Linux Professional Institute Learning Logo.
Skip to main content
  • Home
    • All Resources
    • LPI Learning Materials
    • Become a Contributor
    • Publishing Partners
    • Become a Publishing Partner
    • About
    • FAQ
    • Contributors
    • Roadmap
    • Contact
  • LPI.org
104.5 Lesson 1
Topic 101: System Architecture
101.1 Determine and configure hardware settings
  • 101.1 Lesson 1
101.2 Boot the system
  • 101.2 Lesson 1
101.3 Change runlevels / boot targets and shutdown or reboot system
  • 101.3 Lesson 1
Topic 102: Linux Installation and Package Management
102.1 Design hard disk layout
  • 102.1 Lesson 1
102.2 Install a boot manager
  • 102.2 Lesson 1
102.3 Manage shared libraries
  • 102.3 Lesson 1
102.4 Use Debian package management
  • 102.4 Lesson 1
102.5 Use RPM and YUM package management
  • 102.5 Lesson 1
102.6 Linux as a virtualization guest
  • 102.6 Lesson 1
Topic 103: GNU and Unix Commands
103.1 Work on the command line
  • 103.1 Lesson 1
  • 103.1 Lesson 2
103.2 Process text streams using filters
  • 103.2 Lesson 1
103.3 Perform basic file management
  • 103.3 Lesson 1
  • 103.3 Lesson 2
103.4 Use streams, pipes and redirects
  • 103.4 Lesson 1
  • 103.4 Lesson 2
103.5 Create, monitor and kill processes
  • 103.5 Lesson 1
  • 103.5 Lesson 2
103.6 Modify process execution priorities
  • 103.6 Lesson 1
103.7 Search text files using regular expressions
  • 103.7 Lesson 1
  • 103.7 Lesson 2
103.8 Basic file editing
  • 103.8 Lesson 1
Topic 104: Devices, Linux Filesystems, Filesystem Hierarchy Standard
104.1 Create partitions and filesystems
  • 104.1 Lesson 1
104.2 Maintain the integrity of filesystems
  • 104.2 Lesson 1
104.3 Control mounting and unmounting of filesystems
  • 104.3 Lesson 1
104.5 Manage file permissions and ownership
  • 104.5 Lesson 1
104.6 Create and change hard and symbolic links
  • 104.6 Lesson 1
104.7 Find system files and place files in the correct location
  • 104.7 Lesson 1
How to get certified
  1. Topic 104: Devices, Linux Filesystems, Filesystem Hierarchy Standard
  2. 104.5 Manage file permissions and ownership
  3. 104.5 Lesson 1

104.5 Lesson 1

Certificate:

LPIC-1

Version:

5.0

Topic:

104 Devices, Linux Filesystems, Filesystem Hierarchy Standard

Objective:

104.5 Manage file permissions and ownership

Lesson:

1 of 1

Introduction

Being a multi-user system, Linux needs some way to track who owns each file and whether or not a user is allowed to perform actions on a file. This is to ensure the privacy of users who might want to keep the contents of their files confidential, as well as to ensure collaboration by making certain files accessible to multiple users.

This is done through a three-level permissions system. Every file on disk is owned by a user and a user group and has three sets of permissions: one for its owner, one for the group who owns the file and one for everyone else. In this lesson, you will learn how to query the permissions for a file, the meaning of these permissions and how to manipulate them.

Querying Information about Files and Directories

The command ls is used to get a listing of the contents of any directory. In this basic form, all you get are the filenames:

$ ls
Another_Directory  picture.jpg  text.txt

But there is much more information available for each file, including its type, size, ownership and more. To see this information you must ask ls for a “long form” listing, using the -l parameter:

$ ls -l
total 536
drwxrwxr-x 2 carol carol   4096 Dec 10 15:57 Another_Directory
-rw------- 1 carol carol 539663 Dec 10 10:43 picture.jpg
-rw-rw-r-- 1 carol carol   1881 Dec 10 15:57 text.txt

Each column on the output above has a meaning. Let us have a look at the columns relevant for this lesson.

  • The first column on the listing shows the file type and permissions. For example, on drwxrwxr-x:

    • The first character, d, indicates the file type.

    • The next three characters, rwx, indicate the permissions for the owner of the file, also referred to as user or u.

    • The next three characters, rwx, indicate the permissions of the group owning the file, also referred to as g.

    • The last three characters, r-x, indicate the permissions for anyone else, also known as others or o.

Tip

It is also common to hear the others permission set referred to as world permissions, as in “Everyone else in the world has these permissions”.

  • The third and fourth columns show ownership information: respectively the user and group that own the file.

  • The seventh and last column shows the file name.

The second column indicates the number of hard links pointing to that file. The fifth column shows the filesize. The sixth column shows the date and time the file was last modified. But these columns are not relevant for the current topic.

What about Directories?

If you try to query information about a directory using ls -l, it will show you a listing of the directory’s contents instead:

$ ls -l Another_Directory/
total 0
-rw-r--r-- 1 carol carol 0 Dec 10 17:59 another_file.txt

To avoid this and query information about the directory itself, add the -d parameter to ls:

$ ls -l -d Another_Directory/
drwxrwxr-x 2 carol carol 4096 Dec 10 17:59 Another_Directory/

Viewing Hidden Files

The directory listing we have retrieved using ls -l before is incomplete:

$ ls -l
total 544
drwxrwxr-x 2 carol carol   4096 Dec 10 17:59 Another_Directory
-rw------- 1 carol carol 539663 Dec 10 10:43 picture.jpg
-rw-rw-r-- 1 carol carol   1881 Dec 10 15:57 text.txt

There are three other files in that directory, but they are hidden. On Linux, files whose name starts with a period (.) are automatically hidden. To see them we need to add the -a parameter to ls:

$ ls -l -a
total 544
drwxrwxr-x 3 carol carol   4096 Dec 10 16:01 .
drwxrwxr-x 4 carol carol   4096 Dec 10 15:56 ..
drwxrwxr-x 2 carol carol   4096 Dec 10 17:59 Another_Directory
-rw------- 1 carol carol 539663 Dec 10 10:43 picture.jpg
-rw-rw-r-- 1 carol carol   1881 Dec 10 15:57 text.txt
-rw-r--r-- 1 carol carol      0 Dec 10 16:01 .thisIsHidden

The file .thisIsHidden is simply hidden because its name starts with ..

The directories . and .. however are special. . is a pointer to the current directory. And .. is a pointer to the parent directory, the one which contains the current one. In Linux, every directory contains at least these two directories.

Tip

You can combine multiple parameters for ls (and many other Linux commands). ls -l -a can, for example, be written as ls -la.

Understanding Filetypes

We have already mentioned that the first letter in each output of ls -l describes the type of the file. The three most common file types are:

- (normal file)

A file can contain data of any kind and help to manage this data. Files can be modified, moved, copied and deleted.

d (directory)

A directory contains other files or directories and helps to organize the file system. Technically, directories are a special kind of file.

l (symbolic link)

This “file” is a pointer to another file or directory elsewhere in the filesystem.

In addition to these, there are three other file types that you should at least know about, but are out of scope for this lesson:

b (block device)

This file stands for a virtual or physical device, usually disks or other kinds of storage devices, such as the first hard disk which might be represented by /dev/sda.

c (character device)

This file stands for a virtual or physical device. Terminals (like the main terminal on /dev/ttyS0) and serial ports are common examples of character devices.

s (socket)

Sockets serve as “conduits” passing information between two programs.

Warning

Do not alter any of the permissions on block devices, character devices or sockets, unless you know what you are doing. This may prevent your system from working!

Understanding Permissions

In the output of ls -l the file permissions are shown right after the filetype, as three groups of three characters each, in the order r, w and x. Here is what they mean. Keep in mind that a dash - represents the lack of a permission.

Permissions on Files

r

Stands for read and has an octal value of 4 (do not worry, we will discuss octals shortly). This means permission to open a file and read its contents.

w

Stands for write and has an octal value of 2. This means permission to edit or delete a file.

x

Stands for execute and has an octal value of 1. This means that the file can be run as an executable or script.

So, for example, a file with permissions rw- can be read and written to, but cannot be executed.

Permissions on Directories

r

Stands for read and has an octal value of 4. This means permission to read the directory’s contents, like filenames. But it does not imply permission to read the files themselves.

w

Stands for write and has an octal value of 2. This means permission to create or delete files in a directory.

Keep in mind that you cannot make these changes with write permissions alone, but also need execute permission (x) to change to the directory.

x

Stands for execute and has an octal value of 1. This means permission to enter a directory, but not to list its files (for that r is needed).

The last bit about directories may sound a bit confusing. Let us imagine, for example, that you have a directory named Another_Directory, with the following permissions:

$ ls -ld Another_Directory/
d--x--x--x 2 carol carol 4,0K Dec 20 18:46 Another_Directory

Also imagine that inside this directory you have a shell script called hello.sh:

-rwxr-xr-x 1 carol carol 33 Dec 20 18:46 hello.sh

If you are the user carol and try to list the contents of Another_Directory, you will get an error message, as your user lacks read permission for that directory:

$ ls -l Another_Directory/
ls: cannot open directory 'Another_Directory/': Permission denied

However, the user carol does have execute permissions, which means that she can enter the directory. Therefore, the user carol can access files inside the directory, as long as she has the correct permissions for the respective file. Let us assume the user has full permissions (rwx) for the script hello.sh. Then she can run the script, even though she cannot read the contents of the directory containing it if she knows the complete filename:

$ sh Another_Directory/hello.sh
Hello LPI World!

As we said before, permissions are specified in sequence: first for the owner of the file, then for the owning group, and then for other users. Whenever someone tries to perform an action on the file, the permissions are checked in the same fashion.

First the system checks if the current user owns the file, and if this is true it applies the first set of permissions only. Otherwise, it checks if the current user belongs to the group owning the file. In that case, it applies the second set of permissions only. In any other case, the system will apply the third set of permissions.

This means that if the current user is the owner of the file, only the owner permissions are effective, even if the group or other permissions are more permissive than the owner’s permissions.

Modifying File Permissions

The command chmod is used to modify the permissions for a file, and takes at least two parameters: the first one describes which permissions to change, and the second one points to the file or directory where the change will be made. Keep in mind that only the owner of the file, or the system administrator (root) can change the permissions on a file.

The permissions to change can be described in two different ways, or “modes”.

The first one, called symbolic mode offers fine grained control, allowing you to add or revoke a single permission without modifying others on the set. The other mode, called octal mode, is easier to remember and quicker to use if you wish to set all permission values at once.

Both modes will lead to the same end result. So, for example, the commands:

$ chmod ug+rw-x,o-rwx text.txt

and

$ chmod 660 text.txt

will produce exactly the same output, a file with the permissions set:

-rw-rw---- 1 carol carol  765 Dec 20 21:25 text.txt

Now, let us see how each mode works.

Symbolic Mode

When describing which permissions to change in symbolic mode the first character(s) indicate(s) whose permissions you will alter: the ones for the user (u), for the group (g), for others (o) and/or for everyone (a).

Then you need to tell the command what to do: you can grant a permission (+), revoke a permission (-), or set it to a specific value (=).

Lastly, you specify which permission you wish to act on: read (r), write (w), or execute (x).

For example, imagine we have a file called text.txt with the following permission set:

$ ls -l text.txt
-rw-r--r-- 1 carol carol 765 Dec 20 21:25 text.txt

If you wish to grant write permissions to members of the group owning the file, you would use the g+w parameter. It is easier if you think about it this way: “For the group (g), grant (+) write permissions (w)”. So, the command would be:

$ chmod g+w text.txt

Let us check the result with ls:

$ ls -l text.txt
-rw-rw-r-- 1 carol carol 765 Dec 20 21:25 text.txt

Do you wish to remove read permissions for the owner of the same file? Think about it as: “For the user (u), revoke (-) read permissions (r)”. So the parameter is u-r, like so:

$ chmod u-r text.txt
$ ls -l text.txt
--w-rw-r-- 1 carol carol 765 Dec 20 21:25 text.txt

What if we want to set the permissions exactly as rw- for everyone? Then think of it as: “For all (a), set exactly (=) read (r), write (w), and no execute (-)”. So:

$ chmod a=rw- text.txt
$ ls -l text.txt
-rw-rw-rw- 1 carol carol 765 Dec 20 21:25 text.txt

Of course, it is possible to modify multiple permissions at the same time. In this case, separate them with a comma (,):

$ chmod u+rwx,g-x text.txt
$ ls -lh text.txt
-rwxrw-rw- 1 carol carol 765 Dec 20 21:25 text.txt

The example above can be read as: “For the user (u), grant (+) read, write and execute (rwx) permissions, for the group (g), revoke (-) execute permissions (x)”.

When run on a directory, chmod modifies only the directory’s permissions. chmod also has a recursive mode, which is useful for when you want to change the permissions for “all files inside a directory and its subdirectories”. To use this, add the parameter -R after the command name, before the permissions to change:

$ chmod -R u+rwx Another_Directory/

This command can be read as: “Recursively (-R), for the user (u), grant (+) read, write and execute (rwx) permissions”.

Warning

Be careful and think twice before using the -R switch, as it is easy to change permissions on files and directories which you do not want to change, especially on directories with a large number of files and subdirectories.

Octal Mode

In octal mode, the permissions are specified in a different way: as a three-digit value on octal notation, a base-8 numeric system.

Each permission has a corresponding value, and they are specified in the following order: first comes read (r), which is 4, then write (w), which is 2 and last is execute (x), represented by 1. If there is no permission, use the value zero (0). So, a permission of rwx would be 7 (4+2+1) and r-x would be 5 (4+0+1).

The first of the three digits on the permission set represents the permissions for the user (u), the second for the group (g) and the third for others (o). If we wanted to set the permissions for a file to rw-rw----, the octal value would be 660:

$ chmod 660 text.txt
$ ls -l text.txt
-rw-rw---- 1 carol carol 765 Dec 20 21:25 text.txt

Besides this, the syntax in octal mode is the same as in symbolic mode, the first parameter represents the permissions you wish to change, and the second parameter points to the file or directory where the change will be made.

Tip

If a permission value is odd, the file surely is executable!

Which syntax should you use? The octal mode is recommended if you want to change the permissions to a specific value, for example 640 (rw- r-- ---).

The symbolic mode is more useful if you want to flip just a specific value, regardless of the current permissions for the file. For example, you can add execute permissions for the user using just chmod u+x script.sh without regard to, or even touching, the current permissions for the group and others.

Modifying File Ownership

The command chown is used to modify the ownership of a file or directory. The syntax is quite simple:

chown USERNAME:GROUPNAME FILENAME

For example, let us check a file called text.txt:

$ ls -l text.txt
-rw-rw---- 1 carol carol 1881 Dec 10 15:57 text.txt

The user who owns the file is carol, and the group is also carol. Now, we will change the group owning the file to some other group, like students:

$ chown carol:students text.txt
$ ls -l text.txt
-rw-rw---- 1 carol students 1881 Dec 10 15:57 text.txt

Keep in mind that the user who owns a file does not need to belong to the group who owns a file. In the example above, the user carol does not need to be a member of the students group.

The user or group permission set can be omitted if you do not wish to change them. So, to change just the group owning a file you would use chown :students text.txt. To change just the user, the command would be chown carol: text.txt or just chown carol text.txt. Alternatively, you could use the command chgrp students text.txt.

Unless you are the system administrator (root), you cannot change ownership of a file to another user or group you do not belong to. If you try to do this, you will get the error message Operation not permitted.

Querying Groups

Before changing the ownership of a file, it might be useful to know which groups exist on the system, which users are members of a group and to which groups a user belongs.

To see which groups exist on your system, type getent group. The output will be similar to this one (the output has been abbreviated):

$ getent group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:syslog,rigues
tty:x:5:rigues
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:rigues

If you want to know to which groups a user belongs, add the username as a parameter to groups:

$ groups carol
carol : carol students cdrom sudo dip plugdev lpadmin sambashare

To do the reverse (see which users belong to a group) use groupmems. The parameter -g specifies the group, and -l will list all of its members:

# groupmems -g cdrom -l
carol
Tip

groupmems can only be run as root, the system administrator. If you are not currently logged in as root, add sudo before the command.

Default Permissions

Let us try an experiment. Open a terminal window and create an empty file with the following command:

$ touch testfile

Now, let us take a look at the permissions for this file. They may be different on your system, but let us assume they look like the following:

$ ls -lh testfile
-rw-r--r-- 1 carol carol 0 jul 13 21:55 testfile

The permissions are rw-r—​r--: read and write for the user, and read for the group and others, or 644 in octal mode. Now, try creating a directory:

$ mkdir testdir
$ ls -lhd testdir
drwxr-xr-x 2 carol carol 4,0K jul 13 22:01 testdir

Now the permissions are rwxr-xr-x : read, write and execute for the user, read and execute for the group and others, or 755 in octal mode.

No matter where you are in the filesystem every file or directory you create will get those same permissions. Did you ever wonder where they come from?

They come from the user mask or umask, which sets the default permissions for every file created. You can check the current values with the umask command:

$ umask
0022

But that does not look like rw-r—​r--, or even 644. Maybe we should try with the -S parameter, to get an output in symbolic mode:

$ umask -S
u=rwx,g=rx,o=rx

Those are the same permissions our test directory got in one of the examples above. But, why is it that when we created a file the permissions were different?

Well, it makes no sense to set global execute permissions for everyone on any file by default, right? Directories need execute permissions (otherwise you cannot enter them), but files do not, so they do not get them. Hence the rw-r—​r--.

Besides displaying the default permissions, umask can also be used to change them for your current shell session. For example, if we use the command:

$ umask u=rwx,g=rwx,o=

Every new directory will inherit the permissions rwxrwx---, and every file rw-rw---- (as they do not get execute permissions). If you repeat the examples above to create a testfile and testdir and check the permissions, you should get:

$ ls -lhd test*
drwxrwx--- 2 carol carol 4,0K jul 13 22:25 testdir
-rw-rw---- 1 carol carol    0 jul 13 22:25 testfile

And if you check the umask without the -S (symbolic mode) parameter, you get:

$ umask
0007

The result does not look familiar because the values used are different. Here is a table with every value and its respective meaning:

Value Permission for Files Permission for Directories

0

rw-

rwx

1

rw-

rw-

2

r--

r-x

3

r--

r--

4

-w-

-wx

5

-w-

-w-

6

---

--x

7

---

---

As you can see, 007 corresponds to rwxrwx---, exactly as we requested. The leading zero can be ignored.

Special Permissions

Besides the read, write and execute permissions for user, group and others, each file can have three other special permissions which can alter the way a directory works or how a program runs. They can be specified either in symbolic or octal mode, and are as follows:

Sticky Bit

The sticky bit, also called the restricted deletion flag, has the octal value 1 and in symbolic mode is represented by a t within the other’s permissions. This applies only to directories, and has no effect on normal files. On Linux it prevents users from removing or renaming a file in a directory unless they own that file or directory.

Directories with the sticky bit set show a t replacing the x on the permissions for others on the output of ls -l:

$ ls -ld Sample_Directory/
drwxr-xr-t 2 carol carol 4096 Dec 20 18:46 Sample_Directory/

In octal mode, the special permissions are specified using a 4-digit notation, with the first digit representing the special permission to act upon. For example, to set the sticky bit (value 1) for the directory Another_Directory in octal mode, with permissions 755, the command would be:

$ chmod 1755 Another_Directory
$ ls -ld Another_Directory
drwxr-xr-t 2 carol carol 4,0K Dec 20 18:46 Another_Directory

Set GID

Set GID, also known as SGID or Set Group ID bit, has the octal value 2 and in symbolic mode is represented by an s on the group permissions. This can be applied to executable files or directories. On files, it will make the process run with the privileges of the group who owns the file. When applied to directories, it will make every file or directory created under it inherit the group from the parent directory.

Files and directories with SGID bit show an s replacing the x on the permissions for the group on the output of ls -l:

$ ls -l test.sh
-rwxr-sr-x 1 carol root 33 Dec 11 10:36 test.sh

To add SGID permissions to a file in symbolic mode, the command would be:

$ chmod g+s test.sh
$ ls -l test.sh
-rwxr-sr-x 1 carol root     33 Dec 11 10:36 test.sh

The following example will help you better understand the effects of SGID on a directory. Suppose we have a directory called Sample_Directory, owned by the user carol and the group users, with the following permission structure:

$ ls -ldh Sample_Directory/
drwxr-xr-x 2 carol users 4,0K Jan 18 17:06 Sample_Directory/

Now, let us change to this directory and, using the command touch, create an empty file inside of it. The result would be:

$ cd Sample_Directory/
$ touch newfile
$ ls -lh newfile
-rw-r--r-- 1 carol carol 0 Jan 18 17:11 newfile

As we can see, the file is owned by the user carol and group carol. But, if the directory had the SGID permission set, the result would be different. First, let us add the SGID bit to the Sample_Directory and check the results:

$ sudo chmod g+s Sample_Directory/
$ ls -ldh Sample_Directory/
drwxr-sr-x 2 carol users 4,0K Jan 18 17:17 Sample_Directory/

The s on the group permissions indicates that the SGID bit is set. Now, we will change to this directory and, again, create an empty file with the touch command:

$ cd Sample_Directory/
$ touch emptyfile
$ ls -lh emptyfile
 -rw-r--r-- 1 carol users 0 Jan 18 17:20 emptyfile

The group who owns the file is users. This is because the SGID bit made the file inherit the group owner of its parent directory, which is users.

Set UID

SUID, also known as Set User ID, has the octal value 4 and is represented by an s on the user permissions in symbolic mode. It only applies to files and has no effect on directories. Its behavior is similar to the SGID bit, but the process will run with the privileges of the user who owns the file. Files with the SUID bit show a s replacing the x on the permissions for the user on the output of ls -l:

$ ls -ld test.sh
-rwsr-xr-x 1 carol carol 33 Dec 11 10:36 test.sh

You can combine multiple special permissions on one parameter. So, to set SGID (value 2) and SUID (value 4) in octal mode for the script test.sh with permissions 755, you would type:

$ chmod 6755 test.sh

And the result would be:

$ ls -lh test.sh
-rwsr-sr-x 1 carol carol 66 Jan 18 17:29 test.sh
Tip

If your terminal supports color, and these days most of them do, you can quickly see if these special permissions are set by glancing at the output of ls -l. For the sticky bit, the directory name might be shown in a black font with blue background. The same applies for files with the SGID (yellow background) and SUID (red background) bits. Colors may be different depending on which Linux distribution and terminal settings you use.

Guided Exercises

  1. Create a directory named emptydir using the command mkdir emptydir. Now, using ls, list the permissions for the directory emptydir.

  2. Create an empty file named emptyfile with the command touch emptyfile. Now, using chmod in symbolic mode, add execute permissions for the owner of the file emptyfile, and remove write and execute permissions for everyone else. Do this using only one chmod command.

  3. What would the default permissions for a file be if the umask value is set to 027?

  4. Let us assume a file named test.sh is a shell script with the following permissions and ownership:

    -rwxr-sr-x 1 carol root     33 Dec 11 10:36 test.sh
    • What are the permissions for the owner of the file?

    • Using the octal notation, what would the syntax of chmod be to “unset” the special permission granted to this file?

  5. Consider this file:

    $ ls -l /dev/sdb1
    brw-rw---- 1 root disk 8, 17 Dec 21 18:51 /dev/sdb1

    Which type of file is sdb1? Who can write to it?

  6. Consider the following 4 files:

    drwxr-xr-t 2 carol carol 4,0K Dec 20 18:46 Another_Directory
    ----r--r-- 1 carol carol    0 Dec 11 10:55 foo.bar
    -rw-rw-r-- 1 carol carol 1,2G Dec 20 18:22 HugeFile.zip
    drwxr-sr-x 2 carol users  4,0K Jan 18 17:26 Sample_Directory

    Write down the corresponding permissions for each file and directory using octal mode using the 4-digit notation.

    Another_Directory

    foo.bar

    HugeFile.zip

    Sample_Directory

Explorational Exercises

  1. Try this on a terminal: create an empty file called emptyfile with the command touch emptyfile. Now “zero out” the permissions for the file with chmod 000 emptyfile. What will happen if you change the permissions for emptyfile by passing only one value for chmod in octal mode, like chmod 4 emptyfile? And if you use two, as in chmod 44 emptyfile? What can we learn about the way chmod reads the numerical value?

  2. Consider the permissions for the temporary directory on a Linux system, /tmp:

    $ ls -l /tmp
    drwxrwxrwt  19 root root  16K Dec 21 18:58 tmp

    User, group and others have full permissions. But can a regular user delete any files inside this directory? Why is this the case?

  3. A file called test.sh has the following permissions: -rwsr-xr-x, meaning the SUID bit is set. Now, run the following commands:

    $ chmod u-x test.sh
    $ ls -l test.sh
    -rwSr-xr-x 1 carol carol 33 Dec 11 10:36 test.sh

    What did we do? What does the uppercase S mean?

  4. How would you create a directory named Box where all the files are automatically owned by the group users, and can only be deleted by the user who created them?

Summary

In this lesson you have learned how to use ls to get (and decode) information about file permissions, how to control or change who can create, delete or modify a file with chmod, both in octal and symbolic modes, how to change the ownership of files with chown and chgrp and how to query and change the default permissions mask for files and directories with umask

The following commands were discussed in this lesson:

ls

List files, optionally including details such as permissions.

chmod

Change the permissions of a file or directory.

chown

Change the owning user and/or group of a file or directory.

chgrp

Change the owning group of a file or directory.

umask

Query, or set, the default permissions mask for files and directories

Answers to Guided Exercises

  1. Create a directory named emptydir using the command mkdir emptydir. Now, using ls, list the permissions for the directory emptydir.

    Add the -d parameter to ls to see the file attributes of a directory, instead of listing its contents. So, the answer is:

    ls -l -d emptydir

    Bonus points if you merged the two parameters in one, as in ls -ld emptydir.

  2. Create an empty file named emptyfile with the command touch emptyfile. Now, using chmod on symbolic mode, add execute permissions for the owner of the file emptyfile, and remove write and execute permissions for everyone else. Do this using only one chmod command.

    Think about it this way:

    • “For the user who owns the file (u) add (+) execute (x) permissions”, so u+x.

    • “For the group (g) and other users (o), remove (-) write (w) and execute (x) permissions”, so go-wx.

      To combine these two sets of permissions, we add a comma between them. So the final result is:

      chmod u+x,go-wx emptyfile
  3. What would the default permissions be for a file if the umask value is set to 027?

    The permissions would be rw-r-----

  4. Let us assume a file named test.sh is a shell script with the following permissions and ownership:

    -rwxr-sr-x 1 carol root     33 Dec 11 10:36 test.sh
    • What are the permissions for the owner of the file?

      The permissions for the owner (2nd to 4th characters in the output of ls -l) are rwx, so the answer is: “to read, to write to and to execute the file”.

    • Using the octal notation, which should be the syntax of chmod to “unset” the special permission granted to this file?

      We can “unset” the special permissions by passing a 4th digit, 0, to chmod. The current permissions are 755, so the command should be chmod 0755.

  5. Consider this file:

    $ ls -l /dev/sdb1
    brw-rw---- 1 root disk 8, 17 Dec 21 18:51 /dev/sdb1

    Which type of file is sdb1? Who can write to it?

    The first character on the output of ls -l shows the type of file. b is a block device, usually a disk (internal or external), connected to the machine. The owner (root) and any users of the group disk can write to it.

  6. Consider the following 4 files:

    drwxr-xr-t 2 carol carol 4,0K Dec 20 18:46 Another_Directory
    ----r--r-- 1 carol carol    0 Dec 11 10:55 foo.bar
    -rw-rw-r-- 1 carol carol 1,2G Dec 20 18:22 HugeFile.zip
    drwxr-sr-x 2 carol users 4,0K Jan 18 17:26 Sample_Directory

    Write down the corresponding permissions for each file and directory using octal mode using the 4-digit notation.

    The corresponding permissions, in octal mode, are as follows:

    Another_Directory

    1755. 1 for the sticky bit, 755 for the regular permissions (rwx for the user, r-x for group and others).

    foo.bar

    0044. No special permissions (so the first digit is 0), no permissions for the user (---) and just read (r—​r--) for group and others.

    HugeFile.zip

    0664. No special permissions, so the first digit is 0. 6 (rw-) for the user and group, 4 (r--) for the others.

    Sample_Directory

    2755. 2 for the SGID bit, 7 (rwx) for the user, 5 (r-x) for the group and others.

Answers to Explorational Exercises

  1. Try this on a terminal: create an empty file called emptyfile with the command touch emptyfile. Now “zero out” the permissions for the file with chmod 000 emptyfile. What will happen if you change the permissions for emptyfile by passing only one value for chmod in octal mode, like chmod 4 emptyfile? And if you use two, as in chmod 44 emptyfile? What can we learn about the way chmod reads the numerical value?

    Remember that we “zeroed out” the permissions for emptyfile. So, its initial state would be:

    ---------- 1 carol carol    0 Dec 11 10:55 emptyfile

    Now, let us try the first command, chmod 4 emptyfile:

    $ chmod 4 emptyfile
    $ ls -l emptyfile
    -------r-- 1 carol carol 0 Dec 11 10:55 emptyfile

    See? The permissions for others were changed. And what if we try two digits, like in chmod 44 emptyfile?

    $ chmod 44 emptyfile
    $ ls -l emptyfile
    ----r--r-- 1 carol carol 0 Dec 11 10:55 emptyfile

    Now, the permissions for group and others were affected. From this, we can conclude that in octal mode chmod reads the value “backwards”, from the least significant digit (others) to the most significant one (user). If you pass one digit, you modify the permissions for others. With two digits you modify group and others, and with three you modify user, group and others and with four digits you modify user, group, others and the special permissions.

  2. Consider the permissions for the temporary directory on a Linux system, /tmp:

    $ ls -l /tmp
    drwxrwxrwt  19 root root  16K Dec 21 18:58 tmp

    User, group and others have full permissions. But can a regular user delete any files inside this directory? Why is this the case?

    /tmp is what we call a world writeable directory, meaning that any user can write to it. But we don’t want one user messing with files created by others, so the sticky bit is set (as indicated by the t on the permissions for others). This means that a user can delete files on /tmp, but only those created by himself.

  3. A file called test.sh has the following permissions: -rwsr-xr-x, meaning the SUID bit is set. Now, run the following commands:

    $ chmod u-x test.sh
    $ ls -l test.sh
    -rwSr-xr-x 1 carol carol 33 Dec 11 10:36 test.sh

    What did we do? What does the uppercase S mean?

    We removed execute permissions for the user who owns the file. The s (or t) takes the place of the x on the output of ls -l, so the system needs a way to show if the user has execute permissions or not. It does this by changing the case of the special character.

    A lowercase s on the first group of permissions means that the user who owns the file has execute permissions and that the SUID bit is set. An uppercase S means that the user who owns the file lacks (-) execute permissions and that the SUID bit is set.

    The same can be said for SGID, a lowercase s on the second group of permissions means that the group who owns the file has execute permissions and that the SGID bit is set. An uppercase S means that the group who owns the file lacks (-) execute permissions and that the SGID bit is set.

    This is also true for the sticky bit, represented by the t on the third group of permissions. Lowercase t means sticky bit set and that others have execute permissions. Uppercase T means sticky bit set and that others do not have execute permissions.

  4. How would you create a directory named Box where all the files are automatically owned by the group users, and can only be deleted by the user who created them?

    This is a multi-step process. The first step is to create the directory:

    $ mkdir Box

    We want every file created inside this directory to be automatically assigned to the group users. We can do this by setting this group as the owner of the directory, and then by setting the SGID bit on it. We also need to make sure that any member of the group can write to that directory.

    Since we do not care about what the other permissions are, and want to “flip” only the special bits, it makes sense to use the symbolic mode:

    $ chown :users Box/
    $ chmod g+wxs Box/

    Note that if your current user does not belong to the group users, you will have to use the command sudo before the commands above to do the change as root.

    Now for the last part, making sure that only the user who created a file is allowed to delete it. This is done by setting the sticky bit (represented by a t) on the directory. Remember that it is set on the permissions for others (o).

    $ chmod o+t Box/

    The permissions on the directory Box should be as follows:

    drwxrwsr-t 2 carol users  4,0K Jan 18 19:09 Box

    Of course, you can specify SGID and the sticky bit using only one chmod command:

    $ chmod g+wxs,o+t Box/

    Bonus points if you thought of that.

Linux Professional Insitute Inc. All rights reserved. Visit the Learning Materials website: https://learning.lpi.org
This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.

Next Lesson

104.6 Create and change hard and symbolic links (104.6 Lesson 1)

Read next lesson

Linux Professional Insitute Inc. All rights reserved. Visit the Learning Materials website: https://learning.lpi.org
This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.

LPI is a non-profit organization.

© 2023 Linux Professional Institute (LPI) is the global certification standard and career support organization for open source professionals. With more than 200,000 certification holders, it's the world’s first and largest vendor-neutral Linux and open source certification body. LPI has certified professionals in over 180 countries, delivers exams in multiple languages, and has hundreds of training partners.

Our purpose is to enable economic and creative opportunities for everybody by making open source knowledge and skills certification universally accessible.

  • LinkedIn
  • flogo-RGB-HEX-Blk-58 Facebook
  • Twitter
  • Contact Us
  • Privacy and Cookie Policy

Spot a mistake or want to help improve this page? Please let us know.

© 1999–2023 The Linux Professional Institute Inc. All rights reserved.