Checking Linux file permissions with ls

Once you understand Linux file permissions, the next step on the road to enlightenment is learning how to check the permissions for a file or directory.


Checking permissions

If you've been through the previous article in this series you'll have an idea of what file permissions are. Before we talk about how to actually change file permissions we'll want to look into how we can see what permissions are set on a file to begin with. To do this we'll use the "ls" command.

ls

A really thorough look at ls and what you can do with it will make a good subject for another article someday. For now, let's focus on the basics of how to use ls, and what it can tell us about a file's type and permissions.

First of all, "ls" (the first letter is a lowercase L) is the command you'll use to see what files are in a directory. It's a handy command, and you've probably used it before. When run by itself, ls will get a listing of the current working directory (essentially, the directory you are "in"). You can also tell the ls command what directory to get a listing of.

A listing of the first few files in /etc on a Gentoo system might look like:

$ ls /etc
DIR_COLORS            gentoo-release      man.conf            runlevels
adjtime               gpm                 mime.types          sandbox.conf
apache2               group               mke2fs.conf         sandbox.d
bash                  group-              modprobe.d          scsi_id.config
ca-certificates       host.conf           modules.autoload.d  securetty
ca-certificates.conf  hosts               modprobe.d          scsi_id.config
...

Of course, you'll eventually want to know more about the files than just their names. Their permissions, for example.

ls -l

If you want more information about files in a directory, use the "-l" flag with ls to get a long listing.

$ ls -l /etc
total 492
-rw-r--r-- 1 root root  4468 Nov 19  2009 DIR_COLORS
-rw-r--r-- 1 root root    10 Jun 30 03:29 adjtime
drwxr-xr-x 4 root root  4096 Jun 30 03:44 apache2
drwxr-xr-x 2 root root  4096 Nov 19  2009 bash
drwxr-xr-x 3 root root  4096 Nov 19  2009 ca-certificates
-rw-r--r-- 1 root root  5955 Nov 19  2009 ca-certificates.conf
drwxr-xr-x 2 root root  4096 Jul  5 20:37 conf.d
drwxr-xr-x 2 root root  4096 Dec  3  2009 cron.d
drwxr-x--- 2 root root  4096 Dec  3  2009 cron.daily
-rw-r--r-- 1 root root   220 Dec  3  2009 cron.deny
drwxr-x--- 2 root root  4096 Dec  3  2009 cron.hourly
drwxr-x--- 2 root root  4096 Dec  3  2009 cron.monthly
drwxr-x--- 2 root root  4096 Dec  3  2009 cron.weekly
-rw-r--r-- 1 root root   611 Dec  3  2009 crontab
...

If you look way over on the right, you may recognize the file names from the previous example. If you look at the stuff before the names, that's where the file details are. We'll be concerning ourselves with those bunches of letters and dashes on the left, and the columns that both have "root" in them.

But before going into details about those, one more of the (many) options that can be sent to ls...

ls -la

One thing to know about ls is that it doesn't normally want to show you everything. If you want to see any files that start with a period, you'll need to pass it the -a option. For example, let's look at a directory listing for root's home directory on a clean Linux install:

$ ls /root

The nothingness that follows the command isn't an accident - that's what ls returns. Nothing. There are no files in /root. Or...are there?

$ ls -a /root
.  ..  .bash_history  .bashrc  .profile  .viminfo

That feeling of betrayal you're feeling is normal, but we shouldn't judge ls too harshly. Files that start with a period are usually system files and application settings files, and you usually don't want them cluttering up your directory listings anyway. But it's important to know that they're there, and how to see them. That ".bashrc" file is especially useful to know about, since there are a bunch of user environment settings you can change in there.

If you combine "-l" and "-a" into "-la" you can get all the details of those hidden files:

$ ls -la /root
total 24
drwxr-xr-x  2 root root 4096 2009-12-16 01:10 .
drwxr-xr-x 23 root root 4096 2010-02-18 10:14 ..
-rw-------  1 root root  123 2010-01-21 15:49 .bash_history
-rw-r--r--  1 root root 2227 2007-10-20 11:51 .bashrc
-rw-r--r--  1 root root  141 2007-10-20 11:51 .profile
-rw-------  1 root root  868 2009-12-16 00:47 .viminfo

Let us briefly pause to consider the "." and ".." in both directory listings. They show up because "-a" is very thorough and leaves nothing out. The "." refers to the directory itself. You can type "cd ." and you'll change directory right back into where you were to start with. It's pretty convenient when you're running a command and you want it to refer to your current directory (like when you want to copy a file there).

The ".." refers to the parent directory. If you type "cd .." you'll wind up in the directory above the one you're in, in the filesystem hierarchy. In this case, we're in /root, so "cd .." would take us into "/", the very top of the hierarchy.

drwxr-x--- wha?!?

Now we'll look at that first mess of letters and dashes in more detail. We'll start with the letter or dash in the first slot.

The first bit

In the examples above, the first character in each long listing was either a "d" or a "-".

When you see a "-" in the first slot, that means the file it's referring to is a regular file. That's the sort that you'll usually work with when you're saving some text or running a command.

A "d" in the first slot means the file is a directory. Remember how, in the previous article, I said that directories are basically a special kind of file? This is another place where that knowledge comes in handy. It makes it easier to think of that first slot in the full directory listing as the "file type".

Another type: the symlink

Speaking of the file type, there's one other special file type you'll run into frequently (and some others you'll see less frequently, but we'll save those for the last article). You can see it here:

lrwxrwxrwx 1 root root      4 Jun 30 03:29 sh -> bash

The "l" (lowercase L) stands for "link", and refers to something more properly called a "symlink", sometimes called a "soft link".

A symlink (as we shall refer to it henceforth) is a pointer to another location in the filesystem. You can see that over on the right - there's a name ("sh"), followed by an arrow of sorts, and it ends with another name ("bash"). In this case, the link is named "sh" and it points to a file named "bash". This means that if you call /bin/sh (in a script, for example), you will actually run /bin/bash.

A symlink doesn't have to point to something in the same directory, either:

lrwxrwxrwx 1 root root     20 Jun 30 03:29 pgawk -> /usr/bin/pgawk-3.1.6
lrwxrwxrwx 1 root root     16 Jun 30 03:29 pidof -> ../sbin/killall5

In those examples you can see a symlink using an absolute path to reference its target, and another one using a relative path.

Briefly, to make your own symlink you can use "ln -s", as in:

ln -s target link

That command would create a symlink named "link" that points to the file or directory named "target".

The next three bits

Now we're getting into the permissions. The next three letters in a file listing cover the "user" category of permissions. Consider:

drwxrwxr-x 2 root mail 4096 Dec  3  2009 mail

After the "d" that tells us that "www" is a directory, you'll see "rwx". These are abbreviations that hearken back to the types of permissions we can set:

r refers to the "read" permission

w refers to the "write" permission

x refers to the "execute" permission

So as you can see, the owner of the file ("user") has all three permissions — read, write, and execute.

The second trio of bits

The next trio is also "rwx". This triplet is for the "group" category, and the letters mean the same thing as they did for "user". So for this directory, the group has as many permissions as the owner.

The third trio of bits

The last trio in this example is "r-x". That set is for the final category, "other", and in this case, "other" does not have write permission for the directory. So:

- refers to a lack of permission

Notice that there's a specific order to the permissions in a triplet: read, then write, then execute. If there's a dash in place of a letter for a permission slot, it means that category doesn't have that permission.

To sum up what we have so far:

The first character in the directory listing refers to the file type.

The next three characters refer to the user permissions.

The next three characters refer to the group permissions.

The final three characters in that block refer to the other permissions.

That first number

After the permissions, there's a number. Ignore it, it's in the way. Someone else can tell you what that number means, it's not important for this topic. Just move on. That number is dead to me.

Owner and group

Next you'll see two names - in the above example, "root" and "mail".

The first name is the name of the owner of the file. The "user" permissions will apply to that user when it attempts to access the directory, in this case the user "root".

The second name is the file's group. The "group" permissions will apply to any user (that is not the file owner) in the same group as the file. In this case, those permissions would apply to anyone in the "mail" group.

The other stuff

The rest of it will have to wait for another day, since we're just looking at file types and permissions here. You can see a date, and there's a column for size, but we won't go into more detail than that.

Summary

Being able to check the permissions on a file is a good first step, and useful too. This is where troubleshooting can start — making sure a user can read a particular file, for example, or examining a directory structure to make sure users can work their way down the hierarchy to the files they need.

In the next article we'll look at how to change the permissions on files and directories using the "chmod" command.

  • -- Jered

Article Comments:

Ghiath commented Wed Jan 23 22:18:52 UTC 2013:

thank you!

Want to comment?


(not made public)

(optional)

(use plain text or Markdown syntax)