Linux File Permissions

Beginner | Topic | 30 min | 6 min read | 12 Jan 2025 | Linux

Master Linux file permissions — read/write/execute for owner/group/others, chmod, chown, SUID, SGID, sticky bit, and ACLs.

What you'll learn

  • Read the permission string from ls -l output
  • Use chmod with symbolic and octal notation
  • Use chown and chgrp to change ownership
  • Understand and set umask
  • Explain SUID, SGID, and sticky bit

Relevant for certifications

LFCS

Reading Permission Strings

When you run ls -l, you see a string like:

-rwxr-xr--  2  alice  devs  4096  Jan 12  myapp
│└┬┘└┬┘└┬┘
│ │   │  └── other: r-- (read only)
│ │   └───── group: r-x (read + execute)
│ └───────── owner: rwx (read + write + execute)
└─────────── type: - = file, d = directory, l = symlink

The remaining columns are the hard-link count (2), owner (alice), group (devs), size in bytes (4096), modification time, and name.

Each permission block has three bits:

Symbol   Permission   Numeric
r        Read         4
w        Write        2
x        Execute      1
-        No perm      0

So rwxr-xr-- = 7 5 4, i.e. 754 in octal.
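As an added example (not code from the original page), here is a small Python decoder that turns the ls -l permission string into the octal value by exactly the 4/2/1 weighting above. It goes a little beyond this section by also recognising the s/S and t/T letters that the special-permission bits put in the execute positions, so it works on real ls -l output such as /usr/bin/passwd. The sample lines are the page's own myapp line plus two constructed ones.

```python
import stat

# Bit weight of each permission character within a 3-bit triad.
_BITS = {"r": 4, "w": 2, "x": 1}

# ls -l file-type characters (the first column).
_TYPES = {"-": "regular file", "d": "directory", "l": "symlink",
          "c": "character device", "b": "block device", "p": "fifo", "s": "socket"}

# (slice of the triad, special bit carried by its execute position, letters ls uses for it)
_TRIADS = ((slice(1, 4), stat.S_ISUID, "sS"),
           (slice(4, 7), stat.S_ISGID, "sS"),
           (slice(7, 10), stat.S_ISVTX, "tT"))


def perm_string_to_mode(perm: str) -> int:
    """Decode a 10-character ls -l permission string into a numeric mode.

    Lowercase s/t means the execute bit is set as well; uppercase S/T means the
    special bit is set but execute is not. The type character is validated only.
    """
    if len(perm) != 10 or perm[0] not in _TYPES:
        raise ValueError(f"not an ls -l permission string: {perm!r}")
    mode = 0
    for index, (part, special_bit, letters) in enumerate(_TRIADS):
        value = 0
        for ch, weight in zip(perm[part], (4, 2, 1)):
            if ch == "-":
                continue
            if weight == 1 and ch in letters:
                mode |= special_bit
                if ch.islower():
                    value |= 1
                continue
            if _BITS.get(ch) != weight:       # wrong letter, or right letter in the wrong column
                raise ValueError(f"unexpected {ch!r} in {perm!r}")
            value |= weight
        mode |= value << (3 * (2 - index))    # owner triad is the most significant
    return mode


def perm_string_to_octal(perm: str) -> str:
    """Four-digit octal as chmod takes it: '-rwxr-xr--' -> '0754', '-rwsr-xr-x' -> '4755'."""
    return f"{perm_string_to_mode(perm) & 0o7777:04o}"


def parse_ls_line(line: str) -> dict:
    """Pick the permission-relevant fields out of one ls -l line.

    Columns after the group vary between ls versions (size, date layout), so only
    the permission string, link count, owner, group and trailing name are taken.
    """
    fields = line.split()
    if len(fields) < 5:
        raise ValueError(f"too few columns: {line!r}")
    perm = fields[0].rstrip("+.")          # '+' = ACL present, '.' = SELinux context
    return {
        "type": _TYPES[perm[0]],
        "perms": perm,
        "octal": perm_string_to_octal(perm),
        "has_acl": fields[0].endswith("+"),
        "links": int(fields[1]),
        "owner": fields[2],
        "group": fields[3],
        "name": fields[-1],
    }


# First line is the page's example; the other two are constructed for illustration.
SAMPLE_LINES = [
    "-rwxr-xr--  2  alice  devs  4096  Jan 12  myapp",
    "-rwsr-xr-x  1  root   root  59976 Jan 12  passwd",
    "drwxrwxrwt 12  root   root  4096  Jan 12  tmp",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        info = parse_ls_line(line)
        print(f"{info['name']:8} {info['perms']} -> {info['octal']} ({info['type']}, owner {info['owner']})")
```

The decoder rejects a letter in the wrong column (for example a t in the owner triad), which is a cheap sanity check when permission strings come from scraped or hand-typed audit notes rather than straight from ls.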

chmod — Change File Mode

Symbolic notation

chmod u+x script.sh       # Add execute for owner
chmod g-w file.txt        # Remove write for group
chmod o=r readme.md       # Set other to read-only
chmod a+x deploy.sh       # Add execute for all (u+g+o)
chmod u+x,g-w file        # Multiple changes at once
chmod -R 755 /var/www     # Recursive — apply to the directory and everything under it

Octal notation

chmod 755 script.sh   # rwxr-xr-x  owner: full, group+other: r+x
chmod 644 config.txt  # rw-r--r--  owner: rw, group+other: r
chmod 600 secret.key  # rw-------  owner only
chmod 777 /tmp/share  # rwxrwxrwx  full for everyone (avoid in production)
chmod 000 locked      # ---------- no access for anyone

Common permission combos to memorise

Octal   String      Typical use
644     rw-r--r--   Regular files
755     rwxr-xr-x   Scripts, directories
600     rw-------   Private keys, secrets
700     rwx------   Private directories
664     rw-rw-r--   Shared group files

chown and chgrp

chown alice file.txt           # Change owner to alice
chown alice:devs file.txt      # Change owner AND group
chown :devs file.txt           # Change group only (same as chgrp)
chown -R alice:devs /srv/app   # Recursive ownership change
chgrp devs config.conf         # Change group only

Warning

Only root can change ownership to another user. A regular user can change the group, but only to a group they belong to.

umask — Default Permission Mask

The umask defines which permissions are removed from new files and directories by default.

umask          # Show current umask (e.g. 0022)
umask 027      # Set umask — 027 means new files = 640, dirs = 750

# How it works:
# Files start at:       666 (rw-rw-rw-)
# Directories start at: 777 (rwxrwxrwx)
# The umask bits are cleared (a bitwise mask, not arithmetic subtraction;
# 666 - 022 gives the same answer only because no digit underflows):
#   Files:     666 & ~022 = 644 (rw-r--r--)
#   Dirs:      777 & ~022 = 755 (rwxr-xr-x)

Common umask values:

umask   File result   Dir result   Use case
022     644           755          Default for most systems
027     640           750          Security-conscious, group can read
077     600           700          Private — owner only

Special Permissions: SUID, SGID, Sticky Bit

SUID (Set User ID) — bit 4

When set on an executable, it runs with the owner's permissions (not the caller's).

chmod u+s /usr/bin/passwd    # passwd runs as root regardless of caller
chmod 4755 myapp             # 4 = SUID prefix

ls -l /usr/bin/passwd
# -rwsr-xr-x   → 's' in owner execute position = SUID set

SGID (Set Group ID) — bit 2

On an executable: runs with the permissions of the file's group (not the caller's). On a directory: new files inherit the directory's group.

chmod g+s /srv/shared        # New files in /srv/shared inherit its group
chmod 2755 /srv/shared       # 2 = SGID prefix

ls -l /srv/shared
# drwxr-sr-x  → 's' in group execute position = SGID set

Sticky Bit — bit 1

On a directory: only the owner of a file (or root) can delete it, even if others have write permission.

chmod +t /tmp                # Classic sticky bit use case
chmod 1777 /tmp              # 1 = sticky bit prefix

ls -ld /tmp
# drwxrwxrwt   → 't' in other execute position = sticky bit

Tip

Remember the order: SUID (4), SGID (2), Sticky (1) — the weights add up just like rwx within a digit, but they occupy a fourth, leading octal digit (e.g. 4755, 6755).
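To see the three bits in action, here is an added example (not code from the page) that applies this section's chmod values to constructed files in a temporary directory and reads them back with Python's stat module, which renders the same s/t letters as ls -l. It also covers the case the tip does not mention: a special bit set without the matching execute bit, which ls shows as a capital S or T.

```python
import os
import stat
import tempfile

# (name, special bit, the execute bit that ls pairs it with in the same column)
SPECIAL_BITS = (("SUID", stat.S_ISUID, stat.S_IXUSR),
                ("SGID", stat.S_ISGID, stat.S_IXGRP),
                ("sticky", stat.S_ISVTX, stat.S_IXOTH))


def describe_special(mode: int) -> list:
    """Name the special bits set in a numeric mode.

    ls prints lowercase s/t when the execute bit in the same triad is set and
    uppercase S/T when it is not: the bit is stored, but on an executable it
    cannot do anything because nobody can execute the file anyway.
    """
    found = []
    for name, bit, xbit in SPECIAL_BITS:
        if mode & bit:
            found.append(name if mode & xbit else f"{name} without execute (shows as capital letter)")
    return found


def set_and_read(path: str, mode: int) -> str:
    """chmod the path to a four-digit octal mode and return what ls -l would show."""
    os.chmod(path, mode)
    return stat.filemode(os.stat(path).st_mode)


def demo() -> dict:
    """Apply the section's chmod examples to constructed stand-ins and read them back."""
    with tempfile.TemporaryDirectory() as tmp:
        myapp = os.path.join(tmp, "myapp")          # stand-in for the myapp binary
        with open(myapp, "w") as fh:
            fh.write("#!/bin/sh\necho hello\n")
        shared = os.path.join(tmp, "shared")        # stand-in for /srv/shared
        scratch = os.path.join(tmp, "tmp")          # stand-in for /tmp
        os.mkdir(shared)
        os.mkdir(scratch)
        return {
            "chmod 4755 myapp":  set_and_read(myapp, 0o4755),    # -rwsr-xr-x
            "chmod 2755 shared": set_and_read(shared, 0o2755),   # drwxr-sr-x
            "chmod 1777 tmp":    set_and_read(scratch, 0o1777),  # drwxrwxrwt
            "chmod 4644 myapp":  set_and_read(myapp, 0o4644),    # -rwSr--r--  SUID, no execute
        }


if __name__ == "__main__":
    for cmd, shown in demo().items():
        print(f"{cmd:20} -> {shown}  {describe_special(stat.S_IMODE(int(0)) )}")
    print(describe_special(0o4644))
```

Setting the bits on your own files needs no privilege, which is exactly why an audit should look for them rather than assume only root could have put them there. Note the last call: the file is still flagged SUID after chmod 4644, and ls shows the capital S to say the bit is present but the execute permission that would make it effective is gone.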

ACLs — Access Control Lists

When standard owner/group/other isn't granular enough, use ACLs:

# View ACLs
getfacl file.txt

# Grant read to a specific user
setfacl -m u:bob:r file.txt

# Grant rw to a specific group
setfacl -m g:contractors:rw project/

# Recursive ACL
setfacl -R -m u:bob:rx /srv/app

# Remove a specific ACL entry
setfacl -x u:bob file.txt

# Remove all ACLs
setfacl -b file.txt

Note

If ls -l shows a + after the permission string (e.g., rw-r--r--+), ACLs are set on that file.
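One thing getfacl output hides unless you read the mask:: line is that the ACL mask caps every named user, named group and the owning group entry, so a freshly granted u:bob:r can be ineffective. As an added example (not from the page), here is a parser for getfacl output that applies the mask and reports effective rights. The two getfacl listings are constructed to match the setfacl examples above; the "#effective:" annotations are what getfacl prints when the mask reduces an entry.

```python
# Constructed getfacl output: bob was granted r-- as in the setfacl example, but
# the mask was later narrowed to ---, so getfacl flags his entry as ineffective.
SAMPLE_MASKED = """\
# file: file.txt
# owner: alice
# group: devs
user::rw-
user:bob:r--\t\t#effective:---
group::r--\t\t#effective:---
mask::---
other::r--
"""

# Constructed getfacl output after `setfacl -m g:contractors:rw project/`; setfacl
# recomputed the mask as the union of the group and named entries.
SAMPLE_OPEN = """\
# file: project
# owner: alice
# group: devs
user::rwx
user:bob:r--
group::r-x
group:contractors:rw-
mask::rwx
other::r-x
"""


def parse_getfacl(text: str) -> tuple:
    """Return (header dict, list of (tag, qualifier, perms)) for one getfacl listing."""
    header, entries = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):                    # '# file: ...', '# owner: ...', '# group: ...'
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
            continue
        entry = line.split("#", 1)[0].strip()       # drop any trailing '#effective:' annotation
        tag, qualifier, perms = entry.split(":")
        entries.append((tag, qualifier, perms))
    return header, entries


def effective_permissions(entries: list) -> dict:
    """Apply the ACL mask: it limits user:NAME, group:: and group:NAME entries,
    but never the owner (user::) or other:: entries."""
    mask = next((perms for tag, _, perms in entries if tag == "mask"), "rwx")
    result = {}
    for tag, qualifier, perms in entries:
        if tag == "mask":
            continue
        masked = (tag == "group") or (tag == "user" and qualifier != "")
        if masked:
            perms = "".join(p if p != "-" and p == m else "-" for p, m in zip(perms, mask))
        result[f"{tag}:{qualifier}" if qualifier else tag] = perms
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_MASKED, SAMPLE_OPEN):
        header, entries = parse_getfacl(sample)
        print(header["file"])
        for who, perms in effective_permissions(entries).items():
            print(f"  {who:18} {perms}")
```

When a user reports they still cannot read a file after setfacl -m, check the effective column before adding more entries: a too-narrow mask (often left behind by an earlier chmod on the group bits, which rewrites the mask) is the usual cause.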

Quick Reference Cheat Sheet

# Identify permissions
ls -l file          # Show file permissions
stat file           # Detailed file metadata
find / -type f -perm -0002 2>/dev/null   # Find world-writable files (-perm 777 would match only exactly 777)
find / -type f -perm -4000 2>/dev/null   # Find SUID files

# Common fixes
chmod 600 ~/.ssh/id_rsa          # SSH private key must be 600
chmod 644 ~/.ssh/authorized_keys # SSH authorized_keys
chmod 700 ~/.ssh/                # SSH directory must be 700
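The cheat sheet's two find commands are the core of a permissions audit. As an added example (not from the page), here is the same scan as a Python walk over a directory tree: it reports SUID and SGID regular files and world-writable paths, skips symlinks so a link into /usr/bin is not counted, and treats a sticky world-writable directory like /tmp as the accepted pattern. The fixture tree it scans is constructed in a temporary directory.

```python
import os
import stat
import tempfile


def audit_tree(root: str) -> dict:
    """Walk root (not following symlinks) and collect what the find one-liners look for."""
    findings = {"suid": [], "sgid": [], "world_writable": []}
    for dirpath, dirnames, filenames in os.walk(root):      # followlinks=False by default
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)                         # lstat: inspect the link itself
            except OSError:
                continue                                    # vanished or unreadable: skip, don't abort
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                continue                                    # the target is audited where it really lives
            if stat.S_ISREG(mode) and mode & stat.S_ISUID:  # find / -type f -perm -4000
                findings["suid"].append(path)
            if stat.S_ISREG(mode) and mode & stat.S_ISGID:  # find / -type f -perm -2000
                findings["sgid"].append(path)
            if mode & stat.S_IWOTH:                         # find / -perm -0002
                if stat.S_ISDIR(mode) and mode & stat.S_ISVTX:
                    continue                                # sticky, world-writable dir: the /tmp pattern
                findings["world_writable"].append(path)
    return findings


def build_fixture(base: str) -> None:
    """Constructed sample tree: one SUID tool, a sticky tmp, a loose shared dir and file."""
    os.makedirs(os.path.join(base, "bin"))
    os.makedirs(os.path.join(base, "tmp"))
    os.makedirs(os.path.join(base, "share"))
    tool = os.path.join(base, "bin", "suid-tool")
    with open(tool, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(tool, 0o4755)                                  # should be reported as SUID
    os.symlink(tool, os.path.join(base, "bin", "link-to-tool"))  # must not be double-counted
    os.chmod(os.path.join(base, "tmp"), 0o1777)             # sticky: accepted, not reported
    os.chmod(os.path.join(base, "share"), 0o777)            # no sticky bit: reported
    notes = os.path.join(base, "share", "notes.txt")
    with open(notes, "w"):
        pass
    os.chmod(notes, 0o666)                                  # world-writable file: reported


def demo_audit() -> dict:
    """Build the fixture, audit it, and return paths relative to the fixture root."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        found = audit_tree(tmp)
        return {k: sorted(os.path.relpath(p, tmp) for p in v) for k, v in found.items()}


if __name__ == "__main__":
    for category, paths in demo_audit().items():
        print(f"{category:15} {paths}")
```

On a real system, run it as root against / and diff the SUID list against a known-good baseline from the distribution's package manager; a new entry outside the package-owned set is the finding worth investigating.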

Common Interview Questions

Q: What does chmod 755 mean? Owner gets read + write + execute (7). Group gets read + execute (5). Others get read + execute (5). In string form: rwxr-xr-x.

Q: What is SUID and when is it dangerous? SUID causes an executable to run with the file owner's privileges. It's dangerous when set on scripts or programs owned by root, because any user running the program gains root privileges — making it a common privilege escalation vector.

Q: What is the sticky bit used for? The sticky bit on a directory means only the file's owner (or root) can delete files within it, even if the directory itself is world-writable. The canonical example is /tmp — every user can write there, but can't delete each other's files.

Q: How do you find all SUID files on a system?

find / -perm -4000 -type f 2>/dev/null

Common Mistakes

  • Setting 777 on files — violates every security principle; never do this in production
  • Forgetting -R for directories — chmod 755 /srv/app won't recurse into subdirectories
  • SSH key permissions wrong — OpenSSH refuses keys that are not 600 (private) or 644 (public)
  • Confusing SUID on directories (no effect) with SGID on directories (inherits group)

What to Learn Next

  1. Linux Users and Groups — managing users, groups, passwd, shadow
  2. Linux Process Management — ps, top, signals
  3. Linux Networking Basics — ip, ss, netstat