Master Linux File Permissions & Security: chmod, chown, ACLs & More!
- Published on 6 Feb 2025
- Filesystem Permissions and Security in Linux
In Linux, filesystem permissions are crucial for securing files and directories. They control who can read, write, or execute files, ensuring data integrity and security in multi-user environments.
1. chmod - Change File Permissions
chmod (change mode) modifies file permissions for the owner (u), the owning group (g), and others (o). The three permission bits mean different things on files and on directories:
r (read) → View file contents; on a directory, list its entries
w (write) → Modify file contents; on a directory, create, rename, or delete entries in it
x (execute) → Run the file (for scripts/programs); on a directory, enter it and reach the files inside, which almost every access to its contents requires
Syntax:
bash
chmod [permissions] file_or_directory
Example:
bash
chmod 755 file.txt
Explanation:
7 (rwx) → Owner has read, write, and execute permissions.
5 (r-x) → Group has read and execute permissions.
5 (r-x) → Others have read and execute permissions.
This is the usual mode for scripts and other executables: anyone can run them, only the owner can modify them. A plain data file such as file.txt needs no execute bits; 644 is the normal mode for it.
Symbolic Mode Example:
Instead of numbers, permissions can be modified using symbolic notation:
bash
chmod u+x file.sh   # Give execute permission to the user (owner)
chmod g-w file.txt  # Remove write permission from the group
chmod o+r file.txt  # Add read permission for others
2. chown - Change File Owner and Group
chown (change owner) assigns a new owner and/or group to a file or directory. Changing the owner requires root (normally via sudo); an unprivileged owner can only change the group, and only to a group they are a member of.
Syntax:
bash
chown [new_owner]:[new_group] file_or_directory
Example:
bash
chown user:group file.txt
Explanation:
Changes ownership to user
Assigns the file to group group
Additional Options:
Change only the owner:
bash
chown user file.txt
Change only the group:
bash
chown :group file.txt
Change ownership recursively:
bash
chown -R user:group directory/
This changes the owner and group of directory/ itself and of everything below it. Symbolic links met while recursing are not followed by default, so files outside the tree are left alone; -R -L would follow them, which is rarely what you want on a shared system.
3. chgrp - Change Group Ownership
chgrp (change group) modifies only the group ownership of a file or directory. It is equivalent to chown :group, and the same rule applies: a non-root owner may only assign a group they belong to.
Syntax:
bash
chgrp [new_group] file_or_directory
Example:
bash
chgrp developers file.txt
Explanation:
Assigns file.txt to the group developers.
Useful when multiple users in a shared environment need access to specific files.
Recursive Group Change:
To change the group for all files inside a directory:
bash
chgrp -R developers directory/
4. umask - Set Default File Permissions
umask (user file creation mask) sets which permission bits are withheld from newly created files and directories. It is a mask of bits to remove, not a set of permissions to grant.
Syntax:
bash
umask [mask_value]
Example:
bash
umask 022
Explanation:
Default permissions for files become 644 (rw-r--r--)
Default permissions for directories become 755 (rwxr-xr-x)
Ensures group and others can read but not modify new files.
Understanding the umask Calculation:
Every bit set in the umask is cleared from the mode the creating program requests (permissions = requested mode AND NOT umask). Programs normally request 666 for files and 777 for directories; the umask never adds a bit, so a regular file gets no execute bit unless the program asked for one:
Default mode requested for files = 666 (rw-rw-rw-)
Default mode requested for directories = 777 (rwxrwxrwx)
Example: umask 022 →
Files: 666 & ~022 = 644 (rw-r--r--)
Directories: 777 & ~022 = 755 (rwxr-xr-x)
Treating this as plain subtraction happens to give the right answer for 022 but not in general: with umask 027 a new file is 640 (rw-r-----), not 637, because 666 has no execute bits for the 7 to take away. umask 077 (files 600, directories 700) is the right default for accounts that handle secrets. The value set with umask applies only to the current shell and the processes it starts; to make it persistent, set it in ~/.bashrc or /etc/profile, or through the UMASK setting in /etc/login.defs for login sessions.
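The following is an added example, not code from the original page: it applies a umask the way the kernel does (clear the mask's bits from the requested mode), shows where naive subtraction goes wrong, and confirms the result against real files created under that umask. It assumes a Linux system with GNU or BSD stat; the mask values used are just the ones discussed above.

```shell
#!/bin/sh
# Added example: umask is a bit mask cleared from the requested mode, not a
# number subtracted from it.

# apply_umask BASE MASK -> resulting octal mode, e.g. apply_umask 666 027 -> 640
# The leading 0 makes the shell treat both arguments as octal.
apply_umask() {
    printf '%03o\n' "$(( 0$1 & ~0$2 ))"
}

# subtract_umask BASE MASK -> what plain octal subtraction would claim.
# Agrees with apply_umask only when the mask never clears a bit BASE lacks.
subtract_umask() {
    printf '%03o\n' "$(( 0$1 - 0$2 ))"
}

# mode_of FILE -> permission bits in octal (GNU stat first, BSD stat as fallback)
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# created_modes MASK -> "file=XXX dir=YYY" measured on real objects created
# under that umask; the umask change is confined to the subshell.
created_modes() {
    tmp=$(mktemp -d) || return 1
    ( umask "$1"; : > "$tmp/f"; mkdir "$tmp/d" )
    f=$(mode_of "$tmp/f"); d=$(mode_of "$tmp/d")
    rm -rf "$tmp"
    printf 'file=%s dir=%s\n' "$f" "$d"
}

# Demo: the three masks discussed in the text.
for m in 022 027 077; do
    printf 'umask %s: files %s, dirs %s (subtraction would say files %s)\n' \
        "$m" "$(apply_umask 666 "$m")" "$(apply_umask 777 "$m")" \
        "$(subtract_umask 666 "$m")"
done
printf 'measured with umask 027: %s\n' "$(created_modes 027)"
```

The 027 row is the one to look at: the mask's low 7 asks to clear rwx for others, but a file only has rw to lose, so the kernel result is 640 while subtraction yields a meaningless 637.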
5. setfacl - Set Access Control Lists (ACL) for File Permissions
setfacl (set file ACL) adds per-user and per-group entries on top of the traditional owner/group/other bits. ACLs are supported on the usual Linux filesystems (ext4, xfs, btrfs); a file that carries one shows a + after the mode in ls -l.
Syntax:
bash
setfacl -m u:[user]:[permissions] file_or_directory
Example:
bash
setfacl -m u:john:rwx file.txt
Explanation:
Grants john read (r), write (w), and execute (x) on file.txt, subject to the ACL mask described under getfacl below.
The owner, group, and other bits are left unchanged.
Grant Group-Specific Permissions:
bash
setfacl -m g:developers:rw file.txt
Assigns developers group read and write access.
Give Default ACL to a Directory:
bash
setfacl -d -m u:john:rwx directory/
Files and subdirectories created inside directory/ from now on inherit this as their access ACL (subdirectories also inherit it as their default ACL). Existing contents are not touched; add -R to apply it to them as well. Two caveats: a new regular file only receives the execute bit if the creating program requested it, and once a directory has a default ACL the umask is no longer applied to objects created in it, because the default ACL takes over that role.
Remove ACL:
bash
setfacl -x u:john file.txt
Removes john's named entry. It does not revoke access john may still have as the owner, as a member of the owning group or a named group, or through the other bits. setfacl -b file.txt strips all extended entries and leaves only the base permissions.
6. getfacl - Get Access Control Lists (ACL) for File Permissions
getfacl (get file ACL) displays ACL entries for a file or directory.
Syntax:
bash
getfacl file_or_directory
Example:
bash
getfacl file.txt
Output Example:
# file: file.txt
# owner: ajay
# group: developers
user::rw-
user:john:rwx
group::r--
mask::rwx
other::---
Explanation:
user::rw- → The file owner (ajay) has read/write permissions.
user:john:rwx → john has read/write/execute access.
group::r-- → The owning group (developers) has read access.
mask::rwx → Upper bound on what named users, named groups and the owning group can actually exercise; the owner and other entries are not limited by it. Where an entry exceeds the mask, getfacl appends #effective: with the rights that really apply.
other::--- → Others have no access.
On a file that carries an ACL, chmod changes the mask rather than the owning-group entry, so chmod g-w file.txt would quietly cut john down to r-x as well.
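As an added example (not part of the original page), the script below computes the effective rights of each ACL entry the way the mask rule above describes, using a constructed getfacl listing for the page's file.txt after a chmod g-w has reduced the mask to r-x. When setfacl and getfacl are installed and the filesystem supports ACLs, it repeats the experiment on a real temporary file; the numeric uid 1234 is an assumption chosen so the demo does not depend on a user named john existing.

```shell
#!/bin/sh
# Added example: effective ACL rights = entry AND mask, for named users,
# named groups and the owning group. Owner and other entries are not masked.

# perm_and A B: bitwise AND of two rwx strings, e.g. perm_and rwx r-x -> r-x
perm_and() {
    r=-; w=-; x=-
    case "$1$2" in r??r??) r=r ;; esac
    case "$1$2" in ?w??w?) w=w ;; esac
    case "$1$2" in ??x??x) x=x ;; esac
    printf '%s\n' "$r$w$x"
}

# acl_effective: read getfacl output on stdin, drop its header comments and
# any #effective: notes, and re-annotate every masked entry whose effective
# rights differ from what it asks for.
acl_effective() {
    input=$(cat)
    mask=$(printf '%s\n' "$input" | sed -n 's/^mask::\([rwx-]*\).*/\1/p')
    printf '%s\n' "$input" | while IFS= read -r line; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | sed 's/[[:space:]]*$//')
        [ -z "$line" ] && continue
        case $line in
            user::*|other::*|default:*|mask::*)
                printf '%s\n' "$line" ;;
            user:*|group:*)
                perms=${line##*:}
                eff=$(perm_and "$perms" "$mask")
                if [ -n "$mask" ] && [ "$eff" != "$perms" ]; then
                    printf '%s  #effective:%s\n' "$line" "$eff"
                else
                    printf '%s\n' "$line"
                fi ;;
        esac
    done
}

# Constructed sample: the page's file.txt after `chmod g-w file.txt`, which
# on a file with an ACL rewrites mask:: (rwx -> r-x), not group::.
SAMPLE='# file: file.txt
# owner: ajay
# group: developers
user::rw-
user:john:rwx
group::r--
mask::r-x
other::---'

# live_acl_demo: same experiment with the real tools, skipped cleanly when
# setfacl is absent or the filesystem rejects ACLs.
live_acl_demo() {
    command -v setfacl >/dev/null 2>&1 || { echo "setfacl not installed; live demo skipped"; return 0; }
    tmp=$(mktemp -d) || return 1
    : > "$tmp/file.txt"
    chmod 640 "$tmp/file.txt"
    if ! setfacl -m u:1234:rwx "$tmp/file.txt" 2>/dev/null; then
        echo "filesystem does not support ACLs; live demo skipped"
        rm -rf "$tmp"; return 0
    fi
    chmod g-w "$tmp/file.txt"            # changes the mask, not group::
    getfacl --omit-header "$tmp/file.txt" | acl_effective
    rm -rf "$tmp"
}

echo "Constructed listing:"
printf '%s\n' "$SAMPLE" | acl_effective
echo "Live listing:"
live_acl_demo
```

In the constructed listing john's rwx entry survives untouched but is annotated #effective:r-x, which is exactly what getfacl itself prints; the group::r-- entry is within the mask and needs no note. The same thing happens on the live file, where the mask had been raised to rwx by setfacl and lowered again by chmod g-w.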
Best Practices for Filesystem Security
1. Use the Least Privilege Principle - Assign only necessary permissions.
2. Restrict Sensitive Files -
bash
chmod 600 secret.txt # Only the owner can read/write
3. Monitor Permissions Regularly - Use ls -l (a trailing + marks a file with an ACL) and getfacl to check settings, and look for group- or world-writable files and directories that should not be.
4. Restrict Root Privileges - Grant sudo only for the specific commands a role needs instead of unrestricted root.
5. Audit File Access - Use auditd watch rules and log monitoring for security compliance.
6. Use ACLs for Fine-Grained Access Control - Useful for shared environments.
7. Set Proper umask Values - Prevent unintended access to newly created files.
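The following is an added example, not from the original page, for best practice 3: a small audit that lists regular files writable by the group or by others, files not owned by the expected account, and world-writable directories without the sticky bit, then shows the count dropping to zero after the lax modes are tightened with chmod. It assumes Linux with a POSIX find and builds its own throwaway sample tree; the file names and modes in that tree are constructed for the demo.

```shell
#!/bin/sh
# Added example: a permission audit you can run from cron or CI.

# audit_perms DIR [OWNER]: print every regular file under DIR that is
# group-writable, world-writable, or not owned by OWNER (default: the
# current user), plus world-writable directories lacking the sticky bit,
# where anyone could delete or rename other users' files.
audit_perms() {
    dir=$1
    owner=${2:-$(id -un)}
    find "$dir" -type f \( -perm -020 -o -perm -002 -o ! -user "$owner" \) -exec ls -ld {} \;
    find "$dir" -type d -perm -002 ! -perm -1000 -exec ls -ld {} \;
}

# audit_count DIR [OWNER]: number of findings, suitable as a pass/fail gate.
audit_count() {
    audit_perms "$@" | wc -l | tr -d ' '
}

# make_fixture: constructed sample tree; prints its path.
# f600/f644/f755 are fine, f664 and f666 are lax, world/ is a world-writable
# directory without the sticky bit, sticky/ is the acceptable /tmp-style form.
make_fixture() {
    tmp=$(mktemp -d) || return 1
    for m in 600 644 664 666 755; do
        : > "$tmp/f$m"
        chmod "$m" "$tmp/f$m"
    done
    mkdir "$tmp/world" "$tmp/sticky"
    chmod 777 "$tmp/world"
    chmod 1777 "$tmp/sticky"
    printf '%s\n' "$tmp"
}

fx=$(make_fixture)
echo "Findings before hardening:"
audit_perms "$fx"
# Tighten the lax entries the way the chmod section describes.
chmod g-w,o-w "$fx/f664" "$fx/f666"
chmod o-w "$fx/world"
echo "Findings after hardening: $(audit_count "$fx")"
rm -rf "$fx"
```

Run against a real tree as `audit_perms /srv/app appuser` and wire `audit_count` into a job that fails when it is non-zero; the `! -user` clause is what catches files that a careless chown -R or an extracted archive left owned by someone else.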