Dung (Donny) Nguyen

Senior Software Engineer

Linux File Permissions Guide

Understanding Permission Structure

Every file/folder has three permission sets: owner, group, and others. Each set has three permission types:

Running ls -l shows permissions like: -rwxr-xr--


Core Commands

chmod — Change permissions

Symbolic mode:

chmod u+x file.txt       # Add execute for owner
chmod g-w file.txt       # Remove write for group
chmod o=r file.txt       # Set others to read-only
chmod a+r file.txt       # Add read for all (a = all)

Numeric (octal) mode:

chmod 755 file.txt       # rwxr-xr-x
chmod 644 file.txt       # rw-r--r-- (common for files)
chmod 700 folder/        # rwx------ (private folder)
chmod -R 755 folder/     # Recursive (applies to contents)

Common permission combos:

| Octal | Symbolic | Use case |
|-------|-----------|----------|
| 777 | rwxrwxrwx | Full access for all (avoid!) |
| 755 | rwxr-xr-x | Public directories |
| 644 | rw-r--r-- | Regular files |
| 600 | rw------- | Private files |
| 700 | rwx------ | Private directories |


chown — Change owner

chown alice file.txt             # Change owner
chown alice:developers file.txt  # Change owner and group
chown -R alice:alice folder/     # Recursive

chgrp — Change group

chgrp developers file.txt
chgrp -R developers folder/

Managing Users & Groups

# Add a user to a group
sudo usermod -aG groupname username

# Create a new group
sudo groupadd groupname

# View a user's groups
groups username

# View file permissions
ls -l file.txt
ls -ld folder/       # Show folder itself, not contents

Special Permissions

# Setuid — run file as owner (e.g., passwd)
chmod u+s file

# Setgid — new files inherit group of directory
chmod g+s folder/

# Sticky bit — in a shared directory, only a file's owner can delete it (e.g., /tmp)
chmod +t folder/

ACLs — Fine-grained Permissions

For more granular control beyond owner/group/others:

# Install (Debian/Ubuntu)
sudo apt install acl

# Grant a specific user read/write on a file
setfacl -m u:alice:rw file.txt

# Grant a group read access
setfacl -m g:developers:r folder/

# View ACLs
getfacl file.txt

# Remove ACLs
setfacl -b file.txt

Quick rule of thumb: Use 644 for files, 755 for directories, and restrict further (600/700) for sensitive content. Avoid 777 — it grants full access to everyone.
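
An added example (not part of the original guide): a small POSIX shell audit that finds the risky cases this guide warns about, namely world-writable files such as those left at 777, world-writable directories missing the sticky bit, and setuid/setgid files. The function names audit_perms and make_demo_tree, the finding labels, and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. audit_perms, make_demo_tree
# and the finding labels are hypothetical names chosen for this sketch.
# Usage: audit_perms /path/to/tree

audit_perms() {
    dir=${1:-.}

    # "-perm -MODE" matches when every bit in MODE is set.
    # "-xdev" keeps find on one filesystem (skips /proc, network mounts).

    # Regular files anyone can modify (others-write bit, octal 0002),
    # which includes every file left at 666 or 777.
    find "$dir" -xdev -type f -perm -0002 \
        -exec printf 'WORLD_WRITABLE_FILE %s\n' {} \;

    # World-writable directories WITHOUT the sticky bit (octal 1000):
    # any user can delete or replace other users' files there.
    find "$dir" -xdev -type d -perm -0002 ! -perm -1000 \
        -exec printf 'WORLD_WRITABLE_DIR_NO_STICKY %s\n' {} \;

    # Setuid (4000) and setgid (2000) files run with the owner's or
    # group's privileges; review each one that is found.
    find "$dir" -xdev -type f -perm -4000 \
        -exec printf 'SETUID_FILE %s\n' {} \;
    find "$dir" -xdev -type f -perm -2000 \
        -exec printf 'SETGID_FILE %s\n' {} \;
}

# Constructed sample tree for trying the audit; prints its path.
make_demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/shared" "$t/drop"
    touch "$t/ok.txt" "$t/open.txt" "$t/helper"
    chmod 644 "$t/ok.txt"       # normal file: not reported
    chmod 777 "$t/open.txt"     # world-writable file: reported
    chmod 4755 "$t/helper"      # setuid file: reported
    chmod 1777 "$t/shared"      # sticky, like /tmp: not reported
    chmod 777 "$t/drop"         # world-writable, no sticky: reported
    printf '%s\n' "$t"
}
```

Running audit_perms on the path printed by make_demo_tree reports three findings: open.txt, drop and helper.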