Linux File Permissions
File permissions in Linux control who can access files and directories and what operations they can perform. Understanding permissions is crucial for system security and proper file management.
-rwxrwxrwx
│└┬┘└┬┘└┬┘
│ │  │  └── Others permissions
│ │  └───── Group permissions
│ └──────── Owner permissions
└────────── File type
Overview
Linux file permissions are based on three concepts:
- Who - Owner (user), Group, Others (world)
- What - Read (r), Write (w), Execute (x)
- Where - Files and Directories
Each file and directory has three sets of permissions:
- Owner permissions - What the file owner can do
- Group permissions - What group members can do
- Other permissions - What everyone else can do
Permission Types
| Permission | Symbol | Numeric | Files | Directories |
|---|---|---|---|---|
| Read | r | 4 | View file contents | List directory contents |
| Write | w | 2 | Modify file contents | Create/delete files in directory |
| Execute | x | 1 | Run file as program | Enter directory (cd) |
| No permission | - | 0 | No access | No access |
Common Permission Values
| Numeric | Symbolic | Description | Use Case |
|---|---|---|---|
| 755 | rwxr-xr-x | Owner: rwx, Group: r-x, Others: r-x | Executable files, directories |
| 644 | rw-r--r-- | Owner: rw-, Group: r--, Others: r-- | Regular files, documents |
| 600 | rw------- | Owner: rw-, Group: ---, Others: --- | Private files, SSH keys |
| 700 | rwx------ | Owner: rwx, Group: ---, Others: --- | Private directories, scripts |
| 777 | rwxrwxrwx | Owner: rwx, Group: rwx, Others: rwx | Temporary files (use with caution) |
| 666 | rw-rw-rw- | Owner: rw-, Group: rw-, Others: rw- | Shared data files |
Viewing Permissions
List files with permissions
ls -l
ls -la # Include hidden files
Shows detailed file information including permissions, ownership, and timestamps
View specific file permissions
ls -l filename.txt
stat filename.txt # Detailed file information
Displays permissions for a specific file
View directory permissions
ls -ld directory/
ls -la directory/ # Contents with permissions
Shows directory permissions and contents
Understanding ls -l output
-rw-r--r-- 1 user group 1024 Jan 21 10:30 file.txt
│└┬┘└┬┘└┬┘ │ │    │     │    │            └── filename
│ │  │  │  │ │    │     │    └─────────────── timestamp
│ │  │  │  │ │    │     └──────────────────── size
│ │  │  │  │ │    └────────────────────────── group
│ │  │  │  │ └─────────────────────────────── owner
│ │  │  │  └───────────────────────────────── link count
│ │  │  └──────────────────────────────────── others permissions
│ │  └─────────────────────────────────────── group permissions
│ └────────────────────────────────────────── owner permissions
└──────────────────────────────────────────── file type indicator
Breakdown of ls -l output format
Changing Permissions (chmod)
Numeric mode
chmod 755 file.txt # rwxr-xr-x
chmod 644 document.txt # rw-r--r--
chmod 600 private.key # rw-------
chmod 700 script.sh # rwx------
Sets permissions using numeric values (octal notation)
Symbolic mode - absolute
chmod u=rwx,g=rx,o=rx file.txt # Same as 755
chmod u=rw,g=r,o=r document.txt # Same as 644
chmod u=rw,g=,o= private.key # Same as 600
Sets permissions using symbolic notation (u=user, g=group, o=others)
Symbolic mode - relative
chmod +x script.sh # Add execute for all
chmod u+w file.txt # Add write for owner
chmod g-w file.txt # Remove write for group
chmod o-r file.txt # Remove read for others
chmod a+r file.txt # Add read for all (a=all)
Modifies existing permissions by adding (+) or removing (-) specific permissions
Recursive permission changes
chmod -R 755 directory/ # Apply to directory and all contents
chmod -R u+x directory/ # Add execute for owner recursively
Applies permission changes to directories and all their contents
Changing Ownership
Change file owner (chown)
sudo chown newuser file.txt
sudo chown newuser:newgroup file.txt
sudo chown :newgroup file.txt # Change group only
Changes file ownership (requires root privileges)
Change group ownership (chgrp)
sudo chgrp newgroup file.txt
sudo chgrp -R newgroup directory/ # Recursive
Changes group ownership of files and directories
Recursive ownership changes
sudo chown -R user:group directory/
sudo chown -R --from=olduser:oldgroup newuser:newgroup directory/
Changes ownership recursively; with --from, only entries currently owned by the given user and group are changed
Copy permissions from another file
chmod --reference=source.txt target.txt
chown --reference=source.txt target.txt
Copies permissions and ownership from one file to another
Special Permissions
Setuid (SUID) - 4000
chmod 4755 program # rwsr-xr-x
chmod u+s program # Add setuid bit
Allows file to run with owner's privileges instead of executor's
Setgid (SGID) - 2000
chmod 2755 directory/ # rwxr-sr-x
chmod g+s directory/ # Add setgid bit
Files created in directory inherit the directory's group
Sticky bit - 1000
chmod 1777 /tmp/ # rwxrwxrwt
chmod +t directory/ # Add sticky bit
Only a file's owner (plus the directory's owner and root) can delete or rename files in the directory, as in /tmp
⚠️ Security Warning: Special permissions can create security vulnerabilities if used incorrectly. Use setuid and setgid with extreme caution, especially on executable files.
Default Permissions (umask)
View current umask
umask # Show current umask (e.g., 0022)
umask -S # Show in symbolic format
Displays the current default permission mask
Set umask
umask 022 # Default: files 644, directories 755
umask 077 # Restrictive: files 600, directories 700
umask 002 # Group-friendly: files 664, directories 775
Sets default permissions for newly created files and directories
Understanding umask calculation
# Base mode for new files: 666 (no execute bits)
# Base mode for new directories: 777
# umask: 022 (the bits to clear)
# File permissions: 666 & ~022 = 644
# Directory permissions: 777 & ~022 = 755
# The umask bits are cleared, not subtracted: subtraction only happens to give the
# same answer here. With umask 027 a new file gets 640 (666 & ~027), not 637.
How umask clears bits from the base mode of new files and directories
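The rule above, worked through as an added example (not code from the original cheat sheet): effective_mode applies the bit-clearing the kernel performs, naive_subtraction is the tutorial shortcut shown for comparison, and observed_modes checks the rule against the running kernel by creating a file and a directory under a given umask. Function names are my own; the check assumes a Linux box with GNU coreutils (stat -c).

```shell
# Added example, not part of the original cheat sheet: how the mode of a new
# file or directory is derived from the base mode and the umask.
# Assumes a POSIX shell plus GNU coreutils (stat -c) for observed_modes.

# The kernel clears every bit that is set in the umask: mode = base & ~umask.
# Inputs are octal strings, e.g. effective_mode 666 022 -> 644
effective_mode() {
    base=$1   # 666 for files created by touch or an editor, 777 for mkdir
    mask=$2   # the umask, as printed by the umask command
    printf '%03o\n' $(( 0$base & ~0$mask ))
}

# The "subtraction" shortcut. It agrees with the kernel only while every umask
# bit is already set in the base mode; a umask of 027 or 077 applied to a file
# (base 666, no execute bits) gives a wrong answer (637 / 567 instead of 640 / 600).
naive_subtraction() {
    printf '%03o\n' $(( 0$1 - 0$2 ))
}

# File and directory modes for one umask, kernel rule and shortcut side by side.
umask_table() {
    mask=$1
    printf 'umask %s: file %s (subtraction says %s), directory %s (subtraction says %s)\n' \
        "$mask" "$(effective_mode 666 "$mask")" "$(naive_subtraction 666 "$mask")" \
        "$(effective_mode 777 "$mask")" "$(naive_subtraction 777 "$mask")"
}

# Confirm the rule against the real kernel: create a file and a directory under
# the given umask in a throw-away directory and read their modes back with stat.
observed_modes() {
    mask=$1
    tmp=$(mktemp -d)
    ( umask "$mask" && touch "$tmp/f" && mkdir "$tmp/d" )
    printf '%s %s\n' "$(stat -c %a "$tmp/f")" "$(stat -c %a "$tmp/d")"
    rm -rf "$tmp"
}

for m in 022 077 002 027; do
    umask_table "$m"
done
```

Run it and compare the two columns: for 022 and 002 they agree, for 077 and 027 only the bit-clearing column matches what `observed_modes 027` reports.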
Permanent umask settings
# Add to ~/.bashrc or ~/.profile
umask 022
# System-wide in /etc/profile
umask 022
Setting permanent umask values for users or system-wide
Access Control Lists (ACLs)
ACLs provide more granular permission control beyond the basic owner/group/others model.
View ACLs
getfacl file.txt
ls -l file.txt # Look for + at end of permissions
Displays extended ACL information for files
Set ACLs
setfacl -m u:username:rw file.txt # Give user read/write
setfacl -m g:groupname:r file.txt # Give group read
setfacl -m o::--- file.txt # Remove others permissions
Sets specific permissions for individual users or groups
Remove ACLs
setfacl -x u:username file.txt # Remove user ACL
setfacl -b file.txt # Remove all ACL entries
Removes ACL entries from files
Note: ACL support must be enabled on the filesystem (usually with the 'acl' mount option) and the getfacl/setfacl commands must be installed.
Security Best Practices
File Permission Guidelines
- Use 644 for regular files (documents, configs)
- Use 755 for directories and executable files
- Use 600 for private files (SSH keys, passwords)
- Use 700 for private directories
- Avoid 777 permissions except for temporary directories
- Never use setuid on shell scripts
Security Warnings
- World-writable files (777) can be security risks
- Setuid programs should be audited regularly
- Executable files in PATH should have restricted write permissions
- Configuration files should not be world-readable if they contain secrets
- Log files should have appropriate permissions to prevent tampering
Common Use Cases
Web server files
# Web content
chmod 644 *.html *.css *.js
chmod 755 cgi-bin/
# Web directories
find /var/www -type d -exec chmod 755 {} \;
find /var/www -type f -exec chmod 644 {} \;
Setting appropriate permissions for web server content
SSH key permissions
chmod 700 ~/.ssh/
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
chmod 644 ~/.ssh/authorized_keys
chmod 644 ~/.ssh/known_hosts
Securing SSH keys and configuration files
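An added example (not from the original cheat sheet) that turns the modes listed above into a check: check_ssh_dir walks an ~/.ssh-style directory and flags anything that deviates (directory not 700, a private key not 600, a public key, authorized_keys or known_hosts not 644, any other file writable by group or others). make_sample_ssh_dir builds a constructed directory with three deliberate mistakes so the check has something to find. Function names and the sample layout are my own; GNU stat (-c %a) is assumed.

```shell
# Added example, not part of the original cheat sheet: audit an ~/.ssh-style
# directory against the modes shown above. Assumes GNU stat (-c %a).

# Print one line per entry and return non-zero if anything deviates.
check_ssh_dir() {
    dir=$1 problems=0
    mode=$(stat -c %a "$dir")
    if [ "$mode" != 700 ]; then
        printf 'BAD  %s is %s, expected 700\n' "$dir" "$mode"
        problems=$((problems + 1))
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c %a "$f")
        case "${f##*/}" in
            *.pub|authorized_keys|known_hosts) expected=644 ;;
            id_*) expected=600 ;;   # private key: id_rsa, id_ed25519, ... (no .pub suffix)
            *) expected="" ;;        # anything else: only reject group/other write
        esac
        if [ -n "$expected" ] && [ "$mode" != "$expected" ]; then
            printf 'BAD  %s is %s, expected %s\n' "$f" "$mode" "$expected"
            problems=$((problems + 1))
        elif [ -z "$expected" ] && [ $(( 0$mode & 022 )) -ne 0 ]; then
            printf 'BAD  %s is %s, writable by group or others\n' "$f" "$mode"
            problems=$((problems + 1))
        else
            printf 'ok   %s (%s)\n' "$f" "$mode"
        fi
    done
    [ "$problems" -eq 0 ]
}

# Constructed sample directory: three entries are deliberately wrong.
make_sample_ssh_dir() {
    d=$(mktemp -d)
    printf 'PRIVATE KEY\n' > "$d/id_ed25519";         chmod 600 "$d/id_ed25519"      # ok
    printf 'PRIVATE KEY\n' > "$d/id_rsa";             chmod 644 "$d/id_rsa"          # BAD: key readable by everyone
    printf 'ssh-ed25519 AAAA\n' > "$d/id_ed25519.pub"; chmod 644 "$d/id_ed25519.pub"  # ok
    printf 'ssh-ed25519 AAAA\n' > "$d/authorized_keys"; chmod 644 "$d/authorized_keys" # ok
    printf 'host ssh-ed25519 AAAA\n' > "$d/known_hosts"; chmod 664 "$d/known_hosts"  # BAD: group-writable
    printf 'Host *\n' > "$d/config";                  chmod 600 "$d/config"          # ok
    chmod 755 "$d"                                                                   # BAD: should be 700
    printf '%s\n' "$d"
}

# Number of BAD lines for a directory (handy for a cron report).
ssh_dir_problem_count() {
    check_ssh_dir "$1" | grep -c '^BAD' || true
}

# Usage: check_ssh_dir ~/.ssh || echo "fix the entries marked BAD"
```

The check is deliberately stricter than sshd itself, which only refuses a private key or authorized_keys file that is group/world accessible; mirroring the exact modes from the list above keeps the report unambiguous.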
Script permissions
chmod 755 script.sh # Executable by all
chmod 750 admin-script.sh # Executable by owner and group
chmod 700 private-script.sh # Executable by owner only
Setting appropriate permissions for shell scripts
Shared directory setup
# Create shared directory
sudo mkdir /shared
sudo chgrp developers /shared
sudo chmod 2775 /shared # Setgid + group write
# Files created will inherit 'developers' group
Creating directories for team collaboration
Troubleshooting Permission Issues
Permission denied errors
# Check file permissions
ls -l filename
# Check directory permissions in path
ls -ld /path/to/directory/
# Check if you're in the right group
groups
id
Diagnosing permission-related access issues
Find files with specific permissions
# Find world-writable files (-perm -MODE: all of the given bits are set)
find /home -type f -perm -002
# Find setuid files
find /usr -type f -perm -4000
# Find files with exactly mode 600 (-perm MODE with no prefix is an exact match)
find /home -type f -perm 600
# Find files with no group or other permission bits at all (-perm /MODE: any of the given bits)
find /home -type f ! -perm /077
Locating files with specific permission patterns
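The three forms of find -perm exercised on a constructed directory tree, as an added example (not from the original cheat sheet): make_sample_tree creates one entry per pattern, audit_tree reports findings by category, and count_findings summarises them. The names are my own; GNU find (-printf and -perm /MODE) as shipped on Linux is assumed.

```shell
# Added example, not part of the original cheat sheet: a small audit built on
# the three forms of find -perm. Assumes GNU find (-printf, -perm /MODE).
#
#   -perm  MODE   exact match
#   -perm -MODE   all of the given bits are set (other bits ignored)
#   -perm /MODE   any of the given bits is set

# Throw-away tree with one entry per pattern the audit looks for.
make_sample_tree() {
    root=$(mktemp -d)
    printf 'scratch\n' > "$root/world-writable.txt"; chmod 666 "$root/world-writable.txt"
    printf '#!/bin/sh\n' > "$root/suid-tool";          chmod 4755 "$root/suid-tool"
    printf '#!/bin/sh\n' > "$root/private.sh";         chmod 700 "$root/private.sh"
    printf 'secret\n' > "$root/id_ed25519";           chmod 600 "$root/id_ed25519"
    printf 'notes\n' > "$root/readme.txt";            chmod 644 "$root/readme.txt"
    printf 'draft\n' > "$root/draft.txt";             chmod 640 "$root/draft.txt"
    mkdir "$root/shared";                             chmod 2775 "$root/shared"
    printf '%s\n' "$root"
}

# One "<category> <path>" line per finding; %P prints the path relative to the root.
audit_tree() {
    root=$1
    # other-write bit set: writable by every account on the system
    find "$root" -type f -perm -002 -printf 'world-writable %P\n'
    # setuid bit set: runs as the file owner, whoever executes it
    find "$root" -type f -perm -4000 -printf 'setuid %P\n'
    # setgid bit on a directory: new files inherit its group (see shared directory setup)
    find "$root" -type d -perm -2000 -printf 'setgid-dir %P\n'
    # exactly mode 600, nothing more and nothing less
    find "$root" -type f -perm 600 -printf 'exactly-600 %P\n'
    # no group or other bits at all, whatever the owner bits are (600, 700, ...)
    find "$root" -type f ! -perm /077 -printf 'owner-only %P\n'
}

# How many findings of one category a tree has.
count_findings() {
    audit_tree "$1" | grep -c "^$2 " || true
}

root=$(make_sample_tree)
audit_tree "$root" | sort
rm -rf "$root"
```

Note the difference between the last two categories: exactly-600 matches only id_ed25519, while owner-only also picks up private.sh (700), which is what "no group or other permissions" usually means in an audit.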
Fix common permission problems
# Fix home directory permissions
chmod 755 ~
chmod 700 ~/.ssh
# Fix script permissions
chmod +x script.sh
# Reset directory permissions
find directory/ -type d -exec chmod 755 {} \;
find directory/ -type f -exec chmod 644 {} \;
Common fixes for permission-related issues
Advanced Permission Concepts
File attributes (chattr/lsattr)
# Make file immutable (cannot be modified or deleted)
sudo chattr +i important-file.txt
# Make file append-only
sudo chattr +a logfile.log
# View file attributes
lsattr filename
# Remove attributes
sudo chattr -i important-file.txt
Extended file attributes for additional protection
Capability-based permissions
# Give program capability to bind to privileged ports
sudo setcap 'cap_net_bind_service=+ep' /usr/bin/program
# View capabilities
getcap /usr/bin/program
# Remove capabilities
sudo setcap -r /usr/bin/program
Fine-grained capabilities instead of full root privileges
Permission Calculator
Quick Reference for Numeric Permissions
Read (r) = 4
Write (w) = 2
Execute (x) = 1
Examples:
7 = 4+2+1 = rwx
6 = 4+2+0 = rw-
5 = 4+0+1 = r-x
4 = 4+0+0 = r--
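The calculator above and the permission tables earlier on the page, implemented as an added example (not code from the original cheat sheet): sym_to_octal turns an ls -l style string into the octal form chmod takes, and octal_to_sym does the reverse; both cover the setuid, setgid and sticky letters (s, S, t, T) from the special permissions section. Function names are my own; only POSIX sh built-ins are used.

```shell
# Added example, not part of the original cheat sheet: convert between the
# symbolic form shown by ls -l and the octal form taken by chmod.
# Plain POSIX sh; no external commands.

# rwxr-xr-x -> 755, rwsr-xr-x -> 4755. A 10-character ls -l field is accepted
# (its leading type character is dropped). Returns 1 on a malformed string.
sym_to_octal() {
    s=$1
    [ ${#s} -eq 10 ] && s=${s#?}
    [ ${#s} -eq 9 ] || { printf 'bad permission string: %s\n' "$1" >&2; return 1; }
    v0=0 v1=0 v2=0 special=0 pos=0
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}; s=${s#?}          # take the first character, drop it from s
        t=$((pos / 3))                     # which triplet: 0=owner 1=group 2=others
        bit=$((4 >> (pos % 3)))            # which bit inside it: 4, 2 or 1
        case "$c:$bit:$t" in
            r:4:*|w:2:*|x:1:*) add=$bit ;;
            s:1:0) add=1; special=$((special | 4)) ;;   # setuid + execute
            S:1:0) add=0; special=$((special | 4)) ;;   # setuid without execute
            s:1:1) add=1; special=$((special | 2)) ;;   # setgid + execute
            S:1:1) add=0; special=$((special | 2)) ;;   # setgid without execute
            t:1:2) add=1; special=$((special | 1)) ;;   # sticky + execute
            T:1:2) add=0; special=$((special | 1)) ;;   # sticky without execute
            -:*:*) add=0 ;;
            *) printf "unexpected '%s' at position %d in %s\n" "$c" "$((pos + 1))" "$1" >&2; return 1 ;;
        esac
        case $t in 0) v0=$((v0 + add)) ;; 1) v1=$((v1 + add)) ;; *) v2=$((v2 + add)) ;; esac
        pos=$((pos + 1))
    done
    if [ "$special" -ne 0 ]; then printf '%d%d%d%d\n' "$special" "$v0" "$v1" "$v2"
    else printf '%d%d%d\n' "$v0" "$v1" "$v2"; fi
}

# 755 -> rwxr-xr-x, 4755 -> rwsr-xr-x, 1777 -> rwxrwxrwt. Returns 1 on a bad mode.
octal_to_sym() {
    m=$1 special=0
    case $m in
        [0-7][0-7][0-7]) ;;
        [0-7][0-7][0-7][0-7]) special=${m%???}; m=${m#?} ;;
        *) printf 'bad octal mode: %s\n' "$1" >&2; return 1 ;;
    esac
    out="" t=0
    while [ -n "$m" ]; do
        d=${m%"${m#?}"}; m=${m#?}
        if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        x=$((d & 1))
        case $t in 0) sp=$((special & 4)) ;; 1) sp=$((special & 2)) ;; *) sp=$((special & 1)) ;; esac
        case "$t:$sp:$x" in
            *:0:1) out="${out}x" ;;
            *:0:0) out="${out}-" ;;
            2:*:1) out="${out}t" ;;   # sticky bit is shown in the others triplet
            2:*:0) out="${out}T" ;;
            *:*:1) out="${out}s" ;;   # setuid (owner triplet) or setgid (group triplet)
            *)     out="${out}S" ;;
        esac
        t=$((t + 1))
    done
    printf '%s\n' "$out"
}

for p in rwxr-xr-x rw-r--r-- rw------- rwsr-xr-x rwxr-sr-x rwxrwxrwt; do
    printf '%-10s -> %s\n' "$p" "$(sym_to_octal "$p")"
done
```

A capital S or T means the special bit is set but the matching execute bit is not (for example 4644 shows as rwSr--r--), which is usually a mistake worth spotting in an audit.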