Linux Permissions

Where shell we begin ?

Open a terminal window by pressing Ctrl + Alt + T

Type: ls -l (that is a lower case L)

You should get something like this:

drwxr-xr-x  2 owner-username group     4096   Dec 25 20:15 Templates
-rwx--x--x  1 owner-username group     36     Jul 28 2016  script.ssh

The letters at the start of each line ( drwxr-xr-x ) tell us whether it’s a file or a folder and what permissions are set for that file or folder.

Each character position is called a permissions bit, with the exception of the first character, which simply defines the file type. If the first character (type) is the letter d, then it’s a folder. Otherwise, if the first character is a - (dash), then it’s a file.  File and folder names will be different colours; for example, on my system it’s green for executables (scripts), blue for folders and red for all other files. It may vary depending on what version of Linux you’re running.

The owner-username and group show you which user owns that file or folder and which group also has access to it. If you are looking at your home directory, you might just see your username as owner and again as group; that’s perfectly normal. Your web server’s html folder, on the other hand, might need the www-data group assigned to it.  This is why you have separate permission bits, so you can for example give yourself (Owner) full access (rwx), your web server (Group) read-execute (r-x) and everything else (Other) read-only (r--). You can change the Owner and Group using the chown command, which we will cover later.

Permission Bits:

There are 3 parts to the permission bits. They are: Owner, Group and Other (aka World).

Each part has 3 bits, which are (r)Read , (w)Write and (x)eXecute . Always in that order.

For example: -rwxr--r-- would give the Owner read, write and execute permissions but read-only for Group and Other.

Another example: dr--r--r-- would give Owner, Group and Other read-only access to that folder (remember the d type is folder)

Each permission bit has a value when set: r = 4 , w = 2 , x = 1 (read , write , execute).

If we take the first example and explode it, we get this:   -  rwx  r--  r--  (type, owner, group, other)

So how do we get from -rwxr--r-- to 744 .

We simply add up the values for each permission bit respectively for Owner, Group and Other. Like this:

Note: Permission bits will always be Owner, Group and Other, in that order.

Below we have an exploded example with both the letter and numerical values for each permission bit.

Type    Owner        Group        Other
        Permissions  Permissions  Permissions
-       rwx          r--          r--
        7            4            4
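
The same addition done by a script, as an added example that is not part of the original article: it converts the mode string printed by ls -l into the number you would pass to chmod. It goes one step beyond the text by also handling the setuid, setgid and sticky markers (s and t), which become a leading fourth digit; the function names are made up for this example.

```bash
#!/bin/sh
# Added example: turn an `ls -l` mode string into the octal value for chmod.

# triplet_value rwx -> 7 (r=4, w=2, x=1 for one Owner/Group/Other part)
triplet_value() (
    v=0
    case $1 in r??) v=$((v + 4)) ;; esac
    case $1 in ?w?) v=$((v + 2)) ;; esac
    case $1 in ??[xst]) v=$((v + 1)) ;; esac   # lower-case s/t: x is also set
    echo "$v"
)

# sym_to_octal -rwxr--r-- -> 744
sym_to_octal() (
    mode=$1
    # One type character followed by exactly nine permission characters.
    case $mode in
        [-dlbcps][-r][-w][-xsS][-r][-w][-xsS][-r][-w][-xtT]) ;;
        *) echo "invalid mode string: $mode" >&2; exit 1 ;;
    esac
    perms=${mode#?}                      # drop the type character
    owner=${perms%??????}                # first three characters
    rest=${perms#???}
    group=${rest%???}                    # middle three
    other=${rest#???}                    # last three
    # Beyond the page: setuid=4, setgid=2, sticky=1 form a leading digit.
    special=0
    case $owner in ??[sS]) special=$((special + 4)) ;; esac
    case $group in ??[sS]) special=$((special + 2)) ;; esac
    case $other in ??[tT]) special=$((special + 1)) ;; esac
    [ "$special" -eq 0 ] || printf '%s' "$special"
    echo "$(triplet_value "$owner")$(triplet_value "$group")$(triplet_value "$other")"
)

# Mode strings taken from the listings and examples above.
for m in drwxr-xr-x -rwx--x--x -rwxr--r-- dr--r--r--; do
    printf '%s -> %s\n' "$m" "$(sym_to_octal "$m")"
done
```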

Setting Permissions with chown and chmod:

chmod sets the permissions (what the Owner, Group and Other can do with the file or folder).
chown sets the owner of the file(s) or folder(s).

Now let’s say that we wanted to give:
Owner (r)ead, (w)rite and e(x)ecute permissions.
Group (r)ead, (w)rite and e(x)ecute permissions.
Other (r)ead only.

We would do it like this:

chmod 774 /home/hayward/file.txt - Owner (rwx)=4+2+1, Group (rwx)=4+2+1, Other (r--)=4.

If we wanted to set those same permissions on a directory instead, we would do it like this:

chmod 774 /home/hayward/documents - Changes permissions for the /documents folder and the files inside it.

chmod 774 -R /home/hayward/documents - Changes permissions for all folders and files recursively.

Now let’s look at chown.

chown user:group -R /home/hayward/documents - Sets the user and group owners for that file or folder, recursively.

chown username file.txt - Sets the owner of file.txt to username.

You may need to use sudo or be root to use chmod and chown on your system.

Also, one last bit of advice.  Never , ever , ever , set file or folder permissions to 777 .
Why ? Have a think about it. Answers on a postcard please :p
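
The last 7 in 777 includes the write bit for Other, so every account on the system can modify the file. The check below is an added example, not part of the original article: it lists world-writable files and folders under a directory and removes only that one bit. The demo tree and the function names are constructed for this example.

```bash
#!/bin/sh
# Added example: find and fix world-writable entries (the last digit of 777).

# list_world_writable DIR: files and directories under DIR whose Other part
# has the w bit (octal 0002) set, so every local account can modify them.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# strip_world_write DIR: remove only the Other write bit; the Owner and Group
# parts are left as they are (777 becomes 775, 666 becomes 664).
strip_world_write() {
    find "$1" \( -type f -o -type d \) -perm -0002 -exec chmod o-w {} +
}

# make_demo_tree: constructed sample tree in a temp directory; prints its path.
make_demo_tree() (
    d=$(mktemp -d) || exit 1
    mkdir "$d/documents"
    : > "$d/documents/file.txt";   chmod 774 "$d/documents/file.txt"
    : > "$d/documents/index.html"; chmod 644 "$d/documents/index.html"
    : > "$d/documents/script.sh";  chmod 777 "$d/documents/script.sh"
    chmod 755 "$d/documents"
    echo "$d"
)

tree=$(make_demo_tree)
echo "World-writable before:"; list_world_writable "$tree"
strip_world_write "$tree"
echo "World-writable after:";  list_world_writable "$tree"
rm -rf "$tree"
```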

Linux User Management

Let’s begin by asking, who am I ?

Before we continue, we need to make sure that our account (user login) has the permissions needed to manage users and groups.
If you are not the server owner or do not have some administrative rights, then this article is not for you.

Start by opening a terminal window by pressing Ctrl + Alt + T

Type: whoami

The output will be the username you are currently logged in as.  You might also have noticed that your username makes up the first part of your command line prompt (i.e. username@hostname). For something a little more useful you can try: who -m.

Now that we know what user you’re logged in as, let’s find out what groups you are a member of.

Type: groups

You should get an output similar to this (I’ve added the #comments for clarity).

hayward@hostname:~$ groups    #The command
hayward sudo shares admin     #The output

My logged in username is hayward, my primary group is hayward and my secondary groups are sudo, shares and admin.

The important thing to note here is that my account is a member of the sudo group (commonly known as Super User DO).

What is sudo ?

Sudo is a program that allows users to run commands that would normally only work with higher level accounts, such as root for example. Users who need administrative privileges should be added to the sudo group, rather than given the root login and password.  When a sudo group member wants to run an administrative command, they prefix it with sudo then-command-to-execute.  Sudo tells the system to run the following command(s) as a substitute user, commonly the root user. The sudo user will need to provide their own password for security authentication. Nobody, even the server owner should be logging in as root, unless absolutely critical to the task in hand.

Be very careful running commands as root user. is your friend for more information and horror stories on using root :p

Why is my primary group the same as my username ?

The primary group is used by default when you log in, for setting ownership on files you create for example.
You can learn more about file permissions in our article: Linux Permissions 101 .

It is possible of course to change your primary group to something else, but that’s for advanced users and won’t be covered here.

My username is root , what now ?

If your version of Linux didn’t prompt you to provide a username during installation (as is the case with most VPS hosting), then you’ll more than likely be logging in for the first time using the root account. This is often an unavoidable step when setting up a new server, so it’s nothing to worry about. Although you should make it a priority to prevent remote access with the root account.

Adding a new user:

The native command for adding new users is useradd; this is considered the more advanced method. But I’m trying to make your life easier, so I’ll also show you the second method, which is the adduser command (it’s actually a Perl script that calls the useradd command).  adduser prompts you for the information needed, while useradd expects you to provide it as part of the command line.  Let’s take a look at both methods below:

adduser (recommended method).

Should your version of Linux not have adduser installed, install it with this command: sudo apt-get install adduser

If you are logged in as root:

Type: adduser newusername

If you are logged in as a user with sudo privileges:

Type: sudo adduser newusername

You will be asked to set a password for the new user and given the option to provide additional information, such as Full Name. Once you’ve set a password you can simply press enter for each of the other prompts until you’re asked if the information you provided is correct. Press Y , then Enter.

useradd (for advanced users).

Using this command will not automatically add a home directory or prompt you to set the user password.

If you are logged in as root:

Type: useradd username - Without home directory or password
Alternatively: useradd -d /home/username/ -m username - With home directory, note the space after /username/

If you are logged in as a user with sudo privileges:

Type: sudo useradd username - Same as above, but you’ll need to enter your password to continue.
Alternatively: sudo useradd -d /home/username/ -m username - Note the space after /username/

Once you’ve added the new user, set a password by typing: sudo passwd username (don’t use sudo if logged in as root).

Adding the new user to a secondary group (sudo, for this example).

If you are logged in as root:

Type: usermod -a -G sudo username - Adds username to the sudo group

-a (append)
-G sudo (add user to secondary group, sudo)

If you are logged in as a user with sudo privileges:

Type: sudo usermod -a -G sudo username - Same as above, but you’ll need to enter your password to continue.

This user will now be able to run commands as sudo (Super User DO).

You can switch to this new user by typing: su username. To switch back, just type exit and press enter.
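
To see how the primary and secondary groups described above are stored, and to confirm whether an account really is in the sudo group, here is an added example that is not part of the original article. It resolves group membership from files in /etc/passwd and /etc/group format; the sample data is constructed (the UIDs and GIDs are made up) and the function names are hypothetical.

```bash
#!/bin/sh
# Added example: primary vs secondary groups, resolved the way `groups` does.

# make_sample: constructed files in /etc/passwd and /etc/group format.
make_sample() (
    d=$(mktemp -d) || exit 1
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
hayward:x:1000:1000:,,,:/home/hayward:/bin/bash
newusername:x:1001:1001:,,,:/home/newusername:/bin/bash
EOF
    cat > "$d/group" <<'EOF'
root:x:0:
sudo:x:27:hayward
shares:x:1002:hayward
admin:x:1003:hayward
hayward:x:1000:
newusername:x:1001:
EOF
    echo "$d"
)

# groups_of USER PASSWD GROUP: primary group first, then secondary groups.
groups_of() (
    gid=$(awk -F: -v u="$1" '$1 == u { print $4; exit }' "$2")
    [ -n "$gid" ] || { echo "no such user: $1" >&2; exit 1; }
    awk -F: -v u="$1" -v gid="$gid" '
        $3 == gid { primary = $1; next }     # GID field of the passwd entry
        { n = split($4, m, ",")              # member list of every other group
          for (i = 1; i <= n; i++) if (m[i] == u) sec = sec " " $1 }
        END { print primary sec }' "$3"
)

# in_group USER GROUPNAME PASSWD GROUP: succeeds if USER is a member.
in_group() {
    case " $(groups_of "$1" "$3" "$4") " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

s=$(make_sample)
groups_of hayward "$s/passwd" "$s/group"
in_group newusername sudo "$s/passwd" "$s/group" \
    || echo "newusername is not in sudo yet (usermod -a -G sudo not run)"
rm -rf "$s"
```

On a live system, id -nG username or getent group sudo answers the same question from the real account database.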

Tor Project

Tor Website on Ubuntu

This is a quick tutorial on how to set up a Tor website using Nginx on Ubuntu.

Step 1: Install Nginx

Type: sudo apt install nginx

Type: sudo nano /etc/nginx/sites-available/default

Replace the entire contents of the file with the code block below.

server {
       listen default_server;
       server_name localhost;
       root /usr/share/nginx/html;
       index index.html index.htm;
       location / {
               deny all;
       }
}

Step 2: Install Tor

Type: lsb_release -a

Note down your Linux release version and codename.

Then visit this link and select your Linux version and codename from the drop down menu.

Follow the instructions on that page, then continue back here.

Type: sudo nano /etc/tor/torrc

Look for the following two lines of code and uncomment them, then change “” to “”.

#HiddenServiceDir /var/lib/tor/hidden_service/ 
#HiddenServicePort 80

After making those changes, the two lines should now look like this:

HiddenServiceDir /var/lib/tor/hidden_service/ 
HiddenServicePort 80

Step 3: Restart the Services

Type: sudo service nginx restart

Type: sudo service tor restart

Step 4: Test Your Tor Website

Type: sudo nano /var/lib/tor/hidden_service/hostname

Copy your .onion hostname and try it out in your Tor Browser.

Your website’s HTML files can be found in /usr/share/nginx/html

As a final note, I strongly advise you to read Tor Hidden (Onion) Services Best Practices.