Linux File Permissions & Users Cheat Sheet

Complete Linux permissions reference — chmod symbolic/octal, chown, chgrp, SUID, SGID, sticky bit, ACLs, umask, and user/group management.

Permission Basics

-rwxr-xr--  1      alice  devs   4096  Jan 20  file.txt
^           ^      ^      ^      ^
type+perms  links  owner  group  size

File type prefix: - file, d directory, l symlink, c char device, b block device

Permission groups (left → right): Owner | Group | Others

Permission bits: r read=4, w write=2, x execute=1

chmod — Change Permissions

Symbolic Mode

chmod u+x file.sh            # Add execute for owner
chmod g-w file.txt           # Remove write from group
chmod o=r file.txt           # Others: read only
chmod a+r file.txt           # All (ugo): add read
chmod u+x,g-w file           # Multiple changes

# Recursive
chmod -R 755 ./directory/
chmod -R u=rwX,go=rX dir/    # Capital X: execute only if dir or already exec

Octal Mode

chmod 755 script.sh          # rwxr-xr-x  (owner: rwx, group: r-x, others: r-x)
chmod 644 conf.txt           # rw-r--r--  (common for config files)
chmod 600 ~/.ssh/id_rsa      # rw-------  (private key!)
chmod 700 ~/.ssh/            # rwx------  (SSH dir)
chmod 777 /tmp/shared        # rwxrwxrwx  (dangerous! avoid)
chmod 000 secret.txt         # no permissions for anyone

Octal  Binary  Permissions
7      111     rwx
6      110     rw-
5      101     r-x
4      100     r--
0      000     ---

Common combos: 755 (dirs/executables), 644 (files), 600 (keys/secrets), 664 (group-writable files)

chown & chgrp

chown alice file.txt              # Change owner
chown alice:devs file.txt         # Change owner and group
chown :devs file.txt              # Change group only (same as chgrp)
chown -R alice:devs ./project/    # Recursive
chgrp devs file.txt               # Change group

# Check ownership
ls -la file.txt
stat file.txt

Special Permission Bits

SUID (Set User ID) — 4xxx

chmod u+s /usr/bin/myprog         # Set SUID
chmod 4755 /usr/bin/myprog        # Same in octal
# When executed, runs as FILE OWNER, not the calling user
# ls output shows: -rwsr-xr-x (s in owner execute position)

# Find SUID files (audit)
find / -perm -4000 -type f 2>/dev/null

SGID (Set Group ID) — 2xxx

chmod g+s ./shared-dir/           # Set SGID on directory
chmod 2775 ./shared-dir/          # In octal
# New files in dir inherit the dir's group (not creator's group)
# ls output shows: drwxrwsr-x (s in group execute position)
# Find SGID files (audit)
find / -perm -2000 -type f 2>/dev/null

Sticky Bit — 1xxx

chmod +t /tmp                     # Set sticky bit
chmod 1777 /tmp                   # Typical /tmp perms
# Users can only delete their OWN files in the directory
# ls output shows: drwxrwxrwt (t in others execute position)
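
An audit that covers the three special bits above in one pass, written as an added example (not part of the original cheat sheet): it lists SUID/SGID files and world-writable directories that lack the sticky bit, skipping paths in a reviewed allowlist. The function names, the allowlist format and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit special permission bits under one directory tree.
# audit_special_bits ROOT [ALLOWLIST]
#   ROOT      directory to scan (e.g. /usr); -xdev keeps find on one filesystem
#   ALLOWLIST optional file of reviewed paths, one per line (hypothetical format)
# Prints "<TAG> <mode> <owner> <path>", TAG = SUID, SGID, SUID+SGID or
# WW-NOSTICKY (world-writable directory lacking the sticky bit).
audit_special_bits() {
    root=$1
    allow=${2:-/dev/null}
    {
        find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
        find "$root" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
    } | while IFS= read -r path; do
        # Skip entries already reviewed and recorded in the allowlist.
        if grep -Fxq -- "$path" "$allow"; then continue; fi
        meta=$(ls -ld -- "$path" | awk '{print $1, $3}')
        mode=${meta% *}
        owner=${meta#* }
        case $mode in
            d*)             tag=WW-NOSTICKY ;;
            ???[sS]??[sS]*) tag=SUID+SGID ;;
            ???[sS]*)       tag=SUID ;;
            *)              tag=SGID ;;
        esac
        printf '%s %s %s %s\n' "$tag" "$mode" "$owner" "$path"
    done
}

# Constructed sample tree (not real system paths) to exercise the audit.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    : > "$t/plain"; : > "$t/suid-tool"; : > "$t/sgid-tool"
    mkdir "$t/dropbox" "$t/tmp-like"
    chmod 644  "$t/plain"
    chmod 4755 "$t/suid-tool"   # -rwsr-xr-x
    chmod 2755 "$t/sgid-tool"   # -rwxr-sr-x
    chmod 0777 "$t/dropbox"     # world-writable, no sticky bit: flagged
    chmod 1777 "$t/tmp-like"    # world-writable with sticky bit: not flagged
    printf '%s\n' "$t"
}
```

Run `audit_special_bits "$(make_sample_tree)"` to see the report on the sample tree; saving the output of a reviewed run and diffing later runs against it shows newly appeared SUID/SGID files.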

umask — Default Permissions

umask                             # Show current mask (e.g. 0022)
umask 027                         # Set new mask

# How it works:
# File default: 666 with the umask bits cleared: 666 & ~022 = 644
# Dir default:  777 with the umask bits cleared: 777 & ~022 = 755

# Common umasks
# 022 → files: 644, dirs: 755  (default on most systems)
# 027 → files: 640, dirs: 750  (more restrictive)
# 077 → files: 600, dirs: 700  (most restrictive)
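
The mask removes bits from the default mode rather than being subtracted from it, which matters for masks such as 033 where subtraction gives a different answer. This added example (not from the original cheat sheet; the function names are hypothetical, and `stat -c` assumes GNU coreutils or BusyBox) computes the result and checks it against files actually created.

```shell
#!/bin/sh
# Added example: the umask clears bits (base & ~mask); it is not subtracted.
# effective_mode BASE MASK -> octal mode the kernel will assign.
# BASE is 666 for new files and 777 for new directories.
effective_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# naive_subtraction BASE MASK -> what "base - mask" in octal would predict.
naive_subtraction() {
    printf '%03o\n' $(( 0$1 - 0$2 ))
}

# observed_modes MASK -> "<file-mode> <dir-mode>" as actually created.
# Runs in a subshell so the caller's umask is untouched.
# Assumes a stat that supports -c '%a' (GNU coreutils or BusyBox).
observed_modes() (
    d=$(mktemp -d) || exit 1
    umask "$1"
    : > "$d/f"
    mkdir "$d/sub"
    printf '%s %s\n' "$(stat -c '%a' "$d/f")" "$(stat -c '%a' "$d/sub")"
    rm -rf "$d"
)

# compare_umasks MASK... -> one row per mask: predicted vs. observed vs. naive.
compare_umasks() {
    for m in "$@"; do
        printf 'umask %s  predicted %s %s  observed %s  naive-file %s\n' \
            "$m" "$(effective_mode 666 "$m")" "$(effective_mode 777 "$m")" \
            "$(observed_modes "$m")" "$(naive_subtraction 666 "$m")"
    done
}
```

`compare_umasks 022 027 033 077` prints one row per mask; for 027 and 033 the naive column disagrees with the observed file mode.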

ACLs (Access Control Lists)

# View ACL
getfacl file.txt

# Set ACL for a specific user
setfacl -m u:bob:rwx file.txt

# Set ACL for a specific group
setfacl -m g:devs:r-x file.txt

# Set default ACL on directory (inherited by new files)
setfacl -d -m u:bob:rwx ./project/

# Remove specific ACL entry
setfacl -x u:bob file.txt

# Remove all ACL entries
setfacl -b file.txt

User & Group Management

# Users
useradd -m -s /bin/bash alice      # Create user with home + bash shell
usermod -aG sudo alice             # Add to group (don't omit -a!)
usermod -s /bin/zsh alice          # Change shell
passwd alice                       # Set password
userdel -r alice                   # Delete user + home dir
id alice                           # Show UID, GID, groups
whoami
groups alice

# Groups
groupadd devs                      # Create group
groupdel devs                      # Delete group
gpasswd -a alice devs              # Add user to group
gpasswd -d alice devs              # Remove user from group
grep '^devs:' /etc/group           # Check group members

# Switch user
su - alice                         # Switch to alice (full login)
sudo -i                            # Root shell
sudo -u alice command              # Run command as alice

Sudoers

visudo                             # Safe way to edit /etc/sudoers

# Allow alice full sudo (no password)
alice ALL=(ALL) NOPASSWD: ALL

# Allow alice to restart nginx only
alice ALL=(ALL) NOPASSWD: /bin/systemctl restart nginx

# Allow devs group full sudo
%devs ALL=(ALL) ALL

# Check sudo privileges
sudo -l -U alice

Key Files

File                     Purpose
/etc/passwd              User accounts (no passwords)
/etc/shadow              Hashed passwords; root-only
/etc/group               Group definitions
/etc/gshadow             Group passwords
/etc/sudoers             Sudo privileges (edit with visudo)
~/.ssh/authorized_keys   SSH public keys; must be 600
~/.ssh/known_hosts       Trusted host fingerprints