Linux User Permissions

1. Basic Permissions

Permission Basics

Users and Groups

  • File Owner (User): The account that owns the file. This is normally the user who created it, but ownership can be transferred with chown; the owner controls the file's permission bits.
  • Group: A group of users that share one set of permissions on the file.
  • Others: Any user who is neither the owner nor a member of the file's group.

Three Basic Permissions

  • Read (r = 4): View file contents / list directory entries.
  • Write (w = 2): Modify file contents / create or delete entries in a directory.
  • Execute (x = 1): Run the file as a program / enter the directory and access its entries.

Common File Types:

  • -: Regular file
  • d: Directory
  • l: Symbolic link
  • c: Character device, e.g., mouse, keyboard, serial port
  • b: Block device, e.g., hard disk, USB drive
  • s: Socket
  • p: Named pipe (FIFO)

Differences in File and Directory Permissions

Permission   File                     Directory
r            View contents            List the names of entries (without x, only the names can be read, not their metadata)
w            Modify contents          Create, delete or rename entries (only effective together with x on the directory)
x            Execute as a program     Enter the directory (cd) and access entries by name

Permission Management Commands

chmod Change File Permission Mode

chmod [options] permission_mode filename

Options:

  • -R: Apply the change recursively to a directory and everything below it.

Permission Mode:

The symbolic form of chmod's permission mode is [ugoa][+-=][permission], that is, [who][how][which permission]; several clauses can be joined with commas.

  • User Identity
    • u: the owner
    • g: the group
    • o: others
    • a: all three (also the default when the identity is omitted, except that bits set in the umask are then left untouched)
  • Grant Method
    • +: add the permission
    • -: remove the permission
    • =: set exactly this permission for that identity, clearing the rest
  • Permission
    • r: read
    • w: write
    • x: execute
chmod u+x file      # Owner adds execute permission
chmod g-w,o=r file  # Group removes write, others set to read-only

Using Numeric Mode

chmod 644 file      # Permissions: rw-r--r--

chown Change Owner and Group

chown [options] owner[:group] filename

Options:

  • -R: Change ownership recursively (the directory and everything below it).
chown user:group file  # Change owner and group

umask Default Permissions

umask (User File Creation Mask) is used to control the default permissions for newly created files or directories.

View the system’s umask permissions

umask          # Output current value (e.g., 0022)
umask -S       # Symbolic mode display (e.g., u=rwx,g=rx,o=rx)

Temporarily set umask

umask 027      # Only effective in the current terminal session

Permanently set umask

# Per-user shell configuration (e.g., ~/.bashrc, ~/.zshrc)
echo "umask 027" >> ~/.bashrc  # Applies to this user's future shells

# System-wide configuration (e.g., /etc/profile)
echo "umask 022" >> /etc/profile  # Applies to all users' login shells

Shell startup files only reach processes started from a shell. Daemons, cron jobs and non-interactive SSH commands do not read them: the login-time umask is normally set by pam_umask (the UMASK value in /etc/login.defs), and a systemd service sets its own with the UMask= directive in its unit file. Check the umask of the process you actually care about, not just of your terminal.

umask Permission Calculation

Default Permissions:

  • Default directory permissions: 777 (binary 111 111 111, i.e., rwxrwxrwx).
  • Default file permissions: 666 (binary 110 110 110, i.e., rw-rw-rw-; files are never created with execute permission, whatever the umask).

Effect of umask:

  • The umask is a mask of the permission bits to clear at creation time.
  • Actual permissions = Default permissions & (~umask), where & is bitwise AND and ~ is bitwise NOT.

Calculation Steps (using umask=022 as an example):

  1. Convert to binary
     • Default directory permissions: 777 → 111 111 111
     • Default file permissions: 666 → 110 110 110
     • umask = 022 → 000 010 010
  2. Invert the umask
     • ~022 → 111 101 101 (each triad inverted: 000 → 111, 010 → 101, 010 → 101)
  3. Bitwise AND
     • Directory: 111 111 111 & 111 101 101 = 111 101 101 → octal 755 (rwxr-xr-x)
     • File: 110 110 110 & 111 101 101 = 110 100 100 → octal 644 (rw-r--r--)

This is a bitwise operation, not subtraction: with umask 027 a new file gets 640, not 666 - 027 = 637.
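The arithmetic above is easy to get wrong by treating the umask as something to subtract. The script below is an added example, not code from the original page: umask_apply computes default & ~umask in shell arithmetic, and umask_probe creates a real file and directory under a given umask in a scratch directory and reads their modes back with stat(1), so the two can be compared. It assumes GNU coreutils stat (Linux); the function names are chosen here.

```shell
#!/bin/sh
# Added example, not from the original page. Applies a umask to the creation
# defaults (666 for files, 777 for directories) with the same bitwise
# arithmetic the kernel uses, then creates a real file and directory under
# that umask in a scratch directory and reads their modes back with stat(1)
# to confirm. Assumes GNU coreutils stat (Linux).

# umask_apply 666 027  ->  640     (default & ~umask, all values octal)
umask_apply() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# umask_probe 027  ->  "640 750"   (observed file mode, observed directory mode)
umask_probe() {
    local dir
    dir=$(mktemp -d) || return 1
    (                      # subshell so the umask change does not leak out
        umask "$1"
        touch "$dir/f" && mkdir "$dir/d"
    ) || { rm -rf "$dir"; return 1; }
    printf '%s %s\n' "$(stat -c %a "$dir/f")" "$(stat -c %a "$dir/d")"
    rm -rf "$dir"
}

# Side by side: the arithmetic versus what the filesystem actually produced.
for u in 022 027 077; do
    printf 'umask %s: computed file %s dir %s, observed "%s"\n' "$u" \
        "$(umask_apply 666 "$u")" "$(umask_apply 777 "$u")" "$(umask_probe "$u")"
done
```

Run it with a umask of 027 and the observed modes come out as 640 and 750, matching the computed values; a service account that must not leave world-readable artefacts is the usual reason to set 027 rather than the default 022.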

2. Special Permissions

SUID (Set User ID) (s or 4000)

When an executable file has SUID set, a process that executes it runs with the effective user ID of the file's owner rather than that of the user who ran it.

It is only meaningful on executable binaries: it has no effect on directories or on non-executable files, the Linux kernel ignores it on interpreted scripts (anything run through a #! line), and it is ignored on filesystems mounted with nosuid. Every SUID-root binary is a privilege boundary, so the set on a host should be small and known.

chmod u+s /path/to/bin   # Set SUID (symbolic)
chmod 4755 /path/to/bin  # Numeric representation (leading 4)

The owner's execute position displays s (if execute was also set) or S (if execute was not set; the bit is present but does nothing).

root@debian:~# ls -la /usr/bin/passwd
-rwsr-xr-x 1 root root 68248 Mar 23  2023 /usr/bin/passwd
    

SGID (Set Group ID) (s or 2000)

For executable files: the process runs with the effective group ID of the file's group rather than the caller's.

For directories: new files and subdirectories created inside inherit the directory's group instead of the creator's primary group, and new subdirectories also inherit the SGID bit itself. This is the usual building block for a shared team directory.

chmod g+s /shared_dir    # Set SGID (symbolic)
chmod 2770 /shared_dir   # Numeric representation (leading 2)

The group's execute position displays s (if execute was also set) or S (if it was not).

test01@debian:~/share$ ls -l ~/
drwxrwsrwx 2 share share 4096 May 13 23:05 share
test01@debian:~/share$ touch bbb
test01@debian:~/share$ ls -l
-rw-r--r-- 1 test01 test01 0 May 13 23:05 aaa
-rw-r--r-- 1 test01 share  0 May 13 23:07 bbb
drwxr-Sr-- 2 share share 4096 May 13 23:07 share

In the listing, bbb, created inside the SGID directory, carries the directory's group share rather than test01, the creator's primary group.
    

Sticky Bit (t or 1000)

Only meaningful on directories. Once set, an entry in the directory can be deleted or renamed only by the entry's owner, the directory's owner, or root, even when other users have write permission on the directory. This is what stops users removing each other's files in /tmp. It says nothing about the contents of the files themselves: whether another user can write into a file in a sticky directory is still decided by that file's own permission bits.

chmod +t /tmp            # Symbolic (same as o+t)
chmod 1777 /tmp          # Numeric (leading 1)

The others' execute position displays t (if execute was also set) or T (if it was not).

root@debian:~# ls -dl /tmp
drwxrwxrwt 9 root root 4096 May 13 22:48 /tmp
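The rwx triads from section 1 and the s/S/t/T markers of this section are one rendering of the same mode bits. The script below is an added example, not code from the original page: mode_to_octal parses an ls -l style mode string back into its four-digit octal value (so the page's -rwsr-xr-x becomes 4755 and drwxr-Sr-- becomes 2744), check_file cross-checks that against stat(1) on a real path, and find_special lists everything under a directory that carries any special bit, which is where a setuid audit starts. It assumes GNU coreutils stat and GNU find (Linux); the function names are chosen here.

```shell
#!/bin/sh
# Added example, not code from the original page. Converts an ls -l / stat %A
# mode string such as "-rwsr-xr-x" to its four-digit octal chmod value,
# interpreting s/S (SUID in the user triad, SGID in the group triad) and
# t/T (sticky in the others triad), cross-checks against stat(1), and lists
# files carrying any special bit. Assumes GNU coreutils stat and GNU find.

# mode_to_octal '-rwsr-xr-x'  ->  4755
mode_to_octal() {
    local mode=$1 special=0 digits="" who triad bits
    for who in u g o; do
        case $who in
            u) triad=$(printf '%s' "$mode" | cut -c2-4) ;;
            g) triad=$(printf '%s' "$mode" | cut -c5-7) ;;
            o) triad=$(printf '%s' "$mode" | cut -c8-10) ;;
        esac
        bits=0
        case $triad in r??) bits=$((bits + 4)) ;; esac
        case $triad in ?w?) bits=$((bits + 2)) ;; esac
        case $triad in
            ??x) bits=$((bits + 1)) ;;
            ??[sS])   # lower case: execute is also set; upper case: it is not
                case $triad in ??s) bits=$((bits + 1)) ;; esac
                if [ "$who" = u ]; then special=$((special + 4)); else special=$((special + 2)); fi ;;
            ??[tT])
                case $triad in ??t) bits=$((bits + 1)) ;; esac
                special=$((special + 1)) ;;
        esac
        digits="$digits$bits"
    done
    printf '%s%s\n' "$special" "$digits"
}

# check_file PATH: exit 0 when the parsed %A string agrees with stat's %a value.
check_file() {
    local sym num
    sym=$(stat -c %A "$1") || return 1
    num=$(stat -c %a "$1") || return 1
    [ "$((0$num))" -eq "$((0$(mode_to_octal "$sym")))" ]
}

# find_special DIR: every file or directory below DIR with SUID, SGID or sticky
# set, printed as "<octal> <path>". Run it on / to inventory setuid binaries.
find_special() {
    find "$1" -xdev \( -type f -o -type d \) -perm /7000 -exec stat -c '%a %n' {} \;
}

# The page's own listings, converted.
for s in -rwsr-xr-x drwxrwsrwx drwxr-Sr-- drwxrwxrwt -rwSr--r-- -rw-r--r--; do
    printf '%s -> %s\n' "$s" "$(mode_to_octal "$s")"
done
```

Note that -rwSr--r-- parses to 4644: the SUID bit is stored but, without execute permission, the file cannot be run, so the capital S marks a bit that is doing nothing.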
    

3. File System Attributes

chattr sets extended file attributes (inode flags) on files and directories. They live in the filesystem's metadata, are checked by the kernel independently of the rwx permission bits, and are enforced even against root: a root process cannot write to or delete an immutable file until the flag is cleared with chattr. Clearing it requires the CAP_LINUX_IMMUTABLE capability, which root normally holds, so these attributes protect against mistakes and against unprivileged or capability-restricted processes; they are not a defence against an attacker who already has full root.

  • Supported by ext2/3/4, XFS, Btrfs and some other filesystems; the flags are a property of the filesystem, not of the permission model.
  • Even root cannot modify or delete a protected file directly; the attribute has to be removed first.

Setting File System Attributes

chattr [options] [+-=]attributes filename_or_directory

Attributes:

  • i (immutable): A file with i set cannot be deleted, renamed, hard-linked, written to, or appended to. On a directory, the data of existing files inside can still be modified, but entries cannot be created, deleted or renamed.
  • a (append only): A file with a set can only be opened for appending; existing data cannot be modified or truncated, and the file cannot be deleted or renamed. On a directory, files can be created and modified but not deleted.
  • e (extents): Most files on ext4 show e by default, meaning the file's blocks are mapped with extents. It is informational, and chattr cannot remove it.

Viewing File System Attributes

lsattr [options] filename

Options:

  • -a: List all entries in directories, including those whose names begin with a dot.
  • -d: If the target is a directory, list the attributes of the directory itself rather than of its contents.
  • -R: Recurse into subdirectories.
# Example: append-only on a directory allows creating files but not removing them
root@debian:~# lsattr -d /home/test01
--------------e------- /home/test01
root@debian:~# chattr +a /home/test01
root@debian:~# lsattr -d /home/test01
-----a--------e------- /home/test01
root@debian:~# touch /home/test01/aaa
root@debian:~# ls -l /home/test01
total 4
-rw-r--r-- 1 root  root     0 May 14 23:50 aaa
drwxr-Sr-- 2 share share 4096 May 13 23:07 share
root@debian:~# rm -rf /home/test01/aaa
rm: cannot remove '/home/test01/aaa': Operation not permitted
root@debian:~#
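Because these flags are invisible to ls -l, an audit has to go through lsattr. The script below is an added example, not code from the original page: flagged_files reads lsattr output and prints only the entries flagged i or a, which is what you want both when hunting for planted files an attacker made immutable so that package upgrades and cleanup fail, and when verifying that append-only logs are still append-only. The lsattr lines inside the script are constructed to look like lsattr -R output, including a directory header line; on a real host pipe the command in. has_attr is a single-file check on top of lsattr -d. Function names are chosen here.

```shell
#!/bin/sh
# Added example, not from the original page. Picks out immutable (i) and
# append-only (a) entries from lsattr output. The sample below is constructed
# to look like `lsattr -R` output (flag field, space, path), including a
# directory header line; on a real host use:
#   lsattr -R /etc 2>/dev/null | flagged_files

SAMPLE_LSATTR='/etc/init.d:
--------------e------- /etc/init.d/ssh
--------------e------- /etc/hosts
----i---------e------- /etc/resolv.conf
-----a--------e------- /var/log/audit/audit.log
--------------e------- /etc/ssh/sshd_config'

# Reads lsattr lines on stdin; prints "<flags> <path>" for entries flagged i or a.
# Directory headers such as "/etc/init.d:" have a slash in the first field and
# are skipped, so the "i" in "init.d" cannot produce a false positive.
flagged_files() {
    awk 'NF >= 2 && $1 !~ /\// && $1 ~ /[ia]/ {
             flags = $1
             sub(/^[^ ]+ +/, "")          # keep paths containing spaces intact
             print flags, $0
         }'
}

# has_attr FILE FLAG: exit 0 if FILE carries FLAG (e.g. i or a) according to lsattr -d.
# With no lsattr output at all (unsupported filesystem, missing file) it exits 1.
has_attr() {
    lsattr -d -- "$1" 2>/dev/null | awk -v f="$2" '{ found = ($1 ~ f) } END { exit found ? 0 : 1 }'
}

printf '%s\n' "$SAMPLE_LSATTR" | flagged_files
```

On the sample input only /etc/resolv.conf (immutable) and /var/log/audit/audit.log (append-only) are reported. Compare the result against what you expect to be protected; an immutable file you did not set is worth a closer look.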
    

4. ACL Permissions

  • ACL (Access Control List) provides finer-grained permission control than the owner/group/others model.
  • Permissions can be set for several named users and groups on one file, instead of a single owner and a single group.
  • Through default ACLs, new files and directories created under a directory inherit the entries automatically.
  • Suited to shared directories where different users need different levels of access. A file or directory carrying an extended ACL is shown by ls -l with a + after the permission bits.

Enabling ACL Permissions

On current ext4 filesystems the acl mount option is enabled by default, but confirm it:

root@debian:~# dumpe2fs -h /dev/sda1
dumpe2fs 1.47.0 (5-Feb-2023)
...omitted...
Default mount options:    user_xattr acl
...omitted...

If it is not enabled, remount the partition with ACL support.

root@debian:~# mount -o remount,acl /
# Remount the root partition with the acl option

To enable it permanently, add acl to the mount options in /etc/fstab.

root@debian:~# vim /etc/fstab
UUID=845ea764-933b-49d7-862d-e153d99562e2 /               ext4    defaults,acl  1       1

If you get -bash: setfacl: command not found, install the acl package.

root@debian:~# apt update
root@debian:~# apt install acl
    

Basic ACL Commands

setfacl Set ACL Permissions

setfacl [options] [rule type]:[object]:[permission] filename/directory

Key Parameters

Parameter  Description                                  Example
-m         Modify or add an entry                       setfacl -m u:alice:rw file
-x         Delete an entry                              setfacl -x u:bob file
-b         Delete all extended entries                  setfacl -b dir
-d         Operate on the default ACL (with -m or -x)   setfacl -d -m g:team:rx dir
-R         Recursive operation                          setfacl -R -m g:staff:r-x /data
-k         Delete all default entries                   setfacl -k dir

Rule Type Prefixes

Prefix   Description            Full Example
u:       Named user entry       u:username:rwx
g:       Named group entry      g:groupname:r-x
d:u:     Default user entry     d:u:username:rwx
d:g:     Default group entry    d:g:groupname:r--
(none)   Owner / owning group   u::rw-, g::r-x
m::      Mask entry             m::rwx

The d: prefix and the -d option are two spellings of the same thing: setfacl -m d:g:team:rx dir and setfacl -d -m g:team:rx dir are equivalent.

Options:

  • -m: Add or modify entries.
  • -x: Delete an entry (give the user or group, without permissions).
  • -b: Delete all extended entries, leaving only the base owner/group/other entries.
  • -k: Delete the default ACL (directories only).
  • -d: Operate on a directory's default ACL, which new files and subdirectories inherit.
  • -R: Apply recursively to a directory and everything below it.

Types

  • u: user
  • g: group
  • m: mask
  • o: others

Object (empty means the file's owner or owning group)

  • User: user name or UID
  • Group: group name or GID

Permissions

  • r: read
  • w: write
  • x: execute

The mask entry is an upper bound on the named users, the named groups and the owning group; the owner and others entries are not affected by it. setfacl recalculates the mask on every change unless -n is given, and chmod on a file with an extended ACL changes the mask rather than the owning-group entry, which can silently reduce named users' rights. getfacl marks such entries with #effective: next to the entry, so check there after any chmod on an ACL-bearing path.

1. Add permissions for a user or group
# Give user bob read, write and execute on the directory
setfacl -m u:bob:rwx project/

# Give group contractors read-only access (listing only, since x is not granted)
setfacl -m g:contractors:r-- project/

2. Set default permissions (directory inheritance)
# Set a default ACL on the directory (entries created later inherit it)
setfacl -d -m u:alice:rwx shared_dir/
setfacl -d -m g:devteam:rwx shared_dir/

A default ACL applies only to entries created after it is set; existing contents are untouched (use -R -m for those). When a directory has a default ACL, the umask is not applied to new entries inside it: the mode requested by the creating process is combined with the default ACL instead.
    

When you first set a default ACL (with the d: prefix or -d), setfacl copies the directory's base owner, group and other permissions into the corresponding default entries and computes a default mask:

# Default permissions
ls -lad test
drwxrwxr-x 5 root smbgroup 4096 May 31 17:33 test
getfacl test
# file: test
# owner: root
# group: smbgroup
user::rwx
group::rwx
other::r-x

# Set a default entry for one user
setfacl -m d:u:test01:rwx test
getfacl test
# file: test
# owner: root
# group: smbgroup
user::rwx
group::rwx
other::r-x
default:user::rwx
default:user:test01:rwx
default:group::rwx
default:mask::rwx
default:other::r-x

# Control the default entries precisely (here only test01 gets anything)
setfacl -m d:u:test01:rwx,d:g::--,d:o::--,d:u::-- test
getfacl test
# file: test
# owner: root
# group: smbgroup
user::rwx
group::rwx
other::r-x
default:user::---
default:user:test01:rwx
default:group::---
default:mask::rwx
default:other::---

Read the last result carefully before copying it: default:user::--- means that whoever creates a file in test gets no permissions on it as its owner until the mode is changed. The example shows the mechanics, not a recommended policy.
    
3. Delete ACL entries
# Delete the entry for user bob
setfacl -x u:bob project/

# Delete all extended entries (base permissions are kept)
setfacl -b project/

4. Recursive ACL setting
# Apply to the directory and everything already below it
setfacl -R -m g:auditors:r-x /financial_data/

With -R, the x in r-x is granted on regular files as well as directories. As with chmod, setfacl accepts a capital X, which grants execute only on directories and on files that are already executable; prefer it when recursing over data directories.
    

getfacl View ACL Permissions

getfacl [options] filename/directory

Options:

  • -R: Recursively list the ACLs of a directory and its contents.
  • -c: Omit the comment header (file name, owner, group).
  • -p: Keep leading slashes in path names instead of stripping them.
root@shared:/# getfacl test
# file: test
# owner: root
# group: smbgroup
user::rwx
group::rwx
other::r-x
default:user::rwx
default:user:test01:rwx
default:group::rwx
default:mask::rwx
default:other::r-x
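The one line of getfacl output that decides whether a named entry actually works is the mask, and it is the line people overlook. The script below is an added example, not code from the original page: acl_effective reads getfacl text and prints each entry together with its effective permissions, computed the same way getfacl's #effective: annotation is (named users, named groups and the owning group are ANDed with the mask, default entries with the default mask, while the owner and others are left alone), and acl_effective_of pulls out one entry. The getfacl text inside the script is constructed; on a real system pipe getfacl -p into it. Function and sample names are chosen here.

```shell
#!/bin/sh
# Added example, not from the original page. Computes the effective rights of
# every ACL entry the way getfacl's "#effective:" annotation does: named
# users, named groups and the owning group are capped by the mask entry
# (default entries by the default mask); the owner and others are not.
# SAMPLE_ACL is constructed getfacl output; on a real system use:
#   getfacl -p project/ | acl_effective

SAMPLE_ACL='# file: project
# owner: root
# group: devteam
user::rwx
user:alice:rwx
group::r-x
group:contractors:r--
mask::r-x
other::---
default:user::rwx
default:user:bob:rwx
default:group::r-x
default:mask::rw-
default:other::---'

# Reads getfacl output on stdin; prints "<entry><TAB><effective perms>" per entry.
acl_effective() {
    awk -F: '
        function and_perm(a, b,   out, k, ca) {
            out = ""
            for (k = 1; k <= 3; k++) {
                ca = substr(a, k, 1)
                out = out ((ca != "-" && ca == substr(b, k, 1)) ? ca : "-")
            }
            return out
        }
        /^#/ || NF == 0 { next }
        {
            isdef = ($1 == "default")
            t = isdef ? $2 : $1; nm = isdef ? $3 : $2; p = isdef ? $4 : $3
            if (t == "mask") { if (isdef) dmask = p; else mask = p }
            n++; line[n] = $0; T[n] = t; N[n] = nm; P[n] = p; D[n] = isdef
        }
        END {
            for (i = 1; i <= n; i++) {
                m = D[i] ? dmask : mask
                # owner, others and the mask itself are never limited by the mask;
                # a minimal ACL (no mask entry) has nothing to limit either
                if (m == "" || T[i] == "other" || T[i] == "mask" || (T[i] == "user" && N[i] == ""))
                    eff = P[i]
                else
                    eff = and_perm(P[i], m)
                printf "%s\t%s\n", line[i], eff
            }
        }'
}

# acl_effective_of PREFIX: effective perms of one entry, e.g. "user:alice",
# "default:user:bob", or "group:" / "user:" for the owning group and the owner.
acl_effective_of() {
    acl_effective | awk -F'\t' -v want="$1:" 'index($1, want) == 1 { print $2; exit }'
}

printf '%s\n' "$SAMPLE_ACL" | acl_effective
```

On the sample, alice was granted rwx but the mask r-x leaves her with r-x, and bob's default rwx is cut to rw- by the default mask: exactly the situation a chmod g-w on an ACL-bearing directory produces, and the reason to re-run getfacl after every chmod on such a path.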
    
