Understanding and Managing Linux File Permissions
Linux file permissions govern how users interact with files and directories—determining whether they can view, change, or run them. By carefully assigning permissions, system administrators enhance both security and access control, minimizing the risk of unauthorized access to important data.
This guide provides a practical overview of how to handle file and directory permissions in Linux. You’ll learn how permission modes work and how to apply changes using the chmod and chown commands.
Overview of Linux Permission Types
Permissions in Linux fall into three categories: read, write, and execute (abbreviated as RWX). These modes define the level of interaction allowed for files or directories. Here’s what each means:
- Read (r): Grants visibility into file content or directory listings.
- Write (w): Allows content editing, file creation or deletion, and renaming within a directory.
- Execute (x): Permits running a file or traversing a directory’s structure.
Linux permissions apply to three types of users:
- Owner: The file or directory creator.
- Group: The user group tied to the file or directory.
- Others: All other users on the system.
Note: When a user is both the owner and a group member, the owner’s permission settings take priority. For example, if the owner has only read access, they cannot edit or execute the file—even if the group has full access rights.
To assign group privileges to a user, use the usermod or gpasswd command to add them to the appropriate group.
How Linux Displays Permission Strings
Each file or directory’s permission status is shown as a 10-character string. You can view these permissions by running the following command:
$ ls -l
The output begins with a character that identifies the file type, followed by three sets of three characters each—representing access for the owner, group, and others:
- -: Standard file
- d: Directory
- l: Symbolic link
- b: Block device (e.g., disk drives)
- c: Character device (e.g., terminals)
- p: Named pipe
- s: Socket
- D: Door
The remaining nine characters detail permissions in this order:
- Owner: First three characters
- Group: Middle three characters
- Others: Last three characters
Take the following example:
drwxrw-r-- example.com
Here’s how to interpret it:
- d: Indicates that “example.com” is a directory.
- rwx: The owner has full rights—can read, write, and access the directory.
- rw-: The group can read and write but not execute.
- r--: Others can only view the directory’s contents.
How to Calculate File Permissions in Linux
In Linux, file and directory permissions are represented using binary values. Each permission type is mapped to a specific binary code and numerical value:
Permission | Binary | Value |
---|---|---|
Read (r) | 100 | 4 |
Write (w) | 010 | 2 |
Execute (x) | 001 | 1 |
None (-) | 000 | 0 |
Examples of combined permissions:
- Read + Write: 4 + 2 = 6 (binary: 110, symbol: rw-)
- Read + Execute: 4 + 1 = 5 (binary: 101, symbol: r-x)
- Write + Execute: 2 + 1 = 3 (binary: 011, symbol: -wx)
- All Permissions: 4 + 2 + 1 = 7 (binary: 111, symbol: rwx)
Typical Linux Permission Settings
644 Permission Breakdown
Permission Type | Read (r) | Write (w) | Execute (x) | None (-) | Total Value |
---|---|---|---|---|---|
Owner (u) | 4 | 2 | 0 | 0 | 6 |
Group (g) | 4 | 0 | 0 | 0 | 4 |
Others (o) | 4 | 0 | 0 | 0 | 4 |
With 644 permissions, the owner can read and modify the file, while group members and others are restricted to read-only access.
755 Permission Breakdown
Permission Type | Read (r) | Write (w) | Execute (x) | None (-) | Total Value |
---|---|---|---|---|---|
Owner (u) | 4 | 2 | 1 | 0 | 7 |
Group (g) | 4 | 0 | 1 | 0 | 5 |
Others (o) | 4 | 0 | 1 | 0 | 5 |
Permissions set to 755 give the owner full access, while group and other users can only read and execute the file.
777 Permission Breakdown
Permission Type | Read (r) | Write (w) | Execute (x) | None (-) | Total Value |
---|---|---|---|---|---|
Owner (u) | 4 | 2 | 1 | 0 | 7 |
Group (g) | 4 | 2 | 1 | 0 | 7 |
Others (o) | 4 | 2 | 1 | 0 | 7 |
The 777 setting enables complete access—read, write, and execute—for everyone: owner, group, and others.
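The arithmetic above can be automated. The following is an added example, not part of the original guide: a POSIX shell parser that turns an ls -l permission string into its octal mode. It goes beyond the three-digit cases shown so far by also decoding the s/S and t/T characters covered in the special permissions section later in this guide; triplet_value and sym_to_octal are hypothetical helper names.

```sh
#!/bin/sh
# Added example: ls -l permission string -> four-digit octal mode.
# triplet_value and sym_to_octal are hypothetical helper names.

# triplet_value TRIPLET LOWER UPPER
# Prints "<digit> <special>", e.g. "7 1" for rws. LOWER/UPPER are the
# special-bit letters valid in this position (s/S or t/T).
triplet_value() {
    t=$1; v=0; sp=0
    case $t in r??) v=$((v + 4)) ;; -??) ;; *) return 1 ;; esac
    case $t in ?w?) v=$((v + 2)) ;; ?-?) ;; *) return 1 ;; esac
    case $t in
        ??x) v=$((v + 1)) ;;
        ??-) ;;
        ??"$2") v=$((v + 1)); sp=1 ;;  # lowercase: special bit and execute
        ??"$3") sp=1 ;;                # uppercase: special bit, no execute
        *) return 1 ;;
    esac
    echo "$v $sp"
}

sym_to_octal() {
    s=${1%[.+]}          # GNU ls may append "." (SELinux) or "+" (ACL)
    [ "${#s}" -eq 10 ] || return 1
    p=${s#?}             # drop the file-type character
    u=$(triplet_value "${p%??????}" s S) || return 1
    p=${p#???}
    g=$(triplet_value "${p%???}" s S) || return 1
    o=$(triplet_value "${p#???}" t T) || return 1
    # Leading digit: SUID = 4, SGID = 2, Sticky Bit = 1
    echo "$(( 4 * ${u#* } + 2 * ${g#* } + ${o#* } ))${u% *}${g% *}${o% *}"
}

# Permission strings taken from this guide's sample outputs.
for m in drwxrw-r-- -rwxr-xr-x drwxr-xr-t -rwsr-xr-x -rwxr-sr-x; do
    printf '%s -> %s\n' "$m" "$(sym_to_octal "$m")"
done
```

An uppercase S or T in a listing means the special bit is set but the matching execute bit is not, which usually indicates a misconfiguration.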
Note on Root Access
The root user can bypass all standard permission restrictions. By using sudo when accessing a file or running a command, root privileges are applied, effectively ignoring the set permissions.
How to View Permissions for Files and Directories in Linux
Using the ls -l command in Linux provides a detailed view of a file or directory’s permissions, owner, group, file size, and the last modified timestamp. To display permission details of a directory itself instead of its contents, the -d option can be used.
Follow these steps to check file and directory permissions with the ls command:
Create Sample File and Directory
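Start by creating a test file and directory, such as file.txt and /var/www/html (the -p option creates missing parent directories and does not fail if the directory already exists):
$ touch file.txt && sudo mkdir -p /var/www/html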
Check File Permissions
To review permissions for the file, run the following command:
$ ls -l file.txt
The output might resemble this:
-rwxr-xr-x 1 user group 1024 Jan 1 12:00 file.txt
Explanation of the output:
- -: Indicates that file.txt is a regular file.
- rwx: The owner has read, write, and execute permissions.
- r-x: The group has read and execute permissions.
- r-x: All other users also have read and execute permissions.
Check Directory Permissions
Use the ls -ld command to view permissions for the directory instead of listing its contents:
$ ls -ld /var/www/html
Example output:
drwxr-xr-x 2 user group 4096 Jan 1 12:30 /var/www/html
Explanation of the output:
- d: Shows that /var/www/html is a directory.
- rwx: The owner has full directory access (read, write, and execute).
- r-x: The group has read and execute rights.
- r-x: Other users also have read and execute rights.
How to Modify File and Directory Permissions in Linux
The chmod command is used to change permissions on Linux systems. It supports two modes: numeric and symbolic. Below are step-by-step instructions for using both approaches to adjust file and directory permissions.
chmod Command Syntax
The general format for using the chmod command is as follows:
$ chmod [permissions] [file or directory]
Changing Permissions with Numeric Mode
In numeric mode, permissions are set using a three-digit number, where each digit reflects the permissions for the owner, group, and others. Each digit is calculated by adding values for read (4), write (2), and execute (1):
- Read (r): 4
- Write (w): 2
- Execute (x): 1
- No access (-): 0
Examples:
Set file.txt to permission mode 755:
$ chmod 755 file.txt
This sets the file so that the owner has full access, while group members and other users can read and execute the file.
Set /var/www/html directory to permission mode 755:
$ sudo chmod 755 /var/www/html
This command gives the owner full access to the directory, and read/execute access to the group and others.
Apply permissions recursively to all contents within the directory:
$ sudo chmod -R 755 /var/www/html
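All files and subdirectories under /var/www/html will receive 755 permissions, allowing read and execute access for everyone, while only the owner can modify content. Note that this also marks every regular file in the tree as executable, which static content such as HTML or CSS files does not need.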
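A recursive 755 treats files and directories alike. The following added example, not part of the original guide, builds a constructed web root in a temporary directory and compares chmod -R 755 with setting directories to 755 and regular files to 644; count_exec_files, split_modes and demo are hypothetical helper names.

```sh
#!/bin/sh
# Added example (not from the original guide). All paths are constructed
# inside a temporary directory; helper names are hypothetical.

# count_exec_files DIR: number of regular files with any execute bit set.
count_exec_files() {
    find "$1" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) |
        wc -l | tr -d ' '
}

# split_modes DIR: directories get 755 (traversable by everyone),
# regular files get 644 (readable by everyone, executable by no one).
split_modes() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# demo: prints "<exec files after -R 755> <after split_modes> <dir mode>".
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/css"
    : > "$root/index.html"
    : > "$root/css/site.css"

    chmod -R 755 "$root"                  # the recursive form from the guide
    after_recursive=$(count_exec_files "$root")

    split_modes "$root"                   # per-type modes instead
    after_split=$(count_exec_files "$root")
    dir_mode=$(ls -ld "$root/css" | cut -c1-10)

    rm -rf "$root"
    echo "$after_recursive $after_split $dir_mode"
}

demo
```

Directories keep the execute bit because it controls traversal; only the regular files lose it.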
Changing Permissions with Symbolic Mode
Symbolic mode uses letters to represent permission categories:
- u: File or directory owner
- g: Associated group
- o: Other users
- a: All users (owner, group, and others)
Operators define the action to take:
- +: Add permission
- -: Remove permission
- =: Set exact permission (overwrites existing ones)
Symbolic mode syntax:
$ chmod [userclass][operator][permissions] [filename or directory]
Examples:
Grant the owner full permissions on file.txt:
$ chmod u+rwx file.txt
Remove execute permission from the group on /var/www/html:
$ sudo chmod g-x /var/www/html
Enable read access for all users on file.txt:
$ chmod a+r file.txt
Set the owner’s permissions to read-only:
$ chmod u=r file.txt
Apply read and execute permissions for all users recursively to a directory:
$ sudo chmod -R a+rx /var/www/html
This sets read and execute rights for all users on /var/www/html and its contents.
Modify owner and group permissions simultaneously:
$ chmod ug+rw file.txt
This grants read and write access to both the file owner and group members.
Set various permissions for different user classes in one command:
$ chmod u+rwx,g+w,o+x file.txt
This provides full access to the owner, write access to the group, and execute access to all others for file.txt.
How to Set Special Permissions in Linux: Sticky Bit, SUID, and SGID
Special permission bits—Sticky Bit, Set User ID (SUID), and Set Group ID (SGID)—are essential for managing secure file and directory access in multi-user environments. These permissions allow administrators to enforce additional restrictions beyond standard read, write, and execute modes.
Sticky Bit for Directory Control
The Sticky Bit is applied only to directories. When active, it ensures that only a file’s owner can delete, move, or rename that file within the directory (the directory’s owner and root retain that ability as well). It can be enabled using either symbolic or numeric notation.
To activate the Sticky Bit using symbolic mode, run the following:
$ sudo chmod +t /var/www/html
To enable Sticky Bit along with 755 permissions using numeric mode:
$ sudo chmod 1755 /var/www/html
Explanation:
- 1: Activates the Sticky Bit
- 7: Grants full permissions to the owner
- 5: Grants read and execute permissions to both group and others
To confirm the Sticky Bit is set, check the directory permissions:
$ ls -ld /var/www/html
Sample output:
drwxr-xr-t 2 user group 4096 Jan 1 12:00 /var/www/html
The trailing t confirms the Sticky Bit is active on the directory.
Using SUID to Run Files with Owner Privileges
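SUID allows a file to be executed with the file owner’s privileges, regardless of which user launches it. This is often used for scripts or programs requiring elevated rights.
Note: On Linux, the kernel honors SUID only on binary executables and ignores it on interpreted scripts such as shell scripts; the hello.sh file below serves only to show how the bit is set and displayed.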
Create a sample script file:
$ touch hello.sh
To enable SUID with symbolic mode:
$ chmod u+s hello.sh
To enable SUID using numeric mode:
$ chmod 4755 hello.sh
Explanation:
- 4: Activates the SUID bit
- 7: Owner has read, write, and execute permissions
- 5: Group and others can read and execute
Verify the SUID flag:
$ ls -l hello.sh
Sample output:
-rwsr-xr-x 1 root root 1024 Jan 15 20:43 hello.sh
The s in place of the owner’s execute bit confirms the SUID is active.
Using SGID to Run Files with Group Privileges
SGID allows a file to be executed with the permissions of its group. For directories, files created within will inherit the parent directory’s group ID.
To apply SGID to the hello.sh file:
$ sudo chmod g+s hello.sh
Apply SGID to a directory:
$ sudo chmod g+s /var/www/html
To use numeric mode and apply both SGID and 755 permissions to a file:
$ sudo chmod 2755 hello.sh
Explanation:
- 2: Activates SGID
- 7: Full owner access
- 5: Read and execute access for group and others
Check the script’s permissions to confirm SGID is enabled:
$ ls -l hello.sh
Sample output:
-rwxr-sr-x 1 user group 123456 Jan 1 12:00 hello.sh
The s in the group section indicates the SGID bit is active.
To verify SGID on the /var/www/html directory:
$ ls -ld /var/www/html
Sample output:
drwxr-sr-x 2 user group 4096 Jan 1 12:00 /var/www/html
The group section r-s confirms SGID is active on the directory.
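Because SUID and SGID files run with someone else's privileges, and a world-writable directory without the Sticky Bit lets any user remove other users' files, it is worth checking a tree for these modes. The following is an added example, not part of the original guide; audit_perms and build_sample are hypothetical helper names and the sample tree is constructed in a temporary directory.

```sh
#!/bin/sh
# Added example (not from the original guide): report the special-bit and
# world-writable modes discussed above. Helper names are hypothetical.

# audit_perms DIR: print one tagged line per finding under DIR.
audit_perms() {
    root=$1
    # Files that execute with their owner's or group's privileges.
    find "$root" -xdev -type f -perm -4000 | sed 's/^/SUID /'
    find "$root" -xdev -type f -perm -2000 | sed 's/^/SGID /'
    # World-writable directories lacking the Sticky Bit: any user can
    # delete or rename files that belong to someone else.
    find "$root" -xdev -type d -perm -0002 ! -perm -1000 |
        sed 's/^/WW-DIR-NO-STICKY /'
    # Regular files that every user can modify.
    find "$root" -xdev -type f -perm -0002 | sed 's/^/WW-FILE /'
}

# build_sample: constructed tree with one entry per finding plus two
# entries that must not be reported. Prints the tree's path.
build_sample() {
    d=$(mktemp -d) || return 1
    : > "$d/helper";  chmod 4755 "$d/helper"    # SUID
    : > "$d/notes";   chmod 644  "$d/notes"     # fine
    : > "$d/scratch"; chmod 666  "$d/scratch"   # world-writable file
    mkdir "$d/open" "$d/shared"
    chmod 777  "$d/open"                        # world-writable, no sticky
    chmod 1777 "$d/shared"                      # fine: Sticky Bit set
    echo "$d"
}

d=$(build_sample) && audit_perms "$d"
rm -rf "$d"
```

On a real system, point audit_perms at a mount point and compare the SUID and SGID lines against the list your distribution is expected to ship.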
How to Change File and Directory Ownership in Linux
Use the chown command in Linux to change ownership of files and directories. This command allows you to set or update the user and group assigned to a resource. Follow the steps below to manage ownership permissions on your Linux system.
Basic Syntax of chown
The general format for changing user and group ownership is:
$ chown [options] user:group [filename/directory]
Examples of Changing Ownership
Assign ownership of file.txt to linuxuser without modifying the group ownership:
$ sudo chown linuxuser file.txt
Change only the group ownership of /var/www/html to www-data:
$ sudo chown :www-data /var/www/html
Update both user and group ownership of /var/www/html to www-data:
$ sudo chown www-data:www-data /var/www/html
Apply ownership changes recursively to the directory and all its contents:
$ sudo chown -R www-data:www-data /var/www/html
Copy ownership from an existing directory to another file using the --reference flag:
$ sudo chown --reference=/var/www/html file.txt
Verify Ownership Settings
Check the current ownership for both file.txt and the /var/www/html directory:
$ ls -l file.txt && ls -ld /var/www/html
Example output:
-rwxr-xr-- 1 www-data www-data 1024 Jan 1 12:00 file.txt
drwxr-xr-x 2 www-data www-data 4096 Jan 1 12:30 /var/www/html
Conclusion
By using chmod and chown, you’ve gained control over file and directory access on your Linux machine. Permissions define how users interact with files and directories, whether reading, modifying, or executing. For more advanced options or clarification, consult the manual pages using the following commands:
$ man chown
$ man chmod