Permissions_ownership
Chapter 8: File Permissions and Ownership
Section titled “Chapter 8: File Permissions and Ownership”Comprehensive Linux File Permissions and Access Control
Section titled “Comprehensive Linux File Permissions and Access Control”8.1 Permission Model Overview
Section titled “8.1 Permission Model Overview”Understanding Linux Permissions
Section titled “Understanding Linux Permissions”Linux uses a discretionary access control (DAC) model where each file and directory has:
- Owner: The user who created or owns the file
- Group: A group associated with the file
- Others: Everyone else on the system
┌────────────────────────────────────────────────────────────────────────┐│ LINUX PERMISSION MODEL │├────────────────────────────────────────────────────────────────────────┤│ ││ Each file/directory has: ││ ││ ┌──────────────────────────────────────────────────────────────┐ ││ │ PERMISSIONS │ ││ │ │ ││ │ Owner (u) │ Group (g) │ Others (o) │ ││ │ ┌─────────┐ │ ┌─────────┐ │ ┌─────────┐ │ ││ │ │ r │ w │ x│ │ │ r │ w │ x│ │ │ r │ w │ x│ │ ││ │ └─────────┘ │ └─────────┘ │ └─────────┘ │ ││ │ 4 2 1 │ 4 2 1 │ 4 2 1 │ ││ │ │ │ │ ││ └──────────────────────────────────────────────────────────────┘ ││ ││ Permission Evaluation Order: ││ ││ 1. Is the current user the owner? → Check owner permissions ││ 2. Is the current user's group the → Check group permissions ││ file's group? ││ 3. Otherwise → Check others permissions ││ ││ NOTE: Owner permissions always take precedence if user is owner ││ │└────────────────────────────────────────────────────────────────────────┘Permission Types Explained
Section titled “Permission Types Explained”| Permission | On Files | On Directories |
|---|---|---|
| Read (r) | View file contents (cat, less) | List directory contents (ls) |
| Write (w) | Modify file (vim, echo >>) | Create/delete files in directory |
| Execute (x) | Run as program (./script) | Access directory contents (cd) |
Permission Numeric Values
Section titled “Permission Numeric Values”┌────────────────────────────────────────────────────────────────────────┐│ PERMISSION NUMERIC VALUES │├────────────────────────────────────────────────────────────────────────┤│ ││ Permission Set │ Numeric │ Binary │ Permission String ││ ─────────────────────┼─────────┼────────┼─────────────────── ││ --- │ 0 │ 000 │ No permissions ││ --x │ 1 │ 001 │ Execute only ││ -w- │ 2 │ 010 │ Write only ││ -wx │ 3 │ 011 │ Write + Execute ││ r-- │ 4 │ 100 │ Read only ││ r-x │ 5 │ 101 │ Read + Execute ││ rw- │ 6 │ 110 │ Read + Write ││ rwx │ 7 │ 111 │ Full permissions ││ ││ Common Permission Sets: ││ ││ 755 │ rwxr-xr-x │ Standard for executables/scripts ││ 644 │ rw-r--r-- │ Standard for regular files ││ 600 │ rw------- │ Private files ││ 700 │ rwx------ │ Private directories ││ 777 │ rwxrwxrwx │ World-writable (avoid!) ││ 2755 │ rwxr-sr-x │ SetGID on directory ││ 4755 │ rwsr-xr-x │ SetUID (dangerous!) ││ 1755 │ rwxr-xr-t │ Sticky bit ││ │└────────────────────────────────────────────────────────────────────────┘8.2 chmod - Changing Permissions
Section titled “8.2 chmod - Changing Permissions”Symbolic Mode
Section titled “Symbolic Mode”# Format: [who][operator][permissions]
# WHO:# u = user (owner)# g = group# o = others# a = all (u+g+o)
# OPERATOR:# + = add permission# - = remove permission# = = set exact permission
# PERMISSIONS:# r = read# w = write# x = execute# s = setuid/setgid# t = sticky bit# X = execute only if directory or already executable
# Add permissionschmod u+x script.sh # Add execute for ownerchmod g+rw file.txt # Add read/write for groupchmod o+r file.txt # Add read for otherschmod a+x program # Add execute for allchmod +x script.sh # Same as a+x
# Remove permissionschmod u-x script.sh # Remove execute from ownerchmod go-w file.txt # Remove write from group and otherschmod -r file.txt # Remove read from allchmod o-rwx file.txt # Remove all from others
# Set exact permissionschmod u=rwx file.sh # Set exactly rwx for ownerchmod go=rw file.txt # Set exactly rw for group/otherschmod a=r file.txt # Set exactly r for allchmod = file.txt # Remove all permissions
# Multiple operationschmod u+x,g+rw file.txt # Multiple changes at oncechmod u=rwx,g=rw,o=r file # Different for each
# Copy permissionschmod --reference=file1.txt file2.txtNumeric Mode
Section titled “Numeric Mode”# Using octal numberschmod 644 file.txt # rw-r--r--chmod 755 script.sh # rwxr-xr-xchmod 600 secret.txt # rw-------chmod 700 private_dir # rwx------chmod 777 public # rwxrwxrwx (dangerous!)
# Special permissions with numericchmod 4755 program # SetUID + rwxr-xr-xchmod 2755 directory # SetGID + rwxr-sr-xchmod 1755 directory # Sticky bit + rwxr-xr-tchmod 6755 program # SetUID + SetGID + rwsr-sr-x
# What each digit means:# First digit: special (4=SetUID, 2=SetGID, 1=Sticky)# Second digit: owner permissions# Third digit: group permissions# Fourth digit: others permissionsRecursive Operations
Section titled “Recursive Operations”# Apply to all files in directorychmod -R 755 /path/to/dir
# Only apply to directoriesfind /path -type d -exec chmod 755 {} \;
# Only apply to filesfind /path -type f -exec chmod 644 {} \;
# Combinechmod -R u=rwX,g=rX,o=rX /path# Note: X = execute only for directories or files with existing execute
# Using find with permissionsfind /var/www -type f -exec chmod 644 {} +find /var/www -type d -exec chmod 755 {} +
# Modern approach (faster)chmod -R u+rwX,g+rwX,o=rX /pathPractical Examples
Section titled “Practical Examples”# Web server fileschmod -R 644 /var/www/htmlchmod -R 755 /var/www/cgi-binchmod 644 /var/www/html/index.html
# SSH keyschmod 600 ~/.ssh/id_rsachmod 644 ~/.ssh/id_rsa.pubchmod 700 ~/.ssh
# Shell scriptschmod 755 /usr/local/bin/myscriptchmod +x script.sh
# Configuration fileschmod 600 /etc/myapp/config.confchmod 640 /etc/myapp/app.conf
# Log files (append only)chmod 640 /var/log/app.logchattr +a /var/log/app.log
# Directorieschmod 755 /home/userchmod 700 /home/user/private8.3 chown - Changing Ownership
Section titled “8.3 chown - Changing Ownership”Basic Syntax
Section titled “Basic Syntax”# Change owner onlysudo chown username file.txtsudo chown john file.txt
# Change owner and groupsudo chown username:groupname file.txtsudo chown john:developers file.txt
# Change group onlysudo chown :groupname file.txtsudo chown :developers file.txt
# Same as abovesudo chgrp developers file.txt
# Change owner recursivelysudo chown -R username /path/to/dir
# Change owner and group recursivelysudo chown -R username:groupname /path/to/dirPreserving Ownership
Section titled “Preserving Ownership”# Copy ownership from another filechown --reference=original.txt new.txt
# Preserve ownership during copycp -a source destcp -p source dest
# Use rsync with ownershiprsync -aO source/ dest/User and Group IDs
Section titled “User and Group IDs”# Using numeric IDssudo chown 1000:1000 file.txtsudo chown :1000 file.txt
# Find UID/GID of userid usernameid -u usernameid -g username
# Change using IDsudo chown 1000:1000 file.txtSpecial Cases
Section titled “Special Cases”# Change owner of symbolic link (not target)chown -h user linkname
# Change owner recursively but not follow symlinkschown -HR user /path
# Only change if already owned by specified userchown --from=john mary file.txt
# Change files owned by one user to anotherfind /path -user olduser -exec chown newuser {} \;
# Change group for files owned by specific groupfind /path -group oldgroup -exec chgrp newgroup {} \;8.4 Special Permissions
Section titled “8.4 Special Permissions”SetUID (suid) - 4xxx
Section titled “SetUID (suid) - 4xxx”┌────────────────────────────────────────────────────────────────────────┐│ SETUID PERMISSION │├────────────────────────────────────────────────────────────────────────┤│ ││ What it does: ││ When a file with SetUID is executed, it runs with the permissions ││ of the file's OWNER, not the user running it. ││ ││ Security Implication: ││ - Very powerful, can lead to privilege escalation ││ - Only use when absolutely necessary ││ - Should never have SetUID on shell scripts ││ ││ Examples: ││ - /usr/bin/passwd (4,755) - runs as root to change passwords ││ - /usr/bin/su (4,755) - runs as root to switch users ││ - /usr/bin/mount (4,755) - runs as root to mount filesystems ││ - /usr/bin/umount (4,755) - runs as root to unmount ││ ││ How to identify: ││ ls -l /usr/bin/passwd ││ -rwsr-xr-x 1 root root 68000 Jan 15 10:30 /usr/bin/passwd ││ ^ ││ └── 's' instead of 'x' in owner execute ││ ││ Setting: ││ chmod 4755 program ││ chmod u+s program ││ ││ Removing: ││ chmod 0755 program ││ chmod u-s program ││ │└────────────────────────────────────────────────────────────────────────┘SetGID (sgid) - 2xxx
Section titled “SetGID (sgid) - 2xxx”┌────────────────────────────────────────────────────────────────────────┐│ SETGID PERMISSION │├────────────────────────────────────────────────────────────────────────┤│ ││ On Files: ││ - Runs with permissions of file's GROUP ││ - Similar to SetUID but for group ││ - Rarely used on files ││ ││ On Directories: ││ - New files/dirs inherit the group from the directory ││ - Essential for shared group directories ││ ││ Example: /var/www (web server group) ││ chmod 2775 /var/www ││ chown :www-data /var/www ││ ││ Any file created in /var/www will have www-data group ││ ││ How to identify: ││ ls -ld /var/www ││ drwxrwsr-x 2 root www-data 4096 Jan 15 10:30 /var/www ││ ^ ││ └── 's' instead of 'x' in group execute ││ ││ Setting: ││ chmod 2775 /shared ││ chmod g+s /shared ││ │└────────────────────────────────────────────────────────────────────────┘Sticky Bit - 1xxx
Section titled “Sticky Bit - 1xxx”┌────────────────────────────────────────────────────────────────────────┐│ STICKY BIT │├────────────────────────────────────────────────────────────────────────┤│ ││ What it does: ││ On directories, only the owner (or root) can delete or rename ││ files within that directory, even if others have write permission ││ ││ Use cases: ││ - /tmp (world-writable temp directory) ││ - Shared directories where users can create files ││ - Prevents users from deleting others' files ││ ││ How to identify: ││ ls -ld /tmp ││ drwxrwxrwt 10 root root 4096 Jan 15 10:30 /tmp ││ ^ ││ └── 't' instead of 'x' in others execute ││ ││ Setting: ││ chmod 1777 /tmp ││ chmod +t /tmp ││ ││ Removing: ││ chmod 777 /tmp ││ chmod -t /tmp ││ │└────────────────────────────────────────────────────────────────────────┘8.5 Viewing and Interpreting Permissions
Section titled “8.5 Viewing and Interpreting Permissions”ls -l Output
Section titled “ls -l Output”# Basic outputls -l file.txt-rw-r--r-- 1 john developers 1024 Jan 15 10:30 file.txt
# Breakdown:# - = file type (- = regular, d = directory, l = symlink)# rw- = owner permissions (rw-)# r-- = group permissions (r--)# r-- = other permissions (r--)# 1 = number of hard links# john = owner# developers = group# 1024 = size in bytes# Jan 15 10:30 = modification time# file.txt = filenameFile Type Indicators
Section titled “File Type Indicators”| Character | Type |
|---|---|
- | Regular file |
d | Directory |
l | Symbolic link |
c | Character device |
b | Block device |
p | Named pipe (FIFO) |
s | Socket |
Advanced Viewing
Section titled “Advanced Viewing”# Numeric formatstat -c "%a %n" file.txt# Output: 644 file.txt
# Detailed access control listsgetfacl file.txt
# Show permission in binarypython3 -c "print(f'{644:012b}')"# 110100100
# Show in human readablestat -c "%A (%a) %n" file.txt# -rw-r--r-- (644) file.txt
# Show owner and group numericallystat -c "%U:%G %a %n" file.txt# john:developers 644 file.txt8.6 Access Control Lists (ACL)
Section titled “8.6 Access Control Lists (ACL)”Basic ACL Operations
Section titled “Basic ACL Operations”# Install if neededsudo apt-get install acl
# View ACLgetfacl file.txt
# Set ACL for usersetfacl -m u:john:rw file.txt
# Set ACL for groupsetfacl -m g:developers:rw file.txt
# Set ACL for otherssetfacl -m o::r file.txt
# Remove specific ACLsetfacl -x u:john file.txt
# Remove all ACLssetfacl -b file.txtDefault ACLs
Section titled “Default ACLs”# Default ACL for directory (new files inherit)setfacl -R -m d:u:john:rw /path/to/dir
# Set default for groupssetfacl -R -m d:g:developers:rw /path/to/dir
# View default ACLsgetfacl /path/to/dir
# Remove default ACLsetfacl -k /path/to/dirACL Examples
Section titled “ACL Examples”# Give specific user read/writesetfacl -m u:bob:rw- /shared/file.txt
# Give group read accesssetfacl -m g:team:r-- /shared/file.txt
# Multiple ACLssetfacl -m u:alice:rwx,u:bob:rw-,g:team:r-- file.txt
# Copy ACL from another filegetfacl file1.txt | setfacl -b -f - file2.txt
# Backup and restore ACLsgetfacl -R /path > acl_backup.txtsetfacl -R --restore=acl_backup.txtACL Permission Mask
Section titled “ACL Permission Mask”# The effective permissions are determined by (owner permissions & mask)# Default mask is usually the group permissions
# Set masksetfacl -m m::r file.txt
# View maskgetfacl file.txt | grep mask8.7 umask
Section titled “8.7 umask”Understanding umask
Section titled “Understanding umask”┌────────────────────────────────────────────────────────────────────────┐│ UMASK EXPLAINED │├────────────────────────────────────────────────────────────────────────┤│ ││ umask subtracts from default permissions ││ ││ Default file permissions: 666 (rw-rw-rw-) ││ Default dir permissions: 777 (rwxrwxrwx) ││ ││ umask 022: ││ File: 666 - 022 = 644 (rw-r--r--) ││ Dir: 777 - 022 = 755 (rwxr-xr-x) ││ ││ Common umask values: ││ ┌─────────┬────────────┬────────────┐ ││ │ umask │ File │ Directory │ ││ ├─────────┼────────────┼────────────┤ ││ │ 000 │ 666 │ 777 │ ││ │ 022 │ 644 │ 755 │ (default) ││ │ 027 │ 640 │ 750 │ ││ │ 077 │ 600 │ 700 │ (restrictive) ││ │ 133 │ 644 │ 644 │ ││ └─────────┴────────────┴────────────┘ ││ │└────────────────────────────────────────────────────────────────────────┘Setting umask
Section titled “Setting umask”# View current umaskumask
# Set for current sessionumask 022
# Set in ~/.bashrc or ~/.profileecho "umask 022" >> ~/.bashrc
# Set for all users (system-wide)echo "umask 022" >> /etc/profileecho "umask 022" >> /etc/bash.bashrc
# Set for specific service# In /etc/pam.d/sshdsession optional pam_umask.so umask=00278.8 Secure Permissions Best Practices
Section titled “8.8 Secure Permissions Best Practices”Common Security Mistakes
Section titled “Common Security Mistakes”# DANGEROUS - Never do this!chmod 777 file # Anyone can modify!chmod -R 777 /directory # Huge security hole!chmod +s file # SetUID without understanding
# Safer alternativeschmod 755 /directory # Owner full, others read/executechmod 644 file # Owner rw, others readchmod 600 keyfile # Owner onlyHardening Scripts
Section titled “Hardening Scripts”#!/bin/bash# Web serverchown -R www-data:www-data /var/wwwfind /var/www -type f -exec chmod 644 {} \;find /var/www -type d -exec chmod 755 {} \;
# SSH keyschmod 700 ~/.sshchmod 600 ~/.ssh/*chmod 644 ~/.ssh/*.pub
# Configuration fileschmod 600 /etc/app/config.conf
# Log fileschown -R root:adm /var/log/appfind /var/log/app -type f -exec chmod 640 {} \;File Permission Checklist
Section titled “File Permission Checklist”┌────────────────────────────────────────────────────────────────────────┐│ PERMISSION SECURITY CHECKLIST │├────────────────────────────────────────────────────────────────────────┤│ ││ Files: ││ □ Private keys: 600 (owner only) ││ □ Config files: 640 or 600 ││ □ Scripts: 755 (if executable) or 644 ││ □ Data files: 644 or 600 ││ □ Sensitive data: 600 ││ ││ Directories: ││ □ Private: 700 (owner only) ││ □ Shared: 750 with appropriate group ││ □ Public writable with sticky bit: 1777 ││ ││ Special: ││ □ Avoid SetUID unless absolutely necessary ││ □ Use SetGID for shared group directories ││ □ Use sticky bit on /tmp-like directories ││ ││ Review: ││ □ Regular permission audits ││ □ Check for world-writable files ││ □ Monitor for new SetUID binaries ││ │└────────────────────────────────────────────────────────────────────────┘8.9 Troubleshooting
Section titled “8.9 Troubleshooting”Common Issues
Section titled “Common Issues”# Permission denied errorls -l /path/to/file# Check owner and permissions
# Cannot delete filels -ld /directory# Check directory permissions and sticky bit
# Cannot access directoryls -ld /path# Check execute permission on each parent
# "Operation not permitted" even as rootlsattr file# Check for immutable attribute
# Cannot change permissionsls -l file# Check if file is on NFS with nosuid
# "Too many levels of symbolic links"file link# Check circular linksDebugging Commands
Section titled “Debugging Commands”# Check who owns the filestat file.txt
# Check effective permissions for current usernamei -l /path/to/file
# Check ACLsgetfacl file.txt
# Check attributeslsattr file.txt
# Check process capabilitiesgetpcaps <pid>
# Monitor permission changesinotifywait -m -r -e mode /path &8.10 Interview Questions
Section titled “8.10 Interview Questions”Q1: What is the difference between chmod 755 and chmod 655?
Section titled “Q1: What is the difference between chmod 755 and chmod 655?”Answer:
-
chmod 755: rwxr-xr-x (owner: rwx, group: r-x, others: r-x)- Owner can read, write, execute
- Group and others can read and execute
-
chmod 655: rw-r-xr-x (owner: rw-, group: r-x, others: r-x)- Owner can read and write (not execute)
- Group and others can read and execute
The difference is that 755 allows execute for owner, while 655 does not.
Q2: What does the SetUID bit do and why is it dangerous?
Section titled “Q2: What does the SetUID bit do and why is it dangerous?”Answer: The SetUID (suid) bit makes a program run with the permissions of the file’s owner (usually root), regardless of who executes it.
Danger:
- If the program has vulnerabilities, any user can exploit them with root privileges
- Shell scripts with SetUID are especially dangerous (injection attacks)
- Many privilege escalation exploits target SetUID binaries
Safe examples:
/usr/bin/passwdneeds it to modify /etc/shadow/usr/bin/suneeds it to switch users
Best practice: Avoid SetUID on custom programs; use sudo instead.
Q3: How would you give a user read/write access to a specific file without affecting others?
Section titled “Q3: How would you give a user read/write access to a specific file without affecting others?”Answer:
# Using ACLsetfacl -m u:username:rw- /path/to/file
# Or change ownershipsudo chown username:groupname /path/to/filesudo chmod 640 /path/to/fileACL is more flexible as it doesn’t change the primary owner.
Q4: What is the sticky bit and where is it commonly used?
Section titled “Q4: What is the sticky bit and where is it commonly used?”Answer: The sticky bit on directories prevents users from deleting or renaming files they don’t own, even if they have write permission to the directory.
Common uses:
/tmp- allows anyone to create files but not delete others- Shared directories where users need to create files
Without sticky bit, any user with write access could delete any file in the directory.
Q5: What happens when you set execute permission on a directory?
Section titled “Q5: What happens when you set execute permission on a directory?”Answer: Execute permission on a directory allows:
- Entering (cd) into the directory
- Accessing files within (if you have permission to those files)
- Using the directory as part of a path
Without execute, you cannot access anything inside, even if you have read permission on the files.
Q6: What is the difference between chmod -R and chmod -R?
Section titled “Q6: What is the difference between chmod -R and chmod -R?”Answer:
chmod -R- Applies recursively to all files and directorieschmod -R(capital R) - Same as above but follows symbolic links
Be careful: chmod -R 777 / would be catastrophic!
Use -X (capital X) for safe recursion that only applies execute to directories.
Q7: How do you find all SetUID binaries on your system?
Section titled “Q7: How do you find all SetUID binaries on your system?”Answer:
# Find all SetUID filesfind / -perm /4000 2>/dev/null
# Find SetGID filesfind / -perm /2000 2>/dev/null
# Find bothfind / -perm /6000 2>/dev/null
# More readable outputfind / -perm /4000 -ls 2>/dev/nullQ8: What is the purpose of umask?
Section titled “Q8: What is the purpose of umask?”Answer: umask sets the default permissions for newly created files and directories by masking (subtracting) bits from the default permissions.
- Default file: 666
- Default directory: 777
- umask 022 removes write for group/others
This ensures files aren’t accidentally created with overly permissive access.
Quick Reference
Section titled “Quick Reference”Commands
Section titled “Commands”# Change modechmod 644 file # Numericchmod u+x file # Symbolicchmod -R 755 dir # Recursive
# Change ownerchown user:group file # Owner and groupchown user file # Owner onlychgrp group file # Group only
# Viewls -l file # Detailsstat file # Full infogetfacl file # ACLs
# Special bitschmod u+s file # SetUIDchmod g+s dir # SetGIDchmod +t dir # Sticky bitNumeric Permissions
Section titled “Numeric Permissions”| Octal | Binary | Permission |
|---|---|---|
| 0 | 000 | --- |
| 1 | 001 | —x |
| 2 | 010 | -w- |
| 3 | 011 | -wx |
| 4 | 100 | r— |
| 5 | 101 | r-x |
| 6 | 110 | rw- |
| 7 | 111 | rwx |
Common Values
Section titled “Common Values”| Value | Use Case |
|---|---|
| 600 | Private file |
| 644 | Public file |
| 700 | Private directory |
| 755 | Executable/public dir |
| 775 | Shared group dir |
| 777 | Public writable |
Summary
Section titled “Summary”In this chapter, you learned:
- ✅ Permission model (owner, group, others)
- ✅ chmod numeric and symbolic modes
- ✅ chown and chgrp for ownership
- ✅ Special permissions (SetUID, SetGID, sticky bit)
- ✅ Viewing and interpreting permissions
- ✅ Access Control Lists (ACLs)
- ✅ umask and default permissions
- ✅ Security best practices
- ✅ Troubleshooting common issues
- ✅ Interview questions and answers
Next Chapter
Section titled “Next Chapter”Chapter 9: sudo and Privilege Escalation
Last Updated: February 2026