File permissions are fundamental to Linux security. They control who can read, write, and execute files. Here’s everything you need to know.
Understanding Permission Bits
Every file has three permission sets:
-rwxr-xr-- 1 alice developers 1234 Jan 10 10:00 script.sh
│├─┤├─┤├─┤
│ │ │ └── Others (everyone else)
│ │ └───── Group (developers)
│ └──────── Owner (alice)
└────────── File type (- = regular file)
Permission Types
| Symbol |
Permission |
For Files |
For Directories |
r |
Read |
View contents |
List contents |
w |
Write |
Modify file |
Create/delete files |
x |
Execute |
Run as program |
Enter directory |
File Types
| Symbol |
Type |
- |
Regular file |
d |
Directory |
l |
Symbolic link |
b |
Block device |
c |
Character device |
s |
Socket |
p |
Named pipe |
Numeric (Octal) Notation
Permissions can be expressed as numbers:
r = 4
w = 2
x = 1
rwx = 4+2+1 = 7
rw- = 4+2+0 = 6
r-x = 4+0+1 = 5
r-- = 4+0+0 = 4
Common permission sets:
| Octal |
Symbolic |
Meaning |
| 755 |
rwxr-xr-x |
Owner full, others read/execute |
| 644 |
rw-r–r– |
Owner read/write, others read |
| 700 |
rwx—— |
Owner only |
| 777 |
rwxrwxrwx |
Everyone full access (dangerous!) |
| 600 |
rw——- |
Owner read/write only |
| 755 |
rwxr-xr-x |
Standard for scripts/executables |
Changing Permissions: chmod
Numeric Mode
1
2
3
4
|
# Set exact permissions
chmod 755 script.sh
chmod 644 config.txt
chmod 600 private_key
|
Symbolic Mode
1
2
3
4
5
6
7
8
9
10
11
|
# Add permissions
chmod +x script.sh # Add execute for all
chmod u+x script.sh # Add execute for owner only
chmod g+w file.txt # Add write for group
# Remove permissions
chmod -x script.sh # Remove execute from all
chmod o-rwx secret.txt # Remove all from others
# Set exact permissions
chmod u=rwx,g=rx,o=r file.txt
|
Symbolic Notation
| Symbol |
Meaning |
u |
User (owner) |
g |
Group |
o |
Others |
a |
All (u, g, and o) |
+ |
Add permission |
- |
Remove permission |
= |
Set exact permission |
Recursive Changes
1
2
3
4
5
6
7
8
|
# Change directory and all contents
chmod -R 755 /var/www/html
# Directories only
find /path -type d -exec chmod 755 {} \;
# Files only
find /path -type f -exec chmod 644 {} \;
|
Changing Ownership: chown
1
2
3
4
5
6
7
8
9
10
11
12
13
|
# Change owner
chown alice file.txt
# Change owner and group
chown alice:developers file.txt
# Change group only
chown :developers file.txt
# or
chgrp developers file.txt
# Recursive
chown -R alice:developers /project
|
Special Permissions
SUID (Set User ID)
When executed, runs as the file owner (not the user running it):
1
2
3
4
5
6
7
|
# Set SUID
chmod u+s program
chmod 4755 program
# Example: passwd runs as root
ls -l /usr/bin/passwd
# -rwsr-xr-x 1 root root ... /usr/bin/passwd
|
SGID (Set Group ID)
For files: runs as the file’s group
For directories: new files inherit the directory’s group
1
2
3
4
5
6
7
8
9
|
# Set SGID
chmod g+s directory
chmod 2755 directory
# Useful for shared directories
mkdir /shared
chgrp developers /shared
chmod 2775 /shared
# New files will belong to 'developers' group
|
Sticky Bit
On directories: only owners can delete their own files (used on /tmp):
1
2
3
4
5
6
7
|
# Set sticky bit
chmod +t directory
chmod 1777 directory
# Example: /tmp
ls -ld /tmp
# drwxrwxrwt 10 root root ... /tmp
|
Special Permission Summary
| Permission |
Octal |
Symbolic |
Effect |
| SUID |
4xxx |
u+s |
Run as owner |
| SGID |
2xxx |
g+s |
Run as group / inherit group |
| Sticky |
1xxx |
+t |
Only owner can delete |
Default Permissions: umask
umask sets default permissions for new files:
1
2
3
4
5
6
7
8
9
10
11
12
|
# Check current umask
umask
# 0022
# New file permissions = 666 - umask
# 666 - 022 = 644 (rw-r--r--)
# New directory permissions = 777 - umask
# 777 - 022 = 755 (rwxr-xr-x)
# Set umask
umask 027 # New files: 640, directories: 750
|
Common umask values:
| umask |
Files |
Directories |
Use Case |
| 022 |
644 |
755 |
Default |
| 027 |
640 |
750 |
More restrictive |
| 077 |
600 |
700 |
Private |
Access Control Lists (ACLs)
For more granular control beyond owner/group/others:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
|
# View ACLs
getfacl file.txt
# Set ACL for specific user
setfacl -m u:bob:rw file.txt
# Set ACL for specific group
setfacl -m g:testers:r file.txt
# Remove ACL
setfacl -x u:bob file.txt
# Remove all ACLs
setfacl -b file.txt
# Default ACL for directory (inherited by new files)
setfacl -d -m g:developers:rwx /project
|
Common Scenarios
Web Server Files
1
2
3
4
|
# Standard web permissions
chown -R www-data:www-data /var/www/html
find /var/www/html -type d -exec chmod 755 {} \;
find /var/www/html -type f -exec chmod 644 {} \;
|
SSH Keys
1
2
3
4
|
# Private key must be restricted
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
chmod 700 ~/.ssh
|
Shared Directory
1
2
3
4
|
# Team can read/write, others cannot
mkdir /shared
chgrp team /shared
chmod 2770 /shared # SGID + rwxrwx---
|
Executable Scripts
1
2
3
4
5
|
# Make script executable
chmod +x script.sh
# Or specifically for owner
chmod u+x script.sh
|
Troubleshooting
Permission Denied
1
2
3
4
5
6
7
8
9
10
11
|
# Check permissions
ls -la file.txt
# Check directory permissions (need x to enter)
ls -la /path/to/directory
# Check your groups
groups
# Check file ACLs
getfacl file.txt
|
Common Mistakes
1
2
3
4
5
6
7
8
9
|
# DON'T: 777 is rarely appropriate
chmod 777 file.txt # Everyone can do everything
# DON'T: Recursive chmod on /
sudo chmod -R 755 / # Will break your system
# DO: Be specific
chmod 644 config.txt # Owner rw, others read
chmod 755 script.sh # Owner rwx, others rx
|
Quick Reference
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
# View permissions
ls -l file.txt
# Change permissions
chmod 755 file.txt # Numeric
chmod u+x file.txt # Symbolic
# Change owner
chown user:group file.txt
# Check your identity
whoami
groups
id
|
Permissions protect your system. Learn them well, and always think twice before using 777.
Comments