Linux file permissions
In Linux everything is a file, so everything will have permissions also.
File permissions define which user or system accounts have permissions to read, write, and execute specific files.
These read, write, and execute permissions are defined for:
- user = the user that owns the file
- group = users in the files group
- other = every other user
There are also three other components when it comes to file mode bits, namely the
setuid bit, the
setgid bit, and the sticky bit.
As you'll see later, these "special mode bits" can only be used for certain files.
execute permissions are represented
File permissions are identified through file mode bits. These bits represent what actions can be carried out by specific user accounts.
For example, if you run the command
ls -l to list the files in the current directory, you'll see something similar to this at the beginning of each line in the results:
rwx sequences represent the notion of read (
r), write (
w), and execute (
x) permissions for user, group, and other (in that order).
-rwxrwxrwx above indicates that user, group, and other have read, write and execute permissions for that file or in other words: the owner of the file, anyone in the file's group, and everybody else has read, write, and execute permissions for that file).
Note that the leading
- you'll see in permissions like
-rwxrwxrwx simply indicates that this is a normal file (file type regular).
The possible file types you may see are depicted by preceding the permissions by one of these:
-= regular file
l= symbolic link
b= block special device
c= character device
s= unix socket (local domain socket)
p= named pipe
Here are a few more examples of what you might see:
A regular file, readable and writable by user and group, but only readable by everybody else.
Note that the
d above indicates that the permissions are for a directory (that is the file's type is a directory).
This directory is readable, writable, and executable by "user" whilst only readable and executable by "group" and "other".
Also note that for directories, the execute mode bit `x` indicates access / search-ability of that directory for a particular category of user.
The above permissions show that the owner of this regular file has read and write permission but nobody else has any permissions for that file.
If you see a file with permissions like this:
You'll know it refers to a "character device" (such as a tty) where the "user" has read and write permission, the "group" has write permission, and "other" has no permissions.
To recap, the meanings of `r`, `w`, and `x` for each of the three categories "user", "group", and "other" are illustrated in the image below which shows an `ls -l` command run in a directory which contains filename.txt:
The user name shown in the image above is the name of the user account which owns the file (normally the creator, but this can be changed using
chown) whilst the group name is the creator's primary group (this can be changed using
By default in Ubuntu, the default primary group is a group with the same name as the user. This is the case above where both the user and group are "tutonics".
Note: for more info about user accounts and groups, please read our post about user account and group management.
To understand how default permissions are determined, skip to section "umask - configuring default file / directory permissions" below.
Special mode bits
Normal process permissions
When a process runs, it takes on the effective permissions of the user who started it. This means the process can only read / write / execute what the user has permissions for.
The same applies to the effective group id of a process, it assumes that of the user, so group permissions of the process mirror that of the user.
This behaviour gets changed when setuid and/or setgid bits are set as you'll see next.
Setuid - set user id
setuid bit is set for a program, on execution the process's effective user ID gets set to that of the program file itself (rather than that of the user running it).
If a file with permissions
-rwxrwxrw- gets its
setuid bit set, the permissions will be displayed as
-rwsrwxrw- (note the lower case
If however, the file didn't have the
x permissions for the user, and then had the setuid bit set, you'd see
So to recap, there is a difference between
s the former indicates just the
setuid bit, the latter indicates
setuid bit and execute
x (for that position) in the permissions is set.
Setgid - set group id
setgid bit is set for a program, on execution the process's effective group ID gets set to that of the program file (rather than that of the user's primary group).
setgid bit is shown as either an
If a file starts out with
-rw-r--r-- (no group x) and has its
setgid bit set, you'd see it being displayed as
-rw-r-Sr-- whereas if it started out as
-rw-r-xr-- it would be displayed as
-rw-r-sr-- once the
setgid bit is set.
Setuid for directories
setuid bit is set as part of a directory's permissions in Ubuntu, it does nothing, for example it has no effect (This is not the case for the
setgid bit, as you'll see next).
Setgid for directories
setgid bit is set for a directory, any files created in that directory will have the same group as that directory.
Also, any directories created in that directory will also have their
setgid bit set.
Nowadays (for Linux) the sticky bit is used only in relation to directories.
When a directory has the sticky bit set, only root or the file's owner has permission to change files in that directory.
t are used to indicate that the sticky bit is set. For example a directory with permissions
drwxr-xr-x having the sticky bit set, would change to
drwxr-xr-t whilst a dir with
drwxr-xr-- would change to
T depends on whether the "other" category has
x permissions set or not respectively).
Permissions: octal representation
Sometimes, you'll see permissions referred to numerically in base 8 octal (that is using digits 0-7).
read, write, and execute
read and write
read and execute
write and execute
So for example, using the table above, we can see that the file permissions
-rwxrwxrwx can be represented in octal as
777 (because each
rwx translates to an octal digit
Note that the octal number refers to permissions, the file type does not matter.
So, if we wanted to represent the permissions
drwxrwxrwx of a directory in octal, the same octal number
777 would also apply.
Other octal permission examples:
|user / group / other rwx mode symbols||octal equivalent|
Changing file permissions -
chmod command is used to change the various permission bits of a file or directory.
The command takes the general form:
chmod MODE file
There are two ways to represent the MODE:
- Using symbolic modes (letters to indicate the categories and permission)
- Using numeric modes (An octal (base 8) number that represents the mode)
Using the "numeric modes" way of setting these permissions is shorter than the symbolic method, but not as flexible because you can't build on top of existing permissions which is possible when using "symbolic modes".
Using symbolic modes with
In order to change the permissions of a file using symbolic permissions, use the command format:
chmod SYMBOLIC-MODE FILENAME
SYMBOLIC-MODE is the symbolic representation of permissions (which we describe below) that you wish to apply to FILENAME.
The letters for user, group, and other are
o respectively. The letter
a is used to mean all three of these categories.
The MODE above takes the form (as per manpage):
So, the operations available are:
+(add the permissions to what currently exists).
-(remove the permissions from what currently exists).
=(set to this value only, replacing existing permissions).
When you combine the above with the permission letters`
x you can run
chmod commands like those shown below.
For example, to use chmod to set permissions of file
-rwxrwxrwx you could run:
chmod a=rwx filename
Breaking this down, the
a means all and
rwx means set read, write, and execute.
= means that permissions are to be set to exactly what we specify. (that is we overwrite the current permissions).
In this case you can get the same result more explicitly using either:
chmod ugo=rwx filename
chmod ugo+=rwx filename
Regarding just the symbolic mode part of the command, here are a few more examples:
To add read permission for all:
To remove permissions for all:
To add execute permissions for all:
To remove execute permissions for all:
To assign read, write permissions only for user and group:
To add read, write permissions to user and group to the permissions that already exist:
To remove execute permissions from group and other (i.e from all users except the file's owner):
To remove permissions to do anything from all users except the owner:
Note in the examples above and in general that there are different combinations that have the same effect.
Changing Special Modes Using Symbols
setuid bit can be set using:
setuid bit can be removed using:
setgid can be set using:
and removed using:
The sticky bit can be set by using:
and removed using:
Using numeric modes with
To set the permissions of a file or directory using numeric modes, simply use the format:
chmod OCTAL-MODE FILENAME
OCTAL-MODE is the octal form of the permissions.
For example, to set the permissions of filename to
-rw-r--r-- you could run the command:
chmod 644 filename
or to change permissions to
-rwxrwxrwx you could use the command:
chmod 777 filename
Be careful when setting permissions to
777 as this means every single user account can read, write, and execute that file.
Special mode bits
setgid, and sticky bit can be set using
1= sticky bit
For example to set the
setuid bit along with permissions
chmod 4766 filename
To set the
setgid bit along with
chmod 2776 filename
To set sticky bit along with
chmod 1776 fileanme
To set both
setgid(4) along with
766, prepend with
6 (that is
chmod 6766 filename
Configuring default file / directory permissions with
When a user creates a file, how does the system determine that file's initial permissions?
This is done based on the user's
umask value specifies which permissions are not to be set.
In Ubuntu, the default
umask value for a normal user is
002, while the default for root is
You can find out the current
umask value (or set it) using the
If (as a normal user) you run the command:
You'll see something like
0002 displayed, however octal numbers are preceded by a
0 (in the same way hex would be preceded by
0x), so the
umask value itself is actually
This value is an octal (base 8, digits 0-7) value which is subtracted from a base value of
777 for directories, or subtracted from a base value of
666 for files.
002 basically means don't remove any permissions from the base value for
other is not allowed write permission (write permission is octal
2, or binary
So if we create a new file:
The file permissions for this new file will be
664, that is
rw-rw-r-- (readable and writable by user and group, but only readable by everyone else).
Similarly, if we create a new directory:
The file permissions for the directory
newDir will be
775, that is
drwxrwxr-x (readable, writable, executable by user and group, but only readable and executable by everyone else).
If you wish to set the
umask value to something else, simply use
umask command like so:
newvalue is an octal number representing which permissions you do not want to be set when files are created.
We'll be covering how to change file ownership and group ownership in the next post.