File Permissions
File Permissions#
Concepts#
Why Permissions Matter#
Linux is a multi-user operating system. Multiple users can have accounts on the same machine. Permissions control:
- Who can read a file
- Who can modify a file
- Who can run a program
Without permissions, any user could read your private documents, modify system configuration, or delete other users’ files.
Please note that a user does not necessarily need to be a human!
The Permission Model#
Every file and directory has three sets of permissions for three classes of users:
| Class | Abbreviation | Who |
|---|---|---|
| Owner (user) | u |
The user who owns the file |
| Group | g |
Members of the file’s group |
| Others | o |
Everyone else on the system |
Each class has three permission types:
| Permission | Symbol | On Files | On Directories |
|---|---|---|---|
| Read | r |
Can view file contents | Can list directory contents (ls) |
| Write | w |
Can modify file contents | Can create/delete files in the directory |
| Execute | x |
Can run the file as a program | Can enter the directory (cd) |
Reading ls -l Output#
ls -l /etc/hosts
-rw-r--r-- 1 root root 221 Oct 15 12:00 /etc/hosts
Breaking it down:
- rw- r-- r-- 1 root root 221 Oct 15 12:00 /etc/hosts
│ │ │ │ │ │ │ │ │ │
│ │ │ │ │ │ │ │ └─ Timestamp └─ Filename
│ │ │ │ │ │ │ └─ Size in bytes
│ │ │ │ │ │ └─ Group owner
│ │ │ │ │ └─ User owner
│ │ │ │ └─ Hard link count
│ │ │ └─ Others: r-- (read only)
│ │ └─ Group: r-- (read only)
│ └─ Owner: rw- (read and write)
└─ File type: - (regular file), d (directory), l (symlink)
The permission string is always 10 characters:
| Position | Meaning |
|---|---|
| 1 | File type: - regular, d directory, l symlink, c char device, b block device |
| 2-4 | Owner permissions: rwx |
| 5-7 | Group permissions: rwx |
| 8-10 | Others permissions: rwx |
A - in a permission slot means that permission is denied.
Common Permission Patterns#
-rw-r--r-- Owner can read/write. Group and others can only read.
-rwxr-xr-x Owner can read/write/execute. Group and others can read/execute.
-rw------- Owner can read/write. Nobody else has any access.
drwxr-xr-x Directory: owner full access, group/others can list and enter.
drwx------ Directory: only the owner can list, enter, or modify.
-rwxrwxrwx Everyone can do everything (dangerous — avoid this).
Changing Permissions with chmod#
chmod (change mode) modifies file permissions. There are two syntaxes:
Symbolic Mode#
chmod who±what file
# who: u (user/owner), g (group), o (others), a (all = u+g+o)
# ±: + (add), - (remove), = (set exactly)
# what: r (read), w (write), x (execute)
Examples:
chmod u+x script.sh # Add execute for owner
chmod g+w file.txt # Add write for group
chmod o-r file.txt # Remove read from others
chmod a+r file.txt # Add read for everyone
chmod u=rwx,g=rx,o=r file.txt # Set exact permissions
chmod go-rwx secret.txt # Remove all permissions for group and others
chmod +x script.sh # Add execute for all (shorthand for a+x)
Octal (Numeric) Mode#
Each permission has a numeric value:
| Permission | Value |
|---|---|
| Read (r) | 4 |
| Write (w) | 2 |
| Execute (x) | 1 |
| None (-) | 0 |
Add the values for each class to get a three-digit number:
rwx = 4+2+1 = 7
rw- = 4+2+0 = 6
r-x = 4+0+1 = 5
r-- = 4+0+0 = 4
--- = 0+0+0 = 0
Examples:
| Octal | Symbolic | Meaning |
|---|---|---|
755 |
rwxr-xr-x |
Owner: full. Group/others: read and execute. |
644 |
rw-r--r-- |
Owner: read/write. Group/others: read only. |
700 |
rwx------ |
Owner: full. Nobody else has any access. |
600 |
rw------- |
Owner: read/write. Nobody else. |
777 |
rwxrwxrwx |
Everyone: full. (Avoid this.) |
750 |
rwxr-x--- |
Owner: full. Group: read/execute. Others: none. |
chmod 755 script.sh # rwxr-xr-x
chmod 644 document.txt # rw-r--r--
chmod 600 private.key # rw-------
chmod 700 ~/secret_dir # rwx------
Both syntaxes achieve the same result. Octal is faster to type; symbolic is more self-documenting. There is no right way to do it.
Changing Ownership with chown and chgrp#
chown — Change Owner (and optionally Group)#
sudo chown alice file.txt # change owner to alice
sudo chown alice:developers file.txt # change owner to alice, group to developers
sudo chown :developers file.txt # change only the group
sudo chown -R alice:developers dir/ # recursive (all files in dir/)
chown requires sudo because only root can change a file’s owner.
chgrp — Change Group Only#
sudo chgrp developers file.txt
sudo chgrp -R developers dir/ # recursive
You can also change the group without sudo if you are a member of the target group.
Directory Permissions — The Tricky Part#
Directory permissions work differently from file permissions:
| Permission | On a File | On a Directory |
|---|---|---|
r |
Read file contents | List files (ls) |
w |
Modify file contents | Create, rename, or delete files in the directory |
x |
Execute as a program | Enter the directory (cd) and access files in it |
Key insight: to access a file, you need x on every directory in the path.
Example: to read /home/kmiguel/Documents/report.txt, you need:
xon/homexon/home/kmiguelxon/home/kmiguel/Documentsronreport.txt
Another key insight: w on a directory lets you delete files in it, even if you do not own those files. This is why the sticky bit exists (covered in the next lesson).
Default Permissions: umask#
When you create a file or directory, the permissions are determined by the umask — a mask that removes permissions from the default.
- Default for files:
666(rw-rw-rw-) - Default for directories:
777(rwxrwxrwx) - The umask is subtracted from these defaults.
# Check your current umask
umask
# Common output: 0022
# With umask 0022:
# Files: 666 - 022 = 644 (rw-r--r--)
# Directories: 777 - 022 = 755 (rwxr-xr-x)
# Set a more restrictive umask
umask 0077
# Files: 666 - 077 = 600 (rw-------)
# Directories: 777 - 077 = 700 (rwx------)
The umask is set in your shell profile (.bashrc or /etc/profile).
Lab#
Exercise 1: Read Permissions#
mkdir -p ~/lab/permissions
cd ~/lab/permissions
# Create files with different permissions
touch public.txt private.txt shared.txt
# View current permissions
ls -la
# Check the numeric equivalent
stat -c "%a %n" public.txt private.txt shared.txt
# %a = octal permissions, %n = filename
Exercise 2: Change Permissions with Symbolic Mode#
# Make a file private (owner only)
chmod go-rwx private.txt
ls -l private.txt
# -rw-------
# Make a file readable by everyone
chmod a+r public.txt
ls -l public.txt
# -rw-r--r--
# Make a file writable by the group
chmod g+w shared.txt
ls -l shared.txt
# -rw-rw-r--
# Create a script and make it executable
echo '#!/bin/bash' > hello.sh
echo 'echo "Hello from the script!"' >> hello.sh
chmod u+x hello.sh
ls -l hello.sh
# -rwxr--r--
# Run it
./hello.sh
Exercise 3: Change Permissions with Octal Mode#
# Set exact permissions using octal
chmod 600 private.txt
stat -c "%a %A %n" private.txt
# 600 -rw------- private.txt
chmod 755 hello.sh
stat -c "%a %A %n" hello.sh
# 755 -rwxr-xr-x hello.sh
chmod 644 public.txt
stat -c "%a %A %n" public.txt
# 644 -rw-r--r-- public.txt
Exercise 4: Directory Permissions#
# Create a test directory
mkdir testdir
echo "secret" > testdir/secret.txt
# Remove execute from the directory
chmod -x testdir
# Try to enter it
cd testdir
# Permission denied!
# Try to list it (read still works)
ls testdir
# May show filenames but not details
# Restore execute
chmod +x testdir
cd testdir
# Works now
cd ..
# Remove read from the directory
chmod -r testdir
# Try to list it
ls testdir
# Permission denied — cannot list contents
# But you can still access a file if you know the name
cat testdir/secret.txt
# Works! (because you have x on the directory)
# Restore everything
chmod 755 testdir
Exercise 5: chown and chgrp#
# See current ownership
ls -l public.txt
# Try to change owner without sudo (fails)
chown root public.txt
# Operation not permitted
# Change owner with sudo
sudo chown root public.txt
ls -l public.txt
# Now owned by root
# Change it back to yourself
sudo chown $(whoami) public.txt
# See what groups you belong to
groups
id
# Change group
sudo chgrp root shared.txt
ls -l shared.txt
Exercise 6: Understand umask#
# Check your current umask
umask
# Create a file and directory — observe default permissions
touch default_file.txt
mkdir default_dir
ls -l default_file.txt
ls -ld default_dir
# Change umask temporarily
umask 0077
touch restricted_file.txt
mkdir restricted_dir
ls -l restricted_file.txt
ls -ld restricted_dir
# Much more restrictive permissions!
# Reset umask
umask 0022
# Clean up
cd ~
rm -rf ~/lab/permissions
Review#
1. What are the three permission types and what do they mean for files?
- Read (r): Can view the file’s contents.
- Write (w): Can modify the file’s contents.
- Execute (x): Can run the file as a program or script.
2. What do read, write, and execute mean for directories?
- Read (r): Can list the directory’s contents (
ls). - Write (w): Can create, rename, or delete files within the directory.
- Execute (x): Can enter the directory (
cd) and access files within it.
3. What does the permission string `-rwxr-xr--` mean?
Regular file (-). Owner: read, write, execute (rwx). Group: read and execute (r-x). Others: read only (r--). Octal: 754.
4. What is the octal representation of `rw-r-----`?
Owner: rw- = 4+2+0 = 6. Group: r– = 4+0+0 = 4. Others: — = 0. Octal: 640.
5. Why does `chown` require `sudo`?
Only the root user can change a file’s owner. This prevents users from “giving away” files to other users, which could be used to bypass disk quotas or create security issues.
6. What is the umask and how does it work?
The umask is a mask that is subtracted from the default permissions when creating new files (default 666) or directories (default 777). For example, a umask of 022 results in files created with 644 and directories with 755.
7. Why do you need `x` permission on a directory to access files inside it?
The x (execute) permission on a directory means “can traverse” — it allows you to enter the directory and access its contents by name. Without x, you cannot cd into the directory or access any files in it, even if you have r on the directory and r on the files.
Previous: Paths, Links, and Inodes | Next: Special Permissions