# Understanding File and Directory Permissions

File permissions are core to the security model used by Linux systems. The file permission in Linux specifies how much power each user has over a given file or directory.

## Viewing Permissions

There are two ways of viewing file permissions in Linux:

1. Using a graphical user interface (GUI) by ***right-clicking the file/directory -&gt; Properties -&gt; Permissions***
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1720481106296/0c75ec59-d3ca-4fac-8c5b-1b642b32fc73.png align="center")
    
2. Using a command-line interface (CLI) by typing `ls -l` command.
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1720563921328/c7437843-2787-4982-8cc6-f4cc2678a2db.png align="center")
    
    The output of this command is explained further.
    

### Permission Groups

Each file and directory in Linux can be accessed or modified by three different classes of users.

1. **User (u)**: The user who owns the file.
    
2. **Group** : The group that the file belongs to.
    
3. **Others**: All other users.
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1720453483726/3eedc979-58e7-4b91-873a-a600d0f0649e.png align="center")

## /Permissions Types

Each file or directory has three basic permission types:

1. **Read** (r) - allows to read the contents of the file.
    
2. **Write** (w) - allows to write or modify a file or directory.
    
3. **Execute** (x) - allows to execute a file or view the contents of a directory.
    

## How to Read File Permissions

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1720481597854/3c9284b3-38dd-4887-8461-2b14d28a4d02.png align="center")

The permissions are represented as a string of 10 characters, like `-rw-rw-r--`.

These characters can be broken down as follows:

* The first character indicates the type of file
    
    * `-` for regular files,
        
    * `d` for directories,
        
    * `l` for symbolic links,
        
* The next three characters indicate the permissions for the user/owner of the file/directory (`rw-` read, write).
    
* The following three characters indicate the permissions for the group the file/directory belongs to (`rw-` read, write).
    
* The last three characters indicate the permissions for others (`r--` read).
    

| Permission string | directory | file |
| --- | --- | --- |
| **read (r)** | The user can read the contents of the directory. In other words, he can view the listing of the directory. | The user can read the contents of the file. |
| **write (w)** | The user can add/remove files to/from the directory. | The user can write content to the file. |
| **execute (x)** | The user can go inside the directory. The user cannot read the directory's contents if it is not set. | The user can execute the file as if it were a program/script. |

So, the file above `weather-report.service` is owned by the user `vagrant` and belongs to the group `vagrant` . Its owner `vagrant` and all group members `vagrant` can read and write to the file while all others can only read the file.

<div data-node-type="callout">
<div data-node-type="callout-emoji">💡</div>
<div data-node-type="callout-text">Many distributions in Linux create a group when a user is created and by default, all the folders and files created inside the home directory will be owned by the user and the group.</div>
</div>

## Changing Permissions

Changing permissions in Linux can be done using the `chmod` command in 2 ways:

1. Symbolic mode;
    
2. Numeric (Octal) Mode:
    

### Symbolic Mode

Symbolic mode allows to change file and directory permissions using symbolic representations of the

* User classes
    
    * User **(u)**,
        
    * Group **(g)**,
        
    * Others **(o)**
        
    * All (user, group, and others) **(a)**
        
* Permissions types
    
    * Read **(r)**,
        
    * Write **(w)**,
        
    * Execute **(x)**.
        
* Operators
    
    * `+`: Adds the specified permissions to the existing ones without altering other permissions.
        
    * `-`: Removes the specified permissions.
        
    * `=`: Sets the specified permissions and removes any permissions not listed.
        

To add read, write, and execute permissions for the user:

```bash
chmod u+rwx file
```

To set read and write permissions for the group:

```bash
chmod g=rw file
```

To remove execute permission for others:

```bash
chmod o-x file
```

### Numeric Mode

When `chmod` command is used with numerical values three digits are specified. The first digit is for the user, the second is for the group and the third is for others. Each digit represents a different set of permissions. The digits are calculated by adding up the values of:

* r (read) = `4`,
    
* w (write) = `2`,
    
* x (execute) = `1`,
    
* no permission = `0`
    

The numbers are summed up and depicted by one number. Therefore, the possibilities are:

* `7` - for read, write, and execute permission.
    
* `6` - for read and write privileges.
    
* `5` - for read and execute privileges.
    
* `4` - for read privileges.
    

To give the owner read and write permissions, the group read permissions, and no rights for all others, type.

```bash
chmod 640 filename
```

To change the permission for every file all in one shot:

```bash
chmod 640 Download/*
```

## Changing Ownership

Aside from changing file and directory permissions, we can also change **user ownership** and **group ownership** of the file and directory. Both of these tasks require superuser privileges.

### Changing the Owner

To change the owner of a file or directory:

```bash
sudo chown username /Downloads/
```

### Changing the Owner and Group

To change both the owner and the group:

```bash
sudo chown username:groupname filename
```

### Changing Only the Group

To change only the group:

```bash
sudo chown :groupname filename
```

## Special Permissions

In addition to the standard read, write, and execute permissions, Linux also supports special permissions that provide additional security and functionality features for files and directories.

1. **Setuid (Set User ID)** - When set on an executable file, the file runs with the permissions of the file's owner, not the person running it.
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1720567131692/97b5a6fc-3793-438e-a365-3f0d8dc4b960.png align="center")
    
    In order `setuid` to work, the file should be ***executable*** and owned by `root` in order to grant temporary elevated privileges to the person running it.
    
2. **Setgid (Set Group ID)** - Similar to `setuid`, the `setgid` permission allows a user to execute a file with the permissions of the file's group, rather than the permissions of the user executing the file. `setgid` is often used for directories to ensure that files created within the directory inherit the group ownership of the directory.
    
3. **Sticky Bit**: When the sticky bit is set on a directory, it restricts the deletion or renaming of files within that directory to only the file owner, the directory owner, or the root user, even if other users have write permissions on the directory. This is commonly used on directories like `/tmp`, where many users have write access, to prevent users from deleting or renaming each other's files. The sticky bit is more useful in shared directories where multiple users have write access.
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1720568463953/ad9360c0-2f48-4f5f-8659-4e2bbae32d75.png align="center")
    

## References:

1. [Linux Crash Course - Understanding File & Directory Permissions](https://www.youtube.com/watch?v=4e669hSjaX8&list=PLT98CRl2KxKHKd_tH3ssq0HPrThx2hESW&index=21)
    
2. [Linux file permissions explained](https://www.redhat.com/sysadmin/linux-file-permissions-explained)
    
3. [Classic SysAdmin: Understanding Linux File Permissions](https://www.linuxfoundation.org/blog/blog/classic-sysadmin-understanding-linux-file-permissions)
    
4. [Linux Permissions Explained](https://phoenixnap.com/kb/linux-file-permissions)
