Manage File and Directory Permissions in Linux

Introduction

In this lab, you will learn the fundamental skills for managing file and directory permissions in a Linux environment. You will begin by setting up a dedicated workspace, creating a new directory and a sample file to serve as the basis for the exercises. This hands-on approach will allow you to practice controlling access to data using essential command-line tools.

Throughout the lab, you will use the chown command to change file ownership and the chmod command to modify read, write, and execute permissions for different users and groups. You will apply these concepts first to an individual file and then learn how these permissions uniquely affect directory access. By the end, you will be able to effectively secure files and manage user access on a Linux system.

Prepare the Workspace and Create a File

In this step, you will begin by setting up a dedicated workspace for this lab. Organizing files into specific directories is a fundamental practice in Linux for maintaining a clean and manageable file system. You will create a directory and then a new file within it, which will serve as the subject for the permission management exercises in the following steps.

First, let's create a new directory named RandD (for Research and Design) inside your current working directory, ~/project. The mkdir command is used to create new directories.

Execute the following command in your terminal:

mkdir RandD

Next, navigate into the newly created RandD directory. The cd (change directory) command allows you to move between directories in the file system.

cd RandD

Your terminal prompt should now reflect that you are inside the ~/project/RandD directory.

Now, let's create an empty file that will represent a design document. The touch command is a simple way to create a new, empty file. If the file already exists, touch updates its modification timestamp without changing its content.

Create a new file named design_doc.odt:

touch design_doc.odt

To confirm that the file has been created and to inspect its default properties, use the ls -l command. This command lists the contents of the current directory in a long format, providing detailed information such as permissions, owner, group, size, and modification date.

ls -l

You should see output similar to the following. Notice that by default, the new file is owned by your user account (labex) and your primary group (labex). The permission string -rw-rw-r-- will be explained in detail in the upcoming steps.

total 0
-rw-rw-r-- 1 labex labex 0 Jun 26 10:36 design_doc.odt

You have now successfully prepared the workspace and created the target file for this lab. In the next steps, you will learn how to modify its ownership and permissions.

Change File Ownership with the chown Command

In this step, you will learn how to change the ownership of a file. In Linux, every file and directory is assigned an owner (a specific user) and a group. This ownership is a cornerstone of the Linux security model, as it helps determine who has the right to read, write, and execute files. The command used to change ownership is chown.

Our scenario requires the design_doc.odt file to be managed by a new user, student1, and a new collaborative group, research. Since this user and group do not exist yet, you must create them first.

Make sure you are still in the ~/project/RandD directory. If you are not, use the cd ~/project/RandD command to navigate there.

First, create the research group using the groupadd command. This is a system-level operation that requires administrative privileges, so you must use sudo.

sudo groupadd research

Next, create the student1 user with the useradd command. The -m flag is used to create a home directory for the new user, which is a standard practice. This also requires sudo.

sudo useradd -m student1

Now that the student1 user and research group exist, you can change the ownership of the design_doc.odt file. The syntax for chown is chown user:group filename. You need sudo to execute this command because you are assigning the file to another user.

sudo chown student1:research design_doc.odt

To verify that the ownership has been updated, use the ls -l command again.

ls -l

The output will now show student1 as the user owner and research as the group owner.

total 0
-rw-rw-r-- 1 student1 research 0 Jun 26 10:36 design_doc.odt

Compare this with the previous output. The third and fourth columns have changed from labex labex to student1 research, confirming your command was successful. You have now transferred the ownership of the design document.

Modify File Permissions with the chmod Command

In this step, you will learn to control who can read, write, or execute a file using the chmod (change mode) command. File permissions are a fundamental aspect of the Linux security model. You will practice removing permissions for "others" to make the document more secure.

First, ensure you are in the ~/project/RandD directory. Let's re-examine the current permissions of design_doc.odt with ls -l.

ls -l
-rw-rw-r-- 1 student1 research 0 Jun 26 10:36 design_doc.odt

The string -rw-rw-r-- represents the file's permissions. The first character is the file type (- for a regular file); the remaining nine are divided into three sets of three characters for the user (owner), the group, and others (everyone else).

  • rw-: The owner, student1, has read and write permissions.
  • rw-: The group, research, already has read and write permissions.
  • r--: Others have only read permission.

As you can see, the research group already has write access to this document, which allows for collaboration. However, to ensure the document remains confidential, you should remove all permissions for "others". You can achieve this using chmod with octal (numeric) notation, which is a common and efficient method.

Let's verify the current permissions once more:

ls -l

The output confirms the current permissions:

-rw-rw-r-- 1 student1 research 0 Jun 26 10:36 design_doc.odt

Here's how octal permissions work:

  • r (read) = 4
  • w (write) = 2
  • x (execute) = 1

You sum the numbers for the desired permissions for each category (user, group, other).

  • User: read (4) + write (2) = 6
  • Group: read (4) + write (2) = 6
  • Other: no permissions = 0

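The resulting permission code is 660. Because the file is now owned by student1 rather than your labex account, only its owner or root can change its mode, so apply the change with sudo.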

sudo chmod 660 design_doc.odt

Finally, verify the permissions one last time.

ls -l

The output confirms that "others" now have no permissions (---), securing the document.

-rw-rw---- 1 student1 research 0 Jun 26 10:36 design_doc.odt

You have successfully modified the file's permissions to allow group collaboration while restricting access from others.

Control Directory Access Permissions

In this final step, you will secure the entire RandD directory. Just like files, directories have permissions that control access. However, the meaning of read, write, and execute permissions is different for directories.

  • r (read): Allows a user to list the contents of the directory (i.e., see the names of the files and subdirectories inside).
  • w (write): Allows a user to create, delete, and rename files within the directory, provided the user also has execute permission on it. This permission is powerful, as it allows modification of the directory's contents regardless of the permissions on the files themselves.
  • x (execute): Allows a user to enter the directory (e.g., using cd) and access files or subdirectories within it. Without execute permission, you cannot access any items inside the directory, even if you have read permission.

First, navigate up to the parent directory, ~/project, so you can operate on the RandD directory itself.

cd ..

Now, let's inspect the current ownership and permissions of the RandD directory using the ls -ld command. The -d flag is crucial here; it tells ls to list information about the directory itself, not its contents.

ls -ld RandD

The initial output will look something like this:

drwxrwxr-x 2 labex labex 28 Jun 26 10:36 RandD

This shows that the owner (labex) has full access (rwx), the group (labex) also has full access (rwx), and others can only read and enter the directory (r-x). To make this a proper collaborative folder for the research team, you should first change the group ownership of the directory to research.

sudo chown :research RandD

Next, you'll set the permissions to give both the owner (labex) and the group (research) full control, while completely removing access for others. The desired permission is rwxrwx---, which translates to the octal code 770. As the owner of the directory, you can change its permissions without using sudo.

chmod 770 RandD

Finally, let's verify the changes.

ls -ld RandD

The output should now reflect the new ownership and permissions, securing the directory for your team.

drwxrwx--- 2 labex research 28 Jun 26 10:36 RandD

Both the user labex and any members of the research group now have full read, write, and execute permissions on the RandD directory, while all other users have no access. You have successfully configured a secure collaborative space.
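The check behind these permission strings, as an added example that is not part of the original lab: exactly one triplet (owner, then group, then other) applies to a subject, and reading a file also requires execute permission on its directory. The function names effective_bits and can_read and the numeric IDs are hypothetical; the script assumes GNU stat, no ACLs, and a subject other than root.

```shell
#!/bin/sh
# Added example (not from the lab): the owner/group/other decision, modelled in shell.
# Assumptions: GNU stat, no ACLs, and the subject is not root (root bypasses these checks).

# effective_bits UID "GID ..." PATH -> prints the rwx digit (0-7) that applies to the subject.
# The body is a subshell, so its variables stay local.
effective_bits() (
    uid=$1; gids=$2
    info=$(stat -c '%a %u %g' -- "$3") || exit 2
    set -- $info                  # $1 = octal mode, $2 = owner UID, $3 = group GID
    mode=$(( 0$1 & 0777 ))        # ignore setuid/setgid/sticky bits
    shift_by=0                    # default: the "other" triplet
    if [ "$uid" -eq "$2" ]; then
        shift_by=6                # owner triplet applies, even if the group grants more
    else
        for g in $gids; do
            if [ "$g" -eq "$3" ]; then shift_by=3; fi    # group triplet applies
        done
    fi
    echo $(( (mode >> shift_by) & 7 ))
)

# can_read UID "GID ..." DIR FILE -> succeeds only if DIR grants x and DIR/FILE grants r.
can_read() (
    d=$(effective_bits "$1" "$2" "$3") || exit 2
    f=$(effective_bits "$1" "$2" "$3/$4") || exit 2
    [ $(( d & 1 )) -ne 0 ] && [ $(( f & 4 )) -ne 0 ]
)

# Constructed demo: rebuild the lab's final modes in a temp dir owned by the current user
# (in the lab the directory belongs to labex and the file to student1).
ws=$(mktemp -d); mkdir "$ws/RandD"; touch "$ws/RandD/design_doc.odt"
chmod 770 "$ws/RandD"; chmod 660 "$ws/RandD/design_doc.odt"
own=$(stat -c %u "$ws/RandD"); grp=$(stat -c %g "$ws/RandD")
# Hypothetical subjects: the owner, a group member, and an outsider (IDs are made up).
for subject in "$own:$grp" "$((own + 1)):$grp" "$((own + 1)):$((grp + 1))"; do
    if can_read "${subject%%:*}" "${subject##*:}" "$ws/RandD" design_doc.odt
    then echo "uid:gid $subject -> can read design_doc.odt"
    else echo "uid:gid $subject -> denied"
    fi
done
rm -rf "$ws"
```

In the lab itself, student1 was created without being added to research, so on RandD that account falls into the "other" class and cannot reach design_doc.odt despite owning it. Adding the account to the group (for example with sudo usermod -aG research student1) closes that gap.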

Summary

In this lab, you learned the fundamental steps for preparing a workspace in a Linux environment. This involved creating a new directory using the mkdir command, navigating into it with cd, and creating an empty file with touch. You also practiced using the ls -l command to inspect the detailed properties of the newly created file, observing its default owner, group, and permission settings, which laid the groundwork for the subsequent management tasks.

Building on this foundation, you explored the core concepts of Linux file system security. The lab demonstrated how to change the ownership of a file using the chown command, transferring control to a different user or group. You then learned to modify the read, write, and execute permissions for the owner, group, and others using the chmod command. Finally, the lab covered how to apply these permission concepts specifically to directories to control access to the files contained within them.