The role of permissions and files is much clearer in Linux when compared to Windows. Most people find it easier to understand compared to the complex system of groups and users that we find in Windows’ concept of permissions. For example, each file in a Linux-based operating system has three sets of permissions – the first being the permissions of the owner, the second being for a specific group of users, and the last group’s permissions are responsible for the rest of the system.
The levels of access to reading, writing, and executing are then described with a scale, ranging from 1 to 7. A value of ‘1’ allows for execution of the file, ‘2’ allows writing access, and ‘4’ allows the file to be read. To combine several permissions, you just add the numbers together. For example, if you want read and write access for a file, but no access to executing this file, the value to set for permissions would be 2 + 4, which is 6.
In this tutorial, we’ll see how to create a file in such a way that only the owner has full permissions over it. We’ll also see what happens when another user tries to read or modify that file. Finally, we’ll look at the role of “sudo” users who take on the root role for themselves, and how we can implement ironclad file security by hiding contents even from root if necessary.
Creating a File with “Owner Only” Permissions
Let’s say we have a file whose contents we want to have hidden from everyone else. In essence, others would be able to see that the file exists, and that’s about it. We don’t want them to see what’s inside it, or be able to modify it in any way. We do this using the following command:
chmod 700 test.txt
test.txt is the name of the file that I want to protect. Once we run this command, the file turns “green” when you list it in a command like “ls”, and it displays the new file permissions with the “ls -l” command, like this:
Here, you can see the file permissions are restricted only to the first group – the owner – who has “rwx”, or read, write, and execute permissions. And the third column of “ls -l” is the owner name, which in this case is “root”.
For convenience sake, we’ve created this file in the home directory of another user called “testuser”. Here’s what happens when we log in as the new user and try and read the contents of test.txt:
As you can see, testuser is denied the ability to access the file in any way. Any other user who tries to open this file will get the same error message. In this way, you can ensure that your important files are kept hidden from other users.
Allowing Others to ONLY Read the File
Perhaps there’s an important document or set of rules that you want others to be able to read, but not modify. We can achieve this using the following command:
chmod 744 test.txt
Here, “744” instead of “700” gives everyone else the permission to read the file, but nothing else. Here you can see that “testuser” is able to access the contents of the file after it has been assigned its “744” permissions:
However, if they then try and modify the file using a file editor, like “vi”, they get the warning you expect as shown here:
Use this variant of the
chmod command when you need others to see the file, but not modify it in any way.
Root or “Sudo” Users Still Have Access
Unfortunately, file permissions don’t apply to root or sudo users. For this example, I’ve added “testuser” to the sudoers file so they can use execute root commands using sudo. And when they do this, they can access the protected file as shown here:
There’s no way around this using file permissions. Root, and users belonging to the “wheel” group can simply use “sudo” to get around these restrictions. Of course, it’s good practice to be wise with the capabilities you give your users – handing out sudo permissions to everyone is not a good idea. Since this is common practice, well-configured Linux systems shouldn’t have this problem.
True File Security – Even from Root
Ultimately, the only way to hide your files from everyone – including root users – is to use passphrase-based encryption. No other method can hide your information with 100% security from everyone, including the root and sudo users!
Of course, you don’t have to do any of this if you use one of our Outsourced Server Support Services, in which case you can simply ask our expert Linux admins to set up your file permissions for you. Just sit back, relax, and let our admins take care of the issue for you. They are available 24×7 to help you with your requests.
PS. If you liked this post on denying file permissions to everyone except yourself, please share it with your friends on the social networks by using the share shortcut buttons, or simply leave a comment in the comments section below. Thanks.