Permissions and ownership information for GNU/Linux file system objects can be viewed with the ls -l command.
Note: If you are not familiar with the GNU/Linux command line interface, review the Conventions page before proceeding.
Object Types
The first character in the long listing (i.e., ls -l
) for a file system object represents the object's type.
$ ls -l
total 36
drwxr-xr-x. 2 amnesia amnesia 4096 May 5 2020 Desktop
drwxr-xr-x. 2 amnesia amnesia 4096 May 5 2020 Documents
drwxr-xr-x. 2 amnesia amnesia 4096 May 5 2020 Downloads
drwxr-xr-x. 2 amnesia amnesia 4096 May 5 2020 Music
drwxr-xr-x. 2 amnesia amnesia 4096 May 5 2020 Pictures
drwxr-xr-x. 2 amnesia amnesia 4096 May 5 2020 Public
drwxr-xr-x. 2 amnesia amnesia 4096 May 5 2020 Templates
drwxr-xr-x. 2 amnesia amnesia 4096 May 5 2020 Videos
The object types are:
-
Regular fileb
Block device filec
Character device filed
Directoryl
Symbolic linkn
Network filep
FIFO (First In, First Out, i.e., a named pipe)s
Socket
Object Permissions
The next nine characters in the long listing are the object's permission trios, which represent the permissions for the object's User Owner, Group Owner, and Other.
Each permission trio is made up of three permission bits.
rwx | rwx | rwx |
u | g | o |
The permission bit values can be:
r
Permission to readw
Permission to writex
Permission to executes
Special Bit Permission, i.e., set user ID (SUID) and set group ID (SGID)t
Sticky Bit Permission
A -
for a permissions bit means no permissions.
Read permission grants the ability to view file contents. For directories, read permission grants the ability to view the directory contents and, if the execute permission is also present, the ability to view object attributes with the ls -l
command (i.e., to do a long-listing of the directory's contents).
Write permission grants the ability to change file contents. For directories, write permission grants the ability to add or delete items from directories, but only if the execute permission is also present.
Execute permission grants the ability to execute a file. If the file is a script and the read permission is also present, the script can be executed as well. For directories, execute permission grants the ability to use the cd
command to change to a directory and to use the directory in a pathname.
These permissions allow for odd occurrences. For example, a user that has write and execute permission on a directory can delete other users' files in that directory, regardless of those files' access mode (i.e., the sum total of a file's permissions) and user owner/group owner. GNU/Linux uses the special permission bits to address this.
After the permission trios, you may see a .
or a +
, which are related to SELinux and Access Control Lists (ACLs), respectively.
Setting Object Permissions
File system object permissions are set using the chmod
command.
chmod (Change Mode)
The format of the chmod
(Change Mode) command is:
# chmod ex_permissions ex_object
chmod ex_permissions ex_object
chmod
can work with search patterns, as well.
Only the root user and the object's User Owner can alter its permissions.
Useful chmod
options include:
-c
,--changes
- Report only which objects were changed.
-f
,--silent
,--quiet
- Suppress error messages.
-R
,--recursive
- Make
chmod
act recursively. -v
,--verbose
- Report all objects.
The --reference=ex_reference_file
option can be used to set permissions on an object using the permission bit set from a different object:
# chmod --reference=ex_reference_file ex_object
Object permissions can be set using two different modes:
- Numeric (Octal) Mode
- Symbolic Mode
Numeric (Octal) Mode
In Numeric Mode, each permission bit is represented by a number.
4
Read2
Write1
Execute
Permissions are read from left to right. As soon as a match is made, that trio alone becomes the effective permissions for that user and object.
When using Numeric Mode, if you only specify one permission bit, the chmod
command uses that value for the Other permissions set, and a value of 0
for the User Owner and Group Owner permissions. For example, # chmod 4 ex_object
results in a permissions trio of 004
for ex_object
.
Symbolic Mode
In Symbolic Mode, permission bits are set using symbols.
Ownership
u
User Ownerg
Group Ownero
Othera
All
Assignation
+
Add-
Remove=
Assign
Permissions
r
Readw
Writex
Executes
Sticky Bit Permission (SUID and SGID)t
Sticky Bit Permission
If you assign nothing, =
(i.e., an equals sign and a blank space), it is equivalent to a permission bit of 0
in Numeric Mode.
The different permission trios can be specified at once. To do so, separate them with a comma (no space after the comma), e.g., assuming a file system object with a permissions trio of rw-rw-rw-
(i.e., 666
), the # chmod u+x,g-w,o=
command results in a permissions trio of rwxr-----
(i.e., 740
).
When using Symbolic Mode, the permissions that you do not specify stay as they are before executing the chmod
command.
Here is an example that adds the execute permission for the User Owner and Other, and removes the write permission from the group owner for an object:
# chmod uo+x,g-w ex_object
Special Bit Permissions
Special bit permissions are used to address certain scenarios where more fine-grained control over object permissions is required. It works with GNU/Linux's set user ID and set group ID mechanism, which works for binary programs (but not for shell or interpreter scripts).
When setting permissions in numeric form with the chmod
command, a special bit permission is prepended to the permission set as an integer. When examining permission trios using the ls -l
command, special bit permissions appear as a letter.
The special bit permissions are:
SUID
(set-UID) |4XXX
XXsXXXXXX
- Allows users to run programs as the User Owner of the program (i.e., usually, this is the root user).
GUID
(set-GID) |2XXX
XXXXXsXXX
- For directories, automatically gives group ownership of all new files created in the directory to the Group Owner of the directory. When set on a file, allows users to run a program as the Group Owner of the file (usually to access other files assigned to that group).
Sticky Bit
|1XXX
XXXXXXXXt
- Used to keep non-User Owners from deleting files in a common directory. In a sticky bit directory, only the User Owner of an object, the User Owner of the sticky bit directory, or the root user can delete an object in the directory.
To view the file system objects on your system that have a special permission bit set, you can run the following command:
# find '/' -perm /7000 -ls
When you use find
's -perm
option with permissions, it matters whether you use a /
or -
symbol, or you do not use one at all.
To find any or all of the special bit combinations that make up the first numeral, use the /
symbol (e.g., -perm /7000
). The -
symbol means to look for the exact combination of special bits that result in the first numeral (e.g., -perm -7000
). If you do not use a /
or a -
, only the exact whole permission set that you specify is searched for (e.g., -perm 7764
).
umask
The default permissions for new file system objects on a GNU/Linux system are set by the system's umask. You can view the umask for the current shell in numeric notation with the umask
command (use the -S
option to view the umask in symbolic notation).
$ umask
0002
$ umask -S
u=rwx,g=rwx,o=rx
The default permissions for file system objects when no umask is set is:
666
for files777
for directories
The formula for determining bit permission values when setting a umask is:
Maximum default value - umask value = new bit permission value
A umask of 0022
would result in permissions of 644
for files and 755
for directories, since files and directories have different default permissions.
A umask of 0027
would result in permissions of 640
for files and 750
for directories.
A umask of 0022
and 0027
is equivalent to a umask of 022
and 027
, respectively (i.e., you can leave off the special permission bit of the umask).
Fixing Permissions
Sometimes, you may need to set the permissions for an entire directory tree with different permissions for directories and files. You can do this with the find
command:
# chmod -R ex_permissions ex_directory &&
find ex_directory -type f -exec chmod ex_permissions '{}' \;
The first chmod
command (# chmod -R ex_permissions ex_directory
) sets the permissions for the ex_directory
and all of its objects, regardless of whether they are directories or files. Then, the find
command filters out all the files in the ex_directory
directory tree and runs a separate chmod
command to set different permissions for files (find ex_directory -type f -exec chmod ex_permissions '{}' \;
).
Object Ownership
Several commands can be used to change file system object ownership.
chown (Change Owner)
The chown
(Change Owner) command can be used to change the User Owner of an object.
# chown ex_new_user_owner ex_object
ex_new_user_owner
can be a username or UID.
Only the root user can change the User Owner of an object.
The -R
(--recursive
) option can be used to make chown
act recursively. For example, the following command can be used when you change the UID for an existing user:
# chown -R --from=ex_old_uid ex_new_user_owner '/'
This command will find all objects where the user owner is ex_old_uid
, and set the new user owner to ex_new_user_owner
(with their corresponding new UID).
chgrp (Change Group)
The chgrp
(Change Group) command can be used to change the Group Owner of an object.
# chgrp ex_group_owner ex_object
chgrp ex_group_owner ex_object
ex_group_owner
can be a group name or GID.
A non-root user can change the Group Owner of an object if the user is the User Owner of the object and a member of the group that they are changing group ownership of the object to. Otherwise, you will need to be acting as the root user to change group ownership.
Like with chown
, the -R
(--recursive
) option can be used to make chgrp
act recursively.
Setting Both the User Owner and Group Owner
You can simultaneously set the User Owner and Group Owner of an object with chown
.
# chown ex_user_owner:ex_group_owner ex_object
chown
can also be used as an alternative to chgrp
for changing just the Group Owner of an object:
# chown :ex_new_group_owner ex_object
chown :ex_new_group_owner ex_object
Finally, if you want to set the User Owner to a new user and the Group Owner to the primary group of the new user, you can do the following:
# chown ex_user_owner: ex_object
newgrp
To temporarily change the primary group (via a new shell) of the current user, you can use the newgrp
command.
newgrp ex_group
This is useful when you want to create multiple new file system objects that need to have a specific Group Owner (that is distinct from your user's normal primary group).
When you are done with the newgrp
command, enter exit
to leave the new shell that was created when you issued the command and revert back to your user's normal primary group.
If the group in question has been assigned a password and your user is not acting as the root user, you will need to enter that password to use the newgrp
command, unless you have a password set for your user account and you are a member of the group that you are temporarily switching to.
Documentation
For more on the chmod
, umask
, chown
, chgrp
, and newgrp
commands, you can view their man pages, either at the command line or online.