Page Body

GNU/Linux Permissions and Ownership

Permissions and ownership information for GNU/Linux file system objects can be viewed with the ls -l command.

Note: If you are not familiar with the GNU/Linux command line interface, review the Conventions page before proceeding.

Object Types

The first character in the long listing (i.e., ls -l) for a file system object represents the object's type.

$ ls -l
total 36
drwxr-xr-x. 2 amnesia amnesia 4096 May  5  2020 Desktop
drwxr-xr-x. 2 amnesia amnesia 4096 May  5  2020 Documents
drwxr-xr-x. 2 amnesia amnesia 4096 May  5  2020 Downloads
drwxr-xr-x. 2 amnesia amnesia 4096 May  5  2020 Music
drwxr-xr-x. 2 amnesia amnesia 4096 May  5  2020 Pictures
drwxr-xr-x. 2 amnesia amnesia 4096 May  5  2020 Public
drwxr-xr-x. 2 amnesia amnesia 4096 May  5  2020 Templates
drwxr-xr-x. 2 amnesia amnesia 4096 May  5  2020 Videos

The object types are:

  • - Regular file
  • b Block device file
  • c Character device file
  • d Directory
  • l Symbolic link
  • n Network file
  • p FIFO (First In, First Out, i.e., a named pipe)
  • s Socket

Object Permissions

The next nine characters in the long listing are the object's permission trios, which represent the permissions for the object's User Owner, Group Owner, and Other.

Each permission trio is made up of three permission bits.

Permission Trios
rwx rwx rwx
u g o

The permission bit values can be:

A - for a permissions bit means no permissions.

Read permission grants the ability to view file contents. For directories, read permission grants the ability to view the directory contents and, if the execute permission is also present, the ability to view object attributes with the ls -l command (i.e., to do a long-listing of the directory's contents).

Write permission grants the ability to change file contents. For directories, write permission grants the ability to add or delete items from directories, but only if the execute permission is also present.

Execute permission grants the ability to execute a file. If the file is a script and the read permission is also present, the script can be executed as well. For directories, execute permission grants the ability to use the cd command to change to a directory and to use the directory in a pathname.

These permissions allow for odd occurrences. For example, a user that has write and execute permission on a directory can delete other users' files in that directory, regardless of those files' access mode (i.e., the sum total of a file's permissions) and user owner/group owner. GNU/Linux uses the special permission bits to address this.

After the permission trios, you may see a . or a +, which are related to SELinux and Access Control Lists (ACLs), respectively.

Setting Object Permissions

File system object permissions are set using the chmod command.

chmod (Change Mode)

The format of the chmod (Change Mode) command is:

# chmod ex_permissions ex_object

chmod ex_permissions ex_object

chmod can work with search patterns, as well.

Only the root user and the object's User Owner can alter its permissions.

Useful chmod options include:

-c, --changes
Report only which objects were changed.
-f, --silent, --quiet
Suppress error messages.
-R, --recursive
Make chmod act recursively.
-v, --verbose
Report all objects.

The --reference=ex_reference_file option can be used to set permissions on an object using the permission bit set from a different object:

# chmod --reference=ex_reference_file ex_object

Object permissions can be set using two different modes:

  1. Numeric (Octal) Mode
  2. Symbolic Mode
Numeric (Octal) Mode

In Numeric Mode, each permission bit is represented by a number.

  • 4 Read
  • 2 Write
  • 1 Execute

Permissions are read from left to right. As soon as a match is made, that trio alone becomes the effective permissions for that user and object.

When using Numeric Mode, if you only specify one permission bit, the chmod command uses that value for the Other permissions set, and a value of 0 for the User Owner and Group Owner permissions. For example, # chmod 4 ex_object results in a permissions trio of 004 for ex_object.

Symbolic Mode

In Symbolic Mode, permission bits are set using symbols.

Ownership

  • u User Owner
  • g Group Owner
  • o Other
  • a All

Assignation

  • + Add
  • - Remove
  • = Assign

Permissions

  • r Read
  • w Write
  • x Execute
  • s Sticky Bit Permission (SUID and SGID)
  • t Sticky Bit Permission

If you assign nothing, = (i.e., an equals sign and a blank space), it is equivalent to a permission bit of 0 in Numeric Mode.

The different permission trios can be specified at once. To do so, separate them with a comma (no space after the comma), e.g., assuming a file system object with a permissions trio of rw-rw-rw- (i.e., 666), the # chmod u+x,g-w,o= command results in a permissions trio of rwxr----- (i.e., 740).

When using Symbolic Mode, the permissions that you do not specify stay as they are before executing the chmod command.

Here is an example that adds the execute permission for the User Owner and Other, and removes the write permission from the group owner for an object:

# chmod uo+x,g-w ex_object

Special Bit Permissions

Special bit permissions are used to address certain scenarios where more fine-grained control over object permissions is required. It works with GNU/Linux's set user ID and set group ID mechanism, which works for binary programs (but not for shell or interpreter scripts).

When setting permissions in numeric form with the chmod command, a special bit permission is prepended to the permission set as an integer. When examining permission trios using the ls -l command, special bit permissions appear as a letter.

The special bit permissions are:

SUID (set-UID) | 4XXX XXsXXXXXX
Allows users to run programs as the User Owner of the program (i.e., usually, this is the root user).
GUID (set-GID) | 2XXX XXXXXsXXX
For directories, automatically gives group ownership of all new files created in the directory to the Group Owner of the directory. When set on a file, allows users to run a program as the Group Owner of the file (usually to access other files assigned to that group).
Sticky Bit | 1XXX XXXXXXXXt
Used to keep non-User Owners from deleting files in a common directory. In a sticky bit directory, only the User Owner of an object, the User Owner of the sticky bit directory, or the root user can delete an object in the directory.

To view the file system objects on your system that have a special permission bit set, you can run the following command:

# find '/' -perm /7000 -ls

When you use find's -perm option with permissions, it matters whether you use a / or - symbol, or you do not use one at all.

To find any or all of the special bit combinations that make up the first numeral, use the / symbol (e.g., -perm /7000). The - symbol means to look for the exact combination of special bits that result in the first numeral (e.g., -perm -7000). If you do not use a / or a -, only the exact whole permission set that you specify is searched for (e.g., -perm 7764).

umask

The default permissions for new file system objects on a GNU/Linux system are set by the system's umask. You can view the umask for the current shell in numeric notation with the umask command (use the -S option to view the umask in symbolic notation).

$ umask
0002
$ umask -S
u=rwx,g=rwx,o=rx

The default permissions for file system objects when no umask is set is:

  • 666 for files
  • 777 for directories

The formula for determining bit permission values when setting a umask is:

Maximum default value - umask value = new bit permission value

A umask of 0022 would result in permissions of 644 for files and 755 for directories, since files and directories have different default permissions.

A umask of 0027 would result in permissions of 640 for files and 750 for directories.

A umask of 0022 and 0027 is equivalent to a umask of 022 and 027, respectively (i.e., you can leave off the special permission bit of the umask).

Fixing Permissions

Sometimes, you may need to set the permissions for an entire directory tree with different permissions for directories and files. You can do this with the find command:

# chmod -R ex_permissions ex_directory &&
    find ex_directory -type f -exec chmod ex_permissions '{}' \;

The first chmod command (# chmod -R ex_permissions ex_directory) sets the permissions for the ex_directory and all of its objects, regardless of whether they are directories or files. Then, the find command filters out all the files in the ex_directory directory tree and runs a separate chmod command to set different permissions for files (find ex_directory -type f -exec chmod ex_permissions '{}' \;).

Object Ownership

Several commands can be used to change file system object ownership.

chown (Change Owner)

The chown (Change Owner) command can be used to change the User Owner of an object.

# chown ex_new_user_owner ex_object

ex_new_user_owner can be a username or UID.

Only the root user can change the User Owner of an object.

The -R (--recursive) option can be used to make chown act recursively. For example, the following command can be used when you change the UID for an existing user:

# chown -R --from=ex_old_uid ex_new_user_owner '/'

This command will find all objects where the user owner is ex_old_uid, and set the new user owner to ex_new_user_owner (with their corresponding new UID).

chgrp (Change Group)

The chgrp (Change Group) command can be used to change the Group Owner of an object.

# chgrp ex_group_owner ex_object

chgrp ex_group_owner ex_object

ex_group_owner can be a group name or GID.

A non-root user can change the Group Owner of an object if the user is the User Owner of the object and a member of the group that they are changing group ownership of the object to. Otherwise, you will need to be acting as the root user to change group ownership.

Like with chown, the -R (--recursive) option can be used to make chgrp act recursively.

Setting Both the User Owner and Group Owner

You can simultaneously set the User Owner and Group Owner of an object with chown.

# chown ex_user_owner:ex_group_owner ex_object

chown can also be used as an alternative to chgrp for changing just the Group Owner of an object:

# chown :ex_new_group_owner ex_object

chown :ex_new_group_owner ex_object

Finally, if you want to set the User Owner to a new user and the Group Owner to the primary group of the new user, you can do the following:

# chown ex_user_owner: ex_object

newgrp

To temporarily change the primary group (via a new shell) of the current user, you can use the newgrp command.

newgrp ex_group

This is useful when you want to create multiple new file system objects that need to have a specific Group Owner (that is distinct from your user's normal primary group).

When you are done with the newgrp command, enter exit to leave the new shell that was created when you issued the command and revert back to your user's normal primary group.

If the group in question has been assigned a password and your user is not acting as the root user, you will need to enter that password to use the newgrp command, unless you have a password set for your user account and you are a member of the group that you are temporarily switching to.

Documentation

For more on the chmod, umask, chown, chgrp, and newgrp commands, you can view their man pages, either at the command line or online.

Enjoyed this post?

Subscribe to the feed for the latest updates.