מבוא

מערכת לינוקס היא מערכת רב-משתמשית, ולכן היא צריכה אמצעי למעקב אחר בעלות על כל קובץ והאם למשתמש יש הרשאה לבצע פעולות על קובץ זה. זה נועד להבטיח את פרטיות המשתמשים שיכולים לשמור על תוכן הקבצים שלהם בסודיות, כמו גם לאפשר שיתוף פעולה על ידי הפיכת קבצים מסוימים לנגישים למספר משתמשים.

מערכת הרשאות זו פועלת בשלוש רמות: כל קובץ בדיסק שייך למשתמש ולחברה (קבוצה) של משתמשים, והוא כולל שלושה סטים של הרשאות: אחד לבעל הקובץ, אחד לקבוצה המחזיקה בקובץ ואחד לשאר המשתמשים. בשיעור זה תלמד כיצד לשאול מידע על הרשאות של קובץ וכיצד לשנות אותן.

שאילת מידע על קבצים ותיקיות

הפקודה ls משמשת להצגת תוכן של כל תיקייה. בצורה הבסיסית שלה, היא מציגה רק את שמות הקבצים:

$ ls
Another_Directory picture.jpg text.txt

עם זאת, יש הרבה יותר מידע שניתן לקבל עבור כל קובץ, כולל סוג, גודל, בעלות ועוד. כדי לראות מידע זה יש לבקש מ-ls להציג “רשימה מפורטת” באמצעות הפרמטר -l:

$ ls -l
total 536
drwxrwxr-x 2 carol carol 4096 Dec 10 15:57 Another_Directory
-rw------- 1 carol carol 539663 Dec 10 10:43 picture.jpg
-rw-rw-r-- 1 carol carol 1881 Dec 10 15:57 text.txt

כל עמודה בפלט הנ”ל מייצגת משמעות מסוימת:

• העמודה הראשונה מראה את סוג הקובץ וההרשאות שלו.
  • התו הראשון, d, מציין את סוג הקובץ.
  • שלושת התווים הבאים, rwx, מציינים את ההרשאות של בעל הקובץ.
  • שלושת התווים הבאים, rwx, מציינים את ההרשאות של הקבוצה המחזיקה בקובץ.
  • שלושת התווים האחרונים, r-x, מציינים את ההרשאות של כל שאר המשתמשים.
• העמודה השנייה מציינת את מספר הקישורים הקשיחים לקובץ.
• העמודה השלישית והרביעית מראות את בעלות הקובץ: המשתמש והקבוצה שמחזיקים בקובץ.
• העמודה החמישית מציגה את גודל הקובץ בבתים.
• העמודה השישית מציגה את התאריך והשעה המדויקים שבהם הקובץ שונה לאחרונה.
• העמודה השביעית והאחרונה מציגה את שם הקובץ.

אם תרצה לראות את גודל הקבצים בפורמט “קריא לאדם”, ניתן להוסיף את הפרמטר -h:

$ ls -lh
total 1,2G
drwxrwxr-x 2 carol carol 4,0K Dec 10 17:59 Another_Directory
-rw------- 1 carol carol 528K Dec 10 10:43 picture.jpg
---xr-xr-x 1 carol carol 33 Dec 11 10:36 test.sh

לראות מידע רק על קבצים מסוימים ניתן להוסיף את שמות הקבצים לפקודה:

$ ls -lh HugeFile.zip test.sh
total 1,2G
-rw-rw-r-- 1 carol carol 1,2G Dec 20 18:22 HugeFile.zip
---xr-xr-x 1 carol carol 33 Dec 11 10:36 test.sh

מה לגבי תיקיות?

אם תנסה לשאול מידע על תיקייה באמצעות ls -l, היא תציג לך את תוכן התיקייה במקום מידע על התיקייה עצמה:

$ ls -l Another_Directory/
total 0
-rw-r--r-- 1 carol carol 0 Dec 10 17:59 another_file.txt

כדי לראות מידע על התיקייה עצמה יש להוסיף את הפרמטר -d:

$ ls -l -d Another_Directory/
drwxrwxr-x 2 carol carol 4096 Dec 10 17:59 Another_Directory/

הצגת קבצים מוסתרים

בפלט הקודם של ls -l ישנם שלושה קבצים מוסתרים שלא מוצגים. קבצים בלינוקס ששמם מתחיל בנקודה (.) מוסתרים אוטומטית. כדי לראותם יש להוסיף את הפרמטר -a:

$ ls -l -a
total 544
drwxrwxr-x 3 carol carol 4096 Dec 10 16:01 .
drwxrwxr-x 4 carol carol 4096 Dec 10 15:56 ..
drwxrwxr-x 2 carol carol 4096 Dec 10 17:59 Another_Directory
-rw------- 1 carol carol 539663 Dec 10 10:43 picture.jpg
-rw-rw-r-- 1 carol carol 1881 Dec 10 15:57 text.txt
-rw-r--r-- 1 carol carol 0 Dec 10 16:01 .thisIsHidden

קובץ .thisIsHidden מוסתר כי שמו מתחיל בנקודה.

התיקיות . ו-.. הן מיוחדות. . הוא מצביע לתיקייה הנוכחית ו-.. מצביע לתיקיית האב.

טיפ: ניתן לשלב פרמטרים לפקודה ls (ולפקודות רבות אחרות). לדוגמה, ls -l -a ניתן

$ ls -ld Another_Directory/
d--xr-xr-x 2 carol carol 4,0K Dec 20 18:46 Another_Directory

-rwxr-xr-x 1 carol carol 33 Dec 20 18:46 hello.sh

$ ls -l Another_Directory/
ls: cannot open directory 'Another_Directory/': Permission denied

$ sh Another_Directory/hello.sh
Hello LPI World!

$ chmod ug+rw-x,o-rwx text.txt
$ chmod 660 text.txt

-rw-rw---- 1 carol carol 765 Dec 20 21:25 text.txt

$ ls -l text.txt
-rw-r--r-- 1 carol carol 765 Dec 20 21:25 text.txt

$ chmod g+w text.txt

$ ls -l text.txt
-rw-rw-r-- 1 carol carol 765 Dec 20 21:25 text.txt

$ chmod u-r text.txt
$ ls -l text.txt
--w-rw-r-- 1 carol carol 765 Dec 20 21:25 text.txt

$ chmod a=rw- text.txt
$ ls -l text.txt
-rw-rw-rw- 1 carol carol 765 Dec 20 21:25 text.txt

$ chmod u+rwx,g-x text.txt
$ ls -lh text.txt
-rwxrw-rw- 1 carol carol 765 Dec 20 21:25 text.txt

$ chmod -R u+rwx Another_Directory/

$ chmod 660 text.txt
$ ls -l text.txt
-rw-rw---- 1 carol carol 765 Dec 20 21:25 text.txt

chown username:groupname filename

$ ls -l text.txt
-rw-rw---- 1 carol carol 1881 Dec 10 15:57 text.txt

$ chown carol:students text.txt
$ ls -l text.txt
-rw-rw---- 1 carol students 1881 Dec 10 15:57 text.txt

$ groups
carol students cdrom sudo dip plugdev lpadmin sambashare

$ groups carol
carol : carol students cdrom sudo dip plugdev lpadmin sambashare

$ sudo groupmems -g cdrom -l
carol

$ ls -ld Sample_Directory/
drwxr-xr-t 2 carol carol 4096 Dec 20 18:46 Sample_Directory/

$ chmod 1755 Another_Directory
$ ls -ld Another_Directory
drwxr-xr-t 2 carol carol 4,0K Dec 20 18:46 Another_Directory

$ ls -l test.sh
-rwxr-sr-x 1 carol carol 33 Dec 11 10:36 test.sh

$ chmod g+s test.sh
$ ls -l test.sh
-rwxr-sr-x 1 carol root 33 Dec 11 10:36 test.sh

$ ls -ldh Sample_Directory/
drwxr-xr-x 2 carol users 4,0K Jan 18 17:06 Sample_Directory/

$ cd Sample_Directory/
$ touch newfile
$ ls -lh newfile
-rw-r--r-- 1 carol carol 0 Jan 18 17:11 newfile

$ sudo chmod g+s Sample_Directory/
$ ls -ldh Sample_Directory/
drwxr-sr-x 2 carol users 4,0K Jan 18 17:17 Sample_Directory/

$ cd Sample_Directory/
$ touch emptyfile
$ ls -lh emptyfile
-rw-r--r-- 1 carol users 0 Jan 18 17:20 emptyfile

$ ls -ld test.sh
-rwsr-xr-x 1 carol carol 33 Dec 11 10:36 test.sh

$ chmod 6755 test.sh

$ ls -lh test.sh
-rwsr-sr-x 1 carol carol 66 Jan 18 17:29 test.sh

Introduction
Being a multi-user system, Linux needs some way to track who owns each file and whether or not a
user is allowed to perform actions on that file. This is to ensure the privacy of users who might want
to keep the content of their files confidential, as well as to ensure collaboration by making certain
files accessible to multiple users.
This is done through a three-level permissions system: every file on disk is owned by a user and a
user group and has three sets of permissions: one for its owner, one the group who owns the file and
one for everyone else. In this lesson, you will learn how to query the permissions for a file and how
to manipulate them.
Querying Information about Files and Directories
The command ls is used to get a listing of the contents of any directory. In this basic form, all you
get are the filenames:
$ ls
Another_Directory picture.jpg text.txt
Linux Essentials (Version 1.6) | Topic 5: Security and File Permissions
392 | learning.lpi.org | Licensed for Cyber School. | Version: 2022-04-29
But there is much more information available for each file, including type, size, ownership and more.
To see this information you must ask ls for a “long form” listing, using the -l parameter:
$ ls -l
total 536
drwxrwxr-x 2 carol carol 4096 Dec 10 15:57 Another_Directory
-rw——- 1 carol carol 539663 Dec 10 10:43 picture.jpg
-rw-rw-r– 1 carol carol 1881 Dec 10 15:57 text.txt
Each column on the output above has a meaning:
• The first column on the listing shows the file type and permissions.
For example, on drwxrwxr-x:
◦ The first character, d, indicates the file type.
◦ The next three characters, rwx, indicate the permissions for the owner of the file, also
referred to as user or u.
◦ The next three characters, rwx, indicate the permissions of the group owning the file, also
referred to as g.
◦ The last three characters, r-x, indicate the permissions for anyone else, also known as others
or o.
• The second column indicates the number of hard links pointing to that file. For a directory, this
means the number of subdirectories, plus a link to itself (.) and the parent directory (..).
• The third and fourth columns show ownership information: respectively the user and group that
own the file.
• The fifth column shows the filesize, in bytes.
• The sixth column shows the precise date and time, or timestamp, when the file was last modified.
• The seventh and last column shows the file name.
If you wish to see the filesizes in “human readable” format, add the -h parameter to ls. Files less
than one kilobyte in size will have the size shown in bytes. Files with more than one kilobyte and
less than one megabyte will have a K added after the size, indicating the size is in kilobytes. The
same follows for filesizes in the megabyte (M) and gigabyte (G) ranges:
Linux Essentials (Version 1.6) | 5.3 Managing File Permissions and Ownership
Version: 2022-04-29 | Licensed for Cyber School. | learning.lpi.org | 393
$ ls -lh
total 1,2G
drwxrwxr-x 2 carol carol 4,0K Dec 10 17:59 Another_Directory
—-r–r– 1 carol carol 0 Dec 11 10:55 foo.bar
-rw-rw-r– 1 carol carol 1,2G Dec 20 18:22 HugeFile.zip
-rw——- 1 carol carol 528K Dec 10 10:43 picture.jpg
—xr-xr-x 1 carol carol 33 Dec 11 10:36 test.sh
-rwxr–r– 1 carol carol 1,9K Dec 20 18:13 text.txt
-rw-rw-r– 1 carol carol 2,6M Dec 11 22:14 Zipped.zip
To only show information on a specific set of files, add the names of these files to ls:
$ ls -lh HugeFile.zip test.sh
total 1,2G
-rw-rw-r– 1 carol carol 1,2G Dec 20 18:22 HugeFile.zip
—xr-xr-x 1 carol carol 33 Dec 11 10:36 test.sh
What about Directories?
If you try to query information about a directory using ls -l, it will show you a listing of the
directory contents instead:
$ ls -l Another_Directory/
total 0
-rw-r–r– 1 carol carol 0 Dec 10 17:59 another_file.txt
To avoid this and query information about the directory itself, add the -d parameter to ls:
$ ls -l -d Another_Directory/
drwxrwxr-x 2 carol carol 4096 Dec 10 17:59 Another_Directory/
Seeing Hidden Files
The directory listing we have retrieved using ls -l before is incomplete:
Linux Essentials (Version 1.6) | Topic 5: Security and File Permissions
394 | learning.lpi.org | Licensed for Cyber School. | Version: 2022-04-29
$ ls -l
total 544
drwxrwxr-x 2 carol carol 4096 Dec 10 17:59 Another_Directory
-rw——- 1 carol carol 539663 Dec 10 10:43 picture.jpg
-rw-rw-r– 1 carol carol 1881 Dec 10 15:57 text.txt
There are three other files in that directory, but they are hidden. On Linux, files whose name starts
with a period (.) are automatically hidden. To see them we need to add the -a parameter to ls:
$ ls -l -a
total 544
drwxrwxr-x 3 carol carol 4096 Dec 10 16:01 .
drwxrwxr-x 4 carol carol 4096 Dec 10 15:56 ..
drwxrwxr-x 2 carol carol 4096 Dec 10 17:59 Another_Directory
-rw——- 1 carol carol 539663 Dec 10 10:43 picture.jpg
-rw-rw-r– 1 carol carol 1881 Dec 10 15:57 text.txt
-rw-r–r– 1 carol carol 0 Dec 10 16:01 .thisIsHidden
The file .thisIsHidden is simply hidden because its name starts with ..
The directories . and .. however are special. . is a pointer to the current directory, while .. is a
pointer to the parent directory (the directory which contains the current directory). In Linux, every
directory contains at least these two special directories.
TIP You can combine multiple parameters for ls (and many other Linux commands). ls
-l -a can, for example, be written as ls -la.

Understanding Filetypes
We have already mentioned that the first letter in each output of ls -l describes the type of the file.
The three most common file types are:
– (normal file)
A file can contain data of any kind. Files can be modified, moved, copied and deleted.
d (directory)
A directory contains other files or directories and helps to organize the file system. Technically,
directories are a special kind of file.
Linux Essentials (Version 1.6) | 5.3 Managing File Permissions and Ownership
Version: 2022-04-29 | Licensed for Cyber School. | learning.lpi.org | 395
l (soft link)
This “file” is a pointer to another file or directory elsewhere in the filesystem.
In addition to those, there are three other file types that you should at least know about, but are out
of scope for this lesson:
b (block device)
This file stands for a virtual or physical device, usually disks or other kinds of storage devices.
For example, the first hard disk in the system might be represented by /dev/sda.
c (character device)
This file stands for a virtual or physical device. Terminals (like the main terminal on /dev/ttyS0)
and serial ports are common examples of character devices.
s (socket)
Sockets serve as “conduits” passing information between two programs.
WARNING
Do not alter any of the permissions on block devices, character devices or
sockets, unless you know what you’re doing. This may prevent your system
from working!
Understanding Permissions
In the output of ls -l the file permissions are shown right after the filetype, as three groups of three
characters each, in the order r, w and x. Here is what they mean. Keep in mind that a dash –
represents the lack of a particular permission.
Permissions on Files
r
Stands for read and has an octal value of 4 (don’t worry, we will discuss octals shortly). This
means permission to open a file and read its contents.
w
Stands for write and has an octal value of 2. This means permission to edit or delete a file.
x
Stands for execute and has an octal value of 1. This means that the file can be run as an
executable or script.
Linux Essentials (Version 1.6) | Topic 5: Security and File Permissions
396 | learning.lpi.org | Licensed for Cyber School. | Version: 2022-04-29
So, for example, a file with permissions rw- can be read and written to, but cannot be executed.
Permissions on Directories
r
Stands for read and has an octal value of 4. This means permission to read the directory’s
contents, like filenames. But it does not imply permission to read the files themselves.
w
Stands for write and has an octal value of 2. This means permission to create or delete files in a
directory, or change their names, permissions and owners. If a user has the write permission on a
directory, the user can change permissions of any file in the directory, even if the user has no
permissions on the file or if the file is owned by another user.
x
Stands for execute and has an octal value of 1. This means permission to enter a directory, but not
to list its files (for that, the r permission is needed).
The last bit about directories may sound a bit confusing. Let’s imagine, for example, that you have a
directory named Another_Directory, with the following permissions:
$ ls -ld Another_Directory/
d–xr-xr-x 2 carol carol 4,0K Dec 20 18:46 Another_Directory
Also imagine that inside this directory you have a shell script called hello.sh with the following
permissions:
-rwxr-xr-x 1 carol carol 33 Dec 20 18:46 hello.sh
If you are the user carol and try to list the contents of Another_Directory, you will get an error
message, as your user lacks read permission for that directory:
$ ls -l Another_Directory/
ls: cannot open directory ‘Another_Directory/’: Permission denied
However, the user carol does have execute permissions, which means that she can enter the
directory. Therefore, the user carol can access files inside the directory, as long as she has the
correct permissions for the respective file. In this example, the user has full permissions for the script
Linux Essentials (Version 1.6) | 5.3 Managing File Permissions and Ownership
Version: 2022-04-29 | Licensed for Cyber School. | learning.lpi.org | 397
hello.sh, so she can run the script, even if she can’t read the contents of the directory containing it.
All that is needed is the complete filename.
$ sh Another_Directory/hello.sh
Hello LPI World!
As we said before, permissions are specified in sequence: first for the owner of the file, then for the
owning group, and then for other users. Whenever someone tries to perform an action on the file,
the permissions are checked in the same fashion. First the system checks if the current user owns the
file, and if this is true it applies the first set of permissions only. Otherwise, it checks if the current
user belongs to the group owning the file. In that case, it applies the second set of permissions only.
In any other case, the system will apply the third set of permissions. This means that if the current
user is the owner of the file, only the owner permissions are effective, even if the group or other
permissions are more permissive than the owner’s permissions.

Modifying File Permissions
The command chmod is used to modify the permissions for a file, and takes at least two parameters:
the first one describes which permissions to change, and the second one points to the file or
directory where the change will be made. However, the permissions to change can be described in
two different ways, or “modes”.
The first one, called symbolic mode offers fine grained control, allowing you to add or revoke a single
permission without modifying others on the set. The other mode, called numeric mode, is easier to
remember and quicker to use if you wish to set all permission values at once.
Both modes will lead to the same end result. So, for example, the commands:
$ chmod ug+rw-x,o-rwx text.txt
and
$ chmod 660 text.txt
will produce exactly the same output, a file with the permissions set:
-rw-rw—- 1 carol carol 765 Dec 20 21:25 text.txt
Linux Essentials (Version 1.6) | Topic 5: Security and File Permissions
398 | learning.lpi.org | Licensed for Cyber School. | Version: 2022-04-29
Now, let’s understand how each mode works.
Symbolic Mode
When describing which permissions to change in symbolic mode the first character(s) indicate(s)
whose permissions you will alter: the ones for the user (u), for the group (g), for others (o) and/or for
all the three together (a).
Then you need to tell the command what to do: you can grant a permission (+), revoke a permission
(-), or set it to a specific value (=).
Lastly, you specify which permission you wish to affect: read (r), write (w), or execute (x).
For example, imagine we have a file called text.txt with the following permission set:
$ ls -l text.txt
-rw-r–r– 1 carol carol 765 Dec 20 21:25 text.txt
If you wish to grant write permissions to members of the group owning the file, you would use the
g+w parameter. It is easier if you think about it this way: “For the group (g), grant (+) write
permissions (w)”. So, the command would be:
$ chmod g+w text.txt
Let’s check the result with ls:
$ ls -l text.txt
-rw-rw-r– 1 carol carol 765 Dec 20 21:25 text.txt
If you want to remove read permissions for the owner of the same file, think about it as: “For the
user (u) revoke (-), read permissions (r)”. So the parameter is u-r, like so:
$ chmod u-r text.txt
$ ls -l text.txt
–w-rw-r– 1 carol carol 765 Dec 20 21:25 text.txt
What if we want to set the permissions exactly as rw- for everyone? Then think of it as: “For all (a),
set exactly (=), read (r), write (w), and no execute (-)”. So:
Linux Essentials (Version 1.6) | 5.3 Managing File Permissions and Ownership
Version: 2022-04-29 | Licensed for Cyber School. | learning.lpi.org | 399
$ chmod a=rw- text.txt
$ ls -l text.txt
-rw-rw-rw- 1 carol carol 765 Dec 20 21:25 text.txt
Of course, it is possible to modify multiple permissions at the same time. In this case, separate them
with a comma (,):
$ chmod u+rwx,g-x text.txt
$ ls -lh text.txt
-rwxrw-rw- 1 carol carol 765 Dec 20 21:25 text.txt
The example above can be read as: “For the user (u), grant (+) read, write and execute (rwx)
permissions, for the group (g) revoke (-), execute permissions (x)”.
When run on a directory, chmod modifies only the directory’s permissions. chmod has a recursive
mode, useful when you want to change the permissions for “all files inside a directory and its
subdirectories”. To use this, add the parameter -R after the command name and before the
permissions to change, like so:
$ chmod -R u+rwx Another_Directory/
This command can be read as: “Recursively (-R), for the user (u), grant (+) read, write and execute
(rwx) permissions”.
WARNING
Be careful and think twice before using the -R switch, as it is easy to change
permissions on files and directories which you do not want to change,
especially on directories with a large number of files and sub-directories. Modifying File Permissions
The command chmod is used to modify the permissions for a file, and takes at least two parameters:
the first one describes which permissions to change, and the second one points to the file or
directory where the change will be made. However, the permissions to change can be described in
two different ways, or “modes”.
The first one, called symbolic mode offers fine grained control, allowing you to add or revoke a single
permission without modifying others on the set. The other mode, called numeric mode, is easier to
remember and quicker to use if you wish to set all permission values at once.
Both modes will lead to the same end result. So, for example, the commands:
$ chmod ug+rw-x,o-rwx text.txt
and
$ chmod 660 text.txt
will produce exactly the same output, a file with the permissions set:
-rw-rw—- 1 carol carol 765 Dec 20 21:25 text.txt
Linux Essentials (Version 1.6) | Topic 5: Security and File Permissions
398 | learning.lpi.org | Licensed for Cyber School. | Version: 2022-04-29
Now, let’s understand how each mode works.
Symbolic Mode
When describing which permissions to change in symbolic mode the first character(s) indicate(s)
whose permissions you will alter: the ones for the user (u), for the group (g), for others (o) and/or for
all the three together (a).
Then you need to tell the command what to do: you can grant a permission (+), revoke a permission
(-), or set it to a specific value (=).
Lastly, you specify which permission you wish to affect: read (r), write (w), or execute (x).
For example, imagine we have a file called text.txt with the following permission set:
$ ls -l text.txt
-rw-r–r– 1 carol carol 765 Dec 20 21:25 text.txt
If you wish to grant write permissions to members of the group owning the file, you would use the
g+w parameter. It is easier if you think about it this way: “For the group (g), grant (+) write
permissions (w)”. So, the command would be:
$ chmod g+w text.txt
Let’s check the result with ls:
$ ls -l text.txt
-rw-rw-r– 1 carol carol 765 Dec 20 21:25 text.txt
If you want to remove read permissions for the owner of the same file, think about it as: “For the
user (u) revoke (-), read permissions (r)”. So the parameter is u-r, like so:
$ chmod u-r text.txt
$ ls -l text.txt
–w-rw-r– 1 carol carol 765 Dec 20 21:25 text.txt
What if we want to set the permissions exactly as rw- for everyone? Then think of it as: “For all (a),
set exactly (=), read (r), write (w), and no execute (-)”. So:
Linux Essentials (Version 1.6) | 5.3 Managing File Permissions and Ownership
Version: 2022-04-29 | Licensed for Cyber School. | learning.lpi.org | 399
$ chmod a=rw- text.txt
$ ls -l text.txt
-rw-rw-rw- 1 carol carol 765 Dec 20 21:25 text.txt
Of course, it is possible to modify multiple permissions at the same time. In this case, separate them
with a comma (,):
$ chmod u+rwx,g-x text.txt
$ ls -lh text.txt
-rwxrw-rw- 1 carol carol 765 Dec 20 21:25 text.txt
The example above can be read as: “For the user (u), grant (+) read, write and execute (rwx)
permissions, for the group (g) revoke (-), execute permissions (x)”.
When run on a directory, chmod modifies only the directory’s permissions. chmod has a recursive
mode, useful when you want to change the permissions for “all files inside a directory and its
subdirectories”. To use this, add the parameter -R after the command name and before the
permissions to change, like so:
$ chmod -R u+rwx Another_Directory/
This command can be read as: “Recursively (-R), for the user (u), grant (+) read, write and execute
(rwx) permissions”.
WARNING
Be careful and think twice before using the -R switch, as it is easy to change
permissions on files and directories which you do not want to change,
especially on directories with a large number of files and sub-directories. Modifying File Permissions
The command chmod is used to modify the permissions for a file, and takes at least two parameters:
the first one describes which permissions to change, and the second one points to the file or
directory where the change will be made. However, the permissions to change can be described in
two different ways, or “modes”.
The first one, called symbolic mode offers fine grained control, allowing you to add or revoke a single
permission without modifying others on the set. The other mode, called numeric mode, is easier to
remember and quicker to use if you wish to set all permission values at once.
Both modes will lead to the same end result. So, for example, the commands:
$ chmod ug+rw-x,o-rwx text.txt
and
$ chmod 660 text.txt
will produce exactly the same output, a file with the permissions set:
-rw-rw—- 1 carol carol 765 Dec 20 21:25 text.txt
Linux Essentials (Version 1.6) | Topic 5: Security and File Permissions
398 | learning.lpi.org | Licensed for Cyber School. | Version: 2022-04-29
Now, let’s understand how each mode works.
Symbolic Mode
When describing which permissions to change in symbolic mode the first character(s) indicate(s)
whose permissions you will alter: the ones for the user (u), for the group (g), for others (o) and/or for
all the three together (a).
Then you need to tell the command what to do: you can grant a permission (+), revoke a permission
(-), or set it to a specific value (=).
Lastly, you specify which permission you wish to affect: read (r), write (w), or execute (x).
For example, imagine we have a file called text.txt with the following permission set:
$ ls -l text.txt
-rw-r–r– 1 carol carol 765 Dec 20 21:25 text.txt
If you wish to grant write permissions to members of the group owning the file, you would use the
g+w parameter. It is easier if you think about it this way: “For the group (g), grant (+) write
permissions (w)”. So, the command would be:
$ chmod g+w text.txt
Let’s check the result with ls:
$ ls -l text.txt
-rw-rw-r– 1 carol carol 765 Dec 20 21:25 text.txt
If you want to remove read permissions for the owner of the same file, think about it as: “For the
user (u) revoke (-), read permissions (r)”. So the parameter is u-r, like so:
$ chmod u-r text.txt
$ ls -l text.txt
–w-rw-r– 1 carol carol 765 Dec 20 21:25 text.txt
What if we want to set the permissions exactly as rw- for everyone? Then think of it as: “For all (a),
set exactly (=), read (r), write (w), and no execute (-)”. So:
Linux Essentials (Version 1.6) | 5.3 Managing File Permissions and Ownership
Version: 2022-04-29 | Licensed for Cyber School. | learning.lpi.org | 399
$ chmod a=rw- text.txt
$ ls -l text.txt
-rw-rw-rw- 1 carol carol 765 Dec 20 21:25 text.txt
Of course, it is possible to modify multiple permissions at the same time. In this case, separate them
with a comma (,):
$ chmod u+rwx,g-x text.txt
$ ls -lh text.txt
-rwxrw-rw- 1 carol carol 765 Dec 20 21:25 text.txt
The example above can be read as: “For the user (u), grant (+) read, write and execute (rwx)
permissions, for the group (g) revoke (-), execute permissions (x)”.
When run on a directory, chmod modifies only the directory’s permissions. chmod has a recursive
mode, useful when you want to change the permissions for “all files inside a directory and its
subdirectories”. To use this, add the parameter -R after the command name and before the
permissions to change, like so:
$ chmod -R u+rwx Another_Directory/
This command can be read as: “Recursively (-R), for the user (u), grant (+) read, write and execute
(rwx) permissions”.
WARNING
Be careful and think twice before using the -R switch, as it is easy to change
permissions on files and directories which you do not want to change,
especially on directories with a large number of files and sub-directories. 

Numeric Mode
In numeric mode, the permissions are specified in a different way: as a three-digit numeric value on
octal notation, a base-8 numeric system.
Each permission has a corresponding value, and they are specified in the following order: first comes
read (r), which is 4, then write (w), which is 2 and last is execute (x), represented by 1. If there is no
permission, use the value zero (0). So, a permission of rwx would be 7 (4+2+1) and r-x would be 5
(4+0+1).
Linux Essentials (Version 1.6) | Topic 5: Security and File Permissions
400 | learning.lpi.org | Licensed for Cyber School. | Version: 2022-04-29
The first of the three digits on the permission set represents the permissions for the user (u), the
second for the group (g) and the third for the other (o). If we wanted to set the permissions for a file
to rw-rw—-, the octal value would be 660:
$ chmod 660 text.txt
$ ls -l text.txt
-rw-rw—- 1 carol carol 765 Dec 20 21:25 text.txt
Besides this, the syntax in numeric mode is the same as in symbolic mode, the first parameter
represents the permissions you wish to change, and the second one points to the file or directory
where the change will be made.
TIP If a permission value is odd, the file surely is executable!
Which syntax to use? The numeric mode is recommended if you want to change the permissions to a
specific value, for example 640 (rw- r– —).
The symbolic mode is more useful if you want to flip just a specific value, regardless of the current
permissions for the file. For example, I can add execute permissions for the user using just chmod u+x
script.sh without regard to, or even touching, the current permissions for the group and others.
Modifying File Ownership
The command chown is used to modify the ownership of a file or directory. The syntax is quite
simple:
chown username:groupname filename
For example, let’s check a file called text.txt:
$ ls -l text.txt
-rw-rw—- 1 carol carol 1881 Dec 10 15:57 text.txt
The user who owns the file is carol, and the group is also carol. Now, let’s modify the group
owning the file to some other group, like students:
Linux Essentials (Version 1.6) | 5.3 Managing File Permissions and Ownership
Version: 2022-04-29 | Licensed for Cyber School. | learning.lpi.org | 401
$ chown carol:students text.txt
$ ls -l text.txt
-rw-rw—- 1 carol students 1881 Dec 10 15:57 text.txt
Keep in mind that the user who owns a file does not need to belong to the group who owns a file. In
the example above, the user carol does not need to be a member of the students group. However,
she does have to member of the group in order to transfer the file’s group ownership to that group.
User or group can be omitted if you do not wish to change them. So, to change just the group
owning a file you would use chown :students text.txt. To change just the user, the command
would be chown carol text.txt. Alternatively, you could use the command chgrp students
text.txt to change only the group.
Unless you are the system administrator (root), you cannot change ownership of a file owned by
another user or a group that you don’t belong to. If you try to do this, you will get the error message
Operation not permitted.
Querying Groups
Before changing the ownership of a file, it might be useful to know which groups exist on the
system, which users are members of a group and to which groups a user belongs. Those tasks can be
accomplished with two commands, groups and groupmems.
To see which groups exist on your system, simply type groups:
$ groups
carol students cdrom sudo dip plugdev lpadmin sambashare
And if you want to know to which groups a user belongs, add the username as a parameter:
$ groups carol
carol : carol students cdrom sudo dip plugdev lpadmin sambashare
To do the reverse, displaying which users belong to a group, use groupmems. The parameter -g
specifies the group, and -l will list all of its members:
$ sudo groupmems -g cdrom -l
carol
Linux Essentials (Version 1.6) | Topic 5: Security and File Permissions
402 | learning.lpi.org | Licensed for Cyber School. | Version: 2022-04-29
TIP groupmems can only be run as root, the system administrator. If you are not currently
logged in as root, add sudo before the command.

Special Permissions
Besides the read, write and execute permissions for user, group and others, each file can have three
other special permissions which can alter the way a directory works or how a program runs. They
can be specified either in symbolic or numeric mode, and are as follows:
Sticky Bit
The sticky bit, also called the restricted deletion flag, has the octal value 1 and in symbolic mode is
represented by a t within the other’s permissions. This applies only to directories, and on Linux it
prevents users from removing or renaming a file in a directory unless they own that file or directory.
Directories with the sticky bit set show a t replacing the x on the permissions for others on the
output of ls -l:
$ ls -ld Sample_Directory/
drwxr-xr-t 2 carol carol 4096 Dec 20 18:46 Sample_Directory/
In numeric mode, the special permissions are specified using a “4-digit notation”, with the first digit
representing the special permission to act upon. For example, to set the sticky bit (value 1) for the
directory Another_Directory in numeric mode, with permissions 755, the command would be:
$ chmod 1755 Another_Directory
$ ls -ld Another_Directory
drwxr-xr-t 2 carol carol 4,0K Dec 20 18:46 Another_Directory
Set GID
Set GID, also known as SGID or Set Group ID bit, has the octal value 2 and in symbolic mode is
represented by an s on the group permissions. This can be applied to executable files or directories.
On executable files, it will grant the process resulting from executing the file access to the privileges
of the group who owns the file. When applied to directories, it will make every file or directory
created under it inherit the group from the parent directory.
Files and directories with SGID bit show an s replacing the x on the permissions for the group on the
output of ls -l:
Linux Essentials (Version 1.6) | 5.3 Managing File Permissions and Ownership
Version: 2022-04-29 | Licensed for Cyber School. | learning.lpi.org | 403
$ ls -l test.sh
-rwxr-sr-x 1 carol carol 33 Dec 11 10:36 test.sh
To add SGID permissions to a file in symbolic mode, the command would be:
$ chmod g+s test.sh
$ ls -l test.sh
-rwxr-sr-x 1 carol root 33 Dec 11 10:36 test.sh
The following example will make you better understand the effects of SGID on a directory. Suppose
we have a directory called Sample_Directory, owned by the user carol and the group users, with
the following permission structure:
$ ls -ldh Sample_Directory/
drwxr-xr-x 2 carol users 4,0K Jan 18 17:06 Sample_Directory/
Now, let’s change to this directory and, using the command touch, create an empty file inside it. The
result would be:
$ cd Sample_Directory/
$ touch newfile
$ ls -lh newfile
-rw-r–r– 1 carol carol 0 Jan 18 17:11 newfile
As we can see, the file is owned by the user carol and group carol. But, if the directory had the
SGID permission set, the result would be different. First, let’s add the SGID bit to the
Sample_Directory and check the results:
$ sudo chmod g+s Sample_Directory/
$ ls -ldh Sample_Directory/
drwxr-sr-x 2 carol users 4,0K Jan 18 17:17 Sample_Directory/
The s on the group permissions indicates that the SGID bit is set. Now, let’s change to this directory
and, again, create an empty file with the touch command:
Linux Essentials (Version 1.6) | Topic 5: Security and File Permissions
404 | learning.lpi.org | Licensed for Cyber School. | Version: 2022-04-29
$ cd Sample_Directory/
$ touch emptyfile
$ ls -lh emptyfile
-rw-r–r– 1 carol users 0 Jan 18 17:20 emptyfile
As we can see, the group who owns the file is users. This is because the SGID bit made the file
inherit the group owner of its parent directory, which is users.

Set UID
SUID, also known as Set User ID, has the octal value 4 and is represented by an s on the user
permissions in symbolic mode. It only applies to files and its behavior is similar to the SGID bit, but
the process will run with the privileges of the user who owns the file. Files with the SUID bit show
an s replacing the x on the permissions for the user on the output of ls -l:
$ ls -ld test.sh
-rwsr-xr-x 1 carol carol 33 Dec 11 10:36 test.sh
You can combine multiple special permissions in one parameter by adding them together. So, to set
SGID (value 2) and SUID (value 4) in numeric mode for the script test.sh with permissions 755, you
would type:
$ chmod 6755 test.sh
And the result would be:
$ ls -lh test.sh
-rwsr-sr-x 1 carol carol 66 Jan 18 17:29 test.sh
TIP
If your terminal supports color, and these days most of them do, you can quickly see
if these special permissions are set by glancing at the output of ls -l. For the sticky
bit, the directory name might be shown in a black font with blue background. The
same applies for files with the SGID (yellow background) and SUID (red background)
bits. Colors may be different depending on which Linux distribution and terminal
settings you use.
Linux Essentials (Version 1.6) | 5.3 Managing File Permissions and Ownership
Version: 2022-04-29 | Licensed for Cyber School. | learning.lpi.org | 405
Guided Exercises
1. Create a directory named emptydir using the command mkdir emptydir. Now, using ls, list the
permissions for the directory emptydir.
2. Create an empty file named emptyfile with the command touch emptyfile. Now, using chmod
with symbolic notation, add execute permissions for the owner of the file emptyfile, and
remove write and execute permissions for everyone else. Do this using only one chmod
command.
3. What will be the permissions for a file called text.txt after you use the command chmod 754
text.txt?
4. Let’s assume a file named test.sh is a shell script with the following permissions and
ownership:
-rwxr-sr-x 1 carol root 33 Dec 11 10:36 test.sh
◦ What are the permissions for the owner of the file?
◦ If the user john runs this script, under which user’s privileges will it be run?
◦ Using the numeric notation, which should be the syntax of chmod to “unset” the special
permission granted to this file?
5. Consider this file:
$ ls -l /dev/sdb1
brw-rw—- 1 root disk 8, 17 Dec 21 18:51 /dev/sdb1
Which kind of file is sdb1? And who can write to it?
Linux Essentials (Version 1.6) | Topic 5: Security and File Permissions
406 | learning.lpi.org | Licensed for Cyber School. | Version: 2022-04-29
6. Consider the following 4 files:
drwxr-xr-t 2 carol carol 4,0K Dec 20 18:46 Another_Directory
—-r–r– 1 carol carol 0 Dec 11 10:55 foo.bar
-rw-rw-r– 1 carol carol 1,2G Dec 20 18:22 HugeFile.zip
drwxr-sr-x 2 carol users 4,0K Jan 18 17:26 Sample_Directory
Write down the corresponding permissions for each file and directory using numeric 4-digit
notation.
Another_Directory
foo.bar
HugeFile.zip
Sample_Directory
Linux Essentials (Version 1.6) | 5.3 Managing File Permissions and Ownership
Version: 2022-04-29 | Licensed for Cyber School. | learning.lpi.org | 407
Explorational Exercises
1. Try this on a terminal: create an empty file called emptyfile with the command touch
emptyfile. Now “zero out” the permissions for the file with chmod 000 emptyfile. What will
happen if you change the permissions for emptyfile by passing only one value for chmod in
numeric mode, such as chmod 4 emptyfile? What if we use two, such as chmod 44 emptyfile?
What can we learn about the way chmod reads the numerical value?
2. Can you execute a file for which you have execute, but not read permissions (–x)? Why or why
not?
3. Consider the permissions for the temporary directory on a Linux system, /tmp:
$ ls -l /tmp
drwxrwxrwt 19 root root 16K Dec 21 18:58 tmp
User, group and others have full permissions. But can a regular user delete any files inside this
directory? Why is this?
4. A file called test.sh has the following permissions: -rwsr-xr-x, meaning the SUID bit is set.
Now, run the following commands:
$ chmod u-x test.sh
$ ls -l test.sh
-rwSr-xr-x 1 carol carol 33 Dec 11 10:36 test.sh
What did we do? What does the uppercase S mean?
5. How would you create a directory named Box where all the files are automatically owned by the
group users, and can only be deleted by the user who created them?
Linux Essentials (Version 1.6) | Topic 5: Security and File Permissions
408 | learning.lpi.org | Licensed for Cyber School. | Version: 2022-04-29
Summary
As a multi-user system, Linux needs a way to track who owns and who can access each file. This is
done through a three-level permissions system, and in this lesson we learned all about how this
system works.
In this lesson you have learned how use ls to get information about file permissions, how to control
or change who can create, delete or modify a file with chmod, both in numeric and symbolic notation
and how to change the ownership of files with chown and chgrp.
The following commands were discussed in this lesson:
ls
List files, optionally including details such as permissions.
chmod
Change the permissions of a file or directory.
chown
Change the owning user and/or group of a file or directory.
chgrp
Change the owning group of a file or directory.

Answers to Guided Exercises
1. Create a directory named emptydir using the command mkdir emptydir. Now, using ls, list the
permissions for the directory emptydir.
Add the -d parameter to ls to see the file attributes of a directory, instead of listing its contents.
Therefore the answer is:
ls -l -d emptydir
Bonus points if you merged the two parameters in one, as in ls -ld emptydir.
2. Create an empty file named emptyfile with the command touch emptyfile. Now, using chmod
in symbolic notation, add execute permissions for the owner of the file emptyfile, and remove
write and execute permissions for everyone else. Do this using only one chmod command.
Think about it this way:
◦ “For the user who owns the file (u) add (+) execute (x) permissions”, so u+x.
◦ “For the group (g) and other users (o), remove (-) write (w) and execute (x) permissions”, so
go-wx.
To combine these two sets of permissions, we add a comma between them. So the final
result is:
chmod u+x,go-wx emptyfile
3. What will be the permissions of a file called text.txt after I use the command chmod 754
text.txt?
Remember that in numeric notation each digit represents a set of three permissions, each one
with a respective value: read is 4, write is 2, execute is 1 and no permission is 0. We get the value
for a digit by adding the corresponding values for each permission. 7 is 4+2+1, or rwx, 5 is 4+0+1,
so r-x and 4 is just read, or r–. The permissions for text.txt would be
rwxr-xr–
4. Let’s assume a file named test.sh is a shell script with the following permissions and
ownership:
Linux Essentials (Version 1.6) | Topic 5: Security and File Permissions
410 | learning.lpi.org | Licensed for Cyber School. | Version: 2022-04-29
-rwxr-sr-x 1 carol root 33 Dec 11 10:36 test.sh
◦ What are the permissions for the owner of the file?
The permissions for the owner (2nd to 4th characters in the output of ls -l) are rwx, so the
answer is: “to read, to write to and to execute the file”.
◦ If the user john runs this script, under which user’s privileges will it be run?
Pay attention to the permissions for the group. They are r-s, which means the SGID bit is
set. The group who owns this file is root, so the script, even when started by a regular user,
will be run with root privileges.
◦ Using the numeric notation, which should be the syntax of chmod to “unset” the special
permission granted to this file?
We can “unset” the special permissions by passing a 4th digit, 0, to chmod. The current
permissions are 755, so the command should be chmod 0755.
5. Consider this file:
$ ls -l /dev/sdb1
brw-rw—- 1 root disk 8, 17 Dec 21 18:51 /dev/sdb1
Which kind of file is sdb1? And who can write to it?
The first character of the output from ls -l shows the kind of file. b is a block device, usually a
disk (internal or external), connected to the machine. The owner (root) and any users of the
group disk can write to it.
6. Consider the following 4 files:
drwxr-xr-t 2 carol carol 4,0K Dec 20 18:46 Another_Directory
—-r–r– 1 carol carol 0 Dec 11 10:55 foo.bar
-rw-rw-r– 1 carol carol 1,2G Dec 20 18:22 HugeFile.zip
drwxr-sr-x 2 carol users 4,0K Jan 18 17:26 Sample_Directory
Write down the corresponding permissions for each file and directory using 4-digit numeric
notation.
Linux Essentials (Version 1.6) | 5.3 Managing File Permissions and Ownership
Version: 2022-04-29 | Licensed for Cyber School. | learning.lpi.org | 411
The corresponding permissions, in numeric notation, are as follows:
Another_Directory
Answer: 1755
1 for the sticky bit, 755 for the regular permissions (rwx for the user, r-x for group and
others).
foo.bar
Answer: 0044
No special permissions (so the first digit is 0), no permissions for the user (—) and just read
(r—r–) for group and others.
HugeFile.zip
Answer: 0664
No special permissions, so the first digit is 0. 6 (rw-) for the user and group, 4 (r–) for the
others.
Sample_Directory
Answer: 2755
2 for the SGID bit, 7 (rwx) for the user, 5 (r-x) for the group and others.
Linux Essentials (Version 1.6) | Topic 5: Security and File Permissions
412 | learning.lpi.org | Licensed for Cyber School. | Version: 2022-04-29
Answers to Explorational Exercises
1. Try this on a terminal: create an empty file called emptyfile with the command touch
emptyfile. Now “zero out” the permissions for the file with chmod 000 emptyfile. What will
happen if you change the permissions for emptyfile by passing only one value for chmod in
numeric notation, such as chmod 4 emptyfile? What if we use two, such as chmod 44
emptyfile? What can we learn about the way chmod reads the numerical value?
Remember that we “zeroed out” the permissions for emptyfile. So, its initial state would be:
———- 1 carol carol 0 Dec 11 10:55 emptyfile
Now, let’s try the first command, chmod 4 emptyfile:
$ chmod 4 emptyfile
$ ls -l emptyfile
——-r– 1 carol carol 0 Dec 11 10:55 emptyfile
The permissions for others were changed. And what if we try two digits, such as chmod 44
emptyfile?
$ chmod 44 emptyfile
$ ls -l emptyfile
—-r–r– 1 carol carol 0 Dec 11 10:55 emptyfile
Now, the permissions for group and others were affected. From this, we can conclude that in
numeric notation chmod reads the value “backwards”, from the least significant digit (others) to
the most significant one (user). If you pass one digit, you modify the permissions for others. With
two digits you modify group and others, and with three you modify user, group and others and
with four digits you modify user, group, others and the special permissions.
2. Can you execute a file for which you have execute, but not read permissions (–x)? Why or why
not?
At first, the answer seems obvious: If you have execute permission, the file should run. This
applies to programs in binary format that are executed directly by the kernel. However, there
are programs (e.g. shell scripts) that must first be read and interpreted, so in these cases the read
permission (r) must also be set.
Linux Essentials (Version 1.6) | 5.3 Managing File Permissions and Ownership
Version: 2022-04-29 | Licensed for Cyber School. | learning.lpi.org | 413
3. Consider the permissions for the temporary directory on a Linux system, /tmp:
$ ls -l /tmp
drwxrwxrwt 19 root root 16K Dec 21 18:58 tmp
User, group and others have full permissions. But can a regular user delete any files inside this
directory? Why is this?
/tmp is what we call a world writeable directory, meaning that any user can write to it. But we
don’t want one user modifying files created by others, so the sticky bit_ is set (as indicated by
the t on the permissions for others). This means that a user can delete files in /tmp, but only if
they created that file.
4. A file called test.sh has the following permissions: -rwsr-xr-x, meaning the SUID bit is set.
Now, run the following commands:
$ chmod u-x test.sh
$ ls -l test.sh
-rwSr-xr-x 1 carol carol 33 Dec 11 10:36 test.sh
What did we do? What does the uppercase S mean?
We removed execute permissions for the user who owns the file. The s (or t) takes the place of
the x on the output of ls -l, so the system needs a way to show if the user has execute
permissions or not. It does this by changing the case of the special character.
A lowercase s on the first group of permissions means that the user who owns the file has
execute permissions and that the SUID bit is set. An uppercase S means that the user who owns
the file lacks (-) execute permissions and that the SUID bit is set.
The same can be said for SGID. A lowercase s on the second group of permissions means that
the group who owns the file has execute permissions and that the SGID bit is set. An uppercase
S means that the group who owns the file lacks (-) execute permissions and that the SGID bit is
set.
This is also true for the sticky bit, represented by the t in the third group of permissions.
Lowercase t means the sticky bit is set and that others have execute permissions. Uppercase T
means the sticky bit is set and that others do not have execute permissions.
5. How would you create a directory named Box where all the files are automatically owned by the
Linux Essentials (Version 1.6) | Topic 5: Security and File Permissions
414 | learning.lpi.org | Licensed for Cyber School. | Version: 2022-04-29
group users, and can only be deleted by the user who created them?
This is a multi-step process. The first step is to create the directory:
$ mkdir Box
We want every file created inside this directory to be automatically assigned to the group users.
We can do this by setting this group as the owner of the directory, and then by setting the SGID
bit on it. We also need to make sure that any member of the group can write to that directory.
Since we do not care about what the other permissions are, and want to “flip” only the special
bits, it makes sense to use the symbolic mode:
$ chown :users Box/
$ chmod g+wxs Box/
Note that if you current user does not belong to the group users, you will have to use the
command sudo before the commands above to do the change as root.
Now for the last part, making sure that only the user who created a file is allowed to delete it.
This is done by setting the sticky bit (represented by a t) on the directory. Remember that it is
set on the permissions for others (o).
$ chmod o+t Box/
The permissions on the directory Box should appear as follows:
drwxrwsr-t 2 carol users 4,0K Jan 18 19:09 Box
Of course, you can specify SGID and the sticky bit using only one chmod command:
$ chmod g+wxs,o+t Box/
Bonus points if you thought of that.