Permissions Commands

File and directory permissions are a cornerstone of Linux security and system administration. They dictate who can read, write, or execute files and directories, playing a critical role in protecting data from unauthorized access or modification. This guide covers essential permissions commands in Linux, giving you the tools you need to manage access control effectively.

Understanding Linux File Permissions

Linux permissions are built around three key entities:

  • Owner: The user who owns the file.
  • Group: A group of users who have been granted permissions for the file.
  • Others: Everyone else on the system.

Each of these entities can have three types of permissions:

  • Read (r): Permission to view the contents of the file or directory.
  • Write (w): Permission to modify the contents of the file or directory.
  • Execute (x): Permission to execute the file (if it's a script or binary) or traverse the directory.

Permissions are represented by a string of 10 characters (e.g., -rwxr-xr--):

  • The first character indicates the file type (- for a regular file, d for a directory).
  • The next three characters represent the owner's permissions.
  • The following three represent the group's permissions.
  • The last three represent others' permissions.

Viewing and Modifying Permissions

ls -l - List Files with Permissions

The ls -l command provides a detailed listing of files and directories, including their permissions.

ls -l
  • Example Output:
    -rwxr-xr-- 1 user group 4096 Aug  7 12:34 filename

This command is your go-to for a quick overview of file permissions in a directory.

chmod - Change File Permissions

The chmod command allows you to change the permissions of a file or directory. You can modify permissions using either symbolic or octal notation.

  • Symbolic Notation:
    • r: Read permission.
    • w: Write permission.
    • x: Execute permission.
    • +: Add permission.
    • -: Remove permission.
    • =: Set exact permission.
chmod u+x filename
chmod g-w filename
chmod o=r filename
  • Examples:

    • chmod u+x filename: Adds execute permission for the owner.
    • chmod g-w filename: Removes write permission for the group.
    • chmod o=r filename: Sets read-only permission for others.
  • Octal Notation:

    • 4: Read (r)
    • 2: Write (w)
    • 1: Execute (x)
    • Combine values for each entity (Owner, Group, Others).
chmod 755 filename
chmod 644 filename
  • Examples:
    • chmod 755 filename: rwxr-xr-x (Owner can read, write, and execute; Group and Others can read and execute).
    • chmod 644 filename: rw-r--r-- (Owner can read and write; Group and Others can read only).
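
The mapping between the 10-character string shown by ls -l and the octal value passed to chmod, as an added example that is not part of the original guide. It goes beyond the cases above by also decoding the s and t characters covered under Special Permissions; the function name mode_to_octal and the sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: convert an ls -l mode string (e.g. -rwxr-xr--) to octal.
mode_to_octal() {
    mode=$1
    # GNU ls may append '+' (ACL present) or '.' (SELinux context); drop it.
    [ "${#mode}" -eq 11 ] && mode=${mode%[+.]}
    if [ "${#mode}" -ne 10 ]; then
        echo "mode_to_octal: expected 10 characters, got '$1'" >&2
        return 1
    fi
    perms=${mode#?}     # drop the file-type character
    special=0
    octal=""
    # Walk owner, group, others; the special-bit weights are SUID=4, SGID=2, sticky=1.
    for weight in 4 2 1; do
        rest=${perms#???}
        triplet=${perms%"$rest"}
        perms=$rest
        r=${triplet%??}
        w=${triplet#?}; w=${w%?}
        x=${triplet#??}
        digit=0
        case $r in r) digit=$((digit + 4)) ;; -) ;; *) return 1 ;; esac
        case $w in w) digit=$((digit + 2)) ;; -) ;; *) return 1 ;; esac
        case $weight$x in
            ?x) digit=$((digit + 1)) ;;
            4s|2s|1t) digit=$((digit + 1)); special=$((special + weight)) ;;
            4S|2S|1T) special=$((special + weight)) ;;   # special bit set, no execute
            ?-) ;;
            *) return 1 ;;
        esac
        octal=$octal$digit
    done
    [ "$special" -gt 0 ] && octal=$special$octal
    echo "$octal"
}

# Constructed sample strings, including the special-permission forms.
for sample in -rwxr-xr-- -rw-r--r-- -rwsr-xr-x drwxr-sr-x drwxrwxrwt; do
    printf '%s -> %s\n' "$sample" "$(mode_to_octal "$sample")"
done
```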

chown - Change File Ownership

The chown command changes the ownership of a file or directory, both in terms of the user and the group.

chown new_owner:new_group filename
  • Examples:
    • chown user:group filename: Changes the owner to user and the group to group.
    • chown user filename: Changes only the owner to user.
    • chown :group filename: Changes only the group to group.

This command is particularly useful when managing files across different users or groups, especially in shared environments.

chgrp - Change Group Ownership

The chgrp command is a more specific tool, used solely to change the group ownership of a file or directory.

chgrp new_group filename
  • Example:
    • chgrp developers filename: Changes the group ownership to developers.

Advanced Permissions Commands

umask - Set Default Permissions

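The umask command sets the default permissions for new files and directories. The permission bits set in the umask value are cleared from the default permissions (typically 666 for files and 777 for directories); this is a bit mask rather than an arithmetic subtraction, although the two give the same result for common values such as 022.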

umask 022
  • Example:
    • umask 022: New files will have permissions 644 (rw-r--r--), and new directories will have permissions 755 (rwxr-xr-x).

Setting the correct umask is crucial for maintaining consistent security practices across the system.
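
How a umask value turns into the mode of a new file or directory, as an added example that is not part of the original guide. The kernel clears the umask bits from the requested mode, which matches subtraction for 022 but not for a value such as 033; the function names are constructed, and observe_modes assumes GNU stat (stat -c).

```shell
#!/bin/sh
# Added example: predicted and observed modes for a given umask.

# Predicted mode = default AND NOT umask (a bit mask, not a subtraction).
# $1 = default mode (666 for files, 777 for directories), $2 = umask
predict_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# Create a real file and directory under the given umask and report
# their modes as "<file mode> <dir mode>". Assumes GNU stat (-c '%a').
observe_modes() {
    work=$(mktemp -d) || return 1
    (
        umask "$1"           # the subshell keeps the caller's umask unchanged
        : > "$work/file"     # the shell requests 666 for new files
        mkdir "$work/dir"    # mkdir requests 777 for new directories
    )
    file_mode=$(stat -c '%a' "$work/file")
    dir_mode=$(stat -c '%a' "$work/dir")
    rm -rf "$work"
    echo "$file_mode $dir_mode"
}

# 022 is the value used above; 027 and 033 are constructed comparison values.
for mask in 022 027 033; do
    printf 'umask %s: predicted file %s dir %s, observed %s\n' \
        "$mask" "$(predict_mode 666 "$mask")" "$(predict_mode 777 "$mask")" \
        "$(observe_modes "$mask")"
done
```

With umask 033 a new file ends up as 644, not 633, because the execute bit was never part of the 666 default and there is nothing to clear.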

setfacl - Set File Access Control Lists

The setfacl command allows for more granular control over file permissions through Access Control Lists (ACLs).

setfacl -m u:user:rw filename
  • Options:

    • -m: Modify ACL for a specific user or group.
    • -x: Remove a specific ACL entry.
    • -b: Remove all ACL entries.
  • Examples:

    • setfacl -m u:alice:rwx filename: Grants user alice read, write, and execute permissions.
    • setfacl -x u:alice filename: Removes ACL entry for user alice.

ACLs are particularly useful in environments where you need to manage permissions beyond the basic owner-group-others model.

getfacl - Get File Access Control Lists

The getfacl command displays the ACLs associated with a file or directory.

getfacl filename
  • Example:
    • getfacl filename: Shows all ACL entries for filename.

This command is essential for verifying and auditing ACL settings.

stat - Display File Status

The stat command provides detailed information about a file or directory, including permissions, ownership, and timestamps.

stat filename
  • Example Output:
    File: 'filename'
    Size: 4096       Blocks: 8          IO Block: 4096   regular file
    Device: 803h/2051d  Inode: 12345678    Links: 1
    Access: (0644/-rw-r--r--)  Uid: ( 1000/   user)   Gid: ( 1000/   group)
    Access: 2024-08-08 12:34:56.000000000 +0000
    Modify: 2024-08-08 12:34:56.000000000 +0000
    Change: 2024-08-08 12:34:56.000000000 +0000

The stat command is invaluable for digging deeper into file properties and diagnosing permission-related issues.

Special Permissions

SUID, SGID, and Sticky Bit

  • SUID (Set User ID): When set on an executable file, it allows the file to run with the permissions of the file owner, rather than the user who is executing it.

    chmod u+s filename
  • SGID (Set Group ID): When applied to a directory, new files created within it inherit the group of the directory.

    chmod g+s directory_name
  • Sticky Bit: Applied to a directory, it restricts file deletion within that directory to the file owner, even if others have write access.

    chmod +t directory_name
  • Examples:

    • chmod 4755 filename: Set SUID on a file (rwsr-xr-x).
    • chmod 2755 directory_name: Set SGID on a directory (rwxr-sr-x).
    • chmod 1777 directory_name: Set the Sticky Bit on a directory (rwxrwxrwt).

These special permissions are powerful tools for controlling how files and directories are accessed and executed, particularly in multi-user environments.
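
Because a SUID or SGID file runs with its owner's or group's privileges, and a world-writable directory without the sticky bit lets any user delete other users' files, an inventory of both is a routine hardening check. The following is an added example, not part of the original guide; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a directory tree for the special bits described above.

# Regular files carrying the SUID (4000) or SGID (2000) bit.
find_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# World-writable directories that lack the sticky bit (1000).
find_unsticky_world_writable() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print | sort
}

# Constructed sample input: a small tree with one finding of each kind.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/shared" "$root/dropbox" "$root/bin"
    chmod 1777 "$root/shared"      # world-writable, sticky bit set: not reported
    chmod 0777 "$root/dropbox"     # world-writable, no sticky bit: reported
    : > "$root/bin/helper"
    chmod 4755 "$root/bin/helper"  # SUID: reported
    : > "$root/bin/plain"
    chmod 0755 "$root/bin/plain"   # ordinary executable: not reported
    echo "$root"
}

sample=$(make_sample_tree)
echo "SUID/SGID files:"
find_setid_files "$sample"
echo "World-writable directories without the sticky bit:"
find_unsticky_world_writable "$sample"
rm -rf "$sample"
```

On a real system, point the two functions at a mount point such as / and compare the output against a reviewed baseline; -xdev keeps find on that one filesystem.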