Folder permissions - Linux Nitty Gritty: Working at the Ubuntu Command-Line Prompt (2011)

Folder permissions

Folders are a little different from files when it comes to permissions.

In order to understand how permissions apply to folders, it helps if you realize that, on a technical level, they’re simply small files containing a listing of the files or subfolders the folder contains, along with some technical information. Commands that list or modify the contents of folders actually access or modify this small file.

Execute permission

When applied to a folder, the execute permission has nothing to do with running programs. Instead, the execute permission controls who can access or modify the small folder file.

In real-world terms, this means that if the execute permission for a folder isn’t set, the contents of the folder are inaccessible.

Unless the execute permission is set for a folder, the user will not be able to do any of the following:

* View a listing of files in the folder (with caveats—see later);

* Create, modify or delete files in the folder;

* Switch into the folder by double-clicking its icon using Nautilus, or using the cd command.

If a user attempts any of these actions, and the execute permission isn’t set, she will see a “Permission denied” error message.

As with files, execute permissions can be set for the folder owner, the group it’s assigned to, and others.

Read/write permissions

Although the execute permission controls access to the folder, permissions for reading and writing can be set separately. However, neither has any relevance unless the execute permission is also set.

Read permission: By setting the read permission of a folder, it’s possible to control who can view a listing of the files/folders there. If a user tries to view a file listing, and the read permission isn’t set, he’ll see a “Permission denied” error.

Write permission: By setting the write permission, it’s possible to control who can create, delete or rename files/folders within a folder. If the folder’s write permission isn’t set, and a user attempts to create, delete or rename a file/folder, he’ll see an error.

As with files, separate read and write permissions can be set for the owner of the folder, the group it’s assigned to, and others.

Folder permissions in more depth

It isn’t entirely true to say that users won’t be able to view the listing of a folder unless the execute permission is set. If the read permission for a folder is set, but not the execute permission, users will be able to view a short file listing using the ls command, but the long listing command option (i.e. ls -l myfolder) won’t work. The reason is technical: a short listing only needs the file names stored in the folder, whereas a long listing also needs the details of each file (size, owner, permissions), and looking those up requires the execute permission.

NOTE In a Nautilus file-browsing window, if the read permission is set, but not the execute permission, the user will be able to access the folder but it will appear to be empty.

If all of this is giving you a migraine, don’t worry. For most users, folder permissions boil down to the following day-to-day rules:

Read only: To limit a user to viewing a listing of files in a folder, ensure the read and execute permissions are set, but not the write permission;

Write permission: To let a user create or delete files in a folder, ensure the read, write and execute permissions are set (note: it’s possible for a folder to be set to “write-only” if the read permission isn’t also set—users will be able to save files there, but not view a file listing);

Deny access: To deny complete access to a folder for a user, unset all permissions—read, write, and execute.

Any other combination of folder permissions can lead to confusion.
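
The combinations described above can be tested directly. The following script is an added example, not part of the book; the function name probe and the names folder, note.txt and new.txt are made up for the demonstration.

```shell
#!/bin/sh
# Added example: test what each set of folder permissions really allows.
# Run it as an ordinary user: root bypasses these permission checks.
# probe, folder, note.txt and new.txt are made-up names for this demo.

# probe MODE -> prints "list=.. long=.. known=.. create=.." (yes or no each)
probe() {
    d=$(mktemp -d) || return 1
    mkdir "$d/folder"
    echo "hello" > "$d/folder/note.txt"
    chmod "$1" "$d/folder"          # owner bits are the ones that apply to us

    # Short listing (ls): only reads the names stored in the folder.
    if ls "$d/folder" >/dev/null 2>&1; then list=yes; else list=no; fi
    # Long listing (ls -l): must also look up each file's details.
    if ls -l "$d/folder" >/dev/null 2>&1; then long=yes; else long=no; fi
    # Reading a file whose name we already know.
    if cat "$d/folder/note.txt" >/dev/null 2>&1; then known=yes; else known=no; fi
    # Creating a new file in the folder.
    if touch "$d/folder/new.txt" 2>/dev/null; then create=yes; else create=no; fi

    chmod 700 "$d/folder"           # restore access so cleanup works
    rm -rf "$d"
    echo "list=$list long=$long known=$known create=$create"
}

# Owner permissions: rwx, r-x, r--, -wx, --x, ---
for mode in 700 500 400 300 100 000; do
    printf '%s  %s\n' "$mode" "$(probe "$mode")"
done
```

The 400 (r--) row shows the caveat from the text: the short listing works but the long listing does not. The 300 (-wx) row is the “write-only” folder, where files can be created but not listed.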

What permissions look like

Within a command-line file listing, permissions are indicated by r, for read, w, for write, and x, for execute. For all files and folders, the permissions are listed in a line: owner first, followed by group, and then others. See Figure 5-1 for an annotated example.

Permissions, ownerships and group assignments can be viewed by using the -l command option with the ls command. Give it a try by listing the permissions of files and folders in your home folder:

ls -l ~

Here’s what I see on my test system:

total 28
drwxr-xr-x 2 keir keir 4096 2008-10-24 10:07 Desktop
drwxr-xr-x 2 keir keir 4096 2008-10-24 10:07 Documents
lrwxrwxrwx 1 keir keir 26 2008-10-24 09:51 Examples -> /usr/share/example-content
drwxr-xr-x 2 keir keir 4096 2008-10-24 10:07 Music
drwxr-xr-x 2 keir keir 4096 2008-10-24 10:07 Pictures
drwxr-xr-x 2 keir keir 4096 2008-10-24 10:07 Public
drwxr-xr-x 2 keir keir 4096 2008-10-24 10:07 Templates
drwxr-xr-x 2 keir keir 4096 2008-10-24 10:07 Videos

Let’s take a closer look at the first in the list—the Desktop folder. The permissions, ownership and group assignment are listed at the beginning of the line and read as follows:

drwxr-xr-x 2 keir keir

The d at the beginning simply indicates this is a directory—another word for a folder. If a hyphen appears there instead then we’re dealing with a file. There are a handful of other letters that can appear here, but the main one you’ll encounter is l, which indicates a link.

Figure 5-1. File/folder permissions.

Following this are the three sets of permissions, listed one after the other: rwxr-xr-x. After that is a link number, which isn’t relevant to this discussion and can be ignored. Then the owner’s username is listed (in this case, keir), and then the group the file is assigned to (the group is also called keir).

NOTE Under Ubuntu each user is assigned to their own personal group, which is named after their username. This policy effectively means that group permissions are irrelevant for personal files unless you were specifically to add another user to your personal group. However, it’s still important you understand the concept of groups and how it applies to file/folder permissions.

Here are the permissions separated out into sets of three relating to owner, group and others:

Owner: rwx
Group: r-x
Others: r-x

The owner has read (r), write (w), and execute (x) permissions. In other words, he can do anything—he has full permissions. He can view a file listing of the Desktop folder, and write new files there. He can switch to the folder by typing cd Desktop, or by browsing to it with Nautilus.

Members of the group keir have read and execute permissions, so they can view a file listing of the folder, and also switch into it. However, they can’t write any files there, or delete them, because there’s a hyphen where the w would normally appear. Quite simply, a hyphen in place of a permission means “no permission”.

Finally, other users on the system also have read and execute permissions, but not write permissions—just like with the group permissions.

Let’s take a look at another example of permissions, this time from a word processing document called report.doc:

-rw-r--r-- 1 keir keir 3024 2008-10-28 18:21 report.doc

Once again, we see that the file belongs to the user named keir, and is assigned to the group named keir.

This time the permission component of the listing starts with a hyphen, because this is a file and not a folder or link. Following this are the three groups of permissions, which again can be split out as follows:

Owner: rw-
Group: r--
Others: r--

The first permission grouping refers to the owner, and he can read and write to the file, but not execute it. That makes sense because this is a document file and not a program; nobody would want to execute it.

Next, the group permissions say that any member of the group called keir can read the file, but not write changes to it (there’s a hyphen where the w would be), or execute it.

Finally, others on the system can also read the file, but not write changes to it or execute it.

In other words, for everybody but the user named keir, the file is read-only.