Linux File Permissions: A Strategic Guide for Windows Administrators

Published: 14 December 2023 - 7 min. read


Christopher Bisset


If you’ve managed Windows for some time, you probably have experience with user account management, the NTFS file system, and setting permissions. If so, prepare yourself for a different world with Linux file permissions! In Linux, the file system is a different animal you must learn to be a proficient Linux admin.

This is Part II of our four-part series on learning Linux from a Windows admin perspective! Be sure to read Part I if you haven’t already.

Working with the File System

Let’s first jump into how Linux stores and manages files via the file system.

Note: All examples will be using OpenSUSE Linux.

No More Drive Letters

Unlike Windows, removable drives and other devices don’t automatically get a drive letter and open up on reboot. In Windows, every drive gets mounted as a drive letter: C:\, D:\, etc. How do drive letters in Linux work? There are none!

In Linux, there is a folder called the root folder. This folder sits at the very top of the file system and is written simply as /. It is the leading forward slash that every other path in the system starts from. You can think of / as being like C:\, but only if every other drive letter existed as a subfolder of C:\.

The root folder is where the core system files lie. Everything else, including other devices, is a subfolder of this central folder.

Linux blurs the line between folders and filesystems. The Linux directory /home is the root of all users’ “profiles” similar to the C:\Users folder in Windows. In this case, /home is a directory. However, “directories” in Linux don’t have to actually be directories. They can also be storage partitions or even a separate hard disk altogether. This concept is analogous to Windows mount points.

You can learn more about root folders in this article.

Users and Home Folders

If you’re using OpenSUSE, you might notice a Home folder on your desktop as shown below. This folder is the Linux version of the C:\users\<username> folder or “profile”. The Linux “users” folder lives under /home on your installation disk by default.

In the example below, the user is called homelab with a “profile” located in /home/homelab.

Your own User (Home) Folder

In Linux (and Windows), the home folder (or user profile in Windows) has a shorthand notation of a tilde (~). If you see something like ~/Documents/blah.txt, it’s actually referring to your /home/<username>/Documents/blah.txt file.

Capitalization is Everything in Linux

Everything in Linux is case sensitive. This concept is the complete opposite of Windows where almost nothing is case sensitive.

For example, if you have a directory called /home/homelab, a completely different directory can be called /home/Homelab. This concept also extends to commands. Running cd /home/homelab is different from CD /home/homelab (which should fail).

As a Windows person, this concept will trip you up at some point. Be very careful about your capitalization! You can see an example of two separate folders below. The only difference between the two is capitalization. In a Windows environment, this is not possible.

Being able to create two separate folders just by capitalization is not possible on Windows

User Accounts

Like Windows, Linux has the concept of user accounts, but they behave a little differently. Start by thinking of Linux user accounts in terms of your familiar Windows user accounts.

Windows has a few built-in user accounts such as Administrator, the hidden SYSTEM account, Guest, etc. Windows also has various built-in security groups like Administrators, Guests, etc.

You can view all Windows users and groups via the Local Users and Groups MMC by running the lusrmgr.msc MMC snap-in.

The Windows Local User Control Panel

Windows SIDs

To uniquely identify users and groups, Windows refers to them by something called the SID. In Windows, you can find each user’s and group’s SID by running the two PowerShell commands below.

Get-LocalUser | select name, sid
Get-LocalGroup | select name,sid
The list of users and groups on a Windows computer

Each built-in Windows group SID is the same across all Windows computers. The built-in user SIDs for Windows are unique. That Administrator SID you see in the above screenshot should be different on every Windows computer. Any future user or group created in Windows will be unique. Notice the test group below. If you create a test group on your Windows computer, the SID will be different.

A new "test" group at the top has a unique SID

Linux User IDs

On the flip side, Linux handles users and groups similarly, only this time Linux doesn’t use SIDs but user IDs (UIDs) and group IDs (GIDs). Also unlike Windows, users and groups are unique to the computer but not unique across all computers. This means that your UID on Computer A might be the exact same UID on Computer B, even if it isn’t the same user.

Both UIDs and GIDs follow a simple numeric convention: each UID and GID starts at 0 and increments by one, with 1-999 used for internal system accounts and 1000+ for custom user accounts.

The built-in root user always has a UID of 0 and a GID of 0. Also, like the Windows hidden SYSTEM account, this root account is generally (depending on Linux distribution) prevented from logging in.

The built-in root user is similar to the Windows SYSTEM and Administrator built-in accounts, kind of rolled into one. Even if you are working as an Administrator in Windows, there are still some built-in safeguards to prevent you from completely destroying Windows.

The root user, on the other hand, is an absolute authority. If you purposely drop into the root user (you can do this on the command line using the command sudo su) and try to delete your whole operating system, root will happily do so until the system dies.

Let’s say you’ve created a user called homelab. That user could then be referenced either by the UID 1000 or by the name homelab. The user will automatically become a member of the internal group users, which you can reference with the group ID of 100. You can find a list of these mappings by running the getent passwd command as seen below:

running getent passwd inside the terminal

You can also find the same information as above for groups with the getent group command.

running getent group inside the terminal
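
UIDs not being unique across computers matters whenever a disk or share moves between machines, because file ownership is stored as the number, not the name. The script below is an added example, not from the original article: it compares two constructed getent passwd listings (the accounts bob and alice and all function names are made up) and reports UIDs that map to different names.

```shell
#!/bin/sh
# Constructed `getent passwd` output from two hosts (made-up accounts).
host_a() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
homelab:x:1000:100:Homelab:/home/homelab:/bin/bash
alice:x:1001:100:Alice:/home/alice:/bin/bash
EOF
}
host_b() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bob:x:1000:100:Bob:/home/bob:/bin/bash
alice:x:1001:100:Alice:/home/alice:/bin/bash
EOF
}

# uid_class UID -> superuser | system | user (ranges as given in the text)
uid_class() {
    if [ "$1" -eq 0 ]; then echo superuser
    elif [ "$1" -lt 1000 ]; then echo system
    else echo user
    fi
}

# uid_collisions FILE_A FILE_B
# Print "uid nameA nameB" for every UID present on both hosts under
# different account names. Files owned by that UID on a disk moved from
# A to B would show up as belonging to nameB there.
uid_collisions() {
    awk -F: 'NR == FNR { name[$3] = $1; next }
             ($3 in name) && name[$3] != $1 { print $3, name[$3], $1 }' "$1" "$2"
}

# Demo on the constructed data. On real hosts, save each machine's
# `getent passwd` output to a file and pass the two files instead.
demo_collisions() (
    tmp=$(mktemp -d) || exit 1
    host_a > "$tmp/a"; host_b > "$tmp/b"
    uid_collisions "$tmp/a" "$tmp/b" | while read -r uid a b; do
        echo "$uid ($(uid_class "$uid")): $a on host A, $b on host B"
    done
    rm -rf "$tmp"
)
demo_collisions
```
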

Linux File Permissions

In a Windows world, filesystem permissions are not fun. Setting and managing permissions in NTFS can sometimes turn into a nightmare with ACEs, ACLs, inheritance, propagation, etc. Luckily, in Linux, filesystem permissions are much simpler.

In Linux, you have three types of rights you can assign to a file: read, write, and execute, across three categories of access: owner, group, and others.

  • owner is the user who owns the file/folder. Every file or folder has a designated owner.
  • group is the group that owns the file/folder. This does not have to be the same group the owner belongs to. Every file or folder can only belong to one group.
  • others is… well… others. It’s anyone who is neither the designated owner nor part of the owning group.

You can allow or deny every option for every category. As an example: you can give read, write, execute options for the owner, and read/execute options for the group and others. You can see that in the screenshot below. This means that anybody besides the user who is the owner of the folder cannot modify it.

Just like in Windows Explorer, in Ubuntu you can see this information by doing the following:

  1. Open up your Home folder on your desktop.
  2. Navigate to the file/folder in question.
  3. Right click on the file/folder and click on Properties.
  4. Click on the Permissions tab.
  5. Click on Advanced Permissions.

Once you’re in the Advanced Permissions box, you can graphically see all permissions assigned to that file or folder.

Demonstration of the advanced permissions menu in OpenSUSE

Below is what the Advanced Permissions table represents.

How the file permissions look visually

File Ownership

Like Windows, each file and folder has an owner. In Windows, you can take ownership of a file in the GUI or via the takeown command. In Linux, you take ownership by running chown <user>:<group> <file/folder> on the command line.

Like Windows, you generally need administrative permission to change ownership of files, which on Linux you get with sudo. sudo is the Linux equivalent of Windows’ User Account Control (UAC). Instead of opening an administrative command line window, you preface a command with sudo to make it run as an administrator.

Let’s create a folder that’s only owned by root to demonstrate some of these concepts.

  1. Open up your home folder and navigate to Documents
  2. Open up a command prompt by right-clicking and choosing Actions -> Open Terminal Here, then run the following:

     sudo mkdir owned-by-root
     sudo chmod 700 owned-by-root

Creating a root only folder

This folder only has read/write/execute permissions for the owner. Because you created the folder with admin rights, that owner is currently root.

You also changed the permissions so only the owner has access. The owning group and other users cannot access this folder at all. In fact, you’ll notice that the folder has a big lock on it indicating you don’t have access.

Below you can see how to take ownership of this folder.

  1. Open up another terminal in that same folder (or use the one you already had)
  2. Run sudo chown homelab:users ./owned-by-root
Demonstration of the change ownership command in OpenSUSE

Now that you have ownership, you can also change the file permissions inside the explorer GUI using the properties window.

File permissions inside the explorer GUI

You (usually) only want to change ownerships, not file permissions. Linux is pretty good at knowing what permissions things are supposed to have by default. You can really screw things up by ‘chmoding’ without knowing the implications.

Numeric Notation for File Permissions

If you have done any Linux troubleshooting, you may have seen people online explain file permissions using a number scheme. You can see that highlighted in the screenshot below:

The permissions menu, as viewed remotely from a Windows machine using WinSCP

Linux uses a shorthand notation for this access system using numbers, like 0600. The first number is for some special properties you can add, which people generally ignore. In fact, most people only use three digits for the notation and ignore the leading fourth.

For more information about numeric notation for file permissions, check out this article.
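
To make the number scheme concrete, the script below (an added example, not from the original article; the function names are assumptions) decodes a three- or four-digit mode into the rwx string that ls -l prints, including the leading "special" digit, and checks the result against a real directory set with chmod 700.

```shell
#!/bin/sh
# mode_to_rwx MODE: decode a 3- or 4-digit numeric mode into the nine
# permission characters that `ls -l` prints (owner, group, others).
mode_to_rwx() (
    case $1 in
        [0-7][0-7][0-7])      mode=0$1 ;;  # 3 digits: special digit is 0
        [0-7][0-7][0-7][0-7]) mode=$1 ;;
        *) echo "invalid mode: $1" >&2; exit 1 ;;
    esac
    special=${mode%???}                    # leading digit
    out=
    pos=2
    for flag in 4 2 1; do                  # setuid, setgid, sticky
        d=$(printf '%s' "$mode" | cut -c "$pos")
        pos=$((pos + 1))
        r=-; w=-; x=-
        [ $((d & 4)) -ne 0 ] && r=r        # read    = 4
        [ $((d & 2)) -ne 0 ] && w=w        # write   = 2
        [ $((d & 1)) -ne 0 ] && x=x        # execute = 1
        if [ $((special & flag)) -ne 0 ]; then
            # A special bit is shown in the execute column:
            # s/t when execute is also set, S/T when it is not.
            if [ "$flag" -eq 1 ]; then c=t; else c=s; fi
            if [ "$x" = - ]; then c=$(printf '%s' "$c" | tr st ST); fi
            x=$c
        fi
        out=$out$r$w$x
    done
    echo "$out"
)

# matches_ls MODE: chmod a scratch directory to MODE and confirm that
# `ls -ld` shows the same nine characters the decoder produced.
matches_ls() (
    dir=$(mktemp -d) || exit 1
    chmod "$1" "$dir"
    shown=$(ls -ld "$dir" | cut -c 2-10)
    chmod 700 "$dir"; rm -rf "$dir"
    [ "$shown" = "$(mode_to_rwx "$1")" ]
)

for m in 700 0600 755 4755 1777; do
    echo "$m -> $(mode_to_rwx "$m")"
done
matches_ls 700 && echo "700 matches ls output"
```
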

Wrap Up

That’s it for Part II of our A Windows Guy in a Linux World blog post series! Be sure to keep up the momentum with Part III!
