Master Linux File Permissions: From Basic rwx to Advanced ACLs
This guide explains Linux file and directory permissions, numeric and symbolic representations, special bits like SUID/SGID/sticky, ownership changes with chown/chgrp, default umask behavior, and detailed ACL usage with practical examples and command snippets.
Basic Permission Model
Linux defines three identity classes for each file – owner (user), group, and others – each with three basic rights: read (r), write (w), and execute (x). ls -l prints the file type followed by nine permission characters (e.g., -rwxr-xr-x, where the leading - marks a regular file and d a directory); the nine characters are grouped three per class in the order owner, group, others. On a directory the same bits mean something slightly different: r lists entries, w creates or removes entries, and x allows traversal into the directory at all.
Numeric Representation
Each permission maps to a numeric value (read = 4, write = 2, execute = 1). Adding the values for a class yields one octal digit, so the full mode is three digits: owner, group, others. For example, rwxrw-r-- becomes 764. An optional leading fourth digit encodes the special bits described below (4 = SUID, 2 = SGID, 1 = sticky), so 0755 and 755 are the same mode and 4755 is 755 plus SUID.
Permission Evaluation Process
If the accessing process's effective UID is the file owner, apply the owner bits and stop.
Otherwise, if the process's effective GID or one of its supplementary groups matches the file's group, apply the group bits and stop.
Otherwise, apply the others bits.
Only the first matching class is consulted, never a union: an owner whose file has mode 077 is denied even though group and others have full rights. Processes holding CAP_DAC_OVERRIDE (root) bypass the read and write bits entirely and are granted execute as long as at least one execute bit is set.
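The two ideas above (the symbolic/numeric encoding and the first-match evaluation order) as an added example, not code from the original article: parse_mode converts an ls -l mode string to its octal value, also handling the s/S/t/T characters introduced in the special-bits section, and effective_rights applies the owner, group, others order for a regular file, including the root bypass. The UIDs and GIDs in the demo are constructed.

```python
# Added example (not from the original article): convert an ls -l style mode
# string to its octal value and apply the owner -> group -> others evaluation
# order from the text. Special-bit characters (s/S/t/T) are handled so the
# parser also covers the SUID/SGID/sticky section. UIDs/GIDs are constructed.
import stat

def parse_mode(text):
    """'rwxrw-r--' -> 0o764; accepts the 10-character ls -l form too, in
    which case the leading file-type column (-, d, l, ...) is dropped."""
    if len(text) == 10:
        text = text[1:]
    if len(text) != 9:
        raise ValueError("expected 9 permission characters, got %r" % text)
    mode = 0
    special = (stat.S_ISUID, stat.S_ISGID, stat.S_ISVTX)   # owner, group, others column
    for idx, shift in enumerate((6, 3, 0)):
        r, w, x = text[3 * idx:3 * idx + 3]
        if r == "r":
            mode |= 4 << shift
        if w == "w":
            mode |= 2 << shift
        letter = "s" if shift else "t"    # s = SUID/SGID in owner/group column, t = sticky in others
        if x == "x":
            mode |= 1 << shift
        elif x == letter:                 # lowercase: special bit and execute bit both set
            mode |= (1 << shift) | special[idx]
        elif x == letter.upper():         # uppercase: special bit set, execute bit clear
            mode |= special[idx]
        elif x != "-":
            raise ValueError("bad character %r in %r" % (x, text))
    return mode

def effective_rights(mode, file_uid, file_gid, uid, gid, groups=()):
    """Rights (subset of {'r','w','x'}) the classic mode check grants on a
    regular file. Only the first matching class is consulted, so an owner with
    fewer bits than the group still gets only the owner bits."""
    if uid == 0:
        # Assumption stated for the demo: uid 0 holds CAP_DAC_OVERRIDE, which
        # bypasses the read/write bits; execute still needs some x bit set.
        rights = {"r", "w"}
        if mode & 0o111:
            rights.add("x")
        return rights
    if uid == file_uid:
        bits = (mode >> 6) & 7
    elif gid == file_gid or file_gid in groups:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return {name for name, bit in (("r", 4), ("w", 2), ("x", 1)) if bits & bit}

if __name__ == "__main__":
    for text in ("rwxrw-r--", "-rwsr-xr-x", "drwxrwxrwt"):
        print(f"{text:<12} -> {parse_mode(text):05o}")
    # Owner bits win even when they are the most restrictive class: uid 1000
    # owns a mode-077 file and gets nothing, uid 1001 in the same group gets all.
    print(effective_rights(0o077, 1000, 1000, 1000, 1000))   # set()
    print(effective_rights(0o077, 1000, 1000, 1001, 1000))   # {'r', 'w', 'x'}
```

The mode-077 case is the one worth remembering when reviewing a host: a restrictive owner class is an effective way to lock a specific account out of its own file, and a permissive one is a common misconfiguration when the owner is a service account that never needed write access.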
Changing Permissions with chmod
Two notations are supported:
Symbolic : chmod u+rwx,g=rw,o= file – name the class (u user, g group, o others, a all), an operation (+ add, - remove, = set exactly), and the rights (r, w, x; X grants execute only to directories and to files that are already executable for someone).
Numeric : chmod 644 file – directly set the three‑digit mode.
Recursive changes use the -R flag, but chmod -R 755 /var/www marks every data file executable as well; chmod -R u=rwX,go=rX /var/www gives directories the search bit they need without turning documents into executables.
Special Permission Bits
SUID (Set‑UID)
When the owner's execute position shows s (e.g., -rwsr-xr-x), the program runs with its effective UID set to the file owner rather than the caller. It lets ordinary users perform narrowly privileged actions, such as updating /etc/shadow through passwd. Set it with chmod u+s file or chmod 4755 file. A capital S means the bit is set but the owner execute bit is not, so it has no effect. The kernel ignores SUID on interpreted scripts and on filesystems mounted nosuid, and writing to a SUID file as a process without CAP_FSETID clears the bit. Because every SUID root binary is a privilege boundary, keep the inventory short and audited.
SGID (Set‑GID)
For files, SGID works like SUID but sets the effective GID to the file's group. For directories, SGID makes newly created files inherit the directory's group instead of the creator's primary group, and new subdirectories inherit the SGID bit too, which is how a shared project tree stays owned by one group. Set it with chmod g+s dir or chmod 2755 dir.
Sticky Bit
Applied to directories (shown as t in the others' execute position, T if others lack execute), it allows only the file's owner, the directory owner, or root to delete or rename files within that directory, even when the directory is world-writable. /tmp is the standard case: its mode is 1777, set with chmod o+t /tmp or chmod 1777 /tmp. A world-writable directory without the sticky bit lets any user delete or replace anyone else's files in it.
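The practical counterpart to this section is finding where the special bits are set, the job usually done with find / -perm -4000. The following is an added example, not code from the original article: it walks a tree with lstat (so a symlink to a SUID binary is not reported as one), reports SUID, SGID and sticky entries, and also flags world-writable entries that lack the sticky bit. The demo tree it scans is constructed in a temporary directory; all paths and names are made up for the demo.

```python
# Added example (not from the original article): find files carrying SUID,
# SGID or the sticky bit, and world-writable entries that lack sticky, the
# way an auditor would run `find / -perm -4000`. The tree it scans is built
# in a temporary directory; paths and names are constructed for the demo.
import os
import shutil
import stat
import tempfile

def special_flags(mode):
    """Name the special bits set in a permission-bits mode (stat.S_IMODE form)."""
    names = ((stat.S_ISUID, "SUID"), (stat.S_ISGID, "SGID"), (stat.S_ISVTX, "sticky"))
    return [name for bit, name in names if mode & bit]

def audit_entries(entries):
    """entries: iterable of (path, mode). Returns sorted (path, '0oNNNN', [flags])
    for anything with a special bit, or world-writable without sticky."""
    findings = []
    for path, mode in entries:
        flags = special_flags(mode)
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            flags.append("world-writable")
        if flags:
            findings.append((path, oct(mode), flags))
    return sorted(findings)

def walk_modes(root):
    """Yield (relative path, permission bits) for every non-symlink entry under
    root. lstat is used so a symlink pointing at a SUID binary is never
    mistaken for one and the walk never follows links out of the tree."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            yield os.path.relpath(path, root), stat.S_IMODE(st.st_mode)

def audit_tree(root):
    return audit_entries(walk_modes(root))

def build_demo_tree():
    """Constructed layout: a SUID helper, an SGID shared directory, a sticky
    scratch directory, a world-writable config file, and one plain file."""
    root = tempfile.mkdtemp(prefix="permdemo-")
    os.makedirs(os.path.join(root, "bin"))
    helper = os.path.join(root, "bin", "suid-helper")
    open(helper, "w").close()
    os.chmod(helper, 0o4755)                          # -rwsr-xr-x
    shared = os.path.join(root, "shared")
    os.mkdir(shared)
    os.chmod(shared, 0o2775)                          # drwxrwsr-x
    scratch = os.path.join(root, "scratch")
    os.mkdir(scratch)
    os.chmod(scratch, 0o1777)                         # drwxrwxrwt
    loose = os.path.join(root, "loose.conf")
    open(loose, "w").close()
    os.chmod(loose, 0o666)                            # -rw-rw-rw-: anyone can edit it
    plain = os.path.join(root, "plain.txt")
    open(plain, "w").close()
    os.chmod(plain, 0o644)
    return root

def remove_demo_tree(root):
    shutil.rmtree(root, ignore_errors=True)

if __name__ == "__main__":
    root = build_demo_tree()
    try:
        for path, mode, flags in audit_tree(root):
            print(f"{mode:>7}  {path:<16} {', '.join(flags)}")
    finally:
        remove_demo_tree(root)
```

audit_entries is kept separate from the filesystem walk so the same rule set can be run over a mode list exported from another host (for example the output of find -printf '%p %m\n') without rescanning it.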
Changing Ownership
Use chown to change the owner, the group, or both (chown user file, chown user:group file, chown :group file) and chgrp to change only the group. Both commands support recursive operation with -R. Only root can change a file's owner; an unprivileged owner can change the group only to one they are a member of. On Linux, changing the ownership of a regular file also clears its SUID and SGID bits, so re-apply them afterwards if they were intended.
Default Creation Permissions – umask
The umask is a mask of permission bits to clear: every bit set in the umask is removed from the mode a program requests when it creates a file (normally 666) or a directory (normally 777); it can never add bits. The usual default of 022 therefore yields 644 for files and 755 for directories; 027 yields 640 and 750 and keeps new files away from other users. Set it for the current shell with umask 027, or persistently via UMASK in /etc/login.defs or a umask line in /etc/profile or ~/.bashrc. Avoid umask 000: it makes every new file and directory world-writable.
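An added example, not code from the original article, that predicts what a given umask produces and then confirms it by creating a file and a directory under that umask in a temporary directory. It also shows that the umask only removes bits: a program that asks for 600 explicitly gets 600 whatever the umask. os.umask is process-wide, so the previous value is restored; the paths are constructed for the demo.

```python
# Added example (not from the original article): predict the mode umask yields
# and confirm it by creating a file and a directory under a chosen umask in a
# temporary directory. os.umask is process-wide, so the previous value is
# restored afterwards; the paths are constructed for the demo.
import os
import shutil
import stat
import tempfile

def apply_umask(requested, umask):
    """umask only ever clears bits: the result is requested & ~umask."""
    return requested & ~umask

def default_modes(umask):
    """What open(2) requesting 0666 and mkdir(2) requesting 0777 produce."""
    return apply_umask(0o666, umask), apply_umask(0o777, umask)

def create_under_umask(umask, file_request=0o666):
    """Create a file (requesting file_request) and a directory (requesting 0777)
    under the given umask. Returns the resulting permission bits of each and the
    temporary root, which the caller removes with remove_demo()."""
    previous = os.umask(umask)
    try:
        root = tempfile.mkdtemp(prefix="umaskdemo-")   # mkdtemp itself requests 0700
        fpath, dpath = os.path.join(root, "file"), os.path.join(root, "dir")
        fd = os.open(fpath, os.O_CREAT | os.O_WRONLY | os.O_EXCL, file_request)
        os.close(fd)
        os.mkdir(dpath, 0o777)
        return (stat.S_IMODE(os.stat(fpath).st_mode),
                stat.S_IMODE(os.stat(dpath).st_mode),
                root)
    finally:
        os.umask(previous)

def remove_demo(root):
    shutil.rmtree(root, ignore_errors=True)

if __name__ == "__main__":
    for mask in (0o022, 0o027, 0o077):
        fmode, dmode, root = create_under_umask(mask)
        remove_demo(root)
        pf, pd = default_modes(mask)
        print(f"umask {mask:03o}: file {fmode:03o} dir {dmode:03o} (predicted {pf:03o}/{pd:03o})")
    fmode, _, root = create_under_umask(0o022, file_request=0o600)
    remove_demo(root)
    print(f"requesting 0600 under umask 022 still gives {fmode:03o}")
```

Note that a default ACL on the parent directory replaces the umask as the source of the initial mode; the ACL section below covers that case.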
Access Control Lists (ACL)
ACLs extend the traditional owner/group/others model with entries for additional named users and groups. The filesystem must support them (ext4 and xfs do by default), and ls -l marks a file that carries an ACL by appending + to the mode string (e.g., -rw-rw----+).
View ACLs with getfacl file.
Modify ACLs with setfacl: setfacl -m u:alice:rw file adds or updates a named-user entry, setfacl -m g:devs:rx dir does the same for a group, setfacl -x u:alice file removes an entry, and setfacl -b file strips all extended entries.
The mask entry caps the effective rights of every named user, every named group and the owning group; the owner and others entries are not masked. setfacl recalculates the mask automatically when entries are modified (use -n to keep it), chmod on the group digit changes the mask rather than the owning group's entry, and getfacl annotates any entry the mask reduces with #effective:.
Default ACL entries (default:, set with setfacl -d -m or the d: prefix, e.g., setfacl -m d:u:alice:rw dir) exist only on directories and are copied to files and subdirectories created inside them; they do not change existing content, so a policy change usually needs both access entries (-m) and default entries (-d -m), applied with -R.
Example scenario: a file owned by tom in group admin is given ACL entries so that tom (the owner entry) keeps full rights, a named-user entry gives mary read/write, another gives jack read-only, and the others entry is cleared so everyone else has no access.
Practical ACL Case
For a shared directory /shares/steamies, the group controller owns the directory, a named-group entry gives members of sodor rwx, and a named-user entry for james carries --- so that he is denied all access. The denial holds even if james is a member of sodor, because named-user entries are evaluated before any group entry. The configuration uses recursive setfacl (-R) with both access entries (-m) and default entries (-d -m) so that existing content and anything created later both follow the policy.
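The two scenarios above, as an added example that is not code from the original article: a small parser for getfacl output and an access check that follows the POSIX ACL evaluation order (owner entry, then a matching named-user entry, then the owning group and named groups, then other), applying the mask where the text says it applies. The two ACL listings are constructed to match the tom/mary/jack file and the /shares/steamies directory; the user and group names are the article's, while the file name project/notes.txt and the share being owned by root are assumptions made for the demo.

```python
# Added example (not from the original article): parse getfacl output and
# decide access the way the kernel's POSIX ACL check does, applying the mask
# to named users, named groups and the owning group only. The two listings
# are constructed for the demo; "root" as owner of the share is an assumption.
from collections import namedtuple

Entry = namedtuple("Entry", "tag qualifier perms")   # perms: subset of {'r','w','x'}

NOTES_ACL = """\
# file: project/notes.txt
# owner: tom
# group: admin
user::rwx
user:mary:rw-
user:jack:r--
group::r-x              #effective:r--
mask::rw-
other::---
"""

SHARE_ACL = """\
# file: shares/steamies
# owner: root
# group: controller
user::rwx
user:james:---
group::rwx
group:sodor:rwx
mask::rwx
other::---
default:user::rwx
default:user:james:---
default:group::rwx
default:group:sodor:rwx
default:mask::rwx
default:other::---
"""

def parse_getfacl(text):
    """Return (owner, owning_group, access_entries, default_entries)."""
    owner = owning_group = None
    access, default = [], []
    for raw in text.splitlines():
        line = raw.split("#effective:")[0].strip()    # getfacl's hint, not part of the entry
        if not line:
            continue
        if line.startswith("#"):                       # header lines: "# owner: tom" etc.
            key, _, value = line[1:].partition(":")
            if key.strip() == "owner":
                owner = value.strip()
            elif key.strip() == "group":
                owning_group = value.strip()
            continue
        target = access
        if line.startswith("default:"):                # inherited by new children only
            line, target = line[len("default:"):], default
        tag, qualifier, perms = line.split(":")
        target.append(Entry(tag, qualifier, {c for c in perms if c in "rwx"}))
    return owner, owning_group, access, default

def acl_permits(acl, user, groups, want):
    """Does `user` (member of the set of group names `groups`) get every right
    in `want`? Same order and mask rules as Linux posix_acl_permission()."""
    owner, owning_group, entries, _ = acl
    want = set(want)
    mask = next((e.perms for e in entries if e.tag == "mask"), None)
    def masked(perms):
        return perms if mask is None else perms & mask
    if user == owner:                                  # 1. owner entry, never masked
        return want <= next(e.perms for e in entries if e.tag == "user" and not e.qualifier)
    for e in entries:                                  # 2. named user: masked, and final
        if e.tag == "user" and e.qualifier == user:
            return want <= masked(e.perms)
    matched = False                                    # 3. owning group and named groups
    for e in entries:
        if e.tag == "group":
            name = e.qualifier or owning_group
            if name in groups:
                matched = True
                if want <= masked(e.perms):
                    return True
    if matched:                                        # a group matched but did not grant:
        return False                                   # no fall-through to "other"
    return want <= next(e.perms for e in entries if e.tag == "other")   # 4. other, not masked

def acl_rights(acl, user, groups=()):
    """Per-right view of acl_permits, like the rwx column getfacl would show."""
    return {p for p in "rwx" if acl_permits(acl, user, set(groups), {p})}

if __name__ == "__main__":
    notes = parse_getfacl(NOTES_ACL)
    for who, grps in (("tom", ()), ("mary", ()), ("jack", ()), ("sue", ("admin",)), ("bob", ())):
        print(f"notes.txt  {who:<5} {''.join(sorted(acl_rights(notes, who, grps))) or '-'}")
    share = parse_getfacl(SHARE_ACL)
    print("steamies james (in sodor):", acl_rights(share, "james", ("sodor",)))   # set()
    print("steamies percy (in sodor):", acl_rights(share, "percy", ("sodor",)))   # {'r', 'w', 'x'}
```

Two details the check makes visible: sue, a member of admin, gets only r on notes.txt because the mask rw- strips the x from group::r-x (exactly what the #effective:r-- annotation says), and james gets nothing on the share despite group:sodor:rwx because his named-user entry is consulted first and ends the search.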
Key Takeaways
Understand the three‑class rwx model and its numeric encoding.
Use chmod, chown, and umask for basic permission management.
Apply special bits (SUID/SGID/sticky) when elevated or shared‑directory behavior is required.
Leverage ACLs for granular access control beyond the traditional model.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc.
