Permissions & ACL

Linux permission system: chmod (mode bits), chown (ownership), umask (default permissions), setfacl/getfacl (fine-grained ACL for multiple users and groups).

chmod

Octal mode

Command	Symbolic	Meaning
chmod 755 file	rwxr-xr-x	Owner full, others read+execute
chmod 644 file	rw-r--r--	Owner read+write, others read
chmod 600 file	rw-------	Owner only (private key, secret file)
chmod 700 dir	rwx------	Owner only (private directory)
chmod 664 file	rw-rw-r--	Owner + group write, others read
chmod 777 file	rwxrwxrwx	Everyone full — avoid unless intentional

Symbolic mode

Command	Description
chmod u+x file	Add execute for owner (u)
chmod g-w file	Remove write for group (g)
chmod o= file	Remove all permissions for others (o)
chmod a+r file	Add read for all (a = u+g+o)
chmod ug+rw file	Owner and group read+write
chmod -R 755 /var/www	Recursive — dangerous if mixed files/dirs
find /var/www -type f -exec chmod 644 {} +	Safer: set 644 on files only
find /var/www -type d -exec chmod 755 {} +	Set 755 on directories only

Special bits

Command	Octal	Effect
chmod u+s /usr/bin/ping	4755	SUID — runs as file owner (root for ping)
chmod g+s /shared/dir	2755	SGID — new files in dir inherit the group
chmod +t /tmp	1777	Sticky — only file owner can delete (shared dirs)
chmod 4755 file	4755	SUID + rwxr-xr-x in one octal

Permission bits reference

Octal	Binary	Symbolic
7	111	rwx
6	110	rw-
5	101	r-x
4	100	r--
3	011	-wx
2	010	-w-
1	001	--x
0	000	---

chown

chown commands

Command	Description
chown alice file	Change owner to alice
chown alice:staff file	Change owner and group
chown :staff file	Change group only
chgrp staff file	Change group only (alternative)
chown -R alice:alice /home/alice	Recursive ownership change
chown --reference=ref_file target	Copy ownership from another file

umask

umask — default permissions

umask	New files	New dirs	Use case
022	644 (rw-r--r--)	755 (rwxr-xr-x)	Default — others can read
027	640 (rw-r-----)	750 (rwxr-x---)	Group read, no others
077	600 (rw-------)	700 (rwx------)	Private — owner only
002	664 (rw-rw-r--)	775 (rwxrwxr-x)	Collaborative — group can write

umask subtracts from maximum: files start at 666, dirs at 777. umask 022 → 666 - 022 = 644 for files, 777 - 022 = 755 for dirs.

umask          # show current umask
umask 027      # set for current shell
umask -S       # symbolic form: u=rwx,g=rx,o=

Set system-wide default in /etc/login.defs (LOGIN_UMASK) or /etc/profile.

setfacl / getfacl

ACL — extended permissions

Command	Description
getfacl file	Show all ACL entries for a file
setfacl -m u:alice:rw file	Give alice read+write
setfacl -m u:bob:r-- file	Give bob read-only
setfacl -m u:carol:--- file	Explicitly deny carol
setfacl -m g:devs:rwx dir	Give group devs full access
setfacl -m o::r-- file	Set other ACL entry
setfacl -x u:alice file	Remove alice's ACL entry
setfacl -b file	Remove all ACL entries (reset to standard)
setfacl -R -m u:alice:rX dir	Recursive: read + conditional execute (X = dirs only)
setfacl -d -m u:alice:rw dir	Default ACL — inherited by new files in dir
setfacl -d -m g:devs:rwx dir	Default ACL for group
setfacl -k dir	Remove only default ACL
getfacl dir1 \| setfacl --set-file=- dir2	Copy ACL from one dir to another
getfacl -R /data > acl_backup.txt	Backup ACLs recursively
setfacl --restore=acl_backup.txt	Restore backed up ACLs

ACL entry format

Entry	Meaning
u::rwx	Owner permissions
u:alice:rw-	Named user alice
g::r-x	Owning group permissions
g:devs:rwx	Named group devs
m::rwx	Effective rights mask (limits named users/groups)
o::r--	Other (everyone else)
d:u:alice:rw-	Default ACL entry (prefix d:)

A + at the end of ls -l output means ACL is present. The mask (m) limits the effective permissions of named users and groups — getfacl shows both the entry and #effective: if the mask reduces it.

Requirements: filesystem must be mounted with ACL support. On ext4 it’s enabled by default. Check: tune2fs -l /dev/sda1 | grep "Default mount".