Changing Permissions

Windows

Sharing a Folder with Another User

Now that we can read permissions, let's take it a step further and learn how to change permissions in Windows. Let's say I want to give access to another person in my family to view a folder with family pictures on the computer. How would I do that?

On my local Disk C, I have a folder called vacation pictures that I want to share with another user on my machine, Devan. To do that, I'm going to:

1. Right-click on this folder

2. Go to Properties

3. Click on the Security tab

4. Click the "Edit" button to edit file permissions

5. Click "Add" to add a new user/group

6. Enter Devan's username and click "Check Names" to verify

7. Click "Ok" to add Devan

8. Select Devan's username and check the "Allow" boxes for the permissions I want to give him (e.g. Modify access)

That's it! 🎉

Understanding "Deny" Permissions

We've been glossing over this other checkbox here - "Deny". You might have already guessed that "Deny" doesn't allow you to have a certain permission, but it's special because it generally takes precedence over the "Allow" permissions.

For example, let's say Devan is in a group that has access to this folder. If we explicitly check the "Deny" box for Devan's username, even if the group has access to the folder, Devan won't.

Changing Permissions Using icacls in PowerShell

To modify permissions in the CLI, we're going to use the icacls command. In the examples I'm going to show you, we'll be running icacls from PowerShell.

The icacls command was designed for the Command Prompt before PowerShell, and its parameters use special characters that confuse PowerShell. By surrounding icacls parameters with single quotes, I'm telling PowerShell not to try and interpret the parameter as code.

If you run these commands in command.exe, you'll need to remove the single quotes for them to work.

Let's look at this side by side with powershell.exe and command.exe:

• PowerShell: icacls 'vacation pictures' /grant everyone:OI(CI)R

• Command Prompt: icacls "vacation pictures" /grant everyone:OI(CI)R

The key difference is the use of single quotes in PowerShell to prevent PowerShell from interpreting the special characters.

Granting Read-Only Access to Everyone

Let's say we want anyone with permission to use this computer to be able to see these pictures, but we don't want them to add or remove photos. What permissions do we want to give them? 🤔

That's right, we want to give them read permission to the vacation pictures folder. Let's use the special everyone group to do this:

icacls 'vacation pictures' /grant everyone:OI(CI)R

The everyone group includes local user accounts, guest users, and anyone who can use the computer. 🙂

Restricting Access to Authenticated Users

Actually, maybe I didn't really want everyone to look at my vacation photos. Maybe I just want the people that have passwords on the computer to be able to see them. In that case, I want to use the Authenticated Users group. That group doesn't include guest users.

First, let's add the Authenticated Users group with read access:

icacls 'vacation pictures' /grant "Authenticated Users":OI(CI)R

Now, let's remove the permissions for the everyone group:

icacls 'vacation pictures' /remove everyone

Finally, let's use icacls to verify that the permissions are set as intended:

icacls 'vacation pictures'

Sweet! 🤩 We can see that Authenticated Users are added and everyone is removed.

Changing Permissions in Linux

In Linux, we change permissions using the chmod or change mode command. First, pick which permission set you want to change. The owner, which is denoted by u, the group the file belongs to, denoted by g, or other users, which is noted by an o. To add or remove permissions, just use a plus or minus symbol that indicates who the permission effects.

Examples

Let's take a look at some examples. Let's chmod u+x, my_cool_file. This command is saying that we want to change the permission of my_cool_file by giving executable or x axis to the owner or u. You can do the same thing if you wanted to remove a permission. Chmod u-x, my_cool_file. Instead of a plus, we just minus. Pretty simple.

If you wanted to add multiple permissions to a file, you could just do something like this. chmod u+rx, my_cool_file. This is saying we want to add read and execute permissions for the owner of my_cool_file. You can do the same for multiple permission sets. You do chmod ugo+r, my_cool_file. Now, this says we want to add read permissions for our owner, the group the file belongs to and all other users and groups.

This format of using r, w, x and ugo to denote permissions and users in chmod is known as symbolic format. We can also change permissions numerically, which is much faster and simpler.

Numerical Format

Let's just change all permissions at once. The numerical equivalent of r, w, x is 4 for read or r, 2 for write or w, and 1 for execute or x. To set permissions, we add these numbers for every permission set we want to effect. Let's take a look at an example. The first Number 7 is our owner's permission. The second Number 5 is our group permissions, and the third Number 4 is the permission for all other users.

Remember, you have to add the permissions together. If you add 4, 2 and 1 together, you get r, w, x, which equals 7, so our owner permission is able to read, write, and execute this file. 5 would stand for 4+1, which is read and execute.

Now, you can see how numeric format is quicker than symbolic format. Instead of running something like this, we can run chmod 754 my_cool_file to update them all.

Changing Owner and Group

Either way, you can change permissions using the symbolic or numerical format. Just pick whichever is easiest for you. You can also change the owner and the group of a file that you own. The chown or change owner command allows you to change the owner of a file. Let's go ahead and change the owner to Devan. Awesome. Now, Devan is the owner of this file. To change the group a file belongs to, you can use chgrp or change group command. Awesome. Now, the best group ever is the group owner for this file.

It may take a while for you to get the hang of reading and changing permissions. You can practice changing their permissions on a few files until you get it done. Permissions are an essential building block to computer security, and you'll be using them throughout your work as an IT support specialist. 🖥️ 💻 🔒