Permission bits, set separately for Owner (u), Group (g) and Others (o):
Read (4)
Write (2)
Execute (1)
⚠️ Directories require execute (x) permissions to be accessible.
⚠️ SetUID should only be used for executable files.
⚠️ SetGID should only be used for executable files or directories.
⚠️ Sticky Bit should only be used for directories.
⚠️ Note: Symbolic links in Linux always have 777 permissions (lrwxrwxrwx). Changing permissions on a symlink affects the target file, not the link itself.
Chmod Command:
chmod 640 file
Recursive Chmod Command:
chmod -R 640 directory
Symbolic Chmod Command:
chmod u=rw,g=r,o= file
Basic Command:
chown john:developers file
Recursive Command:
chown -R john:developers directory
setfacl Command:
setfacl -m u:john:r file
getfacl Command:
getfacl file
Remove All ACLs:
setfacl -b file
What is umask?

Umask determines the default permissions for newly created files and directories by removing its bits from the maximum permissions (666 for files, 777 for directories).

Current Umask:
0022
New Files (666 - umask):
644 (rw-r--r--)
New Directories (777 - umask):
755 (rwxr-xr-x)
View Current Umask:
umask
Set Umask (session):
umask 0022
Make Permanent (~/.bashrc):
echo "umask 0022" >> ~/.bashrc
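
The same calculation as an added shell example (not part of the original page): the mask is applied bitwise, clearing its bits from 666 or 777, which matches plain subtraction for 0022 but not for a mask such as 0033. The function names are illustrative, and stat -c assumes GNU coreutils or BusyBox.

```sh
#!/bin/sh
# Added example: umask clears bits (base AND NOT mask); it is not decimal subtraction.

# mode_after_umask BASE MASK -> prints the resulting octal mode, e.g. 666 0027 -> 640
mode_after_umask() {
    # The leading 0 forces octal interpretation in shell arithmetic.
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# created_modes MASK -> prints "<file mode> <dir mode>" as really created under MASK
created_modes() {
    tmp=$(mktemp -d) || return 1
    (
        umask "$1"
        : > "$tmp/f"      # a redirect asks for 666
        mkdir "$tmp/d"    # mkdir asks for 777
    )
    printf '%s %s\n' "$(stat -c %a "$tmp/f")" "$(stat -c %a "$tmp/d")"
    rm -rf "$tmp"
}

# Compare the computed modes with what the filesystem records.
for m in 0022 0027 0033 0077; do
    printf 'umask %s: files %s, dirs %s (created: %s)\n' "$m" \
        "$(mode_after_umask 666 "$m")" "$(mode_after_umask 777 "$m")" \
        "$(created_modes "$m")"
done
```
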

Configure file attributes using chattr. These attributes provide additional protection beyond traditional permissions.

Set Attributes Command:
chattr +i file
Remove Attributes Command:
chattr -i file
View Current Attributes:
lsattr file

Generate sudoers rules to control which users can run commands as root. Always use visudo to edit /etc/sudoers or add files to /etc/sudoers.d/.

User or group: use % prefix for groups (e.g., %sudo, %wheel)
Hosts: usually ALL for all hosts
Run as: usually ALL:ALL or just root
Commands: use ALL for all commands, or specify full paths separated by commas
Sudoers Rule:
john ALL=(ALL:ALL) NOPASSWD: ALL
Edit Command:
sudo visudo -f /etc/sudoers.d/custom
Verify Syntax:
sudo visudo -c
⚠️ Important: Always use visudo to edit sudoers files. It checks syntax before saving to prevent lockouts. Never edit /etc/sudoers directly with a text editor!
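
A review check for rules like the one generated above, added here as an example (not part of the original page or of sudo itself): it flags rules that combine NOPASSWD with ALL commands, and commands given without a full path. The function names and the sample rules other than the john rule are constructed for illustration; it handles single-line rules only and does not replace visudo -c.

```sh
#!/bin/sh
# Added example: heuristic review of single-line sudoers user rules (not a parser).

# lint_sudoers: reads rules on stdin, prints one finding per line on stdout.
lint_sudoers() {
    awk '
    /^[ \t]*#/ { next }                              # comments
    /^[ \t]*$/ { next }                              # blank lines
    /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }     # settings and aliases
    {
        eq = index($0, "=")
        if (eq == 0) next                            # not a "who host=..." rule
        who = $1
        spec = substr($0, eq + 1)
        sub(/^[ \t]*\([^)]*\)[ \t]*/, "", spec)      # drop the (runas) part
        nopass = (spec ~ /NOPASSWD:/)
        gsub(/[A-Z_]+:[ \t]*/, "", spec)             # drop tags such as NOPASSWD:
        n = split(spec, cmd, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            sub(/^[ \t]+/, "", cmd[i])
            sub(/[ \t]+$/, "", cmd[i])
            if (cmd[i] == "ALL") {
                if (nopass) print who ": NOPASSWD on ALL commands"
            } else if (cmd[i] !~ /^\//) {
                print who ": command is not a full path: " cmd[i]
            }
        }
    }'
}

# Constructed sample; only the first rule appears on the page.
lint_sample() {
    lint_sudoers <<'EOF'
john ALL=(ALL:ALL) NOPASSWD: ALL
%sudo ALL=(ALL:ALL) ALL
%developers ALL=(root) /usr/bin/systemctl restart nginx, /usr/bin/journalctl
deploy ALL=(root) NOPASSWD: systemctl restart app
EOF
}

lint_sample
```
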

📖 Linux Permissions Quick Reference

chmod - Change File Permissions

Syntax: chmod [options] mode file

Common Options:

  • -R - Recursive (apply to directories and their contents)
  • -v - Verbose (show files being processed)
  • --reference=FILE - Use FILE's mode instead of MODE

chmod 755 script.sh
chmod u+x,g-w file.txt

chown - Change File Owner

Syntax: chown [options] owner[:group] file

chown john file.txt
chown john:developers /var/www
chown -R www-data:www-data /var/www/html

chgrp - Change Group Ownership

Syntax: chgrp [options] group file

chgrp developers project/

setfacl - Set File Access Control Lists

Syntax: setfacl [options] acl_spec file

Common Options:

  • -m - Modify ACL
  • -x - Remove ACL entry
  • -b - Remove all ACL entries
  • -d - Set default ACL (for directories)
  • -R - Recursive

setfacl -m u:john:rwx file.txt
setfacl -m g:developers:rx directory/
setfacl -d -m u:john:rwx /shared/

getfacl - Display File ACLs

Syntax: getfacl file

getfacl file.txt

umask - Set Default Permissions Mask

Syntax: umask [mask]

umask
umask 0022

chattr - Change File Attributes

Syntax: chattr [options] [+|-|=attributes] file

Common Attributes:

  • i - Immutable (cannot be modified, deleted, or renamed)
  • a - Append only (can only append data)
  • d - No dump (excluded from backup)
  • s - Secure deletion (overwrite with zeros)

Common Options:

  • + - Add attributes
  • - - Remove attributes
  • = - Set exact attributes
  • -R - Recursive

chattr +i important.conf
chattr -i important.conf

lsattr - List File Attributes

Syntax: lsattr [options] file

lsattr important.conf

visudo - Edit Sudoers File Safely

Syntax: visudo [options]

Common Options:

  • -c - Check syntax without editing
  • -f FILE - Edit specific file (e.g., /etc/sudoers.d/custom)

sudo visudo
sudo visudo -c
sudo visudo -f /etc/sudoers.d/custom

📊 Permission Tables

Numeric  Symbolic  Description
0        ---       No permissions
1        --x       Execute only
2        -w-       Write only
3        -wx       Write and execute
4        r--       Read only
5        r-x       Read and execute
6        rw-       Read and write
7        rwx       All permissions

Common Permission Patterns

Mode  Symbolic   Use Case
644   rw-r--r--  Regular files
755   rwxr-xr-x  Executables, directories
700   rwx------  Private files/dirs
600   rw-------  Private files (SSH keys)
777   rwxrwxrwx  World writable (⚠ dangerous)
775   rwxrwxr-x  Group collaborative dirs
664   rw-rw-r--  Group collaborative files

💡 Real-World Examples

Web Server Setup

chown -R www-data:www-data /var/www/html
find /var/www/html -type d -exec chmod 755 {} \;
find /var/www/html -type f -exec chmod 644 {} \;

Shared Directory with Group Access

mkdir /shared && chmod 2775 /shared
chgrp developers /shared

Secure SSH Key

chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub

Make Script Executable

chmod +x script.sh