Understand how Ubuntu / Linux file permissions and special mode bits work. Learn how to change these permissions using the chmod command. Find out how default permissions for new files are configured via a user's umask value.
- Linux File Permissions
- How Read, Write, And Execute Permissions Are Represented
- A File's "User" And "Group"
- Special Mode Bits
- Permissions: Octal Representation
- Changing File Permissions - Chmod
- Umask - Configuring Default File / Directory Permissions
- What's Next?
In Ubuntu / Linux everything is a file, so everything will have permissions also.
File permissions define which user or system accounts have permissions to read, write, and execute specific files.
These read, write, and execute permissions are defined for:
|user||the user that owns the file|
|group||users in the files group|
|other||every other user|
There are also three other components when it comes to file mode bits, namely the setuid bit, the setgid bit, and the sticky bit.
As you'll see later, these "special mode bits" can only be used for certain files.
File permissions are identified through file mode bits. These bits represent what actions can be carried out by specific user accounts.
For example, if you run the command
ls -l to list the files in the current directory, you'll see something similar to this at the beginning of each line in the results:
The repeated rwx sequences represent the notion of read (r), write (w), and execute (x) permissions for user, group, and other (in that order).
-rwxrwxrwx above indicates that user, group, and other have read, write and execute permissions for that file or in other words: the owner of the file, anyone in the file's group, and everybody else has read, write, and execute permissions for that file).
Note that the leading
- you'll see in permissions like
-rwxrwxrwx simply indicates that this is a normal file (file type regular).
The possible file types you may see are depicted by preceding the permissions by one of these:
-= Regular File
l= Symbolic Link
b= Block Special Device
c= Character Device
s= Unix Socket (local domain socket)
p= Named Pipe
Here are a few more examples of what you might see:
A regular file, readable and writeable by user and group, but only readable by everybody else.
Note that the
d above indicates that the permissions are for a directory (i.e. the file's type is a directory).
This directory is readable, writeable, and executable by "user" whilst only readable and executable by "group" and "other".
Also note that for directories, the execute mode bit
x indicates access / searchability of that directory for a particular category of user.
The above permissions show that the owner of this regular file has read and write permission but nobody else has any permissions for that file.
If you see a file with permissions like this:
You'll know it refers to a "character device" (such as a tty) where the "user" has read and write permission, the "group" has write permission, and "other" has no permissions.
To recap, the meanings of
x for each of the three categories "user", "group", and "other" are illustrated in the image below which shows an
ls -l command run in a directory which contains filename.txt:
The user name shown in the image above is the name of the user account which owns the file (normally the creator, but this can be changed using chown) whilst the group name is the creator's primary group (this can be changed using chgrp).
By default in Ubuntu, the default primary group is a group with the same name as the user. This is the case above where both the user and group are "tutonics" (for more info about user accounts and groups, please read our post about user account and group management).
To understand how default permissions are determined, skip to section "Umask - Configuring Default File / Directory Permissions" below.
When a process runs, it takes on the effective permissions of the user who started it. This means the process can only read / write / execute what the user has permissions for.
The same applies to the effective group id of a process, it assumes that of the user, so group permissions of the process mirror that of the user.
This behaviour gets changed when setuid and/or setgid bits are set as you'll see next.
When the setuid bit is set for a program, on execution the process's effective user ID gets set to that of the program file itself (rather than that of the user running it).
If a file with permissions
-rwxrwxrw- gets its setuid bit set, the permissions will be displayed as
-rwsrwxrw-. Note the lower case
s where the
If however, the file didn't have the
x permissions for the user, and then had the setuid bit set, you'd see
So to recap, there is a difference between
s the former indicates just the setuid bit, the latter indicates setuid bit and execute
x (for that position) in the permissions is set.
When the setgid bit is set for a program, on execution the process's effective group ID gets set to that of the program file (rather than that of the user's primary group).
Like setuid, the setgid bit is shown as either an
If a file starts out with
-rw-r--r-- (no group x) and has its setgid bit set, you'd see it being displayed as
-rw-r-Sr-- whereas if it started out as
-rw-r-xr-- it would be displayed as
-rw-r-sr-- once the setgid bit is set.
When the setuid bit is set as part of a directory's permissions in Ubuntu, it does nothing, i.e. it has no effect (This is not the case for the setgid bit, as you'll see next).
When the setgid bit is set for a directory, any files created in that directory will have the same group as that directory.
Also, any directories created in that directory will also have their setgid bit set.
Nowadays (for linux) the sticky bit is used only in relation to directories.
When a directory has the sticky bit set, only root or the file's owner has permission to change files in that directory.
t are used to indicate that the sticky bit is set. e.g. A directory with permissions
drwxr-xr-x having the sticky bit set, would change to
drwxr-xr-t whilst a dir with
drwxr-xr-- would change to
T depends on whether the "other" category has
x permissions set or not respectively).
Sometimes, you'll see permissions referred to numerically in base 8 octal (i.e. using digits 0-7).
|read, write, and execute||rwx||111||7|
|read and write||rw-||110||6|
|read and execute||r-x||101||5|
|write and execute||-wx||011||3|
So for example, using the table above, we can see that the file permissions
-rwxrwxrwx can be represented in octal as 777 (because each
rwx translates to an octal digit 7).
Note that the octal number refers to permissions, the file type does not matter.
So, if we wanted to represent the permissions
drwxrwxrwx of a directory in octal, the same octal number 777 would also apply.
|User / Group / Other rwx Mode Symbols||Octal Equivalent|
The chmod command is used to change the various permission bits of a file or directory.
The command takes the general form:
chmod MODE file
There are two ways to represent the MODE:
- Using symbolic modes (letters to indicate the categories and permission)
- Using numeric modes (An octal (base 8) number that represents the mode)
Using the "numeric modes" way of setting these permissions is shorter than the symbolic method, but not as flexible because you can't build on top of existing permissions which is possible when using "symbolic modes".
In order to change the permissions of a file using symbolic permissions, use the command format:
chmod SYMBOLIC-MODE FILENAME
where SYMBOLIC-MODE is the symbolic representation of permissions (which we describe below) that you wish to apply to FILENAME.
The letters for user, group, and other are u, g, and o respectively. The letter a is used to mean all three of these categories.
The MODE above takes the form (as per manpage):
So, the operations available are:
+(add the permissions to what currently exists).
-(remove the permissions from what currently exists).
=(set to this value only, replacing existing permissions).
When you combine the above with the permission letters
x you can run chmod commands like those shown below.
For example, to use chmod to set permissions of file "filename" to
-rwxrwxrwx you could run:
chmod a=rwx filename
Breaking this down, the
a means all and
rwx means set read, write, and execute.
= means that permissions are to be set to exactly what we specify.(i.e. we overwrite the current permissions).
In this case you can get the same result more explicitly using either:
chmod ugo=rwx filename
chmod ugo+=rwx filename
Regarding just the symbolic mode part of the command, here are a few more examples:
To add read permission for all:
To remove permissions for all:
To add execute permissions for all:
To remove execute permissions for all:
To assign read, write permissions only for user and group:
To add read, write permissions to user and group to the permissions that already exist:
To remove execute permissions from group and other (i.e from all users except the file's owner):
To remove permissions to do anything from all users except the owner:
Note in the examples above and in general that there are different combinations that have the same effect.
The setuid bit can be set using:
The setuid bit can be removed using:
Similarly, setgid can be set using:
and removed using:
The sticky bit can be set by using:
and removed using:
To set the permissions of a file or directory using numeric modes, simply use the format:
chmod OCTAL-MODE FILENAME
where OCTAL-MODE is the octal form of the permissions.
For example, to set the permissions of filename to
-rw-r--r-- you could run the command:
chmod 644 filename
or to change permissions to -rwxrwxrwx you could use the command:
chmod 777 filename
Be careful when setting permissions to 777 as this means every single user account can read, write, and execute that file.
The setuid, setgid, and sticky bit can be set using chmod where
- 1 = sticky bit
- 2 = setgid
- 4 = setuid
For example to set the setuid bit along with permissions 766:
chmod 4766 filename
To set the setgid bit along with 776:
chmod 2776 filename
To set sticky bit along with 766:
chmod 1776 fileanme
To set both setuid(2) and setgid(4) along with 766, prepend with 6. i.e. 2+4:
chmod 6766 filename
When a user creates a file, how does the system determine that file's initial permissions?
This is done based on the user's umask value.
The umask value specifies which permissions are not to be set.
In Ubuntu, the default umask value for a normal user is 002, while the default for root is 022.
You can find out the current umask value (or set it) using the
If (as a normal user) you run the command:
You'll see something like 0002 displayed, however octal numbers are preceded by a 0 (in the same way hex would be preceded by 0x), so the umask value itself is actually 002.
This value is an octal (base 8, digits 0-7) value which is subtracted from a base value of 777 for directories, or subtracted from a base value of 666 for files.
A umask of 002 basically means don't remove any permissions from the base value for "user" or "group", but "other" is not allowed write permission (write permission is octal 2, or binary 010 meaning
So if we create a new file:
The file permissions for this new file will be 666-002 = 664, i.e.
rw-rw-r-- (readable and writeable by user and group, but only readable by everyone else).
Similarly, if we create a new directory:
The file permissions for the directory newDir will be 777-002 = 775, i.e.
drwxrwxr-x (readable, writeable, executable by user and group, but only readable and executable by everyone else).
If you wish to set the umask value to something else, simply use umask command like so:
where "newvalue" is an octal number representing which permissions you do not want to be set when files are created.
We'll be covering how to change file ownership and group ownership in the next post.