Linux File Permissions: Complete Guide
Introduction
Linux file permissions are a fundamental security mechanism that controls who can access, modify, or execute files and directories on a Linux system. Understanding file permissions is crucial for system administration, security, and proper file management. This comprehensive guide covers all aspects of Linux file permissions, from basic concepts to advanced implementation.
Basic Concepts
What are File Permissions?
File permissions in Linux define three types of access for three categories of users:
Types of Access: - Read (r): Permission to view the contents of a file or list the contents of a directory - Write (w): Permission to modify a file or create/delete files within a directory - Execute (x): Permission to run a file as a program or enter a directory
User Categories: - Owner (u): The user who owns the file - Group (g): Users who belong to the file's group - Others (o): All other users on the system
Permission Representation
Linux file permissions can be represented in two ways:
1. Symbolic notation: Uses letters (r, w, x, -) 2. Octal notation: Uses numbers (0-7)
Understanding Permission Display
The ls -l Command
The ls -l command displays detailed file information including permissions:
`bash
ls -l filename
`
Example Output:
`
-rwxr-xr-- 1 john developers 1024 Mar 15 10:30 script.sh
drwxr-xr-x 2 john developers 4096 Mar 15 09:15 documents
`
Breaking Down the Permission String
The permission string consists of 10 characters:
| Position | Meaning | |----------|---------| | 1 | File type (- for regular file, d for directory, l for link) | | 2-4 | Owner permissions (rwx) | | 5-7 | Group permissions (rwx) | | 8-10 | Others permissions (rwx) |
Example Analysis:
`
-rwxr-xr--
│└┬┘└┬┘└┬┘
│ │ │ └── Others: read only
│ │ └───── Group: read and execute
│ └──────── Owner: read, write, and execute
└─────────── Regular file
`
Symbolic Notation
Permission Characters
| Character | Permission | Octal Value | |-----------|------------|-------------| | r | Read | 4 | | w | Write | 2 | | x | Execute | 1 | | - | No permission | 0 |
Common Permission Combinations
| Symbolic | Description | Typical Use | |----------|-------------|-------------| | rwx | Full access | Owner of executable files | | rw- | Read and write | Owner of data files | | r-x | Read and execute | Group/others for programs | | r-- | Read only | Public readable files | | --- | No access | Restricted access |
Octal Notation
Understanding Octal Values
Octal notation uses three digits, each representing permissions for owner, group, and others respectively. Each digit is calculated by adding the values of granted permissions:
| Permission | Value | |------------|-------| | Read (r) | 4 | | Write (w) | 2 | | Execute (x) | 1 |
Octal Permission Table
| Octal | Binary | Symbolic | Description | |-------|--------|----------|-------------| | 0 | 000 | --- | No permissions | | 1 | 001 | --x | Execute only | | 2 | 010 | -w- | Write only | | 3 | 011 | -wx | Write and execute | | 4 | 100 | r-- | Read only | | 5 | 101 | r-x | Read and execute | | 6 | 110 | rw- | Read and write | | 7 | 111 | rwx | Full permissions |
Common Octal Permission Combinations
| Octal | Symbolic | Description | Common Use | |-------|----------|-------------|------------| | 755 | rwxr-xr-x | Owner full, others read/execute | Executable files, directories | | 644 | rw-r--r-- | Owner read/write, others read | Regular files | | 600 | rw------- | Owner read/write only | Private files | | 777 | rwxrwxrwx | Full permissions for all | Temporary files (not recommended) | | 700 | rwx------ | Owner full access only | Private directories | | 666 | rw-rw-rw- | Read/write for all | Shared data files |
File Permission Commands
The chmod Command
The chmod (change mode) command modifies file permissions.
Syntax:
`bash
chmod [options] mode file(s)
`
#### Using Octal Mode
Examples:
`bash
Set permissions to 755 (rwxr-xr-x)
chmod 755 script.shSet permissions to 644 (rw-r--r--)
chmod 644 document.txtSet permissions to 600 (rw-------)
chmod 600 private.txt#### Using Symbolic Mode
Syntax Components: - Who: u (user/owner), g (group), o (others), a (all) - Operation: + (add), - (remove), = (set exactly) - Permission: r (read), w (write), x (execute)
Examples:
`bash
Add execute permission for owner
chmod u+x script.shRemove write permission for group and others
chmod go-w document.txtSet read and execute for group, no permissions for others
chmod g=rx,o= file.txtAdd read permission for all users
chmod a+r public.txtSet full permissions for owner, read/execute for group and others
chmod u=rwx,go=rx program#### Advanced chmod Options
| Option | Description | |--------|-------------| | -R | Recursive: apply to directories and their contents | | -v | Verbose: show files being processed | | -c | Changes: only show files that are changed | | --reference=file | Copy permissions from reference file |
Examples:
`bash
Recursively set permissions on directory and contents
chmod -R 755 /path/to/directoryVerbose output showing changes
chmod -v 644 *.txtCopy permissions from one file to another
chmod --reference=template.sh script.shThe chown Command
The chown (change owner) command changes file ownership.
Syntax:
`bash
chown [options] owner[:group] file(s)
`
Examples:
`bash
Change owner to john
chown john file.txtChange owner to john and group to developers
chown john:developers project.txtChange only the group (owner remains unchanged)
chown :admin file.txtRecursively change ownership
chown -R john:users /home/john/documentsThe chgrp Command
The chgrp (change group) command changes group ownership.
Syntax:
`bash
chgrp [options] group file(s)
`
Examples:
`bash
Change group to developers
chgrp developers project.txtRecursively change group
chgrp -R admin /var/log/applicationDirectory Permissions
How Directory Permissions Work
Directory permissions have different meanings than file permissions:
| Permission | Files | Directories | |------------|-------|-------------| | Read (r) | View file contents | List directory contents | | Write (w) | Modify file contents | Create/delete files in directory | | Execute (x) | Run file as program | Enter directory (cd command) |
Directory Permission Examples
`bash
Create a directory with full permissions for owner, read/execute for others
mkdir test_dir chmod 755 test_dirDirectory that can be entered but contents cannot be listed
chmod 711 secret_dirDirectory where files can be created but not listed by others
chmod 733 dropbox_dirSpecial Directory Considerations
Important Notes: - Execute permission on a directory is required to access files within it - Write permission on a directory allows creating and deleting files - Read permission allows listing directory contents but not accessing files
Special Permissions
Setuid (Set User ID)
The setuid bit allows a file to be executed with the permissions of the file owner rather than the user running it.
Setting Setuid:
`bash
Using octal notation (4000 + regular permissions)
chmod 4755 programUsing symbolic notation
chmod u+s programExample:
`bash
The passwd command uses setuid to allow users to change their password
ls -l /usr/bin/passwd -rwsr-xr-x 1 root root 68208 Mar 15 10:30 /usr/bin/passwdSetgid (Set Group ID)
The setgid bit can be applied to files and directories: - Files: Execute with group permissions - Directories: New files inherit the directory's group
Setting Setgid:
`bash
Using octal notation (2000 + regular permissions)
chmod 2755 directoryUsing symbolic notation
chmod g+s directorySticky Bit
The sticky bit on directories prevents users from deleting files they don't own, even if they have write permission to the directory.
Setting Sticky Bit:
`bash
Using octal notation (1000 + regular permissions)
chmod 1755 /tmpUsing symbolic notation
chmod +t directoryExample:
`bash
The /tmp directory typically has the sticky bit set
ls -ld /tmp drwxrwxrwt 10 root root 4096 Mar 15 12:00 /tmpSpecial Permissions Summary
| Special Permission | Octal | Symbol | Effect | |-------------------|-------|--------|--------| | Setuid | 4000 | s (user execute position) | Execute as file owner | | Setgid | 2000 | s (group execute position) | Execute as file group | | Sticky Bit | 1000 | t (others execute position) | Prevent deletion by non-owners |
Access Control Lists (ACLs)
Introduction to ACLs
Access Control Lists provide more granular permission control beyond the traditional owner/group/others model.
ACL Commands
#### getfacl Command
View ACL information for files and directories:
`bash
View ACL for a file
getfacl filenameView ACL for multiple files
getfacl file1 file2 directory/Example Output:
`
file: document.txt
owner: john
group: developers
user::rw- user:alice:r-- group::r-- group:admin:rw- mask::rw- other::---#### setfacl Command
Set ACL permissions:
`bash
Grant read permission to user alice
setfacl -m u:alice:r document.txtGrant read/write permission to group admin
setfacl -m g:admin:rw document.txtRemove ACL entry for user alice
setfacl -x u:alice document.txtRemove all ACL entries
setfacl -b document.txtACL Examples and Use Cases
| Command | Description |
|---------|-------------|
| setfacl -m u:user:rwx file | Grant full access to specific user |
| setfacl -m g:group:r-x dir | Grant read/execute to specific group |
| setfacl -m d:u:user:rw- dir | Set default ACL for new files in directory |
| setfacl -R -m u:user:r-- dir | Recursively grant read access |
Practical Examples and Scenarios
Web Server File Permissions
Setting up proper permissions for a web server:
`bash
Set directory permissions for web root
chmod 755 /var/www/htmlSet file permissions for web content
find /var/www/html -type f -exec chmod 644 {} \;Set directory permissions
find /var/www/html -type d -exec chmod 755 {} \;Special permissions for upload directory
chmod 775 /var/www/html/uploads chgrp www-data /var/www/html/uploadsShared Directory Setup
Creating a shared directory for team collaboration:
`bash
Create shared directory
mkdir /shared/project chgrp developers /shared/projectSet group write permission and setgid
chmod 2775 /shared/projectVerify permissions
ls -ld /shared/project drwxrwsr-x 2 root developers 4096 Mar 15 14:30 /shared/projectScript File Permissions
Setting up executable scripts:
`bash
Create script file
echo '#!/bin/bash' > myscript.sh echo 'echo "Hello World"' >> myscript.shMake executable for owner
chmod u+x myscript.shMake executable for everyone
chmod 755 myscript.shVerify permissions
ls -l myscript.sh -rwxr-xr-x 1 user group 29 Mar 15 15:00 myscript.shTroubleshooting Permission Issues
Common Permission Problems
| Problem | Symptoms | Solution |
|---------|----------|----------|
| Cannot execute file | "Permission denied" when running | chmod +x filename |
| Cannot access directory | "Permission denied" when using cd | chmod +x directory |
| Cannot create files | Write operations fail | Check directory write permissions |
| Cannot list directory | ls shows permission denied | chmod +r directory |
Diagnostic Commands
`bash
Check current permissions
ls -la filenameCheck effective permissions
namei -l /path/to/fileCheck user and group membership
id usernameCheck file system mount options
mount | grep filesystemPermission Restoration
`bash
Restore default permissions for home directory
chmod 755 $HOME find $HOME -type d -exec chmod 755 {} \; find $HOME -type f -exec chmod 644 {} \;Restore execute permission for scripts
find $HOME -name "*.sh" -exec chmod +x {} \;Security Best Practices
Principle of Least Privilege
Always grant the minimum permissions necessary:
`bash
Good: Specific permissions
chmod 644 data.txt # Read/write for owner, read for others chmod 755 script.sh # Execute for owner, read/execute for othersAvoid: Overly permissive
chmod 777 filename # Full permissions for everyone (security risk)Regular Permission Audits
`bash
Find files with world-write permissions
find /home -type f -perm -002 -lsFind files with setuid bit
find /usr -type f -perm -4000 -lsFind directories with unusual permissions
find /var -type d -perm -002 ! -perm -1000 -lsSecure File Creation
`bash
Set restrictive umask
umask 077 # New files: 600, new directories: 700Create private files
touch private.txt chmod 600 private.txtCreate secure temporary files
temp_file=$(mktemp) chmod 600 "$temp_file"Advanced Topics
Understanding umask
The umask (user mask) determines default permissions for newly created files and directories:
`bash
View current umask
umaskSet umask (octal)
umask 022Set umask (symbolic)
umask u=rwx,g=rx,o=rxUmask Calculation: - Default file permissions: 666 - Default directory permissions: 777 - Actual permissions = Default - umask
File Attributes
Extended file attributes provide additional security features:
`bash
View file attributes
lsattr filenameSet immutable attribute (prevents modification)
chattr +i important.txtRemove immutable attribute
chattr -i important.txtSet append-only attribute
chattr +a logfile.txtSELinux and Permissions
Security-Enhanced Linux adds additional access controls:
`bash
View SELinux context
ls -Z filenameSet SELinux context
chcon -t admin_home_t filenameRestore default SELinux context
restorecon filenameConclusion
Linux file permissions are a powerful and essential security mechanism that every Linux user and administrator must understand. This comprehensive guide has covered:
- Basic permission concepts and representations - Symbolic and octal notation systems - Essential commands for managing permissions - Special permissions and their applications - Access Control Lists for granular control - Practical examples and troubleshooting - Security best practices and advanced topics
Mastering file permissions is crucial for maintaining system security, enabling proper collaboration, and ensuring that files and directories are accessible to the right users with appropriate levels of access. Regular practice with these concepts and commands will help you become proficient in managing Linux file permissions effectively.
Remember that permission management is not just about technical implementation but also about understanding the security implications of each decision. Always follow the principle of least privilege and regularly audit your system's permissions to maintain a secure environment.