In order to use a Linux computer, the first thing you need to do is log in. If you don't see a login screen when your Pi boots up, you've probably been logged in automatically. Each user has their own username and password. All the files owned by a user are marked with that user's name.
All files and directories have three sets of permissions:
- permissions for the owner of the file,
- permissions for users who are in the group that owns a file,
- permissions for all other users.
In each of these sets there are three basic permissions:
- read (r),
- write (w),
- execute (x).
You can view file permissions using the ls command with the '-l' option.
$ ls -l ./subfolder/
total 8
-rw-r-xr-x 1 pi pi 33 Nov 1 14:07 anexecutablefile.sh
drwxr-xr-x 2 pi pi 4096 Nov 1 14:13 tempfolder
-rw-r--r-- 1 pi pi 10 Nov 1 14:06 textfile.txt
The first character on each line is either a 'd' for a directory, or a '-' for a file. The next three characters are the permissions for the owner of the file. The three characters after the owner's permissions are the file's group permissions, and the final three characters show the permissions for other users.
These permissions are stored with each file and directory as metadata on the SD card in your Pi. The username of a file's owner is stored with its permissions.
The chmod command
The owner's permissions for anexecutablefile.sh are 'rw-' meaning user pi can read and write this file. This file is a script, so it needs to be given executable permissions:
$ chmod +x ./subfolder/anexecutablefile.sh
Now if I list the folder contents again, the output is slightly different. This time there's an 'x' after the 'rw' characters on the line with anexecutablefile.sh:
$ ls -l ./subfolder/
total 8
-rwxr-xr-x 1 pi pi 33 Nov 1 14:07 anexecutablefile.sh
drwxr-xr-x 2 pi pi 4096 Nov 1 14:13 tempfolder
-rw-r--r-- 1 pi pi 10 Nov 1 14:06 textfile.txt
If necessary I can remove executable permission from this file using a '-' instead of a '+':
$ chmod -x ./subfolder/anexecutablefile.sh
The chmod command can be used to set several permissions at once. This command makes sure that anexecutablefile.sh has read, write and execute permissions:
$ chmod +rwx ./subfolder/anexecutablefile.sh
The permissions on all the files and subdirectories in ./subfolder can be set by using the -R option with chmod. If I wanted to remove write permissions for everything in subfolder, I could use this command:
$ chmod -w -R ./subfolder
Note, when the execute permission is applied to a directory, it just means that the users have the right to view the contents of the directory. It has no bearing on whether files in a directory can be executed. If I take away the executable permission for subfolder and run the ls command again, this time the contents of subfolder won't be displayed.
Groups and other users
Groups of users can be created when several users need access to the same set of files. By default the user pi is part of a group called pi. I can grant privileges to files that allow other users who are in group pi to access them:
$ chmod g+rwx ./subfolder/anexecutablefile.sh
Now anyone in group pi can read, write or execute this file.
By default other users can read the files in subfolder, but can't write to them. To remove the read rights for other users, I can use this command:
$ chmod o-r ./subfolder/anexecutablefile.sh
Octal is a base-8 numerical system, where the highest digit is 7. Octal numbers are often used to represent file permissions. Each octal digit can be expressed as a three-bit binary number, where the first bit represents the read permission, the second bit represents the write permission and the third bit represents the execute permission.
If a file has read and write permissions, then the first two bits would be true, and the third would be false, 110. If 110 is converted from binary to octal, its value is 6. If the executable permission were set, all three bits would be 1, so the octal value would be 7.
There are three sets of permissions (owner, group and other), so three octal digits can be used to represent all of a file's permissions. The first digit refers to the permissions for a file's owner, the second digit refers to the permissions for groups, and the third digit refers to permissions for others. The permission string -rw-r-xr-x could be represented in octal as 655.
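The conversion described above can be checked mechanically. The following is an added example, not part of the original page: perm_to_octal and octal_to_perm are hypothetical helper names, and the script only handles the plain r, w and x characters covered here.

```sh
#!/bin/sh
# Added example (not from the original page). perm_to_octal and
# octal_to_perm are hypothetical helper names.

# Convert an `ls -l` mode string such as -rw-r-xr-x to three octal digits.
perm_to_octal() {
    mode=$1
    case $mode in
        [d-][r-][w-][x-][r-][w-][x-][r-][w-][x-]) ;;
        *) echo "unsupported mode string: $mode" >&2; return 1 ;;
    esac
    bits=${mode#?}                 # drop the type character ('d' or '-')
    out=""
    while [ -n "$bits" ]; do
        rest=${bits#???}
        triplet=${bits%"$rest"}    # next set: owner, then group, then other
        digit=0
        case $triplet in r??) digit=$((digit + 4)) ;; esac   # read    = 100
        case $triplet in ?w?) digit=$((digit + 2)) ;; esac   # write   = 010
        case $triplet in ??x) digit=$((digit + 1)) ;; esac   # execute = 001
        out=$out$digit
        bits=$rest
    done
    printf '%s\n' "$out"
}

# Convert three octal digits such as 744 back to rwxr--r--.
octal_to_perm() {
    digits=$1
    case $digits in
        [0-7][0-7][0-7]) ;;
        *) echo "expected three octal digits: $digits" >&2; return 1 ;;
    esac
    out=""
    while [ -n "$digits" ]; do
        rest=${digits#?}
        d=${digits%"$rest"}
        if [ $((d & 4)) -ne 0 ]; then out=${out}r; else out=${out}-; fi
        if [ $((d & 2)) -ne 0 ]; then out=${out}w; else out=${out}-; fi
        if [ $((d & 1)) -ne 0 ]; then out=${out}x; else out=${out}-; fi
        digits=$rest
    done
    printf '%s\n' "$out"
}

# Mode strings taken from the listings on this page.
for m in -rw-r-xr-x -rwxr-xr-x drwxr-xr-x -rw-r--r--; do
    printf '%s -> %s\n' "$m" "$(perm_to_octal "$m")"
done
```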
If I wanted to use the octal notation to set executable permission of my script, I could use this command:
$ chmod 744 ./subfolder/anexecutablefile.sh
I can remove executable permission using this command:
$ chmod 644 ./subfolder/anexecutablefile.sh
I rarely use the octal notation as I prefer the symbolic notation described above. I find it easier to control specific permissions without changing other permissions unintentionally.
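The difference between the two notations shows up when the commands from this page are replayed in order. The script below is an added example, not part of the original page: final_mode is a hypothetical helper that works on a scratch file in a temporary directory, and a umask of 022 is assumed. After the symbolic commands, chmod 744 rewrites all nine bits, which drops the group's write and execute permissions and gives other users back the read permission that o-r removed, while u+x leaves the group and other sets alone.

```sh
#!/bin/sh
# Added example (not from the original page). final_mode is a hypothetical
# helper: it creates a scratch file with the given starting mode, applies
# each chmod mode argument in order, and prints the resulting mode string.
final_mode() (
    umask 022                          # assumed umask; limits a bare "+x" or "+rwx"
    start=$1; shift
    dir=$(mktemp -d) || exit 1
    f=$dir/anexecutablefile.sh
    : > "$f"
    chmod "$start" "$f" || { rm -rf "$dir"; exit 1; }
    for m in "$@"; do
        chmod "$m" "$f" || { rm -rf "$dir"; exit 1; }
    done
    mode=$(ls -ld "$f" | cut -c1-10)   # keep only the type and permission characters
    rm -rf "$dir"
    printf '%s\n' "$mode"
)

# 655 is the starting mode of anexecutablefile.sh in the page's first listing.
printf 'after +x, g+rwx, o-r:      %s\n' "$(final_mode 655 +x g+rwx o-r)"
printf 'then octal chmod 744:      %s\n' "$(final_mode 655 +x g+rwx o-r 744)"
printf 'or symbolic chmod u+x:     %s\n' "$(final_mode 655 +x g+rwx o-r u+x)"

# With no u/g/o prefix, chmod skips bits that are set in the umask, so
# "+rwx" on a 644 file adds write for the owner only.
printf 'chmod +rwx on a 644 file:  %s\n' "$(final_mode 644 +rwx)"
```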
There is a user account called root. This user account has more privileges than other users, and is often used for system administration. The root user's home directory is /root.
Any user can assume root privileges with the sudo command. For example, if I log in as pi and try to edit files in /etc, I won't be allowed to because user pi doesn't have the necessary permissions to edit files owned by root. This command will open a file in the nano text editor:
$ nano /etc/resolv.conf
The problem is that if I make changes, I won't be able to save them. User pi has enough permission to read this file, but not enough permission to write to it. If I use the sudo command to open a text editor, then I have root's permissions and I can save changes to the file:
$ sudo nano /etc/resolv.conf
It's important to be careful when using sudo as it's possible to accidentally lose important information or break configuration settings. It's best to back up configuration files before you edit them.