# File Permissions

## Overview

Linux is a multi-user operating system, and the file permission mechanism is an important foundation of its security. Each file and directory carries a set of permissions that controls who may read, write, or execute it.

## Permission Basics

### Viewing Permissions

Use the `ls -l` command to view file permissions:

```bash
$ ls -l
-rw-r--r-- 1 maxwell maxwell 1234 Jan 1 10:00 file.txt
drwxr-xr-x 2 maxwell maxwell 4096 Jan 1 10:00 directory
```

### Permission String Interpretation

```
-rw-r--r--
│├─┤├─┤├─┤
│ │ │ └── Other user permissions (other)
│ │ └───── Group permissions (group)
│ └──────── Owner permissions (owner/user)
└────────── File type
```

### Permission Types

| Symbol | Meaning | Significance for files | Significance for directories |
|---|---|---|---|
| r | Read | View file content | List directory contents |
| w | Write | Modify file content | Create/delete files in the directory |
| x | Execute | Run as a program | Enter (traverse) the directory |
| - | No permission | - | - |
### Three User Classes

| Class | Description |
|---|---|
| Owner (User) | The file's owner (initially its creator) |
| Group | The file's owning group |
| Others | All users other than the above two |
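The kernel applies exactly one of these classes to each access request, which is why a file can be readable by everyone yet unreadable by its own owner when the owner triad is `---`. The following shell example is added here and is not part of the original chapter; it works out which class applies and whether a read, write or execute request would be granted, using constructed user, group and mode values.

```bash
# Added example: which permission class applies to a request, and whether
# it is granted. Linux picks exactly one class: owner if the user owns the
# file, else group if the user is a member of the file's group, else other.
# It never falls through to a more permissive class.
# Usage: can_access MODE OWNER GROUP USER "USER_GROUPS" r|w|x
# MODE is the 9-character permission part of ls -l, e.g. rw-r-----.
can_access() {
    mode=$1 owner=$2 group=$3 user=$4 user_groups=$5 want=$6
    class=other
    if [ "$user" = "$owner" ]; then
        class=owner
    else
        for g in $user_groups; do          # space-separated membership list
            if [ "$g" = "$group" ]; then class=group; break; fi
        done
    fi
    case $class in
        owner) triad=$(printf '%s' "$mode" | cut -c1-3) ;;
        group) triad=$(printf '%s' "$mode" | cut -c4-6) ;;
        other) triad=$(printf '%s' "$mode" | cut -c7-9) ;;
    esac
    granted=no
    case $want in
        r) case $triad in r??) granted=yes ;; esac ;;
        w) case $triad in ?w?) granted=yes ;; esac ;;
        x) case $triad in ??[xst]) granted=yes ;; esac ;;   # s/t imply x
        *) echo "want must be r, w or x" >&2; return 2 ;;
    esac
    # root (CAP_DAC_OVERRIDE) bypasses read/write checks, but may execute a
    # file only if at least one execute bit is set on it.
    if [ "$user" = root ]; then
        if [ "$want" != x ]; then granted=yes
        else case $mode in *[xst]*) granted=yes ;; esac
        fi
    fi
    if [ "$granted" = yes ]; then echo "$class:allowed"; else echo "$class:denied"; fi
}

# Constructed demonstration: the owner of a ---rwxrwx file is denied read
# access although every other user is allowed it.
can_access ---rwxrwx maxwell maxwell maxwell "maxwell" r   # prints owner:denied
```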
### Numeric Representation

Permissions can also be written as octal numbers:

| Permission | Numeric Value |
|---|---|
| r (read) | 4 |
| w (write) | 2 |
| x (execute) | 1 |
| - (none) | 0 |

#### Calculating Permission Numbers

```
rwx = 4 + 2 + 1 = 7
rw- = 4 + 2 + 0 = 6
r-x = 4 + 0 + 1 = 5
r-- = 4 + 0 + 0 = 4
--- = 0 + 0 + 0 = 0
```

#### Common Permission Combinations

| Number | Symbol | Meaning |
|---|---|---|
| 755 | rwxr-xr-x | Owner has full control; others can read and execute |
| 644 | rw-r--r-- | Owner can read/write; others read-only |
| 700 | rwx------ | Only the owner can access |
| 777 | rwxrwxrwx | Everyone has full control (not recommended) |
| 600 | rw------- | Only the owner can read/write |
| 666 | rw-rw-rw- | Everyone can read/write |
## Modifying Permissions

### chmod - Modify Permissions

#### Symbolic Mode

```bash
# Format: chmod [ugoa][+-=][rwx] file
# Add execute permission for the owner
$ chmod u+x script.sh
# Remove write permission for the group
$ chmod g-w file.txt
# Set other users to read-only
$ chmod o=r file.txt
# Add execute permission for everyone
$ chmod a+x script.sh
# Combine several changes in one command
$ chmod u+x,g-w,o-rwx file.txt
# Modify a directory tree recursively
$ chmod -R u+w directory/
```

#### Symbol Description

| Symbol | Meaning |
|---|---|
| u | Owner (user) |
| g | Group |
| o | Others |
| a | All |
| + | Add permission |
| - | Remove permission |
| = | Set permission exactly |

#### Numeric Mode

```bash
# Set to 755
$ chmod 755 script.sh
# Set to 644
$ chmod 644 file.txt
# Modify recursively
$ chmod -R 755 directory/
```

#### Common Use Cases

```bash
# Make a script executable
$ chmod +x script.sh
$ chmod 755 script.sh
# Protect a configuration file
$ chmod 600 config.ini
# Shared directory
$ chmod 775 shared_dir/
# Website directory
$ chmod 755 /var/www/html/
$ chmod 644 /var/www/html/*.html
```

## Modifying Ownership
### chown - Modify Owner

```bash
# Change the owner
$ sudo chown newowner file.txt
# Change owner and group
$ sudo chown newowner:newgroup file.txt
# Change only the group
$ sudo chown :newgroup file.txt
# Change recursively
$ sudo chown -R newowner:newgroup directory/
```

### chgrp - Modify Group

```bash
# Change the group
$ sudo chgrp newgroup file.txt
# Change recursively
$ sudo chgrp -R newgroup directory/
```

## Special Permissions
### SUID (Set User ID)

When an executable file has the SUID bit set, it runs with the privileges of the file owner rather than those of the user executing it.

```bash
# View a SUID file
$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 68208 Jan 1 10:00 /usr/bin/passwd
# ^-- s indicates SUID
# Set SUID
$ chmod u+s executable
$ chmod 4755 executable
```

Security tip: a SUID binary runs with its owner's privileges for every user who may execute it, so any defect in it is exposed at that privilege level. Use SUID sparingly and review the SUID files present on a system.

### SGID (Set Group ID)

- For executables: runs with the permissions of the file's group
- For directories: files created in the directory inherit the directory's group

```bash
# Set SGID
$ chmod g+s directory/
$ chmod 2755 directory/
# View
$ ls -ld directory/
drwxr-sr-x 2 user group 4096 Jan 1 10:00 directory/
# ^-- s indicates SGID
```

### Sticky Bit

When set on a directory, only a file's owner, the directory's owner, or root can delete or move files within it.

```bash
# Set the sticky bit
$ chmod +t directory/
$ chmod 1777 directory/
# View
$ ls -ld /tmp
drwxrwxrwt 10 root root 4096 Jan 1 10:00 /tmp
# ^-- t indicates the sticky bit
```

### Special Permission Numbers

| Permission | Number |
|---|---|
| SUID | 4 |
| SGID | 2 |
| Sticky | 1 |
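As an added example (not from the original chapter), the following shell functions convert between the `ls -l` mode string and the 4-digit octal form, special bits included; the mode strings they are run on are constructed.

```bash
# Added example: convert between the ls -l mode string and the 4-digit
# octal form. Lowercase s/t in the execute slot means special bit AND
# execute are set; uppercase S/T means the special bit without execute.
triad_value() {
    # $1: one three-character triad such as rwx, r-s or rwT
    v=0
    case $1 in r??) v=$((v + 4)) ;; esac
    case $1 in ?w?) v=$((v + 2)) ;; esac
    case $1 in ??[xst]) v=$((v + 1)) ;; esac    # S/T: execute bit clear
    echo "$v"
}

mode_to_octal() {
    # $1: 10-character mode string, e.g. -rwsr-xr-x -> 4755
    m=${1#?}                                     # drop the file-type character
    u=$(printf '%s' "$m" | cut -c1-3)
    g=$(printf '%s' "$m" | cut -c4-6)
    o=$(printf '%s' "$m" | cut -c7-9)
    special=0
    case $u in ??[sS]) special=$((special + 4)) ;; esac    # SUID
    case $g in ??[sS]) special=$((special + 2)) ;; esac    # SGID
    case $o in ??[tT]) special=$((special + 1)) ;; esac    # sticky
    printf '%d%d%d%d\n' "$special" "$(triad_value "$u")" \
        "$(triad_value "$g")" "$(triad_value "$o")"
}

triad_string() {
    # $1: digit 0-7; $2: 1 if this triad's special bit is set; $3: its letter (s or t)
    r=- w=- x=-
    if [ $(($1 & 4)) -ne 0 ]; then r=r; fi
    if [ $(($1 & 2)) -ne 0 ]; then w=w; fi
    if [ $(($1 & 1)) -ne 0 ]; then x=x; fi
    if [ "$2" -ne 0 ]; then                      # special bit shows in the x slot
        if [ "$x" = x ]; then x=$3; else x=$(printf '%s' "$3" | tr st ST); fi
    fi
    printf '%s%s%s' "$r" "$w" "$x"
}

octal_to_mode() {
    # $1: 3- or 4-digit octal mode, e.g. 4755 -> rwsr-xr-x (no type character)
    n=$1
    if [ ${#n} -eq 3 ]; then n=0$n; fi
    s=$(printf '%s' "$n" | cut -c1)
    triad_string "$(printf '%s' "$n" | cut -c2)" $((s & 4 ? 1 : 0)) s
    triad_string "$(printf '%s' "$n" | cut -c3)" $((s & 2 ? 1 : 0)) s
    triad_string "$(printf '%s' "$n" | cut -c4)" $((s & 1 ? 1 : 0)) t
    echo
}

mode_to_octal -rwsr-xr-x      # constructed input; prints 4755
```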
```bash
# Complete 4-digit permissions
$ chmod 4755 file # SUID + rwxr-xr-x
$ chmod 2755 dir  # SGID + rwxr-xr-x
$ chmod 1777 dir  # Sticky + rwxrwxrwx
```

## Default Permissions: umask

The umask determines the default permissions of newly created files and directories.
### Understanding umask

```bash
# View the current umask
$ umask
0022
# Calculate default permissions
# File default permissions = 666 - umask = 666 - 022 = 644
# Directory default permissions = 777 - umask = 777 - 022 = 755
```

### Setting umask

```bash
# Temporary setting (current shell only)
$ umask 027
# File default permissions: 640
# Directory default permissions: 750
# Permanent setting (add to ~/.bashrc)
$ echo "umask 027" >> ~/.bashrc
```

### Common umask Values

| umask | File permissions | Directory permissions | Description |
|---|---|---|---|
| 022 | 644 | 755 | System default |
| 027 | 640 | 750 | More restrictive |
| 077 | 600 | 700 | Only the owner can access |
| 002 | 664 | 775 | Group members can write |
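The subtraction shorthand used above gives the right answer for every umask in this table, but the kernel actually clears the umask bits (`base & ~umask`), and the two differ as soon as a umask digit would have to borrow. This shell example is added here and is not part of the original chapter; it computes both for a constructed set of umask values so the difference is visible.

```bash
# Added example: the mode a new file or directory gets under a given umask.
# The kernel clears every bit set in the umask (base & ~umask); the decimal
# "666 - umask" shorthand matches only while no digit has to borrow.
default_mode() {
    # $1: file|dir   $2: umask in octal as printed by `umask` (022, 0027, ...)
    case $1 in
        file) base=0666 ;;                 # new files are never created executable
        dir)  base=0777 ;;
        *) echo "usage: default_mode file|dir UMASK" >&2; return 2 ;;
    esac
    mask=$((0$2))                          # leading 0 forces octal inside $(( ))
    printf '%03o\n' $((base & ~mask))
}

shorthand_mode() {
    # The digit-by-digit decimal subtraction from the text, for comparison.
    case $1 in file) base=666 ;; dir) base=777 ;; esac
    m=$(printf '%s' "$2" | sed 's/^0*//')  # decimal value of the umask digits
    printf '%03d\n' $((base - ${m:-0}))
}

# Constructed comparison over a few umask values, independent of the
# running system's umask.
umask_table() {
    printf '%-6s %-5s %-9s %-4s\n' umask file shorthand dir
    for u in 022 027 077 002 011; do
        printf '%-6s %-5s %-9s %-4s\n' "$u" "$(default_mode file "$u")" \
            "$(shorthand_mode file "$u")" "$(default_mode dir "$u")"
    done
}
umask_table
```

For umask 077 the shorthand yields 589, which is not even a valid mode, while the kernel produces 600; for 011 the shorthand says 655 but new files keep 666 because they have no execute bits to clear.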
## Access Control Lists (ACL)

ACLs provide finer-grained access control than the traditional owner/group/other permissions, allowing entries for individual additional users and groups. When a file carries an ACL, `ls -l` shows a `+` after the permission string.

### Viewing ACLs

```bash
$ getfacl file.txt
# file: file.txt
# owner: maxwell
# group: maxwell
user::rw-
group::r--
other::r--
```

### Setting ACLs

```bash
# Set permissions for a specific user
$ setfacl -m u:alice:rw file.txt
# Set permissions for a specific group
$ setfacl -m g:developers:rx directory/
# Set a default ACL (applies to files created later in the directory)
$ setfacl -d -m u:alice:rw directory/
# Remove one ACL entry
$ setfacl -x u:alice file.txt
# Remove all ACL entries
$ setfacl -b file.txt
# Set recursively
$ setfacl -R -m u:alice:rx directory/
```

### ACL Examples

```bash
# Scenario: let alice read a private file without opening it to the group or others
$ setfacl -m u:alice:r secret.txt
$ getfacl secret.txt
# file: secret.txt
# owner: maxwell
# group: maxwell
user::rw-
user:alice:r--
group::---
other::---
```

## File Attributes
### lsattr - View Attributes

```bash
$ lsattr file.txt
----i------------ file.txt
```

### chattr - Modify Attributes

```bash
# Set immutable (cannot be modified)
$ sudo chattr +i file.txt
# While the attribute is set, the file cannot be modified, deleted or renamed,
# even by root; the attribute must be removed first
# Remove immutable
$ sudo chattr -i file.txt
# Append only (useful for log files)
$ sudo chattr +a logfile.txt
# Secure delete
$ sudo chattr +s file.txt
# Note: the s, u and c attributes are not honored by ext2/ext3/ext4
```

### Common Attributes

| Attribute | Description |
|---|---|
| i | Immutable |
| a | Append only |
| s | Secure delete (not honored by ext2/3/4) |
| u | Recoverable delete (not honored by ext2/3/4) |
| c | Auto-compress (not honored by ext2/3/4) |
## Permission Practices

### Website Directory Permissions

```bash
# Set the owner to www-data
$ sudo chown -R www-data:www-data /var/www/html
# Directory permissions
$ sudo find /var/www/html -type d -exec chmod 755 {} \;
# File permissions
$ sudo find /var/www/html -type f -exec chmod 644 {} \;
```

### SSH Key Permissions

```bash
# ~/.ssh directory
$ chmod 700 ~/.ssh
# Private key
$ chmod 600 ~/.ssh/id_rsa
# Public key
$ chmod 644 ~/.ssh/id_rsa.pub
# authorized_keys
$ chmod 600 ~/.ssh/authorized_keys
```

### Shared Directory

```bash
# Create the shared directory
$ sudo mkdir /shared
# Set the group
$ sudo chgrp developers /shared
# Set SGID so that new files inherit the group
$ sudo chmod 2775 /shared
```

### Script Files

```bash
# Make a script executable
$ chmod 755 script.sh
# Or for the owner only
$ chmod 700 private_script.sh
```

## Troubleshooting Permission Issues

### Checklist

```bash
# 1. View the file's permissions
$ ls -la file.txt
# 2. View the current user and its groups
$ id
# 3. View the file's ACL
$ getfacl file.txt
# 4. View the permissions of every directory on the path
$ namei -l /path/to/file.txt
# 5. Check SELinux (if enabled)
$ ls -Z file.txt
$ getenforce
```

### Common Problems

#### Cannot execute script

```bash
$ chmod +x script.sh
```

#### Permission denied accessing directory

```bash
# x permission is needed on the directory
$ chmod +x directory/
```

#### Cannot delete file

```bash
# Check w permission on the parent directory
$ chmod +w parent_directory/
```

#### SSH keys not working

```bash
$ chmod 600 ~/.ssh/id_rsa
$ chmod 700 ~/.ssh
```
## Summary

This chapter introduced the core concepts of Linux file permissions:

- Basic permissions: Read (r), Write (w), Execute (x)
- Three user classes: Owner, Group, Others
- Permission representation: Symbolic (rwx) and numeric (755)
- Modifying permissions: `chmod`, `chown`, `chgrp`
- Special permissions: SUID, SGID, Sticky Bit
- Default permissions: umask
- Advanced control: ACL

Setting file permissions correctly is an important part of system security. In daily use, follow the principle of least privilege: grant only the permissions that are actually needed.