File permissions are central to the security model used by Linux systems. They determine who can access files and directories on a system and how. This article provides an overview of Linux file permissions, how they work, and how to change them.
What do Linux file permissions look like?
The ls command along with its -l option (for a long list) will show you metadata about your Linux files, including the permissions set on the file.
$ ls -l
drwxr-xr-x. 4 root root   68 Jun 13 20:25 tuned
-rw-r--r--. 1 root root 4017 Feb 24  2022 vimrc
In this example, you see two different listings. The first field of the ls -l output is a metadata group that includes the permissions set on each file. These are the components of the vimrc listing:
- File type: -
- Permission settings: rw-r--r--
- Extended attributes: period (.)
- User owner: root
- Group owner: root
The “File type” and “Extended attributes” fields are beyond the scope of this article, but in the output above, the vimrc file is a normal file, which is file type - (i.e., no special type). The other listing is for a file of type d, a directory. There are other file types as well, but these two are the most common. The attributes available depend on the format of the file system in which the files are stored. For Red Hat Enterprise Linux 7, 8, and 9, the default file system format is XFS.
How do I read file permissions?
This article is about the permission settings on a file. The interesting permissions in the vimrc listing are: rw-r--r--
This string is actually an expression of three different sets of permissions:
- rw-
- r--
- r--
The first set of permissions is applied to the owner of the file. The second set of permissions applies to the user group that owns the file. The third set of permissions is usually referred to as “other.” All Linux files belong to an owner and a group.
When permissions and users are represented by letters, it is called symbolic mode. For users, u means user owner, g for group owner, and o for others. For permissions, r stands for read, w for write, and x for execute.
When the system examines a file’s permissions to determine what access to grant an account that interacts with the file, it runs through a series of checks:
- It first checks if you are the user who owns the file. If so, you are granted the permissions of the user owner and no further checks will be completed.
- If you are not the user who owns the file, your group membership is then validated to see if you belong to the group that matches the group owner of the file. If so, then it is covered in the group owner’s permissions field, and no further checks will be performed.
- “Other” permissions apply when the account interacting with the file is neither the user owner nor a member of the group that owns the file. To put it another way, the three fields are mutually exclusive: you cannot be covered by more than one of the permission fields on a file.
Permissions go beyond the different types of people who can interact with a file. Each user gets an expression that includes the three basic types of permissions. In the previous example, the file owner receives the following permissions:
rw-
Each character in the expression indicates whether or not a specific permission is granted. In the previous example, read permission (r) and write permission (w) have been granted on the file. However, execute permission (x) is not granted, so a - (dash) appears in that position. The permission in that field is disabled.
Note the permissions of the group owner in this example:
r--
Read permission (r) is granted to group members, but write and execute have been disabled.
What are octal values?
When Linux file permissions are represented by numbers, it is called numeric mode. In numeric mode, a three-digit value represents specific file permissions (for example, 744). These are called octal values. The first digit is for owner permissions, the second digit is for group permissions, and the third is for other users. Each permission is assigned a numeric value:
- r (read): 4
- w (write): 2
- x (execute): 1
In the 744 permission value, the first digit corresponds to the user owner, the second digit to the group, and the third digit to others. By adding up the values within each user class, you arrive at the file’s permissions.
For example, a file can have read, write, and execute permissions for its owner, and only read permission for all other users. That looks like this:
- Owner: rwx = 4 + 2 + 1 = 7
- Group: r-- = 4 + 0 + 0 = 4
- Others: r-- = 4 + 0 + 0 = 4
The result is the three-digit value 744.
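The conversion between the symbolic and octal forms above, together with the owner/group/other check order from the previous section, as an added example (not code from the original article; the function names and the sample listings are constructed here):

```python
# Added example: parse the mode field of an ls -l listing, convert between
# symbolic and octal permissions, and pick the one triplet that applies to
# an account (owner first, then group, then other).

PERM_VALUES = {"r": 4, "w": 2, "x": 1}

def parse_mode(mode_field):
    """Split an ls -l mode field such as '-rw-r--r--.' into
    (file_type, owner, group, other). A trailing '.' or '+'
    (the extended-attribute marker) is ignored."""
    mode_field = mode_field.rstrip(".+")
    if len(mode_field) != 10:
        raise ValueError("expected a 10-character mode field: %r" % mode_field)
    return mode_field[0], mode_field[1:4], mode_field[4:7], mode_field[7:10]

def triplet_to_digit(triplet):
    """'rwx' -> 7, 'r--' -> 4. A lowercase s or t in the x slot
    (SUID/SGID/sticky bit) also means execute is set."""
    total = 0
    for ch, expected in zip(triplet, "rwx"):
        if ch == expected or (expected == "x" and ch in "st"):
            total += PERM_VALUES[expected]
    return total

def mode_to_octal(mode_field):
    """'-rwxr--r--' -> '744' (user, group, other digits)."""
    _, owner, group, other = parse_mode(mode_field)
    return "".join(str(triplet_to_digit(t)) for t in (owner, group, other))

def octal_to_symbolic(octal):
    """'744' -> 'rwxr--r--'; each digit is expanded independently."""
    out = ""
    for digit in octal:
        value = int(digit)
        out += "".join(ch if value & bit else "-" for ch, bit in PERM_VALUES.items())
    return out

def effective_permissions(mode_field, file_owner, file_group, user, user_groups):
    """Return the one triplet that applies to `user`. The checks are
    mutually exclusive: owner first, then group membership, then other."""
    _, owner, group, other = parse_mode(mode_field)
    if user == file_owner:
        return owner
    if file_group in user_groups:
        return group
    return other

if __name__ == "__main__":
    # The vimrc listing from the article: -rw-r--r--. owned by root:root
    print(mode_to_octal("-rw-r--r--."))   # 644
    print(octal_to_symbolic("744"))        # rwxr--r--
    # Constructed case: the owner check wins even when the group triplet grants more
    print(effective_permissions("-r--rw----", "alice", "dev", "alice", {"alice", "dev"}))  # r--
```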
What do Linux file permissions actually do?
I’ve talked about how to view file permissions, who they apply to, and how to read which permissions are enabled or disabled. But what do these permissions actually do in practice?
Read (r)
Read permission is used to access the contents of a file. You can use a tool such as cat or less on the file to display its contents. You can also use a text editor such as vi or view to display the contents of the file. Read permission is required to make copies of a file, because you need to access the file’s contents to duplicate it.
Write (w)
The write permission allows you to modify or change the contents of a file. The write permission also allows you to use the redirect or append operators in the shell (> or >>) to change the contents of a file. Without write permission, changes to the contents of the file are not allowed.
Execute (x)
The execute permission allows you to execute the contents of a file. Typically, executable files are things like commands or compiled binary applications. However, the execute permission also allows someone to run Bash shell scripts, Python programs, and a variety of interpreted languages.
There are other ways to run the contents of a file without execute permission. For example, you can use an interpreter that has execute permission to read a file with instructions for the interpreter to execute it. An example would be to invoke a Bash shell script:
$ bash script.sh
The executable that runs is bash. The Bash interpreter reads the script.sh file and executes its commands. The content in this article is general purpose, but on Linux, there are often additional ways to accomplish tasks.
How do directory permissions work?
Directory file types are indicated by d. Conceptually, permissions work the same way, but directories interpret these operations differently.
Read (r)
Like regular files, this permission allows you to read the contents of the directory. Here, that means you can see the content (the files) stored in the directory. This permission is required for things like the ls command to work.
Write (w)
As with regular files, this allows someone to modify the contents of the directory. When you change the contents of a directory, you are adding files to it or removing files from it. As such, you must have write permission on a directory to move (mv) or delete (rm) files from it. You also need write permission to create new files (using touch or a file redirection operator) or copy files (cp) into the directory.
Execute (x)
This permission is very different on directories compared to files. Essentially, you can think of it as providing access to the directory. Having execute permission on a directory authorizes you to view extended information about the files in the directory (using ls -l, for example), but it also allows you to change your working directory (using cd) or pass through this directory on your way to a subdirectory below.
The lack of execute permission on a directory can limit the other permissions in interesting ways. For example, how can you add a new file to a directory (taking advantage of write permission) if you cannot access the directory’s metadata to store the information about the additional file? You can’t. It is for this reason that directory-type files usually grant execute permission to one or more of the user owner, group owner, or others.
How do I change Linux file permissions?
You can modify file and directory permissions with the chmod command, which stands for “change mode.” To change file permissions in numeric mode, type chmod and the octal value you want, such as 744, along with the file name. To change file permissions in symbolic mode, enter a user class and the permissions you want to grant them next to the file name. For example:
$ chmod ug+rwx example1.txt
$ chmod o+r example2.txt
This provides read, write, and execute for the user and group, and read-only for others. In symbolic mode, u represents the user owner, g represents the users in the file’s group, and o represents other users who are not in the file’s group. For all users, use a.
You may also want to change the user owner itself. You can do that with the chown command. Similarly, the chgrp command can be used to change the group ownership of a file.
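The numeric and symbolic chmod forms from this section, the directory execute bit from the previous section, and running a non-executable script through an interpreter, as an added example (not the article’s own commands; it assumes GNU stat and a throwaway directory created with mktemp):

```shell
#!/bin/sh
# Added example: apply the chmod forms described above, read the resulting
# mode back with stat, and show an interpreter running a script that has no
# execute bit. Every file is constructed in a temporary directory.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

mode_of()     { stat -c '%a' "$1"; }   # octal mode, e.g. 744 (GNU stat)
symbolic_of() { stat -c '%A' "$1"; }   # symbolic mode, e.g. -rwxr--r--

# Numeric mode: owner rwx (7), group r (4), others r (4)
numeric_demo() {
    : > "$WORK/numeric.txt"
    chmod 744 "$WORK/numeric.txt"
    mode_of "$WORK/numeric.txt"
}

# Symbolic mode: user and group get rwx, others get read only
symbolic_demo() {
    : > "$WORK/example1.txt"
    chmod 600 "$WORK/example1.txt"     # start from a known state
    chmod ug+rwx "$WORK/example1.txt"
    chmod o+r "$WORK/example1.txt"
    symbolic_of "$WORK/example1.txt"
}

# Directory: others keep read but lose execute, so they can list names
# but cannot cd into the directory or reach anything below it
dir_demo() {
    mkdir -p "$WORK/shared"
    chmod 754 "$WORK/shared"
    mode_of "$WORK/shared"
}

# A script with no execute bit still runs when handed to an interpreter:
# the executable here is sh (used instead of bash so the example is POSIX)
interp_demo() {
    printf 'echo ran-via-interpreter\n' > "$WORK/script.sh"
    chmod 644 "$WORK/script.sh"
    sh "$WORK/script.sh"
}

numeric_demo
symbolic_demo
dir_demo
interp_demo
```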
What are special file permissions?
Special permissions are available for files and directories, and they provide additional privileges beyond the standard permission sets covered so far.
- SUID is the special permission for the user access level; a file with SUID always executes as the user who owns the file, no matter who runs the command.
- SGID allows a file to run as the owner of the file’s group. On a directory, a file created in the directory has its group set to the directory’s group owner. This is useful for directories used collaboratively by members of a group, as all members can access and run new files.
- The “sticky bit” is a special directory-level permission that restricts file deletion, meaning that only the file owner can delete a file within the directory.
Want to dig deeper into special permissions? Read Linux permissions: SUID, SGID and sticky bit.
Understanding Linux file permissions (how to find, read, and change them) is an important part of maintaining and protecting your systems. You can learn more about file permissions for Red Hat Enterprise Linux by consulting the documentation or practicing with a self-paced lab on using file permissions.