Skip to content

Click on each book below to review & buy on Amazon.

As an Amazon Associate, I earn from qualifying purchases.

CompTIA Linux+ XK0-005 - 2.5 - File Permissions & Access Controls

Managing file permissions and access controls is a foundational aspect of Linux system administration. This guide delves into the various tools and commands available in Linux for handling file permissions, access control lists (ACLs), file attributes, and ownership. These components are integral to ensuring the security and proper management of files and directories on a Linux system.

File Permissions (read, write, execute)

In Linux, every file and directory is assigned specific access permissions, which are crucial for defining the level of interaction users or groups can have with these files and directories. These permissions are categorized into three basic types:

  • Read Permission: This allows the viewing of the contents of a file or the ability to list the files within a directory.
  • Write Permission: This enables the modification of a file's content or the ability to add, delete, and rename files within a directory.
  • Execute Permission: For files, this means the ability to run the file as a program or script. For directories, it grants the ability to access and traverse them.

Linux file permissions are depicted in a 10-character string format, such as -rwxr-xr-x. This string can be dissected as follows:

  • The first character signifies the file type. A dash (-) represents a regular file, while a d indicates a directory.
  • The subsequent nine characters are grouped into three sets, each containing three characters. These sets represent permissions for three different categories:
    • The first set (characters 2-4) indicates permissions for the file owner (user).
    • The second set (characters 5-7) displays permissions for the group.
    • The third set (characters 8-10) shows permissions for others (everyone else).

Each set of permissions (for user, group, and others) in the string is a combination of three characters, representing read (r), write (w), and execute (x) permissions. A hyphen (-) is used to denote the absence of a permission. Below are two examples on reading file permissions:

  1. A file with -rw-r--r-- permissions allows the owner to read and write, while the group and others can only read it.
  2. A directory with drwxr-xr-x permissions allows the owner full access, while the group and others can only list and access the files within it but can't modify its contents.

Permissions form the foundation of Linux's file security and management, providing a structured approach to controlling how files and directories are accessed and manipulated. By understanding these basic permissions, users can appreciate the more complex permission types and modifications covered in later sections of this guide.

File Permissions (SUID, SGID, Sticky Bit)

In Linux, apart from the basic read, write, and execute permissions, there are special permissions known as Set User ID (SUID), Set Group ID (SGID), and the Sticky Bit. These permissions provide additional control and security mechanisms for file and directory access.

Set User ID (SUID)

SUID is a special type of permission for executable files. When an executable file with SUID permission is run, it executes with the privileges of the file's owner, rather than the user who is running the file. This is particularly useful for allowing users to execute programs that require higher privileges in a controlled manner.

SUID can pose security risks if not managed properly, as it grants elevated privileges. It's important to ensure that only trusted and essential executables have this permission.

Set Group ID (SGID)

SGID is similar to SUID but operates at the group level. For executable files, SGID allows them to run with the privileges of the file's group. When applied to directories, it ensures that files created within the directory inherit the directory's group, maintaining a consistent group ownership for all files in the directory.

SGID is particularly useful in collaborative environments where multiple users are part of a common group and need to share files with consistent group ownership.

Sticky Bit

The Sticky Bit is a permission bit that's primarily used on directories. It restricts file deletion within the directory. When the Sticky Bit is set on a directory, only the file owner, the directory owner, or the root user can delete or rename files within that directory. This is an important feature for shared directories like /tmp, where it prevents users from deleting or renaming each other's files.

The Sticky Bit is widely used in public directories to maintain order and prevent users from removing or altering files they don't own.

These special permissions - SUID, SGID, and the Sticky Bit - are key tools for enhancing the security and management of files and directories in Linux. They enable fine-grained control over who can execute files and how file ownership is handled within shared environments, making them indispensable in multi-user Linux systems.

Listing File Permissions Command (ls)

The ls command is a fundamental utility in Linux used for listing files and directories in a specified location. It provides various options to display different attributes of files, including permissions and ownership. Understanding how to interpret the output of ls is essential for managing and navigating the file system effectively.

When running the ls -l command, the permissions and ownership of files and directories are displayed in the following format:

-rwxr-xr-x  1 user group   4096 May 10 12:34 file.txt
drwxr-xr-x  2 user group   4096 May 10 12:34 directory/

Let's break down the output:

  1. The first column represents the permissions of the file or directory. It consists of ten characters, divided into four sections:

    • The first character indicates the type of the entry. - represents a regular file, d represents a directory, and other characters may indicate special types such as symbolic links.
    • The next nine characters are divided into three sets of three characters each. Each set represents the permissions for the owner, group, and others, respectively. The characters can be one of the following:
      • r: Read permission
      • w: Write permission
      • x: Execute permission
      • -: No permission

  2. The second column indicates the number of hard links to the file or directory.

  3. The third and fourth columns represent the owner and group of the file or directory, respectively.
  4. The fifth column specifies the size of the file or the size occupied by the directory.
  5. The sixth column displays the date and time of the last modification.
  6. The last column indicates the name of the file or directory.

Special Permissions

Special permissions are additional settings that provide more control over file and directory access. They include:

  • Set User ID (SUID): Indicated by an s or S in the user's execute position. It allows a program to run as the user who owns the file, regardless of the user executing it.
  • Set Group ID (SGID): Shown as an s or S in the group's execute position. For files, it allows them to run with the permissions of the file's group. For directories, new files created within inherit the directory's group.
  • Sticky Bit: Represented by a t or T in the others' execute position. When set on a directory, it restricts file deletion within the directory to the file's owner, the directory's owner, or the root user.

Here are examples demonstrating these special permissions:

  • SUID:

    -rwsr-xr-x 1 root root 27768 Jan  1 12:00 /usr/bin/passwd

    The rws indicates that SUID is set for the user permissions.

  • SGID:

    drwxr-sr-x 2 user group 4096 Jan  1 12:00 /shared_directory

    The r-s in the group permissions signifies SGID is set for this directory.

  • Sticky Bit:

    drwxrwxrwt 14 root root 4096 Jan  1 12:00 /tmp

    The rwt indicates the Sticky Bit is set, enhancing the security of the /tmp directory.

Commonly Used Options

Here are some commonly used options with the ls command to view permissions and ownership:

  • List files and directories with detailed permissions and ownership:

    ls -l

    This command displays the long format listing, including permissions, ownership, size, and modification date.

  • List files and directories with human-readable file sizes:

    ls -lh

    This command provides a more readable output by displaying file sizes in a human-friendly format.

  • List all files and directories, including hidden ones:

    ls -a

    This command shows all entries, including those starting with a dot (which denotes hidden files or directories).

  • Sort files and directories by modification time:

    ls -lt

    This command lists the files and directories with the most recently modified ones appearing first.

  • Sort files and directories by modification time, in reverse order:

    ls -ltr

    This command lists the files and directories with the most recently modified ones appearing last.

  • Recursively list files and directories, including subdirectories:

    ls -R

    This command displays all files and directories in the specified location and its subdirectories.

The ls command is a versatile tool for listing files and directories in Linux. By understanding the format of the output and interpreting the permissions and ownership information, you can gain valuable insights into the file system structure. This knowledge is essential for managing file permissions, identifying file types, and navigating directories effectively.

Change Mode Command (chmod)

The `chmod`` (change mode) command in Linux is used to change the access permissions of files and directories. This command allows users to set or modify the read, write, and execute permissions for the owner (user), group, and others.

The basic syntax of the chmod command is as follows:

chmod [options] mode file(s)

Here's an explanation of the components:

  • options: The chmod command provides various options that allow you to customize its behavior. We will explore some commonly used options shortly.
  • mode: Specifies the permission mode to be set for the file(s). It can be specified in either symbolic or octal form.
  • file(s): Specifies the file or directories for which the permissions should be modified.

The chmod command offers several options to customize its behavior. Here are some commonly used options:

  • -v or --verbose: Displays detailed output, indicating the changes made to the permissions of each file.
  • -R or --recursive: Recursively modifies the permissions of files and directories within a directory.
  • -f or --silent or --quiet: Suppresses error messages, making the command run silently.
  • -h or --help: Displays the help message and usage information for the chmod command.

Symbolic Mode

The symbolic mode is a human-readable way to specify the permissions using symbols and operators. It consists of three parts: the target, the operator, and the permissions. The target represents the user group for which the permissions are modified (u for user, g for group, o for others, or a for all). The operator can be + to add permissions, - to remove permissions, or = to set permissions explicitly. The permissions are represented by the symbols r (read), w (write), and x (execute).

Here are some examples of using symbolic mode:

  • To add read and write permissions for the user and group on a file named "example.txt":

    chmod ug+rw example.txt

  • To remove execute permissions for others on a directory named "docs":

    chmod o-x docs

  • To set execute permission explicitly for all users on a script file named "script.sh":

    chmod a=x script.sh

Octal Mode

The octal mode represents the permissions using a three-digit octal number. Each digit corresponds to the permissions for the user, group, and others, respectively. Each digit is calculated by assigning a value of 4 for read, 2 for write, and 1 for execute, and summing up the values as per the desired permissions.

Here are some examples of using octal mode:

  • To set read, write, and execute permissions for the user, read and execute permissions for the group, and read permission for others on a file named "example.txt":

    chmod 751 example.txt

  • To set read, write & execute permissions for the user and group, and read and execute permission for others on a directory named "docs":

    chmod 775 docs

  • To remove all permissions for the user, and set read and execute permissions for the group and others on a file named "data.txt":

    chmod 055 data.txt

The chmod command is a powerful tool for managing file permissions in Linux. By understanding its syntax and the different permission symbols, you can easily modify the permissions of files and directories to control access and enhance security.

File Mode Creation Mask Command (umask)

The umask command is used to set the default file permissions for newly created files and directories. The term "umask" stands for "user file creation mask" and it helps determine the permissions that are automatically assigned to files when they are created.

Each file and directory has a set of permissions that define who can read, write, or execute the file. These permissions are represented by three sets of characters: user, group, and others. The default permission value for files is 666 (rw-rw-rw-), while for directories it is 777 (rwxrwxrwx).

The basic syntax of the umask command is as follows:

umask [options] [mode]

Here's an explanation of the components:

  • options: The umask command provides various options that allow you to customize its behavior. We will explore some commonly used options shortly.
  • mode: (Optional) Specifies the file permission mode to be set as the new umask value. If no mode is provided, the current umask value is displayed.

The umask command offers several options to customize its behavior. Here are some commonly used options:

  • -S or --symbolic: Displays the current umask value in symbolic form instead of the default octal form.
  • -p or --pretty: Displays the current umask value in both octal and symbolic forms.
  • -h or --help: Displays the help message and usage information for the umask command.

The umask command is typically executed as part of the login process for each user. When a user logs in, the system reads the umask value from the user's profile files, such as ~/.bashrc or ~/.profile. This ensures that the desired umask value is applied consistently for that user's session. By setting the umask value in the login process, you can establish a consistent file permission policy for all files created by the user.

The umask command uses a numerical mode to set file permissions. The numerical mode consists of a combination of three octal digits, each representing the permissions for user, group, and others, respectively. Each digit represents a three-bit binary value, where each bit corresponds to a specific permission: read (4), write (2), and execute (1).

By default, the umask value is subtracted from the default permission value to determine the actual permissions for newly created files and directories. For files, the default permission value is 666, and for directories, it is 777. If the umask value is 022, the resulting permissions for a file would be 644 (666 - 022 = 644), and for a directory, it would be 755 (777 - 022 = 755).

To set a umask value, in our example 022, you would run:

umask 022

By using the umask command, you can control the permissions assigned to newly created files and directories, ensuring they align with your security requirements and organizational policies. The umask value, when subtracted from the default permission values of 666 for files and 777 for directories, determines the actual permissions for newly created items.

Remember that the umask command is typically executed during the login process, allowing you to establish a consistent file permission policy for each user's session. Take advantage of the options provided by the umask command to customize its behavior according to your needs.

Access Control List (ACL)

Access Control Lists (ACLs) provide a finer level of control over file and directory permissions in Linux systems. While traditional Unix permissions use the owner, group, and other bits to control file access, ACLs extend this model by allowing you to grant and restrict permissions for specific users and groups.

ACLs allow you to define more granular access permissions beyond the standard Unix permissions. With ACLs, you can specify individual or group permissions for specific files and directories. This added flexibility makes ACLs particularly useful in scenarios where you need to manage access for multiple users and groups with different levels of permissions.

ACLs consist of the following components:

  • Access Control Entries (ACEs): ACEs are the building blocks of ACLs. Each ACE contains information about a user or group and the permissions granted or denied to them. ACEs allow you to define more specific access rights beyond the traditional owner, group, and other permissions.
  • Permission mask: The permission mask, represented by the mask entry in the ACL, defines the default permissions for new files and directories. It acts as a filter that masks out any permissions not explicitly granted by the ACL.
  • Default ACLs: Default ACLs are ACL entries that are automatically applied to newly created files and directories within a specific directory. They provide a way to define default permissions for new objects, ensuring consistent access control throughout a directory tree.

Get File Access Control Lists Command (getfacl)

In Linux, the getfacl command is used to retrieve the Access Control List (ACL) for a file or directory. ACLs provide a more fine-grained level of access control by allowing permissions to be set for specific users or groups beyond the traditional owner, group, and others permissions. Understanding the getfacl command is essential for examining and managing ACLs on a Linux system. In this guide, we will explore the usage of the getfacl command, its syntax, and the information it provides about file and directory permissions.

Access Control Lists (ACLs) are extensions to traditional file permissions that allow you to define access rules for additional users and groups. While traditional permissions (read, write, execute) apply to the owner, group, and others, ACLs provide more granularity by allowing permissions to be granted or revoked for specific users or groups. This level of control is particularly useful in multi-user environments or when complex access requirements exist.

The basic syntax of the getfacl command is as follows:

getfacl [options] file

Here's an explanation of the components:

  • options: The getfacl command provides various options that allow you to customize its behavior. We will explore some commonly used options shortly.
  • file: Specifies the file or directory for which you want to retrieve the ACL.

Here are some commonly used options with the getfacl command:

  • -a, --access: Display the file access control list.
  • -d, --default: Display the default access control list.
  • -c, --omit-header: Do not display the comment header.
  • -R, --recursive: List the ACLs of all files and directories recursively.

By running the getfacl command, you can retrieve the ACL (Access Control List) information for a file or directory. It displays the permissions granted to the owner, group, and others, as well as any additional entries for specific users or groups, known as Access Control Entries (ACEs).

The output of the getfacl command typically includes the following information:

  • The owner and group of the file or directory: This indicates who owns the file and which group is associated with it.
  • The standard permissions for the owner, group, and others: These are the basic permissions that are commonly displayed using the ls -l command. They include read (r), write (w), and execute (x) permissions for the owner, group, and others.
  • The Access Control Entries (ACEs): These define additional access rules for specific users or groups. ACEs allow for more granular control over who can access a file or directory and in what manner.

To illustrate, here's an example of using getfacl on a file named sample.txt:

getfacl sample.txt

This command might produce output similar to the following:

# file: sample.txt
# owner: alice
# group: users
user::rw-
user:bob:r--
group::r--
mask::rw-
other::r--

In this example, the output details are as follows:

  • # file: This line indicates the file to which the ACL applies.
  • # owner: The user 'alice' is the owner of the file.
  • # group: The file is associated with the 'users' group.
  • user::rw-: The owner (alice) has read and write permissions.
  • user:bob:r--: A specific user, 'bob', has been granted read-only access.
  • group::r--: The group (users) has read-only access.
  • mask::rw-: The effective permissions that group members and named users have on the file. In this case, it’s read and write.
  • other::r--: All other users have read-only access.

This output reflects a more detailed set of permissions than what is typically available through basic file permission settings, enabling fine-grained access control.

Set File Access Control Lists Command (setfacl)

The setfacl command in Linux is used to set or modify the access control lists (ACLs) of files and directories. ACLs provide a more granular level of permission control beyond the traditional file permission bits. With setfacl, you can define specific permissions for users and groups, granting or revoking access to files and directories.

The basic syntax of the setfacl command is as follows:

setfacl [options] file ...

Here are some commonly used options:

  • -m, --modify: Modify the ACL of a file or directory.
  • -x, --remove: Remove specified ACL entries from a file or directory.
  • -b, --remove-all: Remove all ACL entries from a file or directory.
  • -d, --default: Modify the default ACL of a directory.
  • -R, --recursive: Apply changes recursively to files and directories.
  • --mask: Set the mask entry of the ACL.
  • -n, --no-mask: Do not set the mask entry of the ACL.
  • -k, --remove-default: Remove the default ACL from a directory.

ACL entries are specified using the following format:

entity:qualifier:permissions
  • entity can be one of the following:
    • u: User
    • g: Group
    • m: Mask
    • o: Other
  • qualifier specifies the specific user or group to which the ACL entry applies. It can be a username or a group name.
  • permissions represent the access permissions granted or revoked for the specified user or group. These permissions can include r for read, w for write, and x for execute.

Here are some examples of using the setfacl command:

  1. Grant read and write permissions to a specific user on a file:

    setfacl -m u:username:rw file.txt

    This command grants read and write (rw) permissions to the user specified by username on the file.txt.

  2. Revoke write permission for a specific group on a directory and its contents recursively:

    setfacl -R -x g:groupname:w directory/

    This command recursively removes the write (w) permission for the group specified by groupname on the directory/ and its contents.

  3. Remove all ACL entries from a file:

    setfacl -b file.txt

    This command removes all ACL entries from the file.txt.

  4. Set a default ACL for a directory:

    setfacl -d -m u:username:rw,g:groupname:rx directory/

    This command sets a default ACL for the directory/. It grants read and write (rw) permissions to the user specified by username and read and execute (rx) permissions to the group specified by groupname.

  5. Remove the default ACL from a directory:

    setfacl -k directory/

    This command removes the default ACL from the directory/.

Changing & Listing File Attributes (chattr & lsattr Commands)

The chattr and lsattr commands in Linux are used to manage and view file attributes. File attributes are special properties associated with a file or directory that control its behavior, access permissions, and other characteristics. The term "chattr" stands for "change attributes", while "lsattr" stands for "list attributes".

chattr Command

The chattr command allows you to modify file attributes on a file or directory. It follows the syntax:

chattr [options] [+/- attribute] [file/directory]

One notable option is the -R option that recursively applies attribute changes to files and directories within the specified directory.

To modify file attributes using chattr, you need to specify the attribute you want to add (+) or remove (-), followed by the file or directory path.

Here are some commonly used file attributes with chattr:

  • Immutable (i): Makes the file immutable and prevents any modifications, deletions, or renames. Only the root user can modify or remove this attribute.
  • Append-only (a): Allows new data to be added to the end of the file but prohibits modifying or deleting existing data. This attribute is often used for log files to maintain data integrity.
  • No dump (d): Excludes the file from system backup utilities. This attribute is useful for files that don't need to be included in regular backups, such as cache or temporary files.

To set or remove file attributes using chattr, you would use commands like:

chattr +i filename   # Set the immutable attribute
chattr -i filename   # Remove the immutable attribute

lsattr Command

The lsattr command allows you to view the file attributes on a file or directory. It follows the syntax:

lsattr [options] [file/directory]

Here are some commonly used options for lsattr:

  • -a: Lists all files in a directory, including hidden files, and displays their attributes.
  • -d: Shows information about directories themselves, rather than their contents.
  • -R: Recursively lists the attributes of all files and directories within the specified directory.

To view the attributes of a file or directory, provide the file or directory path as an argument to the lsattr command:

lsattr filename

Example Output of lsattr Command may look like:

$ lsattr myfile.txt
----i--------- myfile.txt

In the example output above, the file "myfile.txt" has the "immutable" attribute set (indicated by the "i" flag). This means the file cannot be modified, deleted, or renamed unless the attribute is removed using the chattr command.

Change Ownership Command (chmod)

The chown command allows you to change the ownership of files and directories. Ownership refers to the user and group associated with a file or directory. The chown command is a powerful tool that can be used to manage file ownership and control access to resources on a Linux system.

Before diving into the details of the chown command, it is essential to understand the concept of file ownership in Linux. Each file and directory on a Linux system is associated with a specific user and group. The owner of a file has certain permissions and control over the file, while the group determines which set of users share those permissions. By using the chown command, you can modify these ownership settings according to your requirements.

The basic syntax of the chown command is as follows:

chown [options] owner[:group] file(s)

Here's a breakdown of the components:

  • options: The chown command provides various options that allow you to customize its behavior. We will explore some commonly used options shortly.
  • owner: Specifies the new owner of the file or directory. It can be either a user name or a user ID.
  • group: (Optional) Specifies the new group owner of the file or directory. It can be either a group name or a group ID.
  • file(s): Specifies the file or directory to which the ownership changes should be applied. You can provide multiple files or use wildcards to specify a group of files.

The chown command offers several options that can be used to modify ownership in different ways. Here are some commonly used options:

  • -R or --recursive: Recursively changes ownership for directories and their contents. This is useful when you want to modify ownership in a directory tree.
  • -v or --verbose: Displays a detailed output of the changes made by the chown command.
  • -c or --changes: Shows only the modified files, skipping those that remain unchanged.
  • -h or --no-dereference: Changes the ownership of symbolic links themselves instead of the files they point to.

To illustrate the practical application of the chown command, here are some common scenarios where it is used. These examples demonstrate how to change the ownership of files and directories, either for the owner, the group, or both, and include options for applying these changes recursively.

  • Changing Owner: To change the owner of a file:

    chown newowner filename

  • Changing Owner and Group: To change both the owner and the group of a file:

    chown newowner:newgroup filename

  • Changing Ownership Recursively: To change the ownership of a directory and all its contents:

    chown -R newowner:newgroup directory_name

  • Changing Group Only: The chgrp command or the chown :newgroup format can be used to change only the group ownership:

    chown :newgroup filename

    or

    chgrp newgroup filename

The chown command, with its ability to alter ownership, is essential for maintaining the correct access and control over files. It's particularly important when managing a system with multiple users, ensuring that files and directories are accessible to those who need them while preventing unauthorized access by others.

Conclusion

In this guide, we have covered essential aspects of file permissions and access controls in Linux, including basic file permissions, special permissions (SUID, SGID, Sticky Bit), the use of commands like ls, chmod, chown, lsattr, and chattr, as well as Access Control Lists (ACLs). Understanding and applying these concepts and tools is crucial for effective file management and security in a Linux environment. Proper use of these permissions and commands ensures a secure and well-managed system, crucial for any Linux user or administrator.

Support DTV Linux

Click on each book below to review & buy on Amazon. As an Amazon Associate, I earn from qualifying purchases.

NordVPN ®: Elevate your online privacy and security. Grab our Special Offer to safeguard your data on public Wi-Fi and secure your devices. I may earn a commission on purchases made through this link.