Cycle Logo

Linux File Permissions

Linux file permissions are a cornerstone of the operating system's security model, governing who can read, write, and execute files. Mastering file permissions is crucial for managing access to sensitive data and maintaining the overall security of a Linux system. This guide covers the basics of Linux file permissions, how to modify them, and best practices for managing them effectively.

Understanding Linux File Permissions

The Permission Model

In Linux, every file and directory is associated with a set of permissions that determine what actions users can perform. These permissions are categorized into three groups:

  • User (u): The file's owner.
  • Group (g): Users who are part of the group associated with the file.
  • Others (o): All other users who are neither the owner nor part of the group.

Each category can have three types of permissions:

  • Read (r): Permission to read the contents of the file or list the contents of the directory.
  • Write (w): Permission to modify the file or its contents, or to create, delete, or rename files within a directory.
  • Execute (x): Permission to run the file as a program or script, or to access a directory.

Permission Representation

Permissions are typically represented in two formats:

  1. Symbolic Representation: A string of characters like -rwxr-xr--.

    • The first character indicates the file type (- for regular files, d for directories, l for symbolic links).
    • The next three characters represent the owner's permissions.
    • The following three characters represent the group's permissions.
    • The last three characters represent the permissions for others.

    Example: -rwxr-xr--

    • User: rwx (read, write, execute)
    • Group: r-x (read, execute)
    • Others: r-- (read only)

  2. Numeric (Octal) Representation: A three- or four-digit number like 755 or 0644.

    • Each digit represents the permissions for user, group, and others, respectively.
    • The digits are calculated by summing the values for read (4), write (2), and execute (1).

    Example: 755

    • User: 7 (read 4 + write 2 + execute 1 = 7)
    • Group: 5 (read 4 + execute 1 = 5)
    • Others: 5 (read 4 + execute 1 = 5)

Viewing File Permissions

To view the permissions of files and directories, use the ls -l command:

ls -l /path/to/file

This command outputs a detailed list that includes the permissions, owner, group, size, and modification time for each file or directory:

-rw-r--r-- 1 user group  4096 Aug  8 12:00 example.txt

Modifying File Permissions

Using chmod to Change Permissions

The chmod (change mode) command is used to modify file and directory permissions.

Symbolic Mode

You can change permissions using symbolic mode by specifying the category (user, group, others) and the permission to add (+), remove (-), or set exactly (=).

Examples:

  • Add execute permission for the user:

    chmod u+x /path/to/file

  • Remove write permission for the group:

    chmod g-w /path/to/file

  • Set read-only permission for others:

    chmod o=r /path/to/file

Numeric Mode

Alternatively, you can use numeric (octal) mode by specifying a three-digit number that represents the permissions for the user, group, and others.

Examples:

  • Set full permissions for the user, and read/execute for the group and others:

    chmod 755 /path/to/file

  • Set read/write permissions for the user, and read-only for the group and others:

    chmod 644 /path/to/file

Recursively Changing Permissions

To change the permissions of a directory and all its contents, use the -R (recursive) option:

chmod -R 755 /path/to/directory

This command applies the specified permissions to all files and subdirectories within the directory.

Changing Ownership with chown

The chown (change owner) command is used to change the ownership of files and directories. Ownership includes both a user and a group.

Changing the Owner

To change the owner of a file:

sudo chown newuser /path/to/file

Changing the Group

To change the group associated with a file:

sudo chown :newgroup /path/to/file

Changing Both Owner and Group

To change both the owner and group simultaneously:

sudo chown newuser:newgroup /path/to/file

Recursively Changing Ownership

Like chmod, the chown command can also be applied recursively:

sudo chown -R newuser:newgroup /path/to/directory

Learn more about Linux filesystem commands.

Special Permissions

Beyond the standard read, write, and execute permissions, Linux supports special modes like SUID, SGID, and the sticky bit.

SUID (Set User ID)

When the SUID bit is set on an executable file, the file runs with the permissions of its owner, rather than the user who executes it. This is often used for programs that need elevated privileges.

To set the SUID bit:

sudo chmod u+s /path/to/file

SGID (Set Group ID)

The SGID bit, when set on a directory, ensures that files created within the directory inherit the group ownership of the directory. When set on an executable, it allows the file to run with the permissions of the group owner.

To set the SGID bit:

sudo chmod g+s /path/to/file_or_directory

Sticky Bit

The sticky bit, when set on a directory, restricts file deletion within the directory so that only the file's owner, the directory owner, or the root user can delete them. This is commonly used on shared directories like /tmp.

To set the sticky bit:

sudo chmod +t /path/to/directory

Best Practices for Managing File Permissions

Principle of Least Privilege: Always apply the principle of least privilege when setting file permissions. Users and processes should have the minimum permissions necessary to perform their tasks.

Regularly Review Permissions: Periodically review the permissions of files and directories, especially those containing sensitive data, to ensure they are appropriately restricted.

Use Groups for Access Control: Use groups to manage access to files and directories rather than assigning permissions to individual users. This approach simplifies permission management and ensures consistency.

Avoid Setting World-Writable Permissions: Avoid setting the write permission for others (chmod o+w). World-writable files can be modified by any user, posing a significant security risk.

Secure Critical Directories with the Sticky Bit: For shared directories where multiple users have write access (e.g., /tmp), use the sticky bit to prevent users from deleting each other's files.