3.4.1. Access rights: Linux's first line of defense
The Linux security model is based on the one used on UNIX
systems, and is as rigid as the UNIX security model (and sometimes
even more), which is already quite robust. On a Linux system, every
file is owned by a user and a group user. There is also a third
category of users, those that are not the user owner and don't
belong to the group owning the file. For each category of users,
read, write and execute permissions can be granted or denied.
We already used the long option to list files using the
ls -l command,
though for other reasons. This command also displays file
permissions for these three user categories; they are indicated by
the nine characters that follow the first character, which is the
file type indicator at the beginning of the file properties line.
As seen in the examples below, the first three characters in this
series of nine display access rights for the actual user that owns
the file. The next three are for the group owner of the file, the
last three for other users. The permissions are always in the same
order: read, write, execute for the user, the group and the others.
marise:~> ls -l To_Do
-rw-rw-r-- 1 marise users 5 Jan 15 12:39 To_Do
marise:~> ls -l /bin/ls
-rwxr-xr-x 1 root root 45948 Aug 9 15:01 /bin/ls*
The first file is a regular file (first dash). Users with user
name marise or users belonging to the group users
can read and write (change/move/delete) the file, but they can't
execute it (second and third dash). All other users are only
allowed to read this file, but they can't write or execute it
(fourth and fifth dash).
The second example is an executable file, the difference:
everybody can run this program, but you need to be root to
The Info pages explain how the ls command
handles display of access rights in detail, see the section
What information is listed.
For easy use with commands, both access rights or modes and user
groups have a code. See the tables below.
Table 3-7. Access mode codes
|0 or -
||The access right that is supposed
to be on this place is not granted.
|4 or r
||read access is granted to the user
category defined in this place
|2 or w
||write permission is granted to the
user category defined in this place
|1 or x
||execute permission is granted to
the user category defined in this place
Table 3-8. User group codes
||permissions for others
This straight forward scheme is applied very strictly, which
allows a high level of security even without network security.
Among other functions, the security scheme takes care of user
access to programs, it can serve files on a need-to-know basis and
protect sensitive data such as home directories and system
You should know what your user name is. If you don't, it can be
displayed using the id command, which also
displays the default group you belong to and eventually other
groups of which you are a member:
uid=504(tilly) gid=504(tilly) groups=504(tilly),100(users),2051(org)
Your user name is also stored in the environment variable
tilly:~> echo $USER