LUNAROPS · OPERATIONAL UPLINK 100% UPTIME 1,247d POSTS 893 JEFF.MOON@LUNAROPS.DEV UTC --:--:--

Linux File Permissions Demystified

linuxpermissionssecuritychmod

File permissions are fundamental to Linux security. They control who can read, write, and execute files. Here’s everything you need to know.

Understanding Permission Bits

Every file has three permission sets:

-rwxr-xr-- 1 alice developers 1234 Jan 10 10:00 script.sh
│├─┤├─┤├─┤
│ │  │  └── Others (everyone else)
│ │  └───── Group (developers)
│ └──────── Owner (alice)
└────────── File type (- = regular file)

Permission Types

Symbol Permission For Files For Directories
r Read View contents List contents
w Write Modify file Create/delete files
x Execute Run as program Enter directory

File Types

Symbol Type
- Regular file
d Directory
l Symbolic link
b Block device
c Character device
s Socket
p Named pipe

Numeric (Octal) Notation

Permissions can be expressed as numbers:

r = 4
w = 2
x = 1

rwx = 4+2+1 = 7
rw- = 4+2+0 = 6
r-x = 4+0+1 = 5
r-- = 4+0+0 = 4

Common permission sets:

Octal Symbolic Meaning
755 rwxr-xr-x Owner full, others read/execute
644 rw-r–r– Owner read/write, others read
700 rwx—— Owner only
777 rwxrwxrwx Everyone full access (dangerous!)
600 rw——- Owner read/write only
755 rwxr-xr-x Standard for scripts/executables

Changing Permissions: chmod

Numeric Mode

1
2
3
4
# Set exact permissions
chmod 755 script.sh
chmod 644 config.txt
chmod 600 private_key

Symbolic Mode

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
# Add permissions
chmod +x script.sh        # Add execute for all
chmod u+x script.sh       # Add execute for owner only
chmod g+w file.txt        # Add write for group

# Remove permissions
chmod -x script.sh        # Remove execute from all
chmod o-rwx secret.txt    # Remove all from others

# Set exact permissions
chmod u=rwx,g=rx,o=r file.txt

Symbolic Notation

Symbol Meaning
u User (owner)
g Group
o Others
a All (u, g, and o)
+ Add permission
- Remove permission
= Set exact permission

Recursive Changes

1
2
3
4
5
6
7
8
# Change directory and all contents
chmod -R 755 /var/www/html

# Directories only
find /path -type d -exec chmod 755 {} \;

# Files only
find /path -type f -exec chmod 644 {} \;

Changing Ownership: chown

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
# Change owner
chown alice file.txt

# Change owner and group
chown alice:developers file.txt

# Change group only
chown :developers file.txt
# or
chgrp developers file.txt

# Recursive
chown -R alice:developers /project

Special Permissions

SUID (Set User ID)

When executed, runs as the file owner (not the user running it):

1
2
3
4
5
6
7
# Set SUID
chmod u+s program
chmod 4755 program

# Example: passwd runs as root
ls -l /usr/bin/passwd
# -rwsr-xr-x 1 root root ... /usr/bin/passwd

SGID (Set Group ID)

For files: runs as the file’s group For directories: new files inherit the directory’s group

1
2
3
4
5
6
7
8
9
# Set SGID
chmod g+s directory
chmod 2755 directory

# Useful for shared directories
mkdir /shared
chgrp developers /shared
chmod 2775 /shared
# New files will belong to 'developers' group

Sticky Bit

On directories: only owners can delete their own files (used on /tmp):

1
2
3
4
5
6
7
# Set sticky bit
chmod +t directory
chmod 1777 directory

# Example: /tmp
ls -ld /tmp
# drwxrwxrwt 10 root root ... /tmp

Special Permission Summary

Permission Octal Symbolic Effect
SUID 4xxx u+s Run as owner
SGID 2xxx g+s Run as group / inherit group
Sticky 1xxx +t Only owner can delete

Default Permissions: umask

umask sets default permissions for new files:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
# Check current umask
umask
# 0022

# New file permissions = 666 - umask
# 666 - 022 = 644 (rw-r--r--)

# New directory permissions = 777 - umask
# 777 - 022 = 755 (rwxr-xr-x)

# Set umask
umask 027    # New files: 640, directories: 750

Common umask values:

umask Files Directories Use Case
022 644 755 Default
027 640 750 More restrictive
077 600 700 Private

Access Control Lists (ACLs)

For more granular control beyond owner/group/others:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
# View ACLs
getfacl file.txt

# Set ACL for specific user
setfacl -m u:bob:rw file.txt

# Set ACL for specific group
setfacl -m g:testers:r file.txt

# Remove ACL
setfacl -x u:bob file.txt

# Remove all ACLs
setfacl -b file.txt

# Default ACL for directory (inherited by new files)
setfacl -d -m g:developers:rwx /project

Common Scenarios

Web Server Files

1
2
3
4
# Standard web permissions
chown -R www-data:www-data /var/www/html
find /var/www/html -type d -exec chmod 755 {} \;
find /var/www/html -type f -exec chmod 644 {} \;

SSH Keys

1
2
3
4
# Private key must be restricted
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
chmod 700 ~/.ssh

Shared Directory

1
2
3
4
# Team can read/write, others cannot
mkdir /shared
chgrp team /shared
chmod 2770 /shared  # SGID + rwxrwx---

Executable Scripts

1
2
3
4
5
# Make script executable
chmod +x script.sh

# Or specifically for owner
chmod u+x script.sh

Troubleshooting

Permission Denied

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
# Check permissions
ls -la file.txt

# Check directory permissions (need x to enter)
ls -la /path/to/directory

# Check your groups
groups

# Check file ACLs
getfacl file.txt

Common Mistakes

1
2
3
4
5
6
7
8
9
# DON'T: 777 is rarely appropriate
chmod 777 file.txt  # Everyone can do everything

# DON'T: Recursive chmod on /
sudo chmod -R 755 /  # Will break your system

# DO: Be specific
chmod 644 config.txt  # Owner rw, others read
chmod 755 script.sh   # Owner rwx, others rx

Quick Reference

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
# View permissions
ls -l file.txt

# Change permissions
chmod 755 file.txt      # Numeric
chmod u+x file.txt      # Symbolic

# Change owner
chown user:group file.txt

# Check your identity
whoami
groups
id

Permissions protect your system. Learn them well, and always think twice before using 777.

Comments