people are not tenants of the complex. These people will only have access that is declared as "Other" (or the "World" if the set is really really big). Some of the people are tenants and are declared "members" of the complex as a whole and "members" of the building containing their rented apartment (group membership). The renter of an apartment is the "User" of a specific apartment.

Now the complex to computer is being mapped as:

    The whole complex ---------------------------------- A "file system"
    A building ----------------------------------------- A "directory"
    An item in a building (i.e. apartment, pool, etc) -- A "file"
    A person ------------------------------------------- A "user"

A person arrives at a building door (the door is to the "rental office"). The rental office grants everyone the right to enter and leave but does not grant them the right to sleep. (One could see enter, leave, and sleep as alternates to the file permissions of read, write, and execute. But that is another story.) If the person arrives at the door to the "game room", only tenants of the complex are provided enter and leave access but not sleep (these people are members of the "complex" group), while others are not granted any access. When a person arrives at a building door that is to apartments, they will be granted enter and leave access but not sleep permission if they have an apartment in the building (building group membership), while others are not granted access at all. Once in the apartment building, you can search for the laundry room, other apartments, etc or go to your apartment. If you attempt to enter your apartment you are granted enter, leave, and sleep permissions and not granted access to other apartments (user level access).

So now look at a fragment of the "file system":

    drwxrw-rw- complexowner complex            apartment_complex
    -rwxrw-rw- complexowner complex            apartment_complex/rental_office
    drwxrw---- complexowner complex            apartment_complex/game_room_building
    drwxrw---- complexowner complex_building_a apartment_complex/apartment_building_a
    -rwx------ renter_a_311 complex_building_a apartment_complex/apartment_building_a/a_311
    -rwx------ renter_a_312 complex_building_a apartment_complex/apartment_building_a/a_312
    -rwx------ renter_a_313 complex_building_a apartment_complex/apartment_building_a/a_313
    -rwxrw---- complexowner complex_building_a apartment_complex/apartment_building_a/laundry_room
    drwxrw---- complexowner complex_building_a apartment_complex/apartment_building_a/storage_area
    -rw------- renter_a_311 complex_building_a apartment_complex/apartment_building_a/storage_area/a_311
    -rw------- renter_a_312 complex_building_a apartment_complex/apartment_building_a/storage_area/a_312
    -rw------- renter_a_313 complex_building_a apartment_complex/apartment_building_a/storage_area/a_313
    drwxrw---- complexowner complex_building_b apartment_complex/apartment_building_b
    -rwx------ renter_b_211 complex_building_a apartment_complex/apartment_building_b/b_211
    -rwx------ renter_b_212 complex_building_a apartment_complex/apartment_building_b/b_212
    -rwx------ renter_b_213 complex_building_a apartment_complex/apartment_building_b/b_213
    -rwxrw---- complexowner complex_building_a apartment_complex/apartment_building_b/laundry_room
    drwxrw---- complexowner complex_building_a apartment_complex/apartment_building_b/storage_area
    -rw------- renter_b_211 complex_building_a apartment_complex/apartment_building_b/storage_area/b_211
    -rw------- renter_b_212 complex_building_a apartment_complex/apartment_building_b/storage_area/b_212
    -rw------- renter_b_213 complex_building_a apartment_complex/apartment_building_b/storage_area/b_213

Now back to the computer stuff. The commands to change ownerships and permissions.

User ownership

The command to change the user ownership of one or more files or directories is chown. A common option is -R for changing recursively. A form of this command can change both the user and group ownerships at the same time. The general format of the command is:

    chown [options] username_or_uid file_or_directory_name ...

or

    chown [options] username_or_uid:groupname_or_gid file_or_directory_name ...

Root level access is needed to change the user ownership of a file.

Group ownership

The command to change the group ownership of one or more files or directories is chgrp. A common option is -R for changing recursively. The general format of the command is:

    chgrp [options] groupname_or_gid file_or_directory_name ...

Root level access is not needed by the user owner of the file to change the group to a group in which the user has membership.

NOTE: Use the command id to see the uid, primary group membership, and the groups of which you are a member.

Permission Setting/Changing

The command for changing permissions is chmod. It has an older format that we will look at later on. The first format (which is newer and was expected to replace the older form at the time it was introduced) is:

    chmod [options] comma_separated_permission_string file_or_directory_name ...

Like the above two commands, a common option is -R for changing recursively.

While the "permission_string" may seem overly complex, they are designed to be simple and compact. There is a character designator for each of the three tiers plus another that means "all" the tiers. These are:

    u -- The owning user permission set.
    g -- The owning group permission set.
    o -- any other permission set.
    a -- All three tiers.

There are three operators defined for adjusting the permission bits. These are:

    + -- To "Grant additionally" the permission set.
    - -- To "Revoke subtractively" the permission set.
    = -- To "Grant absolute" the permission set.

There are several permission bit characters. These are:

    r -- Read access
    w -- Write access
    x -- eXecute (or search for directories) access
    X -- FIXME: : execute/search only if the file is a directory or already has execute permission for some user
    s -- SUID or SGID sticky bits
    t -- Restricted delete sticky bit

Continuing, the most simple method to set permissions is to use each tier designator and the "=" adjustment. As far as the permission bits, the order of rwx (like the "ls -l" command output) is used. For example:

    chmod u=rw,g=rw,o=r filename

which assigns the following permissions:

    owning user gets both "read" and "write" access
    owning group gets both "read" and "write" access
    All others get "read" access.

As you see, both "u" and "g" are the same. So a format is available that has less typing. These commands are the same as above in results:

    chmod ug=rw,o=r filename
    chmod a=rw,o-w filename

The first combines the User and Group ownership into a common permission setting while the latter permits "read" and "write" to all three tiers and then "revokes" the "write" permission from the "other" tier.

The older method (which all administrators must know as it is used more often than the above at this point in time). The permission bits are represented by their octal (base 8) number. There are four digits in the number and the first is only required when setting sticky bits. But don't get too worried that they are in octal because you can assign the permissions numbers (in base 10 and simply add them together).

    r -- Read -- the decimal value 4 (also use 4 for SUID sticky bit)
    w -- Write -- the decimal value 2 (also use 2 for SGID sticky bit)
    x -- eXecute -- the decimal value 1 (also use 1 for "restricted delete" sticky bit)

So if you want "read" and "write" permissions simply add 4 and 2 which is 6, and if you want only "read" permission it is simply 4. Put the digits in the order of:

    The SUID, SGID, and "restricted delete" sum as the first digit. If none of these are being set, simply forget this digit.
    The sum of the permissions granted to the owning User (or zero for none)
    The sum of the permissions granted to the owning Group (or zero for none)
    The sum of the permissions granted to every one else (or zero for none)

Using this method you are always defining every bit of the permissions. After using this for a while, you will not be adding the values as only a few of the eight digits are commonly used.

    Digit  Permissions Granted        Is commonly used
    0      none                       yes
    4      read                       yes
    5      read and execute           yes
    6      read and write             yes
    7      read, write, and execute   yes
    1      execute                    no
    2      write                      no
    3      write and execute          no

So to set the permissions for the above case, it would be simply:

    chmod 664 filename

Which is why this older method continues after a simpler method but longer command was added. There are also a few three digit patterns typically used such as:

    3-Digit  Permissions Granted
    664      owning user and group "read" and "write" while every one else only "read".
    775      owning user and group "read", "write", and "execute" while every one else "read" and "execute".
    600      owning user "read" and "write" while every one else gets "none".


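Added example (not part of the original posts): a shell script that checks the symbolic chmod forms from post #10 against their octal value and applies the chgrp -R step from post #2 together with g+rX to a scratch tree. It assumes GNU coreutils (stat -c); the helper names mode_of, apply_mode, share_tree and demo are hypothetical, the tree is constructed sample data, and the caller's own GID stands in for www-data so no root is needed.

```shell
#!/bin/sh
# Added example. Assumes GNU coreutils (stat -c); helper names are hypothetical.

# Print the octal permission bits of a path, e.g. 664.
mode_of() { stat -c '%a' "$1"; }

# Put a scratch file into mode START, apply the chmod expression EXPR,
# and print the resulting octal mode.
apply_mode() {  # usage: apply_mode START EXPR
    f=$(mktemp) || return 1
    chmod "$1" "$f" && chmod "$2" "$f" && mode_of "$f"
    rm -f "$f"
}

# Hand a directory tree to a group: chgrp -R sets the owning group, and
# g+rX adds group read everywhere but search/execute only on directories
# and on files that already carry an execute bit.
share_tree() {  # usage: share_tree DIR GROUP
    chgrp -R "$2" "$1" && chmod -R g+rX "$1"
}

# Constructed sample tree; the caller's own GID stands in for www-data
# so the demo runs without root.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/junk/sub"
    : > "$d/junk/sub/page.html"
    : > "$d/junk/run.sh"
    chmod 700 "$d/junk" "$d/junk/sub" "$d/junk/run.sh"
    chmod 600 "$d/junk/sub/page.html"
    share_tree "$d/junk" "$(id -g)"
    echo "$(mode_of "$d/junk") $(mode_of "$d/junk/sub")" \
         "$(mode_of "$d/junk/sub/page.html") $(mode_of "$d/junk/run.sh")"
    rm -rf "$d"
}

demo
```

apply_mode 777 o-w yields 775 while apply_mode 600 o-w yields 600: the + and - operators depend on the mode the file already has, whereas = and the octal form set every bit outright.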
