Linux Security Fundamentals

Changing File and Directory Permissions

There are two commands that are used to set file and directory permissions, and both accept permissions in either numeric or symbolic form.

Symbolic form permissions use the abbreviations [rwx] to represent each set of permissions.

Numeric form permissions use octal numbers that are based on the following values. One important thing to note is that although symbolic permissions are more commonly used, and easier to use, many Linux applications and documentation still refer to the numeric form of permissions, so it is necessary to understand them. Numeric forms of permissions are calculated by adding the value of each permission bit (rwx).

Read: 4

Write: 2

Execute: 1

A permission of [rwx] can be represented numerically as 4+2+1 or 7. A permission string of [-rw-rw-r--] can be represented numerically as 4+2, 4+2, 4 or 664. Consider the following examples in numeric format.

-rwxrwxrwx: 777: Everyone can do anything with this file.

-rw-r-----: 640: The owner can read and write to the file, and members of the file's owning group can read the file; no one else has access to the file.

drwx------: 700: The owner can modify the contents of the directory and get a listing of the directory; no one else has access to the directory.

-rw-rw-rw-: 666: This is a public file that allows anyone to access and change it.

drwxrwxrwx: 777: This is a public directory that allows anyone to add to and delete from it.

To change the permissions that have been assigned to a file or directory, you can use the [chmod] command. To set default permissions you can use the [umask] command.

The chmod command requires two arguments, the permission modification expression and the file that the expression applies to. The permission modification expression consists of the bits that are being modified, an operator indicating whether the permissions are being added, removed or set, and finally the actual permission string.

Consider the following permission expressions:

ugo=rwx: Sets all permission bits.

a-x: Removes all execute bits from the file. [a] means all (ugo).

ug-x,o-wx: Removes execute from the user and group, and removes write and execute from other users.

a+x: Makes a file executable (adds the execute bit for all users).

Consider the following examples:

chmod a+x script1: Adds the execute bit for all users to script1.

chmod ug+rw,o+r document1: Adds read/write for the owner user and group, and read for other users.

chmod go-w report1: Removes the write permission for the owning group and other users from report1.

chmod u=rwx,g=rw,o=r script2: Sets the permissions to rwxrw-r-- for script2.

It is important to note the difference between setting, adding and removing permissions. Any expression that adds or removes permissions bases the results on what the existing permissions sets are, while the [=] expression sets the permissions, regardless of the current permissions.

Permissions can also be set using numeric notation; however, this method does not allow you to add or remove individual permission bits. Consider the following examples:

chmod 777 file1: Sets all permissions for file1

chmod 640 file2: Sets rw-r----- for file2

chmod 761 file3: Sets rwxrw---x for file3

[umask] is used to set default permissions. When a umask value is set, the default permissions for new files and directories are created by subtracting the umask value from the "full" permission value. For files this value is 666 and for directories 777. The reason that directories have a "full" permission value of 777 is that the execute permission is implied. By subtracting from 777, you guarantee that the read and write bits of new files and directories will be the same, with directories additionally carrying the execute bit, so their minimum permission value is 111 (--x--x--x) as opposed to 000 (---------). To illustrate this, consider the following command sequence.


Note that the permissions on file1 are 644, which is 666-022. Also note that the permissions on dir1 are 755, which is 777-022.
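The following shell script is an added example, not part of the original page: it reproduces the chmod expressions and the umask 022 sequence described above in a scratch directory and reads the resulting modes back with GNU stat (assumed: a Linux system with coreutils). It also computes the umask result as the bit mask the kernel actually applies, which only matches plain subtraction when every umask bit is present in the "full" value.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes GNU coreutils
# so that `stat -c '%a'` prints the octal permission bits.

# Print the octal permission bits of a path, e.g. 644.
mode_of() {
    stat -c '%a' "$1"
}

# Default mode for a new object: the umask is applied as a bit mask
# (full & ~umask), which is what the text calls "subtracting".
# Plain subtraction only agrees when every mask bit is set in FULL:
# umask 011 on a file (666) still yields 666, not 655.
default_mode() {
    full=$1; mask=$2
    printf '%03o' $(( 0$full & ~0$mask ))
}

# Run the page's chmod examples under umask 022 and print
# "name mode" lines so each outcome can be checked.
chmod_examples() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        umask 022                                # value used in the text
        touch file1 script2 file3; mkdir dir1
        printf 'file1 %s\n' "$(mode_of file1)"   # 666-022 = 644
        printf 'dir1 %s\n' "$(mode_of dir1)"     # 777-022 = 755
        chmod u=rwx,g=rw,o=r script2             # symbolic "set" form
        printf 'script2 %s\n' "$(mode_of script2)"   # rwxrw-r-- = 764
        chmod 761 file3                          # numeric form
        printf 'file3 %s\n' "$(mode_of file3)"   # rwxrw---x = 761
        chmod go-w file3                         # "remove" keeps other bits
        printf 'file3-after-go-w %s\n' "$(mode_of file3)"  # rwxr----x = 741
    )
    rm -rf "$work"
}

# Look up one entry from chmod_examples' output by name.
example_mode() {
    chmod_examples | awk -v n="$1" '$1 == n { print $2 }'
}

chmod_examples
```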

You would normally set the umask value on directories that are shared by groups of users, and in some cases on home directories. The functionality of umask is provided by the “creator owner” group in Windows.