Understanding Linux Permissions on Your Raspberry Pi
In Linux, you can do three things to a file or folder: You can read it, you can change it, or you can run it as code.
These three permissions are called read, write, and execute. As you can maybe guess, you can set them separately for every file. For example, you can make a file read-only by turning off the write and execute permissions. Now you can’t edit the file, and you can’t run it as an app.
Why would you make a file read-only? For safety. Sometimes you want to protect a file so that you can’t edit it.
Execute doesn’t mean take it outside and shoot it. It means run it as code. No one knows why it’s called execute and not run. At least it starts with a different letter than the other two options, so there’s that.
In fact, Linux has three different permission settings for every file and folder:
The owner of the file gets one set of permissions. Usually this set gives the owner permission to do anything with the files.
The file’s group gets another set. This set allows the file to be shared within a group.
Everyone else gets yet another set. This set allows some files to be private, while others can be shared with everyone.
These different permission settings may seem super-complicated. Permissions were really designed for big computers with lots of users. On a big computer, it’s useful to be able to hide some files from everyone else, to share others, and to make a few completely open.
On a computer like the Raspberry Pi, permissions make extra work for you. You’re probably the only user, so it makes sense to be able to do anything to any file, doesn’t it?
Not quite. In Linux, apps are users, too. You can use permissions to make sure that apps can’t read or change files they don’t need to.
Permissions get to be a big deal if you put your Pi on the Internet as a web server because they give you some security from hackers.
Permissions also help keep you safe from mistakes because it’s harder to delete important files by accident.
To check permissions on the desktop, open a Terminal window to show a command prompt. Then type the following command and press Enter:
You see a list of files, with some extra letters at the left of the list. The following figure has an example. (You probably won’t see the same files or the same permissions.)
The string of letters and dashes at the left of each item is a list of the permissions. They look like a row of ten letters:
If you see a letter, the permissions allow you to do that thing. If you see a dash, they don’t.
Most files have a lot of dashes, so you may see something like this:
That row of letters isn’t very easy to read, is it? It’s like a code. But it’s not a complicated code, and it’s not very hard to understand it.
The first d is short for directory, which is another word for folder. If you see a d, it means that file is a folder/directory, and you can use the cd command to move inside and check whether it has any files.
The d isn’t like the other letters. In fact, it’s not really a permission. You can’t change it. It appears in the row of letters because it’s useful, but there was nowhere else to put it.
The next rwx is — you can maybe guess — the read, write, and execute permissions for the file.
Here’s an example:
rw-
In English, the code means read: yes; write: yes; and execute: nope.
rwx — with dashes, if they’re needed — appears three times on each row because there are three different sets of permissions.
In order, the first set of three lists permissions for the file owner.
The next set lists permissions for the file group.
And the last set lists permissions for everyone else — which means all the other users on the same computer.
Say that you want to work out what the following row of permissions means:
drwxrw-r--
You have to split it up into sets of three in your head, like this:
d rwx rw- r--
Then you can read the code for each set.
This is a folder/directory (d).
The file owner can read, write/edit, and execute (first three: rwx).
The group can read and write/edit only (second three: rw-).
Everyone else can only read the file (last three: r--).
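The same split-into-threes reading can be done by a short Python program. This is an added example, not code from the original article; the function names decode, row_for, and others_can_write are made up for illustration, and it also checks a real file to see whether everyone else is allowed to change it.

```python
import os
import stat
import tempfile

TYPES = {"d": "directory", "-": "regular file", "l": "symbolic link"}
NAMES = ("read", "write", "execute")


def decode(row):
    """Split a ten-character row such as 'drwxrw-r--' into its parts."""
    if len(row) != 10:
        raise ValueError("expected ten characters, got %r" % row)
    result = {"type": TYPES.get(row[0], "other")}
    for who, start in (("owner", 1), ("group", 4), ("others", 7)):
        chunk = row[start:start + 3]
        # A dash means off. Lowercase s or t in the last slot still means
        # execute is on; uppercase S or T means it is off.
        result[who] = [n for n, ch in zip(NAMES, chunk) if ch in "rwxst"]
    return result


def row_for(path):
    """Build the ten-character row for a real file from its mode bits."""
    return stat.filemode(os.lstat(path).st_mode)


def others_can_write(path):
    """True when everyone else on the computer may change the file."""
    return "write" in decode(row_for(path))["others"]


if __name__ == "__main__":
    print(decode("drwxrw-r--"))  # the row worked through above
    # Constructed sample file: owner rwx, group rw-, everyone else r--
    with tempfile.NamedTemporaryFile() as f:
        os.chmod(f.name, 0o764)
        print(row_for(f.name), others_can_write(f.name))
        os.chmod(f.name, 0o766)  # now everyone else can write too
        print(row_for(f.name), others_can_write(f.name))
```

A file that others_can_write reports as True is one that any user or app on the Pi can change, which is worth checking before you put the Pi on the Internet.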