What sysadmins need to know about Linux permissions
Standard permissions in Linux are simple and direct, and they can be used to manage files and file shares on many different filesystems and file-sharing protocols. An access control list (ACL) adds even more functionality to Linux permissions. This article covers just a few permissions basics and provides links to other great Enable Sysadmin content that delves into permissions and ACLs in more detail.
Standard Linux permissions
Standard Linux permissions involve three identities and three levels of access.
- User (u): One user or owner of the resource
- Group (g): One identified group
- Others (o): Everyone who is not the user or in the group listed above
- Read (r): View the contents of a file or directory
- Write (w): Write to a file or directory
- Execute (x): Run an executable, such as a script, and change directories using the
You set permissions by using the
chmod command. Access levels can be defined by using either absolute or symbolic mode with
chmod. For more details, see my article How to manage permissions for users, groups, and others. Shawshank Nandishwar Hedge also provides an overview of the
chmod command in Linux permissions: An introduction to chmod.
You display permissions by using the
ls -l command. The primary related output has nine fields:
- The first three fields (leftmost) define rwx settings for the user
- The second three fields define the permissions for the associated group
- The final (rightmost) three fields display the permissions for others
Suraj Patil covers the
ls command in the article Getting started with ls.
[ Get more tips by downloading the Bash shell scripting cheat sheet. ]
Probably the most complex part of Linux permissions is the Set owner User ID (SUID), Set Group ID up on execution (SGID), and sticky bit settings. These settings allow different functions and require some experimentation to understand fully.
- SUID: Set user ID—execute programs as another user
- SGID: Set group ID—define group inheritance within a directory
- Sticky bit: Load files into memory
All three settings offer more functionality than what's listed here.
Tyler Carrigan covered these three special permissions in Linux permissions: SUID, SGID, and sticky bit. It's well worth your time to try various scenarios with all three settings.
Access control lists
One concern with standard permissions is that you can define only a single user and a single group. This makes it more difficult to grant user A read-write on a file, but user B read-only. Access control lists allow sysadmins to define different access levels for different users and groups, providing far more functionality. The use of ACLs is a feature of the filesystem, but most modern Linux filesystems now support this level of access control.
You display ACL settings using the
getfacl command and configure them with the
setfacl command. Glen Newell covers ACLs in detail in An introduction to access control lists (ACLs). Glen even provides a few example scenarios to work through.
It's also helpful to display existing permissions for security documentation, auditing reports, or ensuring you configured access to resources correctly. You can use the
find command to display permissions on resources. I wrote about using
find this way in How to audit permissions with the find command. I encourage you to work with
find to ensure users have the proper access levels to files and directories.
Some aspects of Linux permissions can be tricky, especially for newer Linux sysadmins. Enable Sysadmin has many articles that review both standard permissions and ACLs. Rely on these articles to provide you with the skills necessary to manage Linux systems successfully.