Day 6 - Permissions, Ownership, and umask

2025-09-267 min read

linuxpermissionschmodchowngroupsumaskacl

Day6 VHS

This lesson explains how access control works on Linux. It covers users and groups, the rwx model, how to read and change modes with chmod, ownership with chown and chgrp, directory semantics, special bits, default permissions with umask, and a short introduction to Access Control Lists.

Why this matters

Correct permissions protect files from accidental deletion and keep multi user systems safe. Good defaults reduce mistakes and support collaboration.

Prerequisites

Users, groups, and ownership recap

Every file has an owner and a group. Permissions are evaluated for three classes: user (owner), group, and other (everyone else).

bash
id                 # show current user and groups
ls -l /etc/hosts   # owner and group appear in columns 3 and 4

Ownership changes:

bash
sudo chown root:root /path/to/file
sudo chgrp developers /path/to/file

Add a user to a group (Debian and Ubuntu):

bash
sudo usermod -aG developers "$USER"
# re login or run: newgrp developers
Group membership cache

A new group assignment does not affect existing sessions. Log out and back in or use newgrp to refresh the group list in the current terminal.

Reading permissions from ls -l

Example:

bash
ls -l demo.txt
-rw-r----- 1 alice developers 1024 Sep 26 09:00 demo.txt

Breakdown of the left field:

  • first character: - file, d directory, l symlink, others for devices and special files
  • next nine characters: three triplets for user, group, and other: r read, w write, x execute

Directory rules that differ from files

  • Read on a directory allows listing names
  • Execute on a directory allows entering and traversing
  • Write on a directory allows creating, renaming, and deleting entries inside
Quick mental model

For files: read means view, write means modify, execute means run. For directories: read means list, write means create or remove names, execute means open files and traverse.

Changing permissions with chmod

Symbolic mode

bash
chmod u+rw,g=r,o= demo.txt   # user add rw, group read only, others none
chmod a+r shared.txt         # everyone can read
chmod go-w secrets/          # remove write for group and other
chmod -R u=rwX,go=rX project/  # recursive; X sets execute only on directories and already executable files

Numeric (octal) mode

Each triplet is a number: r=4, w=2, x=1.

bash
chmod 640 demo.txt   # u=6 (rw-), g=4 (r--), o=0 (---)
chmod 755 script.sh  # rwx r-x r-x
Common mistake

Running chmod -R 777 on a tree gives full access to everyone and often breaks programs by loosening directory semantics. Prefer the minimal rights needed.

Executable files and scripts

A text script must be executable and have a shebang.

bash
cat > ~/bin/hello <<'EOF'
#!/usr/bin/env bash
echo "hello"
EOF
chmod 755 ~/bin/hello
hello

If a program prints Permission denied, check the x bit and the mount options of the filesystem.

Special permission bits: setuid, setgid, sticky

setuid (4xxx) on files

Program runs with the file owner's effective user id.

bash
# view with ls; shows s in the user execute position
ls -l /usr/bin/passwd

setgid (2xxx) on files

Program runs with the file's group as the effective group id.

setgid on directories

New files inherit the directory group. Useful for team folders.

bash
sudo chgrp -R developers /srv/app
sudo chmod g+rwx /srv/app
sudo chmod g+s /srv/app      # setgid on directory

Sticky bit (1xxx) on directories

Prevents users from deleting files they do not own even if the directory is writable by others. Common on world writable directories like /tmp.

bash
sudo chmod +t /shared
ls -ld /tmp /shared
# look for t in the other execute position: drwxrwxrwt

Octal with special bits:

  • 4xxx setuid
  • 2xxx setgid
  • 1xxx sticky

Examples:

bash
chmod 2775 /srv/app    # rwxrwsr-x
aaaa
chmod 1777 /shared     # rwxrwxrwt
Be careful with setuid and setgid

Setting setuid or setgid on custom binaries can create privilege escalation risks. Avoid on scripts. Use only when the security model is well understood.

Default permissions and umask

When a process creates a file, it requests a default mode. The kernel applies the umask to remove bits.

  • typical requested modes: files 666 and directories 777
  • effective mode = requested mode minus umask bits

Check and set umask for the current shell:

bash
umask              # print current mask, for example 002 or 022
umask 022          # removes group and other write
umask 002          # good for team shares where group members collaborate

Examples:

  • with umask 022: new files become 644 and new directories become 755
  • with umask 002: new files become 664 and new directories become 775

Persistent configuration:

bash
# add to ~/.profile or ~/.bashrc
printf '\numask 002\n' >> ~/.profile
Service umask

System services can have their own umask. With systemd, set UMask= inside a unit file or a drop in. This is covered in service management later in the series.

Access Control Lists (ACLs) overview

Traditional rwx permissions are simple but limited. ACLs add per user and per group entries and a mask.

bash
# install tools if needed
sudo apt install -y acl 2>/dev/null || sudo dnf install -y acl 2>/dev/null

# show and set ACLs
getfacl project
setfacl -m u:alice:rw project/report.txt
setfacl -m g:developers:rwx project
setfacl -m m:rwx project           # update the ACL mask to allow entries to take effect

# default ACLs inherited by new files and directories
setfacl -d -m g:developers:rwX project
getfacl project

Notes:

  • The mask limits the effective rights of all named users and groups for a file or directory. Remember to adjust it when adding ACL entries.
  • ACLs complement, not replace, the traditional mode bits. Tools read both.

Practical lab

Create a shared team workspace with correct defaults and safe deletion rules.

  1. Create users and a team group (skip user creation on single user laptops).
bash
sudo groupadd developers || true
sudo usermod -aG developers "$USER"
  1. Create a shared directory that keeps group ownership and prevents accidental cross user deletes.
bash
sudo mkdir -p /srv/team
sudo chgrp developers /srv/team
sudo chmod 2775 /srv/team      # setgid and group rwx
sudo chmod +t /srv/team        # sticky to protect from non owners deleting
  1. Improve collaboration with a permissive umask for the group session.
bash
umask 002
  1. Optional: grant access to one extra user without changing the group using ACLs.
bash
sudo setfacl -m u:alice:rwx /srv/team
getfacl /srv/team | less
  1. Verify results.
bash
sudo -u "$USER" touch /srv/team/test1
ls -ld /srv/team
ls -l /srv/team

Troubleshooting

  • Permission denied when a directory shows r-- but not x. Add execute to allow traversal, for example chmod a+X dir or chmod 755 dir.
  • Cannot delete file in shared folder even as the file owner. Check the sticky bit on the directory. Owners can remove their own files, but not files owned by others when sticky is set.
  • Group changes do not apply until a new login. Use newgrp <group> to refresh in the current session.
  • ACL changes seem ignored. Update the ACL mask with setfacl -m m:rwX or setfacl -b to remove conflicting entries.

Next steps

Day 7 covers processes and job control. It explains how to view processes with ps and top or htop, control jobs with &, bg, and fg, send signals with kill, and adjust priorities with nice and renice. It also introduces logs for investigating misbehaving programs.