Linux Basics: Understanding File Ownership And Permissions

March 24th, 2008

While the basics of web hosting are not that complex, it’s important to know what you’re doing in order to keep your web server efficient and secure.

As many web servers out there are running on Linux while most workstations are running on Windows, mastering Linux administration concepts can be confusing at first. Today we’re going to see the basics of file and directory ownership and permissions.

File & Directory Ownership

File ownership on Linux is quite different from (and simpler than) file ownership on Windows. A file or directory is owned by exactly one user and one group. It can’t be owned by more than a single user and a single group at a time. In a command shell, issue this command to get a detailed file list:

# ls -al

Here is an example of a directory listing:

drwxrwxr-x 3 apache web2 4096 Feb 29 08:38 .
drwxr-xr-x 8 apache web2 4096 Feb 29 08:38 ..
drwxrwxr-x 2 apache web2 4096 Feb 29 08:38 error
-rw-rw-r-- 1 apache web2 1208 Feb 29 08:38 index.html

The third and fourth columns respectively show the user and the group owners. Here we see that the “apache” user and the “web2” user group own the file index.html. In this case, the “apache” user is the account under which the web server process is running.

In order to change the ownership of a file, you must have shell access, as it has to be done from the command line:

# chown [user]:[group] filename_or_directory

To recursively change the ownership of a directory, use:

# chown -R [user]:[group] directory

Unfortunately this can’t be done through FTP. There might be some web-based file managers that can do this though.

File & Directory Permissions

A file or directory can only have three different permissions: read, write and execute. These file permissions are applied to:

  • the owner user
  • the owner group
  • others (everyone other than the owners)

Let’s look at our previous directory listing:

drwxrwxr-x 2 apache web2 4096 Feb 29 08:38 error
-rw-rw-r-- 1 apache web2 1208 Feb 29 08:38 index.html

Starting with the first character of the first column, here’s what it means:

  • the first character indicates if this is a file (-) or a directory (d)
  • characters 2, 3 and 4: these are the permissions for the user owning the file
  • characters 5, 6 and 7: these are the permissions for the group owning the file
  • characters 8, 9 and 10: these are the permissions for users other than the owners

So for the above listing, we know that the “error” directory has:

  • read, write and execute permissions set for the user and group owners
  • read and execute permissions set for others

For the above listing also, we know that the “index.html” file has:

  • read and write permissions set for the owners
  • read permission set for others

Using The Command Line To Adjust Permissions

If you have shell access, you can set file and directory permissions using the command line. This is done using the chmod command. There are two possible syntaxes:

# chmod ugo+rwx filename

or

# chmod 777 filename

The first syntax is a bit more friendly but you might have to issue several commands to set all the permissions on a file or directory. Let’s see how it works:

  • ugo : This means User, Group, Others. You can specify for which entity you want to set the permissions. This could be only one value or more. So for example if you’d like to set read / write / execute permissions for user and group owners only, you could issue chmod ug+rwx filename.
  • + or - : Specifies if you want to add or remove a permission.
  • rwx : Stands for Read, Write and eXecute. It specifies which permission you want to modify. It could be one or more permissions.

The second syntax is more difficult to remember but it’s much faster. The first number is the permission for user, the second is for group and the third is for others. Here are the possible numeric values:

  • 1 - EXECUTE 
  • 2 - WRITE
  • 3 - WRITE, EXECUTE
  • 4 - READ
  • 5 - READ, EXECUTE
  • 6 - READ, WRITE
  • 7 - READ, WRITE, EXECUTE

Let’s look at a few examples done both ways.

User and Group have full access but Others have no access:

# chmod ug+rwx filename
# chmod o-rwx filename

# chmod 770 filename

User has full access, Group and Others can read and execute. Setting these permissions recursively:

# chmod -R u+rwx filename
# chmod -R go+rx filename

# chmod -R 755 filename

You can see that the second syntax is faster than the first one.
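To connect the directory listing with the numeric syntax, here is a small shell function (an added example, not part of the original article) that converts the permission column of ls -al into the number chmod expects. The name mode_to_octal is made up for this example, and it only handles the file (-) and directory (d) types and the r, w, x permissions covered above.

```bash
# Added example: convert the permission column of `ls -al`
# (e.g. drwxrwxr-x) into the numeric form used by chmod (e.g. 775).
# mode_to_octal is a name chosen for this example.
mode_to_octal() {
    mode=$1
    # Accept only what the article covers: type - or d, then three
    # groups of r, w, x where a dash means "not set".
    case $mode in
        [-d][-r][-w][-x][-r][-w][-x][-r][-w][-x]) ;;
        *) echo "not a permission string: $mode" >&2; return 1 ;;
    esac
    perms=${mode#?}            # drop the type character
    result=""
    for who in user group others; do
        triplet=$(printf '%s' "$perms" | cut -c1-3)
        perms=${perms#???}     # move on to the next group
        digit=0
        case $triplet in r??) digit=$((digit + 4)) ;; esac   # READ
        case $triplet in ?w?) digit=$((digit + 2)) ;; esac   # WRITE
        case $triplet in ??x) digit=$((digit + 1)) ;; esac   # EXECUTE
        result=$result$digit
    done
    printf '%s\n' "$result"
}
```

Running it on the two listing lines shown earlier gives 775 for the “error” directory and 664 for index.html.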

Using FTP To Adjust Permissions

You can also use an FTP client to set permissions. Pretty much any FTP software can do this. Using Filezilla for example, you can set the permissions by right-clicking on the file or folder and selecting File Attributes.

The downside to using an FTP client is that you can’t set permissions recursively. Changing the permission on a folder will not affect its content whatsoever.

Keep It Secure!

Sometimes it’s too easy to give all permissions to everyone to make things work. Unfortunately this is a big security hole and you’re putting your web server at risk. It’s always better to set the lowest level of permission possible.

Some script installers will require you to set the permissions to 777 while the application is being installed. Don’t forget to set the permissions back to their original state if possible.
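One way to make “back to their original state” reliable is to record the permissions before loosening them and restore them afterwards. The functions below are an added example, not part of the original article; their names are made up, and they assume GNU stat (stat -c) and file names without newlines.

```bash
# Added example: record permissions before a temporary chmod 777 and
# restore them afterwards. Function names are chosen for this example.
# Assumes GNU stat (stat -c) and file names without newlines.

# save_modes DIR SNAPSHOT: write "mode path" for every entry under DIR.
# Symbolic links are skipped because chmod acts on their target.
save_modes() {
    find "$1" ! -type l -exec stat -c '%a %n' {} + > "$2"
}

# restore_modes SNAPSHOT: set each recorded path back to its saved mode.
# Files created after the snapshot are not listed and stay untouched.
restore_modes() {
    while read -r mode path; do
        if [ -e "$path" ]; then
            chmod "$mode" "$path"
        fi
    done < "$1"
}

# list_world_writable DIR: print every entry that "others" can write to,
# i.e. whose last digit is 2, 3, 6 or 7.
list_world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Typical use (paths are placeholders):
#   save_modes /path/to/site /path/to/site.modes
#   ... run the installer that asks for 777 ...
#   restore_modes /path/to/site.modes
#   list_world_writable /path/to/site
```

Anything list_world_writable still prints after the restore is either a file the installer created with loose permissions or something that was already writable by everyone before you started.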
