Remember the order: rwx.

Each of these three permissions is granted or denied to users in three different communities:

user (u)

The user who owns the file. Initially, this is the user who created the file; it may be changed by the superuser (root).

group (g)

All members of the group that owns the file. Normally, this starts off as the group of the user who created the file. A file's owner may change the group ownership to any group to which she belongs; e.g., if Jane owns the file foo and is a member of the audit and toronto groups, she can make either group own the file.

other (o)

Everyone else.

The order is significant here, too; you'll want to memorize it: ugo.

This gives a total of nine permissions for each file and directory:

• read, write, and execute for the user

• read, write, and execute for the group

• read, write, and execute for other

There are also three special file permissions, as outlined in Table 4-13.

Table 4-13. Special file permissions

Set-User-ID (abbreviation: SUID)
    Appearance in ls -l output: s in the x column for the user if execute permission is enabled, or S if execute permission is disabled.
    Meaning when applied to a file: When executed, the program takes on the user identity of the file's owner.
    Meaning when applied to a directory: (No meaning)

Set-Group-ID (abbreviation: SGID)
    Appearance in ls -l output: s in the x column for the group if execute permission is enabled, or S if execute permission is disabled.
    Meaning when applied to a file: When executed, the program takes on the group identity of the file's group.
    Meaning when applied to a directory: All files and subdirectories created in the directory will be owned by the same group that owns the directory. Subdirectories will automatically have their SGID permission enabled.

Sticky bit (abbreviation: Sticky)
    Appearance in ls -l output: t in the x column for other if execute permission is enabled, or T if execute permission is disabled.
    Meaning when applied to a file: (No meaning)
    Meaning when applied to a directory: Files in the directory can be deleted or removed only by their owner (otherwise, anyone with write permission on the directory can delete or rename files in that directory).

The SUID and SGID permissions provide critical abilities. For example, /etc/passwd and /etc/shadow are only writable by root, but normal users need to be able to change their passwords. The program /usr/bin/passwd is owned by root and has the SUID permission enabled, so it runs with root privilege, regardless of who executes it, and is therefore able to change /etc/shadow.

4.8.1.1. Viewing the current user, group, and mode from the command line

When ls is executed with the -l option, a long and detailed listing of file information is displayed. Here is an example:

$ ls -l /etc/aliases.db
-rw-r----- 1 root smmsp 12288 Oct 6 19:31 aliases.db

The first field displayed is -rw-r-----. The first character is reserved for file type information, and the rest of that field contains the file's mode: rw-r-----.

This mode breaks down into three sets of three characters, representing the permissions granted to each of the three communities:

• user: rw-

• group: r--

• other: ---

Notice that these communities are displayed in the ugo order mentioned earlier.

The three characters displayed for each of these communities represent read, write, and execute permission; if the permission is denied, a dash is shown, but if the permission is granted, the letter r, w, or x is shown, in that order (rwx).

In the preceding example, the permissions granted to the user are read and write (rw-); the permission granted to the group is read (r--); and no permission is granted to other users (---).

In order to correctly interpret the permission, we need to know who the user and group are. The ls -l output shows this information in fields 3 and 4; in this case, the user is root and the group is smmsp.

Putting this all together, we know that:

• root can read and write the file.
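The decoding rules above (the rwx triplets in ugo order, plus the s/S and t/T conventions from Table 4-13) can be written down as a small parser. This is an added example, not code from the book; the sample mode fields it decodes are constructed, and the meanings it reports are taken from Table 4-13 and depend on whether the object is a file or a directory.

```python
COMMUNITIES = ("user", "group", "other")   # the u g o order
FILE_TYPES = {"-": "file", "d": "directory", "l": "symlink"}

def parse_mode(field):
    """Decode the first field of `ls -l` output, e.g. '-rwsr-xr-x'.

    Returns the file type, the read/write/execute bits granted to user,
    group and other, and whether SUID, SGID and the sticky bit are set.
    """
    if len(field) != 10:
        raise ValueError("expected a 10-character mode field, got %r" % field)
    result = {"type": FILE_TYPES.get(field[0], field[0]),
              "suid": False, "sgid": False, "sticky": False}
    for i, community in enumerate(COMMUNITIES):
        r, w, x = field[1 + 3 * i:4 + 3 * i]   # one rwx triplet per community
        perms = {"read": r == "r", "write": w == "w"}
        # The special bits share the x column: lowercase (s/t) means execute is
        # also enabled, uppercase (S/T) means the special bit is set but execute is not.
        if x in "sS" and community != "other":
            result["suid" if community == "user" else "sgid"] = True
            perms["execute"] = x == "s"
        elif x in "tT" and community == "other":
            result["sticky"] = True
            perms["execute"] = x == "t"
        elif x in "x-":
            perms["execute"] = x == "x"
        else:
            raise ValueError("unexpected %r in the x column for %s" % (x, community))
        result[community] = perms
    return result

def special_bit_meanings(parsed):
    """Spell out what the set special bits do for this object, following Table 4-13."""
    is_dir = parsed["type"] == "directory"
    notes = []
    if parsed["suid"] and not is_dir:          # SUID has no meaning on a directory
        notes.append("runs with the user identity of the file's owner")
    if parsed["sgid"]:
        notes.append("new files and subdirectories inherit the directory's group"
                     if is_dir else "runs with the group identity of the file's group")
    if parsed["sticky"] and is_dir:            # sticky has no meaning on a file
        notes.append("files inside can be deleted or renamed only by their owner")
    return notes

if __name__ == "__main__":
    # Constructed sample fields: the page's aliases.db, a SUID program such as
    # passwd, an SGID shared directory, and a sticky world-writable directory.
    for field in ("-rw-r-----", "-rwsr-xr-x", "drwxrwsr-x", "drwxrwxrwt"):
        p = parse_mode(field)
        print(field, p["type"], {c: p[c] for c in COMMUNITIES}, special_bit_meanings(p))
```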
