Permission and Ownership in Linux

Posted: May 2, 2013 in General linux

Every file on our Linux system, including directories, is owned by a specific user and group. Therefore, file permissions are defined separately for users, groups, and others.

User: The username of the person who owns the file. By default, the user who creates the file will become its owner.

Group: The usergroup that owns the file. All users who belong into the group that owns the file will have the same access permissions to the file. This is useful if, for example, we have a project that requires a bunch of different users to be able to access certain files, while others can’t. In that case, we’ll add all the users into the same group, make sure the required files are owned by that group, and set the file’s group permissions accordingly.

Other: A user who isn’t the owner of the file and doesn’t belong in the same group the file does. In other words, if we set a permission for the “other” category, it will affect everyone else by default. For this reason, people often talk about setting the “world” permission bit when they mean setting the permissions for “other.”

There are three types of access permissions on Linux: read, write, and execute. These permissions are defined separately for the file’s owner, group and all other users.

Read permission. On a regular file, the read permission bit means the file can be opened and read. On a directory, the read permission means we can list the contents of the directory.

Write permission. On a regular file, this means we can modify the file, aka write new data to the file. In the case of a directory, the write permission means we can add, remove, and rename files in the directory. This means that if a file has the write permission bit, we are allowed to modify the file’s contents, but we’re allowed to rename or delete the file only if the permissions of the file’s directory allow us to do so.

Execute permission. In the case of a regular file, this means we can execute the file as a program or a shell script. On a directory, the execute permission (also called the “search bit”) allows us to access files in the directory and enter it, with the cd command, for example. However, note that although the execute bit lets us enter the directory, we’re not allowed to list its contents, unless we also have the read permissions to that directory.

We can view the access permissions of a file by doing the long directory listing with the ls -l command. This is what a long directory listing might look like:$ ls -l
total 457
-rw-r–r– 1 pivusers 14737 2012-09-15 08:57 Analysed Tickets.txt~
-rw-r–r– 1 pivusers 8839 2012-11-12 22:38 Assignment
-rw-r–r– 1 pivusers 10988 2012-11-13 18:54 Assignment – Apache

The very first column, shows the file type and permissions. The second column shows the number of links (directory entries that refer to the file), the third one shows the owner of the file, and the fourth one shows the group the file belongs to. The other columns show the file’s size in bytes, date and time of last modification, and the filename.

The first column, the one that shows the file’s permissions, is organized into four separate groups.

The first group consists of only one character, and it shows the file’s type. For example, d means a directory and – means a normal file.

The first character can be any of these:

d = directory
– = regular file
l = symbolic link
s = Unix domain socket
p = named pipe
c = character device file
b = block device file

The next nine characters show the file’s permissions, divided into three groups, each consisting of three characters. The first group of three characters shows the read, write, and execute permissions for user, the owner of the file. The next group shows the read, write, and execute permissions for the group of the file. Similarly, the last group of three characters shows the permissions for other, everyone else. In each group, the first character means the read permission, the second one write permission, and the third one execute permission.

The characters are pretty easy to remember.

r = read permission
w = write permission
x = execute permission
– = no permission


We can set file permissions with the chmod command. Both the root user and the file’s owner can set file permissions. chmod has two modes, symbolic and numeric.

The symbolic mode is pretty easy to remember. First, we decide if we set permissions for the user (u), the group (g), others (o), or all of the three (a). Then, we either add a permission (+), remove it (-), or wipe out the previous permissions and add a new one (=). Next, we decide if we set the read permission (r), write permission (w), or execute permission (x). Last, we’ll tell chmod which file’s permissions we want to change.

Let’s have a couple of examples. Suppose we have a regular file called testfile, and the file has full access permissions for all the groups (long directory listing would show -rwxrwxrwx as the file’s permissions).

Wipe out all the permissions but add read permission for everybody:
$ chmod a=r testfile
After the command, the file’s permissions would be -r–r–r–

Add execute permissions for group:
$ chmod g+x testfile
Now, the file’s permissions would be -r–r-xr–

Add both write and execute permissions for the file’s owner. Note how we can set more than one permission at the same time:
$ chmod u+wx testfile
After this, the file permissions will be -rwxr-xr–

Remove the execute permission from both the file’s owner and group. Note, again, how we can set them both at once:
$ chmod ug-x testfile
Now, the permissions are -rw-r–r–

The other mode in which chmod can be used is the numeric mode. In the numeric mode, the file permissions aren’t represented by characters. Instead, they are represented by a three-digit octal number.

4 = read (r)
2 = write (w)
1 = execute (x)
0 = no permission (-)

To get the permission bits we want, we add up the numbers accordingly. For example, the rwx permissions would be 4+2+1=7, rx would be 4+1=5, and rw would be 4+2=6. Because we set separate permissions for the owner, group, and others, we’ll need a three-digit number representing the permissions of all these groups.

Let’s have an example.
$ chmod 755 testfile
This would change the testfile’s permissions to -rwxr-xr-x. The owner would have full read, write, and execute permissions (7=4+2+1), the group would have read and execute permissions (5=4+1), and the world would have the read and execute permissions as well.

Let’s have another example:
$ chmod 640 testfile
In this case, testfile’s permissions would be -rw-r—–. The owner would have read and write permissions (6=4+2), the group would have read permissions only (4), and the others wouldn’t have any access permissions (0).

The numeric mode may not be as straightforward as the symbolic mode, but with the numeric mode, we can more quickly and efficiently set the file permissions.


we can change the owner and group of a file or a directory with the chown command. Please, keep in mind we can do this only if we are the root user or the owner of the file.

Set the file’s owner:
$ chown username somefile
After giving this command, the new owner of a file called somefile will be the user username. The file’s group owner will not change. Instead of a user name, we can also give the user’s numeric ID here if we want.

we can also set the file’s group at the same time. If the user name is followed by a colon and a group name, the file’s group will be changed as well.
$ chown username:usergroup somefile
After giving this command, somefile’s new owner would be user username and the group usergroup.

we can set the owner of a directory exactly the same way we set the owner of a file:
$ chown username somedir
Note that after giving this command, only the owner of the directory will change. The owner of the files inside of the directory won’t change.

In order to set the ownership of a directory and all the files in that directory, we’ll need the -R option:
$ chown -R username somedir
Here, R stands for recursive because this command will recursively change the ownership of directories and their contents. After issuing this example command, the user username will be the owner of the directory somedir, as well as every file in that directory.

Tell what happens:

$ chown -v username somefile
changed ownership of ‘somefile’ to username

Here, v stands for verbose. If we use the -v option, chown will list what it did (or didn’t do) to the file.

The verbose mode is especially useful if we change the ownership of several files at once. For example, this could happen when we do it recursively:

$ chown -Rv username somedir
changed ownership of ‘somedir/’ to username
changed ownership of ‘somedir/boringfile’ to username
changed ownership of ‘somedir/somefile’ to username

As we can see, chown nicely reports to we what it did to each file.


In addition to chown, we can also use the chgrp command to change the group of a file or a directory. we must, again, be either the root user or the owner of the file in order to change the group ownership.

chgrp works pretty much the same way as chown does, except it changes the file’s user group instead of the owner, of course.
$ chgrp usergroup somefile
After issuing this command, the file somefile will be owned by a user group usergroup. Although the file’s group has changed to usergroup, the file’s owner will still be the same.

The options of using chgrp are the same as using chown. So, for example, the -R and -v options will work with it just like they worked with chown:

$ chgrp -Rv usergroup somedir
changed group of ‘somedir/’ to usergroup
changed group of ‘somedir/boringfile’ to usergroup
changed group of ‘somedir/somefile’ to usergroup

chown nicely reports to we what it did to each file.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s