1) The model in one picture
Every file/dir has permissions for three “audiences”:

[ owner | group | others ] → each gets: r (read) w (write) x (execute)

Example from ls -l:

-rwxr-x--- 1 alice devs 1256 Oct 08 script.sh
 ^^^^^^^^^
 |  |  └── others: --- (0)
 |  └───── group:  r-x (5)
 └──────── owner:  rwx (7)

· First character: file type (- regular, d directory, l symlink, etc).
· Then 9 permission bits: owner / group / others.
What r/w/x mean
· Files: r read contents, w modify, x run as a program/script.
· Directories:
    o r list names (ls)
    o w create/rename/delete entries in that directory
    o x “enter/traverse” (needed for cd and to access items inside)
For directories, x is crucial. A dir with r but no x lets you see names but not enter.
2) Numeric (octal) vs symbolic modes
· Weights: r=4, w=2, x=1 → add them.
    o 7 = rwx, 6 = rw-, 5 = r-x, 4 = r--, 0 = ---.
Using chmod (change mode)

chmod 755 script.sh      # owner rwx, group r-x, others r-x
chmod 640 report.txt     # owner rw-, group r--, others ---
chmod u+x deploy.sh      # add execute for owner (symbolic)
chmod g-w notes.txt      # remove write for group
chmod o=r logs/summary   # others get read only
chmod -R 750 app/        # recursive on a directory tree

3) Ownership: user & group
Each item has an owner and a group.

chown alice file.txt       # change owner (needs sudo: only root may change the owner)
chown alice:devs file.txt  # owner + group
chgrp devs file.txt        # change group only

Tip (teams): Put collaborators into a group and give the group the right perms (avoid 777).
4) Default permissions & umask
When you create files/dirs, permissions start from:
· Files: 666 (rw for all) minus umask
· Dirs: 777 (rwx for all) minus umask
Typical umask values:
· 022 → files 644, dirs 755
· 002 → files 664, dirs 775 (good for teamwork)
Check/set:

umask        # show
umask 002    # set for current shell session

(For permanent: add to ~/.bashrc.)
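An added example (not from the original notes) that computes the default mode for a given umask and checks it against what the kernel really creates. The "minus" above is a bitwise clear of the umask bits, not octal subtraction: the two agree for 022 and 002 but a mask like 027 gives 640, not 637. It assumes GNU stat (Linux).

```shell
#!/bin/sh
# Added example (not part of the original notes).
# default_mode <umask> file|dir -> the octal mode a new file or dir starts with.
# The kernel clears the umask bits: base & ~umask. It is NOT octal subtraction.
default_mode() {
  mask=$((0$1))          # a leading 0 makes the shell parse the digits as octal
  case $2 in
    file) base=$((0666)) ;;
    dir)  base=$((0777)) ;;
    *) echo "usage: default_mode <umask> file|dir" >&2; return 2 ;;
  esac
  printf '%03o\n' $((base & ~mask))
}

# What you would get if "666 minus umask" were taken literally as subtraction.
# Agrees with default_mode for 022 and 002, disagrees for masks such as 027.
subtract_mode() {
  printf '%03o\n' $((0666 - 0$1))
}

# observed_modes <umask> -> the modes the kernel really assigns, one per line
# (file first, then dir), created under that umask in a throwaway directory.
observed_modes() {
  (
    umask "$1"
    d=$(mktemp -d)                  # mktemp forces 700 here; the umask applies below
    : > "$d/f" && mkdir "$d/sub"
    stat -c '%a' "$d/f" "$d/sub"    # GNU stat: print the octal mode
    rm -r "$d"
  )
}

for m in 022 002 027; do
  echo "umask $m: file $(default_mode "$m" file), dir $(default_mode "$m" dir)," \
       "naive subtraction would give file $(subtract_mode "$m")"
done
```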
5) Special permission bits (exam-relevant)
setuid (s on owner bit, value 4000)
· On executables: run with file owner’s privileges.
· Example: /usr/bin/passwd is setuid root so users can change passwords.

chmod 4755 prog   # rwxr-xr-x with setuid
ls -l prog        # shows: -rwsr-xr-x

setgid (s on group bit, value 2000)
· On executables: run with file group’s privileges.
· On directories: new files inherit the directory’s group (great for shared folders).

chmod 2775 shared/
ls -ld shared     # drwxrwsr-x (note the 's' in group slot)

sticky bit (t on others bit, value 1000)
· On directories: only the owner of a file (or root) can delete it, even if the dir is group/other writable. Classic example: /tmp.

chmod 1777 /tmp   # drwxrwxrwt

Don’t set setuid/setgid casually; use only when you understand the security impact.
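An added example (not from the original notes) that renders an octal mode as the 10-character string ls -l prints, covering the plain triples from section 2 and the special bits from this section. It also shows the case the notes do not: when setuid/setgid/sticky is set without the x bit underneath, ls prints a capital S or T, which almost always means the mode was a mistake.

```shell
#!/bin/sh
# Added example (not part of the original notes): octal mode -> ls -l string.
# setuid/setgid replace the x slot of owner/group with 's', sticky replaces the
# others x slot with 't'. Without the underlying x bit ls prints 'S'/'T' instead.
# mode_string <octal mode> [file|dir]    e.g. mode_string 4755 -> -rwsr-xr-x
mode_string() {
  m=$((0$1))                                   # leading 0: parse as octal
  case ${2:-file} in dir) out=d ;; *) out=- ;; esac
  for pos in 6 3 0; do                         # owner, group, others triples
    bits=$(( (m >> pos) & 7 ))
    case $pos in                               # special bit tied to this triple
      6) special=$((m & 04000)); lc=s; uc=S ;;
      3) special=$((m & 02000)); lc=s; uc=S ;;
      0) special=$((m & 01000)); lc=t; uc=T ;;
    esac
    [ $((bits & 4)) -ne 0 ] && out="${out}r" || out="${out}-"
    [ $((bits & 2)) -ne 0 ] && out="${out}w" || out="${out}-"
    if [ $((bits & 1)) -ne 0 ]; then
      [ "$special" -ne 0 ] && out="${out}$lc" || out="${out}x"
    else
      [ "$special" -ne 0 ] && out="${out}$uc" || out="${out}-"
    fi
  done
  echo "$out"
}

# Sanity check before applying a mode: returns 1 when a special bit is set
# without the x bit it rides on (the string would contain a capital S or T).
special_without_x() {
  case $(mode_string "$1" "${2:-file}") in *S*|*T*) return 1 ;; esac
  return 0
}

for spec in 755:file 640:file 4755:file 2775:dir 1777:dir 4644:file; do
  printf '%-5s %-4s %s\n' "${spec%:*}" "${spec#*:}" "$(mode_string "${spec%:*}" "${spec#*:}")"
done
```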
6) Practical reads with ls/stat

ls -l file
stat file   # shows mode (octal and symbolic), owner, group; ls -l marks a '+' when ACLs are set

7) Access Control Lists (ACLs) — per-user fine control (intro)
Standard rwx is coarse. ACLs let you say “give bob read, carol rwx” even if they’re not in the group.
# Install tools (Ubuntu/Debian):
sudo apt install acl
# Add/inspect ACLs:
setfacl -m u:bob:r file.txt
setfacl -R -m g:design:rwx project/
getfacl file.txt
setfacl -b file.txt   # remove all ACL entries

Many distros enable ACLs by default on ext4; if not, the FS must be mounted with acl.
8) Capabilities (advanced awareness)
Instead of making a binary setuid root, give it just one power:

sudo setcap cap_net_bind_service=+ep /usr/local/bin/myserver
getcap /usr/local/bin/myserver

This lets it bind to ports <1024 without full root. (Good security hygiene.)
9) Common errors & quick fixes
· Permission denied (file): you lack r to read, w to modify, or x to run. Fix with chmod (if owner) or ask owner/admin to adjust chown/group.
· Permission denied (dir): you may be missing x on the directory. Add +x on the directory to traverse it.
· Script won’t run: make it executable: chmod +x script.sh; run as ./script.sh.
· Team dir not keeping group: set setgid on the dir and set its group:

chgrp devs /shared/proj && chmod 2775 /shared/proj
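An added example (not from the original notes) that diagnoses the first two errors above: it walks every parent directory of a path and reports the first one whose x bit you lack, then checks r on the final entry. Bits are read with GNU stat (Linux) and matched the way the kernel does: the owner triple applies if you own the item, else the group triple if you are in its group, else the others triple; the classes are never combined. ACLs are ignored, and root bypasses rwx checks, so as root the report describes the bits, not what root can do.

```shell
#!/bin/sh
# Added example (not part of the original notes): explain a "Permission denied".

# applicable_bits <path> -> the one octal digit (0-7) that applies to the caller
applicable_bits() {
  set -- $(stat -c '%a %u %g' "$1")      # GNU stat, e.g. "2775 1000 1001"
  mode=$1 uid=$2 gid=$3
  mode=${mode#"${mode%???}"}              # drop a leading special-bit digit
  if [ "$uid" = "$(id -u)" ]; then
    echo "${mode%??}"                     # owner digit
  elif printf ' %s ' $(id -G) | grep -q " $gid "; then
    mode=${mode#?}; echo "${mode%?}"      # group digit
  else
    echo "${mode#??}"                     # others digit
  fi
}

# explain_denied <path> -> prints one diagnosis line; returns 1 at the first problem
explain_denied() {
  target=$1
  case $target in /*) ;; *) target=$PWD/$target ;; esac   # make absolute
  rest=${target%/*}                      # the parent directory part
  prefix=""
  while [ -n "$rest" ]; do               # walk /a, then /a/b, then /a/b/c ...
    rest=${rest#/}
    comp=${rest%%/*}
    rest=${rest#"$comp"}
    [ -n "$comp" ] || continue           # tolerate doubled slashes
    prefix="$prefix/$comp"
    bits=$(applicable_bits "$prefix")
    if [ $((bits & 1)) -eq 0 ]; then
      echo "no x on directory $prefix: you cannot traverse it (owner fix: chmod u+x '$prefix')"
      return 1
    fi
  done
  bits=$(applicable_bits "$target")
  if [ $((bits & 4)) -eq 0 ]; then
    echo "no r on $target: you cannot read it (your applicable bits: $bits)"
    return 1
  fi
  echo "ok: every directory on the path has x and $target has r (bits: $bits)"
}
```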
10) Safer defaults for students
· Prefer least privilege: e.g., 640 for files, 750 for dirs in projects.
· Use groups for collaboration (avoid 777).
· Use umask 002 in shared repos so teammates can edit.
· Version control (git) for source; backups for data.
11) Mini-labs (hands-on, ~30–40 min)
Lab A: Decode permissions

mkdir -p ~/lab/perms && cd ~/lab/perms
echo "hello" > a.txt
chmod 640 a.txt
ls -l a.txt     # explain each character in the mode string
stat a.txt      # see octal mode under "Access"

Lab B: Directory semantics

mkdir sandbox && cd sandbox
echo "secret" > note.txt
chmod 644 note.txt
chmod 744 .     # dir: group/others keep r only (no w, no x)
ls -l           # can you read note.txt? (yes)
chmod 704 .     # dir: group gets ---, others keep r only
# Try: ls, cat note.txt, cd ..; observe how dir x/r affect access
# (as the dir's owner you still have rwx; repeat the tries as a second user to see the denials)

Lab C: Team folder with setgid

sudo groupadd devs           # (once, needs sudo; or use an existing group)
sudo mkdir -p /shared/app
sudo chgrp devs /shared/app
sudo chmod 2775 /shared/app
# Put two users in 'devs', create files and check they inherit group

Lab D: ACL quick test

mkdir -p ~/lab/acl && cd ~/lab/acl
echo "data" > d.txt
setfacl -m u:$(whoami):rw d.txt
getfacl d.txt

12) Exam-ready bullets
· Triplet model: owner/group/others; r=4, w=2, x=1; files vs dirs differ for r/w/x.
· Change perms: chmod 755 file or symbolic chmod u+r,g-w.
· Ownership: chown user:group file; chgrp group file.
· Defaults via umask: files from 666-umask, dirs from 777-umask.
· Special bits: setuid(4xxx), setgid(2xxx), sticky(1xxx); setgid on dirs makes new files inherit group; sticky on shared dirs (e.g., /tmp).
· ACLs: setfacl/getfacl for per-user/group entries.
· Capabilities: finer privileges than setuid (e.g., setcap cap_net_bind_service=+ep).
· Dirs need x to enter; r just lists; w lets create/delete entries.