Last week I had one of those real eye-opening moments where it finally dawned on me just why Windows can be so insecure. File permissions. From the Windows OS perspective, everything is executable. It doesn’t mean everything does something, but pretty much everything can be seen as an executable file. That is dangerous. Linux, on the other hand, doesn’t apply the executable bit by default. So, conversely, unless specifically given executable permission, Linux sees everything as non-executable. With that in mind, I thought I would demonstrate how to work with file permissions in Linux — but from the perspective of the GUI (since most file permission how-tos focus on the command line — and my goal is to help people migrate to the Linux desktop).
But first, a few general words on Linux file permissions.
There are really three bits the end user needs to know about, and every file on a Linux system works with them. Those bits are:
- R — read
- W — write
- X — execute
There are also three different classes of user you need to be aware of:
- Owner — the user that created the file
- Group — the group of users that have ownership of the file
- Others — all other users on the system
With that simple knowledge under your belt, let’s examine what happens when you create a file. Let’s say we’re going to use LibreOffice to create a text document in the Documents directory of user ‘jlwallen’. If we open up LibreOffice, start writing a document, and save the document in /home/jack/Documents, the file permissions are automatically set such that:
- Owner (jack) has read/write permissions
- Group (anyone in the ‘jlwallen’ group) has read/write permissions
- Others have read permission
Figure A shows how this is displayed in the Nautilus file browser.
Clearly a text file created in LibreOffice does not need to have execute permissions. But what if you were creating a bash script (using, say, Gedit)? Even still, the permissions will be the same. If that script needs to have executable permissions, what can you do? It’s quite simple actually.
Open up the Nautilus file manager, navigate to the Documents directory, right-click the file, select Properties, and click on the Permissions tab. To give that file executable permissions, you simply check the box for Execute. The one caveat is that all users get executable permissions. If you want to get more granular than that, you would have to use the command line. Of course, if you’re getting into bash scripting, you are most likely okay with the command line.
But what if you were on a multi-user system and you wanted to make sure that you were the only user on the system (outside of root, of course) that could even view the newly created file? To do that all you would do is select None from the Access drop-down for both Group and Others. If the Execute check box is still checked, the only thing Group and Others could do is execute the file — they cannot read it or edit it. If you want confirmation of that, you can open up a terminal window, change to the Documents directory, and issue the command ls -l. Figure B illustrates how the file permissions now look from the command line.
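The permission changes described above can be reproduced from a terminal so that the ls -l output is checked at each step. This is an added example, not part of the original article; the file names, the umask of 002 and the helper function names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: terminal equivalents of the Nautilus Permissions tab.
# File names and helper names are constructed for this demo.

# Show only the permission string that ls -l prints (first 10 characters).
perms() { ls -ld "$1" | cut -c1-10; }

# Create an empty file as a desktop application would, assuming umask 002,
# which yields the owner rw / group rw / others r layout from the article.
new_file() { ( umask 002; : > "$1" ); }

# "Execute" check box: per the article, every class of user gets x.
gui_execute() { chmod a+x "$1"; }

# Access drop-down set to None for Group and Others: drop their r and w,
# leaving any x bit in place.
gui_access_none() { chmod g-rw,o-rw "$1"; }

# More granular than the GUI allows: execute for the owner only.
owner_execute_only() { chmod u+x "$1"; }

walkthrough() {
    dir=$(mktemp -d) || return 1
    f="$dir/backup.sh"            # constructed script name
    new_file "$f"
    echo "created:            $(perms "$f")"
    gui_execute "$f"
    echo "Execute checked:    $(perms "$f")"
    gui_access_none "$f"
    echo "Group/Others None:  $(perms "$f")"
    g="$dir/private.sh"           # constructed script name
    new_file "$g"
    owner_execute_only "$g"
    echo "chmod u+x only:     $(perms "$g")"
    rm -rf "$dir"
}

walkthrough
```

For a shell script, an execute bit without read is not enough for Group and Others to run it, because the interpreter has to read the file; execute-only access works for compiled binaries.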
With this knowledge in hand, you could, effectively, create your new bash script using Gedit, give that script executable permission, and then launch the script — all without ever touching the command line.
This will also come in very handy when you download an installer that isn’t a .deb or .rpm file and need to run it. These files can often be in the form of .bin. In this case you must do the following:
- Open the file manager
- Navigate to where the file was downloaded
- Right-click on the file
- Select Properties
- Click on the Permissions tab
- Click on the check box for Execute
- Close the properties window
- Double-click on the installer
- Install the application
Some might say it is a bit of a hassle that these extra steps are necessary. But having the security of knowing that not just any file can be executed is worth those extra steps.
Now you have the ability to manage your file systems without having to touch the command line. No, you can’t get as granular as you can with the chmod and chown commands, but for those that aren’t ready for the terminal (or simply don’t ever want to bother with it), the file manager gives you just enough power to make those files work for you.