
Master Linux Permissions: From Basic rwx to SUID, ACL, and Hidden Attributes

This guide explains Linux file and directory permissions, covering basic rwx modes, numeric and symbolic chmod, ownership changes with chown/chgrp, special bits like SUID/SGID/SBIT, umask calculations, hidden attributes via chattr/lsattr, ACL management with setfacl/getfacl, and sudo configuration for secure privilege escalation.

Liangxu Linux

Linux uses a three‑level permission model (owner, group, others) represented by the characters r, w, and x. Each set of three bits can be expressed numerically (4 = read, 2 = write, 1 = execute) to form values such as 644 (rw-r--r--) or 755 (rwxr-xr-x).

Changing Permissions

chmod modifies the mode of files or directories. Examples:

chmod 644 test.txt
chmod u+rwx,g+rw,o-r file

chown changes the owner, and chgrp changes the group.

chown root:staff /path/file

Special Permission Bits

The first digit of a four‑digit mode encodes special bits:

4 – SetUID (s) – runs a program with the file owner’s UID.
2 – SetGID (s) – runs a program with the file’s group ID or forces new files in a directory to inherit the directory’s group.
1 – Sticky bit (t) – restricts deletion/renaming of files in a directory to the file owner, directory owner, or root.

Examples:

chmod 4755 /usr/bin/passwd   # SetUID on passwd
chmod 2775 /shared/dir      # SetGID on a directory
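Because these bits change whose privileges a program runs with or who may delete files, they are worth auditing. The following is an added example, not part of the original article: audit_special_bits and make_sample_tree are hypothetical helper names, and the sample tree is constructed in a temporary directory so the script runs without root.

```sh
#!/bin/sh
# Added example: list files and directories carrying special permission bits.

# audit_special_bits DIR -> one finding per line: "<kind> <path>"
audit_special_bits() {
    # -perm -NNNN matches when all of the given bits are set
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sed 's/^/setuid-file /'
    find "$1" -xdev -type f -perm -2000 2>/dev/null | sed 's/^/setgid-file /'
    find "$1" -xdev -type d -perm -2000 2>/dev/null | sed 's/^/setgid-dir /'
    # World-writable directory without the sticky bit: any user can delete
    # or rename other users' files in it.
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null |
        sed 's/^/world-writable-no-sticky /'
}

# make_sample_tree -> prints the path of a constructed test tree
make_sample_tree() (
    d=$(mktemp -d) || exit 1
    umask 022
    mkdir "$d/shared" "$d/drop" "$d/tmp"
    : > "$d/helper"
    : > "$d/plain"
    chmod 4755 "$d/helper"   # SetUID file, same mode as the passwd example
    chmod 2775 "$d/shared"   # SetGID directory
    chmod 0777 "$d/drop"     # world-writable, no sticky bit
    chmod 1777 "$d/tmp"      # world-writable with sticky bit (not reported)
    printf '%s\n' "$d"
)

tree=$(make_sample_tree)
audit_special_bits "$tree"
rm -rf "$tree"
```

On a real system, point audit_special_bits at / or a specific mount and compare the output against a known-good baseline.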

Umask and Default Permissions

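Umask removes permission bits from the maximum defaults (files = 666, directories = 777). Each bit set in the umask is cleared in the new mode; this gives the same result as subtraction only when every umask bit is present in the default. For a typical umask of 022, new files become 644 and new directories become 755:

new_file_mode = 666 & ~022 = 644
new_dir_mode  = 777 & ~022 = 755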
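The umask is applied as a bit mask (mode AND NOT umask), which differs from arithmetic subtraction whenever the umask contains a bit the default lacks: with umask 033 a new file gets 644, not 633. The following is an added example, not from the original article; predicted_mode and observed_mode are hypothetical helper names, and 033 and 027 are constructed inputs.

```sh
#!/bin/sh
# Added example: compare the mode of new files/directories with mask arithmetic.

# predicted_mode MASK KIND -> base & ~MASK in octal (KIND is "file" or "dir")
predicted_mode() {
    case $2 in dir) base=0777 ;; *) base=0666 ;; esac
    printf '%o\n' $(( $base & ~0$1 ))
}

# observed_mode MASK KIND -> mode actually assigned under that umask
observed_mode() (
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT
    umask "$1"                      # only affects this subshell
    if [ "$2" = dir ]; then mkdir "$tmp/new"; else : > "$tmp/new"; fi
    stat -c '%a' "$tmp/new"
)

# 022 is the article's example; 033 and 027 are constructed inputs.
for mask in 022 033 027; do
    for kind in file dir; do
        printf 'umask %s %-4s predicted=%s observed=%s\n' "$mask" "$kind" \
            "$(predicted_mode "$mask" "$kind")" \
            "$(observed_mode "$mask" "$kind")"
    done
done
```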

Hidden Attributes (chattr / lsattr)

Beyond rwx, ext2/3/4 support immutable (i) and append‑only (a) flags.

i – the file cannot be modified, renamed, or deleted; for a directory, existing files can still be modified, but entries cannot be created or deleted.
a – data can only be appended; existing content cannot be overwritten.

Commands:

lsattr -a /path/file          # view attributes
chattr +i /path/file          # set immutable
chattr -i /path/file          # clear immutable

Access Control Lists (ACL)

ACLs allow fine‑grained permissions for individual users or groups.

getfacl displays the current ACL.

getfacl /project

setfacl adds, modifies, or removes entries.

setfacl -m u:stu:rx /project          # give user stu read/execute
setfacl -d -m g:dev:rwx /shared        # default ACL for new files
setfacl -x u:stu /project              # remove stu's entry
setfacl -b /project                    # delete all ACLs

ACL entries are limited by the mask entry, which defines the maximum effective permissions for named users and groups.

sudo Configuration

The /etc/sudoers file controls which users may execute commands as other users (typically root). Common patterns:

# Allow a group to run any command
%admin ALL=(ALL) ALL

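# Block specific commands for a user. Exclusions after ALL are not a
# reliable control (see the sudoers manual); listing only the permitted
# commands is.
bob ALL=(ALL) ALL, !/bin/bash, !/bin/su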

# Require a password for every sudo invocation
Defaults timestamp_timeout=0

Use visudo to edit the file safely.

Practical Example

Suppose a class project directory /project should be fully writable by the teacher (root) and the class group tgroup, but a guest student stu should only read and execute files. The steps are:

# Create group and users (as root)
groupadd tgroup
useradd -G tgroup zhangsan
useradd -G tgroup lisi
useradd stu

# Set ownership and permissions on the directory
chown root:tgroup /project
chmod 770 /project

# Give stu read/execute via ACL
setfacl -m u:stu:rx /project

# Verify
getfacl /project

The resulting ACL shows the explicit user:stu:r-x entry and a mask that limits effective rights.
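To see how the mask described in the ACL section limits the entries in this example, the following added script (not part of the original article) computes effective rights from getfacl-style text. effective_acl is a hypothetical helper name, and the sample input, including the lisi entry and the r-x mask, is constructed.

```sh
#!/bin/sh
# Added example: apply the ACL mask to named-user, named-group and
# owning-group entries, the entries the mask limits.

# effective_acl: reads getfacl output on stdin, prints "tag:qualifier:perms"
effective_acl() {
    awk -F: '
        /^#/ || NF < 3 || $1 == "default" { next }   # headers, default ACL
        {
            sub(/[ \t]*#.*/, "", $3)                 # drop "#effective:" notes
            n++; tag[n] = $1; who[n] = $2; perm[n] = $3
            if ($1 == "mask") mask = $3
        }
        END {
            for (i = 1; i <= n; i++) {
                if (tag[i] == "mask") continue
                p = perm[i]
                # Owner (user::) and other:: are never limited by the mask.
                limited = (tag[i] == "user" && who[i] != "") || tag[i] == "group"
                if (limited && mask != "") {
                    e = ""
                    for (k = 1; k <= 3; k++)
                        e = e (substr(mask, k, 1) == "-" ? "-" : substr(p, k, 1))
                    p = e
                }
                printf "%s:%s:%s\n", tag[i], who[i], p
            }
        }'
}

# Constructed sample: /project with the mask narrowed to r-x.
effective_acl <<'EOF'
# file: project
# owner: root
# group: tgroup
user::rwx
user:stu:r-x
user:lisi:rwx
group::rwx
mask::r-x
other::---
EOF
```

With this mask, lisi and the owning group are reduced to r-x even though their entries say rwx, while the owner keeps rwx.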

Useful Command‑Line Shortcuts

!! – repeat the previous command.
Esc + . – insert the last argument of the previous command.
cd - – return to the previous directory.

In vim, use :w !sudo tee % to write a file that requires root privileges.
