Linux systems incorporate many built-in security features to protect your data and system integrity. One fundamental aspect of Linux security revolves around file permissions and ownership.
Since everything in Linux is represented as a file—whether it’s a text document, directory, or device—implementing proper file permissions is crucial to prevent unauthorized access and potential security breaches.
This comprehensive guide will help you understand Linux file permissions, explore how to manage ownership effectively, and learn practical techniques to implement secure access controls for your files and directories.
File Permission Types
Before we explore terminal commands for managing file permissions, let’s first examine how permissions appear in a graphical user interface (GUI).
Using GUI
When you right-click on a file in most Linux desktop environments and access its properties, you’ll typically see a “Permissions” tab that displays access controls:
Notice that there are three distinct permission categories:
- Owner (the user who created the file)
- Group (the group the owner belongs to)
- Others (all other users on the system)
For any file they own, users can assign specific permissions or restrict access to groups and other users through this interface.
How to fix EACCES: permission denied, access ;/usr/local/lib/node_modules
Using the Terminal
In the terminal, you can view file permissions by using the ls command with the -l option:
ls -l 
The output reveals several important pieces of information on each line:
- The first character indicates the file type:
-for regular filesdfor directorieslfor symbolic links
- The next nine characters (e.g.,
rwxr-xr-x) represent permission settings:- First three characters (positions 1-3): Owner permissions
- Middle three characters (positions 4-6): Group permissions
- Last three characters (positions 7-9): Other users’ permissions
- The file owner’s username
- The group that owns the file
- The file size in bytes
- The date and time of last modification
- The filename
Read: A Deep Dive into Linux Operating System Architecture: Components and Functions
Permission Types Explained
Understanding what each permission type allows is crucial for effective system security.
File Permissions
For regular files, the three basic permissions are:
- Read (r): Allows the assignee to view the file’s contents
- Write (w): Allows the assignee to modify the file
- Execute (x): Allows the assignee to run the file (if it’s a program or script)
- Dash (-): Indicates that a particular permission has not been granted
Directory Permissions
For directories, permissions have slightly different meanings:
- Read (r): Allows viewing the directory’s contents (using
ls) - Write (w): Allows creating, deleting, or renaming files within the directory
- Execute (x): Allows accessing the directory (using
cdcommand)
Read: Linux directories explained
For example, if a file has permission rw-rw-r--, this means:
- Owner can read and write to the file (
rw-) - Group members can read and write to the file (
rw-) - Other users can only read the file (
r--)
Since it’s not executable, no one can execute this file, as shown by the absence of ‘x’ in all three permission sets.
Here’s a visual breakdown of how file permissions work:
Read: A Beginner’s Guide to Symbolic Links in Linux
Modifying Permissions with chmod
The chmod command (change mode) allows you to modify file and directory permissions. You can use it with either numeric or symbolic notation. Using this command carelessly can create security vulnerabilities, so it’s important to understand how it works.
For example, the file rsyslog.conf has the following permissions:
This translates to:
- Owner: Read & Write (
rw-) - Group: Read only (
r--) - Others: Read only (
r--)
While the shadow file has even more restrictive permissions:
Using chmod with Numeric Mode
The basic syntax of the chmod command is:
chmod {options} file_name When using numeric mode, each permission has a corresponding value:
| Permission | Value |
|---|---|
| Read (r) | 4 |
| Write (w) | 2 |
| Execute (x) | 1 |
| No Permission (-) | 0 |
To set permissions, you add the values for each permission type you want to grant. You’ll need three digits—one each for owner, group, and other users.
Read: ‘usermod’ command usage in Ubuntu/Debian: a beginner’s guide
Example 1: To set permissions rw-r--r-- (owner can read/write; group and others can only read):
chmod 644 lion.jpg 
Breaking down the permissions:
- Owner: Read (4) + Write (2) = 6
- Group: Read (4) = 4
- Others: Read (4) = 4
Example 2: To set permissions rw-rw-rwx (owner and group can read/write; others can read/write/execute):
chmod 667 lion.jpg 
Breaking down the permissions:
- Owner: Read (4) + Write (2) = 6
- Group: Read (4) + Write (2) = 6
- Others: Read (4) + Write (2) + Execute (1) = 7
Example 3: To set permissions rwxr--r-- (owner can read/write/execute; group and others can only read):
chmod 744 lion.jpg 
Breaking down the permissions:
- Owner: Read (4) + Write (2) + Execute (1) = 7
- Group: Read (4) = 4
- Others: Read (4) = 4
Example 4: To set permissions r-x---w- (owner can read/execute; group has no permissions; others can only write):
chmod 502 lion.jpg 
Breaking down the permissions:
- Owner: Read (4) + Execute (1) = 5
- Group: No permissions = 0
- Others: Write (2) = 2
Here’s a summary table of common permission values:
| Value | Permission | Description |
|---|---|---|
| 0 | — | No permission |
| 1 | –x | Execute only |
| 2 | -w- | Write only |
| 3 | -wx | Write and execute |
| 4 | r– | Read only |
| 5 | r-x | Read and execute |
| 6 | rw- | Read and write |
| 7 | rwx | Read, write, and execute |
Read: How to fix 403 Forbidden Error
Using chmod with Symbolic Mode
Symbolic mode provides a more intuitive way to change permissions. The basic syntax is:
[ugoa...][[+-=][rwxXstugo...]...] This breaks down into three parts:
- Who: Specifies which users’ permissions to change
u: User (owner)g: Groupo: Othersa: All (u+g+o)
- Operation: Specifies how to change the permissions
+: Add the specified permissions-: Remove the specified permissions=: Set permissions to exactly what’s specified
- Permissions: Specifies which permissions to modify
r: Readw: Writex: ExecuteX: Execute only if the file is a directory or already has execute permissions: Set user or group ID on executiont: Save program text
Let’s look at some examples to understand how symbolic mode works:
Example 1: Grant execute permission to others for a file:
chmod o+x lion.jpg 
This adds execute permission (+x) for others (o), changing the permissions from rwx------ to rwx-----x.
Example 2: Remove write and execute permissions from others:
chmod o-wx lion.jpg 
This removes write and execute permissions (-wx) for others (o), resulting in rwx------.
Example 3: Grant all permissions to everyone:
chmod ugo+rwx lion.jpg 
This adds read, write, and execute permissions (+rwx) for the owner, group, and others (ugo), resulting in rwxrwxrwx.
Adding Multiple Permissions
You can specify multiple permission changes in a single command by separating them with commas:
chmod g+x,o+x lion.jpg 
This adds execute permission to both group and other users simultaneously.
Changing Permissions Recursively
To apply permissions to all files and directories within a specific directory, use the -R option:
chmod 777 -R /path_to_directory To change permissions for only files within a directory:
find /path_to_directory -type f -print0 | xargs -0 chmod 644 To change permissions for only directories within a directory:
find /path_to_directory -type d -print0 | xargs -0 chmod 755 Note: The standard permission for files is typically 644, while directories commonly use 755.
Cloning Permissions Between Files
You can copy permissions from one file to another using the --reference option:
chmod --reference=file1 file2 
In this example, tst.txt now has the same permissions as lion.jpg (changed from rw-r--r-- to -w--wx-wx).
Read: Ubuntu/Debian monitoring tools guide for system administrators
Changing File Ownership
In addition to permissions, Linux provides commands to change file ownership: chown for changing both user and group ownership, and chgrp for changing only group ownership.
Using chown Command
The basic syntax for chown is:
chown options User[.Group] File Where:
User: Username or UID of the new ownerGroup: New group name or GIDFile(s): Name of one or more files/directories
The various formats allow different changes:
user: Changes only the owneruser:: Changes the owner and sets the group to the user’s login groupuser:group: Changes both owner and group:group: Changes only the group
Note: Only the root user or a user with sudo privileges can change file ownership.
Read: How to use sudo without having to enter a password in Ubuntu
Changing the owner of a file:
chown new_owner file_name For example, to change the owner of a file named myfile to net2_adm:
chown net2_adm myfile You can specify multiple files or directories by separating them with spaces:
chown net2_adm myfile mydirectory Changing only the group of a file:
chown :new_group file_name For example, to change the group of myfile to normal_users:
chown :normal_users myfile Changing both the owner and group of a file:
chown user:group file_name For example, to change the owner to net2_adm and group to admins:
chown net2_adm:admins myfile Changing ownership recursively:
To change ownership of a directory and all its contents, use the -R option:
chown -R user:group directory For example:
sudo chown -R net2_adm:admins documents Cloning ownership between files:
chown --reference=reference_file target_file This assigns the same user and group ownership from the reference file to the target file.
Using chgrp Command
While chown can change both user and group ownership, chgrp is dedicated to changing only group ownership:
chgrp [options] new_group file(s) For example, to change the group of my_file to admins:
chgrp admins my_file For multiple files:
chgrp admins first_file first_directory second_directory second_file Like chown, you can use the -R option to recursively change group ownership.
Conclusion
Understanding and managing file permissions and ownership is essential for maintaining security in Linux systems. By mastering commands like chmod, chown, and chgrp, you can effectively control who can access, modify, and execute your files and directories.
This guide has covered how to view permissions, change permissions using both numeric and symbolic notation, modify file ownership, and apply these changes recursively. With these skills, you can help safeguard your Linux system against unauthorized access and potential security threats.
Frequently Asked Questions
The most common permission setting for regular files is 644 (rw-r–r–), which allows the owner to read and write while giving read-only access to everyone else. For executable files, 755 (rwxr-xr-x) is common, allowing the owner full control while others can read and execute. For sensitive configuration files, 600 (rw——-) is often used to restrict access completely to the owner.
When encountering “Permission denied” errors, check the file permissions using ls -l filename to verify if you have the necessary permissions. If you’re not the owner, use id to check if you’re in the file’s group. If needed, modify permissions with chmod or change ownership with chown (requiring sudo privileges). For system files, use sudo to execute commands with elevated privileges.
SETUID (Set User ID) allows a program to run with the permissions of the file owner rather than the user who executed it, set with chmod u+s filename. SETGID (Set Group ID) makes a program run with the group permissions of the file rather than the executing user’s group, set with chmod g+s filename. The sticky bit, typically used on directories like /tmp, prevents users from deleting files owned by others even if they have write permissions to the directory, set with chmod +t directory.
For a secure web server directory setup, assign ownership to the web server user (e.g., www-data, apache, or nginx) using chown -R webserver:webserver /var/www/html. Set directory permissions to 755 (rwxr-xr-x) to allow the web server to access and execute but restrict write access to the owner. Set file permissions to 644 (rw-r–r–) to allow reading by the web server while limiting modifications to the owner. For content upload directories, use 775 (rwxrwxr-x) with proper group membership to allow controlled write access.
For shared file access, create a group using groupadd shared_group and add all users who need access with usermod -aG shared_group username. Assign group ownership to files with chgrp -R shared_group /shared/directory. Set directory permissions to 770 (rwxrwx—) or 775 (rwxrwxr-x) depending on whether others should have access. Consider using SETGID with chmod g+s /shared/directory to ensure new files inherit the directory’s group. For sensitive operations, implement access control lists (ACLs) with setfacl for more granular permissions.
If you like the content, we would appreciate your support by buying us a coffee. Thank you so much for your visit and support.
