Control Access to Files with Linux File System Permissions:

Linux is a multi-user system and therefore directories and files inside a Linux computer need to
be protected from unauthorized use. Linux file access permissions are used to control who is
able to read, write and execute a certain file. Access permissions are implemented at a file level
with the appropriate permission set based on the file owner, the group owner of the file and
other access. In Linux, directories and device are also files and therefore the file permissions
apply on a directory and devices level as well, although some permissions are applied
differently depending upon whether the file is a regular file, directory or device. The access
permission design allows a good amount of flexibility in what permissions can be applied.

There are three categories of permissions which apply: read, write, and execute. These
permissions affect access to files and directories. The permissions can be assigned in octal
notation or in the more easily recognized character or symbolic format.
Abbreviation Description
r (Read) Permission to read a file.
Permission to read a directory (also requires "x")
w (Write) Permission to delete or modify a file.
Permission to delete or modify files in a directory
x (Execute) Permission to execute a file/script.
Permission to read a directory (also requires "r")

To View file and directory permissions and ownership use - l option of the ls command will
expand the file listing to include both the permissions of a file and the ownership.
# ls -l

1 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , Mobile# +966-564303717

 File Type:
Code Object Type Example
- Regular file Text file, Images
d Directory Text files, Folders
l Symbolic link Linked Files or Folder
c Character special device Terminal, tty
b Block special device Hard Disk
p FIFO
s Socket
Path to check all these File Type run this command: # ls -l /etc/dev

Changing Permission by Symbolic Method:

The symbolic method of changing file permissions uses letters to represent the different groups
of permissions: u for user, g for group, o for other, and a for all. Use three symbols: + to add
permissions to a set, - to remove permissions from a set, and = to replace the entire set for a
group of permissions.
Symbolic Method:
Abbreviation Description Abbreviation Description
u User access + Add access
g Group access - Remove access
o Other system user's access = Access explicitly assigned
A Equivalent to "ugo", for all

Description Abbreviation Octal Code Binary Code

No permission --- 0 000
Read access r-- 4 100
Write permission -w- 2 010
Execute script --x 1 001
Read and Write rw - 6 110
Read and Execute r-x 5 101
Write and Execute - wx 3 011
Read, Write and Execute rwx 7 111

Chmod Command:
The chmod command stands for "Change Mode", and allows changing permissions of files and
f1olders using symbolic or numeric format. Using this command, to set permissions (read,
write, execute) on a file and directory for the owner, group and other. Below table show
changing permission using Symbolic Method and Numerical Method.

2 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , Mobile# +966-564303717

 User User Group Group Other Other All All
Permission Permission Permission Permission
u+r Read g+r Read o+r Read a+r Read
Permission Permission Permission Permission
to User to Group to Other to All
u+w Writ g+w Writ o+w Writ a+w Writ
Permission Permission Permission Permission
u+x Execute g+x Execute o+x Execute a+x Execute
Permission Permission Permission Permission
u+rw Read & g+rw Read & o+rw Read & a+rw Read &
Write Write Write Write
Permission Permission Permission Permission
u+rx Read & g+rx Read & o+rx Read & a+rx Read &
Execute Execute Execute Execute
Permission Permission Permission Permission
u+rwx Read, Write g+rwx Read, o+rwx Read, a+rwx Read, Write
& Execute Write & Write & & Execute
Permission Execute Execute Permission
Permission Permission
u-r Remove g-r Remove o-r Remove a-r Remove
Read Read Read Read
Permission Permission Permission Permission
u-w Remove g-w Remove o-w Remove a-w Remove
Write Write Write Write
Permission Permission Permission Permission
u-x Remove g-x Remove o-x Remove a-x Remove
Execute Execute Execute Execute
Permission Permission Permission Permission
u-rw Remove g-rw Remove o-rw Remove a-rw Remove
Read & Read & Read & Read &
Write Write Write Write
Permission Permission Permission Permission
u-rx Remove g-rx Remove o-rx Remove a-rx Remove
Read & Read & Read & Read &
Execute Execute Execute Execute
Permission Permission Permission Permission
u-rwx Remove All g-rwx Remove All o-rwx Remove All a-rwx Remove All
Permission Permission Permission Permission

3 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , Mobile# +966-564303717

 Symbolic Method to Change Permission:
Commands Description
# chmod u+w filename Providing write access to a user
# chmod g+w filename Adding write permissions to a group
# chmod o+x filename Adding executable permissions to others
# chmod a+wx filename Adding executable and write permissions to all
# chmod u=g filename Replicating user permissions to a group
# chmod u-x filename Removing execute permissions to a user
# chmod o+x Adding execute permissions to others
# chmod u=rw Providing read and write access to a user
$ chmod u+r,g+x filename Provide read access to user & executable to group
$ chmod u-rx filename Remove read and write permission from user
$ chmod u+rwx ,g+rw,o+r file Provide read, write & execute to user, read & write to
group and read only to other.
$ chmod ugo+rwx filename Adding read, write and execute to everyone
$ chmod a+rwx filename Adding read, write and execute to everyone
$ chmod -R a+rwx directory Add read, write & execute to all directories

Changing Permission by Numerical Method:

Using numbers is another method which allows you to edit the permissions for all three owner,
group, and others at the same time. A numeric mode is from one to four octal digits, derived by
adding up the bits with values 4, 2, and 1. Omitted digits are assumed to be leading zeros. The
single octal digit represents the three symbolic letters using a numeric weighting scheme.
Description Abbreviation Octal Code Binary Code
No permission --- 0 000
Read access r-- 4 100
Write permission -w- 2 010
Execute script --x 1 001
Read and Write rw - 6 110
Read and Execute r-x 5 101
Write and Execute - wx 3 011
Read, Write and Execute rwx 7 111

Numerical Method to Change Permission:

Commands Description
# chmod 600 filename Owner can read and write
# chmod 700 filename Owner can read, write and execute
# chmod 666 filename All can read and write
# chmod 777 filename All can read, write and execute
# chmod 644 filename Owner can read & write the group & others can read only

4 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , Mobile# +966-564303717

Chown Command:
The chown command stands for "Change Owner", and allows changing the owner of a given file
or folder, which can be a user and a group. Chown command is used to change ownership as
well as group name associated to different one, whereas chgrp can change only group
associated to it.
Commands Description
# chown root filename Change the owner of a file
# chown :new-group filename Change the group of a file
# chown new-owner: new-group filename Change both owner and the group
# chown -R new-owner directory Change the owner off all contents inside

Chgrp Command:
Chgrp (Change Group) is a command which is useful to change group associated to a file or
folder from one group to other in a Linux. This is sister command to chown which is used to
change owner of the file or folder as well as group name associated with that file.
Commands Description
# chgrp new-group filename Change the group name
# chgrp -R new-group folder Change the group name of all contents inside

Umask:
UMASK (User Mask or User file creation Mask) is the default permission given when a new file
or folder is created. The default umask 002 used for normal user. With this mask default
directory permissions are 775 and default file permissions are 664. The default umask for the
root user is 022 results into default directory permissions are 755 and default file permissions
are 644. The minimum and maximum UMASK value for a folder is 000 and 777. The minimum
and maximum UMASK value for a file is 000 and 666. The file has 666 because only scripts and
binaries should have executed permissions, normal and regular files should have just read and
write permissions. Directories require execute permissions for viewing the contents in it, so
they can have 777 permissions. Simply subtract the umask from the default permissions to
determine the final permission for file: 666 – 002 = 664: Simply subtract the umask from the
default permissions to determine the final permission for directory:777 – 002 = 775:
Commands Description
# umask Show the default UMASK in octal notation
# umask -S Show the default UMASK in symbolic notation
# umask 022 To change default Umask value numerical value
# umask -S u=r, g=r, o= To change default Umask value symbolic value
# vi /etc/profile Change default UMASK for all new users
$ vi ~/.bashrc Change default UMASK for existing users
$ umask u=rwx, g=,o= To change default Umask value symbolic value

5 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , Mobile# +966-564303717

Special Permissions:
There will be times when the standard ugo and rwx permissions don’t provide enough flexibility
to allow a group of people to work collaboratively. That’s why another set of permissions,
called “Special Permissions” are available. There are three special permissions that can be
assigned to a file or directory apart from basic file permissions (RWX). With the help of
“chmod” command we can implement the special permissions or advanced permission on file
and directories. SUID – Set User ID, SGID – Set Group ID and Sticky Bit.

Permission Files Directories

Set User ID (SUID) Run executable files as owner N/A
Set Group ID (SGID) Run executable files as group Inherits Group ownership to all newly
owner created items
Sticky bit N/A Delete files only if owner

Set User ID (SUID):

This permission only makes sense if you apply it to a file that is an executable (shell script). You
can apply this permission with chmod command and the “s” value: chmod u+s testscript.sh
The “s” under the user’s permission means that if an “other” runs this script, then the script will
run with the same level of privileges as whoever is the owner of this file. For example, the suid
permission on the passwd command makes it possible for a normal user to change passwords
by updating few system files like /etc/passwd and /etc/shadow which can’t be updated by
non-root accounts. Therefore, passwd command always run with root user rights.

Set Group ID (SGID):

This is a special permission that can be applied to files and folder. You can apply SGID
permission to a file using chmod along with the “s” value being attached to the group setting:
chmod g+s testscript.sh. It is being run as if run by one of the group’s member.
SGID can also be used on a directory so that every file created in that directory will have the
directory group owner rather than the group owner of the user creating the file.

Sticky Bit:
If Sticky bit is applied on a file or directory, then only root and owner of that file or directory
can delete it. Even if other users are having full permissions they cannot delete the file or
directory. chmod o+t folder. “T”, which means sticky bit has been applied. The sticky bit is
primarily used on shared directories.

6 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , Mobile# +966-564303717

 Permission Symbolic Form Numeric Form Syntax
SETUID s or S 4 #chmod u+s or #chmod 4766
SETGID s or S 2 #chmod g+s or #chmod 2766
STICKYBIT t or T 1 #chmod o+t or #chmod 1766
Where s=setuid + execute permission and S= setuid only. Same is for SGID where s=setgid +
execute permission and S=setgid only. In Stickybit small t=stickybit + execute permission and
T=stickybit only.

Permissions Meaning
--S------ SUID is set, but user (owner) execute is not set.
--s------ SUID and user execute are both set.
-----S--- SGID is set, but group execute is not set.
-----s--- SGID and group execute are both set.
--------T Sticky bit is set, but other execute is not set.
--------t Sticky bit and other execute are both set.

7 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , Mobile# +966-564303717