Linux Basics: File Permissions and Access Control

Introduction

In the world of Linux, everything is a file. From ordinary documents to system devices and process interfaces, all exist in the form of files.

To ensure system security and reliability, strict permission control must be enforced on these files.

Today, we will delve into understanding the Linux file system’s permission model, how permissions are represented, methods for setting permissions, and more advanced access control (ACL).

1. Overview of Linux File System Permissions

Linux adopts a multi-user, multi-tasking operating system design philosophy, thus it must define clear access rules for each file.

Each file has three categories of access subjects:

Access Subject Meaning
Owner The user who created the file
Group Users belonging to the same group
Others All users in the system except the above two

Each category of users can set three basic permissions for files:

Permission Symbol Description
Read <span>r</span> View file content or list directory contents
Write <span>w</span> Modify the file or create/delete files in the directory
Execute <span>x</span> Execute executable files or enter directories

2. File Permission Representation and Default Permissions

We can use the <span>ls -l</span> command to view the permissions and ownership information of files:

ls -l

Example output:

-rwxr-xr--  1 student  wheel   2048  Nov 20  10:00  hello.sh

Understanding Permission Structure

Field Example Meaning
File Type <span>-</span> Regular file (directory is<span>d</span>, link is<span>l</span>)
Owner Permissions <span>rwx</span> Has read, write, and execute permissions
Group Permissions <span>r-x</span> Readable and executable, not writable
Other User Permissions <span>r--</span> Read-only
Owner <span>student</span> The owner of the file
Group <span>wheel</span> The user group to which the file belongs

Numeric Representation of Permissions

In Linux, permissions can also be represented using octal numbers:

Permission Combination Binary Octal Value
000 0
–x 001 1
-w- 010 2
-wx 011 3
r– 100 4
r-x 101 5
rw- 110 6
rwx 111 7

For example:

-rwxr-xr--  →  754

Corresponding meanings:

  • Owner: rwx (7)
  • Group: r-x (5)
  • Others: r– (4)

🧩 Practical Case: Checking Permissions and File Types

ls -l /etc/passwd   # Check the permissions of the system user file
ls -ld /home        # Check the permissions of the /home directory itself
file /bin/bash      # Check the file type (executable file)

📘 Note:

  • ls -l: Displays detailed permission information.
  • ls -ld: Checks the permissions of the directory itself.
  • file: Identifies the file type (text, binary, script, etc.).

3. Setting Linux File System Permissions

Linux provides two ways to modify file permissions:

1️⃣ Using chmod to Modify Permissions

(1) Symbolic Method Modification

chmod u+x test.sh     # Add execute permission for the file owner
chmod g-w test.txt     # Remove write permission for the group
chmod o=r test.txt     # Set read-only permission for others
Symbol Meaning
<span>u</span> File owner (user)
<span>g</span> Group (group)
<span>o</span> Other users (others)
<span>a</span> All users (all)

(2) Numeric Method Modification

chmod 755 test.sh

📘 Note:

  • Owner: 7 → rwx
  • Group: 5 → r-x
  • Other users: 5 → r-x

2️⃣ Using chown to Change File Owner

sudo chown root test.sh        # Change the owner to root
sudo chown student:wheel test.sh  # Change both owner and group

3️⃣ Using chgrp to Change Group Ownership

sudo chgrp wheel test.sh

🧩 Practical Case: Setting Permissions for Deployment Scripts

Suppose we have a shell script backup.sh that needs to be executed by users but not modified:

chmod 755 backup.sh       # Owner can modify and execute, others can only execute
sudo chown root:wheel backup.sh  # Owned by root and wheel group
ls -l backup.sh           # Check the result for verification

📘 Note: This type of permission configuration is commonly used for deploying production environment scripts to prevent ordinary users from mistakenly modifying or deleting critical files.

4. Special Permissions and ACL Access Control

In addition to the basic rwx permissions, Linux also provides three special permissions and one advanced control method:

1️⃣ Special Permissions: SUID, SGID, Sticky Bit

Permission Symbol Function Common Use
SUID <span>s</span> Program executes with the identity of the file owner <span>/usr/bin/passwd</span>
SGID <span>s</span> Program executes with the identity of the file group <span>/usr/bin/mail</span>
Sticky Bit <span>t</span> Only file owners can delete their files in the directory <span>/tmp</span>

📘 Example:

ls -l /usr/bin/passwd

The output may be:

-rwsr-xr-x 1 root root 54256 Jul  7 12:00 /usr/bin/passwd

📘 Note:

  • The 4th position’s<span>s</span> indicates that the SUID bit is set.
  • When a normal user executes this program, they will temporarily gain root privileges.

Setting Special Permissions:

chmod 4755 file      # Set SUID
chmod 2755 dir       # Set SGID
chmod 1755 dir       # Set Sticky Bit

🧩 Practical Case: The Role of Sticky Bit

mkdir /tmp/testdir           # Create a directory
chmod 1777 /tmp/testdir      # Set Sticky Bit
touch /tmp/testdir/a.txt
su - otheruser               # Switch to another user
rm /tmp/testdir/a.txt        # Attempt to delete the file

📘 Result:

<span>otheruser</span><span> cannot delete </span><code><span>a.txt</span>, even though the directory is open to everyone. This is the important mechanism of the Sticky Bit to prevent accidental deletions.

2️⃣ ACL Access Control List

ACL is a more granular permission control method provided by Linux, allowing special access permissions to be granted to individual users or groups.

Enabling and Viewing ACL Support

Most modern file systems (like ext4, xfs) support ACL by default. You can confirm this with the following command:

tune2fs -l /dev/sda1 | grep "Default mount options"

If the output includes acl, it indicates support.

Setting ACL Permissions

setfacl -m u:devops:rwx test.sh   # Add read, write, and execute permissions for user devops
getfacl test.sh                   # View the ACL rules of the file

Deleting ACL Permissions

setfacl -x u:devops test.sh

📘 Note: The flexibility of ACL far exceeds traditional rwx permissions, especially in multi-user systems, such as shared file directories or collaborative development environments.

🧩 Practical Case: Setting Additional Access Permissions for Specific Users

Suppose the <span>/project/data</span> directory belongs to the root user, but you want user <span>alice</span> to also be able to write files:

sudo setfacl -m u:alice:rw /project/data
getfacl /project/data

Output:

# file: project/data
# owner: root
# group: root
user::rwx
user:alice:rw-
group::r-x
mask::rwx
other::r-x

📘 Note: This is more flexible than changing ownership and does not affect the system’s default security policy.

Conclusion

In this article, we systematically learned about the Linux file system permission system:

  • Basic permission model (Owner, Group, Others)
  • Permission symbols and octal representation
  • Permission setting commands (chmod, chown, chgrp)
  • Special permissions (SUID, SGID, Sticky Bit)
  • Advanced access control (ACL)

Understanding these permission mechanisms not only helps you protect system security but also enables efficient collaboration in multi-user environments.

Leave a Comment