www.redhat.com Open in urlscan Pro
2a02:26f0:3500:58a::d44  Public Scan

Form analysis
2 forms found in the DOM

GET /sysadmin/search

<form id="site-search" class="form-inline m-2" action="/sysadmin/search" accept-charset="UTF-8" method="get">
  <div class="input-group flex-fill">
    <input class="form-control" type="search" name="search" id="search" value="" placeholder="Search this site…" aria-label="Search this site…">
    <div class="input-group-append">
      <button class="btn btn-secondary font-weight-bold" type="submit">Search</button>
    </div>
  </div>
</form>

GET /sysadmin/search

<form id="site-search" class="form-inline m-2" action="/sysadmin/search" accept-charset="UTF-8" method="get">
  <div class="input-group flex-fill">
    <input class="form-control" type="search" name="search" id="search" value="" placeholder="Search this site…" aria-label="Search this site…">
    <div class="input-group-append">
      <button class="btn btn-secondary font-weight-bold" type="submit">GO</button>
    </div>
  </div>
</form>

Text Content

Skip to main content
Search
Search
Enable Sysadmin  
 * Articles
   Automation Career Cloud Containers Kubernetes Linux Programming Security

Enable Sysadmin  
 * Articles
   Automation Career Cloud Containers Kubernetes Linux Programming Security

Subscribe to our RSS feed or Email newsletter Subscribe to our RSS feed or Email
newsletter.
GO


LINUX FILE PERMISSIONS EXPLAINED

Understanding Linux file permissions (how to find them, read them, and change
them) is an important part of maintaining and securing your systems.

Posted: January 10, 2023 | %t min read | by Scott McBrien (Red Hat)

Image


Photo by Eliobed Suarez on Unsplash

File permissions are core to the security model used by Linux systems. They
determine who can access files and directories on a system and how. This article
provides an overview of Linux file permissions, how they work, and how to change
them.




HOW DO YOU VIEW LINUX FILE PERMISSIONS?

The ls command along with its -l (for long listing) option will show you
metadata about your Linux files, including the permissions set on the file.

$ ls -l

drwxr-xr-x. 4 root root    68 Jun 13 20:25 tuned
-rw-r--r--. 1 root root  4017 Feb 24  2022 vimrc


In this example, you see two different listings. The first field of the ls -l
output is a group of metadata that includes the permissions on each file. Here
are the components of the vimrc listing:

 * File type: -
 * Permission settings: rw-r--r--
 * Extended attributes: dot (.)
 * User owner: root
 * Group owner: root

The fields "File type" and "Extended attributes" are outside the scope of this
article, but in the featured output above, the vimrc file is a normal file,
which is file type - (that is, no special type).

The tuned listing is for a d, or directory, type file. There are other file
types as well, but these two are the most common. Available attributes are
dependent on the filesystem format that the files are stored on. For Red Hat
Enterprise Linux 7, 8, and 9, the default filesystem format is XFS.



Skip to bottom of list
Skip to the bottom of list


GREAT LINUX RESOURCES

 * Advanced Linux commands cheat sheet
 * Download RHEL 9 at no charge through the Red Hat Developer program
 * A guide to installing applications on Linux
 * Linux system administration skills assessment
 * How well do you know Linux? Take a quiz and get a badge


HOW DO YOU READ FILE PERMISSIONS?

This article is about the permission settings on a file. The interesting
permissions from the vimrc listing are:

rw-r--r–

This string is actually an expression of three different sets of permissions:

 * rw-
 * r--
 * r--

The first set of permissions applies to the owner of the file. The second set of
permissions applies to the user group that owns the file. The third set of
permissions is generally referred to as "others." All Linux files belong to an
owner and a group.

When permissions and users are represented by letters, that is called symbolic
mode. For users, u stands for user owner, g for group owner, and o for others.
For permissions, r stands for read, w for write, and x for execute.

[ Learn how to manage your Linux environment for success. ]

When the system is looking at a file's permissions to determine what information
to provide you when you interact with a file, it runs through a series of
checks:

 1. It first checks to see whether you are the user that owns the file. If so,
    then you are granted the user owner's permissions, and no further checks
    will be completed.
 2. If you are not the user that owns the file, next your group membership is
    validated to see whether you belong to the group that matches the group
    owner of the file. If so, then you're covered under the group owner field of
    permissions, and no further checks will be made.
 3. "Others" permissions are applied when the account interacting with the file
    is neither the user owner nor in the group that owns the files. Or, to put
    it another way, the three fields are mutually exclusive: You can not be
    covered under more than one of the fields of permission settings on a file.

Permissions go beyond the different types of people that can interact with a
file. Each user gets an expression that includes the three basic types of
permissions. In the example above, the owner of the file is given the following
permissions:

rw-

Each character in the expression indicates whether a specific permission is
granted or not. In the example above, read (r) permission and write (w)
permission have been granted on the file. However, the execute permission (x) is
not granted, which is why there's a - sign in the expression. The permission in
this field is disabled.

Consider the group owner's permissions in this example:

r--

The read (r) permission is granted to members of the group, but write and
execute have both been disabled.

[ Keep your most commonly used commands handy with the Linux commands cheat
sheet. ]


WHAT ARE OCTAL VALUES?

When Linux file permissions are represented by numbers, it's called numeric
mode. In numeric mode, a three-digit value represents specific file permissions
(for example, 744.) These are called octal values. The first digit is for owner
permissions, the second digit is for group permissions, and the third is for
other users. Each permission has a numeric value assigned to it:

 * r (read): 4
 * w (write): 2
 * x (execute): 1

In the permission value 744, the first digit corresponds to the user, the second
digit to the group, and the third digit to others. By adding up the value of
each user classification, you can find the file permissions.

For example, a file might have read, write, and execute permissions for its
owner, and only read permission for all other users. That looks like this:

 * Owner: rwx = 4+2+1 = 7
 * Group: r-- = 4+0+0 = 4
 * Others: r-- = 4+0+0 = 4

The results produce the three-digit value 744.



Skip to bottom of list
Skip to the bottom of list


LINUX SECURITY

 * What is security automation?
 * Red Hat OpenShift Service on AWS security FAQ
 * Enhance security with automation
 * Implementing DevSecOps guide
 * Red Hat CVE checker


WHAT DO LINUX FILE PERMISSIONS ACTUALLY DO?

I've talked about how to view file permissions, who they apply to, and how to
read what permissions are enabled or disabled. But what do these permissions
actually do in practice?


READ (R)

Read permission is used to access the file's contents. You can use a tool like
cat or less on the file to display the file contents. You could also use a text
editor like Vi or view on the file to display the contents of the file. Read
permission is required to make copies of a file, because you need to access the
file's contents to make a duplicate of it.


WRITE (W)

Write permission allows you to modify or change the contents of a file. Write
permission also allows you to use the redirect or append operators in the shell
(> or >>) to change the contents of a file. Without write permission, changes to
the file's contents are not permitted.


EXECUTE (X)

Execute permission allows you to execute the contents of a file. Typically,
executables would be things like commands or compiled binary applications.
However, execute permission also allows someone to run Bash shell scripts,
Python programs, and a variety of interpreted languages.

[ Download now: A sysadmin's guide to Bash scripting. ]

There are other ways to execute the contents of a file without execute
permission. For example, you could use an interpreter that has execute
permission to read a file with instructions for the interpreter to execute. An
example would be invoking a Bash shell script:

$ bash script.sh

The executable being run is bash. The script.sh file is read by the Bash
interpreter, and its commands are executed. The content in this article is
general purpose, but in Linux, there are often additional ways to accomplish
tasks.

Skip to the bottom of list
Image




Download now


HOW DO DIRECTORY PERMISSIONS WORK?

Directory file types are indicated with d. Conceptually, permissions operate the
same way, but directories interpret these operations differently.


READ (R)

Like regular files, this permission allows you to read the contents of the
directory. However, that means that you can view the contents (or files) stored
within the directory. This permission is required to have things like the ls
command work.


WRITE (W)

As with regular files, this allows someone to modify the contents of the
directory. When you are changing the contents of the directory, you are either
adding files to the directory or removing files from the directory. As such, you
must have write permission on a directory to move (mv) or remove (rm) files from
it. You also need write permission to create new files (using touch or a
file-redirect operator) or copy (cp) files into the directory.


EXECUTE (X)

This permission is very different on directories compared to files. Essentially,
you can think of it as providing access to the directory. Having execute
permission on a directory authorizes you to look at extended information on
files in the directory (using ls -l, for instance) but also allows you to change
your working directory (using cd) or pass through this directory on your way to
a subdirectory underneath.

Lacking execute permission on a directory can limit the other permissions in
interesting ways. For example, how can you add a new file to a directory (by
leveraging the write permission) if you can't access the directory's metadata to
store the information for a new, additional file? You cannot. It is for this
reason that directory-type files generally offer execute permission to one or
more of the user owner, group owner, or others.

[ Want to test your sysadmin skills? Take a skills assessment today. ]


HOW DO YOU MODIFY LINUX FILE PERMISSIONS?

You can modify file and directory permissions with the chmod command, which
stands for "change mode." To change file permissions in numeric mode, you enter
chmod and the octal value you desire, such as 744, alongside the file name. To
change file permissions in symbolic mode, you enter a user class and the
permissions you want to grant them next to the file name. For example:

$ chmod ug+rwx example.txt
$ chmod o+r example2.txt

This grants read, write, and execute for the user and group, and only read for
others. In symbolic mode, chmod u represents permissions for the user owner,
chmod g represents other users in the file's group, chmod o represents other
users not in the file's group. For all users, use chmod a.

Maybe you want to change the user owner itself. You can do that with the chown
command. Similarly, the chgrp command can be used to change the group ownership
of a file.



Skip to bottom of list
Skip to the bottom of list


CAREER ADVICE

 * Take a sysadmin skills assessment
 * Explore training and certification options
 * Red Hat Certification remote exams FAQ
 * 10 resources to make you a better communicator
 * How to explain modern software development in plain English
 * Learning path: Getting started with Red Hat OpenShift Service on AWS (ROSA)


WHAT ARE SPECIAL FILE PERMISSIONS?

Special permissions are available for files and directories and provide
additional privileges over the standard permission sets that have been covered.

 * SUID is the special permission for the user access level and always executes
   as the user who owns the file, no matter who is passing the command.
 * SGID allows a file to be executed as the group owner of the file; a file
   created in the directory has its group ownership set to the directory owner.
   This is helpful for directories used collaboratively among different members
   of a group because all members can access and execute new files.

The "sticky bit" is a directory-level special permission that restricts file
deletion, meaning only the file owner can remove a file within the directory.

Want to take a deeper dive into special permissions? Read Linux permissions:
SUID, SGID, and sticky bit.


WRAPPING UP

Understanding Linux file permissions (how to find them, read them, and change
them) is an important part of maintaining and securing your systems. You can
learn more about file permissions for Red Hat Enterprise Linux by checking out
the documentation or by practicing with a self-paced lab on using file
permissions.

[ Cheat sheet: Get a list of Linux utilities and commands for managing servers
and networks. ]


CHECK OUT THESE RELATED ARTICLES ON ENABLE SYSADMIN

Image

Linux permissions: SUID, SGID, and sticky bit
Getting permissions in Linux can sometimes be a 'sticky' situation. Learn how to
set the appropriate permissions, even in special circumstances.
Posted: October 15, 2020
Author: Tyler Carrigan (Editorial Team, Red Hat)
Image

Four semanage commands to keep SELinux in enforcing mode
Are you avoiding SELinux entirely, or leaving large portions of your systems in
permissive mode? Read on to learn how to use the SELinux targeted policy to lock
things down but maintain flexibility for custom applications.
Posted: September 16, 2019
Author: Susan Lauber
Image

How to change your hostname in Linux
What's in a name, you ask? Everything. It's how other systems, services, and
users "see" your system.
Posted: March 3, 2020
Author: Tyler Carrigan (Editorial Team, Red Hat)
Topics:   Linux administration   Security  


SCOTT MCBRIEN

Scott McBrien has worked as a systems administrator, consultant, instructor,
content author, and general geek off and on for Red Hat since July 2001. More
about me




TRY RED HAT ENTERPRISE LINUX

DOWNLOAD IT AT NO CHARGE FROM THE RED HAT DEVELOPER PROGRAM.

Download now


RELATED CONTENT

Image

Storing sensitive data using Podman secrets: Which method should you use?
Podman supports two ways for storing sensitive data: using raw Podman secrets or
creating Kubernetes secrets using Podman.
Posted: March 17, 2023
Author: Ygal Blum (Red Hat)
Image

Create a libvirt network with Open vSwitch
libvirt's default Linux bridge imposes limitations with some advanced network
features. Try using OVS to implement libvirt networks instead.
Posted: March 16, 2023
Author: David Silva (Red Hat)
Image

Build a golden image for your RHEL homelab with Image Builder
Create customized templates for your Red Hat Enterprise Linux (RHEL)-based
homelab that you can deploy repeatedly with automated upkeep.
Posted: March 20, 2023
Author: Eric "IT Guy" Hendricks (Red Hat)



The opinions expressed on this website are those of each author, not of the
author's employer or of Red Hat. The content published on this site are
community contributions and are for informational purpose only AND ARE NOT, AND
ARE NOT INTENDED TO BE, RED HAT DOCUMENTATION, SUPPORT, OR ADVICE.

Red Hat and the Red Hat logo are trademarks of Red Hat, Inc., registered in the
United States and other countries.


RED HAT LEGAL AND PRIVACY LINKS

 * About Red Hat
 * Jobs
 * Events
 * Locations
 * Contact Red Hat
 * Red Hat Blog
 * Diversity, equity, and inclusion
 * Cool Stuff Store
 * Red Hat Summit

© 2023 Red Hat, Inc.


RED HAT LEGAL AND PRIVACY LINKS

 * Privacy statement
 * Terms of use
 * All policies and guidelines
 * Digital accessibility
 * Cookie-präferenzen