
Master Linux Permissions: From Basics to Advanced Management

This comprehensive guide walks readers from the fundamental concept of Linux permissions—role and object attributes—to practical commands like chmod, chown, su, and sudo, covering symbolic and octal modes, umask defaults, directory nuances, and best-practice security measures for system administrators and users alike.

Open Source Linux

Introduction

This article starts from the essential concept of permissions and gradually dissects the core elements of Linux user roles, file permission flags, and permission commands. It aims to help both newcomers and seasoned administrators build a complete theoretical-to-practical framework for precise permission configuration in complex scenarios.

Core Concepts of Linux Permissions

Nature of Permissions: Role + Object Attributes

In Linux, permission can be understood as “role’s permission to operate on an object”. The role determines who can act, while the object attributes define what actions are allowed.

Permission = Role + Object Attributes

Person = Real Individual + Identity Role

Three Basic Roles in Linux

Owner : the creator of the file or directory, usually the user themselves.

Group : the user group associated with the file, used for collaborative scenarios.

Other : all users not covered by owner or group.

When using ls -l, the third and fourth fields display the owner and group names, e.g.:

-rwxr-xr-- 1 user1 dev 1024 Jan 10 08:00 test.txt

User Identity and Switching

Root vs. Regular Users

Root (superuser) has virtually unrestricted privileges; its prompt is #.

Regular users have limited rights; by default they can write only within their own home directories, and their prompt is $.

su Command

The su (switch user) command changes the current user identity.

su username   # switch to specified user, keep current directory
su - username # switch and load the target user's login environment

To return to the previous user, use exit or Ctrl+D. Switching from root to a regular user does not require a password.

sudo Command

The sudo (superuser do) command allows a normal user to execute commands with elevated privileges based on a whitelist defined in /etc/sudoers.

sudo command          # run as root
sudo -u user command  # run as a specific user

When sudo is invoked for the first time, the user must enter their own password; after successful authentication, the password is cached for 15 minutes. Users not listed in the whitelist must provide the root password.

# edit /etc/sudoers only through visudo, which locks the file and checks the syntax before saving
user1 ALL=(ALL) ALL   # user1 may run any command as any user, from any host

File Permission Representation and Management

Permission Bits

The first character of ls -l output indicates the file type (e.g., - for a regular file, d for a directory). The next nine characters are three groups of rwx representing owner, group, and other permissions:

r (read, 4) : allows reading file contents or listing directory entries.

w (write, 2) : allows modifying file contents or creating/deleting files in a directory.

x (execute, 1) : allows executing a file or entering a directory.

- : no permission.

chmod Command

Symbolic mode syntax: chmod [u/g/o/a][+/-/=][rwx] filename

Examples:

chmod u+x script.sh      # add execute permission for owner
chmod g-w,o-r file.txt   # remove write from group and read from others
chmod a=rwx directory    # set read/write/execute for everyone

Octal Mode

Each rwx triple maps to a binary number, which is then expressed in octal:

rwx = 111 = 7
rw- = 110 = 6
r-x = 101 = 5
r-- = 100 = 4
-wx = 011 = 3
-w- = 010 = 2
--x = 001 = 1
--- = 000 = 0

Octal examples:

chmod 755 script.sh   # owner rwx, group r-x, others r-x
chmod 644 config.txt  # owner rw-, group r--, others r--
chmod 700 private.sh  # only owner has rwx
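To make the octal table concrete, here is an added example (not code from the article) in plain POSIX sh: it converts a symbolic mode such as rwxr-xr-- to its octal form and back, and then confirms the conversion by applying chmod to a scratch file and reading the mode the kernel actually stored. The function names and the scratch file created with mktemp are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the article): convert between the symbolic and
# octal forms of a mode in plain POSIX sh, then check the conversion
# against the mode the kernel actually stores after a chmod.

# sym_to_octal RWXSTRING -> three octal digits, e.g. "rwxr-xr--" -> 754.
# Each character is checked against the bit it may occupy: r=4, w=2, x=1.
sym_to_octal() {
    s=$1
    [ "${#s}" -eq 9 ] || { echo "sym_to_octal: need 9 characters, got '$s'" >&2; return 1; }
    result=""
    pos=1
    while [ "$pos" -le 9 ]; do
        digit=0
        for weight in 4 2 1; do
            c=$(printf '%s' "$s" | cut -c "$pos")
            case "$c$weight" in
                r4|w2|x1) digit=$((digit + weight)) ;;
                -4|-2|-1) ;;
                *) echo "sym_to_octal: '$c' is not valid at position $pos" >&2; return 1 ;;
            esac
            pos=$((pos + 1))
        done
        result="$result$digit"
    done
    printf '%s\n' "$result"
}

# octal_to_sym OCTAL -> nine permission characters, e.g. 644 -> "rw-r--r--"
octal_to_sym() {
    o=$1
    case "$o" in
        [0-7][0-7][0-7]) ;;
        *) echo "octal_to_sym: need exactly three octal digits, got '$o'" >&2; return 1 ;;
    esac
    result=""
    pos=1
    while [ "$pos" -le 3 ]; do
        d=$(printf '%s' "$o" | cut -c "$pos")
        # test each bit of the digit with the shell's own arithmetic
        if [ $((d & 4)) -ne 0 ]; then result="${result}r"; else result="${result}-"; fi
        if [ $((d & 2)) -ne 0 ]; then result="${result}w"; else result="${result}-"; fi
        if [ $((d & 1)) -ne 0 ]; then result="${result}x"; else result="${result}-"; fi
        pos=$((pos + 1))
    done
    printf '%s\n' "$result"
}

# mode_of PATH -> the nine permission characters ls -l shows for PATH
# (portable; avoids the GNU-only stat -c '%a')
mode_of() {
    ls -ld "$1" | cut -c 2-10
}

# chmod_and_read OCTAL -> the symbolic mode a scratch file has after
# "chmod OCTAL", so the table above can be verified against the real system
chmod_and_read() {
    scratch=$(mktemp) || return 1
    chmod "$1" "$scratch" && mode_of "$scratch"
    rm -f "$scratch"
}

# Demonstration when run directly: the three modes from the examples above
for m in 755 644 700; do
    printf '%s -> %s (round trip: %s)\n' "$m" "$(octal_to_sym "$m")" \
        "$(sym_to_octal "$(octal_to_sym "$m")")"
done
```

sym_to_octal rejects a character in the wrong slot (for example "w" where only "r" may appear), which catches the common mistake of reading a triple in the wrong order; chmod_and_read shows that the digit you pass to chmod is exactly what ls -l reports back.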

chown and chgrp

Change file owner:

chown newowner file
chown newowner:newgroup file
chown -R owner directory

Change file group:

chgrp newgroup file
chgrp -R group directory

Both commands require root privileges; regular users can invoke them via sudo if permitted in sudoers.

Directory Permission Special Cases

For directories, the meaning of r, w, and x differs from regular files:

Read (r) : list the directory’s entries.

Write (w) : create, delete, or rename entries, even if the user does not own the files.

Execute (x) : enter the directory (cd) and access files inside.

Typical scenarios:

chmod 555 dir   # everyone can list and enter, nobody can create, delete, or rename entries
chmod 775 dir   # owner and group can read/write/execute, others can read/execute
chmod 700 dir   # only owner has any permission

Default Permissions and umask

How umask Works

When a new file or directory is created, the system starts with default permissions (666 for files, 777 for directories) and applies the umask to clear bits:

umask          # display current mask, e.g., 0002
umask 0002     # set temporary mask

Examples:

With umask=0002, a new file gets 664 (rw-rw-r--) and a directory gets 775 (rwxrwxr-x).

With umask=022, a new file gets 644 (rw-r--r--) and a directory gets 755 (rwxr-xr-x).
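The following added example (not code from the article) computes the mode a new file or directory will receive for a given umask using the shell's own arithmetic, then confirms the two cases above by creating a file and a directory under that umask in a scratch directory. It also covers a tighter mask (077) that the article does not list, to show that the mask only ever clears bits. The function names and the scratch location from mktemp -d are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the article): compute the mode a new file or
# directory receives for a given umask, then confirm it by creating one
# under that umask in a scratch directory.

# apply_umask BASE MASK -> three-digit octal result.
# BASE is 666 for files or 777 for directories; MASK is the umask value.
# The mask only clears bits, so a file never gains execute from it.
apply_umask() {
    base=$1
    mask=$2
    case "$base$mask" in
        *[!0-7]*|"") echo "apply_umask: octal digits only" >&2; return 1 ;;
    esac
    # a leading 0 makes the shell treat both operands as octal numbers
    printf '%03o\n' $(( 0$base & ~0$mask ))
}

# created_mode KIND MASK -> the nine permission characters of a fresh
# file (KIND=file) or directory (KIND=dir) created under umask MASK
created_mode() {
    kind=$1
    mask=$2
    scratch=$(mktemp -d) || return 1
    # the subshell keeps the umask change from leaking into the caller,
    # just as a shell's umask setting is lost when that shell exits
    (
        umask "$mask"
        if [ "$kind" = dir ]; then
            mkdir "$scratch/probe"
        else
            touch "$scratch/probe"
        fi
    ) || return 1
    ls -ld "$scratch/probe" | cut -c 2-10
    rm -rf "$scratch"
}

# Demonstration when run directly: the two masks from the text plus a
# tighter one that keeps other users out of new files entirely
for mask in 0002 022 077; do
    printf 'umask %s: new file %s, new directory %s\n' "$mask" \
        "$(apply_umask 666 "$mask")" "$(apply_umask 777 "$mask")"
done
```

A mask of 0002 (as set in the persistence examples that follow) makes every new file group-writable, which is what a shared-group working directory wants; on a general-purpose host, 022 or 027 is the safer default because it never hands write access to the group by accident.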

Persisting umask

Temporary changes affect the current shell only. To make them permanent, add the setting to /etc/profile for all users or to ~/.bashrc for a specific user, then source the file.

# Global permanent change
vim /etc/profile   # add: umask 0002
source /etc/profile

# User-specific permanent change
vim ~/.bashrc      # add: umask 0002
source ~/.bashrc

Best Practices for Permission Management

Apply the principle of least privilege: grant only the permissions required for a task.

Avoid direct root usage; use sudo for precise authorization.

Regularly audit permissions to detect over-privileged accounts or files.

Software installation to system directories (e.g., /usr/local) requires sudo.

For collaborative directories, create a shared group, assign the directory to that group, and set chmod 775.

User home directories should be 700 to prevent other users from accessing personal files.

Troubleshooting tips: check ownership and group membership for access issues, ensure execute bits are set for running files, verify directory write permission for deletions, and confirm sudoers entries for sudo problems.
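The audit recommended above can be started with two small checks. The following is an added example (not code from the article) in POSIX sh: one function lists paths under a tree that any user can write to, the other reports home directories whose mode is looser than the 700 the text recommends. Because a real /home cannot be assumed here, build_fixture constructs a scratch tree with one world-writable file and one over-shared home so the run is self-contained; the function names and the sample paths are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): a small permission audit in POSIX sh
# covering two of the best practices above: no world-writable files, and
# home directories locked down to their owner.

# world_writable DIR -> paths under DIR whose "other" class has the write
# bit, one per line. Symlinks are skipped (their mode is meaningless), and
# so are sticky directories such as /tmp, which are world-writable by design.
world_writable() {
    find "$1" ! -type l -perm -002 ! -perm -1000 2>/dev/null | sort
}

# home_mode_issues DIR -> "path mode" for each subdirectory of DIR (a parent
# such as /home) that grants anything at all to group or other
home_mode_issues() {
    for home in "$1"/*/; do
        [ -d "$home" ] || continue
        home=${home%/}
        mode=$(ls -ld "$home" | cut -c 2-10)
        case "$mode" in
            ???------) ;;                              # owner only: fine
            *) printf '%s %s\n' "$home" "$mode" ;;     # anything else: report
        esac
    done
}

# build_fixture -> path to a constructed scratch tree (sample data, not a
# real system) containing one world-writable file and one over-shared home
build_fixture() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/home/alice" "$root/home/bob" "$root/var/tmp"
    chmod 700 "$root/home/alice"               # as recommended: not reported
    chmod 755 "$root/home/bob"                 # readable by everyone: reported
    touch "$root/var/tmp/dropbox.txt"
    chmod 666 "$root/var/tmp/dropbox.txt"      # world-writable: reported
    touch "$root/var/tmp/notes.txt"
    chmod 644 "$root/var/tmp/notes.txt"        # ordinary file: not reported
    printf '%s\n' "$root"
}

# Demonstration when run directly, against the constructed tree
fixture=$(build_fixture)
echo "world-writable under $fixture:"
world_writable "$fixture"
echo "homes not restricted to their owner:"
home_mode_issues "$fixture/home"
rm -rf "$fixture"
```

On a live host, run world_writable against / (expect a long pass over the filesystem) and home_mode_issues against /home. For the shared-group recipe above (group ownership plus chmod 775), it is common practice to also set the setgid bit on the directory, chmod 2775, so that files created inside inherit the directory's group rather than the creator's primary group; and for the sudo troubleshooting tip, sudo -l lists what the current user is allowed to run and visudo -c checks the sudoers syntax without editing it.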

By mastering Linux permission mechanisms, system administrators can construct secure, flexible access control, while ordinary users gain a clear understanding of their operational boundaries, leading to safer and more efficient use of Linux systems.

Written by

Open Source Linux

Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.