Linux File Permissions, chmod, & umask

Understand how Ubuntu / Linux file permissions and special mode bits work. Learn how to change these permissions using the chmod command. Find out how default permissions for new files are configured via a user's umask value.

Contents

Linux File Permissions

In Ubuntu / Linux everything is a file, so everything will have permissions also.

File permissions define which user or system accounts have permissions to read, write, and execute specific files.

These read, write, and execute permissions are defined for:

user the user that owns the file
group users in the files group
other every other user

There are also three other components when it comes to file mode bits, namely the setuid bit, the setgid bit, and the sticky bit.

As you'll see later, these "special mode bits" can only be used for certain files.

How Read, Write, And Execute Permissions Are Represented

File permissions are identified through file mode bits. These bits represent what actions can be carried out by specific user accounts.

For example, if you run the command ls -l to list the files in the current directory, you'll see something similar to this at the beginning of each line in the results:

-rwxrwxrwx

The repeated rwx sequences represent the notion of read (r), write (w), and execute (x) permissions for user, group, and other (in that order).

Hence the -rwxrwxrwx above indicates that user, group, and other have read, write and execute permissions for that file or in other words: the owner of the file, anyone in the file's group, and everybody else has read, write, and execute permissions for that file).

Note that the leading - you'll see in permissions like -rwxrwxrwx simply indicates that this is a normal file (file type regular).

File Types

The possible file types you may see are depicted by preceding the permissions by one of these:

  • - = Regular File
  • d = Directory
  • l = Symbolic Link
  • b = Block Special Device
  • c = Character Device
  • s = Unix Socket (local domain socket)
  • p = Named Pipe

Here are a few more examples of what you might see:

-rw-rw-r--

A regular file, readable and writeable by user and group, but only readable by everybody else.


drwxr-xr-x

Note that the d above indicates that the permissions are for a directory (i.e. the file's type is a directory).

This directory is readable, writeable, and executable by "user" whilst only readable and executable by "group" and "other".

Also note that for directories, the execute mode bit x indicates access / searchability of that directory for a particular category of user.


-rw-------

The above permissions show that the owner of this regular file has read and write permission but nobody else has any permissions for that file.


If you see a file with permissions like this:

crw--w----

You'll know it refers to a "character device" (such as a tty) where the "user" has read and write permission, the "group" has write permission, and "other" has no permissions.


To recap, the meanings of r, w, and x for each of the three categories "user", "group", and "other" are illustrated in the image below which shows an ls -l command run in a directory which contains filename.txt:

A File's "User" And "Group"

The user name shown in the image above is the name of the user account which owns the file (normally the creator, but this can be changed using chown) whilst the group name is the creator's primary group (this can be changed using chgrp).

By default in Ubuntu, the default primary group is a group with the same name as the user. This is the case above where both the user and group are "tutonics" (for more info about user accounts and groups, please read our post about user account and group management).

To understand how default permissions are determined, skip to section "Umask - Configuring Default File / Directory Permissions" below.

Special Mode Bits

Normal Process Permissions

When a process runs, it takes on the effective permissions of the user who started it. This means the process can only read / write / execute what the user has permissions for.

The same applies to the effective group id of a process, it assumes that of the user, so group permissions of the process mirror that of the user.

This behaviour gets changed when setuid and/or setgid bits are set as you'll see next.

Setuid - Set User ID

When the setuid bit is set for a program, on execution the process's effective user ID gets set to that of the program file itself (rather than that of the user running it).

If a file with permissions -rwxrwxrw- gets its setuid bit set, the permissions will be displayed as -rwsrwxrw-. Note the lower case s where the x was.

If however, the file didn't have the x permissions for the user, and then had the setuid bit set, you'd see -rwSrwxrw- instead.

So to recap, there is a difference between S and s the former indicates just the setuid bit, the latter indicates setuid bit and execute x (for that position) in the permissions is set.

Setgid - Set Group ID

When the setgid bit is set for a program, on execution the process's effective group ID gets set to that of the program file (rather than that of the user's primary group).

Like setuid, the setgid bit is shown as either an S or s.

If a file starts out with -rw-r--r-- (no group x) and has its setgid bit set, you'd see it being displayed as -rw-r-Sr-- whereas if it started out as -rw-r-xr-- it would be displayed as -rw-r-sr-- once the setgid bit is set.

Setuid For Directories

When the setuid bit is set as part of a directory's permissions in Ubuntu, it does nothing, i.e. it has no effect (This is not the case for the setgid bit, as you'll see next).

Setgid For Directories

When the setgid bit is set for a directory, any files created in that directory will have the same group as that directory.

Also, any directories created in that directory will also have their setgid bit set.

Sticky Bit

Nowadays (for linux) the sticky bit is used only in relation to directories.

When a directory has the sticky bit set, only root or the file's owner has permission to change files in that directory.

The letter's T and t are used to indicate that the sticky bit is set. e.g. A directory with permissions drwxr-xr-x having the sticky bit set, would change to drwxr-xr-t whilst a dir with drwxr-xr-- would change to drwxr-xr-T (So t vs T depends on whether the "other" category has x permissions set or not respectively).

Permissions: Octal Representation

Sometimes, you'll see permissions referred to numerically in base 8 octal (i.e. using digits 0-7).

Permissions Symbolic Binary Octal
read, write, and execute rwx 111 7
read and write rw- 110 6
read and execute r-x 101 5
read r-- 100 4
write and execute -wx 011 3
write -w- 010 2
execute --x 001 1
no permissions --- 000 0

So for example, using the table above, we can see that the file permissions -rwxrwxrwx can be represented in octal as 777 (because each rwx translates to an octal digit 7).

Note that the octal number refers to permissions, the file type does not matter.

So, if we wanted to represent the permissions drwxrwxrwx of a directory in octal, the same octal number 777 would also apply.

Other Octal Permission Examples:

User / Group / Other rwx Mode Symbols Octal Equivalent
-rwxr-xr-x
755
-rw-rw-r--
664
-rw-r--r--
644
-rw-------
600

Changing File Permissions - Chmod

The chmod command is used to change the various permission bits of a file or directory.

The command takes the general form:

chmod MODE file

There are two ways to represent the MODE:

  1. Using symbolic modes (letters to indicate the categories and permission)
  2. Using numeric modes (An octal (base 8) number that represents the mode)

Using the "numeric modes" way of setting these permissions is shorter than the symbolic method, but not as flexible because you can't build on top of existing permissions which is possible when using "symbolic modes".

Using Symbolic Modes With Chmod

In order to change the permissions of a file using symbolic permissions, use the command format:

chmod SYMBOLIC-MODE FILENAME

where SYMBOLIC-MODE is the symbolic representation of permissions (which we describe below) that you wish to apply to FILENAME.

The letters for user, group, and other are u, g, and o respectively. The letter a is used to mean all three of these categories.

The MODE above takes the form (as per manpage):

[ugoa...][[+-=][permissions...]...]

So, the operations available are:

  • + (add the permissions to what currently exists).
  • - (remove the permissions from what currently exists).
  • = (set to this value only, replacing existing permissions).

When you combine the above with the permission letters r, w, and x you can run chmod commands like those shown below.

For example, to use chmod to set permissions of file "filename" to -rwxrwxrwx you could run:

chmod a=rwx filename

Breaking this down, the a means all and rwx means set read, write, and execute.

The = means that permissions are to be set to exactly what we specify.(i.e. we overwrite the current permissions).

In this case you can get the same result more explicitly using either:

chmod ugo=rwx filename

or

chmod ugo+=rwx filename

Regarding just the symbolic mode part of the command, here are a few more examples:

To add read permission for all:

a+r

To remove permissions for all:

a-r

To add execute permissions for all:

a+x

To remove execute permissions for all:

a-x

To assign read, write permissions only for user and group:

ug=rw

To add read, write permissions to user and group to the permissions that already exist:

ug+=rw

To remove execute permissions from group and other (i.e from all users except the file's owner):

go-x

To remove permissions to do anything from all users except the owner:

go=

Note in the examples above and in general that there are different combinations that have the same effect.

Changing Special Modes Using Symbols

The setuid bit can be set using:

u+s

The setuid bit can be removed using:

u-s

Similarly, setgid can be set using:

g+s

and removed using:

g-s

The sticky bit can be set by using:

+t

and removed using:

-t

Using Numeric Modes With Chmod

To set the permissions of a file or directory using numeric modes, simply use the format:

chmod OCTAL-MODE FILENAME

where OCTAL-MODE is the octal form of the permissions.

For example, to set the permissions of filename to -rw-r--r-- you could run the command:

chmod 644 filename

or to change permissions to -rwxrwxrwx you could use the command:

chmod 777 filename

Be careful when setting permissions to 777 as this means every single user account can read, write, and execute that file.

Special Mode Bits

The setuid, setgid, and sticky bit can be set using chmod where

  • 1 = sticky bit
  • 2 = setgid
  • 4 = setuid

For example to set the setuid bit along with permissions 766:

chmod 4766 filename

To set the setgid bit along with 776:

chmod 2776 filename

To set sticky bit along with 766:

chmod 1776 fileanme

To set both setuid(2) and setgid(4) along with 766, prepend with 6. i.e. 2+4:

chmod 6766 filename

Umask - Configuring Default File / Directory Permissions

When a user creates a file, how does the system determine that file's initial permissions?

This is done based on the user's umask value.

The umask value specifies which permissions are not to be set.

In Ubuntu, the default umask value for a normal user is 002, while the default for root is 022.

You can find out the current umask value (or set it) using the umask command.

If (as a normal user) you run the command:

umask

You'll see something like 0002 displayed, however octal numbers are preceded by a 0 (in the same way hex would be preceded by 0x), so the umask value itself is actually 002.

This value is an octal (base 8, digits 0-7) value which is subtracted from a base value of 777 for directories, or subtracted from a base value of 666 for files.

A umask of 002 basically means don't remove any permissions from the base value for "user" or "group", but "other" is not allowed write permission (write permission is octal 2, or binary 010 meaning -w-).

So if we create a new file:

touch newfile.txt

The file permissions for this new file will be 666-002 = 664, i.e. rw-rw-r-- (readable and writeable by user and group, but only readable by everyone else).

Similarly, if we create a new directory:

mkdir newDir

The file permissions for the directory newDir will be 777-002 = 775, i.e. drwxrwxr-x (readable, writeable, executable by user and group, but only readable and executable by everyone else).

If you wish to set the umask value to something else, simply use umask command like so:

umask newvalue

where "newvalue" is an octal number representing which permissions you do not want to be set when files are created.

What's Next?

We'll be covering how to change file ownership and group ownership in the next post.