Skip to main content

What sysadmins need to know about Linux permissions

Managing user and group permissions to files is one of a Linux admin's most critical tasks.
Image
Keys with a lightbulb

Photo by Aphiwat chuangchoem from Pexels

Standard permissions in Linux are simple and direct, and they can be used to manage files and file shares on many different filesystems and file-sharing protocols. An access control list (ACL) adds even more functionality to Linux permissions. This article covers just a few permissions basics and provides links to other great Enable Sysadmin content that delves into permissions and ACLs in more detail.

Standard Linux permissions

Standard Linux permissions involve three identities and three levels of access.

Identities:

  • User (u): One user or owner of the resource
  • Group (g): One identified group
  • Others (o): Everyone who is not the user or in the group listed above

Access levels:

  • Read (r): View the contents of a file or directory
  • Write (w): Write to a file or directory
  • Execute (x): Run an executable, such as a script, and change directories using the cd command

Configure permissions

You set permissions by using the chmod command. Access levels can be defined by using either absolute or symbolic mode with chmod. For more details, see my article How to manage permissions for users, groups, and others. Shawshank Nandishwar Hedge also provides an overview of the chmod command in Linux permissions: An introduction to chmod.

Display permissions

You display permissions by using the ls -l command. The primary related output has nine fields:

  • The first three fields (leftmost) define rwx settings for the user
  • The second three fields define the permissions for the associated group
  • The final (rightmost) three fields display the permissions for others

Suraj Patil covers the ls command in the article Getting started with ls.

[ Get more tips by downloading the Bash shell scripting cheat sheet. ]

Special permissions

Probably the most complex part of Linux permissions is the Set owner User ID (SUID), Set Group ID up on execution (SGID), and sticky bit settings. These settings allow different functions and require some experimentation to understand fully.

  • SUID: Set user ID—execute programs as another user
  • SGID: Set group ID—define group inheritance within a directory
  • Sticky bit: Load files into memory

All three settings offer more functionality than what's listed here.

Tyler Carrigan covered these three special permissions in Linux permissions: SUID, SGID, and sticky bit. It's well worth your time to try various scenarios with all three settings.

Access control lists

One concern with standard permissions is that you can define only a single user and a single group. This makes it more difficult to grant user A read-write on a file, but user B read-only. Access control lists allow sysadmins to define different access levels for different users and groups, providing far more functionality. The use of ACLs is a feature of the filesystem, but most modern Linux filesystems now support this level of access control.

You display ACL settings using the getfacl command and configure them with the setfacl command. Glen Newell covers ACLs in detail in An introduction to access control lists (ACLs). Glen even provides a few example scenarios to work through.

Audit permissions

It's also helpful to display existing permissions for security documentation, auditing reports, or ensuring you configured access to resources correctly. You can use the find command to display permissions on resources. I wrote about using find this way in How to audit permissions with the find command. I encourage you to work with find to ensure users have the proper access levels to files and directories.

Wrapping up

Some aspects of Linux permissions can be tricky, especially for newer Linux sysadmins. Enable Sysadmin has many articles that review both standard permissions and ACLs. Rely on these articles to provide you with the skills necessary to manage Linux systems successfully.

Author’s photo

Damon Garn

Damon Garn owns Cogspinner Coaction, LLC, a technical writing, editing, and IT project company based in Colorado Springs, CO. Damon authored many CompTIA Official Instructor and Student Guides (Linux+, Cloud+, Cloud Essentials+, Server+) and developed a broad library of interactive, scored labs. He regularly contributes to Enable Sysadmin, SearchNetworking, and CompTIA article repositories. Damon has 20 years of experience as a technical trainer covering Linux, Windows Server, and security content. He is a former sysadmin for US Figure Skating. He lives in Colorado Springs with his family and is a writer, musician, and amateur genealogist. More about me

Try Red Hat Enterprise Linux

Download it at no charge from the Red Hat Developer program.