
Master Linux File Permissions: From Basics to Advanced ACLs

This guide explains Linux file permissions, covering the concepts of read, write, and execute rights, symbolic and numeric representations, the chmod command, special bits like setuid, setgid, and sticky, default permissions controlled by umask, ownership management with chown/chgrp, and an introduction to ACLs for fine‑grained access control.

MaGe Linux Operations

Linux Permission Management

1. Permission Overview

1.1 What is a Permission

Permission in a computer system refers to the rights a user has to use software resources.

Think: What are the two parts of computer resources?

Hardware resources such as disk, CPU, memory, network card.

Software resources: the operating system (special software) and applications. In Linux, everything is a file, so software resources are file resources.

Summary: The permissions we discuss are the file permissions associated with file resources.

1.2 Purpose of Permission Settings

The purpose of setting file permissions is to grant a specific user the right to operate on a file.

1.3 Types of File Permissions

Normal permissions: Permissions a user normally has to operate on a file.

Advanced permissions: Special permissions needed when normal permissions are insufficient.

Default permissions: The permissions a file receives automatically when created.

Note: Permissions are set on the file, not on the user.

2. Normal Permissions (Key)

2.1 Understanding rwx

Read Permission – r (read)

For directories: r allows listing the directory contents (ls).

For regular files: r allows viewing the file content (cat, less, etc.).

Numeric value: 4.

Write Permission – w (write)

For directories: w allows creating, deleting, renaming entries (mkdir, touch, mv, rm).

For regular files: w allows modifying the file content (vi, vim).

Numeric value: 2.

Execute Permission – x (execute)

For directories: x allows entering the directory (cd).

For regular files: x allows executing the file (scripts, binaries).

Numeric value: 1.

No Permission – -

Represented by a dash, numeric value 0.

2.2 Understanding UGO

UGO denotes the three user classes:

U – the file owner.

G – users belonging to the file’s group.

O – other users not in the group.

Additionally, a represents all users (U+G+O).

2.3 Checking Permissions

# ls -l

2.4 Modifying Normal Permissions (chmod)

2.4.1 Symbolic Mode

# chmod [options] mode filename
# Common option: -R (recursive)

2.4.2 Examples

Prepare environment:

# mkdir /tmp/dir1
# touch /tmp/dir1/file{1..5}
# touch /tmp/test{1..3}
# ll /tmp/ -R

Modify permissions using symbolic mode:

# cd /tmp
# chmod u+x test1
# chmod g+w test1
# chmod o-r test1
# chmod a+x test2
# chmod u+x,g+w,o-r test3
# chmod u=rw,g=rx,o+r test3

Recursive modification:

# chmod -R o+w dir1/

2.4.3 Numeric Mode

Mapping:

r = 4
w = 2
x = 1
- = 0

Examples:

# chmod 644 file1
# chmod 700 file2
# chmod -R 755 dir1

2.5 Summary

Whether a user can delete files in a directory depends on the directory’s permissions.

Normal directories should at least have r‑x permissions.

3. Advanced Permissions (Overview)

3.1 Types of Advanced Permissions

Setuid (S): When set on an executable, the process runs with the file owner’s privileges. Numeric value 4. Set with chmod u+s filename or chmod 4xxx filename.

Setgid (S): When set on a directory, new files inherit the directory’s group. Numeric value 2. Set with chmod g+s filename or chmod 2xxx filename.

Sticky (T): For public directories, only the owner or root can delete files. Numeric value 1. Set with chmod o+t filename or chmod 1xxx filename.

3.2 Examples

Setuid Example

# which vim
/usr/bin/vim
# chmod u+s /usr/bin/vim
# ls -l /usr/bin/vim
-rwsr-xr-x ... /usr/bin/vim

Setgid Example

# mkdir dir2
# chmod g+s dir2
# chmod o+w dir2
# ls -ld dir2
drwxr-srwx ... dir2

Sticky Example

# mkdir /tmp/dir3
# chmod 1777 /tmp/dir3
# ls -ld /tmp/dir3
drwxrwxrwt ... /tmp/dir3
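
Setuid files, setgid entries, and world-writable directories that lack the sticky bit are the results of the commands above that an administrator reviews on a real system. The following is an added example, not part of the original article, that lists them under a directory; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: list special-bit findings under a directory tree.
# Function names and the sample tree are constructed for illustration.

# Print one "LABEL PATH" line per finding below directory $1.
audit_special_bits() {
    # Regular files that execute with the owner's identity (setuid, 4xxx).
    find "$1" -xdev -type f -perm -4000 -print | sed 's/^/SETUID /'
    # Files or directories carrying setgid (2xxx).
    find "$1" -xdev -perm -2000 -print | sed 's/^/SETGID /'
    # Directories writable by everyone but lacking the sticky bit (1xxx),
    # so any user can delete or rename other users' files in them.
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print |
        sed 's/^/WORLD_WRITABLE_NO_STICKY /'
}

# Build a throwaway tree with one instance of each case; print its path.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    touch "$t/editor" "$t/plain"
    chmod 4755 "$t/editor"   # setuid, like the vim example
    chmod 0644 "$t/plain"    # ordinary file, must not be reported
    mkdir "$t/shared" "$t/public" "$t/open"
    chmod 2775 "$t/shared"   # setgid directory
    chmod 1777 "$t/public"   # sticky public directory, acceptable
    chmod 0777 "$t/open"     # world-writable without sticky
    printf '%s\n' "$t"
}

tree=$(make_sample_tree)
audit_special_bits "$tree"
rm -rf "$tree"
```

After the setuid demonstration, chmod u-s /usr/bin/vim returns the editor to its normal mode.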

4. Default Permissions (Umask)

4.1 What is Default Permission

Default permissions (also called mask permissions) are the rights a newly created file receives automatically.

4.2 Controlling Default Permissions with umask

The umask value specifies which permission bits are removed (masked out) from the maximum permissions (777 for directories, 666 for files).

Temporary Control

# umask 0007   # sets temporary umask for current shell

Resulting default permissions: directory 770, file 660.

Permanent Control

Modify global config files such as /etc/bashrc or user‑specific ~/.bashrc to set umask 0007, then source the file.
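
The umask clears bits rather than subtracting digits, which matters for masks such as 0033 (new files become 644, not 633). The following is an added example, not part of the original article, that creates a file and a directory under several masks and compares the result with a bitwise prediction; the function names are made up here and stat -c assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: how umask shapes the mode of new files and directories.
# Function names are constructed for illustration; stat -c is GNU coreutils.

# Predict the mode: base (666 or 777) with the umask bits cleared.
predict_mode() {
    printf '%o\n' $(( 0$1 & ~0$2 ))
}

# Create a file and a directory under umask $1 and print "FILE_MODE DIR_MODE".
modes_under_umask() {
    work=$(mktemp -d) || return 1
    (
        umask "$1"            # subshell: the caller's umask is untouched
        touch "$work/file"    # touch requests 666
        mkdir "$work/dir"     # mkdir requests 777
    )
    printf '%s %s\n' "$(stat -c %a "$work/file")" "$(stat -c %a "$work/dir")"
    rm -rf "$work"
}

for mask in 0022 0007 0033; do
    printf 'umask %s -> %s (predicted %s %s)\n' "$mask" \
        "$(modes_under_umask "$mask")" \
        "$(predict_mode 666 "$mask")" "$(predict_mode 777 "$mask")"
done
```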

5. File Owner and Group

5.1 Viewing Owner and Group

# ls -l filename

5.2 Changing Owner and Group

Use chown:

# chown user filename               # change owner
# chown user:group filename         # change both
# chown :group filename             # change group only
# chown -R user:group directory     # recursive

Or chgrp to change only the group:

# chgrp group filename

6. ACL Access Control (Extended)

6.1 What ACL Can Do

Provide fine‑grained permission control beyond traditional rwx.

Assign specific permissions to individual users.

Assign permissions to groups or multiple users.

6.2 Setting ACLs (setfacl)

# setfacl -m u:user:rwx file1   # grant user permissions
# setfacl -m g:group:rwx file1  # grant group permissions
# setfacl -x u:user file1       # remove user entry
# setfacl -b file1              # delete all ACLs

6.3 Viewing ACLs (getfacl)

# getfacl filename