🔐 Linux File Permissions — A Beginner-Friendly Guide

Ever wondered why you can open some files but not others on Linux? Or why you can run some programs but not all? Behind the scenes, Linux carefully manages who can do what through permissions. Understanding this is crucial for every beginner.

In this guide, I will break down:

• File permissions and what they mean

• How to modify permissions safely

• Ownership and special permission bits (SUID, SGID, Sticky Bit)

• How processes respect these permissions

I will use real-life analogies to make it easy to understand, even if you are new to tech.

---

1️⃣ File Permissions — Who Can Do What

Think of a file as a room in an office building:

• Read (r) = you can look inside the room

• Write (w) = you can add, remove, or modify items in the room

• Execute (x) = you can enter and perform tasks in the room

Permissions are divided into three groups:

1. User — the owner of the file

2. Group — a set of users with shared access

3. Other — everyone else

Example:

d | rwx | r-x | r-x

• d → directory

• rwx → user (owner) can read, write, execute

• r-x → group can read and execute

• r-x → others can read and execute

💡 Analogy: The owner is like the room manager, the group is the team sharing the room, and others are visitors.

---

2️⃣ Modifying Permissions — Granting Access

Use the chmod command to change permissions.

Add executable permission for the owner:

chmod u+x myfile

Remove executable permission for the owner:

chmod u-x myfile

Add write permission for owner and group:

chmod ug+w myfile

You can also use numeric codes to set permissions all at once:

Example:

chmod 755 myfile

• 7 = 4 + 2 + 1 → read, write, execute for user

• 5 = 4 + 1 → read and execute for group

• 5 = 4 + 1 → read and execute for others

💡 Tip: Don’t set permissions carelessly. You might expose sensitive files.

---

3️⃣ Ownership — Who Controls the File

Just like a room has an owner, files have user and group ownership:

• Change owner:

sudo chown patty myfile

• Change group:

sudo chgrp whales myfile

• Change both:

sudo chown patty:whales myfile

💡 Analogy: Changing ownership is like handing the room key to someone else.

---

4️⃣ Umask — Default Access Rules (In-Depth)

In Linux, every new file or directory has a default set of permissions when it’s created. This default is usually full access for the owner, read access for the group, and read access for others.

However, sometimes we don’t want new files to have all these permissions. That’s where umask comes in: it removes specific permissions from the default set.

How it Works

Think of it like pre-set security rules for new rooms in a building:

• The building (Linux) has a default rule: “Owner can do everything, team can read, everyone else can read.”

• Umask is like the custom restrictions you set when building a new room: “Don’t let the team write, don’t let others execute anything.”

---

Numeric Representation

Permissions are represented as numbers:

When creating a file, the default permissions are usually:

• Files: 666 → read and write for everyone

• Directories: 777 → read, write, execute for everyone

Umask subtracts permissions from these defaults.

---

Example: umask 021

1. Break down the umask: 0 2 1

2. Apply to default permissions:

• Default file permissions: 666 (rw-rw-rw-)

• Umask removes 021 → result 644 (rw-r--r--)

So the new file will have:

• Owner: read & write ✅

• Group: read only ✅

• Others: read only ✅

For directories, default is 777. Applying the same umask 021:

• 777 − 021 → 756 (rwxr-xrw-)

• Owner: read, write, execute ✅

• Group: read & execute ✅

• Others: read & write ❌ (or only specific perms depending on exact calculation)

---

💡Analogy

Imagine building a shared office room:

• By default, everyone gets a key to read and write documents.

• You decide the group can’t move things around (remove write), and outsiders can’t enter at all (remove execute).

• This ensures only the right people can access or change things by default.

---

5️⃣ Setuid — Running Programs with Owner Permissions

Sometimes, a normal user needs temporary access to a file or program that is normally restricted, like changing their password. Set User ID (SUID) is the special permission that allows this.

---

How Setuid Works

Think of SUID like borrowing a manager’s keys temporarily:

• You are an employee (normal user).

• The office has a secure file room (protected file owned by root).

• You need to access it to do your job.

• The office grants you temporary manager access only while using a specific tool (program with SUID).

---

Real Example: passwd Command

passwd

• This changes your password, which is stored in /etc/shadow — a file owned by root.

• How can a normal user update it? The passwd program has SUID set, allowing it to run as root temporarily.

Check the permissions:

$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 47032 Dec 1 11:45 /usr/bin/passwd

• Notice the s in -rwsr-xr-x → this is the SUID bit.

• While running passwd, you inherit root permissions only for the program. You cannot modify other root files.

• rwsr-xr-x = owner can read, write, execute as root; group and others have normal permissions.

---

Setting SUID

Symbolic method:

sudo chmod u+s myfile

Numeric method:

sudo chmod 4755 myfile

• The 4 at the start represents the SUID bit.

---

6️⃣ Setgid — Running Programs with Group Permissions

Setgid (Set Group ID) works similarly to Setuid, but it applies to group permissions instead of user permissions.

---

How Setgid Works

Think of Setgid like borrowing a team’s access for a project:

• You are part of a small team (normal group).

• There is a shared folder accessible only to a specific group.

• You need temporary access while working with a program.

• The program with Setgid lets you act as if you belong to the folder’s group, just while using that program.

---

Real Example: wall Command

$ ls -l /usr/bin/wall
-rwxr-sr-x 1 root tty 19024 Dec 14 11:45 /usr/bin/wall

• Notice the s in the group section (rwxr-sr-x) → this is the Setgid bit.

• While running wall, your process temporarily inherits the group permissions of the file.

• rwxr-sr-x = owner has normal permissions, group temporarily gets file’s group permissions, others remain normal.

---

Setting Setgid

Symbolic method:

sudo chmod g+s myfile

Numeric method:

sudo chmod 2755 myfile

• The 2 at the start represents the Setgid bit.

---

7️⃣ Process Permissions — How UIDs Work

Every process runs with a real UID (the user who launched it), an effective UID (permissions it temporarily has), and a saved UID (to switch between them).

Example: passwd runs with SUID:

• Effective UID = root (can access /etc/shadow)

• Real UID = your user ID (cannot modify other users’ passwords)

💡 Analogy: Like wearing a manager’s badge for a task, but still being tracked as yourself.

---

8️⃣ The Sticky Bit — Protecting Shared Files

The Sticky Bit is a special permission that helps protect files in shared directories.

---

How the Sticky Bit Works

Think of it like locking your locker in a shared gym:

• You and others can put items in the locker room (shared directory).

• Everyone can add or modify their items.

• But only the owner of an item (or admin/root) can delete it.

• This prevents someone else from accidentally or intentionally removing your files.

---

Real Example: /tmp Directory

$ ls -ld /tmp
drwxrwxrwx+t 6 root root 4096 Dec 15 11:45 /tmp

• The t at the end indicates the Sticky Bit.

• Everyone can write files here, but only the file owner or root can delete or rename them.

---

Setting the Sticky Bit

Symbolic method:

sudo chmod +t mydir

Numeric method:

sudo chmod 1755 mydir

• The 1 at the start represents the Sticky Bit.

• Combined with normal permissions, this ensures the shared directory is protected.

---

Mastering Linux file permissions may seem tricky at first, but it’s really about three things: who can access a file, what they can do with it, and how you control it. Whether you are using symbolic notation (rwxr-xr--) or numeric mode (754), understanding these basics keeps your system secure and your workflow smooth. Start practicing with real files, and soon managing permissions will feel second nature, like putting the right locks on the right doors.