Linux is known for its robust security and multi-user environment, and a cornerstone of this security model is its file permission system. Understanding how file permissions work is crucial for anyone working with Linux, whether you’re a developer, system administrator, or just a curious user. Incorrect permissions can lead to security vulnerabilities, operational issues, or simply prevent you from accessing your own files.
In this guide, we’ll break down Linux file permissions into easy-to-understand concepts, covering how they’re represented, how to interpret them, and how to change them effectively.
Table of Contents
Open Table of Contents
The Basics: Understanding ls -l Output
Let’s start by looking at how file permissions are displayed in Linux. When you use the ls -l command, you get a detailed listing of files and directories, including their permissions.
Consider the following output:
ls -l my_document.txt my_script.sh my_directory/-rw-r--r-- 1 siddharth staff 1234 Oct 26 10:30 my_document.txt
-rwxr-xr-- 1 siddharth staff 567 Oct 26 10:35 my_script.sh
drwxr-xr-x 2 siddharth staff 4096 Oct 26 10:40 my_directory/The first character block (-rw-r--r-- or drwxr-xr-x) is what we’re interested in. This 10-character string tells you everything about the file’s type and its permissions.
Let’s break it down:
- 1st character: Indicates the file type.
-: Regular filed: Directoryl: Symbolic linkc: Character device fileb: Block device file
- Characters 2-4: Permissions for the User (owner)
- Characters 5-7: Permissions for the Group
- Characters 8-10: Permissions for Others (everyone else)
Who Are We Talking About? Users, Groups, and Others
Linux categorizes entities that interact with files into three main types:
- User (u): This is the owner of the file or directory. Typically, the user who creates a file becomes its owner.
- Group (g): Every file and directory is assigned to a group. Multiple users can belong to the same group, and all members of that group will have the permissions defined for the group. This is useful for collaborative work.
- Others (o): This category refers to anyone else on the system who is neither the owner nor a member of the file’s assigned group.
Decoding the Permissions: r, w, x
Within each of the three categories (User, Group, Others), three types of permissions can be assigned:
r(Read):- For a file: Allows viewing the file’s content.
- For a directory: Allows listing the contents of the directory (i.e., seeing what files and subdirectories are inside).
w(Write):- For a file: Allows modifying, saving, or deleting the file.
- For a directory: Allows creating, deleting, or renaming files within that directory. Note that to delete a file, you need write permission on the directory containing the file, not necessarily on the file itself.
x(Execute):- For a file: Allows running the file as a program or script.
- For a directory: Allows entering (or “cd-ing into”) the directory. Without execute permission, you cannot access files inside, even if you have read permission.
If a permission is not granted, a hyphen (-) appears in its place. For example, rw- means read and write, but no execute.
Changing Permissions with chmod
The chmod (change mode) command is used to modify file and directory permissions. There are two primary ways to use chmod: symbolic mode and octal (numeric) mode.
Symbolic Mode
Symbolic mode uses characters to represent who you’re changing permissions for (u, g, o, a for all), the action (+ add, - remove, = set exactly), and the permissions (r, w, x).
- Who:
u: User (owner)g: Groupo: Othersa: All (user, group, and others)
- Operator:
+: Add a permission-: Remove a permission=: Set permissions exactly as specified (removes any not listed)
- Permissions:
r: Readw: Writex: Execute
Examples:
- Add execute permission for the owner to
my_script.sh:
(e.g.,chmod u+x my_script.sh-rw-r--r--becomes-rwxr--r--) - Remove write permission for group and others from
my_document.txt:
(e.g.,chmod go-w my_document.txt-rw-rw-r--becomes-rw-r--r--) - Set permissions for
my_directory/to berwxfor owner,rxfor group, andrfor others:
(e.g.,chmod u=rwx,g=rx,o=r my_directory/drwxrwxrwxbecomesdrwxr-xr--)
Octal (Numeric) Mode
Octal mode uses a three-digit number to represent permissions for user, group, and others. Each permission (r, w, x) has a numeric value:
r(Read) = 4w(Write) = 2x(Execute) = 1_(No permission) = 0
To get the octal value for each category, you sum the values of the permissions granted.
| Permission | r (4) | w (2) | x (1) | Total (Octal Digit) | Binary |
|---|---|---|---|---|---|
--- | 0 | 0 | 0 | 0 | 000 |
--x | 0 | 0 | 1 | 1 | 001 |
-w- | 0 | 2 | 0 | 2 | 010 |
-wx | 0 | 2 | 1 | 3 | 011 |
r-- | 4 | 0 | 0 | 4 | 100 |
r-x | 4 | 0 | 1 | 5 | 101 |
rw- | 4 | 2 | 0 | 6 | 110 |
rwx | 4 | 2 | 1 | 7 | 111 |
You then combine these three digits (one for user, one for group, one for others) to form a three-digit octal number.
Common Octal Examples:
755(rwxr-xr-x): Owner has full permissions, group and others can read and execute. This is common for executable scripts and directories.- User:
rwx(4+2+1 = 7) - Group:
r-x(4+0+1 = 5) - Others:
r-x(4+0+1 = 5)
- User:
644(rw-r—r—): Owner can read and write, group and others can only read. This is typical for regular text files or configuration files.- User:
rw-(4+2+0 = 6) - Group:
r--(4+0+0 = 4) - Others:
r--(4+0+0 = 4)
- User:
700(rwx------): Only the owner has full permissions. Very restrictive.- User:
rwx(7) - Group:
---(0) - Others:
---(0)
- User:
Examples:
- Make
my_script.shexecutable by the owner and readable/executable by group/others (common for scripts):chmod 755 my_script.sh - Make
my_document.txtreadable and writable by owner, and only readable by group/others:chmod 644 my_document.txt
Changing Ownership with chown and chgrp
While chmod manages permissions, chown (change owner) and chgrp (change group) manage ownership. These commands usually require superuser (root) privileges to execute.
chown: Changes the owner of a file or directory. You can also change the group simultaneously.sudo chown new_user file_name sudo chown new_user:new_group file_name # Change user and group sudo chown :new_group file_name # Only change group (same as chgrp)chgrp: Changes only the group ownership of a file or directory.sudo chgrp new_group file_name
Example:
If you uploaded files as root and need them to be owned by your web server user (e.g., www-data on Ubuntu/Debian), you might do:
sudo chown www-data:www-data /var/www/html/my_webapp -RThe -R flag recursively applies the changes to directories and their contents.
Practical Examples and Use Cases
- Executable Scripts: For a shell script to run directly, it needs execute permission for the user trying to run it.
chmod +x myscript.sh # or chmod 755 myscript.sh - Web Server Content: Files served by a web server (like Apache or Nginx) often need to be readable by the web server’s user/group. Directories might need
755(rwxr-xr-x) and files644(rw-r—r—) to allow the server to read them but prevent accidental writes from other users. - Secure Configuration Files: Sensitive files like SSH keys or database credentials should have very restrictive permissions, often
600(rw-------), meaning only the owner can read and write, and no one else has any access.chmod 600 ~/.ssh/id_rsa - Shared Directories: For a directory where multiple users in a specific group need to collaborate, you might set permissions like
770(rwxrwx---) or2770(with SGID bit, but that’s a topic for another blog!), and ensure files created within inherit the group.
Conclusion
Understanding Linux file permissions is a fundamental skill that enhances your ability to manage your system, secure your files, and collaborate effectively. By mastering ls -l for inspection, chmod for changing permissions (both symbolic and octal modes), and chown/chgrp for managing ownership, you gain precise control over who can do what with your data. Always strive for the principle of least privilege: grant only the permissions necessary for a task to minimize security risks. Keep practicing, and you’ll soon navigate the Linux filesystem with confidence!