Introduction
In the world of Linux, everything is a file. From ordinary documents to system devices and process interfaces, all exist in the form of files.
To ensure system security and reliability, strict permission control must be enforced on these files.
Today, we will delve into understanding the Linux file system’s permission model, how permissions are represented, methods for setting permissions, and more advanced access control (ACL).
1. Overview of Linux File System Permissions
Linux adopts a multi-user, multi-tasking operating system design philosophy, thus it must define clear access rules for each file.
Each file has three categories of access subjects:
| Access Subject | Meaning |
|---|---|
| Owner | The user who created the file |
| Group | Users belonging to the same group |
| Others | All users in the system except the above two |
Each category of users can set three basic permissions for files:
| Permission | Symbol | Description |
|---|---|---|
| Read | <span>r</span> |
View file content or list directory contents |
| Write | <span>w</span> |
Modify the file or create/delete files in the directory |
| Execute | <span>x</span> |
Execute executable files or enter directories |
2. File Permission Representation and Default Permissions
We can use the <span>ls -l</span> command to view the permissions and ownership information of files:
ls -l
Example output:
-rwxr-xr-- 1 student wheel 2048 Nov 20 10:00 hello.sh
Understanding Permission Structure
| Field | Example | Meaning |
|---|---|---|
| File Type | <span>-</span> |
Regular file (directory is<span>d</span>, link is<span>l</span>) |
| Owner Permissions | <span>rwx</span> |
Has read, write, and execute permissions |
| Group Permissions | <span>r-x</span> |
Readable and executable, not writable |
| Other User Permissions | <span>r--</span> |
Read-only |
| Owner | <span>student</span> |
The owner of the file |
| Group | <span>wheel</span> |
The user group to which the file belongs |
Numeric Representation of Permissions
In Linux, permissions can also be represented using octal numbers:
| Permission Combination | Binary | Octal Value |
|---|---|---|
| — | 000 | 0 |
| –x | 001 | 1 |
| -w- | 010 | 2 |
| -wx | 011 | 3 |
| r– | 100 | 4 |
| r-x | 101 | 5 |
| rw- | 110 | 6 |
| rwx | 111 | 7 |
For example:
-rwxr-xr-- → 754
Corresponding meanings:
- Owner: rwx (7)
- Group: r-x (5)
- Others: r– (4)
🧩 Practical Case: Checking Permissions and File Types
ls -l /etc/passwd # Check the permissions of the system user file
ls -ld /home # Check the permissions of the /home directory itself
file /bin/bash # Check the file type (executable file)
📘 Note:
- ls -l: Displays detailed permission information.
- ls -ld: Checks the permissions of the directory itself.
- file: Identifies the file type (text, binary, script, etc.).
3. Setting Linux File System Permissions
Linux provides two ways to modify file permissions:
1️⃣ Using chmod to Modify Permissions
(1) Symbolic Method Modification
chmod u+x test.sh # Add execute permission for the file owner
chmod g-w test.txt # Remove write permission for the group
chmod o=r test.txt # Set read-only permission for others
| Symbol | Meaning |
|---|---|
<span>u</span> |
File owner (user) |
<span>g</span> |
Group (group) |
<span>o</span> |
Other users (others) |
<span>a</span> |
All users (all) |
(2) Numeric Method Modification
chmod 755 test.sh
📘 Note:
- Owner: 7 → rwx
- Group: 5 → r-x
- Other users: 5 → r-x
2️⃣ Using chown to Change File Owner
sudo chown root test.sh # Change the owner to root
sudo chown student:wheel test.sh # Change both owner and group
3️⃣ Using chgrp to Change Group Ownership
sudo chgrp wheel test.sh
🧩 Practical Case: Setting Permissions for Deployment Scripts
Suppose we have a shell script backup.sh that needs to be executed by users but not modified:
chmod 755 backup.sh # Owner can modify and execute, others can only execute
sudo chown root:wheel backup.sh # Owned by root and wheel group
ls -l backup.sh # Check the result for verification
📘 Note: This type of permission configuration is commonly used for deploying production environment scripts to prevent ordinary users from mistakenly modifying or deleting critical files.
4. Special Permissions and ACL Access Control
In addition to the basic rwx permissions, Linux also provides three special permissions and one advanced control method:
1️⃣ Special Permissions: SUID, SGID, Sticky Bit
| Permission | Symbol | Function | Common Use |
|---|---|---|---|
| SUID | <span>s</span> |
Program executes with the identity of the file owner | <span>/usr/bin/passwd</span> |
| SGID | <span>s</span> |
Program executes with the identity of the file group | <span>/usr/bin/mail</span> |
| Sticky Bit | <span>t</span> |
Only file owners can delete their files in the directory | <span>/tmp</span> |
📘 Example:
ls -l /usr/bin/passwd
The output may be:
-rwsr-xr-x 1 root root 54256 Jul 7 12:00 /usr/bin/passwd
📘 Note:
- The 4th position’s
<span>s</span>indicates that the SUID bit is set. - When a normal user executes this program, they will temporarily gain root privileges.
Setting Special Permissions:
chmod 4755 file # Set SUID
chmod 2755 dir # Set SGID
chmod 1755 dir # Set Sticky Bit
🧩 Practical Case: The Role of Sticky Bit
mkdir /tmp/testdir # Create a directory
chmod 1777 /tmp/testdir # Set Sticky Bit
touch /tmp/testdir/a.txt
su - otheruser # Switch to another user
rm /tmp/testdir/a.txt # Attempt to delete the file
📘 Result:
<span>otheruser</span><span> cannot delete </span><code><span>a.txt</span>, even though the directory is open to everyone. This is the important mechanism of the Sticky Bit to prevent accidental deletions.
2️⃣ ACL Access Control List
ACL is a more granular permission control method provided by Linux, allowing special access permissions to be granted to individual users or groups.
Enabling and Viewing ACL Support
Most modern file systems (like ext4, xfs) support ACL by default. You can confirm this with the following command:
tune2fs -l /dev/sda1 | grep "Default mount options"
If the output includes acl, it indicates support.
Setting ACL Permissions
setfacl -m u:devops:rwx test.sh # Add read, write, and execute permissions for user devops
getfacl test.sh # View the ACL rules of the file
Deleting ACL Permissions
setfacl -x u:devops test.sh
📘 Note: The flexibility of ACL far exceeds traditional rwx permissions, especially in multi-user systems, such as shared file directories or collaborative development environments.
🧩 Practical Case: Setting Additional Access Permissions for Specific Users
Suppose the <span>/project/data</span> directory belongs to the root user, but you want user <span>alice</span> to also be able to write files:
sudo setfacl -m u:alice:rw /project/data
getfacl /project/data
Output:
# file: project/data
# owner: root
# group: root
user::rwx
user:alice:rw-
group::r-x
mask::rwx
other::r-x
📘 Note: This is more flexible than changing ownership and does not affect the system’s default security policy.
Conclusion
In this article, we systematically learned about the Linux file system permission system:
- Basic permission model (Owner, Group, Others)
- Permission symbols and octal representation
- Permission setting commands (chmod, chown, chgrp)
- Special permissions (SUID, SGID, Sticky Bit)
- Advanced access control (ACL)
Understanding these permission mechanisms not only helps you protect system security but also enables efficient collaboration in multi-user environments.