
Master Linux File Permissions: From Basics to SetUID, SetGID, and Sticky Bits

This guide explains Linux file permissions, covering the meaning of rwx bits, the UGO model, how to view and modify permissions with ls and chmod (both symbolic and numeric forms), advanced bits like setuid, setgid and sticky, default permissions controlled by umask, ownership changes with chown/chgrp, and an introduction to ACLs for fine‑grained access control.

Liangxu Linux

Permission Overview

In a Linux system, a permission defines what a user can do with a file or directory. Resources are divided into hardware (disk, CPU, memory, NIC) and software, and in Linux everything is treated as a file, so permissions are essentially file permissions.

Purpose of Permission Settings

Permissions are set so that a specific user (or group) has the rights to operate on a file.

Types of File Permissions

Ordinary permissions: The normal rights a user has to operate on a file.

Advanced permissions: Special rights (setuid, setgid, sticky) needed when ordinary permissions are insufficient.

Default permissions: The permissions a newly created file receives automatically.

Understanding rwx

Read (r) – value 4. For directories, it allows listing contents; for files, it allows viewing the content (e.g., cat, less).

Write (w) – value 2. For directories, it permits creating, deleting, or renaming entries; for files, it permits modifying the content (e.g., using vi).

Execute (x) – value 1. For directories, it allows entering the directory (cd); for files, it allows executing the file (scripts, binaries).

None (-) – value 0.

UGO Model

Permissions are expressed for three classes of users:

U (owner): the file’s owner.

G (group): users belonging to the file’s group.

O (others): all other users.

a (all): a shortcut for U+G+O.

Checking Permissions

# ls -l

Example output shows the symbolic permission string (e.g., -rw-r--r--) and the owner/group.

Modifying Ordinary Permissions (chmod)

Symbolic Mode

# chmod u+x file1
# chmod g+w file1
# chmod o-r file1

Multiple changes can be combined, e.g., # chmod u+x,g+w,o-r file3.

Numeric Mode

Permission bits correspond to numbers: r=4, w=2, x=1, -=0. Combine them for each class (owner, group, others). Examples:

# chmod 644 file1   # rw-r--r--
# chmod 700 file2   # rwx------
# chmod -R 755 dir1   # recursive change
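
The numeric form can be decoded mechanically. The following is an added example (not part of the original article) that converts an octal mode into the string ls -l shows, including the optional leading digit used by the setuid, setgid and sticky bits described under Advanced Permissions; an uppercase S or T means the special bit is set but the matching execute bit is not. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: convert an octal mode (644, 4755, ...) into the nine-character
# string that `ls -l` prints after the file-type character.

# triplet DIGIT SPECIAL LOWER UPPER
# Prints r/w/x for one class. When SPECIAL is non-zero the execute slot shows
# LOWER if x is also set and UPPER if it is not.
triplet() (
    r=-; w=-; x=-
    if [ $(( $1 & 4 )) -ne 0 ]; then r=r; fi
    if [ $(( $1 & 2 )) -ne 0 ]; then w=w; fi
    if [ $(( $1 & 1 )) -ne 0 ]; then x=x; fi
    if [ "$2" -ne 0 ]; then
        if [ "$x" = x ]; then x=$3; else x=$4; fi
    fi
    printf '%s%s%s' "$r" "$w" "$x"
)

# mode_to_symbolic MODE: MODE is three or four octal digits.
mode_to_symbolic() (
    mode=$1
    case $mode in
        [0-7][0-7][0-7])      mode=0$mode ;;   # no special bits given
        [0-7][0-7][0-7][0-7]) ;;
        *) echo "invalid octal mode: $mode" >&2; exit 1 ;;
    esac
    special=${mode%???}        # leading digit: setuid=4, setgid=2, sticky=1
    rest=${mode#?}
    u=${rest%??}
    g=${rest#?}; g=${g%?}
    o=${rest#??}
    triplet "$u" $(( $special & 4 )) s S
    triplet "$g" $(( $special & 2 )) s S
    triplet "$o" $(( $special & 1 )) t T
    echo
)

# Constructed sample modes, including the ones used on this page.
for m in 644 700 755 4755 4644 2770 1777; do
    printf '%-5s %s\n' "$m" "$(mode_to_symbolic "$m")"
done
```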

Directory Permissions

Changing a directory’s own permissions does not affect the files inside it unless the -R (recursive) option is used.

Advanced Permissions

Setuid (SUID)

Allows a program to run with the file owner’s privileges.

Represented by s (or S) and numeric value 4.

Set with chmod u+s filename or chmod 4755 filename.

# which vim
# chmod u+s /usr/bin/vim

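After setting, the permission string becomes -rwsr-xr-x. vim now runs with its owner's privileges (for /usr/bin/vim that is normally root) no matter who starts it, so any user can edit files they normally could not.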

Setgid (SGID)

For directories, newly created files inherit the directory’s group.

Represented by s (or S) and numeric value 2.

Set with chmod g+s dirname or chmod 2xxx dirname.

# chmod g+s dir2
# chmod o+w dir2   # give write permission so users can create files

Files created inside dir2 now belong to the directory’s group.

Sticky Bit

Used on public directories so that anyone can create files, but only a file’s owner (or root) can delete it.

Represented by t (or T) and numeric value 1.

Set with chmod o+t dirname or chmod 1777 dirname.

# mkdir /tmp/dir3
# chmod 1777 /tmp/dir3

The resulting permission string is drwxrwxrwt.
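
Because these bits change who a program runs as and who may delete files, they are worth auditing. The following is an added example (not from the original article) that lists setuid/setgid files and world-writable directories that lack the sticky bit, and compares the set-id files against a baseline; the function names, the baseline file and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a directory tree for the special bits described above.

# list_setid ROOT: regular files with setuid (4000) or setgid (2000) set.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# list_open_dirs ROOT: world-writable directories WITHOUT the sticky bit,
# i.e. places where any user can delete another user's files.
list_open_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print | sort
}

# unexpected_setid ROOT BASELINE: set-id files under ROOT that are not listed
# (one path per line) in the reviewed BASELINE file.
unexpected_setid() {
    list_setid "$1" | grep -Fxv -f "$2" || true
}

# Constructed sample tree so the audit can be tried without touching the system.
make_sample_tree() (
    root=$(mktemp -d) || exit 1
    mkdir "$root/bin" "$root/shared" "$root/public"
    : > "$root/bin/editor"; chmod 4755 "$root/bin/editor"  # like chmod u+s on vim
    : > "$root/bin/plain";  chmod 755  "$root/bin/plain"
    chmod 0777 "$root/shared"    # world-writable, no sticky bit
    chmod 1777 "$root/public"    # same mode as /tmp/dir3 above
    echo "$root"
)

root=$(make_sample_tree)
echo "set-id files:";                 list_setid "$root"
echo "open directories, no sticky:";  list_open_dirs "$root"
rm -rf "$root"
```

On a real system, point the functions at / (or one mount at a time) as root and keep the baseline under version control so that a new setuid file stands out.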

Default Permissions (umask)

The umask value masks bits from the maximum possible permissions (777 for directories, 666 for files) to produce default permissions for newly created objects.

Temporary Control

# umask

Shows the current mask (e.g., 0022). Changing it with umask 0007 makes new directories default to 770 and files to 660.

Permanent Control

Modify shell initialization files:

Global: /etc/bashrc or /etc/profile

User-specific: ~/.bashrc or ~/.bash_profile

# echo "umask 0007" >> /etc/bashrc
# source /etc/bashrc
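
The mask is applied bit by bit, not by decimal subtraction, which matters for masks such as 0033 (files become 644, not 633). The following is an added example (not from the original article) that predicts the defaults and then confirms them by creating a file and a directory in a scratch location; it assumes GNU stat (stat -c %a), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: how umask turns 666/777 into the default modes.

# predicted_modes MASK: prints "FILE_MODE DIR_MODE" computed as
# base AND (NOT mask), which is what the kernel does at creation time.
predicted_modes() {
    printf '%o %o\n' $(( 0666 & ~0$1 )) $(( 0777 & ~0$1 ))
}

# modes_under_umask MASK: creates a file and a directory with MASK in effect
# and prints their real modes. The function body is a subshell, so the
# caller's umask is left unchanged. Assumes GNU stat for `-c %a`.
modes_under_umask() (
    umask "$1"
    tmp=$(mktemp -d) || exit 1
    : > "$tmp/file"
    mkdir "$tmp/dir"
    printf '%s %s\n' "$(stat -c %a "$tmp/file")" "$(stat -c %a "$tmp/dir")"
    rm -rf "$tmp"
)

# Constructed sample masks: the common default, the one used on this page,
# and one where subtraction would give the wrong answer.
for mask in 0022 0007 0033; do
    printf 'umask %s  predicted: %s  observed: %s\n' \
        "$mask" "$(predicted_modes "$mask")" "$(modes_under_umask "$mask")"
done
```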

File Ownership and Group

Viewing

# ls -l filename

Changing

Use chown to modify owner and/or group, optionally with -R for recursion:

# chown user:group file
# chown :group file   # change only group

Use chgrp to change only the group:

# chgrp group file

ACL (Access Control List) – Extended Permissions

ACLs provide finer‑grained control beyond the traditional rwx model.

Setting ACLs

# setfacl -m u:user01:rwx /path/file1   # grant user
# setfacl -m g:sysadmin:rw /path/file1   # grant group
# setfacl -x u:user01 /path/file1       # remove user entry
# setfacl -b /path/file1               # delete all ACLs

Viewing ACLs

# getfacl /path/file1

Classroom Exercises (Sample Tasks)

Create users user01 through user05 and an admin group.

Add user01 through user03 to the admin group.

In user01’s home directory, create file1 through file3.

Have user02 edit /home/user01/file1 with the text “good good study, day day up!”.

Append “I known” to the same file as user05.

Let user04 delete all files in /home/user01 (requires appropriate permissions).
