Post

Understanding File Permissions in Linux

Posted Updated
By Liviu Gelca
4 min read
Understanding File Permissions in Linux

File permissions in Linux are a fundamental concept that ensures security and proper access control. While the basics are often discussed, this post dives deeper into advanced topics to help you master file permissions.

The Basics: A Quick Recap

Every file and directory in Linux has three types of permissions:

  • Read (r): Allows viewing the contents of a file or listing a directory.
  • Write (w): Allows modifying a file or creating/deleting files in a directory.
  • Execute (x): Allows running a file as a program or accessing a directory.

Permissions are assigned to three categories:

  1. Owner: The user who owns the file.
  2. Group: A group of users who share access.
  3. Others: Everyone else.

Permissions are represented in two ways:

  • Symbolic Representation: A string like -rwxr-xr--, where:
    • The first character indicates the file type (- for a regular file, d for a directory, l for a symbolic link, etc.).
    • The next three characters represent the owner’s permissions.
    • The following three represent the group’s permissions.
    • The last three represent others’ permissions.
  • Numeric Representation: A three-digit number like 755, where:
    • Each digit is the sum of 4 (read), 2 (write), and 1 (execute).
    • For example, 7 (4+2+1) means full permissions, 5 (4+1) means read and execute, and 0 means no permissions.

Viewing File Permissions

To view file permissions, use the ls -l command:

1

ls -l

Example output:

1

-rwxr-xr-- 1 user group 1234 Aug 26 12:00 example.txt

This indicates:

  • The file is a regular file (-).
  • The owner has read, write, and execute permissions (rwx).
  • The group has read and execute permissions (r-x).
  • Others have read-only permissions (r--).

Changing Permissions with chmod

The chmod command is used to change file permissions.

Symbolic Mode

You can modify permissions symbolically:

1
2
3

chmod u+x file  # Add execute permission for the owner
chmod g-w file  # Remove write permission for the group
chmod o=r file  # Set read-only permission for others

Numeric Mode

You can also set permissions numerically:

1
2

chmod 755 file  # Owner: rwx, Group: r-x, Others: r-x
chmod 644 file  # Owner: rw-, Group: r--, Others: r--

Advanced Permission Management

1. Special Permission Bits

Linux supports three special permission bits for advanced use cases:

Setuid (Set User ID)

  • When applied to an executable file, the process runs with the file owner’s privileges.
  • Represented as s in the owner’s execute position (e.g., -rwsr-xr-x).

Setgid (Set Group ID)

  • When applied to a directory, new files inherit the directory’s group.
  • Represented as s in the group’s execute position (e.g., -rwxr-sr-x).

Sticky Bit

  • When applied to a directory, only the file owner (or root) can delete or modify files within it.
  • Represented as t in the others’ execute position (e.g., drwxrwxrwt).

Setting Special Bits

Use chmod to set these bits:

1
2
3

chmod u+s file  # Setuid
chmod g+s dir   # Setgid
chmod +t dir    # Sticky bit

Viewing Special Bits

Use ls -l to view special bits:

1

ls -l

2. Access Control Lists (ACLs)

ACLs provide fine-grained control over file permissions, allowing you to specify permissions for multiple users or groups.

Viewing ACLs

1

getfacl file

Setting ACLs

1
2

setfacl -m u:username:rw file  # Grant read and write permissions to a user
setfacl -m g:groupname:r file  # Grant read-only permissions to a group

Removing ACLs

1

setfacl -x u:username file  # Remove a user's ACL entry

Default ACLs

You can set default ACLs for directories:

1

setfacl -d -m u:username:rw dir

3. Default Permissions with umask

The umask command defines the default permissions for new files and directories. It subtracts permissions from the system default (666 for files, 777 for directories).

Viewing Current umask

1

umask

Setting a New umask

1

umask 022  # Default permissions: 755 for directories, 644 for files

Example:

If umask is 022:

  • New files will have permissions 644 (666 - 022).
  • New directories will have permissions 755 (777 - 022).

Symbolic links (ln -s) do not have their own permissions. Instead, they inherit permissions from the target file.

1

ln -s target_file link_name

Example:

1
2

ln -s /etc/passwd mylink
ls -l mylink

Output:

1

lrwxrwxrwx 1 user group 11 Aug 26 12:00 mylink -> /etc/passwd

5. File Attributes

Beyond standard permissions, Linux supports extended file attributes using chattr and lsattr.

Viewing File Attributes

1

lsattr file

Setting Immutable Attribute

1

chattr +i file

The immutable attribute prevents any modification, even by the root user.

Removing Immutable Attribute

1

chattr -i file

Best Practices

  1. Principle of Least Privilege: Assign the minimum permissions necessary to perform a task.
  2. Audit Regularly: Use tools like find to locate files with risky permissions:
    1

     find / -perm /o+w
  3. Use Groups Effectively: Organize users into groups for easier permission management.
  4. Leverage ACLs: For complex scenarios, use ACLs instead of over-complicating group assignments.
  5. Secure Sensitive Files: Use the immutable attribute for critical files:
    1

     chattr +i /etc/passwd

Conclusion

Understanding and managing file permissions is crucial for maintaining a secure and efficient Linux environment. By mastering advanced concepts like special permission bits, ACLs, and file attributes, you can take full control of your system’s security.

Have questions or tips to share? Reach out via any social network and let me know.

Linux, Tutorial
linux permissions security tutorial
This post is licensed under CC BY 4.0 by the author.