Chapter 13. Managing file system permissions

File system permissions control the ability of user and group accounts to read, modify, and execute the contents of the files and to enter directories. Set permissions carefully to protect your data against unauthorized access.

13.1. Managing file permissions

Every file or directory has three levels of ownership:

  • User owner (u).
  • Group owner (g).
  • Others (o).

Each level of ownership can be assigned the following permissions:

  • Read (r).
  • Write (w).
  • Execute (x).

Note that the execute permission for a file allows you to execute that file. The execute permission for a directory allows you to access the contents of the directory, but not execute it.

When a new file or directory is created, a default set of permissions is automatically assigned to it. The default permissions for a file or directory are based on two factors:

  • Base permission.
  • The user file-creation mode mask (umask).

13.1.1. Base file permissions

Whenever a new file or directory is created, a base permission is automatically assigned to it. Base permissions for a file or directory can be expressed in symbolic or octal values.

Permission              Symbolic value    Octal value
No permission           ---               0
Execute                 --x               1
Write                   -w-               2
Write and execute       -wx               3
Read                    r--               4
Read and execute        r-x               5
Read and write          rw-               6
Read, write, execute    rwx               7

The base permission for a directory is 777 (drwxrwxrwx), which grants everyone the permissions to read, write, and execute. This means that the directory owner, the group, and others can list the contents of the directory, create, delete, and edit items within the directory, and descend into it.

Note that individual files within a directory can have their own permissions that might prevent you from editing them, despite your having unrestricted access to the directory.

The base permission for a file is 666 (-rw-rw-rw-), which grants everyone the permissions to read and write. This means that the file owner, the group, and others can read and edit the file.

Example 13.1. Permissions for a file

If a file has the following permissions:

$ ls -l
-rwxrw----. 1 sysadmins sysadmins 2 Mar 2 08:43 file
  • - indicates it is a file.
  • rwx indicates that the file owner has permissions to read, write, and execute the file.
  • rw- indicates that the group has permissions to read and write, but not execute the file.
  • --- indicates that other users have no permission to read, write, or execute the file.
  • . indicates that the SELinux security context is set for the file.

Example 13.2. Permissions for a directory

If a directory has the following permissions:

$ ls -dl directory
drwxr-----. 1 sysadmins sysadmins 2 Mar 2 08:43 directory
  • d indicates it is a directory.
  • rwx indicates that the directory owner has the permissions to read, write, and access the contents of the directory.

    As a directory owner, you can list the items (files, subdirectories) within the directory, access the content of those items, and modify them.

  • r-x indicates that the group has permissions to read the content of the directory, but not to write to it (create new entries or delete files). The x permission means that you can also access the directory using the cd command.
  • --- indicates that other users have no permission to read, write, or access the contents of the directory.

    As someone who is neither the user owner nor the group owner of the directory, you cannot list the items within the directory, access information about those items, or modify them.

  • . indicates that the SELinux security context is set for the directory.
Note

The base permission that is automatically assigned to a file or directory is not the default permission the file or directory ends up with. When you create a file or directory, the base permission is altered by the umask. The combination of the base permission and the umask creates the default permission for files and directories.

13.1.2. User file-creation mode mask

The user file-creation mode mask (umask) is a variable that controls how file permissions are set for newly created files and directories. The umask automatically removes permissions from the base permission value to increase the overall security of a Linux system. The umask can be expressed in symbolic or octal values.

Permission                  Symbolic value    Octal value
Read, write, and execute    rwx               0
Read and write              rw-               1
Read and execute            r-x               2
Read                        r--               3
Write and execute           -wx               4
Write                       -w-               5
Execute                     --x               6
No permissions              ---               7

The default umask for a standard user is 0002. The default umask for a root user is 0022.

The first digit of the umask represents special permissions (sticky bit, SGID bit, or SUID bit). The last three digits of the umask represent the permissions that are removed from the user owner (u), group owner (g), and others (o) respectively.

Example 13.3. Applying the umask when creating a file

The following example illustrates how the umask with an octal value of 0137 is applied to the file with the base permission of 777, to create the file with the default permission of 640.

Figure: Users Groups Umask Example

13.1.3. Default file permissions

The default permissions are set automatically for all newly created files and directories. The value of the default permissions is determined by applying the umask to the base permission.

Example 13.4. Default permissions for a directory created by a standard user

When a standard user creates a new directory, the umask is set to 002 (rwxrwxr-x), and the base permissions for a directory are set to 777 (rwxrwxrwx). This brings the default permissions to 775 (drwxrwxr-x).

                        Symbolic value    Octal value
Base permission         rwxrwxrwx         777
Umask                   rwxrwxr-x         002
Default permission      rwxrwxr-x         775

This means that the directory owner and the group can list the contents of the directory, create, delete, and edit items within the directory, and descend into it. Other users can only list the contents of the directory and descend into it.

Example 13.5. Default permissions for a file created by a standard user

When a standard user creates a new file, the umask is set to 002 (rwxrwxr-x), and the base permissions for a file are set to 666 (rw-rw-rw-). This brings the default permissions to 664 (-rw-rw-r--).

                        Symbolic value    Octal value
Base permission         rw-rw-rw-         666
Umask                   rwxrwxr-x         002
Default permission      rw-rw-r--         664

This means that the file owner and the group can read and edit the file, while other users can only read the file.

Example 13.6. Default permissions for a directory created by the root user

When a root user creates a new directory, the umask is set to 022 (rwxr-xr-x), and the base permissions for a directory are set to 777 (rwxrwxrwx). This brings the default permissions to 755 (rwxr-xr-x).

                        Symbolic value    Octal value
Base permission         rwxrwxrwx         777
Umask                   rwxr-xr-x         022
Default permission      rwxr-xr-x         755

This means that the directory owner can list the contents of the directory, create, delete, and edit items within the directory, and descend into it. The group and others can only list the contents of the directory and descend into it.

Example 13.7. Default permissions for a file created by the root user

When a root user creates a new file, the umask is set to 022 (rwxr-xr-x), and the base permissions for a file are set to 666 (rw-rw-rw-). This brings the default permissions to 644 (-rw-r--r--).

                        Symbolic value    Octal value
Base permission         rw-rw-rw-         666
Umask                   rwxr-xr-x         022
Default permission      rw-r--r--         644

This means that the file owner can read and edit the file, while the group and others can only read the file.

Note

For security reasons, regular files cannot have execute permissions by default, even if the umask is set to 000 (rwxrwxrwx). However, directories can be created with execute permissions.
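The calculations in Examples 13.3 to 13.7 and the Note above, as an added example that is not part of the Red Hat documentation: the kernel derives the mode of a new object as base & ~umask, and the script checks that rule against files it really creates. It assumes a Linux system with GNU or busybox stat (for stat -c %a) and mktemp.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): the kernel derives the
# mode of a new object as base & ~umask. These helpers reproduce that and the
# rwxrwxrwx notation of the tables above, then compare against files actually
# created under a given umask. Assumes GNU/busybox stat and mktemp.

# Octal default permission for an octal base (666 file, 777 directory) and
# an octal umask, e.g. default_mode 777 0137 -> 640.
default_mode() {
    # Leading 0 forces octal; & 0777 drops a special-bit digit such as 0137's.
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# One octal digit -> its rwx triplet.
digit_sym() {
    case $1 in
        0) echo '---' ;; 1) echo '--x' ;; 2) echo '-w-' ;; 3) echo '-wx' ;;
        4) echo 'r--' ;; 5) echo 'r-x' ;; 6) echo 'rw-' ;; 7) echo 'rwx' ;;
    esac
}

# Three-digit octal mode -> rwxrwxrwx, e.g. symbolic 640 -> rw-r-----.
symbolic() {
    m=$(printf '%03o' $(( 0$1 & 0777 )))
    mid=${m#?}; mid=${mid%?}
    printf '%s%s%s\n' "$(digit_sym "${m%??}")" "$(digit_sym "$mid")" \
        "$(digit_sym "${m#??}")"
}

# A umask in the notation of the umask table: the permissions it leaves in
# place, which is what `umask -S` prints; umask_symbolic 022 -> rwxr-xr-x.
umask_symbolic() {
    symbolic "$(printf '%03o' $(( ~0$1 & 0777 )))"
}

# Create a regular file or a directory under umask $1 in a throwaway
# directory and print the mode the kernel really assigned.
actual_mode() {
    tmp=$(mktemp -d) || return 1
    if [ "$2" = dir ]; then
        (umask "$1" && mkdir "$tmp/d" && stat -c %a "$tmp/d")
    else
        (umask "$1" && : > "$tmp/f" && stat -c %a "$tmp/f")
    fi
    rm -rf "$tmp"
}

# Worked rows: Example 13.3 followed by Examples 13.4 to 13.7.
for row in "777 0137" "777 002" "666 002" "777 022" "666 022"; do
    set -- $row
    printf 'base %s  umask %s (%s)  default %s (%s)\n' "$1" "$2" \
        "$(umask_symbolic "$2")" "$(default_mode "$1" "$2")" \
        "$(symbolic "$(default_mode "$1" "$2")")"
done
# Even under umask 000 a new regular file gets 666, never 777: execute bits
# are not in a file's base permission, only in a directory's.
printf 'umask 000: file %s, directory %s\n' \
    "$(actual_mode 000 file)" "$(actual_mode 000 dir)"
```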

13.1.4. Changing file permissions using symbolic values

You can use the chmod utility with symbolic values (a combination of letters and signs) to change file permissions for a file or directory.

You can assign the following permissions:

  • Read (r)
  • Write (w)
  • Execute (x)

Permissions can be assigned to the following levels of ownership:

  • User owner (u)
  • Group owner (g)
  • Other (o)
  • All (a)

To add or remove permissions you can use the following signs:

  • + to add the permissions on top of the existing permissions
  • - to remove the permissions from the existing permission
  • = to remove the existing permissions and explicitly define the new ones

Procedure

  • To change the permissions for a file or directory, use:

    $ chmod <level><operation><permission> file-name

    Replace <level> with the level of ownership you want to set the permissions for. Replace <operation> with one of the signs. Replace <permission> with the permissions you want to assign. Replace file-name with the name of the file or directory. For example, to grant everyone the permissions to read, write, and execute (rwx) my-script.sh, use the chmod a=rwx my-script.sh command.

    See Base file permissions for more details.

Verification steps

  • To see the permissions for a particular file, use:

    $ ls -l file-name

    Replace file-name with the name of the file.

  • To see the permissions for a particular directory, use:

    $ ls -dl directory-name

    Replace directory-name with the name of the directory.

  • To see the permissions for all the files within a particular directory, use:

    $ ls -l directory-name

    Replace directory-name with the name of the directory.

Example 13.8. Changing permissions for files and directories

  • To change file permissions for my-file.txt from -rw-rw-r-- to -rw-------, use:

    1. Display the current permissions for my-file.txt:

      $ ls -l my-file.txt
      -rw-rw-r--. 1 username username 0 Feb 24 17:56 my-file.txt
    2. Remove the permissions to read, write, and execute (rwx) the file from group owner (g) and others (o):

      $ chmod go= my-file.txt

      Note that any permission that is not specified after the equals sign (=) is automatically prohibited.

    3. Verify that the permissions for my-file.txt were set correctly:

      $ ls -l my-file.txt
      -rw-------. 1 username username 0 Feb 24 17:56 my-file.txt
  • To change file permissions for my-directory from drwxrwx--- to drwxrwxr-x, use:

    1. Display the current permissions for my-directory:

      $ ls -dl my-directory
      drwxrwx---. 2 username username 4096 Feb 24 18:12 my-directory
    2. Add the read and execute (r-x) access for other users (o):

      $ chmod o+rx my-directory
    3. Verify that the permissions for my-directory were set correctly:

      $ ls -dl my-directory
      drwxrwxr-x. 2 username username 4096 Feb 24 18:12 my-directory

13.1.5. Changing file permissions using octal values

You can use the chmod utility with octal values (numbers) to change file permissions for a file or directory.

Procedure

  • To change the file permissions for an existing file or directory, use:

    $ chmod octal_value file-name

    Replace file-name with the name of the file or directory. Replace octal_value with an octal value. See Base file permissions for more details.

13.2. Managing the Access Control List

Each file and directory can only have one user owner and one group owner at a time. If you want to grant a user permissions to access specific files or directories that belong to a different user or group while keeping other files and directories private, you can utilize Linux Access Control Lists (ACLs).

13.2.1. Displaying the current Access Control List

You can use the getfacl utility to display the current ACL.

Procedure

  • To display the current ACL for a particular file or directory, use:

    $ getfacl file-name

    Replace file-name with the name of the file or directory.

13.2.2. Setting the Access Control List

You can use the setfacl utility to set the ACL for a file or directory.

Prerequisites

  • root access.

Procedure

  • To set the ACL for a file or directory, use:

    # setfacl -m u:username:symbolic_value file-name

    Replace username with the name of the user, symbolic_value with a symbolic value, and file-name with the name of the file or directory. For more information, see the setfacl man page.

Example 13.9. Modifying permissions for a group project

The following example describes how to modify permissions for the group-project file, owned by the root user and belonging to the root group, so that:

  • The file is not executable by anyone.
  • The user andrew has the rw- permissions.
  • The user susan has the --- permissions.
  • Other users have the r-- permissions.

Procedure

# setfacl -m u:andrew:rw- group-project
# setfacl -m u:susan:--- group-project

Verification steps

  • To verify that the user andrew has the rw- permission, the user susan has the --- permission, and other users have the r-- permission, use:

    $ getfacl group-project

    The output returns:

    # file: group-project
    # owner: root
    # group: root
    user:andrew:rw-
    user:susan:---
    group::r--
    mask::rw-
    other::r--

13.3. Managing the umask

You can use the umask utility to display, set, or change the current or default value of the umask.

13.3.1. Displaying the current value of the umask

You can use the umask utility to display the current value of the umask in symbolic or octal mode.

Procedure

  • To display the current value of the umask in symbolic mode, use:

    $ umask -S
  • To display the current value of the umask in the octal mode, use:

    $ umask
    Note

    When displaying the umask in octal mode, you may notice it displayed as a four-digit number (0002 or 0022). The first digit of the umask represents a special bit (sticky bit, SGID bit, or SUID bit). If the first digit is set to 0, the special bit is not set.

13.3.2. Displaying the default bash umask

There are a number of shells you can use, such as bash, ksh, zsh and tcsh. Those shells can behave as login or non-login shells. You can invoke the login shell by opening a native or a GUI terminal.

To determine whether you are executing a command in a login or a non-login shell, use the echo $0 command.

Example 13.10. Determining if you are working in a login or a non-login bash shell

  • If the output of the echo $0 command returns bash, you are executing the command in a non-login shell.

    $ echo $0
    bash

    The default umask for the non-login shell is set in the /etc/bashrc configuration file.

  • If the output of the echo $0 command returns -bash, you are executing the command in a login shell.

    # echo $0
    -bash

    The default umask for the login shell is set in the /etc/profile configuration file.

Procedure

  • To display the default bash umask for the non-login shell, use:

    $ grep umask /etc/bashrc

    The output returns:

    # By default, we want umask to get set. This sets it for non-login shell.
           umask 002
           umask 022
  • To display the default bash umask for the login shell, use:

    $ grep umask /etc/profile

    The output returns:

    # By default, we want umask to get set. This sets it for login shell
           umask 002
           umask 022

13.3.3. Setting the umask using symbolic values

You can use the umask utility with symbolic values (a combination of letters and signs) to set the umask for the current shell session.

You can assign the following permissions:

  • Read (r)
  • Write (w)
  • Execute (x)

Permissions can be assigned to the following levels of ownership:

  • User owner (u)
  • Group owner (g)
  • Other (o)
  • All (a)

To add or remove permissions you can use the following signs:

  • + to add the permissions on top of the existing permissions
  • - to remove the permissions from the existing permission
  • = to remove the existing permissions and explicitly define the new ones

    Note

    Any permission that is not specified after the equals sign (=) is automatically prohibited.

Procedure

  • To set the umask for the current shell session, use:

    $ umask -S <level><operation><permission>

    Replace <level> with the level of ownership you want to set the umask for. Replace <operation> with one of the signs. Replace <permission> with the permissions you want to assign. For example, to set the umask to u=rwx,g=rwx,o=rwx, use umask -S a=rwx.

    See User file-creation mode mask for more details.

    Note

    The umask is only valid for the current shell session.

13.3.4. Setting the umask using octal values

You can use the umask utility with octal values (numbers) to set the umask for the current shell session.

Procedure

  • To set the umask for the current shell session, use:

    $ umask octal_value

    Replace octal_value with an octal value. See User file-creation mode mask for more details.

    Note

    The umask is only valid for the current shell session.

13.3.5. Changing the default umask for the non-login shell

You can change the default bash umask for standard users by modifying the /etc/bashrc file.

Prerequisites

  • root access

Procedure

  1. As root, open the /etc/bashrc file in the editor.
  2. Modify the following sections to set a new default bash umask:

        if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
           umask 002
        else
           umask 022
        fi

    Replace the default octal value of the umask (002) with another octal value. See User file-creation mode mask for more details.

  3. Save the changes and exit the editor.

13.3.6. Changing the default umask for the login shell

You can change the default bash umask for the root user by modifying the /etc/profile file.

Prerequisites

  • root access

Procedure

  1. As root, open the /etc/profile file in the editor.
  2. Modify the following sections to set a new default bash umask:

    if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
        umask 002
    else
        umask 022
    fi

    Replace the default octal value of the umask (022) with another octal value. See User file-creation mode mask for more details.

  3. Save the changes and exit the editor.

13.3.7. Changing the default umask for a specific user

You can change the default umask for a specific user by modifying the .bashrc for that user.

Procedure

  • Append the line that specifies the octal value of the umask into the .bashrc file for the particular user.

    $ echo 'umask octal_value' >> /home/username/.bashrc

    Replace octal_value with an octal value and replace username with the name of the user. See User file-creation mode mask for more details.

13.3.8. Setting default permissions for newly created home directories

You can change the permission modes for home directories of newly created users by modifying the /etc/login.defs file.

Procedure

  1. As root, open the /etc/login.defs file in the editor.
  2. Modify the following section to set a new default HOME_MODE:

    # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
    # home directories.
    # If HOME_MODE is not set, the value of UMASK is used to create the mode.
    HOME_MODE       0700

    Replace the default octal value (0700) with another octal value. The selected mode will be used to create the permissions for the home directory.

  3. If HOME_MODE is set, save the changes and exit the editor.
  4. If HOME_MODE is not set, modify the UMASK to set the mode for the newly created home directories:

    # Default initial "umask" value used by login(1) on non-PAM enabled systems.
    # Default "umask" value for pam_umask(8) on PAM enabled systems.
    # UMASK is also used by useradd(8) and newusers(8) to set the mode for new
    # home directories if HOME_MODE is not set.
    # 022 is the default value, but 027, or even 077, could be considered
    # for increased privacy. There is no One True Answer here: each sysadmin
    # must make up their mind.
    
    UMASK           022

    Replace the default octal value (022) with another octal value. See User file-creation mode mask for more details.

  5. Save the changes and exit the editor.