{"id":269,"date":"2015-10-21T07:38:30","date_gmt":"2015-10-21T15:38:30","guid":{"rendered":"https:\/\/cloudinsidr.com\/content\/?p=269"},"modified":"2015-12-26T08:37:10","modified_gmt":"2015-12-26T16:37:10","slug":"understanding-and-settingchanging-access-privileges-on-unixlinux-files-and-directories-mode-bits-and-alternative-access-methods-explained","status":"publish","type":"post","link":"https:\/\/www.cloudinsidr.com\/content\/understanding-and-settingchanging-access-privileges-on-unixlinux-files-and-directories-mode-bits-and-alternative-access-methods-explained\/","title":{"rendered":"Understanding and Setting\/Changing Access Privileges on Unix\/Linux Files and Directories: Mode Bits\/Permissions and Alternative Access Methods Explained"},"content":{"rendered":"<p>Mode bits in Linux\/Unix have been puzzling newbies to no end:<\/p>\n<pre class=\"font-size:14 width:520 lang:sh decode:true\">-rwxrwxrwx. 1 owner group 420 Dec 21 12:46 .bash_history<\/pre>\n<p>The first mode bit designates the type of the item; the following nine mode bits indicate access permissions on the\u00a0item with respect to the <span style=\"color: #ff0000;\"><strong>owner<\/strong><\/span>, the <strong><span style=\"color: #00ff00;\">group<\/span><\/strong>\u00a0and <strong><span style=\"color: #3366ff;\">all other users<\/span><\/strong>.<\/p>\n<h3>Special file designator<\/h3>\n<p>The first character field\u00a0is a <strong>special file designator<\/strong>. 
It can\u00a0indicate that an item is:<\/p>\n<ul>\n<li>a directory (d);<\/li>\n<li>a symlink or symbolic link (l);<\/li>\n<li>a Unix socket (s);<\/li>\n<li>a block device (b);<\/li>\n<li>a named pipe (p) such as initctl;<\/li>\n<li>a character device (c);<\/li>\n<li>a &#8220;door&#8221; (D); rarely used, but nonetheless supported.<\/li>\n<\/ul>\n<p>For lack of a\u00a0letter, a leading\u00a0&#8216;<strong>&#8211;<\/strong>&#8216; in place of a special file designator\u00a0indicates that the\u00a0item in question is a regular file.<\/p>\n<h3>Permissions (file mode) bits<\/h3>\n<p>Each consecutive three characters within the nine permissions bits represent privileges that may be assigned to the <span style=\"color: #ff0000;\"><strong>owner<\/strong><\/span> of an item (the first three characters after the special file designator), the\u00a0<span style=\"color: #00ff00;\"><strong>group<\/strong><\/span>\u00a0(the next three characters), and\/or\u00a0<span style=\"color: #3366ff;\"><strong>everyone else<\/strong><\/span>\u00a0(the next three characters). 
Unix\/Linux supports the following permissions:<\/p>\n<ul>\n<li>read (<strong>r<\/strong>): read a file&#8217;s contents, or list the names in a directory;<\/li>\n<li>write (<strong>w<\/strong>): change a file&#8217;s contents, or create, delete and rename entries in a directory (which, for a directory, also requires <strong>x<\/strong>);<\/li>\n<li>execute (<strong>x<\/strong>): run a file, or enter and search a directory, i.e. reach the entries inside it by name. Listing a directory needs <strong>r<\/strong>; using anything inside it needs <strong>x<\/strong>;<\/li>\n<li>in the execute position of the owner&#8217;s triad, <strong>s<\/strong> means the set-user-ID bit is set together with execute; in the execute position of the group&#8217;s triad it means the set-group-ID bit is set together with execute;<\/li>\n<li>a capital <strong>S<\/strong> in either position means the set-ID bit is set but the corresponding execute bit is not (on a file this is almost always a mistake, since a set-ID bit has no effect without execute).<\/li>\n<\/ul>\n<p>The three classes are checked in order and only the first matching class applies: the owner is judged by the owner triad alone, a group member who is not the owner by the group triad alone, and everyone else by the last triad. The owner of a file with mode <strong>----rwxrwx<\/strong> therefore cannot read it (until they chmod it) even though everyone else can.<\/p>\n<p>For example the following notation:<\/p>\n<pre class=\"\">-rw-r----- someuser somegroup filename<\/pre>\n<p class=\"\">translates as follows:<\/p>\n<ul>\n<li class=\"\">the item is a regular file (-),<\/li>\n<li class=\"\">the user &#8216;someuser&#8217; has <strong>read<\/strong> and <strong>write<\/strong> permissions (<strong>rw-<\/strong>) on it,<\/li>\n<li class=\"\">the group somegroup has only <strong>read<\/strong> permissions (<strong>r--<\/strong>) on it, and<\/li>\n<li class=\"\">everyone else can <strong>neither read nor write nor execute<\/strong> the file (<strong>---<\/strong>).<\/li>\n<\/ul>\n<h4>Setting read, write, and execute permissions for the owner, group, and everyone else<\/h4>\n<p class=\"\">Unix permissions can be expressed numerically as powers of two, one octal digit per class:<\/p>\n<ul>\n<li class=\"\"><strong>r<\/strong> equals <strong>4<\/strong> (2^2; the lack of this privilege is represented by a <strong>0<\/strong>),<\/li>\n<li class=\"\"><strong>w<\/strong> equals <b>2<\/b>\u00a0(2^1; the lack of this privilege is represented by a <strong>0<\/strong>),<\/li>\n<li class=\"\"><strong>x<\/strong> equals <strong>1<\/strong> (2^0; the lack of this privilege is represented by a <strong>0<\/strong>).<\/li>\n<\/ul>\n<p>Because each permission has its own bit, the sum is unambiguous: every value from 0 to 7 corresponds to exactly one combination, and no combination is left undefined. 
It&#8217;s as clear cut as it gets.<\/p>\n<figure id=\"attachment_409\" aria-describedby=\"caption-attachment-409\" style=\"width: 660px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/cloudinsidr.com\/content\/wp-content\/uploads\/2015\/10\/rwx_421_gray.png\" rel=\"attachment wp-att-405\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-409 size-large\" src=\"https:\/\/cloudinsidr.com\/content\/wp-content\/uploads\/2015\/10\/rwx_421_gray-803x1024.png\" alt=\"Unix\/GNU Linux permissions\/mode bits: read, write, execute (in grayscale)\" width=\"660\" height=\"842\" srcset=\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2015\/10\/rwx_421_gray-803x1024.png 803w, https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2015\/10\/rwx_421_gray-600x765.png 600w, https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2015\/10\/rwx_421_gray-235x300.png 235w, https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2015\/10\/rwx_421_gray-768x980.png 768w, https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2015\/10\/rwx_421_gray.png 1890w\" sizes=\"(max-width: 660px) 100vw, 660px\" \/><\/a><figcaption id=\"caption-attachment-409\" class=\"wp-caption-text\">Unix\/GNU Linux permissions\/mode bits: read, write, execute<\/figcaption><\/figure>\n<p class=\"\">To arrive at a numerical value for permissions that affect an entity class such as the owner, the group or everyone else\u00a0(meaning all users that neither belong to the group nor own the object), all you have to do is sum up the permissions that represent privileges of this\u00a0entity class (the owner&#8217;s, the group&#8217;s, and everyone else&#8217;s permissions, one single digit for each class).<\/p>\n<p class=\"\">If an entity class such as the owner, the\u00a0group or &#8216;everyone else&#8217; has <strong>read<\/strong> (4), <strong>write<\/strong> (2), and <strong>execute<\/strong> (1) permissions, these equal <strong>7<\/strong> (4+2+1=7).<\/p>\n<p 
class=\"\">Likewise, if an entity class such as the owner, the\u00a0group or &#8216;everyone else&#8217; can <strong>read<\/strong>\u00a0(4) and <strong>execute<\/strong>\u00a0(1) a file but <strong>not write<\/strong>\u00a0(0) to it, the permissions equal\u00a0<strong>5<\/strong> (4+0+1=5).<\/p>\n<p class=\"\">If an entity class such as the owner, the\u00a0group or &#8216;everyone else&#8217; has\u00a0<strong>read<\/strong>\u00a0(4) permissions only, these permissions are represented by the digit\u00a0<strong>4<\/strong> (4+0+0=4).<\/p>\n<p class=\"\">This is how you can change privileges on a file in a way that only grants its owner read, write, and execute permissions (the digits are octal: owner first, then group, then everyone else):<\/p>\n<pre class=\"\">chmod 700 filename\nls -l filename\n-rwx------ owner group filename<\/pre>\n<p class=\"\">The set-user-ID, set-group-ID and sticky bits occupy a fourth, leading digit with the values 4, 2 and 1 respectively: 4755 is a set-user-ID executable with mode 755, 2775 a set-group-ID directory with mode 775, and 1777 a world-writable sticky directory such as \/tmp. Set-user-ID and set-group-ID executables run with the owner&#8217;s or group&#8217;s privileges no matter who invokes them; they are a classic privilege-escalation surface, and every one present on a system should be known and justified.<\/p>\n<h3>Inheritance<\/h3>\n<p>When a new file is created, its owner is the effective user ID of the creating process and its group is normally the process&#8217;s effective (primary) group, not the group of the directory it lands in. However, there are exceptions to the rule.<\/p>\n<h4>SGID<\/h4>\n<p>If you\u00a0want new files to inherit the group of their parent directory instead, enable the SGID\u00a0(set-group-ID) bit on that\u00a0directory with chmod g+s, or with a leading 2 in the octal mode. Files created inside it then belong to the directory&#8217;s group, and subdirectories created inside it inherit both the group and the SGID bit, which is what makes shared project directories work.<\/p>\n<h4>Sticky bit<\/h4>\n<p>In addition to the above, a directory can be marked with the sticky bit (mode 1000, chmod +t). In a sticky directory a file or subdirectory can be deleted or renamed only by its owner, by the directory&#8217;s owner, or by root, even when the directory itself is world-writable; \/tmp relies on this. On regular files the sticky bit is ignored by Linux. It is displayed in one of two ways:<\/p>\n<ul>\n<li>sticky bit on an object without execute or search permission for everyone else (T);<\/li>\n<li>sticky bit on an object that is executable or searchable by everyone else (t).<\/li>\n<\/ul>\n<p>In each case, the sticky bit appears in place of the last one of the three mode bits\u00a0that denote permissions for &#8220;everyone else&#8221;.<\/p>\n<h3>Alternate access method designator<\/h3>\n<p>Following the file mode bits is <strong>a single character<\/strong> that <strong>specifies an alternate access method<\/strong> such as an access control list. 
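<\/p>
<p>The whole first field of an ls -l line, that is the type character, the nine permission characters including s\/S and t\/T, and the trailing alternate-access indicator, can be decoded mechanically, and the octal form can be turned back into the symbolic one. The bash script below does both and reads the mode of a real path through ls -ld. It is an added example for this article, not code from the original post; the function names, the constructed sample fields and the choice of ls -ld over stat are this example&#8217;s own.<\/p>

```bash
#!/usr/bin/env bash
# Decode and encode the mode field printed by `ls -l`.
# Added example for this article; not code from the original post.
# Function names and sample strings below are this example's own choices.

# Symbolic mode field (e.g. "-rwsr-xr-x", "drwxrwxrwt", "-rw-r--r--+")
# -> four-digit octal mode ("4755", "1777", "0644").
# The type character is validated but not encoded; a trailing '.' or '+'
# (GNU ls alternate-access indicator) or '@' (BSD/macOS xattr) is ignored.
# Returns 1 for anything that is not a well-formed mode field.
mode_to_octal() {
    local sym=${1%[.+@]} special=0 digits='' i c val
    local re='^[-dlspbcD]([-r][-w][-xsS])([-r][-w][-xsS])([-r][-w][-xtT])$'
    [[ $sym =~ $re ]] || return 1
    local triads=("${BASH_REMATCH[1]}" "${BASH_REMATCH[2]}" "${BASH_REMATCH[3]}")
    local special_weights=(4 2 1)        # setuid, setgid, sticky
    for i in 0 1 2; do
        val=0
        [[ ${triads[i]:0:1} == r ]] && (( val += 4 ))
        [[ ${triads[i]:1:1} == w ]] && (( val += 2 ))
        c=${triads[i]:2:1}
        case $c in
            x)   (( val += 1 )) ;;
            s|t) (( val += 1 )); (( special += special_weights[i] )) ;;
            S|T) (( special += special_weights[i] )) ;;   # set-ID/sticky without execute
        esac
        digits+=$val
    done
    printf '%d%s\n' "$special" "$digits"
}

# Octal mode (3 or 4 digits, e.g. "640", "2775") -> nine permission characters
# ("rw-r-----", "rwxrwsr-x"); capital S/T where a set-ID or sticky bit is set
# without the matching execute bit. Returns 1 for a malformed mode.
octal_to_mode() {
    local oct=$1 special perms out='' i d c
    local re='^[0-7]{3,4}$'
    [[ $oct =~ $re ]] || return 1
    (( ${#oct} == 3 )) && oct="0$oct"
    special=${oct:0:1} perms=${oct:1}
    local special_weights=(4 2 1) special_letters=(s s t)
    for i in 0 1 2; do
        d=${perms:i:1}
        (( d & 4 )) && out+=r || out+=-
        (( d & 2 )) && out+=w || out+=-
        if (( special & special_weights[i] )); then
            c=${special_letters[i]}
            (( d & 1 )) || c=${c^^}       # no execute bit: upper-case S or T
            out+=$c
        else
            (( d & 1 )) && out+=x || out+=-
        fi
    done
    printf '%s\n' "$out"
}

# Classify GNU ls's alternate-access indicator, the character after the ten
# mode characters: '' (none), '.' (SELinux context only), '+' (ACL or other).
alt_access() {
    case ${1:10} in
        '')  echo none ;;
        .)   echo selinux-only ;;
        +)   echo acl-or-other ;;
        *)   return 1 ;;
    esac
}

# Octal mode of a real path, read from the first field of `ls -ld` so that it
# works with GNU, BSD and busybox ls alike (stat's format flags differ).
mode_of_path() {
    local field rest
    read -r field rest < <(ls -ld -- "$1") || return 1
    mode_to_octal "$field"
}

# Demonstration on constructed sample fields (not real files) and on /tmp.
for sample in '-rw-r-----' '-rwsr-xr-x' 'drwxrwsr-x.' 'drwxrwxrwt' '-rwSr--r--+'; do
    printf '%-12s octal=%s alt=%s\n' "$sample" \
        "$(mode_to_octal "$sample")" "$(alt_access "$sample")"
done
if [ -d /tmp ]; then
    printf '%-12s octal=%s\n' /tmp "$(mode_of_path /tmp)"
fi
```

<p>Run as a script it prints the decoded samples and the mode of \/tmp (normally 1777); sourced, the functions can be used on their own, for example to flag every listing whose field ends in &#8216;+&#8217; for a getfacl follow-up, since for such files the nine mode bits alone do not tell you who has access.<\/p>
<p>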
When the character following the file mode bits is a <strong>space<\/strong>, there is no alternate access method. When it is a printing character, such a method is in effect.<\/p>\n<p>GNU &#8216;ls&#8217; uses a dot (&#8216;<strong>.<\/strong>&#8216;) to mark a file that has an <strong>SELinux security context and\u00a0no other alternate access method<\/strong>. A file with <strong>any other combination of alternate access methods<\/strong> (typically a POSIX ACL) is marked with a &#8216;<strong>+<\/strong>&#8216; character. A &#8216;+&#8217; means the nine mode bits are no longer the whole story: an ACL can grant access to users and groups that the mode bits do not show, and once an ACL with a mask entry exists, the group triad printed by &#8216;ls&#8217; represents the ACL mask rather than the owning group&#8217;s permissions. Read the ACL before concluding who can access such a file.<\/p>\n<p>To read out the ACL, use:<\/p>\n<pre class=\"width:520 lang:sh decode:true\">getfacl<\/pre>\n<p>for example like this (the first command shows the dot that indicates an SELinux context only; the second dumps the ACL of the current directory):<\/p>\n<pre class=\"lang:sh decode:true \">$ ls -l authorized_keys\n-rw-------. 1 centos centos 586 Oct 21 15:03 authorized_keys\n$ getfacl .\n# file: .\n# owner: centos\n# group: centos\nuser::rwx\ngroup::---\nother::---<\/pre>\n<p>The SELinux context itself is shown by &#8216;ls -Z&#8217;.<\/p>\n<p>Tip: to give a temporary directory the SELinux type of \/tmp, relabel it with<\/p>\n<pre class=\"\">chcon -t tmp_t temp<\/pre>\n<p>Note that &#8216;chcon&#8217; only changes the label stored on disk: a later relabel (restorecon, or a full filesystem relabel) resets it to whatever the policy&#8217;s file context rules say, so a label that has to persist must be recorded with &#8216;semanage fcontext&#8217; first.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Mode bits in Linux\/Unix have been puzzling newbies to no end: -rwxrwxrwx. 1 owner group 420 Dec 21 12:46 .bash_history The first mode bit designates the type of the item; the following nine mode bits indicate access permissions on the\u00a0item with respect to the owner, the group\u00a0and all other users. 
Special file designator The first [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":405,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[16,17,33],"tags":[69,25,70,71,72],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v14.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Understanding and Setting\/Changing Access Privileges on Unix\/Linux Files and Directories: Mode Bits\/Permissions and Alternative Access Methods Explained - CloudInsidr<\/title>\n<meta name=\"robots\" content=\"index, follow\" \/>\n<meta name=\"googlebot\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta name=\"bingbot\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.cloudinsidr.com\/content\/understanding-and-settingchanging-access-privileges-on-unixlinux-files-and-directories-mode-bits-and-alternative-access-methods-explained\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Understanding and Setting\/Changing Access Privileges on Unix\/Linux Files and Directories: Mode Bits\/Permissions and Alternative Access Methods Explained - CloudInsidr\" \/>\n<meta property=\"og:description\" content=\"Mode bits in Linux\/Unix have been puzzling newbies to no end: -rwxrwxrwx. 1 owner group 420 Dec 21 12:46 .bash_history The first mode bit designates the type of the item; the following nine mode bits indicate access permissions on the\u00a0item with respect to the owner, the group\u00a0and all other users. 
Special file designator The first [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.cloudinsidr.com\/content\/understanding-and-settingchanging-access-privileges-on-unixlinux-files-and-directories-mode-bits-and-alternative-access-methods-explained\/\" \/>\n<meta property=\"og:site_name\" content=\"CloudInsidr\" \/>\n<meta property=\"article:published_time\" content=\"2015-10-21T15:38:30+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2015-12-26T16:37:10+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2015\/10\/rwx_421-e1451041754567.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1681\" \/>\n\t<meta property=\"og:image:height\" content=\"1008\" \/>\n<meta name=\"twitter:card\" content=\"summary\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#website\",\"url\":\"https:\/\/www.cloudinsidr.com\/content\/\",\"name\":\"CloudInsidr\",\"description\":\"Cyber security, infotech\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":\"https:\/\/www.cloudinsidr.com\/content\/?s={search_term_string}\",\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/understanding-and-settingchanging-access-privileges-on-unixlinux-files-and-directories-mode-bits-and-alternative-access-methods-explained\/#primaryimage\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2015\/10\/rwx_421-e1451041754567.jpg\",\"width\":1681,\"height\":1008,\"caption\":\"Unix\/GNU Linux permissions\/mode bits: read, write, 
execute\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/understanding-and-settingchanging-access-privileges-on-unixlinux-files-and-directories-mode-bits-and-alternative-access-methods-explained\/#webpage\",\"url\":\"https:\/\/www.cloudinsidr.com\/content\/understanding-and-settingchanging-access-privileges-on-unixlinux-files-and-directories-mode-bits-and-alternative-access-methods-explained\/\",\"name\":\"Understanding and Setting\/Changing Access Privileges on Unix\/Linux Files and Directories: Mode Bits\/Permissions and Alternative Access Methods Explained - CloudInsidr\",\"isPartOf\":{\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/understanding-and-settingchanging-access-privileges-on-unixlinux-files-and-directories-mode-bits-and-alternative-access-methods-explained\/#primaryimage\"},\"datePublished\":\"2015-10-21T15:38:30+00:00\",\"dateModified\":\"2015-12-26T16:37:10+00:00\",\"author\":{\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#\/schema\/person\/dd6ee9cb21cf05763fd7cff3d6f11b2b\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.cloudinsidr.com\/content\/understanding-and-settingchanging-access-privileges-on-unixlinux-files-and-directories-mode-bits-and-alternative-access-methods-explained\/\"]}]},{\"@type\":[\"Person\"],\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#\/schema\/person\/dd6ee9cb21cf05763fd7cff3d6f11b2b\",\"name\":\"Cloud Insidr\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/8b2fa1415b3d573b97d818b8f8f83b7c?s=96&d=mm&r=g\",\"caption\":\"Cloud Insidr\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts\/269"}],"collection":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/comments?post=269"}],"version-history":[{"count":19,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts\/269\/revisions"}],"predecessor-version":[{"id":472,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts\/269\/revisions\/472"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/media\/405"}],"wp:attachment":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/media?parent=269"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/categories?post=269"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/tags?post=269"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}