
File Permission

This document discusses Linux file permissions. It covers the basic permissions of read, write and execute that can be assigned to the file owner, group and others. Permissions are represented both textually as strings of characters like "rwxr-xr-x" and numerically as octal values like "644". Special permissions for set user ID, set group ID and sticky bit are also described. The differences between file and folder permissions are outlined. Required permissions for web servers and FTP uploaded files are explained at a high level.

Uploaded by

Wibowo Margito
Copyright
© Attribution Non-Commercial (BY-NC)

Linux permissions help

• 1. What are file permissions


• 2. File permissions notation
• 2.1. Textual representation like "-rwxr--r--"
• 2.1.1. Examples
• 2.2. Numeric (octal) representation like "644"
• 2.2.1. Examples
• 2.2.2. Why is there a leading zero?
• 2.2.3. Four meaningful digits like "4755"
• 3. Difference in access permissions for files and folders
• 4. Permissions required for web server
• 5. Permissions set for FTP-uploaded files
• 6. Set user ID, set group ID, sticky bit
• 6.1. Numeric representation
• 6.2. Textual representation
• 7. Links

1. What are file permissions


Every file or folder in Linux has access permissions. There are three types of permissions (what is
allowed to be done with a file):
• read access
• write access
• execute access
Permissions are defined for three types of users:
• the owner of the file
• the group that the owner belongs to
• other users
Thus, Linux file permissions are nine bits of information (3 types x 3 types of users), each of which may
have just one of two values: allowed or denied.
Simply put, for each file it can be specified who can read or write from/to the file. For programs or
scripts it can also be set whether they are allowed to be executed.

2. File permissions notation


2.1. Textual representation like "-rwxr--r--"
It is used in Linux long directory listings. It consists of 10 characters. The first character shows the file
type. Next 9 characters are permissions, consisting of three groups: owner, group, others. Each group
consists of three symbols: rwx (in this order), if some permission is denied, then a dash "-" is used
instead. Example:
-rwxr--r--
0123456789

• The symbol in position 0 ("-") is the type of the file. It is either "d" if the item is a directory, or
"l" if it is a link, or "-" if the item is a regular file.
• Symbols in positions 1 to 3 ("rwx") are permissions for the owner of the file.
• Symbols in positions 4 to 6 ("r--") are permissions for the group.
• Symbols in positions 7 to 9 ("r--") are permissions for others.

r   Read access is allowed
w   Write access is allowed
x   Execute access is allowed
-   Replaces "r", "w" or "x" if the corresponding access type is denied

2.1.1. Examples
-rwxr-xr-x   File; owner has read, write, execute permissions; group: only read and execute permissions; others: only read and execute permissions.
dr-x------   Directory; owner has read and execute access; group and others have no access.

2.2. Numeric (octal) representation like "644"


If a numeric representation is used (like in chmod command, for example), then it is in the octal format
(with the base of 8), and digits involved are 0 to 7. Octal format is used for the simplicity of
understanding: every octal digit combines read, write and execute permissions together. Respective
access rights for owner, group and others (in this order) are the last three digits of the numeric file
permissions representation. Example: "0644". Here the second digit ("6" in the example) stands for
rights of the owner, the third digit ("4" in the example) stands for rights of the group, the fourth digit
("4" in the example) stands for rights of others.
This table shows what numeric values mean:
Octal digit Text equivalent Binary value Meaning
0 --- 000 All types of access are denied
1 --x 001 Execute access is allowed only
2 -w- 010 Write access is allowed only
3 -wx 011 Write and execute access are allowed
4 r-- 100 Read access is allowed only
5 r-x 101 Read and execute access are allowed
6 rw- 110 Read and write access are allowed
7 rwx 111 Everything is allowed
We see that "1" stands for execute only, "2" stands for write only, "4" stands for read only. To combine
the permissions you can simply add 1, 2 and 4 to get a needed combination. For instance, to get read
and write permissions, you add 4 (read) and 2 (write), thus getting 6 (read and write). To get read and
execute permissions, you add 4 (read) and 1 (execute), thus getting 5 (read and execute).

2.2.1. Examples
644   owner: read and write permissions; group: only read permissions; others: only read permissions.
755   owner: read, write and execute permissions; group: read and execute permissions; others: read and execute permissions.

2.2.2. Why is there a leading zero?

In programming, for instance in the C language, a leading zero means that the value is in the octal format.
Basically, it can be omitted. Owner, group and others rights are the last three digits of the permissions.

2.2.3. Four meaningful digits like "4755"


There are cases when you may come across four non-zero digits, in this case the first meaningful (non-
zero) digit combines the following bits (in this order, high to low): SUID, SGID, sticky bit. We also
know that the last three are for owner, group and others.
See the table in section 6.1 for more information about SUID and so on.

3. Difference in access permissions for files and folders


Access permissions for files and folders mean different things from the user standpoint. The table
below shows the difference.
• Read
  File: If the file contents can be read
  Folder: If the directory listing can be obtained
• Write
  File: If user or process can write to the file (change its contents)
  Folder: If user or process can change directory contents somehow: create new or delete existing files in the directory or rename files.
• Execute
  File: If the file can be executed
  Folder: If user or process can access the directory, that is, go to it (make it to be the current working directory)

4. Permissions required for web server


The web server assigns the rights of the web-server-specific user, typically user "nobody", to the connected
web client, as if "nobody" is connected to the web server. "Nobody" doesn't belong to your group and
thus it inherits the permissions that "others" have to your files.
• For generic files such as HTML pages or images, you usually need to set 644 permissions. This is
because "nobody" needs to read the file, and thus the file should be readable by others, hence 4
(read only) permissions for both group and others. For yourself you need a right to read and
write (hence 6) to the file.
• For scripts you need 755 rights. The script should be executable by "nobody". The script file
should also be readable by "nobody", as the file is interpreted by an interpreter such as Perl and
therefore must be readable. Thus it must combine read and execute permissions for "others", as
"nobody" belongs to the "others" group. For yourself you also need write access, getting
755 as a result.
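
The 644 / 755 guidance above can be checked mechanically. This Python example is added here and is not part of the original document; the function names, the extension list used to recognise scripts, and the sample file tree are assumptions constructed for the demonstration.

```python
import os
import stat
import tempfile

SCRIPT_EXTENSIONS = (".pl", ".cgi", ".sh")  # assumption: how scripts are recognised

def check_mode(mode, is_script):
    """Compare permission bits with 755 (scripts) or 644 (other files)."""
    wanted = 0o755 if is_script else 0o644
    findings = []
    if mode & 0o022:
        findings.append("writable by group or others")
    if mode & 0o7000:
        findings.append("setuid, setgid or sticky bit set")
    if mode & 0o111 & ~wanted:
        findings.append("execute bit on a non-script file")
    if wanted & 0o005 & ~mode:
        findings.append("others lack access the web server user needs")
    return findings

def audit_webroot(root):
    """Return {relative path: (octal mode, findings)} for flagged regular files."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st_mode = os.lstat(path).st_mode   # lstat: do not follow symlinks
            if not stat.S_ISREG(st_mode):
                continue
            mode = stat.S_IMODE(st_mode)       # keep the 12 permission bits
            findings = check_mode(mode, name.endswith(SCRIPT_EXTENSIONS))
            if findings:
                report[os.path.relpath(path, root)] = ("%04o" % mode, findings)
    return report

def build_sample_webroot():
    """Constructed sample tree; the file names and modes are made up."""
    root = tempfile.mkdtemp(prefix="webroot-")
    samples = {"index.html": 0o644, "form.cgi": 0o755, "upload.html": 0o666,
               "logo.png": 0o755, "report.pl": 0o700, "helper.sh": 0o4755}
    for name, mode in samples.items():
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)                   # chmod is not affected by umask
    return root

if __name__ == "__main__":
    for rel, (mode, findings) in sorted(audit_webroot(build_sample_webroot()).items()):
        print(rel, mode, "; ".join(findings))
```

Files at exactly 644 (or 755 for scripts) produce no findings; anything looser, or a script that "others" cannot read and execute, is reported with its octal mode.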

5. Permissions set for FTP-uploaded files


When you upload files to your web hosting account, you become the owner of the files. Usually, by
default files get 644 permissions, and depending on the provider's FTP server configuration they may get
different permissions in different situations. You can also change the file permissions with an FTP client or
by executing a chmod command in telnet.

6. Set user ID, set group ID, sticky bit


In addition to the basic permissions discussed above, there are also three bits of information defined for
files in Linux:
• SUID or setuid: change user ID on execution. If the setuid bit is set, when the file is
executed by a user, the process will have the same rights as the owner of the file being executed.
• SGID or setgid: change group ID on execution. Same as above, but inherits rights of the
group of the owner of the file on execution. For directories it also may mean that when a new
file is created in the directory it will inherit the group of the directory (and not of the user who
created the file).
• Sticky bit. It was used to make a process "stick" in memory after it finished; this usage
is now obsolete. Currently its use is system dependent and it is mostly used to suppress deletion of
files that belong to other users in a folder to which you have "write" access.

6.1. Numeric representation


Octal digit Binary value Meaning
0 000 setuid, setgid, sticky bits are cleared
1 001 sticky bit is set
2 010 setgid bit is set
3 011 setgid and sticky bits are set
4 100 setuid bit is set
5 101 setuid and sticky bits are set
6 110 setuid and setgid bits are set
7 111 setuid, setgid, sticky bits are set

6.2. Textual representation


SUID: If set, then replaces "x" in the owner permissions with "s", if owner has execute permissions, or with
"S" otherwise. Examples:
-rws------ both owner execute and SUID are set
-r-S------ SUID is set, but owner execute is not set

SGID: If set, then replaces "x" in the group permissions with "s", if group has execute permissions, or with
"S" otherwise. Examples:
-rwxrws--- both group execute and SGID are set
-rwxr-S--- SGID is set, but group execute is not set

Sticky: If set, then replaces "x" in the others permissions with "t", if others have execute permissions, or
with "T" otherwise. Examples:
-rwxrwxrwt both others execute and sticky bit are set
-rwxrwxr-T sticky bit is set, but others execute is not set
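
The textual and octal notations, including the "s", "S", "t" and "T" characters described above, can be converted into each other mechanically. The following Python code is an added example, not part of the original document; the function names text_to_octal and octal_to_text are made up for illustration.

```python
import stat

# position in the 9-character string -> (special bit, char with x, char without x)
SPECIAL = {2: (stat.S_ISUID, "s", "S"), 5: (stat.S_ISGID, "s", "S"),
           8: (stat.S_ISVTX, "t", "T")}


def text_to_octal(text):
    """'-rwsr-xr-x' -> '4755'. Accepts 9 or 10 characters (type char is skipped)."""
    perms = text[1:] if len(text) == 10 else text
    if len(perms) != 9:
        raise ValueError("expected 9 permission characters: %r" % text)
    mode = 0
    for i, ch in enumerate(perms):
        bit = 0o400 >> i                      # r, w or x bit for this position
        if ch == "rwx"[i % 3]:
            mode |= bit
        elif i in SPECIAL and ch in SPECIAL[i][1:]:
            mode |= SPECIAL[i][0]
            if ch.islower():                  # lowercase: execute is also set
                mode |= bit
        elif ch != "-":
            raise ValueError("bad character %r at position %d" % (ch, i + 1))
    return "%04o" % mode


def octal_to_text(octal, file_type="-"):
    """'4755' -> '-rwsr-xr-x'. Three digits or a leading zero are both accepted."""
    mode = int(octal, 8)
    if not 0 <= mode <= 0o7777:
        raise ValueError("mode out of range: %r" % octal)
    chars = []
    for i in range(9):
        allowed = bool(mode & (0o400 >> i))
        ch = "rwx"[i % 3] if allowed else "-"
        if i in SPECIAL and mode & SPECIAL[i][0]:
            ch = SPECIAL[i][1] if allowed else SPECIAL[i][2]
        chars.append(ch)
    return file_type + "".join(chars)


if __name__ == "__main__":
    for sample in ("-rwxr--r--", "-rws------", "-r-S------", "-rwxrwxr-T"):
        print(sample, "->", text_to_octal(sample))
    print("1777 ->", octal_to_text("1777", "d"))
```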

7. Links
• Chmod command help and syntax
