
Understanding *NIX Permissions

(Greg) #1

I have seen a number of posts and problems that seem to be permissions related, so I thought I would write a quick FAQ on *NIX permissions.

Let’s look at a typical directory listing (# ls -al o*)

[root@srv-a etc]# ls -al o*
-rw-r--r-- 1 asterisk asterisk  181 Mar 16  2015 odbc.ini
-rw-r--r-- 1 root     root      209 Jan 30  2014 odbc.ini.freepbx-template
-rw-r--r-- 1 root     root      326 Mar 16  2015 odbcinst.ini
-rw-r--r-- 1 root     root      127 Jan 30  2014 odbcinst.ini.freepbx-template

total 24
drwxr-xr-x   3 root root  4096 Mar 22  2017 .
drwxr-xr-x 104 root root 12288 Jul 31 03:32 ..
drwxr-xr-x   2 root root  4096 Mar 22  2017 certs
-rw-r--r--   1 root root   282 Mar 16  2015 ldap.conf

Each line gives information about the file.
The first column (in this case either d or -) indicates whether it is a directory or a file (or in some cases l (the letter L) for a link).
Then you have three sets of letters… r w and x.
r means “Read”, w means “write”, and x means “eXecute”.
There are three sets of them. The first set is for the OWNER of the file. The second set is for the GROUP that the file belongs to, and the third set is “Everyone else”
So… let’s look at the last line for “ldap.conf”
The first column is a - , so it is a file.
The OWNER of the file has read and write permissions.
The GROUP the file belongs to has read permissions only.
Everyone else has read permissions only.
The “1” after the permissions refers to the number of LINKS to that file.
The first “root” is the owner of the file.
The second “root” is the group that the file belongs to.
The next column is the size of the file, then the date of the file, and finally the name of the file.

So, if I had a file that was:
-rwxrwxr-- 1 root asterisk 4095 May 19 2017
… the owner and anybody belonging to the group “asterisk” could read, write, and execute the file, but anybody else could only read it (not change it or execute it).

Now that you have a basic understanding of how to read the directory structure and permissions, the next question becomes “Well, how do I change those?”

As root (or using sudo) to change the owner of a file you use the chown (change owner) command like this:
# chown greg
… now the entry would look like this:
-rwxrwxr-- 1 greg asterisk 4095 May 19 2017
… to change the GROUP membership of a file, you would use the chgrp command
# chgrp users
-rwxrwxr-- 1 root users 4095 May 19 2017

*** POWER TIP ***
You can use chown to change both the OWNER and the GROUP at the same time, by separating the two with a colon:
# chown asterisk:asterisk

-rwxrwxr-- 1 asterisk  asterisk  4095  May 19 2017

So, that’s fine and dandy you say… (and will probably solve 90% of your permissions problems right there, by fixing the owner and the group of any asterisk files that are being weird) but what about that whole rwx bit (you ask)?

Well, I’m old school… and so I do it the old way (yes, I know there are other ways, but this way will work on ANY *nix system…)

This requires just a bit of math though. Binary, to be exact, and a command called chmod (change mode)
Here’s how it works… each rwx gets represented as a binary number… so r has a value of 4, w has a value of 2, and x has a value of 1. To come up with the rwx, add the ones you want turned on TOGETHER.
For example, if I want the OWNER to have read and write (but not execute), the GROUP to have read and write (but not execute) and everyone else to be read only, I’d add them together like this:
read (4) + write (2) = 6
read (4) + write (2) = 6
Read (4) = 4
then execute my chmod, using “Owner, Group, Other” order…
chmod 664 somefilename.txt

That would give me rw-rw-r--

So, let’s say that I wanted the owner to have full control, the group to be able to execute and read, and everyone else not to have any permissions? Math again…
read (4) + write (2) + execute (1) = 7
read (4) + execute (1) = 5
No permissions (0) = 0

chmod 750 somefilename.txt

That would give me rwxr-x---

And there you have it! Everything you need to know about permissions on your *nix system.
Oh… and it works the same on DIRECTORIES (Folders) as well.

One more power tip… USE WITH CAUTION however…
You can use wildcards on chmod, chown and chgrp…
chown asterisk:asterisk *

And you can even use recursion and wildcards…
chown -R asterisk:asterisk /etc/asterisk/* (this will change ALL files to have the owner of asterisk and the group of asterisk for the entire /etc/asterisk folder AND all subfolders… power indeed!)

… be sure that is what you want to do. You can lock even yourself out of things if you’re not careful.

That’s all for this tutorial! If you have questions or feedback, please feel free to reach out!
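
An added example, not part of the post above: a POSIX shell sketch that applies the r=4, w=2, x=1 arithmetic to the permission column of an ls -l line, plus a read-only preview of which paths a recursive chown would touch. The function names sym_to_octal and preview_chown are made up for this illustration.

```shell
#!/bin/sh
# Added illustration; sym_to_octal and preview_chown are hypothetical helper names.

# sym_to_octal MODESTRING
# Turns the first column of `ls -l` (e.g. -rwxrwxr--) into the three digits
# chmod expects, in Owner, Group, Other order.
# s/t in the execute slot are counted as execute; the leading
# setuid/setgid/sticky digit itself is not computed.
sym_to_octal() {
    perms=${1#?}                      # drop the type character (-, d or l)
    out=""
    for start in 1 4 7; do            # owner, group, other triplets
        triplet=$(printf '%s' "$perms" | cut -c"$start"-"$((start + 2))")
        digit=0
        case $triplet in r??)     digit=$((digit + 4)) ;; esac   # read
        case $triplet in ?w?)     digit=$((digit + 2)) ;; esac   # write
        case $triplet in ??[xst]) digit=$((digit + 1)) ;; esac   # execute
        out="$out$digit"
    done
    printf '%s\n' "$out"
}

# preview_chown DIR OWNER GROUP
# Prints every path under DIR whose owner or group differs from OWNER/GROUP,
# i.e. exactly what `chown -R OWNER:GROUP DIR` would change. Changes nothing.
preview_chown() {
    find "$1" \( ! -user "$2" -o ! -group "$3" \) -print
}

# The listings from the post:
sym_to_octal "-rwxrwxr--"   # -> 774
sym_to_octal "-rw-r--r--"   # -> 644

# Typical use before a recursive change (needs the asterisk user to exist):
#   preview_chown /etc/asterisk asterisk asterisk
```

If preview_chown prints more paths than expected, or paths outside the tree you meant to touch, stop before running the real chown -R.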
