Understanding Linux File Permissions, Ownership, ACL, Sudo and Special Attributes
This article explains Linux file and directory permission types, how to view and modify them with commands such as ls, chmod, chown, chgrp, umask, setfacl, sudo, and chattr, and describes special permission bits like SetUID, SetGID, Sticky Bit and immutable attributes.
Linux servers enforce strict permission levels to reduce the risk of accidental operations; understanding file types, permission bits, and how to assign appropriate rights to users and services is essential.
Basic file permissions are listed with ll or ls -l, which shows the file type, permission string, link count, owner, group, size, modification time and name. The seven file types are - (regular file), d (directory), l (symbolic link), b (block device), p (pipe), c (character device) and s (socket).
The permission string is divided into three triads: owner (u), group (g) and others (o). For example:
rwxr-xr-x 5 root root 94 Jun 27 2017 xdg

Here rwx is the owner’s rights, r-x the group’s, and the final r-x the others’.
Changing permissions is done with chmod:

chmod [options] mode filename

Examples:

# touch a.txt
# chmod u+x a.txt    # add execute for owner
# chmod a+x a.txt    # add execute for all
# chmod 755 a.txt    # set numeric mode

Permissions can also be removed by replacing + with -.
Changing ownership uses chown and chgrp:

# chown test123:test123 abc    # change owner and group

Listing with ll shows the updated ownership.
Default permissions are determined by the umask value. The current mask can be displayed:

# umask
0022

When a file is created, the system starts with a maximum mode (666 for files, 777 for directories) and clears every bit that is set in the umask (mode AND NOT umask). For the usual umask of 022 this is the same as subtraction: 666 − 022 yields 644.
Creating a file and a directory demonstrates the defaults:
# touch a.txt
# mkdir dir
# ll
-rw-r--r-- 1 root root 0 May 5 14:31 a.txt
drwxr-xr-x 2 root root 6 May 5 14:31 dir

ACL (Access Control List) provides fine‑grained permissions beyond the traditional owner/group/others model. To check whether the filesystem supports ACL, use df to identify the device, then inspect its mount options or dmesg. ACLs are set with setfacl:

# setfacl -m u:alice:rwx file

Common options are -m (modify), -x (remove), -b (remove all), -d (default) and -R (recursive).
sudo allows a regular user to execute commands with root privileges. The sudoers file is edited with visudo to add entries such as:
# User privilege specification
song ALL=(ALL) NOPASSWD: /sbin/shutdown -r now

After reloading, the user can list the allowed commands with sudo -l and run them without a password.
Special permission bits include SetUID, SetGID and Sticky Bit. SetUID (shown as s in the owner execute position) runs a program with the file owner’s UID; SetGID works similarly for the group; Sticky Bit ( t ) restricts deletion in a directory. They can be set numerically or symbolically:
# chmod 4755 /usr/bin/passwd    # SetUID
# chmod u+s file

Only executable files can have SetUID/SetGID, and only root can assign them. Improper use can create security risks.
Finding all SUID/SGID files on the system:
# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;

chattr manipulates the immutable and append‑only attributes. Example making a file immutable:
# chattr +i aa.txt
# lsattr aa.txt
----i----------- aa.txt

Attempting to delete the file now fails with “operation not permitted”. Adding +i to a directory prevents creation of new files inside it.
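A short Python model of two rules from the sections above, added here as an example (not code from the original article): how the umask is applied to a new file's base mode, and how the SetUID, SetGID and Sticky bits show up in the permission string that ls -l and the find command print. It also covers a case the text does not, a umask of 027 on a file, where the subtraction shortcut gives the wrong answer; the audit heuristics in the last function are my own, not from the article.

```python
import stat

# Constructed example for the umask and special-bit sections above.
# Only standard-library stat constants are used.

def apply_umask(base: int, umask: int) -> int:
    """Default mode for a new file (base 0o666) or directory (base 0o777).

    The kernel clears every bit set in the umask (mode & ~umask).  For
    umask 022 this equals subtraction (666 - 022 = 644), but subtraction
    is wrong when the umask has a bit the base mode lacks: 0o666 with
    umask 027 gives 0o640 here, while 0o666 - 0o027 would be 0o637.
    """
    return base & ~umask & 0o777


def mode_to_string(mode: int) -> str:
    """Render a mode the way ls -l shows it, including SetUID/SetGID/Sticky.

    Lowercase s/t: the special bit sits on an executable slot.
    Uppercase S/T: the special bit is set but execute is not, so it has
    no effect and usually signals a mistake.
    """
    bits = [(stat.S_IRUSR, "r"), (stat.S_IWUSR, "w"), (stat.S_IXUSR, "x"),
            (stat.S_IRGRP, "r"), (stat.S_IWGRP, "w"), (stat.S_IXGRP, "x"),
            (stat.S_IROTH, "r"), (stat.S_IWOTH, "w"), (stat.S_IXOTH, "x")]
    out = [ch if mode & bit else "-" for bit, ch in bits]
    # (index into out, special bit, letter) for owner-x, group-x, other-x
    for pos, special, letter in ((2, stat.S_ISUID, "s"),
                                 (5, stat.S_ISGID, "s"),
                                 (8, stat.S_ISVTX, "t")):
        if mode & special:
            out[pos] = letter if out[pos] == "x" else letter.upper()
    return "".join(out)


def audit_special_bits(mode: int) -> list:
    """Findings worth raising when reviewing the output of the find above."""
    findings = []
    if mode & (stat.S_ISUID | stat.S_ISGID) and mode & stat.S_IWOTH:
        findings.append("setuid/setgid file is world-writable")
    if mode & stat.S_ISUID and not mode & stat.S_IXUSR:
        findings.append("setuid set on a file without owner execute")
    return findings


if __name__ == "__main__":
    print(oct(apply_umask(0o666, 0o022)))      # 0o644
    print(mode_to_string(int("4755", 8)))      # rwsr-xr-x, as on /usr/bin/passwd
    print(audit_special_bits(int("4757", 8)))  # ['setuid/setgid file is world-writable']
```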
Common permission modes summarized:
600 – only the owner (root in the examples above) can read and write.
644 – owner read/write, group and others read only.
755 – owner read/write/execute, group and others read/execute.
These concepts form the foundation for secure and reliable Linux system administration.