Open in app

Sign in

Write

Sign in

Deep Dive Into File & Directory Permissions in Linux

List, Set, and Change File & Directory Owner, Group, and Permissions

Harith Javed Bakhrani
11 min readJun 7, 2022

Overview

Linux file permissions

File and directory permissions in Linux refer to ways in which someone can use a file or a directory. Each file or directory has 3 sets of permissions that determine who has the permissions to do what. The “who”, here, represents either of the following:

  1. Owner: This is a Linux user who owns the file or directory. In most cases this is the creator of the file or directory.
  2. Group: This is a Linux group, basically a group of Linux users, who have been given certain privileges over a file or folder which other users do not possess.
  3. Others: These are all the other users in Linux who don’t own the file or folder nor are part of the group that is attached to the file or folder.

And the “what”, meaning what actions the owner, group, and other users can carry out, can be any (or all) of the following:

  1. Read: The user has permissions to read the file or directory. When applied to a directory, it means that the user can read the contents of the directory. To put it in simpler terms; the user can run the ls command on a directory to view the files and sub-directories.
  2. Write: The user has permissions to write to a file or directory. Writing to a directory means that the user can create or delete entries in the directory, like adding or deleting files or subdirectories.
  3. Execute: The user has permissions to execute a file or a folder. Some files can be programs or shell scripts, lists of instructions, that can be executed. And when applied to a directory, it means that the user can list information about the files and sub-directories. For example, if I have read permissions but not execute permissions on a directory, I will be able to list out the files and sub-directories but I will not be able to know any other information about these files and sub-directories.

Viewing and Understanding File and Folder Permissions

In order to see who owns a file or a directory in Linux, which group of users has special permissions, and what privileges the owner, the group and all the other users have, we can use the ls command with the -l flag:

Viewing file and directory permissions in Linux using the long listing format

From the command’s output, we can know that the owner who owns the app-directory directory and also the update.sh file is harith, and the group attached with the files is nooglers.

File owner and group in Linux

At the far left of the output, there are some letters that may seem cryptic at first but don’t worry, we will decipher them in a moment and by the end of the article you will be completely familiar and comfortable with them.

The very first letter implies whether the entry is a regular file, directory, special file, or something else. Linux has up to 7 kinds of entries and has a character to represent each one of them:

  • - => Regular file
  • d => Directory
  • l => Soft link
  • c => Character device
  • s => Socket file
  • p => Pipe
  • b => Block file

The next 9 characters show us the permissions. The first three are the owner permissions, the next three are permissions for the group that is attached to the file, and the last three are permissions for all the other users. The permissions for each individual entity are set in the following order;

  1. The first one is read permissions denoted by the letter r.
  2. The second one is write permissions represented by the letter w.
  3. And the last one is execute permissions symbolized by the letter x.

If any of the permissions are not set for a particular entity, then the letter is replaced by a dash (-).

Let’s have a look at some examples; let’s assume we have a photo named cat.jpg, it is owned by user harith, the group attached to it is named nooglers, and the permissions assigned to it are as follows -rw-r-----. As we had mentioned, the first character denotes what kind of entry it is, in this case it’s a - which means that it’s a regular file. The next three characters; rw-, reveal the owner permissions. The owner, “harith”, can read the file (view the image) and write to it (edit the image), but cannot execute the image because, as you can see, there is a - instead of x (in any case, execute permissions on an image file will have no effect). The next three characters; r--, show us that the group has only read permissions, meaning that the user can only view the image but cannot write or execute it, because only the letter r is displayed and the letters w and x have been replaced by a -. The last three characters have all been replaced by a -, meaning that all the other Linux users who are not the owner and neither are in the group don’t have any permissions on the file. They cannot view the image nor edit it.

Let’s have a look at one more example:

Directory permissions in Linux

From the output shown in the image above, we can immediately notice that the app entity is owned by harith and the group attached to it is named nooglers. We can also identify that the entity is actually a directory as it is pointed out by the letter d in the first 10 characters; “drwx-xr-x”. harith, the owner, has all the permissions on this directory as all of the letters are turned on. While the users who are part of the nooglers group can only read the contents of the app directory and cd into the directory, but cannot create a file or sub-directory inside the app directory because the letter w has been replaced by a -. Lastly, all the other users have the same permissions as the group; they can read the contents of the app directory, cd into the directory, but cannot create a file or sub-directory.

Before we move on, one important thing to note is that Linux applies the permissions from left to right. Meaning that if, for example, harith does NOT have any permissions on the app directory but is part of the nooglers group which has read and execute permissions, harith would still NOT be able to read the contents or cd into the app directory because Linux has already applied the owner’s permissions and wouldn’t look any further.

Changing owner and group

Linux provides us with a command to change the file’s owner and another command to change the file’s group. In order to change the file’s group, we can use the chgrp command which simply stands for “change group”. The syntax for the chgrp command is as follows:

chgrp [group_name] [file]

Let’s assume that we want to change the group of our directory named app to amazonians, we would then use the chgrp command as follows:

chgrp amazonians app

The command to change the owner is chown which stands for “change owner”. Its syntax is as follows:

chown [user] [file]

We can also use the chown command to change both the user and the group at the same time, like this:

chown [user]:[group] [file]

It’s important to note that any user can change the group to another group to which (s)he belongs, while only the root has the privileges to change the owner of a file or directory.

Changing permissions

When a file or a folder is created, Linux assigns default permissions to it. For a file, Linux by default grants read and write permissions to the owner and only read permissions to the group and others. When a directory is created, Linux grants read, write, and execute permissions to the owner, while only read and execute permissions to the group and others.

It’s really important to understand how permissions work and assign only the necessary permissions to a file or directory. For instance, if you create a script file, you will need to add execute permissions before you are able to actually run it because Linux will only assign read and write permissions as discussed above. It’s also important to assign only the necessary permissions to a file, if you have multiple users using the same Linux system, you don't want the wrong people to be able to write to the script file. At times, Linux servers might also be hacked and hijackers might be able to access the file system. In this case, assigning only the required permissions might prevent the hijackers from reading, writing, or executing the script (or any other file or directory).

Linux provides us with a special command to enable us change file or directory permissions to suit our needs. The command is chmod which means “change mode” (yes, permissions are also known as mode in Linux), and the syntax for the command is as follows:

chmod [mode] [file or directory]

chmod is a bit more complicated to use than the chgrp or the chown commands we saw earlier. chmod offers us different ways in which we can alter the file or directory permissions. One of the ways is by adding or removing permissions without affecting other permissions, this is achieved through the + or the - signs. Let’s say that we want to add execute permissions for the owner, we would do that as follows:

chmod u+x [file or directory]

u tells the chmod command that we want to alter the owner’s permissions, the + sign instructs the command to add permissions, and the x stands for execute permission. To put it all together; u+x instructs the chmod command to add execute permissions for the owner without affecting any other owner permissions (read and write permissions would remain as they are). To change the group’s permission we use the letter g instead of u, and to change other users' permissions we use the letter o.

Adding permissions for owner, group, and other users

What if we want to remove the execute permissions for the group? Instead of using the + sign, we now use the - sign:

chmod g-x [file or directory]

g-x instructs the command to remove execute permissions for the group without affecting any other permissions.

Removing permissions for owner, group, and other users

As you might have already noticed from the pictures attached, we can actually add or remove more than one permissions in the same command. We can also change mode for multiple entities at the same time; to add execute permissions for both, the owner and the group, we can use this command:

chmod gu+x [file or directory]

To add execute permissions for the owner and the group and to remove read permissions for others, we can execute:

chmod ug+x,o-r [file or directory]

Depending on how we want to alter the mode, we can either separate the different entities by placing a comma between them as seen in the second example, “ug+x,o-r”, or we can just group them together as seen in the first example, “gu+x”.

Addition or subtraction signs add or remove permissions on top of the existing ones, but sometimes, we might have a different scenario, we may want to make sure that the permissions are set to exactly certain values. In this case, we can use the equals-to sign:

chmod ug=rw [file or folder]

The above command sets the permissions of a given file or folder to read and write for both the owner and the group. It completely rewrites the existing permissions for the owner and the group, which means that if the execute permissions were set, they would be evacuated. However, it is important to note that the “others” permissions wouldn’t be affected.

Rewritng an entity’s permissions by using the equals-to sign

From a security point of view, I recommend using the equal-to sign so as to make sure that you are assigning only the required permissions to each entity.

It is also completely valid to leave out the u, g, and the o letters:

chmod +x script.sh

In the above command, we are applying the execute permissions to all three entities; the owner, the group, and others.

So far we have seen how Linux uses the r, w, and x letter to evaluate permissions, this is known as the symbolic mode. There is, however, one more method which Linux uses as well and it is known as the absolute mode.

In absolute method, Linux uses binary to represent the letters. If the owner would be having read permissions, 1 would be placed instead of r, and if the owner would not be having execute permissions, 0 would be placed instead of -.

Binary numbers representing permissions

After having assigned binary numbers, Linux converts the binary number to a decimal number. In our above example, owner would be assigned a 6 because 110 equals-to 6 in decimal, group would be assigned 4 as 100 equals-to 4 in decimal, and others would be assigned 0. How to convert binary to decimal is beyond the scope of this blog post, but I am going to leave the binary-to-decimal table below for your reference:

Binary to decimal conversion

The ls command shows us the file permissions in symbolic mode only, in order to view the permissions in absolute mode we can use the stat command;

Using stat command to see file or folder permissions in absolute mode

As we can see in the above image, the app-directory has 0755 permissions. For now we can ignore the first digit; 0, as it stands for special permissions and it is beyond the scope of this blog post. The next digit, which is number 7 for our app-directory, stands for the owner permissions and it means that the owner has read, write, and execute permissions (have a look at the “binary to decimal conversion” table above; 7 translates to 111 in binary). The third digit; 5, defines the group permissions and the last digit, 5, defines what permissions other users have.

Depending on what permissions we want to set, we can use the chmod command followed by the decimal digits and finally the file or the folder name:

chmod [decimal number] [file or folder]

For example, if we want to assign read, write and execute permissions for all users; the owner, the group, and others, on the app-directory directory, wewould execute:

chmod 777 app-directory
Linux
Linux Tutorial
DevOps
Security
Servers

--

--

Harith Javed Bakhrani
Harith Javed Bakhrani

Written by Harith Javed Bakhrani

136 Followers
6 Following

Muslim DevOps Engineer ready to learn and bring to life new and better ways of automating deployments and keeping them alive!

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams