Master Linux File Permissions: UGO, ACL, and chmod/chown Commands Explained

Basic UGO Permissions

Linux classifies users into three categories: U (owner), G (group), and O (others). Each category can be assigned three basic permissions: read (r, value 4), write (w, value 2), and execute (x, value 1). This scheme is known as the UGO model.

Permission Bits

The three bits have the following meanings:

r – read permission (4)

w – write permission (2)

x – execute permission (1)

Effect on Files vs. Directories

For files:

r – read the file's contents

w – modify the file's contents

x – execute the file (relevant for binaries or scripts)

For directories (which are essentially files containing a list of entries):

r – list the directory's entries

w – create or delete entries within the directory

x – traverse the directory (enter it) and access attributes of its contents

Changing File Attributes and Permissions

Three common commands are used to manage ownership and permissions:

chown – change file owner and/or group

chgrp – change file group

chmod – change file permission bits

1. chmod – modify permissions

chmod [options] <mode> <file...>

Examples:

chmod ugo+r a.conf

chmod u+rwx c.sh

chmod a+rw *

chmod 777 file   # equivalent to u=rwx,g=rwx,o=rwx

chmod 600 file   # owner read/write, others no access

2. chown – change owner (and optionally group)

chown [options] user[:group] file...

Examples (requires root):

chown tom:users d.key e.scrt

chown -R James:users *

3. chgrp – change group

chgrp group file

Example:

chown user1 f1   # changes owner to user1

Basic ACL Permissions

The traditional UGO model has limitations; Access Control Lists (ACLs) provide finer-grained permissions for individual users or groups beyond the basic r/w/x bits.

ACL Basic Usage

Use getfacl to view current ACLs and setfacl -m to modify them.

touch /home/test.txt
getfacl /home/test.txt

setfacl -m u:alice:rw /home/test.txt

After the command, user alice has rw- permissions.

Mask and Default Permissions

The mask entry defines the maximum effective permissions for ACL entries; the default entry specifies permissions that new files or sub‑directories inherit.

setfacl -m m::rw- file

setfacl -d d::rw- directory

Important Notes

Both mask and default entries use the :: syntax to refer to all users.

Permissions can be expressed symbolically (rw-) or numerically (e.g., 6).

The allowed range is between - (no permission) and rwx (full permission).

File Permission Applications

Control which users can access or modify files.

Prevent execution of malicious programs.

Protect the integrity and confidentiality of data.