31. File and Directory Permissions / Files Ownership
As I previously stated, when you create that file, whichever group your primary group is becomes the owner. Let’s say I’m a user who didn’t create your file, but I want to look at your file. My primary group might be primary group Blue, and you, as the owner of that file, have primary group Red. Well, maybe I am a member of the red group, but it’s not my primary group.
So in order for me to look at that file, I actually have to change my primary group to match the primary group with the file. In this case, change it to red. And I can do that with the new group command. That way, I can then have permission to look into that file. Also, on the file itself, if you want to change the owner or change the primary group, there are commands. They resemble a swarm of chickens, for example. I love the way you try to pronounce these, but it’s chon for change of ownership and ch GRP for change of group. And those commands allow you to change the user owner and the group owner of every one of those files. And you just have to list which user and which group are going to be changed.
32. Demo – File and Directory Permissions
All right. Now we’re going to take a look at working with files and permissions now that we have a couple of users, and we’re going to look at the contents of the home directory here on the live user and see that we don’t have any fun at all. We have nothing but directories. So, basically, we’re going to try to make that change. Now let’s also see what group I belong to. I’m going to type in groups, and it tells me that I’m a member of the root bin, Damon, on the sysadmin disc isk wheel. So I know basically which one of those I’m a member of. And the reason that’s important is that, as we talked about, at some point I may have to change my primary group to be able to get some of these permissions. All right? So now what I’m going to do is create a file.
I’m going to use the command touch, and we’re going to create one called sample file. Just like that, I’ll list it, and you can see there’s a sample file. And it’s telling me here that it’s a file that I, as the root user, have read and written, that my primary group root has read, and that the other categories have read. All right? So that doesn’t mean that anybody else has permission unless they’re in the root group. So that meant that if I let somebody like Jane try to open that file, they would be unsuccessful. So I’m going to change the ownership of the file and give it to Jane Doe, which was the sample file. Now that I am the owner, I’m allowed to do that. Now let’s do that same LS command. And we can see now that read and write are still given to the owner, but that is Jane Doe. Now, we didn’t change the group information.
So because I am in the root group, I do have reading ability. Remember, there are three separate columns that we have. Okay, well, in that same line, we probably want to change the group anyway for that sample file. As a result, we’ll use the changegroup command Jane Doe sample file. Remember that there was an automatic group called JaneDoe as well as a group named after the user. Now let’s do that LS command, and it’s Jane Doe all the way across. which means that if I actually tried to open the file, it doesn’t give me anything, but it shouldn’t give me anything because I technically don’t have any permissions. I am the route, but it’s also an empty file. Okay? So just like that, I was able to change the groups and the ownership. Now this is probably the one area where I said that you don’t have the same strengths as some other operating systems, and that is in the working of a complex set of permissions for each of these files. All right, so now we’re going to go places. I’m going to open up my home folder.
And this is the live user. And under Live User, let’s take a look up here real quick. When I do the PWD, okay, I’ve been doing all this work in the Live user folder. Let’s minimise this background command line. In fact, there it is: a sample file. and let’s see what we can do. I’m going to right-click it. I’m going to go to its properties. And when I look at the properties, I’m going to look at permissions. So I see the owner; I see the group that is present. And I noticed that a lot of this stuff is blanked out. And it tells me right at the bottom that I’m not the owner, so I can’t change these permissions. Well, that’s pretty straightforward. It’s telling me that there’s nothing I can do about it. Now, I am logged in as root on this other system, so I technically could get away with it and do some bad stuff to it if I really wanted to. Anyway, that’s the permissions tab. I’m going to go ahead and close it since there’s nothing I can do with it. And I’m going to right-click an empty spot up here, and I’m going to go to “create document” in an empty file. I’m going to give it a name: Second Sample. I did spell that, right? Okay, second Sample, that’s my new one.
So I had a sample file. There’s my second sample. It doesn’t have a padlock on it, and that is because I created it. Therefore, I am the owner. If I go to the properties of it and go to the permissions tab, look at all that stuff I can do, which includes, by the way, changing any information about groups. If I had other groups on there, or if the owner or another user accessed them, or even if I marked it as an executable file, which it isn’t, So I’ll leave it alone. All right. So now that I am the actual owner, I can make some other changes. So it gives me some permissions, okay? So I’m going to close this down and leave it be. And that was a very simple way to work with permissions using a command line and the gooey.
33. Files and Directory Permission
Now on our files and directories, what we’re going to see is a combination of permissions that are listed to three areas or three entities, and that’s going to be user group and other. So when you look at permissions, you’re actually going to see three columns based on user group and other. And in those columns, you’re going to have some options for permissions, with those permissions being read, write, and execute. and each one of those represents a binary position. If you think about it, that’s all computers read as binary.
So when we talk about permissions, for example, if you think of “read, write, execute” as a three-digit binary number, that means I have three zeros, three ones, or some combination of zeros and ones. But three of those digits, the very leftmost column, would be the read bit; the second or middle column would be the right bit; and the far right would be the execute bit. Now, if you want to look at it technically, the high-order bit is the one on the left. So the high-order bit is read, then it’s right, then execute. In binary, those columns represent a power of two. If I go with the highest-order bit, the read bit, in fact, this might be easier. Let’s go to the far right-hand side. We’ll proceed to the low-order bit, the execute. That represents the ones column, the middle bit, and represents two to the zero. The second bit in the right bit represents two to the first power, and the read bit represents the third column, or two to the second power.
So that’s really three columns, right? All powers of two One was two to the power of zero power.One is two to the first power. The third column is two to the second power. Now, I know that you heard me say “second power.” Remember, that was three columns: zero, one, and two for the exponents on the power of two. All right? So those have numerical answers based on which of those columns has one meaning or is true. So we’ll cover that again, even. But I’m kind of putting that in your head now so you can think about that, let it percolate as we get into the permissions, and actually discover how you can determine what your permissions are.
34. The Mode
So now when you go in and you take a look at the directory and file permissions, we’re going to look inside this thing we call the inode. Remember, that was the metadata about your files or your directories. Metadata is information about your information. Now, on the far left side, in the leftmost columns, is a section of that file known as the mode. The mode has three sections that describe the permissions assigned to the three entities we talked about: user, group, and others. Now the nice thing is that we see these not as numerical references, but we see them as the alphabetic characters that describe, read, write, and execute. If I see a dash, then that means to me that it does not have that permission or that absence. You have read if you see an R. If in that column you see a dash, then it means it’s not read, you don’t have it, and it’s not been given to you. So that’s kind of how you would read it.
Now, technically, if you were to look at it, you’d actually see a little column. The far leftmost column would have things like a D, a P, or a dash. Okay, that’s kind of the file type. So if you get past the “D” for directory or the “P” for program, that’s your file type. We’re going to go over the very next character, who starts this thing that’s called the mode. Also, keep in mind that it goes user, group, and other. And so I expect to see three values—read, write, execute—and then another three values—read, write, execute—and then another three values—read, write, execute. So those are the types of things I’m expecting to see in each of those columns. Now, again, you might not have executed, especially on something like a picture file. The film fails to deliver.
As a result, you might see ReadWrite, RW. Well, that would tell me in the first column that those were the user’s permissions. Read, write, but do not execute in this case. The group permissions are next, where “R” means they have read-only access. And then the other, which we haven’t really gotten to yet, would be the R, or again, the read-only for the other. We’ll talk about each other. That’s coming up. All right. So that’s how you read through those permissions. And like I said, it’s very nice and easy forus to read because they use alphabetic characters to represent the permissions rather than a numeric value, as I was trying to explain in the binary listings. But we’re still going to talk about it because we can still use the numeric values when changing permissions.
35. Mode Explained
All right, so to better explain the mode, I kind of blew up a picture of the mode. Remember, the very first column is what we call the type. What type of file is it? Then it goes into sets of three characters, which are the user permissions, the group permissions, and the other permissions. And each of those will get done as we need to.
But I think it’s pretty straightforward. The user and the group. When you return to the inode, the user group is listed alongside who is the owner user and who is the primary group that has permissions assigned to it. So you’ll see that in the same line. So that user can be compared to that owner, and that group to that group. And again, we’ll get into the other stuff here in a bit. All right, so that is the mode. So it’s the file type, and then the permissions are always in a nice alphabetic character representation, as I said, rather than the actual numeric values that we use when issuing commands.
36. Demo – Viewing File Permissions
We’re going to take a real quick look here at viewing file permissions and seeing what it takes—something we’ve kind of looked at already. You can tell I’m in the home directory, and the LSL gives me the long format and allows me to see permissions, so I’ll put it with a capital F. So you can kind of tell by looking at the end that it’s a folder directory or a file. And remember, the way the permissions work is that I give the owner three permissions: read, write, execute, followed by the primary group: read, execute. In this case, no, right?
And the others, who in this case have read and executed. And that’s for this particular thing; that’s a desktop, which is, according to this, a directory. If it’s blank like this or has a dash, that is a file. And this is a file that we changed in an earlier demonstration to have Jane Doe as the owner and primary group. Okay? So now I can go to my applications, or actually places, open up my home folder, right-click a file, go to its properties, go to permissions, and here I can see the owner, I can see what they are, but I can’t make these changes because I’m not the owner. If I take a look at this other file, I’ll right-click in Properties and go to its Permissions tab. This is one that I can change because I am the one who created it and I have the ability to make changes to the permissions. So just like that, it’s very straightforward to be able to see the permissions of any of these files.
37. Changing Permissions
Now, if you need to, you can programmatically—through the command line in your shell—change the permissions of any file or directory. The command we use is chmod, or change the mode. Remember that the mode is the thing with the permissions, and you would then list the permissions that you’re adding to it and the name of the file in the directory.
Now, the actual way in which I would put this together is to talk about the entities’ permissions that I’m changing, and I would use a plus sign if I’m adding the permission or a minus sign if I’m taking it away. So as an example, if I had a command that said chmod g, that’s the group plus w, which means I’m adding, right? And then list the file that I’m adding that to, and you’ve got the change to the mode; you’ve changed the permissions for the group, the primary group, by adding the right permissions. So obviously you have users and others, and you could subtract R and subtract the E for execute. I mean, you’ve got your choice of pluses or minuses, but don’t forget the name of the file that you’re making these changes to.
38. Numeric Syntax
Now, numerically, the values of your permissions are seen as binary. Now, I know we do everything we can to avoid actually having to learn binary. and I don’t know why. It’s not that hard of a number system. It’s just that we’re used to everything being on a base-ten decimal system. So we got to figure out how to convert those binary figures to a decimal representation, and we wondered, what does it mean?
Well, a little while ago, I started, I hope, a thought process in your head about three binary columns. The high-order bit is represented by the two to the second power, and the next bit to the right is the right bit. That worked out pretty well as being two to the first power and the lowest order bit, with the rightmost bit being two to the zero power. Remember that two to the power of zero, or any number to the power of zero, equals one. If you don’t believe me, wait till you have kids taking algebra; then you’ll remember those rules. So anyway, two to the first power is two to the second, which is four. Now, from there, I have to use those combinations.
So if I want you to have read permission in that high-order leftmost column, I have to change the zero to a one. By putting a one in that column, I’m actually saying that that column represents two to the second power, or the value four. So by having put a one for true or on in that column, numerically, I’ve just created a value of four. Now, if I want you to also have the right permission, well, then in that middle column, I have to turn zero to one. When I turn that on, that represents two to the first power, or two. So I need to have the value of two. Well, the problem is that I also want the value four to represent the read permission being set.
So technically, I have to count both columns together. So now the value would be six. So, if I had a permission of six, I’d say you’ve turned on two to the second power reading. You have to add two to the first power turned on, and that’s six. In fact, if you have all three columns turned on, a one in each column numerically would be represented by four plus two plus one, or seven. Now, I hope that that makes some sense, and you can look at several charts to make some sense out of that. So, if I say change a user’s permission to seven, that means there’s one in each of those three columns, and they have read, write, and execute permissions.
Now, I’m going to beat this up until I feel that you’re comfortable and you understand what we’re saying. And since I can’t see you, I’m going to just beat it up until I feel like you should be comfortable. Let’s say I only want you to have read permission. I would set your numeric equivalent of permission to just four, because the read bit is in the column of two to the second power. So if I turn it on for two to the second power, that’s a4. I don’t want you to have to write anything, so that’s a zero. I don’t want you to execute; that’s a zero. Add it all up. Four plus zero plus zero is four. So you would only have reading permission. If I want you to have read and execute, which means that you can open a file or, if it’s a program, you can execute the thing, then the value would be five. Because you have read two to the second power, that’s equal to four. Right was turned off, zero; execute was enabled. That’s twos to the power of zero or one. So what are my left four?
A zero and a one added up. That’s five. So that’s your permission. And you do it for each user, or for the user, as well as for the group and the other. You set those permissions. Now, by default, a directory, when it is created, has all of those set to seven. In other words, the users, groups, and others have full permissions to every directory you create. And, until you change it, every file you create has permissions 6, 6, 6. I know that doesn’t sound right to some of you. That is, read, write, read, write, read, write, read, write. Now, most of the time, what you’re putting in there is a file. And so you don’t actually have to worry about the file. So you don’t have to worry about the execute permission because if it’s not a program, you’re not executing anything things. So that’s normal. To have six, six, six for the user group and the other, you could call it full control of that file.
39. Default Permissions
Knowing those defaults, you might not like them and want to change those defaults. And we can create a mask called a umask that we can apply to these default permissions, so that when things are created, we can actually start subtracting some of those permissions so that our defaults don’t have to be as wide open as they are by default. In fact, that’s something you need to remember. And I’m going down the side road of security.
Many operating systems have a very low level of security by default, and by giving everything automatic full control, everyone has full control of all files, those defaults are very user friendly. And I hate to say this when I’m talking about Linux, so just bear with me because I thought it was funny. very plug-and-playish. You install the operating system, create a file, and it works. You don’t need to understand how or why. It just does. All right? That’s how a lot of operating systems have been designed and developed. I’m trying to tell you that might not be good for your enterprise or your solution. So you can use what we call the umask.
40. Demo – Changing File Permissions
All right. Now we’re going to look at changing some file permissions. Now to do this, we’re going to use a couple of commands we haven’t seen before, and I’ve certainly used some that we have in this case. I’m going to use the same LF so you can see the existing permissions and remember that we talked about these read writes and this little blank, the X for execute, which each had a different value based on its binary position. Basically, read was a 4, write was a 2, and execute was a 1. And if you add them all up, it’s a seven. Well, if I add this up, that looks like four plus two, which is six, and this looks like a four, and this looks like a four as well.
In fact, I see down here that this looks like it’s going to be a six six four in the type of permissions that it has for this file called Second Sample. In fact, that’s what I’m going to work with because it’s set up for the live user, which is who I originally logged in as, so we’re going to make those changes rather than doing that as the root user. Now the command we’re going to do is change the mode. Remember those columns are called the mode, and we’re going to change it to seven, seven, seven. For that file called Second Sample, I’ll hit the enter key, and now we’ll take a look at that same file. And now you see a second sample here. It’s got a whole new color, and it’s available for everybody. It’s read, write, execute all the way through. One of the most significant changes is that it now has execute permission all over the place, which it did not previously have. So it’s actually looking at this as an executable file rather than just a blank file.
All right, so just like that, we made some changes. Now we’ll go to our graphical location for the home folder, and we have Second Sample here. We’re going to right-click this, bring up its properties, go to its permissions, and we can see that we have the permissions that we can change here for this being a particular file. And here, where it says “Execute,” it says “execute the files of the program.” So I kind of added that on. Really, I’m going to turn that off and say, “Okay, let’s not execute this” and close things down. Now let’s go do that same LF command. And look at that. We kind of went back to where we were before, not quite in the sense that the right is still available for the other person, for the other group, or for the other mode. We did, however, get you to the X. So it’s no longer seven, seven, seven, and that little green colour indicates that Second Sample is no longer an executable program. Similarly, you can use change modes to make the changes. You can make the changes in the GUI. And you can have all sorts of fun putting that together.
