Back to Articles
Linux

Linux File Permissions and Access Control: Securing Your Filesystem

Understanding Standard Permissions, Special Bits, ACLs, and File Attributes

Alex Lux2023-11-248 min read
LinuxFile PermissionsACLSecuritychmodchown
Linux File Permissions and Access Control: Securing Your Filesystem
Use this link for review flash cards

Linux File Permissions and Access Control: Securing Your Filesystem

File permissions are fundamental to Linux security, controlling who can read, write, and execute files and directories. Understanding standard UNIX permissions, special permission bits, Access Control Lists (ACLs), and file attributes is essential for securing your filesystem. This comprehensive guide covers all aspects of Linux file permissions.

Understanding Permission Types

Linux uses three basic permission types:

  • Read (r): Numeric value 4

    • For files: View file contents
    • For directories: List directory contents
  • Write (w): Numeric value 2

    • For files: Modify file contents
    • For directories: Create, delete, or rename files
  • Execute (x): Numeric value 1

    • For files: Run the file as a program
    • For directories: Access (cd into) the directory

Permission Representation

Numeric Format

Permissions are represented as octal numbers (0-7):

  • 0: No permissions (---)
  • 1: Execute only (--x)
  • 2: Write only (-w-)
  • 3: Write and execute (-wx)
  • 4: Read only (r--)
  • 5: Read and execute (r-x)
  • 6: Read and write (rw-)
  • 7: Read, write, and execute (rwx)

Symbolic Format

Permissions are represented as rwxrwxrwx:

  • First three: Owner permissions
  • Middle three: Group permissions
  • Last three: Others permissions

Complete Permission Format

Symbolic: rwxrwxrwx Numeric: 777

  • Owner: rwx (read, write, execute)
  • Group: rwx (read, write, execute)
  • Others: rwx (read, write, execute)

Managing File Permissions

chmod - Change File Permissions

Basic Syntax: chmod [options] <permissions> <file>

Common Options:

  • -R: Recursively change permissions
  • -c: Display changes made
  • -f: Suppress error messages
  • -v: Verbose output

Numeric Method:

# Set permissions to 755 (rwxr-xr-x)
chmod 755 file.txt

# Set permissions to 644 (rw-r--r--)
chmod 644 file.txt

# Recursively set permissions
chmod -R 755 directory/

Symbolic Method:

# Add execute permission for owner
chmod u+x file.txt

# Remove write permission for group
chmod g-w file.txt

# Set read and write for others
chmod o=rw file.txt

# Add execute for all
chmod +x file.txt

# Set specific permissions
chmod u=rwx,g=rx,o=r file.txt

chown - Change File Owner

Basic Syntax: chown [options] <owner>[:group] <file>

Common Options:

  • -R: Recursively change ownership
  • -c: Display changes made
  • -f: Suppress error messages
  • -v: Verbose output

Examples:

# Change owner
chown alex file.txt

# Change owner and group
chown alex:developers file.txt

# Change only group (using colon)
chown :developers file.txt

# Recursively change ownership
chown -R alex:developers directory/

chgrp - Change Group Ownership

Basic Syntax: chgrp [options] <group> <file>

Common Options:

  • -R: Recursively change group
  • -c: Display changes made
  • -f: Suppress error messages
  • -v: Verbose output

Examples:

# Change group
chgrp developers file.txt

# Recursively change group
chgrp -R developers directory/

Viewing File Permissions

ls -l - List Files with Permissions

Basic Usage:

ls -l
# Output: -rwxr-xr-x 1 alex developers 1024 Nov 24 10:00 file.txt

Permission String Breakdown:

  • First character: File type (- = regular file, d = directory, l = symlink)
  • Next 9 characters: Permissions (owner, group, others)
  • Next: Number of hard links
  • Next: Owner name
  • Next: Group name
  • Next: File size
  • Next: Date and time
  • Last: Filename

Special Permissions

Setuid (s) - Set User ID

Purpose: Execute a file with the owner's permissions, regardless of who runs it.

Setting Setuid:

chmod +s file
# Or numerically:
chmod 4755 file  # 4 = setuid bit

Example:

# Owner: rws (s replaces x)
# Group: r-x
# Others: r-x
chmod u+s /usr/bin/passwd

Security Note: Use setuid carefully. It can be a security risk if misconfigured.

Setgid (s) - Set Group ID

Purpose: Execute a file with the group's permissions, or create files with the group ownership in directories.

Setting Setgid:

chmod g+s file
# Or numerically:
chmod 2755 file  # 2 = setgid bit

Example:

# Owner: rwx
# Group: rws (s replaces x)
# Others: r-x
chmod g+s /usr/bin/write

Setgid on Directories:

  • Files created in the directory inherit the directory's group
  • Useful for shared directories where multiple users need to collaborate

Sticky Bit (t) - Prevent Deletion

Purpose: Prevents users from deleting files in a directory (except the owner).

Setting Sticky Bit:

chmod +t directory
# Or numerically:
chmod 1777 directory  # 1 = sticky bit

Example:

# Common on /tmp directory
chmod +t /tmp
# Permissions: drwxrwxrwt

Use Cases:

  • /tmp directory: Users can create files but only delete their own
  • Shared directories: Prevent accidental deletion of others' files

Immutable Flag with chattr

The immutable flag prevents file modification, even by root.

chattr - Change File Attributes

Setting Immutable Flag:

# Make file immutable
chattr +i file.txt

# Remove immutable flag
chattr -i file.txt

lsattr - List File Attributes

Viewing Attributes:

# List attributes
lsattr file.txt

# List all files with attributes
lsattr -a

# List directories with attributes
lsattr -d

# Recursively list attributes
lsattr -R

# Verbose mode
lsattr -v

Common Attributes:

  • i: Immutable (cannot be modified or deleted)
  • a: Append-only (can only append data)
  • A: No atime updates (access time not updated)
  • c: Compressed (transparent compression)
  • s: Secure deletion (overwrite with zeros before deletion)

Access Control Lists (ACLs)

ACLs provide finer-grained access control than standard UNIX permissions.

getfacl - Get File Access Control List

Basic Usage:

# Display ACL for a file
getfacl file.txt

# Recursively display ACLs
getfacl -R directory/

# Check ACLs
getfacl -c file.txt

# Verbose mode
getfacl -v file.txt

Example Output:

# file: file.txt
# owner: alex
# group: developers
user::rw-
user:john:r--
group::r--
mask::r--
other::---

setfacl - Set File Access Control List

Basic Syntax: setfacl [options] <rule> <file>

Common Options:

  • -m: Modify ACL (add or change)
  • -x: Remove ACL entry
  • -b: Remove all ACL entries
  • -d: Set default ACL
  • -k: Remove default ACL
  • -R: Recursively set ACLs

Setting User Permissions:

# Grant user 'john' read and write access
setfacl -m u:john:rw file.txt

# Grant user read-only access
setfacl -m u:john:r file.txt

Setting Group Permissions:

# Grant group 'qa' read and execute access
setfacl -m g:qa:rx file.txt

Setting Others Permissions:

# Set others to no access
setfacl -m o::--- file.txt

Setting Mask:

# Set effective mask
setfacl -m m:rw file.txt

Removing ACL Entries:

# Remove user ACL
setfacl -x u:john file.txt

# Remove all ACLs
setfacl -b file.txt

Default ACLs (for directories):

# Set default ACL (applies to new files)
setfacl -d -m u:john:rw directory/

# Remove default ACL
setfacl -k directory/

Recursive ACLs:

# Recursively set ACLs
setfacl -R -m u:john:rw directory/

Understanding umask

The umask (user file creation mask) determines default permissions for newly created files and directories.

Default umask

Typical Default: 0022

  • Files: 666 - 022 = 644 (rw-r--r--)
  • Directories: 777 - 022 = 755 (rwxr-xr-x)

Viewing umask

# Display current umask
umask

# Display in symbolic format
umask -S
# Output: u=rwx,g=rx,o=rx

# Display in octal format
umask -p

Setting umask

# Set umask for current session
umask 0022

# Set umask in ~/.bashrc for persistence
echo "umask 0022" >> ~/.bashrc

Common umask Values

  • 0000: No restrictions (666 for files, 777 for directories)
  • 0022: Standard (644 for files, 755 for directories)
  • 0027: More restrictive (640 for files, 750 for directories)
  • 0077: Very restrictive (600 for files, 700 for directories)

Permission Calculation

How Permissions are Calculated

For Files:

  • Default: 666 (rw-rw-rw-)
  • With umask 022: 666 - 022 = 644 (rw-r--r--)

For Directories:

  • Default: 777 (rwxrwxrwx)
  • With umask 022: 777 - 022 = 755 (rwxr-xr-x)

Understanding the Calculation

The umask value is subtracted from the default permissions:

  • umask 022 means: remove write for group and others
  • umask 027 means: remove write for group, remove all for others

Best Practices

Security Considerations

  1. Principle of Least Privilege: Grant minimum necessary permissions
  2. Regular Audits: Periodically review file permissions
  3. Use Groups: Organize users into groups for easier permission management
  4. Avoid World-Writable: Be cautious with 777 or 666 permissions
  5. Protect Sensitive Files: Use 600 or 400 for sensitive files

Permission Guidelines

Files:

  • Executables: 755 (rwxr-xr-x)
  • Configuration files: 644 (rw-r--r--)
  • Sensitive files: 600 (rw-------)
  • Scripts: 755 (rwxr-xr-x)

Directories:

  • User directories: 755 (rwxr-xr-x)
  • Shared directories: 775 (rwxrwxr-x) with setgid
  • Temporary directories: 1777 (rwxrwxrwt) with sticky bit

Special Permission Guidelines

  1. Setuid: Use sparingly, only for trusted executables
  2. Setgid on Directories: Useful for shared project directories
  3. Sticky Bit: Essential for /tmp and other shared writable directories
  4. Immutable Flag: Use for critical system files

Troubleshooting Permission Issues

Common Problems

"Permission Denied" Errors:

  • Check file permissions: ls -l file
  • Verify user ownership: ls -l file
  • Check directory permissions (need execute to access)
  • Review ACLs: getfacl file

Cannot Delete Files:

  • Check directory write permission
  • Verify file ownership
  • Check for immutable flag: lsattr file
  • Review sticky bit on directory

Cannot Execute Scripts:

  • Ensure execute permission: chmod +x script.sh
  • Check shebang line: #!/bin/bash
  • Verify file is not on a noexec filesystem

Diagnostic Commands

# Check permissions
ls -l file

# Check ownership
ls -l file

# Check ACLs
getfacl file

# Check attributes
lsattr file

# Check umask
umask

# Check user groups
groups
id

Real-World Examples

Example 1: Web Server Directory

# Set proper permissions for web directory
chown -R www-data:www-data /var/www/html
chmod -R 755 /var/www/html
chmod 644 /var/www/html/*.html

Example 2: Shared Development Directory

# Create shared directory with setgid
mkdir /shared/project
chgrp developers /shared/project
chmod 2775 /shared/project  # setgid + rwxrwxr-x

Example 3: Secure Configuration File

# Make config file readable only by owner
chmod 600 /etc/myapp/config.conf
chown root:root /etc/myapp/config.conf

Example 4: Using ACLs for Fine-Grained Access

# Grant specific user access without changing group
setfacl -m u:contractor:r-- /sensitive/data
setfacl -m u:contractor:rx /sensitive/

Conclusion

File permissions and access control are fundamental to Linux security. Understanding standard UNIX permissions, special bits, ACLs, and file attributes enables you to secure your filesystem effectively. From basic chmod and chown commands to advanced ACL management, these tools provide the flexibility needed for complex permission scenarios.

By following best practices, using the principle of least privilege, and regularly auditing permissions, you can maintain a secure filesystem while providing necessary access to users and applications. Whether you're securing web servers, managing shared directories, or protecting sensitive files, proper permission management is essential.

In the next article, we'll explore storage management and filesystems, covering partitions, mounting, and filesystem types. Stay tuned!

Related Reading