Understanding Linux File Permissions

Linux File Permissions

In Linux, file permissions, attributes, and ownership control the access level that the system processes and users have to files. This ensures that only authorized users and processes can access specific files and directories.

The basic Linux permissions model works by associating each system file with an owner and a group and assigning permission access rights for three different classes of users:

  • The file owner.
  • The group members.
  • Others (everybody else).

File ownership can be changed using the chown and chgrp commands.

Three file permissions types apply to each class of users:

  • The read permission.
  • The write permission.
  • The execute permission.

This concept allows you to control which users can read the file, write to the file, or execute the file.

To view the file permissions, use the ls command:

ls -l file_name
-rw-r--r-- 12 linuxize users 12.0K Apr  28 10:10 file_name
|[-][-][-]-   [------] [---]
| |  |  | |      |       |
| |  |  | |      |       +-----------> 7. Group
| |  |  | |      +-------------------> 6. Owner
| |  |  | +--------------------------> 5. Alternate Access Method
| |  |  +----------------------------> 4. Others Permissions
| |  +-------------------------------> 3. Group Permissions
| +----------------------------------> 2. Owner Permissions
+------------------------------------> 1. File Type

The first character indicates the file type. It can be a regular file (-), a directory (d), a symbolic link (l), or another special type of file. The following nine characters represent the file permissions, as three triplets of three characters each. The first triplet shows the owner permissions, the second one the group permissions, and the last triplet shows everybody else's permissions.

In the example above, rw-r--r-- means that the file owner has read and write permissions (rw-), while the group and others have only read permission (r--).

File permissions have a different meaning depending on the file type.

Each of the three permission triplets is built from the following characters, which have different effects depending on whether they are set on a file or on a directory:

Effect of Permissions on Files

Permission   Character   Meaning on File
Read         -           The file is not readable. You cannot view the file contents.
             r           The file is readable.
Write        -           The file cannot be changed or modified.
             w           The file can be changed or modified.
Execute      -           The file cannot be executed.
             x           The file can be executed.
             s           If found in the user triplet, it sets the setuid bit. If found in the group triplet, it sets the setgid bit. It also means that the x flag is set. When the setuid or setgid flag is set on an executable file, the file is executed with the file’s owner and/or group privileges.
             S           Same as s, but the x flag is not set. This flag is rarely used on files.
             t           If found in the others triplet, it sets the sticky bit. It also means that the x flag is set. This flag is useless on files.
             T           Same as t, but the x flag is not set. This flag is useless on files.

Effect of Permissions on Directories (Folders)

Directories are special types of files that can contain other files and directories.

Permission   Character   Meaning on Directory
Read         -           The directory’s contents cannot be listed.
             r           The directory’s contents can be listed (e.g., you can list the files inside the directory with ls).
Write        -           The directory’s contents cannot be altered.
             w           The directory’s contents can be altered (e.g., you can create new files, delete files, etc.).
Execute      -           The directory cannot be entered.
             x           The directory can be entered using cd.
             s           If found in the user triplet, it sets the setuid bit. If found in the group triplet, it sets the setgid bit. It also means that the x flag is set. When the setgid flag is set on a directory, new files created within it inherit the directory’s group ID (GID) instead of the primary group ID of the user who created the file. setuid has no effect on directories.
             S           Same as s, but the x flag is not set. This flag is useless on directories.
             t           If found in the others triplet, it sets the sticky bit. It also means that the x flag is set. When the sticky bit is set on a directory, only the file’s owner, the directory’s owner, or the administrative user can delete or rename the files within the directory.
             T           Same as t, but the x flag is not set. This flag is useless on directories.

Changing File permissions

File permissions can be changed using the chmod command. Only root, the file owner, or a user with sudo privileges can change the permissions of a file. Be extra careful when using chmod, especially when recursively changing permissions. The command accepts one or more files and/or directories, separated by spaces, as arguments.

Permissions can be specified using a symbolic mode, numeric mode, or a reference file.

Symbolic (Text) Method

The syntax of the chmod command when using the symbolic mode has the following format:

chmod [OPTIONS] [ugoa…][-+=]perms…[,…] FILE...

The first set of flags ([ugoa…]), the users flags, defines the user classes for which the permissions of the file are changed:

  • u - The file owner.
  • g - The users who are members of the group.
  • o - All other users.
  • a - All users, identical to ugo.

When the users' flag is omitted, it defaults to a.

The second set of flags ([-+=]), the operation flags, defines whether the permissions are to be removed, added, or set:

  • - - Removes the specified permissions.
  • + - Adds specified permissions.
  • = - Changes the current permissions to the specified permissions. If no permissions are given after the = symbol, all permissions from the specified user class are removed.

The permissions (perms...) are set explicitly using zero or more of the following letters: r, w, x, X, s, and t. Alternatively, use a single letter from the set u, g, and o to copy the permissions of one user class to another.

When setting permissions for more than one user classes ([,…]), use commas (without spaces) to separate the symbolic modes.

Here are some examples of how to use the chmod command in symbolic mode:

  • Give the members of the group permission to execute the file, but not to read and write to it:

    chmod g=x filename
  • Remove the write permission for all users:

    chmod a-w filename
  • Recursively remove the execute permission for other users:

    chmod -R o-x dirname
  • Remove the read, write, and execute permission for all users except the file’s owner:

    chmod og-rwx filename

    The same thing can also be accomplished by using the following form:

    chmod og= filename
  • Give read, write and execute permission to the file’s owner, read permissions to the file’s group, and no permissions to all other users:

    chmod u=rwx,g=r,o= filename
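The following is an added example, not code from the original article: a simplified Python implementation of the symbolic grammar [ugoa…][-+=]perms…[,…] described above, so the effect of modes like u=rwx,g=r,o= or og-rwx on a numeric mode can be checked without touching a file. It follows the article's description (s applies to the owner and group triplets, t sets the sticky bit) and is not GNU chmod's exact implementation.

```python
# Added example, not code from the original article: a simplified model of
# the symbolic chmod grammar [ugoa][-+=]perms[,...]. It follows the article's
# description of s and t; it is not GNU chmod's exact implementation.

# rwx bits for each user class, plus the special bit that "=" also clears.
CLASS_BITS = {
    "u": {"r": 0o400, "w": 0o200, "x": 0o100, "special": 0o4000},
    "g": {"r": 0o040, "w": 0o020, "x": 0o010, "special": 0o2000},
    "o": {"r": 0o004, "w": 0o002, "x": 0o001, "special": 0o1000},
}


def perm_mask(cls: str, perms: str, current: int) -> int:
    """Translate the letters after the operator into a bitmask for `cls`."""
    bits, mask = CLASS_BITS[cls], 0
    for p in perms:
        if p in "rwx":
            mask |= bits[p]
        elif p == "s":                  # setuid for u, setgid for g, no-op for o
            mask |= {"u": 0o4000, "g": 0o2000}.get(cls, 0)
        elif p == "t":                  # the sticky bit is a single bit
            mask |= 0o1000
        elif p in "ugo":                # copy another class's current rwx bits
            for q in "rwx":
                if current & CLASS_BITS[p][q]:
                    mask |= bits[q]
        else:
            raise ValueError(f"unknown permission letter {p!r}")
    return mask


def apply_symbolic(mode: int, spec: str) -> int:
    """Return the mode obtained by applying e.g. 'u=rwx,g=r,o=' to `mode`."""
    for clause in spec.split(","):
        i = 0
        while i < len(clause) and clause[i] in "ugoa":
            i += 1
        classes = clause[:i] or "a"     # an omitted users flag defaults to a
        if i == len(clause) or clause[i] not in "-+=":
            raise ValueError(f"bad symbolic mode {clause!r}")
        op, perms = clause[i], clause[i + 1:]
        for cls in "ugo" if "a" in classes else classes:
            mask = perm_mask(cls, perms, mode)
            if op == "+":
                mode |= mask
            elif op == "-":
                mode &= ~mask
            else:                       # "=": replace this class's bits entirely
                mode &= ~sum(CLASS_BITS[cls].values())
                mode |= mask
    return mode
```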

Numeric Method

The syntax of the chmod command when using the numeric mode has the following format:

chmod [OPTIONS] NUMBER FILE...

When using the numeric mode, you can set the permissions for all three user classes (owner, group, and all others) at the same time.

The permission number can be a 3- or 4-digit number. When a 3-digit number is used, the first digit represents the permissions of the file’s owner, the second one the file’s group, and the last one all other users.

Each of the read, write, and execute permissions has the following number value:

  • r (read) = 4
  • w (write) = 2
  • x (execute) = 1
  • no permissions = 0

The permissions number of a specific user class is the sum of the values of the permissions for that class.

To find out the file’s permissions in numeric mode, simply calculate the totals for all users' classes. For example, to give read, write and execute permission to the file’s owner, read and execute permissions to the file’s group and only read permissions to all other users, you would do the following:

  • Owner: rwx=4+2+1=7
  • Group: r-x=4+0+1=5
  • Others: r--=4+0+0=4

Using the method above, we arrive at the number 754, which represents the desired permissions.

To set the setuid, setgid, and sticky bit flags, use a four-digit number.

When a 4-digit number is used, the first digit has the following meaning:

  • setuid=4
  • setgid=2
  • sticky=1
  • no changes = 0

The next three digits have the same meaning as when using a 3-digit number.

If the first digit is 0 it can be omitted, and the mode can be represented with 3 digits. The numeric mode 0755 is the same as 755.

To calculate the numeric mode, you can also use another method (binary method), but it is a little more complicated. Knowing how to calculate the numeric mode using 4, 2, and 1 is sufficient for most users.
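The following is an added example, not code from the original article, covering both the ls -l permission field explained earlier and the 4-digit numeric mode described here: it converts a nine-character string such as rwsr-xr-x into the numeric mode that chmod and stat -c "%a" use, and back again, decoding s/S and t/T as the tables above describe.

```python
# Added example, not code from the original article: converts the
# nine-character permission field printed by ls -l into the numeric mode
# used by chmod, and back, decoding s/S and t/T as the tables above describe.

VALUE = {"r": 4, "w": 2, "x": 1}
# Special bit carried by the x position of each triplet: owner, group, others.
SPECIAL_BIT = {0: 0o4000, 1: 0o2000, 2: 0o1000}


def permissions_to_mode(perms: str) -> int:
    """'rwsr-xr-x' -> 0o4755; a leading file-type character is tolerated."""
    if len(perms) == 10:
        perms = perms[1:]
    if len(perms) != 9:
        raise ValueError("expected nine permission characters")
    mode = 0
    for idx in range(3):
        triplet = perms[idx * 3: idx * 3 + 3]
        digit = 0
        for ch, letter in zip(triplet, "rwx"):
            if ch == letter:
                digit += VALUE[letter]
            elif ch != "-" and letter == "x":
                # s/S in the owner or group triplet, t/T in the others triplet;
                # lower case means the x flag is set as well.
                expected = "t" if idx == 2 else "s"
                if ch.lower() != expected:
                    raise ValueError(f"unexpected character {ch!r}")
                mode |= SPECIAL_BIT[idx]
                if ch.islower():
                    digit += 1
            elif ch != "-":
                raise ValueError(f"unexpected character {ch!r}")
        mode |= digit << (3 * (2 - idx))        # 754 = 7 << 6 | 5 << 3 | 4
    return mode


def mode_to_permissions(mode: int) -> str:
    """0o4755 -> 'rwsr-xr-x'; the inverse of permissions_to_mode."""
    out = []
    for idx in range(3):
        digit = (mode >> (3 * (2 - idx))) & 0o7
        out.extend(letter if digit & VALUE[letter] else "-" for letter in "rwx")
        if mode & SPECIAL_BIT[idx]:
            special = "t" if idx == 2 else "s"
            out[-1] = special if digit & 1 else special.upper()
    return "".join(out)
```

oct(permissions_to_mode(...)) prints the same digits that stat -c "%a" reports for the file, e.g. 0o754 for rwxr-xr--.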

You can check the file’s permissions in the numeric notation using the stat command:

stat -c "%a" file_name

Here are some examples of how to use the chmod command in numeric mode:

  • Give the file’s owner read and write permissions and only read permissions to group members and all other users:

    chmod 644 dirname
  • Give the file’s owner read, write and execute permissions, read and execute permissions to group members and no permissions to all other users:

    chmod 750 dirname
  • Give read, write, and execute permissions to all users and set the sticky bit on a given directory:

    chmod 1777 dirname
  • Recursively set read, write, and execute permissions to the file owner and no permissions for all other users on a given directory:

    chmod -R 700 dirname

Conclusion

In Linux, access to the files is restricted using file permissions, attributes, and ownership. To change the file’s permissions use the chmod command.

If you have any questions or feedback, feel free to leave a comment.