The Gates of Linux: Permissions and Ownership

Master the Linux security model. Learn to read and write 'rwx' permissions, understand the difference between Octal and Symbolic notation, and manage owners with chown. Discover the power of groups and the 'sudo' bridge.

File Permissions and Ownership: The Linux Security Guard

Linux was built from the ground up as a multi-user operating system. This means it has to be extremely strict about who can see, change, or run certain files. If any user could read the password file or delete the kernel, the internet would stop working in ten minutes.

This security is managed through Permissions (what can be done) and Ownership (who can do it).

In this lesson, we will master the logic of rwx, the math of 777, and the responsibility of chown.


1. Anatomy of a Permission String

When you run ls -l, you see a string like -rwxr-xr--. After the first character (which we learned is the file type), you see 9 characters divided into three groups of three.

graph TD
    String[-rwxr-xr--] --> Type[-]
    String --> User[rwx: Owner]
    String --> Group[r-x: Group]
    String --> Other[r--: Everyone Else]
    
    User --> RU[read]
    User --> WU[write]
    User --> XU[execute]

The Three Actions:

  • r (Read): Can view the file contents (or list files in a directory).
  • w (Write): Can change the file contents (or add/delete files in a directory).
  • x (Execute): Can run the file as a program (or enter/traverse a directory).

2. Changing Permissions with chmod

chmod (Change Mode) is the command used to modify these strings. There are two ways to use it.

I. Symbolic Way (Human-Friendly)

Use u (user), g (group), o (others), and a (all).

# Add (+) execute (x) for everyone (a)
chmod a+x script.sh

# Remove (-) write (w) for others (o)
chmod o-w sensitive_data.txt

II. Octal Way (Professional Standard)

Each permission is represented by a number:

  • 4 = Read
  • 2 = Write
  • 1 = Execute
  • 0 = No permission

You add them up for each group:

  • 7 (4+2+1) = Full access (rwx)
  • 6 (4+2) = Read/Write (rw-)
  • 5 (4+1) = Read/Execute (r-x)

# Give owner full access, group read/exec, others nothing
chmod 750 secure_script.sh
# Result: -rwxr-x---

3. Managing Ownership with chown

Permissions define the gates, but Ownership defines who holds the keys. Every file has an Owner and a Group.

# Change the owner of a file to 'sudeep'
sudo chown sudeep data.txt

# Change both owner and group (using colon)
sudo chown sudeep:developers report.pdf

# Change ownership of a folder and everything inside (Recursive)
sudo chown -R sudeep:www-data /var/www/html

4. The Directory "Tricks"

Permissions work slightly differently for folders than for files:

  • Read (r): Allows you to ls the folder.
  • Execute (x): Allows you to cd INTO the folder. You cannot enter a folder without 'x' permission, even if you have 'r'!
  • Write (w): Allows you to create or delete files inside the folder.

5. Practical: The "Web Server" Permissions Strategy

If you are a web developer, you'll often face this problem: Nginx needs to read your files, but you need to edit them.

The Professional Fix:

  1. Make yourself the owner.
  2. Make www-data (the web server) the group.
  3. Set permissions to 755 (folders) and 644 (files).

sudo chown -R sudeep:www-data /var/www/my-site
find /var/www/my-site -type d -exec chmod 755 {} \;
find /var/www/my-site -type f -exec chmod 644 {} \;
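
To confirm the strategy took effect and to catch later drift, the check below (an added example, not part of the original lesson) lists every entry that deviates from 755/644 or from the expected owner and group. The names web_root_drift and demo_site and the sample tree are constructed for illustration, and the numeric IDs from id stand in for sudeep and www-data.

```shell
#!/bin/sh
# Added example: report entries under a web root that deviate from the
# lesson's target state (directories 755, files 644, one owner, one group).
# Usage: web_root_drift ROOT OWNER GROUP   (names or numeric IDs)
web_root_drift() {
    find "$1" \( \
        \( -type d ! -perm 755 \) -o \
        \( -type f ! -perm 644 \) -o \
        ! -user "$2" -o ! -group "$3" \
    \) -print | sort
}

# Constructed sample tree standing in for /var/www/my-site.
demo_site() {
    site=$(mktemp -d) || return 1
    mkdir -p "$site/uploads"
    : > "$site/index.html"
    : > "$site/uploads/avatar.png"
    chmod 755 "$site"
    chmod 644 "$site/index.html"
    chmod 777 "$site/uploads"             # world-writable directory
    chmod 666 "$site/uploads/avatar.png"  # world-writable file
    printf '%s\n' "$site"
}

site=$(demo_site)
echo "Before the fix:"
web_root_drift "$site" "$(id -u)" "$(id -g)"

# The two find commands from the lesson, applied to the sample tree.
find "$site" -type d -exec chmod 755 {} \;
find "$site" -type f -exec chmod 644 {} \;

echo "After the fix: $(web_root_drift "$site" "$(id -u)" "$(id -g)" | wc -l) deviations"
rm -rf "$site"
```

Under 755/644 every local account can read the site, so files holding credentials need a tighter mode such as 640, which the www-data group assignment makes possible.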

6. Example: A Security Permission Auditor (Python)

If a hacker enters a system, they often try to make a file "World Writable" (777) so they can come back later. Here is a Python script that audits a directory for files with the dangerous "others write" bit set, which includes 777.

import os
import stat

def audit_dangerous_permissions(directory):
    """
    Finds files that are writable by everyone (Others write permission).
    """
    dangerous_files = []

    for root, dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                # Use os.lstat so symbolic links are not followed
                mode = os.lstat(path).st_mode
            except OSError:
                # File vanished or is unreadable (PermissionError is an OSError)
                continue

            # A symlink always shows lrwxrwxrwx; its own mode bits mean nothing
            if stat.S_ISLNK(mode):
                continue

            # S_IWOTH is the bit for "Others Write"
            if mode & stat.S_IWOTH:
                # Octal string of the permission bits, including
                # setuid/setgid/sticky (e.g., '0777')
                octal_mode = format(stat.S_IMODE(mode), "04o")
                dangerous_files.append((path, octal_mode))

    return dangerous_files

if __name__ == "__main__":
    # /tmp itself is world-writable by design; we look at the files inside it
    target = "/tmp"
    print(f"Auditing security in {target}...")

    results = audit_dangerous_permissions(target)

    if results:
        print(f"FOUND {len(results)} DANGEROUS FILES!")
        print("-" * 50)
        for path, mode in results[:10]:  # Show only the first 10
            print(f"[{mode}] {path}")
    else:
        print("System looks clean. No world-writable files found.")

7. The umask: Designing for the Future

When you create a new file, how does Linux decide its default permissions? It uses the umask. Think of a umask as a "Filter": every bit set in the umask is removed from the permissions a new file would otherwise get. If you have a umask of 022, it "removes" the write permission for the group and for others when a new file is born.

Checking your umask:

umask
# Output: 0022
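
The filter can be observed directly. This added example (not from the original lesson) creates a file and a directory under three masks and compares the observed modes with "requested mode AND NOT umask"; the function names are made up for illustration, and stat -c assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: the shell requests 666 for a new file and mkdir requests
# 777 for a new directory; the kernel then clears every bit set in the umask.

# Usage: umask_result MASK  -> prints "FILE_MODE DIR_MODE" as observed.
# The body runs in a subshell, so the caller's umask is left untouched.
umask_result() (
    umask "$1"
    work=$(mktemp -d) || exit 1
    : > "$work/file"
    mkdir "$work/dir"
    printf '%s %s\n' "$(stat -c '%a' "$work/file")" "$(stat -c '%a' "$work/dir")"
    rm -rf "$work"
)

# The same values computed by hand: requested mode AND NOT mask.
# The leading 0 makes the shell read the mask as octal.
umask_expected() {
    printf '%o %o\n' $(( 0666 & ~0$1 )) $(( 0777 & ~0$1 ))
}

for mask in 022 027 077; do
    printf 'umask %s  observed: %s  computed: %s\n' \
        "$mask" "$(umask_result "$mask")" "$(umask_expected "$mask")"
done
```

A mask of 027 or 077 is the usual choice for accounts that handle sensitive data, because new files then start out closed to other users instead of relying on a later chmod.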

8. Summary

Permissions are the first line of defense in Linux.

  • rwx stands for Read, Write, and Execute.
  • Octal notation (755, 644) is the industry standard for configuration.
  • chown sets the authority; chmod sets the access.
  • Always follow the Principle of Least Privilege: only give the minimum permission needed for a task to work.

In the next lesson, we will explore Hard Links and Symbolic Links—the "teleports" of the Linux filesystem.

Quiz Questions

  1. What does the octal permission 600 mean? Who can read it?
  2. If you can ls a directory but cannot cd into it, what permission is missing?
  3. How do you give the group "Write" access to a file without changing any other permissions?
