Master Linux File Permissions: From Basics to Advanced ACLs
This guide explains Linux file permissions, covering basic read/write/execute rights, symbolic and numeric chmod usage, advanced bits like setuid, setgid and sticky, default umask settings, ownership changes with chown/chgrp, and ACL management with setfacl/getfacl, all illustrated with practical command examples.
Overview of Permissions
In Linux, a permission defines what actions a user can perform on a file or directory.
Hardware resources – disks, CPU, memory, network cards, etc.
Software resources – everything under the filesystem; in Linux, everything is a file.
Summary: The permissions discussed refer to file‑resource permissions, i.e., file permissions.
Purpose of Permission Settings
File permissions are set so that a specific user can operate on a file.
Types of File Permissions
Ordinary permissions – the normal rights a user has when accessing a file.
Advanced permissions – special rights needed when ordinary permissions are insufficient.
Default permissions – the permissions a newly created file receives automatically.
Ordinary Permissions (rwx)
Read (r)
Directory: ls can list its contents.
File: commands such as cat, head, less can view its content.
Numeric value: 4
Write (w)
Directory: can create, delete, rename entries (mkdir, touch, mv, rm).
File: can modify its content (e.g., with vi).
Numeric value: 2
Execute (x)
Directory: can enter it (cd).
File: can execute it (scripts, binaries).
Numeric value: 1
No Permission (-)
Represented by a dash; numeric value 0.
Understanding UGO
U – the file owner.
G – users belonging to the file’s group.
O – all other users.
Additionally, a stands for “all users” (U+G+O).
Checking Permissions
# ls -l
Modifying Ordinary Permissions with chmod
Syntax
chmod [options] mode filename
The common option -R applies changes recursively.
Symbolic mode examples
# mkdir /tmp/dir1
# touch /tmp/dir1/file{1..5}
# chmod u+x test1
# chmod g+w test1
# chmod o-r test1
# chmod a+x test2
# chmod u=rw,g=rx,o+r test3
# chmod -R o+w dir1/
Numeric mode
# chmod 644 file1
# chmod 700 file2
# chmod -R 755 dir1
Advanced Permissions
Setuid (SETUID)
Allows a program to run with the file owner’s privileges. Set with chmod u+s filename or chmod 4xxx filename.
Setgid (SETGID)
On directories, forces newly created files to inherit the directory’s group. Set with chmod g+s dirname or chmod 2xxx dirname.
Sticky Bit
Used on public directories so that only the file’s owner or root can delete a file. Set with chmod o+t dirname or chmod 1777 dirname.
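An audit for the three bits described above, as an added example that is not part of the original article. The helper names audit_special_bits and make_demo_tree and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: report special permission bits under a directory tree.
# audit_special_bits and make_demo_tree are hypothetical helper names.

# Prints one finding per line as "<KIND> <path>".
audit_special_bits() {
    root=$1
    # setuid files run with the file owner's privileges
    find "$root" -xdev -type f -perm -4000 -print | sed 's/^/SETUID /'
    # setgid files run with the file group's privileges
    find "$root" -xdev -type f -perm -2000 -print | sed 's/^/SETGID /'
    # world-writable directories lacking the sticky bit: any user may
    # delete or rename files that belong to someone else
    find "$root" -xdev -type d -perm -0002 ! -perm -1000 -print |
        sed 's/^/WW-NOSTICKY /'
}

# Constructed sample tree (not real system paths); prints its location.
make_demo_tree() {
    d=$(mktemp -d)
    touch "$d/plain" "$d/suid-tool"
    chmod 644 "$d/plain"
    chmod 4755 "$d/suid-tool"   # same effect as chmod u+s on a 755 file
    mkdir "$d/shared" "$d/dropbox"
    chmod 1777 "$d/shared"      # public directory with sticky bit
    chmod 0777 "$d/dropbox"     # public directory without sticky bit
    printf '%s\n' "$d"
}

demo=$(make_demo_tree)
audit_special_bits "$demo"      # reports suid-tool and dropbox only
rm -rf "$demo"
```

The -xdev option keeps each scan on one filesystem, and running the audit as root lets find descend into directories other users cannot read.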
Advanced Permission Examples
# which vim
# chmod u+s /usr/bin/vim # setuid on vim: it then runs with its owner's privileges (normally root) for every user
# chmod g+s dir2 # setgid on a directory
# chmod o+t /tmp/dir3 # sticky bit on a public directory
Default Permissions and umask
umask controls the default permissions for newly created files and directories.
Temporary control
# umask 0007 # set temporary mask
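# umask # view current mask
Calculation example: new directories start from 0777 and new files from 0666, and the bits set in the mask are removed. With umask 0007, directories get 0770 (rwxrwx---) and files get 0660 (rw-rw----).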
Permanent control
Edit a global file such as /etc/bashrc or a user’s ~/.bashrc and add umask 0007, then source the file to apply immediately.
Owner and Group Management
chown
# chown user file
# chown user:group file
# chown -R user:group directory
chgrp
# chgrp group file
ACL Access Control
Setting ACLs with setfacl
# setfacl -m u:user:rwx file # grant user permissions
# setfacl -m g:group:rwx file # grant group permissions
# setfacl -x u:user file # remove a user’s ACL
# setfacl -b file # delete all ACLs
Viewing ACLs with getfacl
# getfacl file
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
