Linux is a multi-user operating system with built-in features for controlling access to data. The most basic of these are ownership and permissions on files and directories.
In this tutorial, we learn how Linux file permissions work and how to view and change the access permissions of file system objects, also known as modes.
Linux File Permissions
In Linux and other Unix-like operating systems, every file and directory is owned by one user and one group. Linux file permissions therefore involve three things: the owning user, the owning group, and the permission bits.
There are three classes of users that permissions apply to:
- Owner - The user who owns the file or directory. By default, the user who creates a file or directory becomes its owner.
- Group - The group that owns the file or directory. All members of that group share the same access permissions on it.
- Other - Any user who is neither the owner nor a member of the owning group. This is also called "everyone" or "the world".
Ownership of files and directories can be changed with the chown command. To change only the group, use the chgrp command. Only root can change a file's owner; the owner of a file can change its group, but only to a group they are a member of.
There are three permission types, and each means something slightly different on a file than on a directory:
The read permission on a file means the file can be opened and its contents read.
The read permission on a directory (folder) means the user can list the names of the entries in the directory.
The write permission on a file means the file's contents can be altered (changed, truncated or appended to).
The write permission on a directory means the directory's entries can be altered: the user can create new files and remove or rename existing ones. Note that removing or renaming a file is controlled by write permission on the directory, not by the permissions on the file itself.
The execute permission on a file means the file can be run. For example, the user can execute a program binary or a shell script.
The execute permission on a directory means the user can enter it (cd into it) and access the entries inside it by name. It does not by itself allow listing the directory contents; that requires read. In practice, write on a directory is only useful together with execute, because creating, removing or renaming an entry requires traversing the directory.
Special Permission Modes
Besides read, write and execute, there are a few special permission modes you can set on files and directories: SUID (set-user-ID), SGID (set-group-ID) and the sticky bit.
When the SUID bit is set on an executable file, the program runs with the effective user ID of the file's owner rather than that of the user who started it. A common example is /usr/bin/passwd, which is owned by root and has SUID set so that a normal user can update their own password entry. Run
ls -l /usr/bin/passwd
to see the bit. Because a SUID binary owned by root hands root's privileges to whoever runs it, keep the number of such binaries to a minimum and audit them regularly.
When SGID is set on an executable file, the program runs with the effective group ID of the file's group instead of the user's group, so the user gets the file group's permissions while it runs. When SGID is set on a directory, files and subdirectories created inside it inherit the directory's group rather than the creating user's primary group, which is how shared project directories are usually set up.
The sticky bit is normally set on world-writable directories such as /tmp. Once it is set on a directory, an entry inside it can only be deleted or renamed by the owner of that entry, the owner of the directory, or root, even though everyone can write to the directory.
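The following script is an added example and not part of the original tutorial. It sets each of the three special bits on scratch objects, shows how they appear in ls -l and stat, checks that a file created in an SGID directory inherits its group, and runs the kind of find command used to audit a host for SUID/SGID files. It assumes GNU coreutils and findutils (a normal Linux box); all paths under the mktemp directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original tutorial: set SUID, SGID and the sticky
# bit on scratch objects, show how each appears in `ls -l` and `stat`, and
# audit a tree for SUID/SGID files the way you would audit a host. Assumes GNU
# coreutils and findutils (Linux). Nothing outside a temporary directory is touched.
set -e
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Constructed objects: a tiny script, a shared project directory, a drop box.
printf '#!/bin/sh\nid -un\n' > "$work/setuid-prog"
mkdir "$work/shared" "$work/dropbox"

chmod 4755 "$work/setuid-prog"  # rwsr-xr-x: SUID, runs as the file owner
chmod 2775 "$work/shared"       # rwxrwsr-x: SGID dir, new entries inherit its group
chmod 1777 "$work/dropbox"      # rwxrwxrwt: sticky, only an entry's owner may delete it

# Octal mode as stat prints it; the leading digit carries the special bits.
mode_of() { stat -c '%a' "$1"; }

# The 10-character permission string from ls -l.
perm_string() { ls -ld "$1" | cut -c1-10; }

# Group assigned to a file created inside DIR (inherits DIR's group when SGID is set).
group_of_new_file() {
  : > "$1/newfile"
  stat -c '%G' "$1/newfile"
}

# SUID/SGID audit under a directory: -perm -4000 matches any file with the SUID
# bit whatever the other bits are; -o ORs in the SGID test. On a real host you
# would run this against / to enumerate privilege-escalation candidates.
find_special() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) -printf '%m %u %g %p\n'
}

for name in setuid-prog shared dropbox; do
  printf '%s  %s  %s\n' "$(mode_of "$work/$name")" "$(perm_string "$work/$name")" "$name"
done
echo "group of a new file in the SGID directory: $(group_of_new_file "$work/shared") (directory group: $(stat -c '%G' "$work/shared"))"
echo "SUID/SGID files under the scratch tree:"
find_special "$work"
```

Note that the kernel silently drops SGID when a user who is not a member of the file's group sets it, so on a shared directory verify the result with stat rather than trusting that chmod succeeded.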
How to View Linux Permissions
Use the ls -l command to view the permissions of the files and directories in the current directory (use ls -ld to see a directory itself rather than its contents). An alternative is the stat command, which also prints the mode in octal, for example stat -c '%a %A' file-name.
The first column of ls -l shows the file permissions. The permission string is 10 characters long. The first character indicates the object type (- for a regular file, d for a directory, l for a symbolic link). The next 3 characters show the owner's permissions, the following 3 the group's, and the last 3 those of others (world).
Identifying the permission characters:
"r" - read permission
"w" - write permission
"x" - execute permission
"-" - indicates no permission (in the first position it means the object is a regular file)
"s" - SUID (in the owner's execute position) or SGID (in the group's execute position), with the execute bit also set
"S" - SUID or SGID set, but the corresponding execute bit not set
"t" - sticky bit, with execute for others also set
"T" - sticky bit set, but execute for others not set
You can identify SUID by an "s" in place of the "x" in the owner's permissions, and SGID by an "s" in place of the "x" in the group's permissions. A file or directory with the sticky bit has "t" as the last character of the permission string. An uppercase "S" or "T" means the special bit is set without the matching execute bit; for SUID or SGID on a file that is usually a misconfiguration, since the file cannot be run.
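To make the mapping between the permission string and the octal mode concrete, here is an added example (not part of the original tutorial) that decodes the 10-character string ls -l prints into the octal value stat -c %a would print, handling s/S and t/T, and cross-checks it against stat on scratch files. It assumes GNU coreutils (Linux); the scratch file names under the mktemp directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original tutorial: decode the 10-character
# permission string that ls -l prints into its octal mode (special bits
# included) and cross-check the result with stat(1). Assumes GNU coreutils (Linux).
set -e

# perm_to_octal STRING -> octal mode as `stat -c %a` prints it.
#   -rwsr-xr-x -> 4755    drwxrwxrwt -> 1777    -rw-r--r-- -> 644
perm_to_octal() {
  special=0
  out=""
  i=0
  while [ "$i" -lt 3 ]; do
    # Characters 2-4, 5-7 and 8-10 are the owner, group and other triples.
    start=$((i * 3 + 2))
    triple=$(printf '%s' "$1" | cut -c"$start-$((start + 2))")
    # Weight of the special bit that lives in this triple's execute column:
    # SUID (4) for the owner, SGID (2) for the group, sticky (1) for others.
    if [ "$i" -eq 0 ]; then w=4; elif [ "$i" -eq 1 ]; then w=2; else w=1; fi
    val=0
    case $triple in r??) val=$((val + 4)) ;; esac
    case $triple in ?w?) val=$((val + 2)) ;; esac
    case $triple in
      ??x) val=$((val + 1)) ;;
      ??[st]) val=$((val + 1)); special=$((special + w)) ;;  # lower case: special bit AND execute
      ??[ST]) special=$((special + w)) ;;                    # upper case: special bit WITHOUT execute
    esac
    out="$out$val"
    i=$((i + 1))
  done
  if [ "$special" -eq 0 ]; then printf '%s\n' "$out"; else printf '%s%s\n' "$special" "$out"; fi
}

# perm_of_path PATH -> decode what ls -l shows for PATH.
perm_of_path() { perm_to_octal "$(ls -ld "$1" | cut -c1-10)"; }

# Cross-check on constructed scratch objects with representative modes.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
for m in 644 755 4755 2755 4644; do
  : > "$work/f$m"
  chmod "$m" "$work/f$m"
  printf '%-6s ls says %s  decoded %s  stat says %s\n' "f$m" \
    "$(ls -ld "$work/f$m" | cut -c1-10)" "$(perm_of_path "$work/f$m")" "$(stat -c '%a' "$work/f$m")"
done
mkdir "$work/d1777"
chmod 1777 "$work/d1777"
printf '%-6s ls says %s  decoded %s  stat says %s\n' d1777 \
  "$(ls -ld "$work/d1777" | cut -c1-10)" "$(perm_of_path "$work/d1777")" "$(stat -c '%a' "$work/d1777")"
```

The decoder only looks at the first 10 characters, so a trailing "+" (ACL present) or "." (SELinux label) that ls may append is ignored; if you see a "+", remember that getfacl can reveal access the mode string does not show.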
Change File Permissions
To change file permissions in Linux, use the chmod command. Files and directories need the correct permission settings to behave as intended.
Incorrect permissions cause security problems (users reading or modifying files they should not) and also break applications, for example a website whose web server can no longer read its own files. Both are fixed by changing the permissions. Make sure configuration and system files are not writable by inappropriate users, grant them read permission only, and keep files that hold secrets unreadable to everyone but their owner.
chmod accepts either symbolic mode or numerical mode to specify permissions. You need to be root, be the file owner, or have sudo privileges to change a file's permissions.
Change file/directory permissions using chmod (numerical mode)
chmod numerical mode is also known as absolute mode, because it sets all of the permission bits at once. It is the most commonly used method.
Read, write and execute are each assigned a number. We add those numbers together to set permissions on files and directories.
Linux permission numbers (octal values) are:
- r (read) = 4
- w (write) = 2
- x (execute) = 1
- no permission = 0
Syntax of chmod in numerical mode:
chmod <permission-number> <file-name or directory-name>
The permission number is normally a 3-digit octal number; each digit is the sum of the values for one class. The first digit represents the owner, the second the group, and the last others.
For example, to set permissions on a folder:
chmod 777 hello-programs
The first 7 means rwx (4+2+1) for the owner of the directory. 777 means full permission (read, write and execute) for the owner, group and others. It is rarely what you want, since anyone on the system can then modify the contents.
Numerical mode always sets the permissions of all three classes (owner, group and others) at the same time.
To add a special permission (SUID, SGID or the sticky bit) in numerical mode, use 4 digits. The first digit sets the special bits:
- SUID = 4
- SGID = 2
- sticky bit = 1
- no special permission = 0
For example, to set the sticky bit on the /tmp directory (its standard mode):
chmod 1777 /tmp
When there are many files and directories, you can change permissions recursively:
chmod -R 755 directory-name
Be careful with -R and a single numerical mode: the same mode lands on every directory and every regular file, so the command above makes every file in the tree executable. Use find with -type d and -type f to treat them separately, or the symbolic X permission described in the next section.
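The following script is an added example, not part of the original tutorial. It builds a small constructed web-root tree, shows what chmod -R 755 does to the data files in it, and then applies the find idiom that gives directories and regular files different modes and locks down a config file. It assumes GNU coreutils and findutils (Linux); the file names under the mktemp directory are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original tutorial: what `chmod -R 755` does to a
# tree of data files, and the find(1) idiom that treats directories and regular
# files separately. Assumes GNU coreutils and findutils (Linux). Everything
# happens in a scratch directory; no real path is touched.
set -e
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Constructed sample web root: a directory, a stylesheet and a config file.
mkdir -p "$work/site/css"
printf 'body { margin: 0 }\n' > "$work/site/css/style.css"
printf '<?php $db_pass = "example";\n' > "$work/site/config.php"

mode_of() { stat -c '%a' "$1"; }

# Number of regular files that anyone on the host may execute (0 is the goal).
count_world_exec_files() { find "$1" -type f -perm -o=x | wc -l; }

# The naive recursive command: every regular file becomes world-executable.
chmod -R 755 "$work/site"
echo "after chmod -R 755: style.css=$(mode_of "$work/site/css/style.css") world-exec files=$(count_world_exec_files "$work/site")"

# fix_tree DIR: directories get 755 (x is needed to traverse them), regular
# files get 644, and the file holding credentials is restricted to its owner.
fix_tree() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
  chmod 600 "$1/config.php"
}
fix_tree "$work/site"
echo "after fix_tree: css/=$(mode_of "$work/site/css") style.css=$(mode_of "$work/site/css/style.css") config.php=$(mode_of "$work/site/config.php") world-exec files=$(count_world_exec_files "$work/site")"
```

The -exec ... {} + form passes many paths to one chmod invocation, which matters on large trees; on a real web root the owner would normally be the deploying user and the group the web server's, with the config file made readable to that group only.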
Change file/directory permissions using chmod (symbolic mode)
The chmod symbolic mode is also known as relative mode, because it can change some permission bits and leave the rest as they are. In symbolic mode chmod uses the characters u (user, the owner), g (group), o (others) and a (all users) to select the class.
Basic Syntax of chmod symbolic mode:
chmod <ugoa><-+=><rwxst> file-name or directory-name
"-" - Removes only the specified permissions from the class
"+" - Adds the specified permissions to those the class already has
"=" - Replaces the class's permissions with exactly those specified (an empty right-hand side, such as o=, removes all of them)
There is also a special permission letter X, which sets execute only on directories and on files that already have execute for some class; it is the safe way to add execute recursively without making data files executable.
For example, the following are three equivalent ways to set full permission on a directory:
chmod u=rwx,g=rwx,o=rwx directory-name
chmod ugo+rwx directory-name
chmod a+rwx directory-name
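The following script is an added example and not part of the original tutorial. It applies the symbolic operators +, - and = one at a time to a scratch file, and X to a scratch file and directory, printing the octal mode from stat after each step so the effect of each operator is visible. It assumes GNU coreutils (Linux); the object names under the mktemp directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original tutorial: the symbolic-mode operators
# +, - and =, plus the X permission, applied step by step to a scratch file and
# directory, with stat(1) showing the octal result. Assumes GNU coreutils (Linux).
set -e
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
f="$work/notes.txt"
d="$work/project"
: > "$f"
mkdir "$d"

mode_of() { stat -c '%a' "$1"; }

# step MODE PATH: apply one symbolic mode and print the resulting octal mode.
step() { chmod "$1" "$2"; mode_of "$2"; }

chmod 600 "$f"
chmod 700 "$d"
echo "start:            file=$(mode_of "$f") dir=$(mode_of "$d")"
echo "g+r      file  -> $(step g+r "$f")"        # 640: + adds to what is already there
echo "o=r      file  -> $(step o=r "$f")"        # 644: = sets the class to exactly r
echo "a-w      file  -> $(step a-w "$f")"        # 444: - removes w from every class
echo "u=rw,go= file  -> $(step u=rw,go= "$f")"   # 600: an empty right-hand side clears the class
# X grants execute only to directories and to files that are already
# executable for some class, so it is safe on a mixed tree with -R.
echo "a+X      file  -> $(step a+X "$f")"        # 600: a plain data file is left alone
echo "a+X      dir   -> $(step a+X "$d")"        # 711: a directory gets search permission
echo "go=rX    dir   -> $(step go=rX "$d")"      # 755
```

Because every step is relative, the order matters: the same list of operations applied to a file that started at 664 would end at a different mode, which is exactly why = (or a numeric mode) is preferable when you need a known final state.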
Change Permissions examples
Let's check some more examples of changing permissions with the chmod command.
1. chmod 755 directory-name
This is equivalent to chmod u=rwx,go=rx
This sets read, write and execute (full permission) for the owner, and read and execute for the group and others.
2. chmod +x filename
This is equivalent to chmod ugo+x or chmod u+x,g+x,o+x, with one subtlety: when no class is given, bits that are set in the umask are not affected. Write a+x if you want execute added for all classes unconditionally.
This sets execute permission for the owner, group and others.
3. chmod 750 directory-name
This is equivalent to chmod u=rwx,g=rx,o=
This sets full permission for the owner, read and execute for the group, and no permission for others.
4. chmod u+rwx directory-name
Adds read, write and execute permission for the owner and leaves the group and others permissions unchanged. Unlike =, the + operator never removes anything.
5. chmod -R 700 directory-name
Recursively sets full permission for the owner and removes all access for the group and others, on the directory and everything inside it.
6. chmod go-rwx filename
Removes read, write and execute permission for the group and others on the file.
In this tutorial, we learned about Linux permissions, how to view them, and how to modify them with chmod in numerical and symbolic mode.