Understanding file permissions and ownership is a core skill for any Red Hat Enterprise Linux (RHEL) administrator. This lesson covers the basics of permission types, how to change file ownership, and how to manage access using commands like chmod, chown, and chgrp. By mastering these concepts, administrators can ensure secure and efficient system operations.
Managing file permissions and ownership in Red Hat Enterprise Linux (RHEL) is essential for system security and proper access control. Every file and directory in Linux has specific rules that determine who can read, write, or execute it. This lesson will walk through standard permissions, ownership, special permission bits, and advanced Access Control Lists (ACLs).
By the end, you should be able to interpret permissions, modify them, and apply special controls to meet real-world security needs.
Reviewing Permissions and Their Meaning
When you list files and folders with ls -l, you’ll see permissions displayed like this:
-rwxr-x--- 1 root root 1234 Aug 20 example.txt
- The first character ( – ) indicates the file type
- – = file
- d = directory
- 1 = symlink
- The next nine characters are grouped in three sets:
- User (owner) → rwx
- The user who owns the file/folder.
- Group → r-x
- The group who is placed on the file/folder.
- Other → —
- All others who are not listed in the user or group section.
- User (owner) → rwx
Meaning of each letter:
- r → Read Permission
- w → Write Permission
- x → Execute Permission
- – → No Permission
Numerical Equivalents
Permissions also map to the following numbers:
- r = 4
- w = 2
- x = 1
- 0 = No permissions
For example:
- rwxr-x-r– = 754
- rw-r—– = 640
Setting File Permissions
Permissions are changed with the chmod command.
Symbolic Mode
chmod u+x script.sh #Add execute for user/owner
chmod g-w file.txt #Remove write for group
chmod o-r file.txt #Remove read for others
Numeric Mode
chmod 755 script.sh # owner=rwx, group=rx, others=rx
chmod 640 file.txt # owner=rw, group=r, others=none
Tip: Use ls -l or ll for short to verify your changes after setting permissions. The use of -R will recursively affect all files and folders when running chmod.
File Ownership Managemnet
Each file has a user owner and a group owner. Multiple users or groups cannot be set by default in Linux and must be done through the use of extended ACL’s (discussed later).
Changing File Owner
chown jdoe file.txt # Changes owner to jdoe
Changing Group Ownership
chgrp developers file.txt # Changes group to developers
Combined Example
chown jdoe:developers file.txt # Changes owner to jdoe and group to developers
Tip: Use ls -l or ll for short to verify your changes after setting ownership. The use of -R will recursively affect all files and folders when running chown and chgrp.
Special Permissions: Setuid, Setgid, and Sticky Bit
Special permission bits give extra control:
Setuid (s on user)
Files with execute bit set will run with the file owner’s permissions instead of the user’s.
chmod u+s script.sh
Setgid (s on group)
On files: executes with the group’s permissions. On directories: new files will inherit the directory’s group instead of the user’s default group.
chmod g+s directory/
Sticky Bit (t on others)
On directories, the sticky bit will prevent users from deleting files they don’t own. Commonly used on the tmp directory.
chmod +t /shared/folder
Extended ACLs and Inheritance
Access Control Lists (ACLs) provide finer-grained access beyond standard owner/group/other permissions.
Viewing Current ACLs
getfacl file.txt
Setting ACLs
setfacl -m u:jdoe:rx script.sh # Grants jdoe read-execute of script.sh
setfacl -Rm g:admins:rw dir/ # Grants admins read/write recursively of dir/
Default (Inherited) ACLs on Directories
The following example will ensure that all new files and folders in the directory will automatically inherit the user or group permissions.
setfacl -d -Rm u:jdoe:r folder/ # Grants jdoe read recursively over folder/
setfacl -d -m g:admins:rwx dir/ # Grants rwx to admins group over dir/, not recursively.
setfacl -d -m g::rwx dir/ # Ensures default group has rwx for all new files/folders
Practice Exercises
Try the following in a test environment to reinforce your knowledge:
- Create a test file and give it rw-r–r– permissions. Verify with
ls -l. - Add write access for group and users using both symbolic and numeric
chmod. - Create a directory shared/ and apply the sticky bit. Test by trying to delete a file as another user.
- Use
chownto transfer ownership of a file to another user. - Create a directory with a default ACL that ensures all new files are group-writable. Assign a secondary group with read-execute permissions.