Understanding File and Directory Permissions
File permissions are core to the security model used by Linux systems. The permissions on a file or directory specify what each user is allowed to do with it: read it, change it, run it, or enter it.
Viewing Permissions
There are two ways of viewing file permissions in Linux:
Using a graphical user interface (GUI) by right-clicking the file/directory -> Properties -> Permissions
Using a command-line interface (CLI) by typing the
ls -l
command. The output of this command is explained below.
Permission Groups
Each file and directory in Linux has three classes of users whose access is controlled separately.
User (u): The user who owns the file.
Group (g): The group that the file belongs to.
Others (o): All other users.
Permission Types
Each file or directory has three basic permission types:
Read (r) - allows reading the contents of a file, or listing the entries of a directory.
Write (w) - allows modifying a file, or creating, deleting and renaming entries in a directory.
Execute (x) - allows running a file as a program, or entering a directory and accessing the files inside it.
How to Read File Permissions
The permissions are represented as a string of 10 characters, like -rw-rw-r--.
These characters can be broken down as follows:
The first character indicates the type of file: - for regular files, d for directories, l for symbolic links (you may also see c and b for character and block devices, p for named pipes and s for sockets).
The next three characters indicate the permissions for the user/owner of the file/directory (rw-: read, write).
The following three characters indicate the permissions for the group the file/directory belongs to (rw-: read, write).
The last three characters indicate the permissions for others (r--: read).
Permission | Directory | File |
read (r) | The user can list the entries of the directory, i.e. see the names of the files it contains. | The user can read the contents of the file. |
write (w) | The user can create, delete and rename entries in the directory (this also requires x on the directory). Note that deleting a file is governed by the directory's permissions, not the file's own. | The user can modify the contents of the file. |
execute (x) | The user can enter the directory and access the files inside it by name. Without x, r still lets the user list the names but not read or use any file in it; without r, x still lets the user reach a file whose name they already know. | The user can run the file as a program or script. |
Applying this to the example string -rw-rw-r-- for a file weather-report.service owned by the user vagrant and belonging to the group vagrant: the owner vagrant and all members of the group vagrant can read and write the file, while all other users can only read it.
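The decoding described above, turned into a small script. This is an added example, not code from the original post: it converts the 10-character mode string that ls -l prints into the four-digit octal form (including the setuid, setgid and sticky bits covered later in the post), names the file type from the first character, and cross-checks its own result against stat on a scratch file. It assumes a POSIX sh with GNU or busybox coreutils (stat -c, ls -l); the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): decode the 10-character mode
# string that ls -l prints into its octal form, including the setuid/setgid/
# sticky bits, and cross-check the result against stat.
# Assumes a POSIX sh and GNU/busybox coreutils (stat -c, ls -l).

# Map the type character (first column of ls -l) to a name.
file_type_name() {
    case "$1" in
        -) echo "regular file" ;;
        d) echo "directory" ;;
        l) echo "symbolic link" ;;
        c) echo "character device" ;;
        b) echo "block device" ;;
        p) echo "named pipe (FIFO)" ;;
        s) echo "socket" ;;
        *) echo "unknown" ;;
    esac
}

# One class's triplet (e.g. "rw-") -> its digit (e.g. 6). The letters
# s/S/t/T occupy the x slot: lowercase means x is set too, uppercase means
# the special bit is set without x.
triplet_to_digit() {
    d=0
    case "$1" in r??)     d=$((d + 4)) ;; esac
    case "$1" in ?w?)     d=$((d + 2)) ;; esac
    case "$1" in ??[xst]) d=$((d + 1)) ;; esac
    echo "$d"
}

# Full 10-character string (e.g. "-rwsr-xr-x") -> 4-digit octal (e.g. 4755).
mode_string_to_octal() {
    p=${1#?}                              # drop the type character, keep 9 bits
    u=$(triplet_to_digit "${p%??????}")   # first three
    mid=${p#???}
    g=$(triplet_to_digit "${mid%???}")    # middle three
    o=$(triplet_to_digit "${p#??????}")   # last three
    s=0
    case "$p" in ??[sS]*)      s=$((s + 4)) ;; esac   # setuid
    case "$p" in ?????[sS]*)   s=$((s + 2)) ;; esac   # setgid
    case "$p" in ????????[tT]) s=$((s + 1)) ;; esac   # sticky
    echo "$s$u$g$o"
}

# Read a real path's mode via ls -ld and decode it. Column 11 may carry
# '.' or '+' (SELinux label / ACL present); cut -c1-10 ignores it.
decode_path() {
    line=$(ls -ld "$1" | cut -c1-10)
    echo "$(file_type_name "${line%?????????}") $(mode_string_to_octal "$line")"
}

# Self-check on a scratch file: the decoded value must match stat's own
# octal view of the same file (stat prints no leading zero, so pad it).
scratch=$(mktemp)
chmod 0664 "$scratch"
decoded=$(mode_string_to_octal "$(ls -l "$scratch" | cut -c1-10)")
expected=$(printf '%04d' "$(stat -c '%a' "$scratch")")
echo "ls -l says $(ls -l "$scratch" | cut -c1-10) -> $decoded (stat: $expected)"
echo "decode_path: $(decode_path "$scratch")"
rm -f "$scratch"
```

The parser is handy when reading permission listings out of audit output or a log, where stat is not available; the self-check at the end guards against the cut column drifting on systems that print extra ls columns.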
Changing Permissions
Changing permissions in Linux is done with the chmod
command, in one of two ways:
Symbolic mode;
Numeric (octal) mode.
Symbolic Mode
Symbolic mode changes file and directory permissions using letters for the user classes, the permission types and the operation to perform:
User classes
User (u),
Group (g),
Others (o),
All (user, group, and others) (a).
Permission types
Read (r),
Write (w),
Execute (x).
Operators
+ : Adds the specified permissions to the existing ones without altering other permissions.
- : Removes the specified permissions.
= : Sets exactly the specified permissions and removes any permissions not listed.
Several class/operator pairs can be combined in one command, separated by commas.
To add read, write, and execute permissions for the user:
chmod u+rwx file
To set read and write permissions for the group:
chmod g=rw file
To remove execute permission for others:
chmod o-x file
Numeric Mode
When the chmod
command is used with numeric values, three digits are specified. The first digit is for the user, the second is for the group and the third is for others. Each digit is the sum of the values of the permissions it grants:
r (read) = 4, w (write) = 2, x (execute) = 1, no permission = 0
Therefore, the possible digits are:
7 - read, write, and execute.
6 - read and write.
5 - read and execute.
4 - read only.
3 - write and execute.
2 - write only.
1 - execute only.
0 - no permissions.
To give the owner read and write permissions, the group read permissions, and no rights for all others, type:
chmod 640 filename
To change the permissions of every file in a directory in one shot (note that the glob also matches subdirectories, which would lose their execute bit under 640 and become unenterable, so use this form only on directories that hold plain files):
chmod 640 Download/*
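The symbolic and numeric forms side by side, as an added example that is not part of the original post. The script applies a chain of chmod specs to a scratch file and reads the mode back with stat after each one, so the difference between +, - and = is visible, and then shows why a single numeric mode applied to a whole directory tree is the wrong tool: the symbolic X flag (execute only for directories and files that already have it) is what gives files 640 and directories 750 in one pass. It assumes GNU or busybox coreutils (stat -c, chmod -R, the X flag) and a non-root user; the function names and the scratch tree are my own.

```shell
#!/bin/sh
# Added example (not from the original post): apply symbolic and numeric chmod
# specs to scratch files and read each result back with stat, then show why
# "chmod 640 dir/*" is the wrong tool for a tree that contains subdirectories.
# Assumes GNU/busybox coreutils (stat -c, chmod -R, the X symbolic flag).
set -eu

octal_mode() { stat -c '%a' "$1"; }

# Apply each chmod spec in turn to $1 and print the resulting octal modes,
# space separated, so the effect of +, - and = can be seen step by step.
chmod_sequence() {
    f=$1; shift
    out=
    for spec in "$@"; do
        chmod "$spec" "$f"
        out="$out$(octal_mode "$f") "
    done
    printf '%s\n' "${out% }"
}

# Build a small tree: a directory holding a file, both far too open
# (world-writable), which we then want to tighten.
make_tree() {
    mkdir -p "$1/sub"
    : > "$1/sub/data.txt"
    chmod 777 "$1/sub"
    chmod 666 "$1/sub/data.txt"
}

# Naive fix, as in the post: one numeric mode for everything the glob matches.
# The subdirectory becomes 640, so it loses its x bit and non-root users can
# no longer enter it, while the file inside it is not touched at all.
naive_fix() {
    chmod 640 "$1"/*
    echo "dir=$(octal_mode "$1/sub")"
}

# Careful fix: X sets x only on directories (and on files that already had
# x), so files end up 640 and directories 750 in a single recursive pass.
careful_fix() {
    chmod -R u=rwX,g=rX,o= "$1"/*
    echo "dir=$(octal_mode "$1/sub") file=$(octal_mode "$1/sub/data.txt")"
}

scratch=$(mktemp -d)
# Re-add x before cleanup so rm -rf can descend into the 640 directory.
trap 'chmod -R u+rwx "$scratch" 2>/dev/null; rm -rf "$scratch"' EXIT
f="$scratch/notes.txt"; : > "$f"

# 640, then o+r -> 644, g-r -> 604, u=rx -> 504, u=rw,g=r,o= -> 640, a+x -> 751
echo "step modes: $(chmod_sequence "$f" 640 o+r g-r u=rx u=rw,g=r,o= a+x)"

make_tree "$scratch/naive";   echo "chmod 640 tree/*:            $(naive_fix "$scratch/naive")"
make_tree "$scratch/careful"; echo "chmod -R u=rwX,g=rX,o= tree/*: $(careful_fix "$scratch/careful")"
```

The a+x step is written with an explicit a rather than a bare +x on purpose: with no class letter, chmod applies the change to all classes except the bits masked by the current umask, so +x would give different results on systems with different umasks.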
Changing Ownership
Aside from changing file and directory permissions, we can also change the user ownership and group ownership of a file or directory. Changing the owner requires superuser privileges: an ordinary user cannot give files away. Changing the group can be done by the file's owner as long as the new group is one they belong to; any other group change also needs root.
Changing the Owner
To change the owner of a file or directory:
sudo chown username /Downloads/
Changing the Owner and Group
To change both the owner and the group:
sudo chown username:groupname filename
Changing Only the Group
To change only the group:
sudo chown :groupname filename
Special Permissions
In addition to the standard read, write, and execute permissions, Linux supports three special permission bits that add functionality, and some security risk, to files and directories.
Setuid (Set User ID): when set on an executable file, the program runs with the privileges of the file's owner rather than those of the user who launches it. The bit only has an effect on executable files; on a non-executable file it is ignored. The file does not have to be owned by root, but root-owned setuid programs are the common case, since that is how a command such as passwd gains the temporary elevated privileges it needs to update the password database. They are also a classic privilege-escalation target, so every setuid-root binary on a system should be known and justified.
Setgid (Set Group ID): on an executable file, the program runs with the privileges of the file's group rather than the group of the user executing it. On a directory, setgid makes new files and subdirectories created inside it inherit the directory's group instead of the creating user's primary group, which is why it is used for shared project directories.
Sticky bit: when set on a directory, only a file's owner, the directory's owner or root can delete or rename that file, even if other users have write permission on the directory. It is set on /tmp and similar world-writable directories so that users cannot delete or rename each other's files.
In ls -l output the bits appear in the execute slot: s for setuid (owner column) and setgid (group column), t for the sticky bit (others column); a capital S or T means the special bit is set but the corresponding execute bit is not. In numeric mode they are given as a fourth, leading digit: 4 for setuid, 2 for setgid, 1 for the sticky bit, so 2770 is a setgid group directory and 1777 is a /tmp-style sticky directory. In symbolic mode they are u+s, g+s and +t.
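The three special bits in practice, as an added example that is not part of the original post. The script creates a setgid project directory and a /tmp-style sticky directory, shows the capital S that ls prints for a setuid bit on a non-executable file turning into a lowercase s once the file is executable, and finishes with the audit an administrator would run on a real host: a find for every regular file with setuid or setgid set. It assumes GNU or busybox coreutils and findutils (stat -c, find -perm) and a normal user account; the function names and the scratch tree are my own, and nothing here needs root.

```shell
#!/bin/sh
# Added example (not from the original post): set setuid, setgid and the
# sticky bit on scratch files/directories, see how ls -l and stat render
# them, and audit a tree for setuid/setgid files the way an administrator
# would on a real system. Assumes GNU/busybox coreutils and findutils
# (stat -c, find -perm). Run as a normal user; nothing here needs root.
set -eu

octal_mode() { stat -c '%a' "$1"; }
ls_mode() { ls -ld "$1" | cut -c1-10; }

# Group-shared project directory: setgid (leading 2) makes new files inherit
# the directory's group; 770 keeps "others" out entirely.
make_shared_dir() {
    mkdir -p "$1"
    chmod 2770 "$1"
    echo "$(octal_mode "$1") $(ls_mode "$1")"      # 2770 drwxrws---
}

# /tmp-style directory: world-writable, but the sticky bit (leading 1) stops
# users deleting or renaming each other's files.
make_tmp_like_dir() {
    mkdir -p "$1"
    chmod 1777 "$1"
    echo "$(octal_mode "$1") $(ls_mode "$1")"      # 1777 drwxrwxrwt
}

# setuid without execute is meaningless; ls flags it with a capital S.
# Making the file executable turns it into a lowercase s, which is what a
# working setuid program looks like in a listing.
mark_setuid() {
    : > "$1"
    chmod 4644 "$1"; broken=$(ls_mode "$1")        # -rwSr--r--
    chmod 4755 "$1"; working=$(ls_mode "$1")       # -rwsr-xr-x
    echo "$broken $working"
}

# Audit: every regular file under $1 with setuid or setgid set, one path per
# line, sorted. On a real host you would run this from / as root and review
# each hit, since a root-owned setuid binary is a classic privilege-escalation
# target.
find_special_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

scratch=$(mktemp -d)
trap 'rm -rf "$scratch"' EXIT

echo "shared dir: $(make_shared_dir "$scratch/project")"
echo "tmp-like:   $(make_tmp_like_dir "$scratch/tmp")"
echo "setuid:     $(mark_setuid "$scratch/project/helper")"
: > "$scratch/project/plain";   chmod 644  "$scratch/project/plain"    # not a hit
: > "$scratch/project/gidtool"; chmod 2755 "$scratch/project/gidtool"  # setgid hit
echo "audit hits:"
find_special_files "$scratch"
```

Two things to keep in mind when reading the audit output on a real system: a mount with the nosuid option ignores the bit at exec time even though find still reports it, and the kernel clears setuid/setgid on a file when a non-root user writes to it, so a hit that disappears after an update is expected rather than suspicious.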
Written by
Karlygash Yakiyayeva
Postgraduate in Communications Engineering with working experience in the Support Desk and self-study in software development.