Managing access to files in GNU/Linux distributions is a basic administration task. The chown and chmod commands are closely related and together determine who is allowed to manipulate objects and to what extent.
These utilities are run from the terminal; many file managers also let you assign permissions graphically, but only in a limited form.
Access is defined separately for the user (the owner), the group and others. A separate rule is set for each of these classes, so it is not necessary to give everyone access.
Let’s start with the chown command. Using it, you can change the owner or group of objects (in other words, files, since everything in GNU/Linux is presented in this form). This affects the established access permissions to them.
To view the owner of a file, enter:
The third and fourth fields show the owner name and the group name. Usually they coincide, but there are cases when they need to differ.
To change the current owner to the new one, use the command:
chown root OBJECT
where OBJECT is the name of the file (or several names separated by spaces). You can also put the -R flag in front of the name of a directory to perform the operation recursively, thereby affecting all nested objects.
If a terminal indicates that there is not enough permission to perform this action, first add sudo:
sudo chown root OBJECT
To change the group as well, give it after a colon:
chown root:root OBJECT
To change only the group, leave the owner part empty:
chown :root OBJECT
In addition to the recursive flag, there are other options (similar to those of chmod). For example, --from restricts the change to objects that currently have the specified owner and group. It makes sense to use it together with recursion:
chown --from=anton:anton http:http -R OBJECT
Now let's move on to the chmod command. It allows you to change the access permissions of any system object, except symbolic links (by default).
There are 3 types of file interactions: reading, writing, and execution. To view the specified rules for objects, enter:
In the listing, the leftmost column reads as follows. The first character gives the type of the file ("-" for a regular file, "d" for a directory, and so on); it is followed by three groups of three characters: the first describes the access permissions for the user (not necessarily the owner of the object), the second for the members of the group, and the third for everyone else not included in either category.
Each of these characters determines one type of access: read, write or execute. A hyphen (minus) in a position means the corresponding action is forbidden. Reading means opening a file and viewing its contents; writing allows you to change the object; execution allows you to run the program or script.
Regarding directories, removing a single permission bit has the following effect ("+" means the operation still works, "–" means it is refused):

| Operation | Only read forbidden | Only write forbidden | Only execute forbidden |
|---|---|---|---|
| change into the folder | + | + | – |
| view files in the folder | – | + | + |
| remove files in the folder | + | – | – |
| create/modify files in the folder | + | + | – |
You may notice that the effect of forbidding read is directly opposite to the effect of forbidding execute. Depending on the access permissions, the owner can move and delete objects created on his behalf.
Note! This article does not cover changing the Set-User-ID and Set-Group-ID bits, because of their specialized use.
These rules can be changed in two ways, described below.
Each permission letter corresponds to one binary digit: 0 means deny, 1 means allow. The three bits of a class are always written together (even if only one of them needs to change). Writing everything in ones and zeros is inconvenient, so the rule for each class is written instead as one digit of the octal number system.
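As an added example (not part of the original article), this script creates a scratch directory with one permission bit removed from the owner's triple and probes which operations from the table still succeed. It assumes POSIX sh with mktemp and a non-root account, since root bypasses these permission checks altogether.

```shell
#!/bin/sh
# Added example (not from the original article): create a scratch directory
# with one owner bit removed and probe which operations still succeed, so
# the directory table can be checked on a real system. Assumes POSIX sh and
# a non-root account: root bypasses these permission checks entirely.

# probe_dir MODE  ->  "enter=.. list=.. create=.. remove=.."
probe_dir() {
    base=$(mktemp -d)
    mkdir "$base/d"
    : > "$base/d/old"              # a pre-existing file to list and delete
    chmod "$1" "$base/d"           # 300 = no read, 500 = no write, 600 = no execute
    enter=no; list=no; create=no; remove=no
    ( cd "$base/d" ) 2>/dev/null && enter=yes         # "change into the folder"
    ls "$base/d" >/dev/null 2>&1 && list=yes          # "view files in the folder"
    ( : > "$base/d/new" ) 2>/dev/null && create=yes   # "create/modify files"
    rm -f "$base/d/old" 2>/dev/null && remove=yes     # "remove files"
    chmod 700 "$base/d"            # restore so the cleanup below can succeed
    rm -rf "$base"
    echo "enter=$enter list=$list create=$create remove=$remove"
}

# run the three single-bit cases from the table
for m in 300 500 600; do
    echo "mode $m: $(probe_dir "$m")"
done
```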
For example, the rule 100 (one zero zero) in binary means that the file can only be read; writing and execution are forbidden. The octal equivalent of this number is 4. If the whole record looks like 400, the user can only read the file, while the group and everyone else are forbidden from doing anything:
chmod 400 OBJECT
where OBJECT is the name of the file (or several names separated by spaces). You can also put the -R flag in front of the name of a directory to perform the operation recursively, thereby affecting all nested objects.
Below is a table of the ratio of binary and octal forms of access permissions.
The symbolic method does the same, only in a simpler and more readable form. It states explicitly for whom to change the permissions (user, group, other or all) and what to change (r, w, x). To add permissions use the "+" sign, to remove them "-". The equal sign "=" sets exactly the listed permissions on the object; it is also used when creating objects to give them a distribution of permissions that differs from the default.
To enable the owner to read and write to the file, and the group and others to read only, the following construction is used:
chmod u+rw,go=r OBJECT
To forbid everyone from executing a file:
chmod a-x OBJECT
which is equivalent to:
chmod ugo-x OBJECT
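As an added example that is not from the original article, the following script covers both notations: it converts between octal digits and the rwx triples that ls -l prints, applies a mode in either form to a scratch file and reads the result back, and prints the binary/octal table referred to above. It assumes only POSIX sh, ls, chmod and mktemp.

```shell
#!/bin/sh
# Added example (not from the original article): the octal <-> rwx mapping
# described in the text, plus a check that applies a mode in either notation
# to a scratch file and reads the result back through ls -l.
# Assumes only POSIX sh, ls, chmod and mktemp; root is not required.

# rwx_of_digit 6  ->  rw-   (one octal digit to one r/w/x triple)
rwx_of_digit() {
    d="$1"; r=-; w=-; x=-
    [ $((d & 4)) -ne 0 ] && r=r       # binary 100 = read
    [ $((d & 2)) -ne 0 ] && w=w       # binary 010 = write
    [ $((d & 1)) -ne 0 ] && x=x       # binary 001 = execute
    printf '%s\n' "$r$w$x"
}

# rwx_to_octal "rw-r--r--"  ->  644  (the nine characters ls -l prints)
rwx_to_octal() {
    bits="$1"; out=""; digit=0; i=1
    while [ "$i" -le 9 ]; do
        case $(printf %s "$bits" | cut -c"$i") in
            r) digit=$((digit + 4)) ;;
            w) digit=$((digit + 2)) ;;
            x) digit=$((digit + 1)) ;;
        esac
        # every third character closes one triple: user, group, others
        if [ $((i % 3)) -eq 0 ]; then out="$out$digit"; digit=0; fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# mode_after "u+rw,go=r"  ->  644 : apply MODE (octal or symbolic) to a
# fresh file (mktemp creates it as 600) and report the resulting octal mode
mode_after() {
    f=$(mktemp)
    chmod "$1" "$f"
    perms=$(ls -l "$f" | cut -c2-10)   # columns 2-10 hold the rwx triples
    rm -f "$f"
    rwx_to_octal "$perms"
}

# the binary/octal correspondence for all eight digits: digit, bits, triple
octal_table() {
    d=0
    while [ "$d" -le 7 ]; do
        printf '%d  %d%d%d  %s\n' "$d" $(( (d >> 2) & 1 )) $(( (d >> 1) & 1 )) $(( d & 1 )) "$(rwx_of_digit "$d")"
        d=$((d + 1))
    done
}
```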
A detailed description of chmod and chown can also be found in the man pages (man chmod, man chown).