File Permissions & Ownership
Linux File Ownership
Files and directories in Linux are owned by a user and a group.
chown
The chown command can be used to set or change the user or group associated with ownership of the file.
To change only the owner of a file;
chown username filename
To change only the group of a file;
chown :groupname filename
To change the owner and group of a file;
chown newuser:newgroup filename
Flags
| Flag | Description |
| --- | --- |
| -R | Recursive. |
| -c | Changes - Similar to verbose, but only reports if changes are made to a file. |
| -f | Suppress most errors. |
| -v | Verbose - Display diagnostic info for every file processed. |
chgrp
The chgrp command is a dedicated command for changing the group associated with a file.
chgrp groupname filename
Linux File Permissions
Every file in Linux has permissions; these define which actions can be taken by the user (owner), the group, and other (everyone else).
In the ls -l listing below, the permissions appear at the start of the line as a string of 10 characters.
-r--r-xrw- 1 root root 27 May 26 10:56 test.txt
The first of these 10 characters is the file type; the remaining nine are three r/w/x triplets for the user, the group, and other, in that order. The file type is represented as follows:
File Type
| File Type | Symbolic Representation |
| --- | --- |
| file | - |
| directory | d |
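The 10-character string can be decoded mechanically. The following is an added example (not code from the original page) that parses such a string into its file type and octal mode, including the special bits that show up as s/S in the user or group execute slot and t/T in the other slot; the file_mode_octal helper reads the string from ls -ld, and the sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): parse the 10-character mode
# string printed by `ls -l` into a file type and an octal mode, including the
# special bits (s/S in the user or group execute slot, t/T in the other slot).

# Convert one rwx triplet such as "r-x" to a single octal digit.
# A lowercase s or t in the third slot means the execute bit is also set;
# an uppercase S or T means the special bit is set without execute.
triplet_to_digit() {
    t=$1
    n=0
    case $t in r??) n=$((n + 4)) ;; esac
    case $t in ?w?) n=$((n + 2)) ;; esac
    case $t in ??[xst]) n=$((n + 1)) ;; esac
    echo "$n"
}

# mode_to_octal '-r--r-xrw-' prints "- 0456": the type, then the special,
# user, group and other digits.
mode_to_octal() {
    m=$1
    [ "${#m}" -eq 10 ] || { echo "invalid mode string: $m" >&2; return 1; }
    type=$(printf '%s' "$m" | cut -c1)
    u=$(printf '%s' "$m" | cut -c2-4)
    g=$(printf '%s' "$m" | cut -c5-7)
    o=$(printf '%s' "$m" | cut -c8-10)
    special=0
    case $u in ??[sS]) special=$((special + 4)) ;; esac   # SUID
    case $g in ??[sS]) special=$((special + 2)) ;; esac   # SGID
    case $o in ??[tT]) special=$((special + 1)) ;; esac   # sticky bit
    printf '%s %d%d%d%d\n' "$type" "$special" \
        "$(triplet_to_digit "$u")" "$(triplet_to_digit "$g")" "$(triplet_to_digit "$o")"
}

# Read the mode string of a real path from `ls -ld` (columns 1-10) and parse it.
file_mode_octal() {
    mode_to_octal "$(ls -ld "$1" | cut -c1-10)"
}

mode_to_octal '-r--r-xrw-'   # the test.txt line from the page: "- 0456"
```

The test.txt line on the page therefore decodes to mode 456: the owner can only read, the group can read and execute, and everyone else can read and write, which is the kind of inverted layout an audit script built on this parser should flag.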
chmod
The chmod command is used for changing file or directory permissions.
chmod [options] {mode} filename
chmod Modes
The chmod command supports two 'modes': two different ways of expressing the permission change you want to make.
Symbolic Mode
Symbolic mode allows for changes to be made using three components;
| Permission Contexts | Permission Operators | Permission Attributes |
| --- | --- | --- |
| u/g/o/a (User/Group/Other/All) | +/-/= (Add/Remove/Set exactly) | r/w/x (Read/Write/Execute) |
Example
To add write permission for the user;
chmod u+w test.txt
To exactly set permissions for u/g/o;
chmod u=rwx,g=rwx,o=r filename
Absolute Mode
Absolute mode allows for changes to be made using the octal numbering system, as shown below;
| Number | Attribute |
| --- | --- |
| 4 | Read |
| 2 | Write |
| 1 | Execute |
These numbers can be combined to set permissions on a file or directory.
Example
For example, to set user=read+write (4+2), group=read (4), other=execute (1);
chmod 641 filename
Flags
(Flags are usable with either mode)
| Flag | Description |
| --- | --- |
| -R | Recursive. |
| -c | Changes - Similar to verbose, but only reports if changes are made to a file. |
| -f | Suppress most errors. |
| -v | Verbose - Display diagnostic info for every file processed. |
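To see both modes and the -c and -R flags in action, here is an added example (not from the original page) that applies chmod to scratch files and reads the result back. It assumes GNU coreutils (stat -c %a prints the octal mode) and mktemp; the file names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): apply chmod in symbolic and
# absolute mode to scratch files and read the result back with stat.

# Apply one chmod specification to a fresh file that starts at mode 000 and
# print the resulting octal mode (stat -c %a is GNU coreutils syntax).
mode_after_chmod() {
    spec=$1
    f=$(mktemp) || return 1
    chmod 000 "$f"
    chmod "$spec" "$f"
    stat -c '%a' "$f"
    rm -f "$f"
}

# Show that -c reports only files whose mode actually changed: a is already
# 644 and b is 600, so "chmod -c 644 a b" prints exactly one line.
count_reported_changes() {
    d=$(mktemp -d) || return 1
    touch "$d/a" "$d/b"
    chmod 644 "$d/a"
    chmod 600 "$d/b"
    chmod -c 644 "$d/a" "$d/b" | wc -l | tr -d ' '
    rm -rf "$d"
}

# Recursive (-R): strip group/other write from a directory and everything
# below it, a common hardening step, and print "dir file" modes afterwards.
modes_after_recursive() {
    d=$(mktemp -d) || return 1
    mkdir "$d/sub"
    touch "$d/sub/f"
    chmod 777 "$d/sub"
    chmod 666 "$d/sub/f"
    chmod -R go-w "$d/sub"
    printf '%s %s\n' "$(stat -c %a "$d/sub")" "$(stat -c %a "$d/sub/f")"
    rm -rf "$d"
}

mode_after_chmod 'u+w'              # 200: only the owner write bit on a 000 file
mode_after_chmod 'u=rwx,g=rwx,o=r'  # 774
mode_after_chmod 641                # 641: user rw, group r, other x
count_reported_changes              # 1
modes_after_recursive               # 755 644
```

Note that symbolic + and - edit the existing bits while = and absolute mode replace them outright, which is why mode_after_chmod starts every file at 000 so the results are comparable.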
Special Permissions
Special permissions are used in circumstances where additional permissions may need to be granted to specific users.
SUID - SetUID
SUID (Set User ID) - SUID is a special permission that can be applied to executable files. When a file has the SUID bit set and someone runs it, the program runs with the permissions of the file’s owner, not the user who launched it.
SUID permissions can be set using the chmod command in both symbolic and absolute mode;
Symbolic:
chmod u+s filename
Absolute:
chmod 4### filename
(where ### are numeric values following the standard absolute permissions format)
SGID - SetGID
SGID (Set Group ID) - A special permission which, when set on a directory, ensures that any files created within that directory are given the directory's group as their group owner by default.
SGID Permissions can be set using the chmod command in both symbolic and absolute mode;
Symbolic;
chmod g+s filename
Absolute;
chmod 2### filename
Sticky Bit
In Linux, the sticky bit is a special permission that can be set on directories to control user access to the files within those directories. When the sticky bit is set on a directory, it restricts the deletion or renaming of files within that directory. Specifically, only the file's owner, the directory's owner, or the root user can delete or rename files.
Again, the sticky bit can be controlled using the chmod command in either symbolic or absolute mode;
Symbolic;
Enable the sticky bit;
chmod +t directoryname
Absolute;
chmod 1### directoryname
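The following added example (not from the original page) sets SUID, SGID and the sticky bit with both chmod modes on a scratch tree, confirms the resulting modes with stat, and then counts set-id files with find -perm, which is the usual way to audit a host for unexpected set-id binaries. It assumes GNU coreutils and find; all file names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): set SUID, SGID and the sticky
# bit with both chmod modes on scratch files, verify them with stat, and
# audit a tree for set-id files with find -perm.

# Build a scratch tree and print its path. The entries are owned by the
# caller, so no root privileges are needed to set these bits on them.
make_special_tree() {
    d=$(mktemp -d) || return 1
    touch "$d/suid_sym" "$d/suid_abs" "$d/plain"
    chmod 755 "$d/suid_sym" "$d/suid_abs" "$d/plain"
    chmod u+s "$d/suid_sym"        # symbolic: 4755
    chmod 4755 "$d/suid_abs"       # absolute: same result
    mkdir "$d/shared" "$d/drop"
    chmod 2775 "$d/shared"         # SGID directory: new files inherit its group
    chmod 1777 "$d/drop"           # sticky: only a file's owner (or root) may delete it
    printf '%s\n' "$d"
}

# Octal modes of the five entries, space separated: "4755 4755 755 2775 1777".
modes_of_tree() {
    stat -c %a "$1/suid_sym" "$1/suid_abs" "$1/plain" "$1/shared" "$1/drop" \
        | tr '\n' ' ' | sed 's/ $//'
}

# Audit: count regular files with SUID (-perm -4000) or SGID (-perm -2000) set.
# Pointed at / instead of a scratch tree, this lists every set-id binary on the
# host so it can be compared against the expected baseline.
count_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | wc -l | tr -d ' '
}

tree=$(make_special_tree)
modes_of_tree "$tree"        # 4755 4755 755 2775 1777
count_setid_files "$tree"    # 2 (suid_sym and suid_abs)
rm -rf "$tree"
```

The -perm -4000 form matches files that have at least that bit set, regardless of the other bits, which is what an audit wants; the exact-match form (-perm 4755) would miss a 4711 binary.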
Immutable
Immutability is a special permission that can be set on a file to prevent it from being modified by any user, including root. This permission is set using the chattr command;
chattr +i filename
To remove the attribute;
chattr -i filename
To view file attributes;
lsattr filename
Why does immutability use chattr rather than chmod?
Immutability is an attribute stored on the inode rather than a permission on the user/group/other level. This means the system marks the inode itself, the structure holding the file's data, as immutable, so no permission bit can override it.
umask & default permissions
Each Linux user has a setting that decides the default permissions applied to files and directories created by that user; this is known as the 'umask'.
The umask is shown as a numeric value made up of four digits.
daniel@test:~$ umask
0002
The first digit represents the special bits (such as the sticky bit); the following three digits represent the user, group and other permissions.
As you can see, the numbers used here differ from the standard numeric permission values. This is because when a file or directory is created on a Linux system, it initially takes the default maximum permissions, which are 777 for directories and 666 for files. The umask is then applied to that maximum: its value identifies the permission bits that are to be removed from the maximum.
For example, a newly created directory starts at 777. With a umask of 022, the umask is applied and the directory ends up at 777 - 022 = 755.
Changing umask value
To change the umask value for the current user;
umask [numeric value]
| Flag | Description |
| --- | --- |
| -S | Display the current mask in symbolic form. |
| -p | Display the current mask in numeric format, as a umask command that can be reused as input. |
The default permissions can also be altered via the bashrc file for a given user. This will typically be located within /home/user/.bashrc.
To alter the umask value within .bashrc, change or add the following line, using your desired value;
umask 0022
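The calculation above can be checked directly. The following added example (not from the original page) computes the mode a new file or directory receives under a given umask and confirms it by creating both in a subshell with that umask set, so the caller's own umask is untouched. It assumes GNU coreutils (stat -c %a) and mktemp. Note the caveat it demonstrates: the kernel applies the umask as a bitwise mask (base AND NOT umask), which agrees with the subtraction shorthand for common masks such as 022 but not for every value.

```shell
#!/bin/sh
# Added example (not from the original page): compute the permissions a new
# file or directory receives under a given umask, then confirm by creating
# them in a subshell with that umask set.

# effective_mode BASE UMASK -> octal mode, e.g. effective_mode 666 022 -> 644.
# The kernel masks bits out (base & ~umask); a leading 0 makes the shell
# treat both operands as octal, and & 0777 drops the sign-extended high bits.
effective_mode() {
    base=$1
    mask=$2
    printf '%o\n' $(( 0$base & ~0$mask & 0777 ))
}

# Create a file and a directory under UMASK (in a subshell, so the caller's
# umask is untouched) and print their modes as "file dir".
created_modes() {
    d=$(mktemp -d) || return 1
    ( umask "$1" && touch "$d/f" && mkdir "$d/sub" ) || return 1
    printf '%s %s\n' "$(stat -c %a "$d/f")" "$(stat -c %a "$d/sub")"
    rm -rf "$d"
}

effective_mode 777 022   # 755, the page's worked example
effective_mode 666 022   # 644
effective_mode 666 033   # 644 (arithmetic subtraction would wrongly give 633)
created_modes 027        # 640 750: a common hardened default for service accounts
```

A umask of 027 is a typical hardening choice: new files are readable only by the owner and group, and other gets nothing, without any per-file chmod.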
FACL - File Access Control List
File Access Control Lists (FACLs) provide a robust mechanism for managing file permissions in Linux, offering greater flexibility and control than traditional Unix permissions. By using commands like setfacl and getfacl, administrators can easily set and view ACLs to fine-tune access to files and directories for multiple users and groups.
View file/directory ACL
getfacl filename
Grant an additional user permissions on a file
setfacl -m u:username:rwx filename
Remove a user's permissions on a file
setfacl -x u:username filename
Define default permissions for a directory, to be inherited by files created within it
setfacl -m d:u:username:rwx directoryname
setfacl flags
| Flag | Description |
| --- | --- |
| -R | Recursive |
| -s | Set ACL |
| -m | Modify existing ACL |
| -x | Remove existing ACL entries |
| -b | Remove all entries except standard permissions |
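The following added example (not from the original page) runs the setfacl/getfacl commands above end to end: it grants a named user an entry on a file, reads it back, revokes it, and shows a default ACL being inherited by a new file in a directory. The named user is the current account (id -un) so the example needs no extra users, the file names are constructed, and the getfacl sample used to exercise the parser is constructed too; the live part returns "skipped" when the acl tools are not installed or the filesystem does not support ACLs.

```shell
#!/bin/sh
# Added example (not from the original page): grant, inspect, revoke and
# inherit POSIX ACL entries with setfacl/getfacl.

# Extract the permission triplet of the named-user entry for USER from
# getfacl output on stdin. getfacl appends "#effective:..." when the mask
# narrows an entry, so only the first three characters of the field count.
named_user_perms() {
    awk -F: -v u="$1" '$1 == "user" && $2 == u { print substr($3, 1, 3) }'
}

# Constructed sample of `getfacl -c` output (user alice granted rwx, but
# narrowed to rw- by the mask), used to exercise the parser offline.
SAMPLE_ACL='user::rw-
user:alice:rwx          #effective:rw-
group::r--
mask::rw-
other::---'

# Live run: prints "granted revoked inherited", e.g. "r-- none rwx",
# or "skipped" when ACLs cannot be used here.
acl_demo() {
    me=$(id -un)
    command -v setfacl >/dev/null 2>&1 && command -v getfacl >/dev/null 2>&1 \
        || { echo skipped; return 0; }
    d=$(mktemp -d) || return 1
    touch "$d/report.txt"
    chmod 600 "$d/report.txt"
    # Grant: setfacl -m u:NAME:PERMS (fails on filesystems without ACL support)
    if ! setfacl -m "u:$me:r--" "$d/report.txt" 2>/dev/null; then
        rm -rf "$d"
        echo skipped
        return 0
    fi
    granted=$(getfacl -c "$d/report.txt" | named_user_perms "$me")
    # Revoke: setfacl -x u:NAME removes only that entry
    setfacl -x "u:$me" "$d/report.txt"
    after=$(getfacl -c "$d/report.txt" | named_user_perms "$me")
    # Default ACL (d:u:NAME:PERMS) on a directory is copied to new files inside it
    mkdir "$d/shared"
    setfacl -m "d:u:$me:rwx" "$d/shared"
    touch "$d/shared/new.txt"
    inherited=$(getfacl -c "$d/shared/new.txt" | named_user_perms "$me")
    rm -rf "$d"
    echo "$granted ${after:-none} $inherited"
}

printf '%s\n' "$SAMPLE_ACL" | named_user_perms alice   # rwx
acl_demo                                              # r-- none rwx
```

Two points worth noticing when reviewing ACLs: ls -l shows only a "+" after the mode string when an ACL is present, so getfacl is the only way to see the actual entries, and the "#effective:" annotation means the mask, not the entry, decides what the user really gets.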