In Linux, permissions are a fundamental aspect of the operating system’s security model and file management, used to control who can access files and directories and what actions they can perform. Understanding and properly managing these permissions is essential for system administrators, developers, and anyone working with Linux systems.
This tutorial will guide you through the process of setting permissions using the chmod
command (which changes file modes), chown
(which changes file ownership), and chgrp
(which changes group ownership). By mastering these linux commands, you’ll be able to secure your files, implement proper access controls, and prevent unauthorized access to sensitive data on your Linux systems.
Permissions in Linux are represented by three sets of numbers or letters, each corresponding to a different user or group. This hierarchical permission system is a core component of Linux security, allowing fine-grained control over file and directory access.
The three sets are:
For each of these categories, Linux defines three basic permission types:
The string representation of permissions, as displayed by the ls -l
command, is a 10-character string. The first character indicates the file type (e.g., -
for a regular file, d
for a directory, l
for a symbolic link, etc.). The next nine characters are divided into three groups of three characters each, representing the permissions for the user (owner), group, and others, respectively. Each group consists of a combination of the following characters:
r
for read permissionw
for write permissionx
for execute permission-
for no permissionFor example, the string -rwxr-xr--
can be broken down as follows:
-
indicates a regular file.rwx
represent the permissions for the user (owner): read, write, and execute.r-x
represent the permissions for the group: read and execute.r--
represent the permissions for others: read only.Understanding this string representation is essential for managing permissions effectively in Linux systems.
Note: Keep your most commonly used linux commands handy with our 50+ Linux commands cheat sheet.
Linux permissions can also be represented using a numeric (octal) notation, which provides a concise way to specify permissions for all three categories at once:
These values can be added together to create combinations:
For example, the permission chmod 755
sets:
This numeric system makes it efficient to specify complex permission sets with a simple three-digit number.
The table below summarises the different representations and their permissions:
Beyond the basic read, write, and execute permissions, Linux also supports special permissions:
SUID (Set User ID): When applied to an executable file, it runs with the permissions of the file owner rather than the user executing it.
chmod u+s filename
or chmod 4xxx filename
(where xxx represents other permissions)chmod 4755 /usr/bin/passwd
SGID (Set Group ID): When applied to an executable file, it runs with the permissions of the file group. When applied to a directory, new files created within it inherit the directory’s group.
chmod g+s filename
or chmod 2xxx filename
(where xxx represents other permissions)chmod 2775 /shared/project_dir
Sticky Bit: When set on a directory, files within can only be deleted by their owners, the directory owner, or the root user.
chmod +t directory
or chmod 1xxx directory
(where xxx represents other permissions)chmod 1777 /tmp
You can combine these special permissions. For example, to set SGID and sticky bit on a directory: chmod 3775 directory
(3 = 2+1, SGID + sticky bit).
These special permissions add another layer of control and are particularly useful for system files and shared directories.
Use the ls -l
command to view file and directory permissions. The -l
flag stands for “long” and displays detailed information about the file or directory, including its permissions, ownership, size, and modification time.
Use stat
for detailed information about a file or directory. The stat
command provides information about the file system status, including file type, permissions, ownership, and timestamps. You can use the -c
flag to specify the format of the output.
Some common flags for ls
and stat
include:
ls
flags:
-l
(long): Displays detailed information about the file or directory.-a
(all): Includes hidden files and directories in the listing.-d
(directory): Lists only the directory itself, not its contents.stat
flags:
-c
(format): Specifies the format of the output. For example, -c %A
displays the file permissions in human-readable format.-f
(filesystem): Displays information about the file system containing the file, rather than the file itself.-t
(terse): Displays the information in a terse format, suitable for parsing by scripts.Let’s dive into the details of the permission string displayed by the ls -l script.sh
command:
The first character -
indicates that script.sh
is a regular file. If it were a directory, this character would be d
.
The next three characters rwx
represent the permissions for the file owner (user). In this case, the owner has:
r
(read) permission, allowing them to view the file’s contents.w
(write) permission, enabling them to modify the file.x
(execute) permission, allowing them to run the file as a program.The following three characters r-x
represent the permissions for the group that owns the file. In this case, the group has:
r
(read) permission, allowing them to view the file’s contents.x
(execute) permission, enabling them to run the file as a program.w
(write) permission, meaning they cannot modify the file.The final three characters r--
represent the permissions for all other users (others). In this case, others have:
r
(read) permission, allowing them to view the file’s contents.w
(write) or x
(execute) permissions, meaning they cannot modify or run the file.Here is an example screenshot of ls -l
output, with labels of each column of output:
Numeric equivalents:
In Linux, permissions can also be represented using a numeric (octal) notation. This system assigns a value to each permission:
r
(read) = 4w
(write) = 2x
(execute) = 1By adding these values, you can create combinations that represent different permission sets. For example:
rwx
(read, write, execute) = 7 (4+2+1)rw-
(read, write) = 6 (4+2)r--
(read) = 4Using this numeric system, the permission 755
can be broken down as follows:
So, the permission 755
is equivalent to rwxr-xr-x
.
To set permissions using the numeric notation, you can use the chmod
command followed by the numeric value. For example, to set the permission 755
on a file or directory, you would use the command chmod 755 filename
.
chmod
Command: Symbolic and Numeric ModesThe chmod
command is used to change the mode (permissions) of a file or directory. It supports both symbolic and numeric modes.
The following examples demonstrate how to use the chmod
command with numeric mode to set permissions on files and directories:
chmod
UsageThe chmod
command is a powerful tool for managing file and directory permissions in Linux. Here are some examples of how to use chmod
to achieve specific permission settings:
To give a user read-only permission to a file, you can use the numeric mode 400
. This sets the permission to r--
, allowing the owner to read the file but not write or execute it.
To give a user write permission to a folder, you can use the symbolic mode u+w
. This adds write permission for the user (owner) of the folder, allowing them to modify its contents.
To make a script executable, you can use the symbolic mode +x
. This adds execute permission for the user (owner) of the script, allowing them to run it.
These examples demonstrate the flexibility of the chmod
command in managing permissions for different users and use cases.
chown
and chgrp
The chown
and chgrp
commands are essential tools for managing file and directory ownership in Linux. Understanding how to use these commands is crucial for maintaining proper access controls and ensuring that files and directories are accessible only to authorized users.
chown
CommandThe chown
command is used to change the ownership of a file or directory. It allows you to specify a new owner and group for the file or directory, ensuring that the correct user or group has access to it. The basic syntax of the chown
command is as follows:
In this example, username
is the new owner of the file file.txt
. You can also specify a group along with the owner using the following syntax:
This command sets both the owner and group of file.txt
to username
and groupname
, respectively.
chgrp
CommandThe chgrp
command is used to change the group ownership of a file or directory. It allows you to specify a new group for the file or directory without changing its owner. The basic syntax of the chgrp
command is as follows:
In this example, groupname
is the new group owner of the file file.txt
.
In Linux, recursive permissions allow you to apply permissions to a directory and all its contents simultaneously. This is particularly useful when you need to manage permissions for a large number of files or directories.
The basic syntax for applying recursive permissions is as follows:
In this example, permissions
is the permission string you want to apply, and directory
is the directory you want to apply the permissions to.
The following examples demonstrate how to apply recursive permissions to a directory and its contents.
This command sets the permissions of the /var/www/html
directory and all its contents to 755
. This means the owner has read, write, and execute permissions, the group has read and execute permissions, and others have read and execute permissions.
This command changes the ownership of the /var/www/html
directory and all its contents to user
and sets the group ownership to group
. This ensures that the specified user and group have the appropriate access to the directory and its contents.
When setting up a web hosting environment, it’s essential to ensure that the web server has the necessary permissions to access and serve files. For example, you might want to set the permissions of the /var/www/html
directory to 755
to allow the web server to read and execute files, while preventing others from writing to the directory. This can be achieved using the following command:
When deploying a script, you might need to ensure that it has execute permissions. For instance, if you have a script named deploy.sh
that needs to be executed during deployment, you can set its permissions to 755
using the following command:
This allows the owner to read, write, and execute the script, while others can only read and execute it.
In a collaborative environment, it’s common to have multiple users working on the same project. To facilitate collaboration, you might need to set group permissions to allow multiple users to access and modify files. For example, if you have a project directory named project
and you want to allow members of the developers
group to read, write, and execute files within the directory, you can use the following commands:
The first command sets the group ownership of the project
directory and its contents to developers
, while the second command sets the permissions to allow the group to read, write, and execute files, while others can only read and execute them.
Setting permissions to 777
for all files and directories can be a security risk, as it allows anyone to read, write, and execute them. This can lead to unauthorized access and potential security breaches.
Solution: Use more restrictive permissions based on the specific needs of each file or directory. For example, use 755
for directories and 644
for files to allow the owner to write and others to read.
Forgetting to set execute permissions on scripts can prevent them from being executed, leading to errors or unexpected behavior.
Solution: Ensure that scripts have execute permissions set for the appropriate users or groups. For example, to add execute permission for the owner, use the following command:
Incorrect permissions on web or application directories can prevent the server from accessing or serving files, leading to errors or downtime.
Solution: Ensure that the web server has the necessary permissions to access and serve files. For example, to set permissions for the Apache web server to access files in the /var/www/html
directory, use the following command:
DOs | Description | Example Command |
---|---|---|
Use least-privilege principle | Start with minimal permissions to ensure security. | chmod 755 directory |
Use groups for easier collaboration | Assign group permissions for efficient collaboration. | chown -R :group directory |
Always double-check recursive commands | Verify the impact of recursive commands to avoid unintended changes. | ls -lR directory |
DON’Ts | Description | Example Command |
---|---|---|
Avoid using chmod 777 |
Refrain from using chmod 777 unless it’s absolutely necessary to avoid security risks. |
chmod 755 directory |
Don’t forget to set execute permission on scripts | Ensure scripts have execute permission (chmod +x) to function correctly. | chmod +x script.sh |
Don’t break app access by over-restricting files | Balance permissions to avoid restricting access to applications. | chmod 644 file.txt |
To set permissions in Linux, you use the chmod
command. This command allows you to change the permissions of a file or directory. For example, to set the permissions of a file to allow the owner to read, write, and execute, the group to read and execute, and others to read and execute, you would use the following command:
This sets the permissions of filename
to rwxr-xr-x
, which is equivalent to the numeric value 755
.
chmod 755
sets the permissions of a file or directory to allow the owner to read, write, and execute, the group to read and execute, and others to read and execute. This is a common permission setting for directories and executable files.
chmod 777
, on the other hand, sets the permissions of a file or directory to allow everyone (owner, group, and others) to read, write, and execute. This is not recommended for security reasons, as it allows anyone to modify or execute the file or directory.
Here’s an example of how to set permissions using chmod 777
:
This sets the permissions of filename
to rwxrwxrwx
, which is equivalent to the numeric value 777
.
chmod 666
sets the permissions of a file or directory to allow everyone (owner, group, and others) to read and write, but not execute. This is not a common permission setting, as it does not allow the execution of files.
chmod 777
, as mentioned earlier, sets the permissions of a file or directory to allow everyone to read, write, and execute.
Here’s an example of how to set permissions using chmod 666
:
This sets the permissions of filename
to rw-rw-rw-
, which is equivalent to the numeric value 666
.
chmod 400
sets the permissions of a file or directory to allow only the owner to read, and denies all permissions to the group and others. This is a restrictive permission setting, suitable for sensitive files that should only be accessible by the owner.
Here’s an example of how to set permissions using chmod 400
:
This sets the permissions of filename
to r--------
, which is equivalent to the numeric value 400
.
Setting permissions in Linux is a crucial aspect of system administration and security. By understanding the different permission settings and how to use them, you can ensure that your files and directories are accessible only to authorized users and that your system is secure and reliable.
For a more comprehensive approach to system security, consider using DigitalOcean’s Cloud Firewalls to protect your infrastructure from unauthorized access. Additionally, DigitalOcean’s Block Storage can help you manage data storage securely and efficiently.
For further learning, make sure to check out the following tutorials:
Continue building with DigitalOcean Gen AI Platform.
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!