How do file permissions work?

Can you explain briefly the main concepts and command line tools used to manage file permissions?


Warning: Changing permissions of files and directories is potentially harmful and may render your system unusable. When run recursively as root on the wrong path we may come to a point from where we will have to reinstall Ubuntu. It is therefore a good idea to not change permissions outside of HOME directories, and running the commands recursively as root should be avoided whenever possible.

File permissions

Ubuntu has inherited the concept of permissions from Unix, where for files or directories there are three tasks we can permit or deny:

  • r (read) file/directory may be opened for read access.
  • w (write) file/directory may be opened for write/edit access.
  • x (execute) file may be executed as a program/directory may be traversed.

(Traversing a directory essentially means using it as part of a path name. See https://unix.stackexchange.com/a/13891 or https://unix.stackexchange.com/questions/21251 for more explanations.)

In addition we have three cases as to whom we grant a permission:

  • u (user) the owner of a file is granted any of the permissions.
  • g (group) group the file belongs to is granted a permission.
  • o (other) all others are granted a permission.

Now to get the combination of these sorted we use a binary system where each bit defines a permission. This can be best shown in the following table:

    Permission | Binary | Octal  | User  | Group | Other |
    ======================================================
      r        |  100   |   4    |       |       |       |
      w        |  010   |   2    |       |       |       |
      x        |  001   |   1    |       |       |       |
    ======================================================
    Number

Now if we want for example

a) the owner of a file (= user) has read, write, and execute permission,
b) the file's group granted read and execute permissions, and
c) all others should only have read access.

Then the resulting file permission will be:

 u   g   o
rwx r-x r--

To get this in octal numbers, e.g. for the chmod command or when we have to understand an error message, we need to fill in the above table as below:

    Permission | Binary | Octal  | User  | Group | Other |
    ======================================================
      r        |  100   |   4    |   4   |   4   |   4   |
      w        |  010   |   2    |   2   |   0   |   0   |
      x        |  001   |   1    |   1   |   1   |   0   |
    ======================================================
    Numbers add to                   7       5       4     

Each permission number needs to be added to sum up for a user (4+2+1=7), group (4+0+1=5), and other (4+0+0=4). The resulting number then is:

 u   g   o
 7   5   4

We now have two options to change the permission bits with chmod:

chmod u=rwx,g=rx,o=r filename

or much simpler with

chmod 754 filename

Both commands will do the same.

The default permission of a newly created file in our home will be 664 (-rw-rw-r--).

If we want files to be executable as programs we will have to change this permission.

  • Note that we will also have to change the permission of the directory this executable may be in. Only if both the file's and the directory's executable bits are set will we be allowed to run this file as a program.

  • When copying a file to our home it will lose its permissions, which will be replaced by our own default permissions (unless we copy using advanced options, e.g. an archive option).

  • Also note that files may inherit their permissions from their mount point or mount options. This is important when mounting Windows formatted drives which do not support Unix permissions.

Users and Groups

We soon realize that this was only half of the story. We also need to sort out belongings. To do this each file or folder has a defined owner, and a defined group membership.

Each time we create a file we will be the owner of a file, and the file's group will also be us. With ls -l we can see permissions, ownership, and group as seen from the following example output:

-rw-rw-r--  1 takkat takkat    4096 Sep 12 20:25 test

  • We are only allowed to change permissions, groups or ownership of a file that is ours.

If we are not the file owner we will get a Permission denied error. Only root can change this for all files. This is why we have to use sudo when editing permissions of files that are not ours. There are two commands to do so: chown for users and groups, and chgrp for groups only.

To change a file ownership from anybody to user takkat and - optionally - the group takkat we may issue this command:

sudo chown takkat[:takkat] testfile

To only change a file's group to takkat we issue

sudo chgrp takkat testfile

Read the manpages of the commands for more details and options. There also is this nice more elaborate guide recommended for further reading:

  • Ubuntu Community Help: File Permissions

Also find some related questions here:

  • Change folder permissions and ownership
  • What is "umask" and how does it work?
  • How can I get octal file permissions from command line?
  • How do I use 'chmod' on an NTFS (or FAT32) partition?
  • 'chmod u+x' versus 'chmod +x'
  • How can I become the owner of a file that origins from another pc / user?
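
The table arithmetic from the answer above (rwx r-x r-- adds up to 754), as an added shell example that is not part of either answer: it converts a permission string to octal, then checks on scratch files that the symbolic and octal chmod forms give the same mode. The function names are made up for this example, and the 664 default is assumed to come from a umask of 002.

```shell
#!/bin/sh
# Added example (not from the answers). Handles plain r/w/x/- only.

# sym_to_octal rwxr-xr--  ->  754   (r=4, w=2, x=1, summed per class u, g, o)
sym_to_octal() {
    sym=$1
    [ "${#sym}" -eq 9 ] || { echo "need 9 characters, e.g. rwxr-xr--" >&2; return 1; }
    out=""
    while [ -n "$sym" ]; do
        rest=${sym#???}           # what follows the first three characters
        triplet=${sym%"$rest"}    # the first three characters: one class
        sym=$rest
        case $triplet in
            [r-][w-][x-]) ;;
            *) echo "unsupported triplet: $triplet" >&2; return 1 ;;   # e.g. setuid 's'
        esac
        digit=0
        case $triplet in r??) digit=$((digit + 4)) ;; esac
        case $triplet in ?w?) digit=$((digit + 2)) ;; esac
        case $triplet in ??x) digit=$((digit + 1)) ;; esac
        out=$out$digit
    done
    echo "$out"
}

# mode_of FILE: octal mode read from the ls -l permission column.
mode_of() {
    perms=$(ls -ld -- "$1" | cut -c2-10)
    sym_to_octal "$perms"
}

# chmod_forms_agree: set the same mode symbolically and in octal on two
# scratch files and print both resulting modes.
chmod_forms_agree() {
    dir=$(mktemp -d) || return 1
    : > "$dir/a"; : > "$dir/b"
    chmod u=rwx,g=rx,o=r "$dir/a"
    chmod 754 "$dir/b"
    a=$(mode_of "$dir/a"); b=$(mode_of "$dir/b")
    rm -rf "$dir"
    echo "$a $b"
}

# new_file_mode UMASK: mode a newly created file gets under that umask.
new_file_mode() {
    ( umask "$1"; d=$(mktemp -d) || exit 1
      : > "$d/f"; mode_of "$d/f"; rm -rf "$d" )
}

sym_to_octal rwxr-xr--    # prints 754
chmod_forms_agree         # prints 754 754
new_file_mode 002         # prints 664
```

The symbolic form uses `=` rather than `+` so that the result does not depend on the bits the file already had.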

Each file has rights for three different categories:

  • the owner of the file,
  • the group associated with the file, and
  • everybody else.

Rights mean the right to read the file, the right to write to the file, or the right to execute the file in case of a script or program.

On the CLI, you may

  • change the owner with chown, e.g. chown guillermooo
  • change the group with chgrp, e.g. chgrp root
  • change the rights with chmod, e.g. chmod u+w filename.ext (Adds writing permission for the owner of the file filename.ext)

If you'd like to know more about each of these tools, open a terminal and type man [tool], e.g. man chmod.