After completing the work in this module you will be able to:
List file system permissions on files and directories, and interpret the effect of those permissions on access by users and groups.
Every file on a Linux system has an owner and belongs to a group. File permissions control who can access which files.
Permission | Effect on Files | Effect on Directories |
---|---|---|
r (read) | Content of files can be read. | Contents can be listed. |
w (write) | Content of files can be changed. | Files can be created or deleted. |
x (execute) | File can be run as a command. | The cd command can be used. |
The effect of permissions on directories is different than that of ordinary files. Read permission means the contents of the directory can be listed. Write permission allows files to be created or deleted in the directory. The execute permission allows use of the cd command to make the directory the current directory.
[student@workstation ~]$ ls -l myscript.sh
-rwxrwxr--. 1 student student 1520 May 18 07:36 myscript.sh
The -l option to the ls command displays file permissions and file ownership.
-rwxrwxr--. 1 student student 1520 May 18 07:36 myscript.sh
Reading the fields of this listing from left to right:
- File type (-): The first character indicates the file type. The most common are a - (dash) for an ordinary file, while d indicates a directory and l a symbolic link.
- Permissions (rwxrwxr--): The next field shows permissions for the owner of the file, then for the group the file belongs to, and finally for others on the system. The possible permissions are read, write, and execute. A dash in this field indicates the lack of that permission.
- SELinux (.): SELinux is a mandatory access control mechanism. A period here indicates that permissions are controlled by SELinux.
- Link count (1): A file will have at least one link, but you can create additional links, either hard or symbolic, with the ln command.
- Owner (student): This is the account that owns the file.
- Group (student): This is the group that the file belongs to. Regular users will have a private group.
- Size (1520): This field shows the file size in bytes. Adding the -h option to the ls command makes the size easier to read.
- Date (May 18 07:36): This is the date the file was created or last modified.
- Name (myscript.sh): The last field is the name of the file.
After reading this section in the textbook, complete the quiz in Canvas.
Change the permissions and ownership of files with command-line tools.
[student@workstation ~]$ man -k permissions
access (2)           - check user's permissions for a file
chmod (2)            - change permissions of a file
console.perms (5)    - permissions control file for users at the system console
...
The chmod or "change mode" command is used to change file permissions. The command can be used to change permissions by the symbolic method or the octal method.
[joe@localhost ~]$ ls -l myscript.sh
-rw-r--r-- 1 joe joe 1824 Sep 14 12:47 myscript.sh
[joe@localhost ~]$ chmod +x myscript.sh
[joe@localhost ~]$ ls -l myscript.sh
-rwxr-xr-x 1 joe joe 1824 Sep 14 12:47 myscript.sh
Often it is easier to use the octal or "numeric" method to set permissions. In the example that follows, the ssh command will not use a private key that is accessible by others.
Number | Description |
---|---|
4 | Permission to read file. |
2 | Permission to write to file. |
1 | Permission to run file as a program. |
0 | No permissions. |
The numbers can be added together to get the desired permission. For example, 4+2=6, which is read plus write permission.
[student@workstation ~]$ ls -l ~/.ssh/id_rsa
-rw-rw-rw- 1 student student 2675 Jul 29 2022 .ssh/id_rsa
[student@workstation ~]$ chmod 0600 .ssh/id_rsa
[student@workstation ~]$ ls -l ~/.ssh/id_rsa
-rw------- 1 student student 2675 Jul 29 2022 .ssh/id_rsa
The chmod command used here fixes the issue with the SSH private key shown previously. The digits are, in order: special permissions (0), user permissions (6, read plus write), no permissions (0) for the group, and no permissions (0) for others.
Every file (directories are files, too) on a Linux system belongs to a group and has an owner.
[student@workstation ~]$ ls -l ~/mydoc.md
-rw-rw-rw- 1 student student 2675 Jul 29 2022 mydoc.md
[student@workstation ~]$ chown :consultants mydoc.md
[student@workstation ~]$ ls -l ~/mydoc.md
-rw------- 1 student consultants 2675 Jul 29 2022 mydoc.md
A new file is owned by the user that creates it and belongs to that owner's primary group. Only root can change the owner of a file; a user can change the group to which a file belongs to any other group of which the user is a member. Notice the colon preceding consultants, which tells chown to change only the group.
Use file system permissions to create a directory in which all members of a particular group can add and delete files.
When a new file is created it inherits the default permissions set on the system. These permissions are set in the umask section of the /etc/login.defs file.
[student@workstation ~]$ which passwd
/usr/bin/passwd
[student@workstation ~]$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 59976 Nov 24 2022 /usr/bin/passwd
Sometimes a program needs to run with the permissions of the owner of the program rather than those of the user who runs it. The passwd command is an example. The /etc/shadow file must be updated when a user sets a new password, and root privileges are required to change that file. Doing so with normal unprivileged permissions would be impossible. The s in place of x in the owner's permissions in the listing above marks passwd as such a setuid program.
[student@workstation ~]$ ls -ld /tmp
drwxrwxrwt 19 root root 4096 Feb 7 08:26 /tmp/
The sticky bit (the t at the end of the permissions above) assigned to a directory such as /tmp prevents files from being changed or deleted except by the owner of the file.
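As an added example, not part of the course slides, the POSIX shell routines below read the permission string that ls -l prints (the listings of myscript.sh, id_rsa, passwd and /tmp above), work out the file type and the octal mode including the setuid, setgid and sticky bits, and check whether a private key is readable only by its owner. The mode strings passed in are constructed test values.

```shell
#!/bin/sh
# Added example, not from the course slides: interpret the mode string that
# "ls -l" prints (e.g. "-rwxrwxr--." or "drwxrwxrwt") and convert it to the
# octal form that chmod accepts.

# file_type_of MODE -> "regular file", "directory", "symbolic link" or "other"
file_type_of() {
    case "$(printf '%s' "$1" | cut -c1)" in
        -) echo "regular file" ;;
        d) echo "directory" ;;
        l) echo "symbolic link" ;;
        *) echo "other" ;;
    esac
}

# triplet_value rwx -> 7, r-x -> 5, rw- -> 6, --- -> 0 (4 read, 2 write, 1 execute)
# A lowercase s or t in the execute slot means execute plus a special bit;
# uppercase S or T means the special bit is set but execute is not.
triplet_value() {
    n=0
    case "$1" in r??) n=$((n + 4)) ;; esac
    case "$1" in ?w?) n=$((n + 2)) ;; esac
    case "$1" in ??[xst]) n=$((n + 1)) ;; esac
    echo "$n"
}

# special_value MODE -> 4 setuid, 2 setgid, 1 sticky (added together)
special_value() {
    n=0
    case "$1" in ???[sS]??????*) n=$((n + 4)) ;; esac   # owner execute slot
    case "$1" in ??????[sS]???*) n=$((n + 2)) ;; esac   # group execute slot
    case "$1" in ?????????[tT]*) n=$((n + 1)) ;; esac   # other execute slot
    echo "$n"
}

# mode_to_octal "-rwxrwxr--." -> 0774, "-rwsr-xr-x" -> 4755, "drwxrwxrwt" -> 1777
mode_to_octal() {
    u=$(triplet_value "$(printf '%s' "$1" | cut -c2-4)")
    g=$(triplet_value "$(printf '%s' "$1" | cut -c5-7)")
    o=$(triplet_value "$(printf '%s' "$1" | cut -c8-10)")
    printf '%d%d%d%d\n' "$(special_value "$1")" "$u" "$g" "$o"
}

# key_is_private MODE -> success only if group and others have no access at
# all, which is what ssh expects of a private key such as ~/.ssh/id_rsa
key_is_private() {
    [ "$(mode_to_octal "$1" | cut -c3-4)" = "00" ]
}

mode_to_octal "-rwxrwxr--."   # prints 0774
```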
As noted above, a new file inherits the default permissions set on the system, which come from the umask section of the /etc/login.defs file. The executable bit (1) must always be explicitly set.
umask Utility on Permissions
[student@workstation ~]$ umask
0022
The umask command without an argument displays the current value of the umask.
[student@workstation ~]$ umask 0002
Regular users can temporarily change the umask. Given the umask shown on the previous slide (0022), what would be the resulting umask after student runs this command?
Use the Vim text editor to create this script in the /etc/profile.d directory, which changes the default umask for regular users.
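An added example, not from the course slides, that works out arithmetically what a umask such as the 0022 and 0002 shown above does to new files and directories, and then creates the kind of group-shared directory the next objective describes. It assumes GNU coreutils (stat -c) and that the caller is a member of the group named; the directory and group in the demo are placeholders.

```shell
#!/bin/sh
# Added example, not from the course slides: compute the permissions a new
# file or directory receives under a given umask, and create a directory in
# which every member of a group can add and delete files.

# apply_umask MASK BASE -> resulting mode. A new regular file starts from 0666
# (no execute bit) and a new directory from 0777; the umask removes bits.
apply_umask() {
    mask=$(( 0$1 ))        # leading 0 forces octal interpretation
    base=$(( 0$2 ))
    printf '%04o\n' $(( base & ~mask ))
}

new_file_mode() { apply_umask "$1" 0666; }   # e.g. new_file_mode 0022 -> 0644
new_dir_mode()  { apply_umask "$1" 0777; }   # e.g. new_dir_mode  0002 -> 0775

# make_group_dir DIR GROUP: mode 2770 = setgid bit (2) + rwx for owner (7) and
# group (7), nothing for others (0). With setgid set on the directory, files
# created inside it belong to GROUP rather than the creator's primary group.
# Assumes the caller may create DIR and is a member of GROUP (placeholder
# values in the demo below). Prints the resulting mode via GNU stat.
make_group_dir() {
    dir=$1; group=$2
    mkdir -p "$dir"
    chgrp "$group" "$dir"
    chmod 2770 "$dir"
    stat -c '%a' "$dir"    # 2770
}

# Demo: the answer to the slide's umask 0002 question for a new file, then a
# shared directory for the caller's own group (a stand-in for a real project
# group such as the consultants group used earlier).
new_file_mode 0002                       # 0664
demo=$(mktemp -d)
make_group_dir "$demo/shared" "$(id -gn)"
rm -rf "$demo"
```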
Control the permissions on files that are created in a directory by using umask settings and the setgid permission.
- The ls -l command displays file permissions and file ownership.
- Use the -d option to ls -l to display the permissions for the directory itself.
- The chmod command changes permissions.
- The chown command changes the owner of a file or the group to which a file belongs.
- The umask command displays, or temporarily changes, the default permissions for files.
- The suid, sgid, and sticky bit special permissions provide additional access-related features to files.
This is a good lab to practice using Esc+. to insert the previous command's argument into the current command. See Chapter 2: Execute Commands with the Bash Shell.
Thanks for watching. This is the end of the presentation.
Created on 17 February 2025 by Dennis Kibbe. Last modified on 9 June 2025 09:21:00 by DNK.
This slide presentation was created by B6Plus. The audio accompanying this presentation is AI-generated.