LPIC 101 – Managing File Permissions on Linux

In this guide, we show you how to manage files and permissions on Linux. The core security feature of Linux is file and directory permissions. To ensure the privacy of users who might want to keep the contents of their files confidential as well as to ensure collaboration by making certain files accessible to multiple users, Linux needs some way to track who owns each file and whether or not a user is allowed to perform actions on a file.

This is done through a three-level permissions system. Every file on disk is owned by a user and a user group and has three sets of permissions:

  • Owner: Within the Linux system, each file and directory is assigned to a single owner.
  • Group: The Linux system also assigns each file and directory to a single group of users. The administrator can assign that group specific privileges to the file or directory that differ from the owner privileges.
  • Others: This category of permissions is assigned to accounts that are neither the file owner nor members of the assigned user group.

Checking Files and Directories Ownership

You can view the assigned owner and group for a file or directory by adding the -l (long listing format) and -h (print sizes like 1K, 234M, 2G etc.) options to the ls command.

$ ls -lh
total 8.0K
-rw-rw-r-- 1 pilot frank    0 Apr 13 18:26 anotherlist.txt
-rw-rw-r-- 1 frank frank    0 Apr 13 18:21 classified.txt
drwxrwxr-x 2 pilot frank 4.0K Apr 14 14:23 Contents
drwxrwxr-x 2 frank Tech  4.0K Apr 14 10:39 Dir1
-rw-rw-r-- 1 frank Tech     0 Apr 14 16:03 file21.txt

In the output above, the first column shows the access permissions assigned to the owner, group, and others. The third column shows the user account assigned as the owner of the file (pilot or frank), and the fourth column shows the group assigned to the file (frank or Tech).

Changing a File’s Ownership

Every file in Linux is owned by a user and by a group, and either ownership can be changed to a different user (owner) or group.

Changing a File’s Owner

The root user account, or a user with super user privileges (for example through sudo), can change the owner assigned to a file or directory by using the chown command.

Syntax:

chown [OPTIONS] NEWOWNER FILENAMES
  • NEWOWNER parameter: is the username of the new owner to assign to the file or directory.
  • FILENAMES parameter: is the name of the file or directory to change.

You can specify more than one file or directory by placing a space between each file or directory name.

Using the ls -lh command, we can check the ownership of the files in the current directory:

$ ls -lh
total 8.0K
-rw-rw-r-- 1 pilot frank    0 Apr 13 18:26 anotherlist.txt
-rw-rw-r-- 1 frank frank    0 Apr 13 18:21 classified.txt
drwxrwxr-x 2 pilot frank 4.0K Apr 14 14:23 Contents

Changing the owner of anotherlist.txt and Contents to frank with the chown command:

$ sudo chown frank anotherlist.txt Contents

Now we can issue the ls -lh command to check the owner of anotherlist.txt and of the Contents directory:

$ ls -lh
total 8.0K
-rw-rw-r-- 1 frank frank    0 Apr 13 18:26 anotherlist.txt
-rw-rw-r-- 1 frank frank    0 Apr 13 18:21 classified.txt
drwxrwxr-x 2 frank frank 4.0K Apr 14 14:23 Contents

You can see that the new owner of both entries is frank. You can use the -R option to recursively change the owner of all files under the specified directory.

Changing a File’s Group

The file or directory owner, the root user account, or an account with super user privileges can change the group assigned to the file or directory by using the chgrp command.

Syntax:

chgrp [OPTIONS] NEWGROUP FILENAMES
  • NEWGROUP parameter: is the name of the new user group assigned to the file or directory.
  • FILENAMES parameter: is the name of the file or directory to change.

Using the ls -lh command, let’s check the group owners of the files in the current directory:

$ ls -lh
total 8.0K
-rw-rw-r-- 1 frank frank    0 Apr 13 18:26 anotherlist.txt
-rw-rw-r-- 1 frank frank    0 Apr 13 18:21 classified.txt
drwxrwxr-x 2 frank frank 4.0K Apr 14 14:23 Contents

We find that the group that owns the files is frank.

Changing the group of the files to Tech with the chgrp command:

$ sudo chgrp Tech anotherlist.txt classified.txt Contents

Now we can issue the ls -lh command to check the group of anotherlist.txt, classified.txt and Contents:

$ ls -lh
total 8.0K
-rw-rw-r-- 1 frank Tech     0 Apr 13 18:26 anotherlist.txt
-rw-rw-r-- 1 frank Tech     0 Apr 13 18:21 classified.txt
drwxrwxr-x 2 frank Tech  4.0K Apr 14 14:23 Contents

You can see that the new group of the files is Tech. The chgrp command also uses the -R option to recursively change the group assigned to all files and directories under the specified directory.

With super user privileges, the chown command also lets you change both the owner and the group assigned to a file or directory at the same time (first format below), or only the group (second format):

chown NEWOWNER:NEWGROUP FILENAMES
chown :NEWGROUP FILENAMES

You can check your current group’s name by issuing the id -gn command. And if you have membership in another group and need to make that group your current group, type newgrp groupname at the command line.

Controlling Access to Files

Once the owner and group of a file or directory are set, Linux grants or denies access based on those settings and on the basic permissions (read, write and execute) assigned to the owner, the group and everyone else. You can assign any of these basic permissions to a file or directory in your system.

Understanding Filetypes

When you use the -l option with ls command, you’ll find lots of information concerning a file, including its file type code.

Viewing a file’s long listing format with the ls -l command:

$ ls -l classified.txt
-rw-rw-r-- 1 frank Tech 0 Apr 13 18:21 classified.txt

In the above output, we obtain the following information about the file:

  • File type code (-)
  • Permission string (rw-rw-r--)
  • Hard link count (1)
  • File owner (frank)
  • File group (Tech)
  • File size (0 bytes)
  • Last modification date (Apr 13 18:21)
  • Filename (classified.txt)

File Type Codes

  • - (normal file): A file contains data of any kind. Files can be modified, moved, copied and deleted.
  • d (directory): A directory contains other files or directories and helps to organize the file system. Technically, directories are a special kind of file.
  • l (symbolic link): This “file” is a pointer to another file or directory elsewhere in the filesystem.
  • b (block device): This file stands for a virtual or physical device, usually disks or other kinds of storage devices, such as the first hard disk which might be represented by /dev/sda.
  • c (character device): This file stands for a virtual or physical device. Terminals (like the main terminal on /dev/ttyS0) and serial ports are common examples of character devices.
  • s (socket): Sockets serve as “conduits” passing information between two programs.

Understanding Permissions

The file permissions are shown right after the file type, as three groups of three characters each (owner, group and others), each group in the order r, w and x. Here is what they mean. Keep in mind that a dash (-) represents the lack of a permission.

Permissions on Files

r: Stands for read and has an octal value of 4. This means permission to open a file and read its contents.

w: Stands for write and has an octal value of 2. This means permission to edit or delete a file.

x: Stands for execute and has an octal value of 1. This means that the file can be run as an executable or script.

So, for example, a file with permissions rw- can be read and written to, but cannot be executed.

Permissions on Directories

r: Stands for read and has an octal value of 4. This means permission to read the directory’s contents, like filenames. But it does not imply permission to read the files themselves.

w: Stands for write and has an octal value of 2. This means permission to create or delete files in a directory, or change their names, permissions and owners.

If a user has the w permission on a directory, the user can change permissions of any file in the directory (the contents of the directory), even if the user has no permissions on the file or if the file is owned by another user.

x: Stands for execute and has an octal value of 1. This means permission to enter a directory, but not to list its files (for that r is needed).
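The distinction between r and x on a directory is easy to get wrong, so here is an added example (not part of the original tutorial) in POSIX shell. It creates a throwaway directory containing one file under mktemp, applies a mode you choose to the directory, and reports whether the directory can be listed and whether the known file inside it can be opened. The names d, f and probe_dir_mode are assumptions of this example. Root bypasses these permission checks, so run it as an ordinary user to see the denials.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: show what the r and x
# bits on a directory each allow, using a throwaway directory under mktemp.
# Names (d, f, probe_dir_mode) are assumptions of this example.

# probe_dir_mode MODE
#   Creates <tmp>/d containing a file f, sets the directory to MODE, then
#   tries (1) to list the directory (readdir, needs r) via shell globbing and
#   (2) to open the known file inside it (path traversal, needs x) with cat.
#   Prints "list=<ok|denied> read=<ok|denied>". Root bypasses both checks.
probe_dir_mode() {
    dirmode=$1
    base=$(mktemp -d)
    mkdir "$base/d"
    printf 'secret\n' > "$base/d/f"
    chmod "$dirmode" "$base/d"

    # Listing: a glob only needs readdir, so it expands when r is set and
    # stays a literal pattern when it is not.
    set -- "$base/d"/*
    if [ "$1" != "$base/d/*" ]; then listed=ok; else listed=denied; fi

    # Opening a file by name needs x on every directory in its path.
    if cat "$base/d/f" >/dev/null 2>&1; then readable=ok; else readable=denied; fi

    chmod 700 "$base/d"          # restore rwx so the cleanup can remove it
    rm -rf "$base"
    printf 'list=%s read=%s\n' "$listed" "$readable"
}

# Demonstration: r alone lists names but cannot open files, x alone opens a
# known file but cannot list, r and x together allow both.
for m in 400 100 500; do
    printf 'mode %s: %s\n' "$m" "$(probe_dir_mode "$m")"
done
```

The practical consequence for a defender: a directory with x but no r still lets anyone who already knows a file name inside it open that file, so removing r from a directory hides names but does not protect contents.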

Changing a File’s Mode

The command chmod is used to modify the permissions for a file, and takes at least two parameters:

  • The first parameter describes the change to make: which permissions (read, write or execute) to add, remove or set, and for whom (owner, group or others).
  • The second parameter names the file or directory where the change will be made.

Only the owner of the file, or the system administrator (root) can change the permissions on a file.

The permissions to change can be described in two different modes.

  • symbolic mode: denotes permissions with a letter code for the read (r), write (w) or execute (x) permission, combined with a letter for whom the permission applies to.
  • octal mode: the nine permission bits are represented as three octal digits, one each for the owner, group and others permissions.

Using chmod with Symbolic Mode

Symbolic mode uses the following codes for whom a permission applies to:

  • u: owner
  • g: group
  • o: others
  • a: all (owner, group and others)

The who code and the permission code are joined with a plus sign (+) if you want to add the permission, a minus sign (-) to remove the permission, or an equal sign (=) to set the permission as the only permission.

For example, take a file classified.txt with the following permissions:

$ ls -l classified.txt
-rw-rw-r-- 1 frank Tech 0 Apr 13 18:21 classified.txt

To grant execute permissions to the owner of the file, you would use the u+x parameter.

$ chmod u+x classified.txt

Let us check the result with the ls -l command:

$ ls -l
total 0
-rwxrw-r-- 1 frank Tech     0 Apr 13 18:21 classified.txt

To remove write permission from members of the group owning the file, you would use the g-w parameter.

$ chmod g-w classified.txt

Let us check the result with the ls -l command:

$ ls -l
total 0
-rwxr--r-- 1 frank Tech     0 Apr 13 18:21 classified.txt

To set the permissions to exactly rwx for everyone, use a=rwx.

$ chmod a=rwx classified.txt

Let us check the result with the ls -l command:

$ ls -l
total 0
-rwxrwxrwx 1 frank Tech     0 Apr 13 18:21 classified.txt

When run on a directory, chmod modifies only the directory’s permissions. chmod also has a recursive mode, which is useful for when you want to change the permissions for “all files inside a directory and its subdirectories”. To use this, add the parameter -R after the command name, before the permissions to change:

$ chmod -R u+rwx Dir1

The above command can be interpreted as:

Recursively (-R), for the user (u), grant (+) read, write and execute (rwx) permissions.

Using chmod with Octal Mode

The octal mode permissions are as follows:

Octal mode 0 permission --- meaning no permissions for the file.
Octal mode 1 permission --x meaning you can execute the file only.
Octal mode 2 permission -w- meaning you can write the file only.
Octal mode 3 permission -wx meaning you can write and execute the file.
Octal mode 4 permission r-- meaning the file is read only.
Octal mode 5 permission r-x meaning you can read and execute the file.
Octal mode 6 permission rw- meaning you can read and write the file.
Octal mode 7 permission rwx meaning you can read, write, and execute the file.

Using octal mode to grant rwx permission to everyone on the anotherlist.txt file:

$ chmod 777 anotherlist.txt

Let us check the result with the ls -l command:

$ ls -l
total 0
-rwxrwxrwx 1 frank Tech     0 Apr 13 18:26 anotherlist.txt

The file anotherlist.txt has been granted rwx permission to everyone.

Setting the Default Mode

When a user creates a new file or directory, the Linux system assigns it a default owner, group, and permissions. The default owner, as expected, is the user who created the file. The default group is the owner’s primary group.

The user mask feature defines the default permissions Linux assigns to the file or directory. The user mask is an octal value that represents the bits to be removed from the default octal mode 666 permissions for files, or 777 permissions for directories.

The user mask value is set with the umask command. You can view your current umask setting by entering the command by itself on the command line.

Viewing the current user mask setting via the umask command:

$ umask
0002

We can use the -S parameter to get the output in symbolic mode, which shows the permissions that remain after the mask is applied rather than the bits that are removed:

$ umask -S
u=rwx,g=rwx,o=rx

The output of the umask command shows four octal values. The first octal value represents the mask for the SUID (4), SGID (2), and sticky (1) bits assigned to files and directories you create. In the above output the value is set to 0, which means these bits are ignored. The next three octal values mask the owner, group, and other permission settings.

Here is a table with every umask value and its respective meaning:

Value   Permission for Files   Permission for Directories
0       rw-                    rwx
1       rw-                    rw-
2       r--                    r-x
3       r--                    r--
4       -w-                    -wx
5       -w-                    -w-
6       ---                    --x
7       ---                    ---

With a umask of 000, created files get 666 (rw-rw-rw-) permissions and created directories get 777 (rwxrwxrwx) permissions.
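To make the arithmetic behind that table concrete, here is an added example (not part of the original tutorial) in POSIX shell. It parses a umask such as 0002 or 0025, clears those bits from the base modes 666 (files) and 777 (directories) exactly as the kernel does when a new file is created, and renders the result as the rwx string ls would print. The function names (octal_to_int, triplet, octal_to_symbolic, umask_digit_effect, umask_effect) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: compute what a given
# umask does to new files (base mode 666) and directories (base mode 777),
# and render the result as the rwx string ls would show. Function names are
# assumptions of this example.

# Parse an octal string such as 0025 into an integer (21) digit by digit, so
# the result does not depend on how the shell's $(( )) treats leading zeros.
octal_to_int() {
    n=0; s=$1
    while [ -n "$s" ]; do
        d=${s%"${s#?}"}; s=${s#?}        # first character, then the rest
        n=$((n * 8 + d))
    done
    echo "$n"
}

# Render one octal digit (0-7) as its rwx triplet, e.g. 6 -> rw-
triplet() {
    r=-; w=-; x=-
    [ $(($1 & 4)) -ne 0 ] && r=r
    [ $(($1 & 2)) -ne 0 ] && w=w
    [ $(($1 & 1)) -ne 0 ] && x=x
    printf '%s%s%s' "$r" "$w" "$x"
}

# Render a three-digit octal mode such as 664 as rw-rw-r--. Only the last
# three digits are used, so 4764 renders as rwxrw-r--.
octal_to_symbolic() {
    m=${1#"${1%???}"}
    u=${m%??}; mid=${m#?}; g=${mid%?}; o=${m#??}
    printf '%s%s%s' "$(triplet "$u")" "$(triplet "$g")" "$(triplet "$o")"
}

# umask_digit_effect D: one row of the umask table, i.e. what mask digit D
# leaves of rw- (files) and rwx (directories).
umask_digit_effect() {
    printf '%s %s\n' "$(triplet $((6 & ~$1)))" "$(triplet $((7 & ~$1)))"
}

# umask_effect MASK: print "<file mode> <file rwx> <dir mode> <dir rwx>" for
# a full umask such as 0002. The mask bits are cleared from 666 (438 in
# decimal) for files and from 777 (511 in decimal) for directories.
umask_effect() {
    mask=$(octal_to_int "$1")
    fmode=$(printf '%03o' $((438 & ~mask)))
    dmode=$(printf '%03o' $((511 & ~mask)))
    printf '%s %s %s %s\n' "$fmode" "$(octal_to_symbolic "$fmode")" \
                           "$dmode" "$(octal_to_symbolic "$dmode")"
}

# Demonstration: the two masks used in this tutorial, then the digit table.
umask_effect 0002
umask_effect 0025
for dgt in 0 1 2 3 4 5 6 7; do
    printf '%s %s\n' "$dgt" "$(umask_digit_effect "$dgt")"
done
```

Running umask_effect with the output of your own umask command shows the modes your new files will get before you create them, which is a quick way to confirm that a hardened mask such as 027 or 077 is actually in effect for a service account.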

Displaying the effect of the current user mask setting on permissions:

$ umask
0002

Let’s create a file and a directory and check the default permissions produced by the current umask:

$ mkdir Testdir
$ touch testfile

Let’s check the results with the ls -l command:

$ ls -l
total 4
drwxrwxr-x 2 frank frank 4096 Apr 22 07:45 Testdir
-rw-rw-r-- 1 frank frank    0 Apr 22 07:45 testfile

The umask value of 0002 created the default file permissions of rw-rw-r--, or octal 664, on the testfile file, and rwxrwxr-x, or octal 775, on the Testdir directory, as expected.

Changing the User Mask

You can change the default umask setting for your user account by using the umask command from the command line.

$ umask 0025

Use the umask command to check the new value:

$ umask
0025

To see the effect of the new umask on newly created files and directories, create a new file and directory:

$ mkdir Newdir
$ touch Newfile

Let’s check the results with the ls -l command:

$ ls -l
total 4
drwxr-x-w- 2 frank frank 4096 Apr 22 08:05 Newdir
-rw-r---w- 1 frank frank    0 Apr 22 08:05 Newfile

The default permissions for the new file and directory, Newfile and Newdir, have changed to reflect the new umask setting.

The umask value is normally set in a script that the Linux system runs at login time, such as in the /etc/profile file.

Changing Special Access Modes

There are three special permission bits that Linux uses for controlling advanced behavior of files and directories: SUID, SGID, and the sticky bit. They can be specified either in symbolic or octal mode.

Set UID

SUID, also known as Set User ID, has the octal value 4 and is represented by an s on the user permissions in symbolic mode. It only applies to files and has no effect on directories. It tells the Linux kernel to run the program with the permissions of the file owner and not the user account actually running the file.

The SUID bit is indicated by an s in place of the execute permission letter for the file owner: rwsr-xr-x. The execute permission is assumed for the system to run the file. If the SUID bit is set on a file that doesn’t have execute permission for the owner, it’s indicated by a capital S.

The passwd utility is an example of a file with SUID set; we can check it with the ls -l command:

$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 68208 May 28  2020 /usr/bin/passwd

Setting UID in Symbolic Mode

To set the SUID bit for a file in symbolic mode, add s to the owner permissions. Let’s look at the Newfile file with the ls -l command:

$ ls -l Newfile
-rwxr---w- 1 frank frank 0 Apr 22 08:05 Newfile

Now let’s set the SUID bit on Newfile:

$ chmod u+s Newfile

Let’s check the results with the ls -l command:

$ ls -l Newfile
-rwsr---w- 1 frank frank 0 Apr 22 08:05 Newfile

Setting UID in Octal Mode

To set the SUID bit for a file in octal mode, include a 4 at the start of the octal mode setting. Let’s look at the testfile file with the ls -l command:

$ ls -l testfile
-rwxrw-r-- 1 frank frank 0 Apr 22 07:45 testfile

Now let’s set the SUID bit on testfile:

$ chmod 4764 testfile

Let’s check the results with the ls -l command:

$ ls -l testfile
-rwsrw-r-- 1 frank frank 0 Apr 22 07:45 testfile

Set GID

Set GID, also known as SGID or Set Group ID bit, has the octal value 2 and in symbolic mode is represented by an s on the group permissions. This can be applied to executable files or directories.

For files, it tells Linux to run the program file with the file’s group permissions. It’s indicated by an s in the group execute position: rwxrwsr--. Like SUID, if the execute permission is not granted, the setting is benign and shown as a capital S in the group execute position.

For directories, the SGID bit helps us create an environment where multiple users can share files. When a directory has the SGID bit set, any files users create in the directory are assigned the group of the directory and not that of the user. That way, all users in that group can have the same permissions to all of the files in the shared directory.

Setting GID in Symbolic Mode

To set the SGID bit in symbolic mode, add s to the group permissions. Let’s look at the tutor.txt file with the ls -l command:

$ ls -l tutor.txt
-rwxrwxrwx 1 frank frank 0 Apr 14 14:38 tutor.txt

Now let’s set the SGID bit on tutor.txt:

$ chmod g+s tutor.txt

Let’s check the results with the ls -l command:

$ ls -l tutor.txt
-rwxrwsrwx 1 frank frank 0 Apr 14 14:38 tutor.txt

Setting GID in Octal Mode

To set the SGID bit for a file in octal mode, include a 2 at the start of the octal mode setting. Let’s look at the troubleshoot.txt file with the ls -l command:

$ ls -l troubleshoot.txt
-rw-rw-r-- 1 frank frank 0 Apr 14 14:59 troubleshoot.txt

Now let’s set the SGID bit on troubleshoot.txt:

$ chmod 2664 troubleshoot.txt

Let’s check the results with the ls -l command:

$ ls -l troubleshoot.txt
-rw-rwSr-- 1 frank frank 0 Apr 14 14:59 troubleshoot.txt

The above output shows an uppercase S in the group position because troubleshoot.txt does not have execute permission for the group.

SGID on Directories

Using the touch command, let’s create an empty file named Test:

$ touch Test

Let’s check the file created above with the ls -l command:

$ ls -l Test
-rw-r---w- 1 frank frank 0 Apr 22 10:16 Test

As we can see, the file is owned by the user frank and group frank. But, if the directory had the SGID permission set, the result would be different. First, let us add the SGID bit to the Contents directory and check the results:

$ sudo chmod g+s Contents

Let’s check the results with the ls -l command:

$ ls -l
total 4
drwxrwsr-x 2 frank Tech  4096 Apr 22 10:16 Contents

The s on the group permissions indicates that the SGID bit is set. Now we will change into this directory and again create an empty file with the touch command:

$ cd Contents

Create an empty file file2.txt with the touch command:

$ touch file2.txt

Let’s check the file created above with the ls -l command:

$ ls -l file2.txt
-rw-r---w- 1 frank Tech 0 Apr 22 10:28 file2.txt

The group that owns the file is Tech. This is because the SGID bit made the file inherit the group owner of its parent directory, which is Tech.

Sticky Bit

The sticky bit, also called the restricted deletion flag, has the octal value 1 and in symbolic mode is represented by a t within the others permissions. It applies only to directories and has no effect on normal files. On Linux it prevents users from removing or renaming a file in a directory unless they own that file or the directory.

Directories with the sticky bit set show a t replacing the x in the others permissions in the output of ls -l, as in this example:

$ ls -ld Newdir
drwxr-x-wt 2 frank Tech 4096 Apr 22 10:36 Newdir

Setting Sticky Bit in Symbolic Mode

To set the sticky bit in symbolic mode, add t to the others permissions. Let’s look at the Testdir directory with the ls -ld command:

$ ls -ld Testdir
drwxr-x-w- 2 frank frank 4096 Apr 22 10:44 Testdir

Now let’s set the sticky bit on Testdir:

$ chmod o+t Testdir

Let’s check the results with the ls -ld command:

$ ls -ld Testdir
drwxr-x-wt 2 frank frank 4096 Apr 22 10:44 Testdir

Setting Sticky Bit in Octal Mode

To set the sticky bit in octal mode, include a 1 at the start of the octal mode setting. Let’s look at the dir1 directory with the ls -ld command:

$ ls -ld dir1
drwxr-x-w- 2 frank frank 4096 Apr 22 10:51 dir1

Now let’s set the sticky bit on dir1:

$ chmod 1752 dir1

Let’s check the results with the ls -ld command:

$ ls -ld dir1
drwxr-x-wT 2 frank frank 4096 Apr 22 10:51 dir1

The above output shows an uppercase T in the others position because dir1 does not have execute permission for others.
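The special bits are the ones most worth auditing, because a SUID or SGID executable runs with privileges that are not the caller’s. Here is an added example (not part of the original tutorial) in POSIX shell that ties the symbolic and octal notations together for both the octal-mode section above and the special bits: it converts the ten-character mode column of ls -l (for example -rwsr-xr-x) into the four-digit octal form chmod uses, treating s/S and t/T as the page describes, and then uses find -perm to list every regular file under a directory that carries SUID or SGID. The function names perm_bit, mode_to_octal and find_special_files are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: convert the ten-character
# mode column printed by ls -l (for example -rwsr-xr-x) into the four-digit
# octal form used by chmod, including the SUID, SGID and sticky bits, and use
# find to list files under a directory that carry SUID or SGID so they can be
# reviewed. Function names are assumptions of this example.

# Octal value of one permission character within its rwx position. s and t
# imply that the execute bit is set; S and T mean it is not. The special bit
# they also signal is added by mode_to_octal.
perm_bit() {
    case $1 in
        r)     echo 4 ;;
        w)     echo 2 ;;
        x|s|t) echo 1 ;;
        *)     echo 0 ;;
    esac
}

# mode_to_octal MODESTRING: "-rwsr-xr-x" -> 4755, "drwxrwsr-x" -> 2775,
# "drwxr-x-wT" -> 1752, "-rw-rw-r--" -> 0664.
mode_to_octal() {
    m=$1
    if [ ${#m} -ne 10 ]; then
        echo "mode_to_octal: expected a 10-character mode string" >&2
        return 1
    fi
    p=${m#?}                       # drop the file type character
    special=0; digits=""; i=0
    while [ -n "$p" ]; do
        c=${p%"${p#???}"}; p=${p#???}            # next rwx triplet
        a=${c%??}; mid=${c#?}; b=${mid%?}; e=${c#??}
        v=$(( $(perm_bit "$a") + $(perm_bit "$b") + $(perm_bit "$e") ))
        case "$i$e" in                           # special bit lives in the x slot
            0s|0S) special=$((special + 4)) ;;   # SUID, owner triplet
            1s|1S) special=$((special + 2)) ;;   # SGID, group triplet
            2t|2T) special=$((special + 1)) ;;   # sticky, others triplet
        esac
        digits="$digits$v"
        i=$((i + 1))
    done
    printf '%s%s\n' "$special" "$digits"
}

# find_special_files DIR: print "<octal mode> <path>" for every regular file
# under DIR with SUID or SGID set. find -perm -MODE matches files that have at
# least those bits (POSIX). ls -ld provides the mode string; cut keeps the
# first ten characters in case an ACL or security-context marker follows.
find_special_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | while IFS= read -r f; do
        printf '%s %s\n' "$(mode_to_octal "$(ls -ld "$f" | cut -c1-10)")" "$f"
    done
}

# Demonstration on mode strings shown earlier in this tutorial.
for ms in -rwsr-xr-x drwxrwsr-x -rw-rwSr-- drwxr-x-wT; do
    printf '%s -> %s\n' "$ms" "$(mode_to_octal "$ms")"
done
```

A typical use is find_special_files /usr/bin, compared against a known-good list from a fresh install of the same distribution: any SUID or SGID file that is not on that list, or whose mode has changed, deserves an explanation. The same find -perm expression with -1000 finds sticky directories such as /tmp.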

Conclusion

That’s all about Managing File Permissions on Linux. We hope this guide was helpful and thank you for reading through.
