Master Linux File Permissions: chmod, chown, umask, SUID/SGID, ACL & sudo Explained

1. Permission Overview

Linux defines three classes of objects for each file: owner (user), group , and other . Each class can have read ( r), write ( w), and execute ( x) permissions. Directories use the same letters, where r allows listing, w permits creating or deleting entries, and x enables entering the directory.

2. Permission Management Commands

2.1 chmod – change mode

Syntax: chmod MODE file.... Options include: -R – recursive

Specify user classes ( u, g, o, a) and operations ( +, -, =) e.g., chmod u+w file or chmod g=rw file.

# ll
-rw-r--r--. 1 root root 0 Jul 4 12:22 111
# chmod u-w 111
# ll
-r--r--r--. 1 root root 0 Jul 4 12:22 111

2.2 chown – change owner/group

Only root can use chown. Syntax examples:

chown user:group file

chown -R user:group directory

# ll
-rw-rw-rw-. 1 root root 0 Jul 4 12:56 111
# chown lxb:lxb 111
# ll
-rw-rw-rw-. 1 lxb lxb 0 Jul 4 12:56 111

3. Umask and Default Permissions

The umask masks bits that are removed from newly created files (default 022) and directories (default 022). File default mode is 666, directory default is 777; the umask subtracts bits, resulting in typical defaults of 644 for files and 755 for directories.

# umask
0022
# mkdir testdir
# touch testfile
# ll
-rw-r--r--. 1 root root 0 Jul 4 13:54 testfile
drwxr-xr-x. 2 root root 6 Jul 4 13:54 testdir

4. Linux Security Context & Special Permissions

4.1 Security Context

Execution permission determines whether a program can be started. The resulting process inherits the initiator’s UID/GID unless special bits alter this behavior.

4.2 Special Permissions

SUID (4) – when set on an executable, the process runs with the file’s owner UID. Use chmod u+s file to set, chmod u-s file to clear.

SGID (2) – when set on a file, the process runs with the file’s group GID; when set on a directory, new files inherit the directory’s group. Use chmod g+s DIR and chmod g-s DIR.

Sticky (1) – on a directory, only the file’s owner or root can delete/rename files within it. Set with chmod o+t DIR and clear with chmod o-t DIR.

Examples of combined modes: 4755 (SUID + 755), 2755 (SGID + 755), 1755 (Sticky + 755).

5. Filesystem Access Control Lists (facl)

ACLs provide fine‑grained permissions beyond the traditional owner/group/other model.

Set ACL: setfacl -m u:UID:perm file or setfacl -m g:GID:perm file.

Default ACL for a directory: prefix d:, e.g., setfacl -m d:u:test:rw dir.

Remove ACL entry: setfacl -x u:UID file.

Clear all ACLs: setfacl -b file.

# setfacl -m u:lxb:x 111
# getfacl 111
# file: 111
# owner: lxb
# group: lxb
user::rw-
user:lxb:--x
group::rw-
mask::rwx
other::rw-
# setfacl -b 111
# getfacl 111
# file: 111
# owner: lxb
# group: lxb
user::rw-
group::rw-
other::rw

6. sudo – privilege delegation

sudo

lets a user run commands as another user (default root) on specified hosts. Configuration resides in /etc/sudoers and is edited with visudo. A sudo rule follows the format: who which_hosts=(runas) command Example entry allowing user lxb to run /usr/sbin/useradd as root: lxb ALL=(root) /usr/sbin/useradd Common sudo options include -l (list privileges), -v (validate timestamp), -k (reset timestamp), -V (show version), and -h (help).

7. Management Commands

Useful system utilities: w – shows who is logged in and what they are doing. sleep – pauses execution (e.g., sleep 3). last, lastb, lastlog – display login history. basename – extracts the filename from a path.

# sleep 3; echo 123
123
# time sleep 3
real    0m3.021s
user    0m0.000s
sys     0m0.003s