File Permissions
Overview
Linux is a multi-user operating system, and the file permission mechanism is an important foundation of its security. Each file and directory has a set of permissions that control who can read, write, or execute it.
Permission Basics
Viewing Permissions
Use the ls -l command to view file permissions:
$ ls -l
-rw-r--r-- 1 maxwell maxwell 1234 Jan 1 10:00 file.txt
drwxr-xr-x 2 maxwell maxwell 4096 Jan 1 10:00 directory
Permission String Interpretation
-rw-r--r--
│├─┤├─┤├─┤
│ │ │ └── Other user permissions (other)
│ │ └───── Group permissions (group)
│ └──────── Owner permissions (owner/user)
└────────── File type
Permission Types
Three User Classes
Numeric Representation
Permissions can be represented using octal numbers:
Calculating Permission Numbers
rwx = 4 + 2 + 1 = 7
rw- = 4 + 2 + 0 = 6
r-x = 4 + 0 + 1 = 5
r-- = 4 + 0 + 0 = 4
--- = 0 + 0 + 0 = 0
Common Permission Combinations
Modifying Permissions
chmod - Modify Permissions
Symbolic Mode
# Format: chmod [ugoa][+-=][rwx] file
# Add execute permission for owner
$ chmod u+x script.sh
# Remove write permission for group
$ chmod g-w file.txt
# Set other users to read-only
$ chmod o=r file.txt
# Add execute permission for everyone
$ chmod a+x script.sh
# Combination usage
$ chmod u+x,g-w,o-rwx file.txt
# Recursively modify a directory tree
$ chmod -R u+w directory/
Symbol Description
Numeric Mode
# Set to 755
$ chmod 755 script.sh
# Set to 644
$ chmod 644 file.txt
# Recursively modify a directory tree
$ chmod -R 755 directory/
Common Use Cases
# Make script executable
$ chmod +x script.sh
$ chmod 755 script.sh
# Protect configuration file
$ chmod 600 config.ini
# Shared directory
$ chmod 775 shared_dir/
# Website directory
$ chmod 755 /var/www/html/
$ chmod 644 /var/www/html/*.html
Modifying Ownership
chown - Modify Owner
# Modify owner
$ sudo chown newowner file.txt
# Modify owner and group
$ sudo chown newowner:newgroup file.txt
# Modify only group
$ sudo chown :newgroup file.txt
# Recursively change owner and group for a directory tree
$ sudo chown -R newowner:newgroup directory/
chgrp - Modify Group
# Modify group
$ sudo chgrp newgroup file.txt
# Recursively change the group for a directory tree
$ sudo chgrp -R newgroup directory/
Special Permissions
SUID (Set User ID)
When an executable file has the SUID bit set, it runs with the permissions of the file owner rather than the user executing it.
# View SUID files
$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 68208 Jan 1 10:00 /usr/bin/passwd
# ^-- s indicates SUID
# Set SUID
$ chmod u+s executable
$ chmod 4755 executable
Security Tip: a SUID binary runs with its owner's privileges (often root) for every user allowed to execute it, so any bug in that binary becomes a privilege-escalation path. Keep the set of SUID files on a system minimal and audit it regularly.
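As an added example (not code from the original page), the following shell functions build a defensive inventory of SUID and SGID files under a directory tree, so it can be saved as a baseline and re-checked after package updates or a suspected compromise. The function names are assumed, and GNU find's -printf is assumed.

```shell
#!/bin/sh
# Inventory of setuid/setgid regular files under a tree, one per line as
# "<octal mode> <owner> <path>", sorted by path so two runs can be diffed.
# -xdev keeps find on one filesystem; unreadable directories are skipped quietly.
list_setuid_setgid() {
    root=${1:-/}
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
         -printf '%m %u %p\n' 2>/dev/null | sort -k3
}

# Compare the current inventory with a saved baseline file. Lines that are
# new (+) or gone (-) are printed; returns 1 on any drift, 0 when identical.
audit_against_baseline() {
    root=$1 baseline=$2
    current=$(mktemp) || return 1
    list_setuid_setgid "$root" > "$current"
    if diff -u "$baseline" "$current" | grep '^[+-][^+-]'; then
        rm -f "$current"
        return 1            # drift detected: investigate the listed files
    fi
    rm -f "$current"
}
```

Typical use is `list_setuid_setgid / > /var/lib/suid.baseline` once on a known-good system, then `audit_against_baseline / /var/lib/suid.baseline` from a periodic job.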
SGID (Set Group ID)
- For files: Runs with the file's group permissions
- For directories: Files created in the directory inherit the directory's group
# Set SGID
$ chmod g+s directory/
$ chmod 2755 directory/
# View
$ ls -ld directory/
drwxr-sr-x 2 user group 4096 Jan 1 10:00 directory/
# ^-- s indicates SGID
Sticky Bit
When set on a directory, only the file owner, directory owner, or root can delete or move files within it.
# Set sticky bit
$ chmod +t directory/
$ chmod 1777 directory/
# View
$ ls -ld /tmp
drwxrwxrwt 10 root root 4096 Jan 1 10:00 /tmp
# ^-- t indicates sticky bit
Special Permission Numbers
# Complete 4-digit permissions
$ chmod 4755 file # SUID + rwxr-xr-x
$ chmod 2755 dir # SGID + rwxr-xr-x
$ chmod 1777 dir # Sticky + rwxrwxrwx
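As an added example (not from the original page), this shell function converts the 10-character mode string shown by ls -l into the 4-digit octal form used both in the Calculating Permission Numbers section and in the special-permission table above; mode_to_octal and octal_of are assumed names.

```shell
#!/bin/sh
# Convert a 10-character `ls -l` mode string (e.g. -rwsr-xr-x) into the
# 4-digit octal chmod form (e.g. 4755). Special bits are read from the
# execute slots: s/S in the user slot = SUID (4), s/S in the group slot =
# SGID (2), t/T in the other slot = sticky (1). Uppercase means the special
# bit is set while the underlying execute bit is not.
mode_to_octal() {
    str=$1
    [ "${#str}" -eq 10 ] || { echo "expected a 10-char mode string" >&2; return 1; }
    body=${str#?}            # drop the file-type character (-, d, l, ...)
    special=0 digits='' i=0
    while [ "$i" -lt 3 ]; do
        triple=$(printf '%.3s' "$body")   # next rwx group
        body=${body#???}
        v=0
        case $triple in r??) v=$((v + 4)) ;; esac
        case $triple in ?w?) v=$((v + 2)) ;; esac
        case $triple in ??[xst]) v=$((v + 1)) ;; esac   # lowercase s/t imply x
        case "$i:$triple" in
            0:??[sS]) special=$((special + 4)) ;;
            1:??[sS]) special=$((special + 2)) ;;
            2:??[tT]) special=$((special + 1)) ;;
        esac
        digits="$digits$v"
        i=$((i + 1))
    done
    printf '%s%s\n' "$special" "$digits"
}

# Octal mode of a path, taken from the first 10 characters of `ls -ld`
# (an 11th '+' or '.' marks ACLs or SELinux labels and is ignored here).
octal_of() {
    mode_to_octal "$(ls -ld "$1" | cut -c1-10)"
}
```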
Default Permissions: umask
umask determines the default permissions for newly created files and directories.
Understanding umask
# View current umask
$ umask
0022
# Calculate default permissions
# File default permissions = 666 - umask = 666 - 022 = 644
# Directory default permissions = 777 - umask = 777 - 022 = 755
# (strictly, the umask bits are cleared: 666 & ~022; subtraction gives the same result here)
Setting umask
# Temporary setting
$ umask 027
# File default permissions: 640
# Directory default permissions: 750
# Permanent setting (add to ~/.bashrc)
$ echo "umask 027" >> ~/.bashrc
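As an added example (not part of the original page), default_mode applies the umask the way the kernel does, by clearing bits, and observe_umask creates a file and a directory under a given umask to confirm the result on a real filesystem. Both names are assumed, and GNU stat is assumed for the -c option.

```shell
#!/bin/sh
# The kernel clears the umask bits from the requested mode (666 for files,
# 777 for directories). Subtraction, as in "666 - 022", only happens to work
# when every umask bit is also set in the base mode; the bitwise form is
# always right. Both arguments are octal strings as printed by `umask`.
default_mode() {
    base=$1 mask=$2
    # a leading 0 makes the shell arithmetic read the constants as octal
    printf '%03o\n' $(( 0$base & ~0$mask ))
}

# Create one file and one directory under a given umask in a scratch
# directory and print the modes the kernel actually assigned, e.g. "644 755".
observe_umask() {
    mask=$1
    dir=$(mktemp -d) || return 1
    (
        umask "$mask"
        : > "$dir/f"          # new file: requested 666
        mkdir "$dir/d"        # new directory: requested 777
    )
    printf '%s %s\n' "$(stat -c %a "$dir/f")" "$(stat -c %a "$dir/d")"
    rm -rf "$dir"
}
```

A umask such as 011 shows why the bitwise form matters: default_mode 666 011 yields 666, whereas subtraction would give 655.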
Common umask Values
Access Control Lists (ACL)
ACL provides more fine-grained access control than traditional permissions.
Viewing ACL
$ getfacl file.txt
# file: file.txt
# owner: maxwell
# group: maxwell
user::rw-
group::r--
other::r--
Setting ACL
# Set permissions for specific user
$ setfacl -m u:alice:rw file.txt
# Set permissions for specific group
$ setfacl -m g:developers:rx directory/
# Set default ACL (applies to new files)
$ setfacl -d -m u:alice:rw directory/
# Delete ACL
$ setfacl -x u:alice file.txt
# Delete all ACL
$ setfacl -b file.txt
# Recursive set
$ setfacl -R -m u:alice:rx directory/
ACL Examples
# Scenario: Let alice read private file
$ setfacl -m u:alice:r secret.txt
$ getfacl secret.txt
# file: secret.txt
# owner: maxwell
# group: maxwell
user::rw-
user:alice:r--
group::---
other::---
File Attributes
lsattr - View Attributes
$ lsattr file.txt
----i------------ file.txt
chattr - Modify Attributes
# Set immutable (cannot be modified)
$ sudo chattr +i file.txt
# Cannot be modified, renamed or deleted, even by root, until the attribute is removed
# Remove immutable
$ sudo chattr -i file.txt
# Append only
$ sudo chattr +a logfile.txt
# Secure delete (zero the blocks on deletion; note: ext2/ext3/ext4 do not honor this attribute)
$ sudo chattr +s file.txt
Common Attributes
Permission Practices
Website Directory Permissions
# Set owner to www-data
$ sudo chown -R www-data:www-data /var/www/html
# Directory permissions
$ sudo find /var/www/html -type d -exec chmod 755 {} \;
# File permissions
$ sudo find /var/www/html -type f -exec chmod 644 {} \;
SSH Key Permissions
# ~/.ssh directory
$ chmod 700 ~/.ssh
# Private key
$ chmod 600 ~/.ssh/id_rsa
# Public key
$ chmod 644 ~/.ssh/id_rsa.pub
# authorized_keys
$ chmod 600 ~/.ssh/authorized_keys
Shared Directory
# Create shared directory
$ sudo mkdir /shared
# Set group
$ sudo chgrp developers /shared
# Set SGID (new files inherit group)
$ sudo chmod 2775 /shared
Script Files
# Make script executable
$ chmod 755 script.sh
# Or owner only
$ chmod 700 private_script.sh
Troubleshooting Permission Issues
Checklist
# 1. View file permissions
$ ls -la file.txt
# 2. View current user and groups
$ id
# 3. View file ACL
$ getfacl file.txt
# 4. View directory permission chain
$ namei -l /path/to/file.txt
# 5. Check SELinux (if enabled)
$ ls -Z file.txt
$ getenforce
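As an added example (not from the original page), path_chain (an assumed name) walks the directory chain to a path by hand, the way namei -l in step 4 displays it, and reports the first directory the current user cannot search or the first component that does not exist.

```shell
#!/bin/sh
# Walk every directory leading to a path and report the first one the current
# user cannot traverse (no x/search bit) or the first component that is
# missing. Prints "ok: <path>", "blocked at <dir> ..." or "missing: <path>" and
# returns 0, 1 or 2 respectively. Note: for root, `-x` on a directory is always
# true, so run this as the user who is actually getting "Permission denied".
path_chain() {
    target=$1
    case $target in /*) ;; *) target=$(pwd)/$target ;; esac   # make absolute
    cur=/
    rest=${target#/}                  # components still to be walked
    while [ -n "$rest" ]; do
        part=${rest%%/*}              # next component
        case $rest in */*) rest=${rest#*/} ;; *) rest='' ;; esac
        [ -n "$part" ] || continue    # tolerate doubled slashes
        if [ ! -x "$cur" ]; then
            echo "blocked at $cur (no x permission for $(id -un))"
            return 1
        fi
        next=${cur%/}/$part
        if [ ! -e "$next" ]; then
            echo "missing: $next"
            return 2
        fi
        cur=$next
    done
    echo "ok: $target"
}
```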
Common Problems
- Cannot execute script
- Permission denied accessing directory
# Need x permission on directory
$ chmod +x directory/
- Cannot delete file
# Check w permission on directory
$ chmod +w parent_directory/
- SSH keys not working
$ chmod 600 ~/.ssh/id_rsa
$ chmod 700 ~/.ssh
Summary
This chapter introduced the core concepts of Linux file permissions:
- Basic permissions: Read (r), Write (w), Execute (x)
- Three user classes: Owner, Group, Others
- Permission representation: Symbolic (rwx) and numeric (755)
- Modifying permissions: chmod, chown, chgrp
- Special permissions: SUID, SGID, Sticky Bit
- Default permissions: umask
- Advanced control: ACL
Setting file permissions correctly is an important part of system security. In daily use, follow the principle of least privilege - grant only necessary permissions.