KhueApps
Home/DevOps/Linux Permissions: The Ultimate Cheat Sheet

Linux Permissions: The Ultimate Cheat Sheet

Last updated: February 07, 2025

Linux is renowned for its security and flexibility, and at the heart of its robust security model lie file permissions. Whether you’re a system administrator, developer, or just a curious Linux user, mastering permissions is essential for controlling access, safeguarding data, and managing multi-user environments. This comprehensive guide will take you through every aspect of Linux permissions—from the basics to advanced topics like Access Control Lists (ACLs).

Table of Contents

  1. Understanding Linux Permissions
    1. The Basics
    2. Understanding Symbols
    3. User, Group, and Others
  2. Viewing Permissions
  3. Changing Permissions with chmod
    1. Symbolic Mode
    2. Numeric (Octal) Mode
    3. Recursive Changes
    4. The umask Value
  4. Changing Ownership with chown and chgrp
    1. Changing the Owner: chown
    2. Changing the Group: chgrp
  5. Special Permission Bits
    1. Setuid (Set User ID)
    2. Setgid (Set Group ID)
    3. Sticky Bit
  6. Access Control Lists (ACLs)
    1. Viewing ACLs
    2. Setting ACLs
    3. Default ACLs
  7. Tips and Best Practices
  8. Common Pitfalls and Troubleshooting
    1. Permission Denied Errors
    2. Recursive Permission Changes
    3. Sudo and Root Privileges
  9. Conclusion

Understanding Linux Permissions

The Basics

In Linux, every file and directory is assigned three types of permissions:

  • Read (r): Permission to view the contents of a file or list the contents of a directory.
  • Write (w): Permission to modify the contents of a file or change the contents of a directory (e.g., add, delete, or rename files).
  • Execute (x): Permission to run a file as a program or traverse a directory.

Understanding Symbols

  • - indicates a regular file
  • d indicates a directory
  • r means read permission
  • w stands for write permission
  • x signifies execute permission
  • - (in the position of permission) means permission is not granted

User, Group, and Others

Permissions are divided into three classes:

  • User (u): The owner of the file.
  • Group (g): Users who are members of the file’s group.
  • Others (o): Everyone else who is not the owner or a member of the group.

For example, a typical permission string might look like:

-rwxr-xr--
  • The first character represents the file type (e.g., - for a regular file, d for a directory).
  • The next three characters (rwx) are the user permissions.
  • The following three (r-x) are the group permissions.
  • The final three (r--) are the permissions for others.

Viewing Permissions

To inspect file and directory permissions, you can use the ls command with the -l (long listing) option:

ls -l filename

A sample output:

-rwxr-xr-- 1 alice staff 4096 Jan  1 12:00 example.sh
  • -rwxr-xr--: Shows the permissions.
  • 1: Number of hard links.
  • alice: The file owner.
  • staff: The group.
  • 4096: The file size in bytes.
  • Jan 1 12:00: Last modification date.
  • example.sh: The file name.

Directories follow similar rules; however, the execute permission on a directory allows you to traverse it.

Changing Permissions with chmod

The chmod command is used to modify file and directory permissions. There are two primary modes: symbolic and numeric (octal).

Symbolic Mode

Symbolic mode lets you change permissions using letters to represent user classes and operators:

  • + to add a permission.
  • - to remove a permission.
  • = to set an exact permission.

Examples:

Add execute permission for the user:

chmod u+x script.sh

Remove write permission for the group:

chmod g-w document.txt

Set exact permissions for others:

chmod o=r report.txt

Numeric (Octal) Mode

In numeric mode, permissions are represented by a three-digit (or four-digit with special bits) octal number. Each digit corresponds to the user, group, and others respectively:

  • 4 stands for read (r).
  • 2 stands for write (w).
  • 1 stands for execute (x).

The sum of these values gives the numeric representation:

  • 7 (4+2+1): Full permissions (rwx).
  • 6 (4+2): Read and write (rw-).
  • 5 (4+1): Read and execute (r-x).
  • 0: No permissions.

Examples:

Set permissions to rwxr-xr-x:

chmod 755 program

Set permissions to rw-r-----:

chmod 640 confidential.txt

Recursive Changes

To change permissions for a directory and all its contents, use the -R option:

chmod -R 755 /path/to/directory

The umask Value

The umask determines the default permission set for new files and directories. To view the current umask:

umask

Modify the umask to suit your security requirements (e.g., a umask of 022 creates files with permissions 644 for files and 755 for directories by default).

Changing Ownership with chown and chgrp

Changing the Owner: chown

The chown command changes the owner of a file or directory. Syntax:

chown new_owner filename

Example:

sudo chown bob myfile.txt

You can also change both the owner and group simultaneously:

sudo chown bob:developers project_dir

Changing the Group: chgrp

To change the group ownership of a file or directory:

chgrp new_group filename

Example:

sudo chgrp staff document.pdf

Both chown and chgrp can operate recursively with the -R flag:

sudo chown -R alice:alice /home/alice

Special Permission Bits

Beyond the basic read, write, and execute permissions, Linux supports three special permission bits:

Setuid (Set User ID)

When set on an executable file, the process that runs the file gains the privileges of the file owner. This is represented by an s in the user’s execute position:

chmod u+s some_program
  • Display example in a long listing: -rwsr-xr-x

Setgid (Set Group ID)

When set on an executable, the process gains the group privileges of the file, and when set on a directory, new files and subdirectories inherit the group of the parent directory.

chmod g+s shared_directory
  • Display example: drwxr-sr-x

Sticky Bit

Primarily used on directories, the sticky bit prevents users from deleting files that are not owned by them within that directory. Commonly seen on shared directories like /tmp.

chmod +t /tmp
  • Display example: drwxrwxrwt

Access Control Lists (ACLs)

ACLs provide a more granular permission mechanism than the traditional user/group/others model. They allow you to specify permissions for individual users or groups on a per-file basis.

Viewing ACLs

Use getfacl to view ACLs on a file or directory:

getfacl filename

Setting ACLs

Use setfacl to assign ACL permissions:

1. Granting permissions:

setfacl -m u:bob:rw file.txt

This grants user bob read and write permissions.

2. Removing permissions:

setfacl -x u:bob file.txt

Default ACLs

On directories, you can set default ACLs so that new files and subdirectories inherit these permissions:

setfacl -d -m g:developers:rw /shared/dir

ACLs are especially useful in complex multi-user environments where fine-tuned access control is required.

Tips and Best Practices

  • Regular Audits: Regularly check file and directory permissions to ensure they adhere to your security policies.
  • Least Privilege Principle: Grant only the minimum permissions necessary for a task.
  • Avoid 777: Never set permissions to 777 unless absolutely necessary. It opens up security vulnerabilities.
  • Back Up Configurations: Always back up important files before modifying permissions or ownership.
  • Document Changes: Especially in multi-user environments, keep records of permission changes for troubleshooting and compliance.

Common Pitfalls and Troubleshooting

Permission Denied Errors

  • Misconfigured Permissions: Ensure that both file permissions and directory permissions (including execute rights on directories) are set correctly.
  • Ownership Issues: Verify file ownership with ls -l and use chown as needed.
  • ACL Overrides: Remember that ACLs can override traditional permissions. Use getfacl to diagnose issues.

Recursive Permission Changes

Be cautious when applying changes recursively (chmod -R or chown -R), as mistakes can propagate unintended permissions across critical system directories.

Sudo and Root Privileges

Many permission changes require root privileges. Use sudo responsibly to avoid inadvertently altering system-critical files.

Conclusion

Understanding and managing Linux permissions is a cornerstone of system administration and security. Whether you’re setting up a new server, maintaining a multi-user environment, or securing your personal computer, knowing how to view, change, and troubleshoot permissions can save you time and prevent potential security issues. This cheat sheet covers everything from basic concepts to advanced ACL configurations, ensuring you have the knowledge to control access to your files and directories with confidence.

Keep this guide handy as a reference and remember: proper permission management is key to a secure and efficient Linux system.

Happy securing!

Previous Article: How to reset Ubuntu to factory settings (4 approaches)

Series: Ubuntu

DevOps