File Permissions & Ownership

File permission modes, ownership management, access control lists, and special permission bits.

Numeric (Octal) Permissions

Set read/write for owner, read for group, nothing for others
chmod 640 /etc/myapp.conf
Common permission sets
755  rwxr-xr-x   Executables, directories
644  rw-r--r--   Regular files, configs
600  rw-------   Private keys, secrets
700  rwx------   Private directories, .ssh/
750  rwxr-x---   Group-shared executables
664  rw-rw-r--   Group-collaborative files
Recursive — apply to directory tree
chmod -R 755 /var/www/html/
chmod -R 755 marks every regular file executable as well, not just the directories. For web directories, set directories to 755 and files to 644 separately.
Set directories to 755 and files to 644 — the correct recursive approach
find /var/www/html -type d -exec chmod 755 {} \;
find /var/www/html -type f -exec chmod 644 {} \;

Symbolic Permissions

Add execute for owner
chmod u+x script.sh
Remove write from group and others
chmod go-w /etc/important.conf
Set exact permissions — equals sign replaces, doesn’t add
chmod u=rwx,g=rx,o= /opt/app/
Add read for all (user, group, others)
chmod a+r /tmp/shared-file

Ownership

Change owner
sudo chown jdoe /opt/app/config.yml
Change owner and group simultaneously
sudo chown jdoe:developers /opt/app/
Change only group
sudo chgrp developers /opt/app/
Recursive ownership change
sudo chown -R jdoe:developers /opt/app/

Umask

View current umask — shows what permissions are REMOVED from new files
umask
Output
0022

Default file creation: 666 - 022 = 644 (rw-r--r--). Default directory: 777 - 022 = 755 (rwxr-xr-x).

Set umask for current session — restrictive, no group/other access
umask 077
Verify umask effect
umask 027
touch /tmp/test-umask
ls -l /tmp/test-umask
Output
-rw-r----- 1 evan evan 0 Apr 10 10:00 /tmp/test-umask

Persistent umask: set in ~/.bashrc (per-user) or /etc/profile.d/umask.sh (system-wide).

Special Permissions

SUID — file executes as the file owner, not the caller
chmod u+s /usr/local/bin/special-app
chmod 4755 /usr/local/bin/special-app

passwd uses SUID to write to /etc/shadow as root. SUID on a directory has no effect.

SGID on a file — executes as the group owner
chmod g+s /usr/local/bin/group-app
chmod 2755 /usr/local/bin/group-app
SGID on a directory — new files inherit the directory’s group
chmod g+s /opt/shared-project/

This is the RHCSA-critical one. Without SGID, new files get the creator’s primary group. With SGID, they inherit the directory’s group — essential for team collaboration.

Sticky bit — only file owner (or root) can delete files in this directory
chmod +t /opt/shared-drop/
chmod 1777 /opt/shared-drop/

/tmp has the sticky bit. Without it, any user could delete any other user’s temp files.

Verify special permissions — look for s, S, t, T in ls output
ls -ld /tmp /usr/bin/passwd
Output
drwxrwxrwt 24 root root 4096 Apr 10 10:00 /tmp
-rwsr-xr-x  1 root root 59976 Apr 10 10:00 /usr/bin/passwd

Lowercase s/t = special + execute. Uppercase S/T = special without execute (usually a mistake).

Find all SUID files on the system
find / -type f -perm -4000 -ls 2>/dev/null
Find all SGID files
find / -type f -perm -2000 -ls 2>/dev/null
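Added example, not part of the original cheat sheet: a POSIX sh helper (function names mode_to_symbolic, apply_umask and triplet are my own) that renders an octal mode as the ls-style string, including the lowercase s/t versus uppercase S/T distinction above, and applies a umask the way the kernel does (bits in the umask are cleared, which is why the Umask section's 666 and 022 give 644).

```shell
#!/bin/sh
# Render one rwx triplet.  $1 = 3-bit value, $2 = 1 if the special bit
# (SUID/SGID/sticky) for this triplet is set, $3/$4 = its lowercase/uppercase letter.
triplet() {
    r='-'; w='-'; x='-'
    if [ $(($1 & 4)) -ne 0 ]; then r='r'; fi
    if [ $(($1 & 2)) -ne 0 ]; then w='w'; fi
    if [ "$2" -ne 0 ]; then
        # Lowercase = special + execute; uppercase = special without execute.
        if [ $(($1 & 1)) -ne 0 ]; then x=$3; else x=$4; fi
    elif [ $(($1 & 1)) -ne 0 ]; then
        x='x'
    fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# Decode an octal mode such as 4755 into the 9-character ls -l string.
mode_to_symbolic() {
    m=$((0$1))            # leading 0 makes shell arithmetic read it as octal
    printf '%s%s%s\n' \
        "$(triplet $(( (m >> 6) & 7 )) $(( (m >> 11) & 1 )) s S)" \
        "$(triplet $(( (m >> 3) & 7 )) $(( (m >> 10) & 1 )) s S)" \
        "$(triplet $(( m & 7 ))        $(( (m >> 9) & 1 ))  t T)"
}

# Apply a umask to a base mode: bits present in the umask are cleared
# (bitwise AND NOT, not decimal subtraction).  apply_umask 666 022 -> 0644
apply_umask() {
    printf '%04o\n' $(( (0$1) & ~(0$2) ))
}

mode_to_symbolic 4755                  # rwsr-xr-x  (like /usr/bin/passwd)
mode_to_symbolic 1777                  # rwxrwxrwt  (like /tmp)
mode_to_symbolic 4644                  # rwSr--r--  SUID without execute, usually a mistake
mode_to_symbolic "$(apply_umask 666 027)"   # rw-r-----  (the umask 027 test file above)
```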

ACLs — Access Control Lists

Standard permissions only allow one owner and one group. ACLs let you grant access to additional users and groups.

View ACLs on a file
getfacl /opt/shared/report.txt
Output
# file: opt/shared/report.txt
# owner: jdoe
# group: developers
user::rw-
user:analyst:r--
group::rw-
group:auditors:r--
mask::rw-
other::---
Grant a specific user read access
setfacl -m u:analyst:r /opt/shared/report.txt
Grant a specific group read-write access
setfacl -m g:auditors:rw /opt/shared/report.txt
Remove a specific ACL entry
setfacl -x u:analyst /opt/shared/report.txt
Remove all ACLs — return to standard permissions
setfacl -b /opt/shared/report.txt
Set default ACL on a directory — new files inherit these ACLs
setfacl -m d:g:developers:rwx /opt/shared/
Recursive ACL — apply to existing files and directories
setfacl -R -m g:developers:rwx /opt/shared/
The + sign in ls -l output indicates ACLs are present
ls -l /opt/shared/report.txt
Output
-rw-rw----+ 1 jdoe developers 1024 Apr 10 10:00 /opt/shared/report.txt

RHCSA Collaboration Directory Pattern

This combines SGID, default ACLs, and group ownership — a common exam scenario.

Create a shared directory where all files belong to the team
# Create directory owned by the team group
sudo mkdir /opt/team-project
sudo chown :developers /opt/team-project

# SGID — new files inherit group
sudo chmod 2770 /opt/team-project

# Default ACL — new files are group-writable
sudo setfacl -m d:g:developers:rwx /opt/team-project

# Verify
ls -ld /opt/team-project
getfacl /opt/team-project

See Also

  • Files — file operations that permissions govern

  • Users — user/group identity that permissions reference