Linux File Permissions Cheat Sheet

Basic File Permissions Overview
Permission Categories
Symbolic Representation
Octal Representation
Changing Permissions with chmod
Changing Ownership with chown
Changing Group with chgrp
Default Permissions and umask
Viewing Permissions
Directory Permissions
Understanding File Types
Special Permissions
Recursive Permission Changes
Executable File Permissions
Script Permissions
Symbolic Link Permissions
Hard Link Permissions
Sticky Bit on Directories
Finding Files by Permissions
Access Control Lists Introduction
Setting and Modifying ACLs
Default ACLs on Directories
Removing ACLs
Security Risks
Best Practices
Troubleshooting Permissions
Permissions and System Services
Auditing Permission Changes
Networked File System Permissions
Extended Permissions
Container Permissions
User and Group ID Mapping
Permission Inheritance
Cloud Environment Permissions
Immutable Attributes
Filesystem Mount Options
Effective vs Displayed Permissions
Temporary Permission Changes

Basic File Permissions Overview

Concept	Description	Example
File Permissions	Controls who can read, write, or execute a file	-rwxr-xr-- 1 user group 4096 Jul 28 10:30 script.sh ^ ^^^ ^^^ ^^^ \| \|\|\| \|\|\| \|+- File owner and group \| \|\|\| \|\|\| +-- Number of hard links \| \|\|\| \|\|\| \| \|\|\| \|\|+- Others: read only \| \|\|\| \|+-- Others: no write \| \|\|\| +--- Others: no execute \| \|\|+------ Group: read only \| \|+------- Group: no write \| +-------- Group: execute +---------- User: read, write, execute
Permission Display	10-character string showing type and permissions	-rwxrwxrwx = File with all permissions drwxr-xr-x = Directory with typical permissions -rw-r--r-- = Regular file with typical permissions

Concept

Description

Example

File Permissions

Controls who can read, write, or execute a file

    -rwxr-xr--  1 user group  4096 Jul 28 10:30 script.sh
    ^ ^^^  ^^^  ^^^
    | |||  |||  |+- File owner and group
    | |||  |||  +-- Number of hard links
    | |||  |||  
    | |||  ||+- Others: read only
    | |||  |+-- Others: no write
    | |||  +--- Others: no execute
    | ||+------ Group: read only
    | |+------- Group: no write
    | +-------- Group: execute
    +---------- User: read, write, execute

Permission Display

10-character string showing type and permissions

    -rwxrwxrwx = File with all permissions
    drwxr-xr-x = Directory with typical permissions
    -rw-r--r-- = Regular file with typical permissions

Permission Categories (User, Group, Others)

Category	Description	Example
User (u)	The owner of the file	`chmod u+x script.sh` gives execution permission to the owner
Group (g)	Users who are members of the file’s group	`chmod g+rw data.txt` gives read and write permission to the group
Others (o)	All other users on the system	`chmod o-rwx private.key` removes all permissions for others
All (a)	All three categories above (user, group, others)	`chmod a+r public.txt` gives read permission to everyone

Symbolic Representation (rwx)

Symbol	Description	Effect
r	Read permission	For files: Allows reading content For directories: Allows listing contents
w	Write permission	For files: Allows modifying content For directories: Allows creating/deleting files within
x	Execute permission	For files: Allows running as a program For directories: Allows entering the directory
–	No permission	The permission is not granted for that position

Octal (Numeric) Representation (0-7)

Octal Value	Binary	Permissions	Example
0	000	No permissions (—)	`chmod 000 file.txt` removes all permissions
1	001	Execute only (–x)	`chmod 111 file.sh` sets execute-only for all
2	010	Write only (-w-)	`chmod 222 file.txt` sets write-only for all
3	011	Write and execute (-wx)	`chmod 333 dir` sets write and execute for all
4	100	Read only (r–)	`chmod 444 readme.txt` sets read-only for all
5	101	Read and execute (r-x)	`chmod 555 program` sets read and execute for all
6	110	Read and write (rw-)	`chmod 666 data.txt` sets read and write for all
7	111	Read, write, and execute (rwx)	`chmod 777 script.sh` sets all permissions for all

Changing Permissions with chmod (Symbolic and Numeric)

Command Description Example

Command	Description	Example
`chmod [options] mode file`	Change file permissions	# Numeric mode chmod 755 script.sh # rwxr-xr-x chmod 644 text.txt # rw-r--r-- chmod 600 private.key # rw------- # Symbolic mode chmod u+x script.sh # Add execute to user chmod g-w file.txt # Remove write from group chmod o= file.txt # Clear all permissions for others chmod a+r document.pdf # Add read to all
Operators in symbolic mode	+: Add permission -: Remove permission =: Set exact permission	chmod u+rw,g+r,o-rwx private.txt # Add read/write for user, add read for group, # remove all for others

chmod [options] mode file

Change file permissions

    # Numeric mode
    chmod 755 script.sh    # rwxr-xr-x
    chmod 644 text.txt     # rw-r--r--
    chmod 600 private.key  # rw-------

    # Symbolic mode
    chmod u+x script.sh    # Add execute to user
    chmod g-w file.txt     # Remove write from group
    chmod o= file.txt      # Clear all permissions for others
    chmod a+r document.pdf # Add read to all

Operators in symbolic mode

+: Add permission
-: Remove permission
=: Set exact permission

    chmod u+rw,g+r,o-rwx private.txt
    # Add read/write for user, add read for group,
    # remove all for others

Changing Ownership with chown

Command Description Example

Command	Description	Example
`chown [options] owner[:group] file`	Change the owner and/or group of a file	# Change owner only chown alice file.txt # Change owner and group chown alice:staff file.txt # Change group only chown :developers project/ # Recursively change ownership chown -R www-data:www-data /var/www/

chown [options] owner[:group] file

Change the owner and/or group of a file

    # Change owner only
    chown alice file.txt
    
    # Change owner and group
    chown alice:staff file.txt
    
    # Change group only
    chown :developers project/
    
    # Recursively change ownership
    chown -R www-data:www-data /var/www/

Changing Group with chgrp

Command	Description	Example
`chgrp [options] group file`	Change the group of a file	# Change group of a file chgrp developers project.py # Recursively change group of a directory chgrp -R staff /shared/documents/

Default Permissions and umask

Command/Concept	Description	Example
Default Permissions	Files: 666 (rw-rw-rw-) Directories: 777 (rwxrwxrwx)	These are base permissions before umask is applied
umask	Masks out permissions for newly created files	# Display current umask (typically 022) umask # Set a new umask value umask 027 # This will create files with 640 (rw-r-----) # And directories with 750 (rwxr-x---)
Common umask values	022: rw-r–r– for files 027: rw-r—– for files 077: rw——- for files	Umask is subtracted from default permissions

Viewing Permissions (ls -l)

Command Description Example Output

Command	Description	Example Output
`ls -l`	List files with detailed permissions	$ ls -l -rw-r--r-- 1 user group 5678 Jun 21 13:45 data.txt -rwxr-xr-x 1 user group 2345 Jun 19 10:32 script.sh drwxr-xr-- 2 admin staff 4096 Jun 20 15:22 secure_dir/
`ls -la`	List all files (including hidden) with permissions	$ ls -la drwxr-xr-x 3 user group 4096 Jun 21 14:20 . drwxr-xr-x 7 user group 4096 Jun 10 09:30 .. -rw------- 1 user group 2345 Jun 15 16:42 .bash_history -rw-r--r-- 1 user group 220 Jun 10 09:30 .bashrc -rw-r--r-- 1 user group 5678 Jun 21 13:45 data.txt
`stat file`	Display detailed file information including permissions	$ stat data.txt File: data.txt Size: 5678 Blocks: 16 IO Block: 4096 regular file Device: 801h/2049d Inode: 1234567 Links: 1 Access: (0644/-rw-r--r--) Uid: ( 1000/ user) Gid: ( 1000/ group) Access: 2023-06-22 10:45:12.000000000 +0200 Modify: 2023-06-21 13:45:34.000000000 +0200 Change: 2023-06-21 13:45:34.000000000 +0200 Birth: -

ls -l

List files with detailed permissions

    $ ls -l
    -rw-r--r-- 1 user  group   5678 Jun 21 13:45 data.txt
    -rwxr-xr-x 1 user  group   2345 Jun 19 10:32 script.sh
    drwxr-xr-- 2 admin staff   4096 Jun 20 15:22 secure_dir/

ls -la

List all files (including hidden) with permissions

    $ ls -la
    drwxr-xr-x  3 user  group  4096 Jun 21 14:20 .
    drwxr-xr-x  7 user  group  4096 Jun 10 09:30 ..
    -rw-------  1 user  group  2345 Jun 15 16:42 .bash_history
    -rw-r--r--  1 user  group   220 Jun 10 09:30 .bashrc
    -rw-r--r--  1 user  group  5678 Jun 21 13:45 data.txt

stat file

Display detailed file information including permissions

    $ stat data.txt
      File: data.txt
      Size: 5678      Blocks: 16         IO Block: 4096   regular file
    Device: 801h/2049d  Inode: 1234567    Links: 1
    Access: (0644/-rw-r--r--)  Uid: ( 1000/   user)   Gid: ( 1000/  group)
    Access: 2023-06-22 10:45:12.000000000 +0200
    Modify: 2023-06-21 13:45:34.000000000 +0200
    Change: 2023-06-21 13:45:34.000000000 +0200
     Birth: -

Effect of Permissions on Directories

Permission	Effect on Directories	Example
r (read)	List directory contents (view filenames)	# With read permission $ ls -l dirwithread/ -rw-r--r-- 1 user group 123 Jun 22 15:30 file1.txt -rw-r--r-- 1 user group 456 Jun 22 15:31 file2.txt # Without read permission $ ls -l dirwithoutread/ ls: cannot open directory 'dirwithoutread/': Permission denied
w (write)	Create, delete, or rename files within directory	Requires execute (x) permission as well to be useful
x (execute)	Access files within directory, enter directory	# With execute permission $ cd dirwithexec/ $ cat dirwithexec/file.txt # Works # Without execute permission $ cd dirwithoutexec/ bash: cd: dirwithoutexec/: Permission denied $ cat dirwithoutexec/file.txt cat: dirwithoutexec/file.txt: Permission denied
Common directory permissions	755 (rwxr-xr-x): Normal directory 700 (rwx——): Private directory 750 (rwxr-x—): Group shared directory	The execute bit is usually needed for directories to be useful

Understanding File Types in ls -l (-, d, l)

First Character	Type	Example
–	Regular file	`-rw-r--r-- 1 user group 5678 Jun 21 13:45 data.txt`
d	Directory	`drwxr-xr-x 2 user group 4096 Jun 22 10:30 documents/`
l	Symbolic link	`lrwxrwxrwx 1 user group 12 Jun 22 11:15 link -> target.txt`
c	Character device	`crw--w---- 1 root tty 4, 0 Jun 22 14:30 /dev/tty0`
b	Block device	`brw-rw---- 1 root disk 8, 0 Jun 22 09:20 /dev/sda`
p	Named pipe (FIFO)	`prw-r--r-- 1 user group 0 Jun 22 15:40 mypipe`
s	Socket	`srwxrwxrwx 1 user group 0 Jun 22 16:10 mysocket`

Special Permissions: setuid, setgid, sticky bit

Permission	Description	Example
setuid (SUID)	When set on a file, it executes with the permissions of the file owner rather than the executing user	# Set SUID (numeric) chmod 4755 myprogram # Set SUID (symbolic) chmod u+s myprogram # Display: The 's' replaces 'x' in owner permissions -rwsr-xr-x 1 root root 123456 Jun 25 14:20 myprogram # Example: /usr/bin/passwd has SUID set -rwsr-xr-x 1 root root 68208 Apr 16 15:36 /usr/bin/passwd
setgid (SGID)	For files: Executes with the permissions of the file’s group For directories: New files created in the directory inherit its group	# Set SGID (numeric) chmod 2755 myprog chmod 2770 shared_dir/ # Set SGID (symbolic) chmod g+s myprog chmod g+s shared_dir/ # Display: The 's' replaces 'x' in group permissions -rwxr-sr-x 1 user group 123456 Jun 25 14:30 myprog drwxrws--- 2 user group 4096 Jun 25 14:35 shared_dir/
sticky bit	When set on a directory, files in that directory can only be deleted or renamed by their owner, the directory owner, or root	# Set sticky bit (numeric) chmod 1777 /tmp # Set sticky bit (symbolic) chmod +t /tmp # Display: The 't' replaces 'x' in others permissions drwxrwxrwt 15 root root 4096 Jun 25 15:00 /tmp
Special permission bits (octal)	4 = SUID 2 = SGID 1 = sticky bit	chmod 4755 file # SUID + rwxr-xr-x chmod 2755 file # SGID + rwxr-xr-x chmod 1777 dir # sticky bit + rwxrwxrwx chmod 6755 file # SUID + SGID + rwxr-xr-x

Recursive Permission Changes (chmod -R, chown -R)

Command Description Example

Command	Description	Example
`chmod -R mode directory`	Recursively change permissions for a directory and all its contents	# Give read and execute permissions to everyone for all files in a directory chmod -R a+rx /path/to/website/ # Set permissions to 755 for directories and 644 for files # This requires a more complex approach: find /path/to/dir -type d -exec chmod 755 {} \; find /path/to/dir -type f -exec chmod 644 {} \;
`chown -R user:group directory`	Recursively change ownership for a directory and all its contents	# Change ownership of a web directory and all contents chown -R www-data:www-data /var/www/html/ # Change ownership but preserve file timestamps chown -R --preserve-timestamps user:group directory/

chmod -R mode directory

Recursively change permissions for a directory and all its contents

    # Give read and execute permissions to everyone for all files in a directory
    chmod -R a+rx /path/to/website/
    
    # Set permissions to 755 for directories and 644 for files
    # This requires a more complex approach:
    find /path/to/dir -type d -exec chmod 755 {} \;
    find /path/to/dir -type f -exec chmod 644 {} \;

chown -R user:group directory

Recursively change ownership for a directory and all its contents

    # Change ownership of a web directory and all contents
    chown -R www-data:www-data /var/www/html/
    
    # Change ownership but preserve file timestamps
    chown -R --preserve-timestamps user:group directory/

Understanding Permissions for Executable Files

Concept	Description	Example
Executable bit	Required to run a file as a program	# Make a compiled program executable chmod +x program # Common permission pattern for executables chmod 755 program # rwxr-xr-x
Permissions requirements	In addition to execute permission, binaries typically need read permission to load into memory	# Try to run a program without execute permission $ chmod -x program $ ./program bash: ./program: Permission denied # Try to run a program with execute but no read $ chmod 111 program $ ./program bash: ./program: Permission denied

Concept

Description

Example

Executable bit

Required to run a file as a program

    # Make a compiled program executable
    chmod +x program
    
    # Common permission pattern for executables
    chmod 755 program  # rwxr-xr-x

Permissions requirements

In addition to execute permission, binaries typically need read permission to load into memory

    # Try to run a program without execute permission
    $ chmod -x program
    $ ./program
    bash: ./program: Permission denied
    
    # Try to run a program with execute but no read
    $ chmod 111 program
    $ ./program
    bash: ./program: Permission denied

Understanding Permissions for Scripts

Concept	Description	Example
Basic script permissions	Scripts need both read and execute permissions	# Create a simple script $ echo '#!/bin/bash' > script.sh $ echo 'echo "Hello, World!"' >> script.sh # Make it executable $ chmod +x script.sh $ ./script.sh Hello, World!
Interpreter permissions	The interpreter specified in the shebang line must also be executable	If you’re using `#!/bin/bash`, the bash executable must also have proper permissions
Common script permissions	755 (rwxr-xr-x): Script can be run by anyone 700 (rwx——): Private script	# Private script chmod 700 backup_my_files.sh # Shared script chmod 755 common_utilities.sh

Managing Permissions for Symbolic Links

Concept	Description	Example
Symlink permissions	Permissions on symbolic links are not used; the permissions of the target file are what matter	$ ls -l mylink lrwxrwxrwx 1 user group 7 Jun 25 16:20 mylink -> target # Notice all permissions are set, but they're ignored # Actual access is determined by permissions on "target"
Changing link permissions	Attempting to change permissions on a symlink affects the target, not the link itself	# Create a symbolic link $ ln -s target mylink # Trying to change permissions of the link $ chmod 600 mylink # This actually changes permissions of the target

Concept

Description

Example

Symlink permissions

Permissions on symbolic links are not used; the permissions of the target file are what matter

    $ ls -l mylink
    lrwxrwxrwx 1 user group 7 Jun 25 16:20 mylink -> target
    
    # Notice all permissions are set, but they're ignored
    # Actual access is determined by permissions on "target"

Changing link permissions

Attempting to change permissions on a symlink affects the target, not the link itself

    # Create a symbolic link
    $ ln -s target mylink
    
    # Trying to change permissions of the link
    $ chmod 600 mylink
    
    # This actually changes permissions of the target

Managing Permissions for Hard Links

Concept	Description	Example
Hard link permissions	Hard links share the same inode as the original file, so they always have identical permissions	# Create a file $ echo "content" > original $ chmod 644 original # Create a hard link $ ln original hardlink # Both show the same permissions because they share the same inode $ ls -l original hardlink -rw-r--r-- 2 user group 8 Jun 25 16:30 hardlink -rw-r--r-- 2 user group 8 Jun 25 16:30 original
Changing permissions	Changing permissions on either the original file or the hard link affects all hard links to that inode	# Change permissions on the hard link $ chmod 600 hardlink # Both files now show the new permissions $ ls -l original hardlink -rw------- 2 user group 8 Jun 25 16:30 hardlink -rw------- 2 user group 8 Jun 25 16:30 original

Concept

Description

Example

Hard link permissions

Hard links share the same inode as the original file, so they always have identical permissions

    # Create a file
    $ echo "content" > original
    $ chmod 644 original
    
    # Create a hard link
    $ ln original hardlink
    
    # Both show the same permissions because they share the same inode
    $ ls -l original hardlink
    -rw-r--r-- 2 user group 8 Jun 25 16:30 hardlink
    -rw-r--r-- 2 user group 8 Jun 25 16:30 original

Changing permissions

Changing permissions on either the original file or the hard link affects all hard links to that inode

    # Change permissions on the hard link
    $ chmod 600 hardlink
    
    # Both files now show the new permissions
    $ ls -l original hardlink
    -rw------- 2 user group 8 Jun 25 16:30 hardlink
    -rw------- 2 user group 8 Jun 25 16:30 original

Sticky Bit on Directories (/tmp)

Concept	Description	Example
Purpose	Prevents users from deleting or renaming files they don’t own in shared directories	Commonly used on `/tmp` and other shared directories
Setting sticky bit	Can be set with numeric mode 1xxx or symbolic mode +t	# Set sticky bit with numeric mode chmod 1777 /shared # Set sticky bit with symbolic mode chmod +t /shared
Identifying sticky bit	Appears as “t” in the execute position for others	$ ls -ld /tmp drwxrwxrwt 20 root root 4096 Jun 26 10:15 /tmp ^ \|-- 't' indicates sticky bit is set

Finding Files Based on Permissions (find -perm)

Command	Description	Example
`find path -perm mode`	Find files with exact permissions	# Find files with exactly 644 permissions find /home -perm 644
`find path -perm -mode`	Find files with at least these permissions (all bits in mode must be set)	# Find files where all users have read permission find /home -perm -444
`find path -perm /mode`	Find files with any of these permissions (any bit in mode is set)	# Find files that are world-writable find /home -perm /002
Common permission searches	Finding files with specific security concerns	# Find SUID files find / -perm -4000 -type f # Find world-writable files find / -perm -2 -type f -not -path "/proc/" # Find world-writable directories find / -perm -2 -type d -not -path "/proc/" # Find files not owned by any user find / -nouser

Access Control Lists (ACLs) Introduction

Concept	Description	Example
ACLs purpose	Extend traditional permission model to allow more granular control	Allow specific users or groups access without changing ownership or basic permissions
ACLs vs traditional permissions	Traditional: one owner, one group, and others ACLs: multiple users/groups with different permissions	Useful when standard rwx permissions aren’t flexible enough
Identifying files with ACLs	The “+” symbol after the permission string in ls -l output	$ ls -l file_with_acl -rw-r--r--+ 1 user group 1234 Jun 26 11:30 file_with_acl ^ \|-- The '+' indicates ACLs are set

Setting and Modifying ACLs (setfacl, getfacl)

Command	Description	Example
`getfacl file`	Display ACLs for a file	$ getfacl document.txt # file: document.txt # owner: john # group: staff user::rw- user:mary:r-- group::r-- mask::r-- other::---
`setfacl -m rule file`	Modify ACL for a file	# Give user alice read and write permissions setfacl -m u:alice:rw- document.txt # Give group devs read permission setfacl -m g:devs:r-- document.txt # Multiple rules at once setfacl -m u:bob:r--,g:admins:rwx document.txt
`setfacl -x rule file`	Remove specific ACL entries	# Remove ACL for user alice setfacl -x u:alice document.txt # Remove ACL for group devs setfacl -x g:devs document.txt
`setfacl -R rule directory`	Recursively apply ACLs to a directory	# Recursively give read access to user bob setfacl -R -m u:bob:r-x /shared/projects/

Default ACLs on Directories

Concept	Description	Example
Default ACLs	ACLs automatically applied to new files/directories created within a directory	Specify inheritance of permissions for new items
Setting default ACLs	Use the ‘d:’ prefix with setfacl	# Set default ACL for user alice setfacl -m d:u:alice:rwx /projects/ # Set default ACL for group devs setfacl -m d:g:devs:rx /projects/ # Set multiple default ACLs setfacl -m d:u:bob:rx,d:g:admins:rwx /projects/
Viewing default ACLs	Shown in getfacl output with “default:” prefix	$ getfacl /projects/ # file: /projects/ # owner: admin # group: staff user::rwx group::r-x other::r-x default:user::rwx default:user:alice:rwx default:group::r-x default:group:devs:r-x default:mask::rwx default:other::r-x

Concept

Description

Example

Default ACLs

ACLs automatically applied to new files/directories created within a directory

Specify inheritance of permissions for new items

Setting default ACLs

Use the ‘d:’ prefix with setfacl

    # Set default ACL for user alice
    setfacl -m d:u:alice:rwx /projects/
    
    # Set default ACL for group devs
    setfacl -m d:g:devs:rx /projects/
    
    # Set multiple default ACLs
    setfacl -m d:u:bob:rx,d:g:admins:rwx /projects/

Viewing default ACLs

Shown in getfacl output with “default:” prefix

    $ getfacl /projects/
    # file: /projects/
    # owner: admin
    # group: staff
    user::rwx
    group::r-x
    other::r-x
    default:user::rwx
    default:user:alice:rwx
    default:group::r-x
    default:group:devs:r-x
    default:mask::rwx
    default:other::r-x

Removing ACLs (setfacl -b)

Command	Description	Example
`setfacl -b file`	Remove all ACLs from a file	# Remove all ACLs from a file setfacl -b document.txt
`setfacl -k directory`	Remove default ACLs from a directory	# Remove only default ACLs setfacl -k /projects/
`setfacl -R -b directory`	Recursively remove all ACLs	# Recursively remove all ACLs from directory and contents setfacl -R -b /projects/

Security Risks: Misconfigured Permissions

Risk	Description	Mitigation
World-writable files	Files that anyone can modify (permissions containing o+w)	# Find world-writable files find / -type f -perm -o=w -not -path "/proc/*" -ls # Fix by removing world write permission chmod o-w vulnerable_file
SUID/SGID on scripts	Scripts with setuid/setgid can lead to privilege escalation	# Find SUID/SGID files find / -type f $ -perm -4000 -o -perm -2000 $ -ls # Remove SUID/SGID if not needed chmod u-s,g-s script.sh
Incorrect home directory permissions	Home directories accessible to others can expose sensitive data	# Secure home directory chmod 750 /home/username # Check with: ls -ld /home/*
SSH key permissions	SSH will refuse to use keys with loose permissions	# Correct permissions for SSH private keys chmod 600 ~/.ssh/id_rsa # Correct permissions for SSH directory chmod 700 ~/.ssh

Best Practices for File and Directory Permissions

Practice	Description	Example
Principle of least privilege	Grant only permissions that are necessary for functionality	Use 644 (rw-r–r–) for regular files, not 666 (rw-rw-rw-)
Home directory security	Protect user home directories from other users	# Secure home directory chmod 750 /home/username # Ensure sensitive files are private chmod 600 ~/.bash_history ~/.aws/credentials
Configuration file security	Protect sensitive configuration files that may contain credentials	# Make config files only readable by owner chmod 600 config.ini credentials.txt # System configs readable by specific groups chmod 640 /etc/mysql/my.cnf
Web directory permissions	Balance security with web server requirements	# Web directories find /var/www -type d -exec chmod 755 {} \; # Web files find /var/www -type f -exec chmod 644 {} \; # CGI scripts find /var/www/cgi-bin -type f -exec chmod 755 {} \;

Troubleshooting Permissions Issues

Problem	Common Causes	Solution
“Permission denied” when running a script	Missing execute permission	# Add execute permission chmod +x script.sh
“Permission denied” when accessing a directory	Missing execute permission on the directory or a parent directory	# Add execute permission to directory chmod +x /path/to/directory # Check parent directories too ls -ld / /path /path/to
Cannot modify files in a directory despite write permission	Missing write permission on the directory itself	# Add write permission to directory chmod +w /path/to/directory
Text editor creates a temporary file but fails to save	Write permission on file but not on directory	# Add write permission to directory chmod +w /path/to/directory

Permissions and System Services (Apache, SSH)

Service	Permission Requirements	Example
Apache/Nginx web server	Web server runs as www-data user and needs read access to web files, execute access to directories	# Standard web directory permissions chown -R www-data:www-data /var/www/html find /var/www/html -type d -exec chmod 755 {} \; find /var/www/html -type f -exec chmod 644 {} \; # For writable directories (uploads, cache) chmod 775 /var/www/html/uploads
SSH Server	SSH is sensitive to permissions on key files and config directories	# Server host keys chmod 600 /etc/ssh/ssh_host__key chmod 644 /etc/ssh/ssh_host__key.pub # sshd_config chmod 600 /etc/ssh/sshd_config # User's .ssh directory chmod 700 ~/.ssh chmod 600 ~/.ssh/authorized_keys
Database (MySQL/PostgreSQL)	Database files must be owned by the database user	# MySQL data directory chown -R mysql:mysql /var/lib/mysql chmod 750 /var/lib/mysql # MySQL config chmod 640 /etc/mysql/my.cnf

Service

Permission Requirements

Example

Apache/Nginx web server

Web server runs as www-data user and needs read access to web files, execute access to directories

    # Standard web directory permissions
    chown -R www-data:www-data /var/www/html
    find /var/www/html -type d -exec chmod 755 {} \;
    find /var/www/html -type f -exec chmod 644 {} \;
    
    # For writable directories (uploads, cache)
    chmod 775 /var/www/html/uploads

SSH Server

SSH is sensitive to permissions on key files and config directories

    # Server host keys
    chmod 600 /etc/ssh/ssh_host_*_key
    chmod 644 /etc/ssh/ssh_host_*_key.pub
    
    # sshd_config
    chmod 600 /etc/ssh/sshd_config
    
    # User's .ssh directory
    chmod 700 ~/.ssh
    chmod 600 ~/.ssh/authorized_keys

Database (MySQL/PostgreSQL)

Database files must be owned by the database user

    # MySQL data directory
    chown -R mysql:mysql /var/lib/mysql
    chmod 750 /var/lib/mysql
    
    # MySQL config
    chmod 640 /etc/mysql/my.cnf

Auditing and Logging Permission Changes

Method	Description	Example
auditd	Linux audit system to monitor permission changes	# Install auditd apt install auditd # Add audit rule for chmod auditctl -w /bin/chmod -p x -k permission_changes # Add audit rule for chown auditctl -w /bin/chown -p x -k permission_changes # View audit logs ausearch -k permission_changes
File integrity monitoring	Tools that monitor file changes including permissions	# Install AIDE apt install aide # Initialize database aide --init # Check for changes aide --check

Method

Description

Example

auditd

Linux audit system to monitor permission changes

    # Install auditd
    apt install auditd
    
    # Add audit rule for chmod
    auditctl -w /bin/chmod -p x -k permission_changes
    
    # Add audit rule for chown
    auditctl -w /bin/chown -p x -k permission_changes
    
    # View audit logs
    ausearch -k permission_changes

File integrity monitoring

Tools that monitor file changes including permissions

    # Install AIDE
    apt install aide
    
    # Initialize database
    aide --init
    
    # Check for changes
    aide --check

Permissions in Networked File Systems (NFS, SMB)

System	Permission Characteristics	Example
NFS (Network File System)	Maps UIDs/GIDs between systems; can use root_squash to restrict root access	# /etc/exports entry with permission options /shared *(rw,sync,no_root_squash) # Mounting with specific permissions mount -o rw,users server:/shared /mnt/shared
Samba (SMB/CIFS)	Can map to UNIX permissions or use Windows ACLs	# Samba share with permissions in smb.conf [shared] path = /shared valid users = @staff writable = yes create mask = 0644 directory mask = 0755

System

Permission Characteristics

Example

NFS (Network File System)

Maps UIDs/GIDs between systems; can use root_squash to restrict root access

    # /etc/exports entry with permission options
    /shared *(rw,sync,no_root_squash)
    
    # Mounting with specific permissions
    mount -o rw,users server:/shared /mnt/shared

Samba (SMB/CIFS)

Can map to UNIX permissions or use Windows ACLs

    # Samba share with permissions in smb.conf
    [shared]
      path = /shared
      valid users = @staff
      writable = yes
      create mask = 0644
      directory mask = 0755

SELinux/AppArmor and Extended Permissions

System	Description	Example
SELinux	Security Enhancement for Linux providing Mandatory Access Control	# View SELinux context of a file ls -Z /var/www/html/index.html # Change SELinux context chcon -t httpd_sys_content_t /path/to/file # Set default context for web content semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" restorecon -R /web
AppArmor	Application security system that restricts program capabilities	# View AppArmor status aa-status # Put profile in complain mode aa-complain /usr/sbin/apache2 # Put profile in enforce mode aa-enforce /usr/sbin/apache2

System

Description

Example

SELinux

Security Enhancement for Linux providing Mandatory Access Control

    # View SELinux context of a file
    ls -Z /var/www/html/index.html
    
    # Change SELinux context
    chcon -t httpd_sys_content_t /path/to/file
    
    # Set default context for web content
    semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
    restorecon -R /web

AppArmor

Application security system that restricts program capabilities

    # View AppArmor status
    aa-status
    
    # Put profile in complain mode
    aa-complain /usr/sbin/apache2
    
    # Put profile in enforce mode
    aa-enforce /usr/sbin/apache2

Permissions in Docker Containers and Mounted Volumes

Concept	Description	Example
Volume permissions	Container UIDs/GIDs may not match host UIDs/GIDs	# Set explicit ownership on mounted volume docker run -v /host/data:/container/data:rw \ --user 1000:1000 my-image # Use chown when creating volume docker run -v /host/data:/container/data:rw \ my-image chown -R user:group /container/data
Docker security implications	Running containers as root can pose security risks	# Run container as non-root user docker run --user 1000:1000 my-image # In Dockerfile USER appuser

Concept

Description

Example

Volume permissions

Container UIDs/GIDs may not match host UIDs/GIDs

    # Set explicit ownership on mounted volume
    docker run -v /host/data:/container/data:rw \
      --user 1000:1000 my-image
    
    # Use chown when creating volume
    docker run -v /host/data:/container/data:rw \
      my-image chown -R user:group /container/data

Docker security implications

Running containers as root can pose security risks

    # Run container as non-root user
    docker run --user 1000:1000 my-image
    
    # In Dockerfile
    USER appuser

User and Group ID Mapping (UID/GID Concepts)

Concept	Description	Example
UID/GID	Numeric IDs that define users and groups in Linux	# View user and group info id username # View file ownership by ID ls -ln /path/to/file
Orphaned UIDs/GIDs	Files owned by deleted users or groups	# Find files with no valid owner find / -nouser # Find files with no valid group find / -nogroup # Fix orphaned files chown newuser:newgroup /path/to/orphaned/file
Managing system users	System services often use specific UIDs/GIDs	# Create system user useradd -r -s /usr/sbin/nologin serviceuser # Create system group groupadd -r servicegroup

Concept

Description

Example

UID/GID

Numeric IDs that define users and groups in Linux

    # View user and group info
    id username
    
    # View file ownership by ID
    ls -ln /path/to/file

Orphaned UIDs/GIDs

Files owned by deleted users or groups

    # Find files with no valid owner
    find / -nouser
    
    # Find files with no valid group
    find / -nogroup
    
    # Fix orphaned files
    chown newuser:newgroup /path/to/orphaned/file

Managing system users

System services often use specific UIDs/GIDs

    # Create system user
    useradd -r -s /usr/sbin/nologin serviceuser
    
    # Create system group
    groupadd -r servicegroup

Inheriting Permissions in Different Filesystems

Filesystem	Inheritance Behavior	Example/Control
Standard Linux filesystems (ext4, XFS)	New files inherit the group of parent directory if SGID is set; umask affects new file permissions	# Set SGID on directory chmod g+s /shared/project # Files created will inherit the group touch /shared/project/newfile
NFSv4	Supports ACL inheritance	# Set inherited ACLs with NFSv4 nfs4_setfacl -a A:fd:user@domain:rwx /mnt/nfs/dir
ZFS	Can set ACL inheritance flags	# Set ACL inheritance on ZFS chmod A+everyone@:read_data/inherited:allow /tank/data

Filesystem

Inheritance Behavior

Example/Control

Standard Linux filesystems (ext4, XFS)

New files inherit the group of parent directory if SGID is set; umask affects new file permissions

    # Set SGID on directory
    chmod g+s /shared/project
    
    # Files created will inherit the group
    touch /shared/project/newfile

NFSv4

Supports ACL inheritance

    # Set inherited ACLs with NFSv4
    nfs4_setfacl -a A:fd:user@domain:rwx /mnt/nfs/dir

ZFS

Can set ACL inheritance flags

    # Set ACL inheritance on ZFS
    chmod A+everyone@:read_data/inherited:allow /tank/data

Permission Masks in Cloud and Virtualized Environments (AWS, Azure)

Environment	Permission Considerations	Example
AWS EC2	Default umask may differ depending on AMI	# Check current umask umask # Set default umask in /etc/profile or ~/.bashrc umask 022
AWS S3	Object storage uses ACLs instead of UNIX permissions	# AWS CLI S3 command with ACL aws s3 cp file.txt s3://bucket/ --acl public-read
Docker/container environments	Container images may have different default permissions	# In Dockerfile RUN mkdir -p /app && chmod 755 /app COPY --chown=appuser:appgroup app/ /app/

Environment

Permission Considerations

Example

AWS EC2

Default umask may differ depending on AMI

    # Check current umask
    umask
    
    # Set default umask in /etc/profile or ~/.bashrc
    umask 022

AWS S3

Object storage uses ACLs instead of UNIX permissions

    # AWS CLI S3 command with ACL
    aws s3 cp file.txt s3://bucket/ --acl public-read

Docker/container environments

Container images may have different default permissions

    # In Dockerfile
    RUN mkdir -p /app && chmod 755 /app
    COPY --chown=appuser:appgroup app/ /app/

Immutable and Append-Only Attributes (chattr, lsattr)

Command/Attribute Description Example

Command/Attribute	Description	Example
`chattr +i file`	Make a file immutable – cannot be modified, renamed, deleted, or linked	# Make a file immutable chattr +i important.conf # Try to modify an immutable file $ rm important.conf rm: cannot remove 'important.conf': Operation not permitted
`chattr +a file`	Make a file append-only – can only be opened in append mode	# Make a log file append-only chattr +a logfile.log # Can add data: echo "new entry" >> logfile.log # Cannot truncate: $ echo "overwrite" > logfile.log bash: logfile.log: Operation not permitted
`lsattr file`	View file attributes	$ lsattr important.conf ----i--------e-- important.conf $ lsattr logfile.log -----a-------e-- logfile.log

chattr +i file

Make a file immutable – cannot be modified, renamed, deleted, or linked

    # Make a file immutable
    chattr +i important.conf
    
    # Try to modify an immutable file
    $ rm important.conf
    rm: cannot remove 'important.conf': Operation not permitted

chattr +a file

Make a file append-only – can only be opened in append mode

    # Make a log file append-only
    chattr +a logfile.log
    
    # Can add data:
    echo "new entry" >> logfile.log
    
    # Cannot truncate:
    $ echo "overwrite" > logfile.log
    bash: logfile.log: Operation not permitted

lsattr file

View file attributes

    $ lsattr important.conf
    ----i--------e-- important.conf
    
    $ lsattr logfile.log
    -----a-------e-- logfile.log

Filesystem Mount Options and Permissions (noexec, nosuid)

Mount Option	Description	Example
noexec	Prevents execution of binaries on the mounted filesystem	# Mount with noexec mount -o noexec /dev/sdb1 /mnt/data # In /etc/fstab /dev/sdb1 /mnt/data ext4 defaults,noexec 0 0
nosuid	Disables SUID/SGID bits on the mounted filesystem	# Mount with nosuid mount -o nosuid /dev/sdb1 /mnt/data # In /etc/fstab /dev/sdb1 /mnt/data ext4 defaults,nosuid 0 0
nodev	Prevents interpretation of character or block special devices	# Mount with multiple security options mount -o noexec,nosuid,nodev /dev/sdb1 /mnt/data

Mount Option

Description

Example

noexec

Prevents execution of binaries on the mounted filesystem

    # Mount with noexec
    mount -o noexec /dev/sdb1 /mnt/data
    
    # In /etc/fstab
    /dev/sdb1 /mnt/data ext4 defaults,noexec 0 0

nosuid

Disables SUID/SGID bits on the mounted filesystem

    # Mount with nosuid
    mount -o nosuid /dev/sdb1 /mnt/data
    
    # In /etc/fstab
    /dev/sdb1 /mnt/data ext4 defaults,nosuid 0 0

nodev

Prevents interpretation of character or block special devices

    # Mount with multiple security options
    mount -o noexec,nosuid,nodev /dev/sdb1 /mnt/data

Effective Permissions vs Displayed Permissions

Concept	Description	Example/Check
Effective permissions	The actual permissions a user has after considering all factors	A combination of file permissions, ACLs, and extended security frameworks
Primary group vs. supplementary groups	Users can belong to multiple groups but have one primary group	# Check all groups a user belongs to groups username # Check effective group membership id username
Checking effective permissions	Test actual access rather than just viewing permissions	# Test file access as a different user sudo -u otheruser cat /path/to/file # Check access while considering ACLs getfacl /path/to/file

Temporary Permission Changes (umask in scripts)

Technique	Description	Example
Temporary umask	Change umask temporarily for script execution	#!/bin/bash # Save original umask old_umask=$(umask) # Set strict umask umask 077 # Create sensitive file touch sensitive_data.txt echo "secret" > sensitive_data.txt # Restore original umask umask $old_umask
Context-specific permissions	Temporary permission changes for specific operations	# Temporarily open permissions, then restore chmod 644 config.file editor config.file chmod 600 config.file
Temporary group membership	Run commands with temporary group context	# Run a command with a different group sg developers -c "touch /shared/project/newfile" # Run as a different user/group sudo -u webuser -g webgroup command

Technique

Description

Example

Temporary umask

Change umask temporarily for script execution

    #!/bin/bash
    # Save original umask
    old_umask=$(umask)
    
    # Set strict umask
    umask 077
    
    # Create sensitive file
    touch sensitive_data.txt
    echo "secret" > sensitive_data.txt
    
    # Restore original umask
    umask $old_umask

Context-specific permissions

Temporary permission changes for specific operations

    # Temporarily open permissions, then restore
    chmod 644 config.file
    editor config.file
    chmod 600 config.file

Temporary group membership

Run commands with temporary group context

    # Run a command with a different group
    sg developers -c "touch /shared/project/newfile"
    
    # Run as a different user/group
    sudo -u webuser -g webgroup command

Related Posts

Leave a Comment Cancel Reply