
Linux permissions control how users access, modify, and execute files or directories on a system. Efficient management of user permissions improves system security and access control by preventing unauthorized access to sensitive data, files, and directories.
This article explains how to manage file and directory permissions in Linux. You will explore the available permission modes and use the chmod and chown commands to change permissions on your Linux workstation.
Linux Permissions
Linux permissions are categorized into read, write, execute (RWX), which define the user or group privileges to a file or directory. Each Linux permission provides a specific privilege level, as described below.
- Read (r): View the contents of a file or list the contents of a directory.
- Write (w): Modify, add, remove, or rename files in a directory.
- Execute (x): Run a file or access the files in a directory.
Linux permissions can be assigned to the following user classes:
- Owner: The user who owns the file or directory.
- Group: The group associated with the file or directory.
- Others: All other system users.
If a user owns a file and belongs to its group, the owner's permissions override the group's permissions. If the owner has read permissions (r), but no write or execute permissions, they cannot write or execute a file even if the group has full permissions (rwx).
To grant users specific group permissions, you can add them to a group using the usermod or gpasswd command.
String Representation of Linux Permissions
Files and directories use a 10-character format to represent the user permissions. You can view the string-based permissions on a file or directory by running a command such as ls -l. Within the output:
The first character represents the file type, such as:
- -: Regular file.
- d: Directory.
- l: Symbolic link.
- b: Block device or special file, such as disks and partitions.
- c: Character device or special file, such as terminals and serial ports.
- p: Named pipe.
- s: Socket.
- D: Door.
The next nine characters represent the user and group permissions on a file or directory in the following order:
- Owner: First three characters
- Group: Next three characters
- Others: Last three characters
Below is an example of a string-based permission:
```
drwxrw-r-- example.com
```
In the above ls -l command output:
- d: Specifies that example.com is a directory.
- rwx: Represents the owner permissions to the directory. The user has read, write, and execute (rwx) permissions to the directory based on the above output.
- rw-: Represents the group permissions. The group has read and write (rw) permissions based on the above output.
- r--: Represents the permissions for other users. Other system users have read-only (r) permissions to the directory.
How to Calculate Linux Permissions
Linux permissions use binary values to represent different access levels with the following format.
| Permission | Binary | Value |
|---|---|---|
| Read (r) | 100 | 4 |
| Write (w) | 010 | 2 |
| Execute (x) | 001 | 1 |
| None (-) | 000 | 0 |
For example:
- Read + Write: 4 + 2 = 6 (binary: 110, symbol: rw-)
- Read + Execute: 4 + 1 = 5 (binary: 101, symbol: r-x)
- Write + Execute: 2 + 1 = 3 (binary: 011, symbol: -wx)
- Read + Write + Execute: 4 + 2 + 1 = 7 (binary: 111, symbol: rwx)
Common Linux Permissions
Below are the common Linux permissions and the representation for the owner, group, and other users.
- 644:
| Permission Type | Read (r) | Write (w) | Execute (x) | None (-) | Total Value |
|---|---|---|---|---|---|
| Owner (u) | 4 | 2 | 0 | 0 | 6 |
| Group (g) | 4 | 0 | 0 | 0 | 4 |
| Others (o) | 4 | 0 | 0 | 0 | 4 |
The owner can read and write the file based on the 644 representation while the group and other users can only read the file.
- 755:
| Permission Type | Read (r) | Write (w) | Execute (x) | None (-) | Total Value |
|---|---|---|---|---|---|
| Owner (u) | 4 | 2 | 1 | 0 | 7 |
| Group (g) | 4 | 0 | 1 | 0 | 5 |
| Others (o) | 4 | 0 | 1 | 0 | 5 |
The owner has full permissions (read, write, and execute) while the group and other users have read and execute permissions based on the above 755 representation.
- 777:
| Permission Type | Read (r) | Write (w) | Execute (x) | None (-) | Total Value |
|---|---|---|---|---|---|
| Owner (u) | 4 | 2 | 1 | 0 | 7 |
| Group (g) | 4 | 2 | 1 | 0 | 7 |
| Others (o) | 4 | 2 | 1 | 0 | 7 |
The owner, group, and other users have full permissions to the file based on the above 777 representation.
Using sudo while reading or executing a file enables root superuser privileges, which override any existing permissions.
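The calculation described above can be automated. The following added example (not part of the original article) converts an ls -l permission string to its numeric mode; it goes beyond the three rwx digits and also handles the s and t characters covered under special permissions later in this article. The function names perm_to_octal and triplet_value are hypothetical.

```shell
#!/bin/sh
# Added example: convert an ls -l permission string to its numeric mode.
# perm_to_octal and triplet_value are hypothetical helper names.

# triplet_value <rwx triplet> <s|t>
# Prints "<digit> <flag>": the 0-7 value of the triplet and 1 when the
# special bit carried in the execute position (s/S or t/T) is set.
triplet_value() {
    trip=$1 low=$2 value=0 flag=0
    case $low in s) up=S ;; t) up=T ;; *) return 1 ;; esac
    case $trip in r??) value=$((value + 4)) ;; -??) ;; *) return 1 ;; esac
    case $trip in ?w?) value=$((value + 2)) ;; ?-?) ;; *) return 1 ;; esac
    case $trip in
        ??x) value=$((value + 1)) ;;
        ??-) ;;
        ??"$low") value=$((value + 1)); flag=1 ;;  # special bit and execute
        ??"$up") flag=1 ;;                          # special bit, no execute
        *) return 1 ;;
    esac
    printf '%s %s\n' "$value" "$flag"
}

# perm_to_octal <10-character string such as drwxrw-r-->
# Prints four digits: special bits (SUID 4, SGID 2, sticky 1), owner,
# group, others. Returns 1 on malformed input.
perm_to_octal() {
    perm=${1%[.+]}            # GNU ls may append . (SELinux) or + (ACL)
    [ "${#perm}" -eq 10 ] || return 1
    rest=${perm#?}            # drop the file-type character
    mid=${rest#???}           # group and others triplets
    u=$(triplet_value "${rest%??????}" s) || return 1
    g=$(triplet_value "${mid%???}" s) || return 1
    o=$(triplet_value "${mid#???}" t) || return 1
    uf=${u#* } gf=${g#* } of=${o#* }
    special=$((uf * 4 + gf * 2 + of))
    printf '%s%s%s%s\n' "$special" "${u% *}" "${g% *}" "${o% *}"
}

# Strings taken from the article's ls -l examples.
for p in drwxrw-r-- -rwxr-xr-x -rwsr-xr-x drwxr-sr-x drwxr-xr-t; do
    printf '%s -> %s\n' "$p" "$(perm_to_octal "$p")"
done
```

An uppercase S or T in a listing means the special bit is set but the matching execute bit is not, which is usually a misconfiguration worth checking.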
View File and Directory Permissions
Long listing a file or directory using ls -l displays the file permissions, ownership, size, and modification time. Long listing a directory with the -d option displays its permissions instead of the contents. Follow the steps below to view the file and directory permissions using the ls command.
Create a new sample file such as file.txt and a directory such as /var/www/html.
```console
$ touch file.txt && sudo mkdir -p /var/www/html
```
Use the ls -l command to view the user permissions on a file.
```console
$ ls -l file.txt
```
Your output should be similar to the one below:
```
-rwxr-xr-x 1 user group 1024 Jan 1 12:00 file.txt
```
Within the above output:
- -: Shows that file.txt is a regular file.
- rwx: Represents the owner's permissions.
- r-x: Represents the group permissions.
- r-x: Represents other user permissions on the file.
Use the ls -ld command to view the /var/www/html directory permissions.
```console
$ ls -ld /var/www/html
```
Your output should be similar to the one below:
```
drwxr-xr-x 2 user group 4096 Jan 1 12:30 /var/www/html
```
Within the output:
- d: Shows that /var/www/html is a directory.
- rwx: Represents the directory owner's permissions.
- r-x: Represents the group permissions.
- r-x: Represents other user permissions on the directory.
Change File and Directory Permissions
You can change file and directory permissions using the chmod command in two modes, the numeric and symbolic mode. Follow the steps below to change file and directory permissions using the chmod command.
Use the following syntax to change permissions using the chmod command.
```console
$ chmod [permissions] [file or directory]
```
Change Permissions Using Numeric Mode
You can assign permissions using three digits representing the owner, group, and others in numeric mode. Each digit is the sum of read (4), write (2), and execute (1) permissions as illustrated below.
- Read (r): 4
- Write (w): 2
- Execute (x): 1
- No permissions (-): 0
For example:
Change the file.txt permissions to 755.
```console
$ chmod 755 file.txt
```
The above command sets the file.txt permissions to 755 to allow all users to read and execute the file, but only the owner to modify it.
Change the /var/www/html directory permissions to 755.
```console
$ sudo chmod 755 /var/www/html
```
The above command sets the /var/www/html directory permissions to 755, allowing all users to view the directory contents, but only the owner can add new files.
Recursively apply permissions to all files and subdirectories in a directory using the -R option.
```console
$ sudo chmod -R 755 /var/www/html
```
The above command enables 755 permissions for all files and subdirectories in the /var/www/html directory, allowing all users to navigate the directory and to read and execute files, but only the owner can modify the contents.
Change Permissions Using Symbolic Mode
Linux permissions are represented by symbols or letters in symbolic mode with the following classification.
- u: Represents file or directory owner.
- g: Represents the group associated with a file or directory.
- o: Represents other system users who are neither the owner nor part of the group.
- a: Represents all users, including the owner, group, and others.
Use the following operators to assign, remove, or set permissions:
- +: Adds a permission.
- -: Removes a permission.
- =: Explicitly sets the permission and overwrites the active permissions.
Use the following chmod command syntax to change permissions using the symbolic mode.
```console
$ chmod [userclass][operator][permissions] [filename or directory]
```
For example:
Grant the owner read (r), write (w), and execute (x) permissions on file.txt.
```console
$ chmod u+rwx file.txt
```
Remove execute (x) permission from the group on the /var/www/html directory.
```console
$ sudo chmod g-x /var/www/html
```
Enable read (r) permissions for all users on file.txt.
```console
$ chmod a+r file.txt
```
Change the file owner's permission to read-only, removing write (w) and execute (x) permissions.
```console
$ chmod u=r file.txt
```
Use the -R option to apply permissions recursively on the /var/www/html directory.
```console
$ sudo chmod -R a+rx /var/www/html
```
The above command adds read (r) and execute (x) permissions for all users on the /var/www/html directory and its contents.
Modify multiple user categories in a single command.
```console
$ chmod ug+rw file.txt
```
The above command adds read (r) and write (w) permissions to both the owner and group on file.txt.
Modify different permissions for multiple user classes on file.txt in a single command.
```console
$ chmod u+rwx,g+w,o+x file.txt
```
The above command enables read (r), write (w), and execute (x) permissions for the owner, write (w) permission for the group, and execute (x) permissions to other users on file.txt.
How to Set Special Permissions (Sticky Bit, SUID, SGID)
Sticky bit, Set User ID (SUID), and Set Group ID (SGID) are special permissions that enable administrators to control file and directory access in multi-user environments. Follow the sections below to use special permissions on files and directories on your workstation.
Sticky Bit
Sticky bit applies only to directories and ensures that only the owner can rename, delete, or move files in a directory. Sticky bit supports both numeric and symbolic modes to enable special permissions. Follow the steps below to enable sticky bit permissions on the /var/www/html directory you created earlier.
Use the +t option to enable sticky bit on the /var/www/html directory.
```console
$ sudo chmod +t /var/www/html
```
Use the 1 option with the chmod command to enable sticky bit on a directory. For example, set the /var/www/html directory permissions to 755 and enable sticky bit.
```console
$ sudo chmod 1755 /var/www/html
```
Within the above command:
- 1: Enables the sticky bit.
- 7: Grants read (r), write (w), and execute (x) permissions to the owner.
- 5: Grants read (r) and execute (x) permissions to the group.
- 5: Grants read (r) and execute (x) permissions to other users.
List the directory permissions to verify the sticky bit changes.
```console
$ ls -ld /var/www/html
```
Your output should be similar to the one below:
```
drwxr-xr-t 2 user group 4096 Jan 1 12:00 /var/www/html
```
Sticky bit is active on the /var/www/html directory based on the t option in the above output.
Set User ID (SUID)
Set User ID (SUID) enables the execution of a file with the privileges of its owner instead of the active user running it. This is useful for executable files such as scripts that may require elevated privileges. Follow the steps below to use the SUID permission on your Linux workstation.
Create a sample hello.sh script to use as an executable file.
```console
$ touch hello.sh
```
Use the u+s option with the chmod command to enable the SUID bit on hello.sh.
```console
$ chmod u+s hello.sh
```
The above command allows all users to execute the hello.sh file with the permissions of the file owner.
Use numeric mode by adding 4 as the leading digit in the permission value to enable SUID.
```console
$ chmod 4755 hello.sh
```
Within the above command:
- 4: Enables the SUID bit.
- 7: Grants read (r), write (w), and execute (x) permissions to the owner.
- 5: Grants read (r) and execute (x) permissions to the group.
- 5: Grants read (r) and execute (x) permissions to other users.
View the hello.sh script permissions to verify that the SUID bit is active.
```console
$ ls -l hello.sh
```
Your output should be similar to the one below:
```
-rwsr-xr-x 1 root root 1024 Jan 15 20:43 hello.sh
```
The SUID bit is active on the hello.sh script based on the s value in the owner permissions (rws).
Set Group ID (SGID)
Set Group ID (SGID) applies to executable files and directories and enables file execution using the group's permissions instead of the user's permissions. Follow the steps below to enable SGID with files and directories on your Linux workstation.
Use the g+s option with the chmod command to enable SGID permissions. For example, enable SGID on the hello.sh script.
```console
$ sudo chmod g+s hello.sh
```
Enable SGID on the /var/www/html directory.
```console
$ sudo chmod g+s /var/www/html
```
Use the 2 numeric mode to enable SGID while setting file permissions. For example, enable SGID and 755 permissions on the hello.sh script.
```console
$ sudo chmod 2755 hello.sh
```
Within the above command:
- 2: Enables the SGID bit.
- 7: Grants read (r), write (w), and execute (x) permissions to the owner.
- 5: Grants read (r) and execute (x) permissions to the group.
- 5: Grants read (r) and execute (x) permissions to other users.
View the hello.sh file permissions and verify that SGID is active.
```console
$ ls -l hello.sh
```
Your output should be similar to the one below:
```
-rwxr-sr-x 1 user group 123456 Jan 1 12:00 hello.sh
```
The SGID bit is active on the hello.sh script based on the s option in the group permissions (-rwxr-sr-x) in the above output.
List the /var/www/html permissions and verify that SGID is active.
```console
$ ls -ld /var/www/html
```
Your output should be similar to the one below:
```
drwxr-sr-x 2 user group 4096 Jan 1 12:00 /var/www/html
```
The SGID bit is active on the /var/www/html directory based on the s option in the group's permissions (drwxr-sr-x) in the above output.
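SUID, SGID, and world-writable directories without the sticky bit all change who can do what on a system, so it helps to list where they are set. The following added example (not from the original article) audits a directory tree with find; the function names audit_special_perms and build_sample_tree and the sample tree itself are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a tree for the special permissions described above.
# audit_special_perms and build_sample_tree are hypothetical helper names.

# Print one "TAG path" line per finding under directory $1.
audit_special_perms() {
    root=$1
    # Files that run with their owner's identity (SUID, leading digit 4).
    find "$root" -xdev -type f -perm -4000 | sed 's/^/SUID /'
    # Files that run with their group's identity (SGID, leading digit 2).
    find "$root" -xdev -type f -perm -2000 | sed 's/^/SGID /'
    # Directories writable by others that lack the sticky bit (1), so
    # users can rename or delete files they do not own.
    find "$root" -xdev -type d -perm -0002 ! -perm -1000 | sed 's/^/NOSTICKY /'
    # Regular files writable by others (last digit includes 2).
    find "$root" -xdev -type f -perm -0002 | sed 's/^/WORLD-WRITABLE /'
}

# Constructed sample tree so the audit has something to report.
build_sample_tree() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/shared" "$dir/dropbox" "$dir/site"
    touch "$dir/hello.sh" "$dir/report.sh" \
          "$dir/site/index.html" "$dir/site/notes.txt"
    chmod 4755 "$dir/hello.sh"          # SUID, as in the article
    chmod 2755 "$dir/report.sh"         # SGID
    chmod 1777 "$dir/shared"            # sticky bit set: not reported
    chmod 0777 "$dir/dropbox"           # world-writable, no sticky bit
    chmod 0644 "$dir/site/index.html"   # ordinary file: not reported
    chmod 0666 "$dir/site/notes.txt"    # world-writable file
    printf '%s\n' "$dir"
}

sample=$(build_sample_tree) && audit_special_perms "$sample"
rm -rf "$sample"
```

The Linux kernel ignores SUID and SGID on interpreted scripts such as hello.sh, so findings on compiled binaries are the ones that change effective privileges. Compare the output against a known-good baseline for the system rather than treating every finding as a fault.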
Change User and Group Ownership Permissions
You can change user and group ownership permissions on files or directories using the chown command. Follow the steps below to change the user and group ownership permissions using the chown command on your Linux workstation.
Use the following chown command syntax when changing user and group ownership permissions:
```console
$ chown [options] user:group [filename/directory]
```
For example:
Grant linuxuser ownership privileges to file.txt.
```console
$ sudo chown linuxuser file.txt
```
The above command sets linuxuser as the file.txt owner while keeping the group ownership unchanged.
Grant the www-data group ownership privileges to the /var/www/html directory.
```console
$ sudo chown :www-data /var/www/html
```
The above command sets www-data as the group owner of the /var/www/html directory while the user ownership remains unchanged.
Specify the user and group separated by : to change both the owner and group of a file or directory. For example, grant the www-data user and group ownership privileges to the /var/www/html directory.
```console
$ sudo chown www-data:www-data /var/www/html
```
Use the -R option to recursively change the owner and group for all files and subdirectories. For example, grant the www-data user and group ownership privileges to the /var/www/html directory and all subdirectories.
```console
$ sudo chown -R www-data:www-data /var/www/html
```
Use the --reference option to copy the ownership permissions of one file to another. For example, copy the /var/www/html user and group permissions to file.txt.
```console
$ sudo chown --reference=/var/www/html file.txt
```
View the owner and group permissions of file.txt and the /var/www/html directory to verify the changes.
```console
$ ls -l file.txt && ls -ld /var/www/html
```
Your output should be similar to the one below:
```
-rwxr-xr-- 1 www-data www-data 1024 Jan 1 12:00 file.txt
drwxr-xr-x 2 www-data www-data 4096 Jan 1 12:30 /var/www/html
```
Conclusion
You have managed file and directory permissions on your Linux workstation. Permissions define the access level and how system users interact with files or directories. You can use the chmod and chown commands to set permissions for specific files or directories to set up user access levels. For more information, run the man chown and man chmod commands to view the respective manual pages on your Linux workstation.