Chapter 5. Managing file permissions

5.1. Introduction to file permissions

Every file or directory has three levels of ownership:

  • User owner (u).
  • Group owner (g).
  • Others (o).

Each level of ownership can be assigned the following permissions:

  • Read (r).
  • Write (w).
  • Execute (x).

Note that the execute permission for a file allows you to run that file. The execute permission for a directory allows you to enter the directory and access the items within it; the directory itself is never executed.

When a new file or directory is created, a default set of permissions is automatically assigned to it. The default permissions for a file or directory are based on two factors:

  • Base permission.
  • The user file-creation mode mask (umask).

5.1.1. Base permissions

Whenever a new file or directory is created, a base permission is automatically assigned to it.

Base permissions for a file or directory can be expressed in symbolic or octal values.

Permission              Symbolic value   Octal value
No permission           ---              0
Execute                 --x              1
Write                   -w-              2
Write and execute       -wx              3
Read                    r--              4
Read and execute        r-x              5
Read and write          rw-              6
Read, write, execute    rwx              7

The base permission for a directory is 777 (drwxrwxrwx), which grants everyone the permissions to read, write, and execute. This means that the directory owner, the group, and others can list the contents of the directory, create, delete, and edit items within the directory, and descend into it.

Note that individual files within a directory can have their own permission that might prevent you from editing them, despite having unrestricted access to the directory.

The base permission for a file is 666 (-rw-rw-rw-), which grants everyone the permissions to read and write. This means that the file owner, the group, and others can read and edit the file.

Example 1

If a file has the following permissions:

$ ls -l
-rwxrw----. 1 sysadmins sysadmins 2 Mar 2 08:43 file
  • - indicates it is a file.
  • rwx indicates that the file owner has permissions to read, write, and execute the file.
  • rw- indicates that the group has permissions to read and write, but not execute the file.
  • --- indicates that other users have no permission to read, write, or execute the file.
  • . indicates that the SELinux security context is set for the file.

Example 2

If a directory has the following permissions:

$ ls -dl directory
drwxr-----. 1 sysadmins sysadmins 2 Mar 2 08:43 directory
  • d indicates it is a directory.
  • rwx indicates that the directory owner has the permissions to read, write, and access the contents of the directory.

    As a directory owner, you can list the items (files, subdirectories) within the directory, access the content of those items, and modify them.

  • r-- indicates that the group has permission to read, but not to write to or access the contents of the directory.

    As a member of the group that owns the directory, you can list the names of the items within the directory. Without the execute (search) permission you cannot access information about those items, open them, or modify them.

  • --- indicates that other users have no permission to read, write, or access the contents of the directory.

    As a user who is neither the user owner nor a member of the group owner of the directory, you cannot list the items within the directory, access information about those items, or modify them.

  • . indicates that the SELinux security context is set for the directory.

Note

The base permission that is automatically assigned to a file or directory is not the default permission the file or directory ends up with. When you create a file or directory, the base permission is altered by the umask. The combination of the base permission and the umask creates the default permission for files and directories.

5.1.2. User file-creation mode mask

The umask is a variable that automatically removes permissions from the base permission value whenever a file or directory is created, to increase the overall security of a Linux system.

The umask can be expressed in symbolic or octal values.

Permission kept               Symbolic value   Octal value
Read, write, and execute      rwx              0
Read and write                rw-              1
Read and execute              r-x              2
Read                          r--              3
Write and execute             -wx              4
Write                         -w-              5
Execute                       --x              6
No permissions                ---              7

Each octal digit names the permissions that are removed; the symbolic column shows what remains, which is also how umask -S displays the mask.

The default umask for a standard user is 0002. The default umask for a root user is 0022.

The first digit of the umask masks the special permissions (setuid, setgid, and the sticky bit). The last three digits of the umask represent the permissions that are removed from the user owner (u), group owner (g), and others (o) respectively.

Example

The following example illustrates how a umask with an octal value of 0137 is applied to a file with the base permission of 666 (rw-rw-rw-) to produce a default permission of 640 (rw-r-----): the 1 removes execute from the owner (a file has none to begin with), the 3 removes write and execute from the group, and the 7 removes everything from others.

Figure 5.1. Applying the umask when creating a file


5.1.3. Default permissions

The default permission for a new file or directory is determined by applying the umask to the base permission.

Example 1

When a standard user creates a new directory, the umask is set to 002 (rwxrwxr-x), and the base permission for a directory is set to 777 (rwxrwxrwx). This brings the default permission to 775 (drwxrwxr-x).

 

                     Symbolic value   Octal value
Base permission      rwxrwxrwx        777
Umask                rwxrwxr-x        002
Default permission   rwxrwxr-x        775

This means that the directory owner and the group can list the contents of the directory, create, delete, and edit items within the directory, and descend into it. Other users can only list the contents of the directory and descend into it.

Example 2

When a standard user creates a new file, the umask is set to 002 (rwxrwxr-x), and the base permission for a file is set to 666 (rw-rw-rw-). This brings the default permission to 664 (-rw-rw-r--).

 

                     Symbolic value   Octal value
Base permission      rw-rw-rw-        666
Umask                rwxrwxr-x        002
Default permission   rw-rw-r--        664

This means that the file owner and the group can read and edit the file, while other users can only read the file.

Example 3

When a root user creates a new directory, the umask is set to 022 (rwxr-xr-x), and the base permission for a directory is set to 777 (rwxrwxrwx). This brings the default permission to 755 (rwxr-xr-x).

 

                     Symbolic value   Octal value
Base permission      rwxrwxrwx        777
Umask                rwxr-xr-x        022
Default permission   rwxr-xr-x        755

This means that the directory owner can list the contents of the directory, create, delete, and edit items within the directory, and descend into it. The group and others can only list the contents of the directory and descend into it.

Example 4

When a root user creates a new file, the umask is set to 022 (rwxr-xr-x), and the base permission for a file is set to 666 (rw-rw-rw-). This brings the default permission to 644 (-rw-r--r--).

 

                     Symbolic value   Octal value
Base permission      rw-rw-rw-        666
Umask                rwxr-xr-x        022
Default permission   rw-r--r--        644

This means that the file owner can read and edit the file, while the group and others can only read the file.

Note

For security reasons, regular files cannot have execute permissions by default: the base permission for a file is 666, so a newly created file never has an execute bit even if the umask is set to 000 (rwxrwxrwx). You must add execute permission explicitly with chmod. Directories, whose base permission is 777, are created with execute permission unless the umask removes it.
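The arithmetic behind the four examples above, as an added shell example that is not part of the original page: the default mode is the base permission with the umask bits cleared, and the kernel applies exactly that at creation time. The script assumes GNU stat (with the BSD form as a fallback) and mktemp; the probe file names are its own.

```shell
#!/bin/sh
# Added example (not from the original page): compute the default mode as
# base permission AND NOT umask, then compare it with what a real file or
# directory receives under that umask.

# default_mode BASE UMASK -> three-digit octal mode (BASE with umask bits cleared).
# The leading 0 makes the shell read both arguments as octal.
default_mode() {
  printf '%03o' $(( 0$1 & ~0$2 ))
}

# octal_to_symbolic MODE -> rwx string, e.g. 640 -> rw-r-----
octal_to_symbolic() {
  mode=$(( 0$1 ))
  out=''
  for pos in 6 3 0; do
    bits=$(( (mode >> pos) & 7 ))
    if [ $(( bits & 4 )) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
    if [ $(( bits & 2 )) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
    if [ $(( bits & 1 )) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
  done
  printf '%s' "$out"
}

# observed_mode KIND UMASK -> mode of a fresh file (KIND=file) or directory
# (KIND=dir) created under UMASK in a temporary directory. The umask is set
# in a subshell so the caller's shell is left untouched.
observed_mode() {
  tmp=$(mktemp -d) || return 1
  (
    umask "$2"
    if [ "$1" = dir ]; then mkdir "$tmp/probe"; else : > "$tmp/probe"; fi
  )
  # GNU stat first, BSD stat as a fallback (assumption: one of the two exists)
  mode=$(stat -c '%a' "$tmp/probe" 2>/dev/null) || mode=$(stat -f '%OLp' "$tmp/probe")
  rm -rf "$tmp"
  printf '%s' "$mode"
}

# Walk the page's four cases, the 0137 figure, and the umask-000 file case.
for spec in 'dir 777 002' 'file 666 002' 'dir 777 022' 'file 666 022' 'file 666 137' 'file 666 000'; do
  set -- $spec
  expected=$(default_mode "$2" "$3")
  actual=$(observed_mode "$1" "$3")
  printf '%-4s base %s umask %s -> %s (%s)  kernel created: %s\n' \
    "$1" "$2" "$3" "$expected" "$(octal_to_symbolic "$expected")" "$actual"
done
```

The last case is the one the note above describes: with umask 000 the file still comes out 666, because no umask can add a bit that the base permission does not contain.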

5.2. Displaying file permissions

The following section describes how to use the ls command to display the permissions for directories, files, and files within directories.

Procedure

  • To see the permissions for a particular directory, use:

    $ ls -dl directory-name

    Replace directory-name with the name of the directory.

  • To see the permissions for a particular directory and all files within that directory, use:

    $ ls -l directory-name

    Replace directory-name with the name of the directory.

  • To see the permissions for a particular file, use:

    $ ls -l file-name

    Replace file-name with the name of the file.

Additional information

  • See the ls man page for more details.

5.3. Changing file permissions

The following section describes how to:

  • Change file permissions using symbolic values.
  • Change file permissions using octal values.

5.3.1. Changing file permissions using symbolic values

You can assign the following permissions:

  • Read (r).
  • Write (w).
  • Execute (x).

Permissions can be assigned to:

  • User owner (u).
  • Group owner (g).
  • Other (o).
  • All (a).

To add or take away the permissions you can use the following signs:

  • + to add the permissions on top of the existing permissions.
  • - to take away the permissions from the existing permission.
  • = to omit the existing permissions and explicitly define the new ones.

The following section describes how to set and remove file permissions using the symbolic values.

Procedure

  • To change the file permissions for an existing file or directory, use:

    $ chmod u=symbolic_value,g+symbolic_value,o-symbolic_value file-name

    Replace file-name with the name of the file or directory, and replace symbolic_value for user, groups, and others with corresponding symbolic values. See Section 5.1.1, “Base permissions” for more details.

    Example

    To change file permissions for my-file.txt from 664 (-rw-rw-r--) to 740 (-rwxr-----), use:

    $ chmod u+x,g-w,o= my-file.txt

    Note that any permission that is not specified after the equals sign (=) is automatically prohibited.

  • To set the same permissions for user, group, and others, use:

    $ chmod a=symbolic_value file-name

    Replace file-name with the name of the file or directory, and replace symbolic_value with a symbolic value. See Section 5.1.1, “Base permissions” for more details.

    Example

    To set the permission for my-file.txt to 777 (-rwxrwxrwx for a file, drwxrwxrwx for a directory), use:

    $ chmod a=rwx my-file.txt

  • To change the permissions for a directory and everything it contains (all files and sub-directories, recursively), add the -R option:

    $ chmod -R symbolic_value directory-name

    Replace directory-name with the name of the directory, and replace symbolic_value with a symbolic value. See Section 5.1.1, “Base permissions” for more details.

    Example

    To change the permissions for /my-directory/ and all its sub-directories from 775 (drwxrwxr-x) to 740 (drwxr-----), use:

    $ chmod -R g-wx,o= /my-directory

    Because this form only removes bits, files inside the directory lose the same bits without gaining any. A recursive octal mode such as chmod -R 740 would instead give every file in the tree an execute bit.

5.3.2. Changing file permissions using octal values

The following section describes how to use the chmod command to change the permissions for a file or directory.

Procedure

  • To change the file permissions for an existing file or directory, use:

    $ chmod octal_value file-name

    Replace file-name with the name of the file or directory, and replace octal_value with an octal value. See Section 5.1.1, “Base permissions” for more details.
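An added shell example, not from the original page, that runs the chmod forms of sections 5.3.1 and 5.3.2 on a throwaway directory tree and reads the resulting modes back. It also shows the trap in recursive octal modes (every file becomes executable) and the capital X symbolic permission, which grants execute to directories only. The tree layout and file names are the example's own; it assumes mktemp and GNU or BSD stat.

```shell
#!/bin/sh
# Added example (not from the original page): apply the chmod forms from
# this section to a disposable tree and read the resulting modes back.

# mode_of PATH -> octal mode as printed by stat (GNU first, BSD fallback).
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# make_tree -> path of a temp directory holding sub/ and sub/data.txt,
# set to the 775/664 defaults a standard user gets.
make_tree() {
  root=$(mktemp -d) || return 1
  mkdir "$root/sub"
  : > "$root/sub/data.txt"
  chmod 775 "$root" "$root/sub"
  chmod 664 "$root/sub/data.txt"
  printf '%s' "$root"
}

# Octal form on a single file (section 5.3.2): 664 -> 640.
octal_single_file() {
  root=$(make_tree) || return 1
  chmod 640 "$root/sub/data.txt"
  m=$(mode_of "$root/sub/data.txt")
  rm -rf "$root"
  printf '%s' "$m"
}

# Recursive octal mode: every entry, files included, becomes exactly 740,
# so data.txt gains an execute bit it never needed.
recursive_octal() {
  root=$(make_tree) || return 1
  chmod -R 740 "$root"
  m="$(mode_of "$root/sub") $(mode_of "$root/sub/data.txt")"
  rm -rf "$root"
  printf '%s' "$m"
}

# The section's symbolic form g-wx,o= only removes bits: directories go
# 775 -> 740 and the file goes 664 -> 640, with no execute bit added.
recursive_symbolic() {
  root=$(make_tree) || return 1
  chmod -R g-wx,o= "$root"
  m="$(mode_of "$root/sub") $(mode_of "$root/sub/data.txt")"
  rm -rf "$root"
  printf '%s' "$m"
}

# To set an absolute mode recursively without making files executable,
# use X: it grants execute to directories (and to files that already have
# an execute bit), never to plain files.
recursive_with_X() {
  root=$(make_tree) || return 1
  chmod -R u=rwX,g=rX,o= "$root"
  m="$(mode_of "$root/sub") $(mode_of "$root/sub/data.txt")"
  rm -rf "$root"
  printf '%s' "$m"
}

printf 'chmod 640 on file            -> %s\n' "$(octal_single_file)"
printf 'chmod -R 740       (dir file) -> %s\n' "$(recursive_octal)"
printf 'chmod -R g-wx,o=   (dir file) -> %s\n' "$(recursive_symbolic)"
printf 'chmod -R u=rwX,g=rX,o= (dir file) -> %s\n' "$(recursive_with_X)"
```

Each function builds its own tree and removes it again, so the script can be run repeatedly without side effects outside the temporary directory.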

5.4. Displaying the umask

The following section describes how to:

  • Display the current octal value of the umask.
  • Display the current symbolic value of the umask.
  • Display the default bash umask.

5.4.1. Displaying the current octal value of the umask

The following section describes how to use the umask command to display the current umask.

Procedure

  • To display the current octal value of the umask for a standard user, use:

    $ umask
  • To display the current octal value of the umask for a root user, use:

    $ sudo umask

    Or:

    # umask

Note

When displaying the umask, you may notice it displayed as a four digit number (0002 or 0022). The first digit of the umask represents a special bit (sticky bit, SGID bit, or SUID bit). If the first digit is set to 0, the special bit is not set.

5.4.2. Displaying the current symbolic value of the umask

The following section describes how to use the umask command to display the current umask.

Procedure

  • To display the current symbolic value of the umask, use:

    $ umask -S
  • To display the current symbolic value of the umask for a root user, use:

    $ sudo umask -S

    Or:

    # umask -S

5.4.3. Displaying the default bash umask

There are a number of shells you can use, such as bash, ksh, zsh and tcsh.

Those shells can behave as login or non-login shells. A login shell is the one you get when you log in on a console, over SSH, or with su -; a terminal emulator opened from a desktop session usually starts a non-login shell.

To determine whether you are executing a command in a login or a non-login shell, use the echo $0 command.

In bash shell, if the output returns bash, you are executing a command in a non-login shell.

$ echo $0
bash

The default umask for the non-login shell is set in /etc/bashrc configuration file.

If the output returns -bash, you are executing a command in a login shell.

# echo $0
-bash

The default umask for the login shell is set in /etc/profile configuration file.

Procedure

  • To display the default bash umask for the non-login shell, use:

    $ grep umask /etc/bashrc

    The output returns:

    # By default, we want umask to get set. This sets it for non-login shell.
           umask 002
           umask 022
  • To display the default bash umask for the login shell, use:

    $ grep umask /etc/profile

    The output returns:

    # By default, we want umask to get set. This sets it for login shell
           umask 002
           umask 022

5.5. Setting the umask for the current shell session

The following section describes how to set the umask for the current shell session:

  • Using symbolic values.
  • Using octal values.

Note that the umask is valid only during the current shell session and reverts to the default umask after the session is complete.

5.5.1. Setting the umask using symbolic values

The following section describes how to set the umask with symbolic values.

Procedure

  • To set or remove permissions for the current shell session, you can use minus (-), plus (+), and equals (=) signs in combination with symbolic values.

    $ umask -S u=symbolic_value,g+symbolic_value,o-symbolic_value

    Replace symbolic_value for user, group, and others with symbolic values. See Section 5.1.2, “User file-creation mode mask” for more details.

    Example

    If your current umask is set to 113 (u=rw-,g=rw-,o=r--) and you want to set it to 037 (u=rwx,g=r--,o=---), use:

    $ umask -S u+x,g-w,o=

    Note that any permission that is not specified after the equals sign (=) is automatically prohibited.

  • To set the same permissions for user, group, and others, use:

    $ umask a=symbolic_value

    Replace symbolic_value with a symbolic value. See Section 5.1.2, “User file-creation mode mask” for more details.

    Example

    To set the umask to 000 (u=rwx,g=rwx,o=rwx), use:

    $ umask a=rwx

Note that the umask is only valid for the current shell session.

5.5.2. Setting the umask using octal values

The following section describes how to set the umask with octal values.

Procedure

  • To set the umask for the current shell session, pass the octal value to the umask command:

    $ umask octal_value

    Replace octal_value with an octal value. See Section 5.1.2, “User file-creation mode mask” for more details.

Note that the umask is only valid for the current shell session.
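The umask changes from sections 5.5.1 and 5.5.2, run in a subshell and read back, as an added shell example that is not part of the original page. Because each change happens in a subshell, the calling shell's umask is never modified; the functions assume only a POSIX shell whose umask builtin accepts symbolic modes, as bash and dash do.

```shell
#!/bin/sh
# Added example (not from the original page): apply the section's umask
# changes in a subshell and read the result back.

# umask_after START CHANGES -> the umask, as the shell prints it, after
# starting from octal START and applying CHANGES (octal or symbolic).
umask_after() {
  ( umask "$1" && umask "$2" && umask )
}

# umask_roundtrip OCTAL -> the umask obtained by feeding the symbolic form
# printed by "umask -S" back into umask; the two notations are equivalent.
umask_roundtrip() {
  ( umask "$1" && sym=$(umask -S) && umask "$sym" && umask )
}

# same_umask A B -> true when A and B are the same mask numerically,
# so that "037" and the "0037" a shell prints compare equal.
same_umask() {
  [ $(( 0$1 )) -eq $(( 0$2 )) ]
}

printf 'from 113 apply u+x,g-w,o= -> %s\n' "$(umask_after 113 'u+x,g-w,o=')"
printf 'from 022 apply a=rwx      -> %s\n' "$(umask_after 022 'a=rwx')"
printf 'from 022 apply 027        -> %s\n' "$(umask_after 022 027)"
printf '037 via umask -S and back -> %s\n' "$(umask_roundtrip 037)"
```

The first call reproduces the example in section 5.5.1: u+x clears the owner's execute mask bit, g-w sets the group's write mask bit, and o= sets all three bits for others, giving 037.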

5.6. Changing the default umask

The following section describes how to:

  • Change the default bash umask for the non-login shell.
  • Change the default bash umask for the login shell.
  • Change the default bash umask for a specific user.
  • Set default permissions for newly created home directories.

Prerequisites

  • Root access.

5.6.1. Changing the default umask for the non-login shell

The following section describes how to change the default bash umask for non-login shells. In /etc/bashrc, the first branch (002) applies to standard users (UID above 199) whose primary group name matches their user name; the else branch (022) applies to root and to system accounts.

Procedure

  1. As root, open the /etc/bashrc file in an editor of your choice.
  2. Modify the following sections to set a new default bash umask:

        if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
           umask 002
        else
           umask 022
        fi

    Replace the default octal value of the umask (002) with another octal value. See Section 5.1.2, “User file-creation mode mask” for more details.

  3. Save the changes.

5.6.2. Changing the default umask for the login shell

The following section describes how to change the default bash umask for login shells. In /etc/profile, the first branch (002) applies to standard users (UID above 199) whose primary group name matches their user name; the else branch (022) applies to root and to system accounts.

Procedure

  1. As root, open the /etc/profile file in an editor of your choice.
  2. Modify the following sections to set a new default bash umask:

    if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
        umask 002
    else
        umask 022
    fi

    Replace the default octal value of the umask (022) with another octal value. See Section 5.1.2, “User file-creation mode mask” for more details.

  3. Save the changes.

5.6.3. Changing the default umask for a specific user

The following section describes how to change the default umask for a specific user.

Procedure

  • Put the line that specifies the octal value of the umask into the .bashrc file for the particular user.

    $ echo 'umask octal_value' >> /home/username/.bashrc

    Replace octal_value with an octal value and replace username with the name of the user. See Section 5.1.2, “User file-creation mode mask” for more details. On Red Hat Enterprise Linux the default ~/.bash_profile sources ~/.bashrc, so a umask set there applies to the user's login shells as well as non-login shells.

5.6.4. Setting default UMASK for newly created home directories

The following section describes how to change the UMASK value that determines the permissions of newly created user home directories.

Procedure

  1. As root, open the /etc/login.defs file in an editor of your choice.
  2. Modify the following section to set a new default UMASK:

    # The permission mask is initialized to this value. If not specified,
    # the permission mask will be initialized to 022.
    UMASK 077

    Replace the default octal value (077) with another octal value. See Section 5.1.2, “User file-creation mode mask” for more details.

  3. Save the changes.

5.7. Access control list

Traditionally, each file and directory can have only one user owner and one group owner at a time. If you want to apply a more specific set of permissions to a file or directory (for example, allow certain users outside the group to access a specific file within a directory but not other files) without changing the ownership and permissions of the file or directory, you can use access control lists (ACLs).

The following section describes how to:

  • Display the current ACL.
  • Set the ACL.

5.7.1. Displaying the current ACL

The following section describes how to display the current ACL.

Procedure

  • To display the current ACL for a particular file or directory, use:

    $ getfacl file-name

    Replace file-name with the name of the file or directory. Files and directories that carry an ACL are marked with a + after the permission string in ls -l output.

5.7.2. Setting the ACL

The following section describes how to set the ACL.

Prerequisites

  • Root access

Procedure

  • To set the ACL for a file or directory, use:

    # setfacl -m u:username:symbolic_value file-name

    Replace username with the name of the user, symbolic_value with a symbolic value, and file-name with the name of the file or directory. For more information see the setfacl man page.

Example

The following example describes how to modify permissions for the group-project file owned by the root user that belongs to the root group so that this file is:

  • Not executable by anyone.
  • The user andrew has the rw- permission.
  • The user susan has the --- permission.
  • Other users have the r-- permission.

Procedure

# setfacl -m u:andrew:rw- group-project
# setfacl -m u:susan:--- group-project

Verification steps

  • To verify that the user andrew has the rw- permission, the user susan has the --- permission, and other users have the r-- permission, use:

    $ getfacl group-project

    The output returns:

    # file: group-project
    # owner: root
    # group: root
    user:andrew:rw-
    user:susan:---
    group::r--
    mask::rw-
    other::r--
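The mask:: entry in the output above caps the effective permissions of named users and of the owning group; only the owner (user::) and other:: are exempt, and a later chmod on the group bits rewrites the mask rather than the group:: entry. The following added shell example, not part of the original page, parses getfacl output and reports the effective permission of an entry, using the group-project ACL above as constructed sample input. The user::rw- owner line is an assumption, since the page's output does not show it, and the second sample assumes that chmod g-w was run on the file afterwards.

```shell
#!/bin/sh
# Added example (not from the original page): parse getfacl output and
# compute the effective permission of an entry. With an extended ACL, named
# users, named groups and the owning group (group::) are capped by mask::;
# only the owner (user::) and other:: are exempt. chmod on the group bits
# rewrites the mask rather than group::, silently shrinking what named
# users can do.

# Constructed sample: the page's group-project ACL as getfacl prints it.
# The user::rw- owner line is assumed; the page's output does not show it.
SAMPLE_ACL='# file: group-project
# owner: root
# group: root
user::rw-
user:andrew:rw-
user:susan:---
group::r--
mask::rw-
other::r--'

# The same ACL after "chmod g-w group-project": only the mask line changes.
SAMPLE_ACL_AFTER_CHMOD=$(printf '%s\n' "$SAMPLE_ACL" | sed 's/^mask::rw-$/mask::r--/')

# effective_perms ACLTEXT TAG QUALIFIER -> effective rwx triplet.
# TAG is user, group or other; QUALIFIER is the name, empty for user::/group::.
effective_perms() {
  printf '%s\n' "$1" | awk -F: -v tag="$2" -v qual="$3" '
    /^#/ || NF == 0 { next }
    { sub(/[ \t].*/, "", $3) }          # drop any "#effective:..." annotation
    $1 == "mask"             { mask  = $3 }
    $1 == tag && $2 == qual  { perms = $3 }
    END {
      if (perms == "") { print "no such entry: " tag ":" qual > "/dev/stderr"; exit 1 }
      # owner and other are never masked; everything else is when a mask exists
      if (mask == "" || tag == "other" || (tag == "user" && qual == "")) { print perms; exit 0 }
      out = ""
      for (i = 1; i <= 3; i++) {
        c = substr(perms, i, 1)
        out = out ((c != "-" && c == substr(mask, i, 1)) ? c : "-")
      }
      print out
    }'
}

for who in andrew susan; do
  printf 'user:%-7s effective before chmod g-w: %s  after: %s\n' "$who" \
    "$(effective_perms "$SAMPLE_ACL" user "$who")" \
    "$(effective_perms "$SAMPLE_ACL_AFTER_CHMOD" user "$who")"
done
```

getfacl itself prints a #effective: annotation next to entries the mask restricts, so the same drop is visible directly after a chmod; the parser is useful when auditing many files from saved getfacl output.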