Linux File Permissions and Access Control: Securing Your Filesystem
File permissions are fundamental to Linux security, controlling who can read, write, and execute files and directories. Understanding standard UNIX permissions, special permission bits, Access Control Lists (ACLs), and file attributes is essential for securing your filesystem. This comprehensive guide covers all aspects of Linux file permissions.
Understanding Permission Types
Linux uses three basic permission types:
Read (r): Numeric value 4
- For files: View file contents
- For directories: List directory contents
Write (w): Numeric value 2
- For files: Modify file contents
- For directories: Create, delete, or rename files
Execute (x): Numeric value 1
- For files: Run the file as a program
- For directories: Access (cd into) the directory
Permission Representation
Numeric Format
Permissions are represented as octal numbers (0-7):
0: No permissions (---)1: Execute only (--x)2: Write only (-w-)3: Write and execute (-wx)4: Read only (r--)5: Read and execute (r-x)6: Read and write (rw-)7: Read, write, and execute (rwx)
Symbolic Format
Permissions are represented as rwxrwxrwx:
- First three: Owner permissions
- Middle three: Group permissions
- Last three: Others permissions
Complete Permission Format
Symbolic: rwxrwxrwx
Numeric: 777
- Owner:
rwx(read, write, execute) - Group:
rwx(read, write, execute) - Others:
rwx(read, write, execute)
Managing File Permissions
chmod - Change File Permissions
Basic Syntax: chmod [options] <permissions> <file>
Common Options:
-R: Recursively change permissions-c: Display changes made-f: Suppress error messages-v: Verbose output
Numeric Method:
# Set permissions to 755 (rwxr-xr-x)
chmod 755 file.txt
# Set permissions to 644 (rw-r--r--)
chmod 644 file.txt
# Recursively set permissions
chmod -R 755 directory/
Symbolic Method:
# Add execute permission for owner
chmod u+x file.txt
# Remove write permission for group
chmod g-w file.txt
# Set read and write for others
chmod o=rw file.txt
# Add execute for all
chmod +x file.txt
# Set specific permissions
chmod u=rwx,g=rx,o=r file.txt
chown - Change File Owner
Basic Syntax: chown [options] <owner>[:group] <file>
Common Options:
-R: Recursively change ownership-c: Display changes made-f: Suppress error messages-v: Verbose output
Examples:
# Change owner
chown alex file.txt
# Change owner and group
chown alex:developers file.txt
# Change only group (using colon)
chown :developers file.txt
# Recursively change ownership
chown -R alex:developers directory/
chgrp - Change Group Ownership
Basic Syntax: chgrp [options] <group> <file>
Common Options:
-R: Recursively change group-c: Display changes made-f: Suppress error messages-v: Verbose output
Examples:
# Change group
chgrp developers file.txt
# Recursively change group
chgrp -R developers directory/
Viewing File Permissions
ls -l - List Files with Permissions
Basic Usage:
ls -l
# Output: -rwxr-xr-x 1 alex developers 1024 Nov 24 10:00 file.txt
Permission String Breakdown:
- First character: File type (
-= regular file,d= directory,l= symlink) - Next 9 characters: Permissions (owner, group, others)
- Next: Number of hard links
- Next: Owner name
- Next: Group name
- Next: File size
- Next: Date and time
- Last: Filename
Special Permissions
Setuid (s) - Set User ID
Purpose: Execute a file with the owner's permissions, regardless of who runs it.
Setting Setuid:
chmod +s file
# Or numerically:
chmod 4755 file # 4 = setuid bit
Example:
# Owner: rws (s replaces x)
# Group: r-x
# Others: r-x
chmod u+s /usr/bin/passwd
Security Note: Use setuid carefully. It can be a security risk if misconfigured.
Setgid (s) - Set Group ID
Purpose: Execute a file with the group's permissions, or create files with the group ownership in directories.
Setting Setgid:
chmod g+s file
# Or numerically:
chmod 2755 file # 2 = setgid bit
Example:
# Owner: rwx
# Group: rws (s replaces x)
# Others: r-x
chmod g+s /usr/bin/write
Setgid on Directories:
- Files created in the directory inherit the directory's group
- Useful for shared directories where multiple users need to collaborate
Sticky Bit (t) - Prevent Deletion
Purpose: Prevents users from deleting files in a directory (except the owner).
Setting Sticky Bit:
chmod +t directory
# Or numerically:
chmod 1777 directory # 1 = sticky bit
Example:
# Common on /tmp directory
chmod +t /tmp
# Permissions: drwxrwxrwt
Use Cases:
/tmpdirectory: Users can create files but only delete their own- Shared directories: Prevent accidental deletion of others' files
Immutable Flag with chattr
The immutable flag prevents file modification, even by root.
chattr - Change File Attributes
Setting Immutable Flag:
# Make file immutable
chattr +i file.txt
# Remove immutable flag
chattr -i file.txt
lsattr - List File Attributes
Viewing Attributes:
# List attributes
lsattr file.txt
# List all files with attributes
lsattr -a
# List directories with attributes
lsattr -d
# Recursively list attributes
lsattr -R
# Verbose mode
lsattr -v
Common Attributes:
i: Immutable (cannot be modified or deleted)a: Append-only (can only append data)A: No atime updates (access time not updated)c: Compressed (transparent compression)s: Secure deletion (overwrite with zeros before deletion)
Access Control Lists (ACLs)
ACLs provide finer-grained access control than standard UNIX permissions.
getfacl - Get File Access Control List
Basic Usage:
# Display ACL for a file
getfacl file.txt
# Recursively display ACLs
getfacl -R directory/
# Check ACLs
getfacl -c file.txt
# Verbose mode
getfacl -v file.txt
Example Output:
# file: file.txt
# owner: alex
# group: developers
user::rw-
user:john:r--
group::r--
mask::r--
other::---
setfacl - Set File Access Control List
Basic Syntax: setfacl [options] <rule> <file>
Common Options:
-m: Modify ACL (add or change)-x: Remove ACL entry-b: Remove all ACL entries-d: Set default ACL-k: Remove default ACL-R: Recursively set ACLs
Setting User Permissions:
# Grant user 'john' read and write access
setfacl -m u:john:rw file.txt
# Grant user read-only access
setfacl -m u:john:r file.txt
Setting Group Permissions:
# Grant group 'qa' read and execute access
setfacl -m g:qa:rx file.txt
Setting Others Permissions:
# Set others to no access
setfacl -m o::--- file.txt
Setting Mask:
# Set effective mask
setfacl -m m:rw file.txt
Removing ACL Entries:
# Remove user ACL
setfacl -x u:john file.txt
# Remove all ACLs
setfacl -b file.txt
Default ACLs (for directories):
# Set default ACL (applies to new files)
setfacl -d -m u:john:rw directory/
# Remove default ACL
setfacl -k directory/
Recursive ACLs:
# Recursively set ACLs
setfacl -R -m u:john:rw directory/
Understanding umask
The umask (user file creation mask) determines default permissions for newly created files and directories.
Default umask
Typical Default: 0022
- Files:
666 - 022 = 644(rw-r--r--) - Directories:
777 - 022 = 755(rwxr-xr-x)
Viewing umask
# Display current umask
umask
# Display in symbolic format
umask -S
# Output: u=rwx,g=rx,o=rx
# Display in octal format
umask -p
Setting umask
# Set umask for current session
umask 0022
# Set umask in ~/.bashrc for persistence
echo "umask 0022" >> ~/.bashrc
Common umask Values
0000: No restrictions (666 for files, 777 for directories)0022: Standard (644 for files, 755 for directories)0027: More restrictive (640 for files, 750 for directories)0077: Very restrictive (600 for files, 700 for directories)
Permission Calculation
How Permissions are Calculated
For Files:
- Default:
666(rw-rw-rw-) - With umask
022:666 - 022 = 644(rw-r--r--)
For Directories:
- Default:
777(rwxrwxrwx) - With umask
022:777 - 022 = 755(rwxr-xr-x)
Understanding the Calculation
The umask value is subtracted from the default permissions:
umask 022means: remove write for group and othersumask 027means: remove write for group, remove all for others
Best Practices
Security Considerations
- Principle of Least Privilege: Grant minimum necessary permissions
- Regular Audits: Periodically review file permissions
- Use Groups: Organize users into groups for easier permission management
- Avoid World-Writable: Be cautious with
777or666permissions - Protect Sensitive Files: Use
600or400for sensitive files
Permission Guidelines
Files:
- Executables:
755(rwxr-xr-x) - Configuration files:
644(rw-r--r--) - Sensitive files:
600(rw-------) - Scripts:
755(rwxr-xr-x)
Directories:
- User directories:
755(rwxr-xr-x) - Shared directories:
775(rwxrwxr-x) with setgid - Temporary directories:
1777(rwxrwxrwt) with sticky bit
Special Permission Guidelines
- Setuid: Use sparingly, only for trusted executables
- Setgid on Directories: Useful for shared project directories
- Sticky Bit: Essential for
/tmpand other shared writable directories - Immutable Flag: Use for critical system files
Troubleshooting Permission Issues
Common Problems
"Permission Denied" Errors:
- Check file permissions:
ls -l file - Verify user ownership:
ls -l file - Check directory permissions (need execute to access)
- Review ACLs:
getfacl file
Cannot Delete Files:
- Check directory write permission
- Verify file ownership
- Check for immutable flag:
lsattr file - Review sticky bit on directory
Cannot Execute Scripts:
- Ensure execute permission:
chmod +x script.sh - Check shebang line:
#!/bin/bash - Verify file is not on a noexec filesystem
Diagnostic Commands
# Check permissions
ls -l file
# Check ownership
ls -l file
# Check ACLs
getfacl file
# Check attributes
lsattr file
# Check umask
umask
# Check user groups
groups
id
Real-World Examples
Example 1: Web Server Directory
# Set proper permissions for web directory
chown -R www-data:www-data /var/www/html
chmod -R 755 /var/www/html
chmod 644 /var/www/html/*.html
Example 2: Shared Development Directory
# Create shared directory with setgid
mkdir /shared/project
chgrp developers /shared/project
chmod 2775 /shared/project # setgid + rwxrwxr-x
Example 3: Secure Configuration File
# Make config file readable only by owner
chmod 600 /etc/myapp/config.conf
chown root:root /etc/myapp/config.conf
Example 4: Using ACLs for Fine-Grained Access
# Grant specific user access without changing group
setfacl -m u:contractor:r-- /sensitive/data
setfacl -m u:contractor:rx /sensitive/
Conclusion
File permissions and access control are fundamental to Linux security. Understanding standard UNIX permissions, special bits, ACLs, and file attributes enables you to secure your filesystem effectively. From basic chmod and chown commands to advanced ACL management, these tools provide the flexibility needed for complex permission scenarios.
By following best practices, using the principle of least privilege, and regularly auditing permissions, you can maintain a secure filesystem while providing necessary access to users and applications. Whether you're securing web servers, managing shared directories, or protecting sensitive files, proper permission management is essential.
In the next article, we'll explore storage management and filesystems, covering partitions, mounting, and filesystem types. Stay tuned!