3.2. Permission Symbols#

Permissions control who can do what with files and directories. They’re represented both as symbols and octal numbers, and you control them with chmod and chown.

3.2.1. Reading Permission Symbols#

When you run ls -l, the first 10 characters show file type and permissions:

-rw-r--r-- 1 alice developers 1024 Jan 15 14:30 file.txt
^^^^^^^^^^
│└┴┴┴┴┴┴┴┴─ Permissions (9 characters)
└─ File type (1 character: - regular file, d directory, l symlink)

3.2.1.1. Breaking Down the Permissions#

rwxrwxrwx
└┬┘└┬┘└┬┘
 │  │  └─ Others (world)
 │  └──── Group
 └─────── Owner (user)

Each triplet lists its bits in the same order: r(read), w(write), x(execute); a - means that bit is not set.

3.2.1.2. Permission Types#

Symbol       Number  File                    Directory
───────────────────────────────────────────────────────────────────────
r (read)     4       Read file contents      List directory contents
w (write)    2       Modify file contents    Create/delete/rename entries in dir
x (execute)  1       Run as program          Enter the directory (access its entries)
- (none)     0       No permission           No permission

Note that deleting a file needs write permission on the directory that holds it, not on the file itself.

3.2.1.3. Examples#

$ ls -l
-rw-r--r--  owner can read/write, group/others can read only
-rwxr-xr-x  owner has all, group/others can read and execute
-rw-------  owner can read/write, others have no access
drwxr-xr-x  directory: owner full access, group/others can enter and read

3.2.2. Octal Notation#

For quick permission changes, use octal (base-8) notation:

rwx = 4+2+1 = 7  (all permissions)
rw- = 4+2+0 = 6  (read and write)
r-x = 4+0+1 = 5  (read and execute)
r-- = 4+0+0 = 4  (read only)
-w- = 0+2+0 = 2  (write only - rare)
--x = 0+0+1 = 1  (execute only)
--- = 0+0+0 = 0  (no permissions)

3.2.2.1. Three-Digit Octal#

Each digit represents one class, in the order owner, group, others:

chmod 755 file.txt
       ││└─ Others:  5 = r-x (read, execute)
       │└── Group:   5 = r-x (read, execute)
       └─── Owner:   7 = rwx (all)

chmod 644 file.txt
       ││└─ Others:  4 = r-- (read only)
       │└── Group:   4 = r-- (read only)
       └─── Owner:   6 = rw- (read, write)

chmod 700 file.txt
       ││└─ Others:  0 = --- (none)
       │└── Group:   0 = --- (none)
       └─── Owner:   7 = rwx (all)

3.2.2.2. Common Permission Patterns#

chmod 755 file.txt   # rwxr-xr-x (executable for all, writable by owner)
chmod 644 file.txt   # rw-r--r-- (readable by all, writable by owner only)
chmod 700 dir/       # rwx------ (owner only, no access for others)
chmod 777 file.txt   # rwxrwxrwx (everyone can do everything - dangerous!)
chmod 000 secret     # --------- (no access for anyone except root - also risky)

3.2.3. Using chmod (Change Mode)#

3.2.3.1. Octal Method#

# Set exact permissions
$ chmod 755 script.sh
$ chmod 644 data.txt
$ chmod 700 private_dir/

# Recursive (directory and contents)
$ chmod -R 755 ~/myproject/

# Verbose (show what changed)
$ chmod -v 644 file.txt
mode of 'file.txt' changed from 0600 (rw-------) to 0644 (rw-r--r--)

3.2.3.2. Symbolic Method#

Add/remove specific permissions without affecting others:

# Add permission
$ chmod u+x script.sh   # Add execute for user
$ chmod g+r file.txt    # Add read for group
$ chmod o-w data.txt    # Remove write for others
$ chmod a+r public.txt  # Add read for all

# Multiple changes
$ chmod u+rwx,g+rx,o-rwx script.sh
# User: add all, Group: add read/execute, Others: remove all

# Copy permissions from another file (GNU chmod)
$ chmod --reference=original.txt copy.txt

3.2.3.3. Symbolic Notation Rules#

chmod [who][operator][permission] file
       │     │         │
       │     │         └─ r(read), w(write), x(execute), s(setuid), t(sticky)
       │     └─ +(add), -(remove), =(set exactly)
       └─ u(user), g(group), o(others), a(all)

Examples:
u+x      Add execute for user
g-w      Remove write for group
o+r      Add read for others
a-wx     Remove write and execute for all
u=rwx    Set user to exactly read, write, execute (group and others unchanged)

3.2.3.4. File vs Directory Permissions#

# Regular file: use 644 or 755
$ chmod 644 document.txt  # rw-r--r-- (read/write owner, read others)

# Executable file: use 755
$ chmod 755 script.sh     # rwxr-xr-x (executable by all)

# Directory: use 755 or 700
$ chmod 755 public_dir/   # rwxr-xr-x (enter and list for all)
$ chmod 700 private_dir/  # rwx------ (only owner can access)

# Sensitive file: use 600
$ chmod 600 ~/.ssh/id_rsa # rw------- (read/write owner only)

3.2.4. Special Permissions#

Beyond basic read/write/execute, three special permissions exist:

3.2.4.1. Setuid (Set User ID)#

Allows a program to run as its owner, not the user who launched it:

# Example: passwd command
$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 59976 Feb  3  2020 /usr/bin/passwd
                  s = setuid

# When alice runs passwd, it runs as root (needed to modify /etc/shadow)
$ passwd  # Alice runs this
# Internally runs with root privileges to change /etc/shadow

# Set setuid
$ chmod u+s binary_file
$ chmod 4755 binary_file  # Octal: a leading 4 in front of the usual three digits

Danger: Setuid programs are common attack vectors. Only use when absolutely necessary.

3.2.4.2. Setgid (Set Group ID)#

Program runs with group permissions, or new files inherit directory’s group:

# On a file: runs as the group owner
$ ls -l /usr/bin/crontab
-rwxr-sr-x 1 root crontab 39352 Nov 24  2022 /usr/bin/crontab
                s = setgid

# On a directory: new files inherit the directory's group
$ mkdir shared_project
$ chmod g+s shared_project
$ ls -ld shared_project
drwxrwsr-x 2 alice developers 4096 Jan 15 shared_project
                s = setgid

# Now files created there belong to 'developers' group automatically
$ touch shared_project/file.txt
$ ls -l shared_project/file.txt
-rw-r--r-- 1 alice developers 0 Jan 15 file.txt  # Inherits group!

# Set setgid
$ chmod g+s directory
$ chmod 2755 directory  # Octal: a leading 2 in front of the usual three digits

3.2.4.3. Sticky Bit#

In a directory with the sticky bit, a file can be deleted or renamed only by the file's owner, the directory's owner, or root, even when the directory is world-writable:

# Example: /tmp is writable by everyone
$ ls -ld /tmp
drwxrwxrwt 10 root root 4096 Jan 15 14:30 /tmp
              t = sticky bit

# Alice creates file in /tmp
$ touch /tmp/alice_file.txt
$ ls -l /tmp/alice_file.txt
-rw-r--r-- 1 alice alice 0 Jan 15 alice_file.txt

# Bob cannot delete alice's file (sticky bit protects it)
$ rm /tmp/alice_file.txt
rm: remove write-protected regular empty file '/tmp/alice_file.txt'? y
rm: cannot remove '/tmp/alice_file.txt': Operation not permitted
# (Denied: the prompt comes from rm because the file is not writable by Bob;
#  the refusal comes from the kernel because of the sticky bit on /tmp)

# Without sticky bit, Bob could delete it even though he doesn't own it!

# Set sticky bit
$ chmod o+t directory
$ chmod 1777 directory  # Octal: a leading 1 in front of the usual three digits
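The setuid warning and the sticky-bit discussion above point at the same defensive check: know where these bits are set. This added example (not from the original page) is a read-only audit that lists world-writable directories missing the sticky bit and every setuid/setgid file under a root, using only find, ls and cut; the function names and the output format are my own.

```shell
# Added example: audit the special bits under a root directory.
# Output, one finding per line:  KIND <tab> ls-style mode <tab> path
# Run against "/" with enough privilege to read the tree you care about.

report() {
    base=$1; kind=$2; shift 2
    # -xdev keeps find on one filesystem (skips /proc, network mounts, ...).
    find "$base" -xdev "$@" -print 2>/dev/null |
    while IFS= read -r path; do
        mode=$(ls -ld "$path" | cut -d' ' -f1)
        printf '%s\t%s\t%s\n' "$kind" "$mode" "$path"
    done
}

audit_special_bits() {
    root=${1:-/}
    # World-writable directory (others-write set) that LACKS the sticky bit:
    # any user could delete or rename other users' files inside it.
    report "$root" WW_NO_STICKY -type d -perm -0002 ! -perm -1000
    # Setuid / setgid files: each one is a privilege boundary to review.
    report "$root" SETUID -type f -perm -4000
    report "$root" SETGID -type f -perm -2000
}
```

A file carrying both setuid and setgid is reported twice, once under each kind.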

3.2.4.4. Summary Table#

Special   Octal  File                    Directory
────────────────────────────────────────────────────────────────────────────
Setuid     4xxx  Run as file owner       (ignored on Linux)
Setgid     2xxx  Run as file group       New files inherit the directory's group
Sticky     1xxx  (ignored on Linux)      Only the file's owner, dir owner or root can delete/rename