If you’re working as a Linux administrator or have just started learning the basics, then it’s essential to understand how file permissions work. In this tutorial, I will detail everything you need to know about Linux access control lists (ACLs), including how to change file permissions and file ownership.
How Linux file permissions work
On Linux, file permissions let you control the level of access users have to files. And file ownership is used to determine who has overall jurisdiction over a file. All files in Linux belong to an owner and a group.
Understanding how groups and owners are assigned and used to manage access to files and folders is important. Permissions are rarely determined by assigning individual user accounts to files and folders because it’s too difficult to manage at scale.
The 3 levels of permission in Linux
Here are the three different levels of permission that are used in Linux:
Owner: The user account that owns the file. The owner has complete control over it.
Group: You can assign a group of users to a file or directory and give the group a specific set of permissions.
All users: This permission group applies to all other users. This is probably the group you want to keep an eye on the most for security reasons.
r: The read permission means that the file/directory is readable.
w: The write permission means that the file/directory can be modified.
x: The execute permission means that a user or group can execute a file.
How to check Linux file permissions with the ls command
Reading file ACLs on Linux is important because if a file is assigned the wrong permissions, it may allow attackers to access it and potentially corrupt the entire operating system.
For this tutorial, I will be using a device running Ubuntu 22.04 LTS with sudo privileges. To start this tutorial, you can create a directory named Documents in the home directory:
First, log in to Ubuntu using your favorite SSH client, PuTTY for example.
In the home directory, create a new folder named ‘Documents’ by running the command below.
After you’ve created the directory, run the following chmod command to change access permissions on the folder using a numeric code. I’ll explain what this command does to the file permissions below.
chmod 755 Documents/
Next, you can list permissions for this directory and other details by using the ls command. The ls command is used to list the names and features of files and directories, and the ‘-lh’ option displays entries in a human-readable format.
Now, let’s check out the attributes of the Documents directory:
The first character (d) is the object type (directory). It can also be a ‘-’, which represents a regular file, a ‘c’, which represents a character device, or a ‘b’, which represents a block device.
Block vs character devices in Linux
Linux distinguishes between block and character devices. Block devices are accessed via a buffer and Linux doesn’t need to know the specifics of how to write to them. Conversely, character devices can be accessed directly and without passing through a buffer.
After the directory (d), there are three different sets of permissions (rwx, r-x, and r-x) for the owner of the Documents directory, the group that has been assigned to the directory, and all other users, respectively.
Here, the ‘rwx’ set of permissions means that the owner of the Documents directory has read (r), write (w), and execute (x) permissions.
The group that has been assigned to the directory has read and execute (r-x) permissions. Here, ‘-’ indicates the absence of a specific permission.
All other users also have read and execute permissions (r-x).
‘ec2-user’ is the name of the owner of the Documents directory. It’s also the name of the primary group for this user.
‘Documents’ is the name of the directory.
To give you another example, I’ll create a new file in the home directory:
In the Ubuntu terminal in the home directory, run the following command to create a new ‘my_file’ directory and switch to it:
Next, create an empty text file named ‘new_file’ using the touch command.
Finally, run the ls -lh command to list the permissions for the file you’ve just created.
Let’s analyze the results of this command:
The first character (-) indicates that ‘new_file’ is a regular file.
After the first character (-), there are three triplets of permissions (‘rw-’, ‘r--’, and ‘r--’) for the owner of the file, the group that has been assigned to the file, and all other users.
The ‘rw-’ set of permissions indicates that the owner of the file has read and write permissions.
The ‘r--’ set of permissions shows that the group and all other users are only allowed to read the file.
Here, ‘ec2-user’ is the name of the owner of the file, and it’s also the name of the group that has been assigned to the file.
0 is the size of the file because it’s empty.
When you create new files in Linux, they are given a set of permissions by default. This differs from Windows, where new files and folders inherit permissions from the parent object. The umask command (user mask) can be used to change the default permissions that are assigned to new files and folders.
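To make the effect of the umask concrete, the following added example (not part of the original tutorial) predicts the mode a new file or directory receives under a given umask and checks the prediction by creating one in a scratch directory. The function names are illustrative, and stat -c assumes GNU coreutils, as on Ubuntu.

```shell
#!/bin/sh
# Added example: how the umask determines the mode of newly created files
# and directories. Function names are illustrative, not standard tools.

# default_mode MASK KIND -> mode predicted for a new object.
# New files start from 666 and new directories from 777; every bit that
# is set in the umask is cleared from that starting value.
default_mode() (
    if [ "$2" = "dir" ]; then base=0777; else base=0666; fi
    printf '%03o\n' $(( $base & ~0$1 & 0777 ))
)

# observed_mode MASK KIND -> mode actually assigned by the system.
# The body runs in a subshell, so the caller's umask is left untouched.
observed_mode() (
    tmp=$(mktemp -d) || exit 1
    umask "$1"
    if [ "$2" = "dir" ]; then mkdir "$tmp/obj"; else touch "$tmp/obj"; fi
    mode=$(stat -c '%a' "$tmp/obj")      # GNU stat: octal mode bits
    rm -rf "$tmp"
    printf '%03o\n' $(( 0$mode & 0777 )) # keep only the rwx bits
)

# Compare prediction and reality for three common umask values.
for mask in 022 027 077; do
    printf 'umask %s: file %s (observed %s), dir %s (observed %s)\n' \
        "$mask" \
        "$(default_mode "$mask" file)" "$(observed_mode "$mask" file)" \
        "$(default_mode "$mask" dir)"  "$(observed_mode "$mask" dir)"
done
```

A umask of 027 or 077 is the usual choice when new files should not be readable by other users.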
How to change Linux file permissions with the chmod command
On Linux, the chmod command can be used to change file permissions, and there are two different ways to do that: The symbolic (text) method and the numeric method.
Symbolic (text) method
As we’ve seen previously, the symbolic method uses the r, w, x letters to indicate permissions for the owner of a file or directory, the group that has been assigned to it, and everyone else. To define permissions with the chmod command, you need to use specific letters for each permission group:
u: The owner of the file or directory
g: The group associated with the file or directory
o: Other users
a (or ‘ugo’): all users
Let’s use another example to show you how to change file permissions with the symbolic method:
Let’s create a file named ‘file.txt’ in the home directory using the touch command.
Next, we’ll review the permissions of the file.txt using the ls -lh command.
Now, we’ll use the chmod a-w command to remove the write permission for everyone. Here, the ‘-’ sign is used to remove permissions, and the ‘+’ sign does the opposite. Next, we’ll once again review file permissions using the ls -lh command.
chmod a-w file.txt
This time, you can see that the write permission (w) has been removed from the user. The group and other users didn’t have the write permissions initially, so there’s no change for them.
If we only want to add the read, write, and execute permissions for the user who owns the file, we use the chmod command with a ‘u’ instead of an ‘a’, followed by a ‘+’ sign.
chmod u+rwx file.txt
As a last example, if we want to remove the read permission from the group, we’ll use the chmod command with a ‘g’ followed by a ‘-’ sign.
chmod g-r file.txt
As you can see, the group has now lost the read permission for our file.txt file.
The other way to use the chmod command to change file permissions is the numeric method. Here’s how the syntax works:
r, which represents the read permission, has an octal value of 4.
w, which represents the write permission, has an octal value of 2.
x, which represents the execute permission, has an octal value of 1.
A 0 represents the absence of permissions.
When you use the numeric method with the chmod command, you just add up the octal values to determine the type of permission you want to assign. As an example, the read, write, and execute permissions (rwx) have an octal value of 7 (4+2+1).
Let’s check the permissions again for the file we created earlier using the ls -lh command.
Now, we’ll run the chmod 714 command to change the permissions for this file. Here, the ‘7’ grants read, write, and execute permissions to the owner of the file, the ‘1’ grants the execute permission to the group associated with it, and the ‘4’ grants the read permission to everyone else.
chmod 714 file.txt
As you can see, the group gained the execute permission while nothing changed for the two other permission groups.
What do the chmod 777, chmod 775 and chmod 755 commands do?
The chmod 777, 775, and 755 commands are used quite often to change file permissions, and here’s what they do:
The chmod 777 command grants the read, write, and execute permissions to all groups (owner, group, and everyone else).
The chmod 775 command will grant the read, write, and execute permissions to the owner of the file or directory and to the group associated with it. The ‘5’ in this command will grant both read and execute permissions (4+1) to other users.
The chmod 755 command once again grants read, write, and execute permissions to the owner of the file or directory. It also gives read and execute permissions to the group associated with the file or directory, as well as other users.
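The script below is an added example, not from the original tutorial: it converts the numeric modes discussed above to their rwx form, lists entries that other users can write to, and removes that bit with the symbolic method. The function names and the scratch files are constructed for illustration.

```shell
#!/bin/sh
# Added example: decode numeric modes and audit a directory tree for
# entries that "other users" can write to. Names are illustrative.

# to_symbolic MODE -> nine-character rwx string for a three-digit mode.
to_symbolic() (
    out=""
    for digit in $(printf '%s' "$1" | sed 's/./& /g'); do
        for bit in 4:r 2:w 1:x; do
            if [ $(( $digit & ${bit%%:*} )) -ne 0 ]; then
                out="$out${bit##*:}"
            else
                out="$out-"
            fi
        done
    done
    printf '%s\n' "$out"
)

# writable_by_others DIR -> files and directories under DIR whose third
# triplet includes w (octal bit 002). Symlinks are skipped because their
# own mode bits are not used for access checks.
writable_by_others() {
    find "$1" \( -type f -o -type d \) -perm -002 | sort
}

# tighten DIR -> remove the write bit for other users where it is set.
tighten() {
    find "$1" \( -type f -o -type d \) -perm -002 -exec chmod o-w {} +
}

# build_sample -> scratch directory with one constructed file per mode.
build_sample() (
    dir=$(mktemp -d) || exit 1
    for mode in 777 775 755 714; do
        touch "$dir/file_$mode" && chmod "$mode" "$dir/file_$mode"
    done
    printf '%s\n' "$dir"
)

sample=$(build_sample)
for mode in 777 775 755 714; do
    printf '%s -> %s\n' "$mode" "$(to_symbolic "$mode")"
done
echo "writable by others before:"; writable_by_others "$sample"
tighten "$sample"
echo "writable by others after: $(writable_by_others "$sample" | wc -l) entries"
rm -rf "$sample"
```

Only the file set to 777 is reported, and after tightening it ends up at 775.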
How to change file ownership in Linux with the chown command
If you need to change the ownership of a file or directory, then use the chown command.
To show you how this command works, I’ll use it on my previous file (file.txt). The basic syntax for this command is “chown owner:group filename”.
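The command below changes the owner of the file and the group assignment to ‘root’. The -R option makes chown recursive; it has no effect on a single file like this one and only matters when the target is a directory.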
sudo chown -R root:root file.txt
After running the ls -lh command, we can see that ‘root’ is the new owner of the file, as well as the new group associated with it.
How to change groups of files and directories in Linux with the chgrp command
I just explained how to assign or change the owner and group assigned to a file or directory with the chown command. However, if you just want to change the assigned group of a file or directory, you can use the chgrp command. The basic syntax for this command is “chgrp group file”.
In the command below, we are changing the group membership of the file.txt file from ‘root’ to ‘ec2-user’.
sudo chgrp ec2-user file.txt
Chmod, chown, and chgrp for managing Linux permissions on files and directories
In this tutorial, I explained everything you need to know about working with permissions on Linux. I detailed how to use the chmod command to add and remove permissions from different groups. I also explained how to use the chown and chgrp commands to change the group and ownership of files and directories.
I hope that this knowledge will help you in your various tasks as a Linux administrator.