
Master Linux File Permissions: From chmod to ACL and umask

This guide explains Linux file permission concepts—including owner, group, and others permissions, numeric and symbolic representations, default settings, the role of umask, and advanced features like ACLs, special bits, and immutable attributes—while providing practical command examples for managing files and directories securely.

MaGe Linux Operations

File Permissions Overview

Each file has an owner (u), a group (g), and others (o); permissions are read (r), write (w), and execute (x). The kernel applies exactly one class to a process: the owner bits if the process's user ID matches the file's owner, otherwise the group bits if one of its groups matches the file's group, otherwise the others bits. The classes are not cumulative, so a file with mode 007 is unreadable by its own owner (short of chmod'ing it back) while everyone else can read it. Regular files and directories interpret the bits differently.

Regular file permissions: r – can read the contents (e.g., with cat); w – can modify the contents; x – can execute it (a script additionally needs r, because the interpreter has to read it).

Directory permissions: r – list the entry names; w – create, delete, or rename entries (only together with x); x – traverse the directory: enter it with cd, reach any path below it, and read the entries' metadata (ls -l on a directory with r but no x prints the names but cannot read their details).

Default permissions are 644 for regular files and 755 for directories; these are not fixed values but the result of the creating program requesting 666 or 777 and the process umask (typically 022) clearing the write bits for group and others. Symbolic links always show 777; their mode bits are ignored, and access is decided by the target's permissions, so umask does not apply to them.

Permission Representation

Permissions can be expressed numerically or symbolically. Numerically each class is one octal digit that is the sum of r=4, w=2, x=1, so 764 means rwx for the owner (4+2+1), rw- for the group (4+2), and r-- for others (4); the symbolic form is the same nine characters that ls -l prints, rwxrw-r--.

Changing Permissions with chmod

Only the file's owner and root (more precisely, a process with CAP_FOWNER) can modify its permissions; being in the file's group or having write permission on the file does not suffice.

chmod [OPTION]... MODE[,MODE]... FILE...
chmod [OPTION]... num_mode FILE...
chmod --reference=RFILE FILE...

Numeric example:

chmod 755 /tmp/a.txt     # rwxr-xr-x

Symbolic example:

chmod u-x,g-x,o-x test   # remove execute for all three classes (same as chmod a-x test)
chmod a+x test           # add execute for all three classes

Group Ownership with chgrp

Change a file or directory's group. For a symbolic link the operation affects the target by default; use -h to change the link itself. A non-root user may only assign a group they are themselves a member of.

chgrp [OPTION]... GROUP FILE...
chgrp --reference=RFILE FILE...

Changing Owner with chown

Modify the owner and/or group; for symbolic links the target is changed by default (-h changes the link itself). Only root (CAP_CHOWN) can change a file's owner; an ordinary user who owns a file can only change its group, and only to one of their own groups, because giving files away would let users evade disk quotas and plant files under other users' names.

chown [OPTION]... [OWNER][:GROUP] FILE...
chown --from=CURRENT_OWNER:CURRENT_GROUP FILE...
chown --reference=RFILE FILE...

Underlying Mechanism

Permission bits, owner, and group are stored in the file's inode, not in the directory entry, which is why a file with several hard links has a single set of permissions. The kernel checks the bits when a process opens a file, executes it, or looks up a path component through a directory, not on every later read or write: a descriptor opened while access was permitted keeps its access mode after the file is chmod'ed or chowned. Read and write therefore mean access to the file's data blocks through an open descriptor, and execute means the kernel will load the file as a program (or, for a directory, let a path lookup pass through it).

Read, Write, Execute Details

Read permission allows reading a file's data blocks or a directory's entry names. Write permission allows modifying a file's data blocks or creating, deleting, and renaming entries in a directory; the directory operations additionally require execute permission on the directory. Execute permission allows running a file or traversing a directory. Note that deleting or renaming a file is governed entirely by the w and x bits of the containing directory (plus the sticky bit); the file's own permission bits play no part, so a read-only file in a writable directory can still be removed by anyone who can write to that directory.
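The open-time check has a practical consequence for incident response: tightening permissions on a leaked file does not cut off a process that already has it open. The following shell snippet, added here as an illustration and not part of the original article, opens a constructed file on descriptor 3, removes every permission bit, and shows that the held descriptor still reads while a fresh open is refused (unless you run it as root, which bypasses these checks). It assumes only a POSIX shell with mktemp:

```sh
#!/bin/sh
# Added example: DAC permissions are checked at open(), not on each read().
# The sample file content is constructed for the demo.

held_fd_survives_chmod() {
    d=$(mktemp -d)
    f="$d/secret.conf"
    printf 'api_token=constructed-sample-value\n' > "$f"   # constructed sample content

    exec 3< "$f"          # open for reading now: the kernel checks the r bit here
    chmod 000 "$f"        # drop every permission bit on the file

    # A fresh open must pass the check again and is denied (root bypasses DAC, so
    # when running as root this branch reports that the open still succeeded).
    if cat "$f" >/dev/null 2>&1; then
        echo "fresh open: still allowed (running as root?)"
    else
        echo "fresh open: denied, as expected after chmod 000"
    fi

    # The descriptor opened before chmod is not rechecked: the read succeeds.
    read -r line <&3
    exec 3<&-             # close fd 3
    rm -rf "$d"
    echo "held descriptor read: $line"

    [ "$line" = "api_token=constructed-sample-value" ]
}

held_fd_survives_chmod
```

To actually revoke access you must find and end the holders of open descriptors (fuser or lsof on the file will list them) or rotate the secret; chmod alone closes the door only for processes that have not yet opened the file.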

umask

umask defines the default permissions for newly created files and directories by specifying which bits to clear. Root conventionally defaults to 022; regular users default to 002 on distributions that give every user a private primary group. The kernel computes the mode as requested_mode & ~umask (a bitwise AND with the complement), where the creating program normally requests 777 for directories and 666 for regular files (a compiler, or cp copying an executable, may request 777). Treating this as decimal subtraction, 666 - umask, only works when no umask digit clears a bit the requested mode lacks: for umask 023 the kernel produces 666 & ~023 = 644, not 643, which is where the folk rule "add 1 to an odd result digit" comes from. umask can only remove permissions, never add them, and it is a per-process value inherited across fork and exec, so a service started from a shell with a loose umask creates loose files.

umask          # show current umask
umask 022      # set a temporary umask
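To make the numeric representation and the bitwise umask rule concrete, here is an added shell example (not from the original article) that computes the mode a new file or directory receives from the requested mode and the umask, renders an octal mode in the symbolic form ls -l uses (special bits are left out of the rendering), and then checks the arithmetic against what the kernel actually does in a temporary directory. The live check assumes GNU stat (-c); the pure functions work in any POSIX shell:

```sh
#!/bin/sh
# Added example: what umask really does. Numbers are octal throughout.

# new_mode REQUESTED UMASK -> mode a new object gets; the kernel does REQUESTED & ~UMASK.
new_mode() {
    printf '%03o' $(( (0$1 & ~0$2) & 0777 ))
}

# mode_to_symbolic OCTAL -> rwx string for the three classes (e.g. 640 -> rw-r-----).
# Special bits (4000/2000/1000) are ignored here; ls -l shows them as s and t.
mode_to_symbolic() {
    m=$(( 0$1 ))
    out=""
    for pos in 6 3 0; do
        class=$(( (m >> pos) & 7 ))
        if [ $(( class & 4 )) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $(( class & 2 )) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $(( class & 1 )) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    done
    printf '%s' "$out"
}

# Live check: create a file and a directory under a given umask and compare with new_mode.
# The umask is changed inside a subshell so the caller's umask is untouched.
umask_live_check() {   # umask_live_check UMASK (e.g. 027)
    d=$(mktemp -d)
    actual=$(
        cd "$d" && umask "$1" && : > file.txt && mkdir dir &&
        stat -c '%a' file.txt dir 2>/dev/null | tr '\n' ' '
    )
    rm -rf "$d"
    expected="$(new_mode 666 "$1") $(new_mode 777 "$1") "
    echo "umask $1: expected [$expected] actual [$actual]"
    [ "$actual" = "$expected" ]
}

# Worked values: decimal subtraction would give 643 for the third case; the AND gives 644.
for pair in "666 022" "777 022" "666 023" "666 027" "777 077"; do
    set -- $pair
    echo "new_mode $1 $2 = $(new_mode "$1" "$2") ($(mode_to_symbolic "$(new_mode "$1" "$2")"))"
done
umask_live_check 027
```

umask -S prints the current value in symbolic form (u=rwx,g=rx,o=rx for 022), which is often easier to read than the octal complement.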

Extended ACLs

Access Control Lists provide fine‑grained permissions beyond the basic owner/group/others model. Use setfacl to set ACLs and getfacl to view them.

setfacl -m u:alice:rx /data/videos   # grant alice read and traverse on top of the mode bits
setfacl -b /data/file                # remove all ACL entries, leaving only the mode bits

The mask (m) entry caps what every named user, named group, and the owning group can effectively get: an entry's rights are ANDed with the mask, and getfacl prints an #effective: annotation whenever the mask cuts an entry down. Once a file carries an ACL, ls -l appends a + and its group column shows the mask rather than the owning group's rights, and chmod on the group bits rewrites the mask, so a routine chmod g-w can silently strip write access from every ACL entry. setfacl -m recalculates the mask to the union of the group-class entries by default; use the -n (--no-mask) option to keep a deliberately tight mask when adding new entries.
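As an added example (not part of the original article), the following shell code parses constructed getfacl output and reports the effective rights of every named entry after the mask is applied, which is exactly the arithmetic behind the #effective: annotations; a second function, run only where setfacl is installed, the user nobody exists and the filesystem supports ACLs, reproduces the chmod-rewrites-the-mask effect on a temporary file. The sample path, user and group names and the choice of nobody are assumptions:

```sh
#!/bin/sh
# Added example: how the ACL mask limits named entries.

# Constructed getfacl output (not captured from a real host): a directory owned by root,
# group media, with two named users and one named group. The mask r-x cuts bob and
# editors down; alice is unaffected.
SAMPLE_ACL='# file: data/videos
# owner: root
# group: media
user::rwx
user:alice:r-x
user:bob:rwx
group::r-x
group:editors:rw-
mask::r-x
other::---'

# acl_effective_rights "<getfacl output>" -> one line per named entry with effective rights.
# Effective = entry AND mask, computed character by character over the rwx triplet.
acl_effective_rights() {
    printf '%s\n' "$1" | awk -F: '
        /^mask::/ { mask = $3 }
        ($1 == "user" || $1 == "group") && $2 != "" { name[NR] = $1 ":" $2; perm[NR] = $3 }
        END {
            for (n = 1; n <= NR; n++) {
                if (!(n in perm)) continue
                eff = ""
                for (i = 1; i <= 3; i++) {
                    e = substr(perm[n], i, 1); m = substr(mask, i, 1)
                    eff = eff ((e != "-" && m != "-") ? e : "-")
                }
                printf "%s %s effective:%s\n", name[n], perm[n], eff
            }
        }'
}

# Live demonstration: granting nobody rw- and then running chmod g-w shrinks the mask to
# r--, so getfacl reports user:nobody:rw- #effective:r--. Skipped where the prerequisites
# are missing so the script still runs elsewhere.
acl_mask_live_demo() {
    command -v setfacl >/dev/null 2>&1 || { echo "setfacl not installed; skipping live demo"; return 0; }
    id nobody >/dev/null 2>&1 || { echo "no user nobody; skipping live demo"; return 0; }
    d=$(mktemp -d); f="$d/report.txt"
    : > "$f"                          # mode 644 under the usual umask
    if setfacl -m u:nobody:rw "$f" 2>/dev/null; then
        chmod g-w "$f"                # with an ACL present, the group bits are the mask
        getfacl --omit-header "$f"    # expect: user:nobody:rw-  #effective:r--
    else
        echo "filesystem does not support ACLs; skipping live demo"
    fi
    rm -rf "$d"
}

acl_effective_rights "$SAMPLE_ACL"
acl_mask_live_demo
```

When auditing a host, pipe getfacl -R over the tree of interest through the parser and look for entries whose effective rights differ from what was granted; those are the permissions someone believes exist but the mask has quietly removed.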

File Attributes (chattr / lsattr)

chattr can set attributes that sit outside the permission model, such as immutable (i: no writes, renames, deletions or new hard links, not even by root) and append-only (a: data may only be added at the end and the file cannot be deleted or renamed, useful for logs); lsattr lists them. Setting or clearing these flags requires CAP_LINUX_IMMUTABLE, in practice root, and they are not shown by ls -l, so an unexpected "Operation not permitted" for root is usually the first symptom. They are filesystem features (ext2/3/4, XFS, Btrfs and a few others), not part of POSIX. The example below is exactly that kind of trap: with /etc/shadow immutable, passwd and useradd fail until chattr -i is run.

chattr +i /etc/shadow
lsattr /etc/shadow

Special Bits (suid, sgid, sticky)

suid (numeric 4, e.g. chmod 4755 or chmod u+s) makes an executable run with the effective user ID of the file's owner instead of the caller's; this is how passwd can write /etc/shadow. sgid (numeric 2, chmod g+s) does the same for the effective group ID on executables; on a directory it instead makes new files inherit the directory's group (and new subdirectories inherit the sgid bit), which is what makes a shared project directory work. The sticky bit (numeric 1, chmod +t) on a world-writable directory such as /tmp restricts deleting or renaming an entry to the entry's owner, the directory's owner, and root. The Linux kernel ignores suid and sgid on interpreted scripts (#! files) and ignores suid on directories, and it clears suid/sgid on a file when an unprivileged process writes to it or when its owner or group is changed. In ls -l the bits appear as s (or S when the underlying x bit is absent) in the owner and group execute columns and as t (or T) in the others column. Because setuid-root binaries are the classic local privilege-escalation surface, audit them regularly and mount untrusted filesystems with nosuid.
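The audit is the part that matters operationally, so here is an added shell example (not from the original article) with two find-based helpers: one enumerates setuid/setgid executables below a given tree, the other finds world-writable directories that lack the sticky bit (the /tmp mistake). A self-check builds a constructed tree in a temporary directory so the helpers can be exercised without scanning the real system; the file and directory names in it are arbitrary and the only assumptions are a POSIX shell, mktemp and find:

```sh
#!/bin/sh
# Added example: auditing the special bits with find.

# List regular files with suid (4000) or sgid (2000) set, staying on one filesystem.
# On a real host run  find_special_bits /  and compare the list against what the package
# manager says should carry these bits; anything else deserves a look.
find_special_bits() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# List world-writable directories without the sticky bit: anyone can delete or rename
# other users' files there.
find_world_writable_no_sticky() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# Self-check on a constructed tree. A non-root user may set suid on a file they own, so
# this needs no privileges; on a nosuid mount the bit is still stored, just not honoured.
special_bits_selfcheck() {
    d=$(mktemp -d)
    printf '#!/bin/sh\nid\n' > "$d/helper"
    chmod 4755 "$d/helper"                        # rwsr-xr-x (kernel ignores suid on scripts, find still sees the bit)
    mkdir "$d/shared";  chmod 1777 "$d/shared"    # drwxrwxrwt, like /tmp: world-writable but protected by sticky
    mkdir "$d/dropbox"; chmod 0777 "$d/dropbox"   # drwxrwxrwx: world-writable and unprotected
    suid=$(find_special_bits "$d")
    ww=$(find_world_writable_no_sticky "$d")
    rm -rf "$d"
    echo "special-bit files: $suid"
    echo "unprotected world-writable dirs: $ww"
    [ "$suid" = "$d/helper" ] && [ "$ww" = "$d/dropbox" ]
}

special_bits_selfcheck
```

For a shared directory the usual hardening is the other way round: chmod 2775 on the directory so files inherit the project group, combined with a 002 umask for the members, instead of opening it to others at all.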
