Post

Performance Considerations with Permissions

Posted
By Ahmed Aljorani 44 min read

Permission checks happen on every file access, and in high-performance environments, this matters:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

# Accessing files through many nested directories is slower
# Bad: /var/www/site/public/assets/images/products/thumbnails/img.jpg
# Better: Flatten when possible or use symlinks strategically

# Create symbolic links for frequently accessed deep paths
ln -s /var/www/site/public/assets/images /var/www/images
# Now /var/www/images/products/... is faster

# Directory execute permissions are checked for every component
# If you have: /a/b/c/d/e/f/g/file.txt
# Linux checks execute permission on a, b, c, d, e, f, g
# That's 7 permission checks before reaching the file!

# Use find with -prune to avoid expensive traversals
# Search only /var/log, skip other /var subdirectories
find /var -path /var/log -prune -o -type f -name "*.conf" -print

# Cache frequently checked permissions in your application
# Instead of checking permissions on every request:
# Check once, cache the result with a TTL

# Monitor permission check overhead with strace
strace -e trace=access,stat,open ls -la /path 2>&1 | grep -E 'stat|access'
# Shows every permission-related system call

# In container environments, minimize layers
# Each layer adds overhead to permission checks
# Combine RUN commands in Dockerfiles where possible

Permissions in Containerized Environments

Containers add complexity to permission management:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76

# Docker user namespace mapping
# Container root (UID 0) maps to host user 100000
# Container user 1000 maps to host user 101000

# Check the mapping
cat /etc/subuid
# username:100000:65536
# This user can map 65536 container UIDs starting at 100000

# When mounting volumes, permissions must align
# Bad: Container expects UID 1000, host file owned by UID 2000
docker run -v /host/data:/container/data myimage
# Container user may not have access!

# Solution 1: Match UIDs between host and container
# Create user with matching UID on host
sudo useradd -u 1000 containeruser
sudo chown -R containeruser:containeruser /host/data

# Solution 2: Use a bootstrap script
# Start container, fix permissions, then run application
# entrypoint.sh:
#!/bin/bash
chown -R appuser:appuser /app/data
exec su-exec appuser "$@"

# Solution 3: Run container with specific user
docker run --user 1000:1000 -v /host/data:/container/data myimage

# Kubernetes security contexts
# pod.yaml:
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 1000    # Run as this UID
    runAsGroup: 3000   # Primary GID
    fsGroup: 2000      # Volume ownership
    fsGroupChangePolicy: "OnRootMismatch"  # Only change if needed
  containers:
  - name: app
    image: myapp
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
        - ALL              # Drop all capabilities
        add:
        - NET_BIND_SERVICE # Only add what's needed

# Volume permissions in Kubernetes persist after pod deletion
# Pre-create volumes with correct permissions
kubectl apply -f - <<EOF
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: app-data
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
EOF

# Initialize volume permissions with init container
initContainers:
- name: fix-permissions
  image: busybox
  command: ['sh', '-c', 'chmod -R 770 /data && chown -R 1000:2000 /data']
  volumeMounts:
  - name: app-data
    mountPath: /data

Permission Inheritance and Defaults

Understanding how new files get their permissions:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46

# Test umask behavior
umask 022
touch file1.txt
mkdir dir1
ls -l
# file1.txt: -rw-r--r-- (644 = 666 - 022)
# dir1: drwxr-xr-x (755 = 777 - 022)

# Change umask temporarily for a command
(umask 077; touch secret.txt)
ls -l secret.txt
# -rw------- (600 = 666 - 077)
# After the subshell, original umask restored

# Different umask for different file types
# In .bashrc or .bash_profile:
if [ "$SHELL" = "/bin/bash" ]; then
    # Regular files get 027 (640)
    umask 027
    
    # But override for scripts
    alias touchscript='umask 022; touch'
fi

# Setgid inheritance demonstration
mkdir /tmp/team
chmod g+s /tmp/team
chgrp developers /tmp/team

# As user alice (primary group: alice)
touch /tmp/team/alice_file.txt
ls -l /tmp/team/alice_file.txt
# -rw-r--r-- 1 alice developers 0 Oct 2 18:00 alice_file.txt
#                    ^ Inherited from directory, not alice's primary group!

# Create a template directory with default ACLs
mkdir /srv/templates/project
setfacl -d -m u::rwx /srv/templates/project
setfacl -d -m g::rx /srv/templates/project
setfacl -d -m o::--- /srv/templates/project

# New files here automatically get these permissions
cd /srv/templates/project
touch newfile
getfacl newfile
# Shows default ACLs were applied automatically

Practical Security Hardening Scenarios

Real-world security implementations:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109

# Scenario 1: Hardening a web server
# Lock down the web root completely
sudo chown -R root:root /var/www/html
sudo find /var/www/html -type f -exec chmod 644 {} \;
sudo find /var/www/html -type d -exec chmod 755 {} \;

# Only the upload directory is writable by Apache
sudo mkdir /var/www/html/uploads
sudo chown www-data:www-data /var/www/html/uploads
sudo chmod 730 /var/www/html/uploads
# 730 means: user rwx, group wx, others nothing
# Apache can write, admins can list/read, users cannot access directly

# Prevent PHP execution in uploads (defense in depth)
# In Apache config or .htaccess:
<Directory /var/www/html/uploads>
    php_flag engine off
    Options -ExecCGI
    AddType text/plain .php .php3 .phtml .pht
</Directory>

# Scenario 2: Securing SSH configuration
# Restrict access to SSH config directory
sudo chmod 700 /etc/ssh
sudo chmod 600 /etc/ssh/sshd_config
sudo chmod 600 /etc/ssh/ssh_host_*_key
sudo chmod 644 /etc/ssh/ssh_host_*_key.pub

# User SSH directories for all users
find /home -type d -name .ssh -exec chmod 700 {} \;
find /home -type f -path '*/.ssh/id_*' ! -name '*.pub' -exec chmod 600 {} \;
find /home -type f -path '*/.ssh/id_*.pub' -exec chmod 644 {} \;
find /home -type f -path '*/.ssh/authorized_keys' -exec chmod 600 {} \;

# Scenario 3: Sensitive data protection
# Create a secure directory for secrets
sudo mkdir -p /opt/secrets
sudo chmod 700 /opt/secrets
sudo chown svcaccount:svcaccount /opt/secrets

# Store database credentials
sudo -u svcaccount tee /opt/secrets/db.conf > /dev/null <<EOF
DB_USER=appuser
DB_PASS=SecurePassword123
DB_HOST=localhost
EOF
sudo chmod 400 /opt/secrets/db.conf
# 400 = read-only for owner, nothing for anyone else
# Even the owner cannot modify it without first changing permissions

# Application reads it like this:
source /opt/secrets/db.conf
mysql -u "$DB_USER" -p"$DB_PASS" -h "$DB_HOST"

# Scenario 4: Multi-tier application with separation of duties
# Application tier - read-only access to code
sudo mkdir -p /opt/myapp/{bin,lib,config,data,logs}
sudo chown -R root:appgroup /opt/myapp/bin /opt/myapp/lib
sudo chmod -R 750 /opt/myapp/bin /opt/myapp/lib

# Config - read-only for app, writable by deploy user
sudo chown -R deploy:appgroup /opt/myapp/config
sudo chmod 640 /opt/myapp/config/*

# Data directory - writable by app
sudo chown -R appuser:appgroup /opt/myapp/data
sudo chmod 770 /opt/myapp/data

# Logs - append-only
sudo chown -R appuser:appgroup /opt/myapp/logs
sudo chmod 750 /opt/myapp/logs
sudo chattr +a /opt/myapp/logs/application.log
# Now app can write logs but cannot delete evidence

# Scenario 5: Preventing privilege escalation
# Find potential privilege escalation vectors
sudo find / -perm -4000 -user root -type f 2>/dev/null
# Lists all setuid root binaries - audit these regularly

# Lock down sudo configuration
sudo visudo
# Add these restrictions:
# Defaults    use_pty                 # Force pseudo-terminal
# Defaults    logfile=/var/log/sudo.log
# Defaults    log_year, log_host, loglinelen=0
# Defaults    passwd_timeout=1        # Password expires quickly
# Defaults    timestamp_timeout=5     # Require password every 5 min
# Defaults    !visiblepw              # Never allow visible passwords

# Restrict which commands users can run
# %developers ALL=(ALL) /usr/bin/systemctl restart webapp, /usr/bin/tail -f /var/log/webapp/*
# Now developers group can only restart webapp and view its logs

# Scenario 6: Quarantine directory for suspicious files
sudo mkdir /quarantine
sudo chmod 333 /quarantine
# 333 = -wx-wx-wx
# Users can add files but cannot list or read directory contents
# Only root can examine files (useful for malware submission)

# User can drop file:
cp suspicious_file.exe /quarantine/
# But cannot see what else is there:
ls /quarantine/
# ls: cannot open directory '/quarantine/': Permission denied

# Root examines safely:
sudo ls -la /quarantine/
sudo file /quarantine/suspicious_file.exe

Troubleshooting Complex Permission Problems

When standard troubleshooting fails, try these advanced techniques:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109

# Problem: User reports "permission denied" but permissions look correct

# Check if SELinux is enforcing
getenforce
# If "Enforcing", check for denials:
sudo ausearch -m AVC -ts recent | grep denied

# Temporarily set SELinux to permissive for testing
sudo setenforce 0
# Try the operation again
# If it works, SELinux was the issue

# Fix SELinux context:
sudo restorecon -Rv /path/to/file
# Or set it permanently:
sudo semanage fcontext -a -t httpd_sys_content_t "/path/to/file"
sudo restorecon -v /path/to/file

# Re-enable enforcing:
sudo setenforce 1

# Problem: NFS mounted directory has permission issues

# NFS squashes root by default (root becomes nobody)
# Check mount options:
mount | grep nfs
# Look for "root_squash" or "all_squash"

# On NFS server, edit /etc/exports:
/shared 192.168.1.0/24(rw,sync,no_root_squash,no_all_squash)
sudo exportfs -ra

# Client-side, ensure UID/GID match between systems:
# User 'bob' must have same UID on both client and server

# Problem: File operations work as root but not as user

# Check parent directory permissions carefully:
ls -ld /path/to
ls -ld /path
ls -ld /

# Use namei to trace the entire path:
namei -l /full/path/to/file
# Look for any directory without execute permission

# Check if user hit resource limits:
sudo -u username bash -c 'ulimit -a'
# Look for "open files" limit

# Increase limits in /etc/security/limits.conf:
username soft nofile 4096
username hard nofile 8192

# Problem: Permission denied on symlink

# Check both symlink and target:
ls -l /path/to/symlink
ls -l "$(readlink -f /path/to/symlink)"

# For symlink access, you need:
# - Read permission on symlink itself
# - Execute permission on all directories in path to target
# - Appropriate permissions on target file

# Problem: Docker volume permissions wrong

# Debug by running shell in container:
docker run -it --rm -v /host/path:/container/path myimage /bin/bash

# Inside container, check:
id  # What UID/GID am I?
ls -ln /container/path  # Show numeric UID/GID

# If UIDs don't match, fix on host:
docker inspect myimage | grep User
# If container runs as UID 1000, set on host:
sudo chown -R 1000:1000 /host/path

# Or use a Dockerfile to match host UID:
ARG HOST_UID=1000
ARG HOST_GID=1000
RUN groupadd -g ${HOST_GID} appgroup && \
    useradd -u ${HOST_UID} -g appgroup appuser

# Build with:
docker build --build-arg HOST_UID=$(id -u) --build-arg HOST_GID=$(id -g) .

# Problem: Script works interactively but fails in cron

# Cron runs with minimal environment
# Check cron job permissions:
sudo crontab -u username -l

# Run the cron command manually:
sudo -u username bash -c 'cd / && env -i /full/path/to/script.sh'
# env -i clears environment like cron does

# Add explicit PATH to cron job:
PATH=/usr/local/bin:/usr/bin:/bin
0 2 * * * /full/path/to/script.sh

# Ensure cron script has proper permissions:
chmod 750 /path/to/script.sh
chown username:username /path/to/script.sh

# Check cron's own permissions:
ls -la /var/spool/cron/crontabs/
# Should be owned by user, mode 600

Permission Automation and Infrastructure as Code

Managing permissions at scale requires automation:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107

# Ansible playbook for standardizing permissions
---
- name: Configure web application permissions
  hosts: webservers
  become: yes
  tasks:
    - name: Ensure web root ownership
      file:
        path: /var/www/html
        owner: root
        group: www-data
        recurse: yes
        
    - name: Set permissions on web files
      find:
        paths: /var/www/html
        recurse: yes
        file_type: file
      register: web_files
      
    - name: Apply file permissions
      file:
        path: ""
        mode: '0644'
      loop: ""
      
    - name: Set permissions on directories
      find:
        paths: /var/www/html
        recurse: yes
        file_type: directory
      register: web_dirs
      
    - name: Apply directory permissions
      file:
        path: ""
        mode: '0755'
      loop: ""
      
    - name: Configure uploads directory
      file:
        path: /var/www/html/uploads
        owner: www-data
        group: www-data
        mode: '2775'  # setgid
        state: directory

# Terraform for cloud infrastructure
resource "aws_efs_file_system" "shared_data" {
  creation_token = "shared-data"
  encrypted      = true
}

resource "aws_efs_access_point" "team_access" {
  file_system_id = aws_efs_file_system.shared_data.id
  
  posix_user {
    uid = 1000
    gid = 1000
  }
  
  root_directory {
    path = "/team-data"
    creation_info {
      owner_uid   = 1000
      owner_gid   = 1000
      permissions = "755"
    }
  }
}

# Puppet manifest for permission management
file { '/opt/application':
  ensure => directory,
  owner  => 'appuser',
  group  => 'appgroup',
  mode   => '0755',
}

file { '/opt/application/config':
  ensure  => directory,
  owner   => 'appuser',
  group   => 'appgroup',
  mode    => '0750',
  require => File['/opt/application'],
}

# Git hooks to prevent committing sensitive files
# .git/hooks/pre-commit
#!/bin/bash
# Check for files with dangerous permissions

DANGEROUS_PERMS=$(find . -type f -perm -002 ! -path "./.git/*")
if [ -n "$DANGEROUS_PERMS" ]; then
    echo "Error: World-writable files detected:"
    echo "$DANGEROUS_PERMS"
    echo "Fix with: chmod o-w <file>"
    exit 1
fi

# Check for private keys
if git diff --cached --name-only | grep -E '\.pem$|\.key$|id_rsa|id_ed25519'; then
    echo "Error: Private key files detected in commit!"
    exit 1
fi

exit 0

Performance Monitoring and Optimization

Track permission-related performance:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53

# Monitor permission check overhead
# Use perf to profile system calls
sudo perf record -e 'syscalls:sys_enter_*' -a sleep 10
sudo perf report

# Look for frequent:
# - sys_enter_stat
# - sys_enter_access
# - sys_enter_open

# Reduce permission checks with stat caching
# In application code (pseudo):
cache = {}
def check_access(path):
    if path in cache and time.now() - cache[path]['time'] < 60:
        return cache[path]['result']
    result = os.access(path, os.R_OK)
    cache[path] = {'result': result, 'time': time.now()}
    return result

# Use strace to see where time is spent
strace -c -p [PID]
# After some time, Ctrl+C shows summary:
# % time     seconds  usecs/call     calls    errors syscall
# ------     -------  -----------     -----    ------ -------
#  34.23    0.000234           12        19           stat
#  28.91    0.000198           11        18           open
#  15.32    0.000105           10        10           access

# Optimize by reducing stat calls:
# Bad: Check if file exists, then open
if os.path.exists(file):
    f = open(file)
    
# Good: Just try to open, handle error
try:
    f = open(file)
except FileNotFoundError:
    # Handle missing file

# This reduces two syscalls (stat + open) to one (open)

# Monitor permission denials system-wide
sudo auditctl -a exit,always -F arch=b64 -S open -F exit=-EACCES
sudo auditctl -a exit,always -F arch=b64 -S open -F exit=-EPERM

# After some time, analyze:
sudo ausearch -m SYSCALL -sc open | grep denied | wc -l
# High count indicates permission problems

# Find hot spots:
sudo ausearch -m SYSCALL -sc open -i | grep denied | \
  awk '{print $NF}' | sort | uniq -c | sort -rn | head -20

Documentation and Compliance

Maintaining permission documentation for compliance:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43

# Generate permission audit report
#!/bin/bash
# audit-permissions.sh

REPORT_DATE=$(date +%Y-%m-%d)
REPORT_FILE="/var/reports/permission-audit-${REPORT_DATE}.txt"

echo "Permission Audit Report - ${REPORT_DATE}" > "$REPORT_FILE"
echo "=========================================" >> "$REPORT_FILE"

# List all setuid/setgid files
echo -e "\n## Setuid/Setgid Files" >> "$REPORT_FILE"
find / -type f \( -perm -4000 -o -perm -2000 \) -ls 2>/dev/null >> "$REPORT_FILE"

# List world-writable files
echo -e "\n## World-Writable Files" >> "$REPORT_FILE"
find / -type f -perm -002 ! -path "/proc/*" ! -path "/sys/*" -ls 2>/dev/null >> "$REPORT_FILE"

# List world-writable directories without sticky bit
echo -e "\n## World-Writable Directories (no sticky bit)" >> "$REPORT_FILE"
find / -type d -perm -002 ! -perm -1000 ! -path "/proc/*" ! -path "/sys/*" -ls 2>/dev/null >> "$REPORT_FILE"

# List files with no owner
echo -e "\n## Orphaned Files" >> "$REPORT_FILE"
find / -nouser -o -nogroup 2>/dev/null >> "$REPORT_FILE"

# List files owned by specific sensitive users
echo -e "\n## Root-Owned Files in User Directories" >> "$REPORT_FILE"
find /home -user root -ls 2>/dev/null >> "$REPORT_FILE"

# Compare with baseline
if [ -f "/var/reports/baseline-permissions.txt" ]; then
    echo -e "\n## Changes from Baseline" >> "$REPORT_FILE"
    diff /var/reports/baseline-permissions.txt "$REPORT_FILE" >> "$REPORT_FILE"
fi

# Email report
mail -s "Permission Audit Report ${REPORT_DATE}" security@example.com < "$REPORT_FILE"

# Create baseline if it doesn't exist
if [ ! -f "/var/reports/baseline-permissions.txt" ]; then
    cp "$REPORT_FILE" /var/reports/baseline-permissions.txt
fi

This comprehensive guide now covers everything from basic permission concepts through advanced enterprise scenarios, security hardening, troubleshooting techniques, automation strategies, and compliance documentation. Each example includes detailed comments explaining the reasoning and implications of the permission settings.— title: “Mastering Linux File Permissions: From Basics to Advanced Scenarios” date: 2025-10-02 14:30:00 +0000 categories: [Linux, System Administration] tags: [linux, permissions, security, chmod, umask, acl, selinux] author: sysadmin toc: true comments: true math: false mermaid: false image: path: /assets/img/linux-permissions.jpg alt: Linux File Permissions Guide —

Understanding Linux file permissions is fundamental to system administration and security. Whether you’re managing production servers, securing web applications, or setting up development environments, mastering permissions ensures your systems remain secure while allowing necessary access. This comprehensive guide takes you from basic concepts through advanced scenarios you’ll encounter in real-world environments.

Understanding the Permission Model

Linux implements a discretionary access control system where every file and directory has three permission levels: read, write, and execute. What makes this elegant is how these permissions mean different things depending on whether you’re dealing with files or directories.

When you run ls -l on any file, you’ll see something like this:

1
2

sysadmin@localhost:~$ ls -l /bin/ls
-rwxr-xr-x 1 root root 133792 Jan 18 2018 /bin/ls

That first string of characters tells an entire story. The first character indicates the file type (a dash for regular files, ‘d’ for directories, ‘l’ for symbolic links). The next nine characters are grouped into three sets of three, showing permissions for the user owner, group owner, and everyone else respectively.

Who Owns What?

File ownership operates on two levels in Linux. Every file has both a user owner and a group owner. By default, when you create a file, you become its owner, and your primary group becomes the group owner. This dual ownership system enables flexible permission schemes for team collaboration.

You can check your current identity with these commands:

1
2
3
4
5
6
7
8
9

# Display comprehensive user and group information
id
# Output: uid=1000(bob) gid=1000(bob) groups=1000(bob),4(adm),27(sudo)

# Quick check of your username
whoami

# See all groups you belong to
groups

Changing ownership requires root privileges. The chown command changes the user owner, while chgrp modifies the group owner:

1
2
3
4
5
6
7
8

# Change user owner to root
sudo chown root important_file.txt

# Change group owner to developers team
sudo chgrp developers shared_project.txt

# Change both at once (user:group format)
sudo chown alice:developers team_document.txt

There’s an interesting command called newgrp that temporarily changes your primary group. This affects the group ownership of files you create:

1
2
3
4
5
6
7

# Switch primary group to 'developers'
newgrp developers

# Now new files inherit 'developers' as group owner
touch new_file.txt
ls -l new_file.txt
# Output: -rw-r--r-- 1 bob developers 0 Oct 2 14:30 new_file.txt

Permission Types Explained

The three basic permissions behave differently for files versus directories, which confuses many newcomers.

Read permission (r):

  • Files: You can view and copy the file’s contents
  • Directories: You can list filenames in the directory, but without execute permission, you won’t see file details or access the files

Write permission (w):

  • Files: You can modify the file’s contents (note: you need read permission too if you want to edit intelligently)
  • Directories: You can create, delete, or rename files within the directory (requires execute permission to be useful)

Execute permission (x):

  • Files: You can run the file as a program or script
  • Directories: You can enter the directory and access its contents (this is often called “search” permission)

Here’s a practical example that demonstrates directory permissions:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

# Create a test directory
mkdir test_perms
chmod 644 test_perms  # Read/write for user, read for others, no execute

# Try to list contents
ls test_perms
# Error: Permission denied

# Try to enter directory
cd test_perms
# Error: Permission denied

# Now add execute permission
chmod 755 test_perms
cd test_perms  # Success!

Changing Permissions with chmod

The chmod command offers two approaches: symbolic and octal notation. Most administrators become comfortable with both because each has situations where it shines.

Symbolic Method

The symbolic method uses letters to represent who (u=user, g=group, o=others, a=all) and what operation (+=add, -=remove, ==set exactly):

1
2
3
4
5
6
7
8
9
10
11
12
13
14

# Add execute permission for user owner
chmod u+x script.sh

# Remove write permission from group
chmod g-w document.txt

# Set exact permissions: user gets read+write, group gets read only
chmod u=rw,g=r,o= secret.txt

# Give everyone read permission
chmod a+r public_notice.txt

# Multiple changes at once
chmod u+x,g-w,o=r mixed_changes.sh

The symbolic method excels when you want to modify existing permissions without knowing what they currently are. For instance, chmod g+w file adds write permission for the group regardless of what permissions already exist.

Octal Method

The octal method uses numbers where each permission has a value: read=4, write=2, execute=1. You add these values for each permission set:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

# 755 means: rwxr-xr-x
# User: 4+2+1=7 (rwx), Group: 4+0+1=5 (r-x), Others: 4+0+1=5 (r-x)
chmod 755 program.sh

# 644 means: rw-r--r--
# User: 4+2+0=6 (rw-), Group: 4+0+0=4 (r--), Others: 4+0+0=4 (r--)
chmod 644 document.txt

# 600 means: rw-------
# Private file, only owner can read/write
chmod 600 private_key.pem

# 777 means: rwxrwxrwx
# Full permissions for everyone (rarely recommended!)
chmod 777 wide_open.txt

The octal method is faster when you know exactly what permissions you want to set. Many administrators memorize common patterns like 755 for executables and 644 for regular files.

Advanced Permissions: Beyond Read, Write, Execute

Linux has three special permission bits that solve specific problems: setuid, setgid, and the sticky bit.

Setuid: Running as the File Owner

When the setuid bit is set on an executable, it runs with the privileges of the file’s owner rather than the user who executed it. The most common example is the passwd command:

1
2

ls -l /usr/bin/passwd
# -rwsr-xr-x 1 root root 59640 Jan 25 2018 /usr/bin/passwd

Notice the ‘s’ where you’d expect ‘x’ in the user permissions? That’s the setuid bit. When you run passwd to change your password, it needs to write to /etc/shadow, which only root can modify. The setuid bit makes this possible.

Setting setuid:

1
2
3
4
5

# Symbolic method
chmod u+s executable_file

# Octal method (4 prefix)
chmod 4755 executable_file

Security Warning: Be extremely cautious with setuid. A setuid root program with vulnerabilities can compromise your entire system. Only use it when absolutely necessary and ensure the program is well-audited.

Setgid: Shared Project Directories

Setgid on directories solves a common collaboration problem. Normally, when you create a file, it gets your primary group as the group owner. But what if multiple team members from different primary groups need to collaborate?

1
2
3
4
5
6
7
8
9
10
11
12
13
14

# Create a shared project directory
sudo mkdir /srv/team_project
sudo chgrp developers /srv/team_project

# Set setgid bit
chmod g+s /srv/team_project
# Or with octal: chmod 2775 /srv/team_project

# Now when any user creates files in this directory,
# they automatically get 'developers' as the group owner
cd /srv/team_project
touch new_file.txt
ls -l new_file.txt
# -rw-r--r-- 1 alice developers 0 Oct 2 15:00 new_file.txt

The directory listing shows setgid with an ‘s’ in the group execute position:

1
2

ls -ld /srv/team_project
# drwxrwsr-x 2 root developers 4096 Oct 2 15:00 /srv/team_project

This is invaluable for team directories where everyone needs to work on shared files.

Sticky Bit: Protecting Files in Shared Directories

The sticky bit solves another collaboration problem: in a shared directory with write permissions for everyone, any user could delete anyone else’s files. The sticky bit prevents this.

1
2

ls -ld /tmp
# drwxrwxrwt 1 root root 4096 Oct 2 15:10 /tmp

That ‘t’ at the end indicates the sticky bit. In /tmp, anyone can create files, but you can only delete your own files (or if you’re root).

Setting the sticky bit:

1
2
3
4

# Create a shared upload directory
mkdir /srv/uploads
chmod 1777 /srv/uploads
# Or: chmod o+t /srv/uploads

Now users can upload files but can’t delete each other’s uploads.

Default Permissions with umask

The umask controls default permissions for new files and directories. It works by subtracting from the maximum default permissions: 666 for files and 777 for directories.

1
2
3
4
5
6
7

# Check current umask
umask
# Output: 0002

# This means:
# New files: 666 - 002 = 664 (rw-rw-r--)
# New directories: 777 - 002 = 775 (rwxrwxr-x)

Common umask values:

1
2
3
4
5
6
7
8
9
10
11
12
13
14

# 022: Default for root
# Files: 666 - 022 = 644 (rw-r--r--)
# Directories: 777 - 022 = 755 (rwxr-xr-x)
umask 022

# 002: Default for regular users
# Files: 666 - 002 = 664 (rw-rw-r--)
# Directories: 777 - 002 = 775 (rwxrwxr-x)
umask 002

# 077: Private files
# Files: 666 - 077 = 600 (rw-------)
# Directories: 777 - 077 = 700 (rwx------)
umask 077

To make umask permanent, add it to your shell configuration file (~/.bashrc or ~/.bash_profile):

1

echo "umask 027" >> ~/.bashrc

Real-World Permission Scenarios

Understanding how permissions interact is crucial for troubleshooting. Let’s work through some scenarios.

Scenario 1: Why can’t I read this file?

1
2
3
4
5
6

ls -l /home/alice/project/data.txt
# -rw-r----- 1 alice developers 1024 Oct 2 16:00 /home/alice/project/data.txt

# User bob (in developers group) tries to read
cat /home/alice/project/data.txt
# Permission denied

The issue? Bob needs execute permission on every directory in the path. Let’s check:

1
2

ls -ld /home/alice
# drwx------ 2 alice alice 4096 Oct 2 16:00 /home/alice

Even though bob has read permission on the file through group ownership, he can’t reach it because he lacks execute permission on /home/alice.

Scenario 2: Deleting files you can’t read

1
2
3
4
5
6

ls -l protected_file.txt
# ---------- 1 bob users 0 Oct 2 16:10 protected_file.txt

# Can bob delete this file he owns with no permissions?
rm protected_file.txt
# Yes! Deletion depends on directory permissions, not file permissions

This surprises many people. File deletion requires write permission on the parent directory, not the file itself.

Scenario 3: Permission precedence

If user bob owns a file and is also in the group that owns the file, which permissions apply?

1
2
3
4
5
6

ls -l test.txt
# -r----rwx 1 bob developers 0 Oct 2 16:15 test.txt

# Can bob write to this file?
# No! User owner permissions take precedence over group permissions
# Bob gets r--, not rwx

The permission check stops at the first matching category: user owner, group owner, or others.

Advanced Topics and Techniques

Access Control Lists (ACLs): Beyond Traditional Permissions

Traditional Unix permissions have a limitation: you can only specify permissions for one user, one group, and everyone else. What if you need to grant specific access to multiple users or groups? ACLs solve this problem.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40

# Install ACL tools if not already present
sudo apt-get install acl  # Debian/Ubuntu
sudo yum install acl      # RHEL/CentOS

# Grant specific user 'carol' read and write access
setfacl -m u:carol:rw important_document.txt

# Grant specific group 'auditors' read-only access
setfacl -m g:auditors:r financial_data.csv

# Set default ACLs for a directory
# New files created here will inherit these ACLs
setfacl -d -m g:auditors:r /srv/audit_logs/

# View ACLs on a file
getfacl important_document.txt
# Output shows both traditional permissions and extended ACLs:
# # file: important_document.txt
# # owner: bob
# # group: staff
# user::rw-
# user:carol:rw-
# group::r--
# group:auditors:r--
# mask::rw-
# other::---

# Remove specific ACL entry
setfacl -x u:carol important_document.txt

# Remove all ACLs from a file
setfacl -b important_document.txt

# Copy ACLs from one file to another
getfacl source.txt | setfacl --set-file=- destination.txt

# When viewing with ls -l, files with ACLs show a '+' sign:
ls -l important_document.txt
# -rw-rw----+ 1 bob staff 1024 Oct 2 16:00 important_document.txt
#           ^ This indicates extended ACLs are present

The ACL mask: The mask defines the maximum permissions that can be granted via ACLs. Even if you grant read/write to a user, if the mask is set to read-only, they’ll only get read access.

1
2
3
4
5

# Set the ACL mask to read-only
setfacl -m m::r important_document.txt

# Now all ACL entries are limited to read-only,
# regardless of what permissions they specify

ACLs are particularly useful for shared hosting environments, complex organizational structures, or when you need fine-grained control without creating numerous groups.

Capability-Based Security

Instead of running entire programs as root, Linux capabilities allow you to grant specific privileges:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

# Allow a program to bind to privileged ports (< 1024)
# without running it as root
sudo setcap 'cap_net_bind_service=+ep' /usr/local/bin/myserver

# Now myserver can bind to port 80 without sudo
# But it can't do other root-only operations

# View capabilities on a file
getcap /usr/local/bin/myserver
# /usr/local/bin/myserver = cap_net_bind_service+ep

# Remove capabilities
sudo setcap -r /usr/local/bin/myserver

# List all capabilities a process has
getpcaps [PID]

# Common capabilities:
# CAP_NET_BIND_SERVICE - Bind to ports < 1024
# CAP_NET_RAW - Use RAW and PACKET sockets
# CAP_DAC_OVERRIDE - Bypass file permission checks
# CAP_CHOWN - Make arbitrary changes to file ownership
# CAP_SETUID - Manipulate process UIDs

This is more secure than setuid because you grant only the specific privilege needed, not full root access.

Extended Attributes and Immutable Files

Linux supports extended attributes that provide additional security features:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

# Make a file immutable - even root cannot modify or delete it
sudo chattr +i critical_config.conf

# Try to delete it
sudo rm critical_config.conf
# rm: cannot remove 'critical_config.conf': Operation not permitted

# Try to modify it
sudo echo "change" >> critical_config.conf
# bash: critical_config.conf: Operation not permitted

# View file attributes
lsattr critical_config.conf
# ----i--------e----- critical_config.conf

# Remove immutable flag
sudo chattr -i critical_config.conf

# Append-only flag - useful for log files
# Data can be appended but not modified or deleted
sudo chattr +a /var/log/application.log

# Now the application can add to the log
echo "New log entry" >> /var/log/application.log  # Works

# But cannot truncate or modify existing entries
echo "" > /var/log/application.log  # Fails
# bash: /var/log/application.log: Operation not permitted

# This protects against malicious actors trying to hide their tracks
# by deleting log entries

# Other useful attributes:
# +s - Secure deletion (overwrite with zeros when deleted)
# +u - Undeletable (allow recovery after deletion)
# +c - Compressed (automatically compress when written to disk)

SELinux Context and Permissions

In SELinux-enabled systems, traditional permissions are just one layer. SELinux contexts provide an additional mandatory access control layer:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

# View SELinux context
ls -Z /var/www/html/index.html
# -rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 index.html
#                                       ^ SELinux context

# The context has four parts:
# user:role:type:level

# Most important is 'type' - httpd_sys_content_t means
# "content that httpd (Apache) can read"

# Change SELinux context
sudo chcon -t httpd_sys_rw_content_t /var/www/html/uploads/
# Now Apache can write to this directory

# Make context change permanent (survives relabel)
sudo semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/uploads(/.*)?"
sudo restorecon -Rv /var/www/html/uploads/

# Copy SELinux context from another file
sudo chcon --reference=/var/www/html/index.html newfile.html

# Check if SELinux is causing permission denials
sudo ausearch -m avc -ts recent
# or
sudo grep "denied" /var/log/audit/audit.log

# Common scenario: You upload a file to Apache's document root
# It has wrong permissions AND wrong SELinux context
sudo cp ~/myfile.html /var/www/html/
sudo chown apache:apache /var/www/html/myfile.html  # Fix ownership
sudo chmod 644 /var/www/html/myfile.html             # Fix permissions
sudo restorecon /var/www/html/myfile.html            # Fix SELinux context

SELinux adds complexity but provides strong security. Even if an attacker compromises Apache through a vulnerability, SELinux limits what damage they can do based on context restrictions.

File System Mount Options Affecting Permissions

Mount options can enforce or override permissions at the filesystem level:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

# Mount a filesystem read-only
sudo mount -o ro /dev/sdb1 /mnt/readonly
# Now chmod, chown, and writes all fail regardless of permissions

# Mount with noexec - prevents execution of any binaries
sudo mount -o noexec /dev/sdb1 /mnt/data
# Useful for data partitions that should never run code
# Even files with +x permission cannot be executed

# Mount with nosuid - ignore setuid/setgid bits
sudo mount -o nosuid /dev/sdb1 /mnt/untrusted
# Prevents privilege escalation via setuid binaries
# Useful for user-writable spaces like /tmp

# Combine multiple options
sudo mount -o noexec,nosuid,nodev /dev/sdb1 /mnt/secure
# nodev additionally prevents device file access

# Make permanent in /etc/fstab
echo "/dev/sdb1 /mnt/secure ext4 noexec,nosuid,nodev 0 2" | sudo tee -a /etc/fstab

# Check current mount options
mount | grep sdb1
# or
findmnt /mnt/secure

# Remount with different options without unmounting
sudo mount -o remount,ro /mnt/secure

These mount options provide defense in depth - even if file permissions are misconfigured, the mount options provide an additional security layer.

Audit and Monitoring Permissions

Track who accesses or modifies files using the audit system:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

# Install audit daemon
sudo apt-get install auditd

# Watch a specific file for any access
sudo auditctl -w /etc/passwd -p rwxa -k passwd_changes
# -w: watch this file
# -p: permissions to watch (read/write/execute/attribute change)
# -k: key for searching logs

# Watch a directory recursively
sudo auditctl -w /etc/ssh/ -p wa -k ssh_config_changes

# List current audit rules
sudo auditctl -l

# Search audit logs for specific key
sudo ausearch -k passwd_changes

# Search for failed access attempts (permission denied)
sudo ausearch -m USER_AUTH -sv no

# Generate audit report
sudo aureport --summary

# Example output when someone accesses watched file:
# type=PATH msg=audit(1696262400.123:456): item=0 name="/etc/passwd" 
# inode=12345 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00

This is invaluable for security investigations and compliance requirements.

Debugging Permission Issues Systematically

When facing permission problems, use this methodical approach:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45

# 1. Check user identity and group memberships
id username
# Verify the user is in expected groups

# 2. Trace the entire path with namei
namei -l /path/to/file
# Shows permissions for every directory in the path
# Example output:
# f: /var/www/html/data/file.txt
# drwxr-xr-x root root /
# drwxr-xr-x root root var
# drwxr-xr-x root root www
# drwxr-x--- www-data www-data html  <- Problem here!
# drwxrwxr-x www-data developers data
# -rw-r--r-- www-data developers file.txt

# 3. Check for ACLs
getfacl /path/to/file

# 4. Check extended attributes
lsattr /path/to/file

# 5. Check SELinux context (if applicable)
ls -Z /path/to/file
# Check for denials
sudo ausearch -m avc -ts recent | grep /path/to/file

# 6. Check mount options
findmnt --target /path/to/file

# 7. Test actual access as the user
sudo -u username cat /path/to/file
# See the actual error message

# 8. Check file descriptor limits
ulimit -n
# If user can't open file, might be hitting limits

# 9. Check for filesystem errors
sudo dmesg | grep -i error
# Corruption can cause unexpected permission errors

# 10. Verify the user's shell and environment
sudo -u username -i
# Log in as user to test in their actual environment

Batch Permission Operations

When managing large directory structures, efficiency matters:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

# Set different permissions for files vs directories
find /var/www/html -type f -exec chmod 644 {} \;
find /var/www/html -type d -exec chmod 755 {} \;

# Change ownership recursively, following symbolic links
sudo chown -RH www-data:www-data /var/www/html/

# Fix permissions based on current ownership
# Files owned by www-data get 664, others get 644
find /var/www -type f -user www-data -exec chmod 664 {} \;
find /var/www -type f ! -user www-data -exec chmod 644 {} \;

# Remove execute bit from all files in a directory tree
# but preserve it on directories
chmod -R a-x,a+X /path/to/dir
# lowercase x: remove execute from all
# uppercase X: add execute only to directories (and files that already have it)

# Find and fix files with overly permissive settings
find /home -type f -perm -002 -ls
# Finds world-writable files - usually a security issue

# Find setuid/setgid files (potential security risk)
find / -type f \( -perm -4000 -o -perm -2000 \) -ls 2>/dev/null
# Review these carefully - should be minimal

# Find files with no user or group (orphaned after user deletion)
find / -nouser -o -nogroup 2>/dev/null
# These should be assigned to appropriate owners

# Replicate permissions from one directory to another
getfacl -R /source/dir > /tmp/permissions.acl
setfacl --restore=/tmp/permissions.acl -R /target/dir

Recursive Permission Changes

When setting up directory structures, you often need to apply permissions recursively:

1
2
3
4
5
6
7

# Make all files in a directory tree readable by group
chmod -R g+r /srv/webdata/

# Set standard permissions on web directory
# Directories: 755, Files: 644
find /var/www/html -type d -exec chmod 755 {} \;
find /var/www/html -type f -exec chmod 644 {} \;

The find approach is more sophisticated because it can differentiate between files and directories.

Troubleshooting Permission Issues

When users report access problems, follow this systematic approach:

1
2
3
4
5
6
7
8
9
10
11
12
13
14

# 1. Check the user's identity and groups
id username

# 2. Trace the full path permissions
namei -l /path/to/problematic/file

# 3. Verify file permissions
ls -l /path/to/problematic/file

# 4. Check for ACLs
getfacl /path/to/problematic/file

# 5. Test as the user
sudo -u username cat /path/to/problematic/file

Best Practices

For production servers:

  • Use 644 for configuration files (640 if they contain secrets)
  • Use 755 for directories and executables
  • Never use 777 unless absolutely necessary (and document why)
  • Set umask to 027 for service accounts to ensure restrictive defaults

For shared development:

  • Create group-owned directories with setgid (2775)
  • Use consistent group ownership across team directories
  • Consider ACLs for complex permission requirements
  • Document permission schemes in your project README

For security-sensitive files:

  • Private keys: 600
  • SSH configuration: 700 for ~/.ssh directory, 600 for private keys, 644 for public keys
  • Password files: 640
  • Database credentials: 640

Common Mistakes to Avoid

Mistake 1: Using 777 to “fix” permission problems

When something doesn’t work, the temptation is to run chmod 777. Don’t. This creates security holes. Instead, understand which specific permission is needed and grant only that.

Mistake 2: Forgetting directory execute permissions

Setting a directory to 666 (rw-rw-rw-) makes it unusable because users can’t enter it. Directories almost always need execute permission.

Mistake 3: Confusing setuid on scripts

Many shells ignore setuid on shell scripts for security reasons. If you need elevated privileges, use sudo or write a compiled wrapper program.

Mistake 4: Not testing permission changes

After changing permissions, test as the affected user using sudo -u username to verify access works as intended.

Complex Real-World Scenarios

Let’s explore some advanced permission scenarios you’ll encounter in production environments.

Scenario 1: Web Application with Multiple Components

Consider a web application where Apache runs as www-data, developers need to upload files, and a backup script runs as a service account:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

# Create the web root structure
sudo mkdir -p /var/www/myapp/{uploads,cache,logs}

# Set ownership - Apache needs to own the directories
sudo chown -R www-data:developers /var/www/myapp

# Enable setgid so new files inherit the developers group
sudo chmod 2775 /var/www/myapp/uploads
sudo chmod 2775 /var/www/myapp/cache

# Logs should be writable by Apache only
sudo chmod 755 /var/www/myapp/logs
sudo chown www-data:www-data /var/www/myapp/logs

# Add developers to www-data group for collaboration
sudo usermod -aG www-data alice
sudo usermod -aG www-data bob

# Now when developers upload files, Apache can read them
# and other developers can modify them thanks to setgid

This setup ensures Apache can serve files, developers can deploy updates, and everyone maintains proper group ownership.

Scenario 2: Database Directory Permissions

Database systems like PostgreSQL are sensitive about permissions:

1
2
3
4
5
6
7
8
9
10
11
12
13

# PostgreSQL data directory must be owned by postgres user
sudo chown -R postgres:postgres /var/lib/postgresql/14/main

# PostgreSQL refuses to start if permissions are too open
# Correct: 700 (drwx------)
sudo chmod 700 /var/lib/postgresql/14/main

# Why? Because database files contain sensitive data
# and only the database process should access them

# Even configuration files need restricted permissions
sudo chmod 600 /etc/postgresql/14/main/pg_hba.conf
# This prevents other users from reading connection rules

The lesson: some applications enforce permission requirements for security. Understanding these requirements prevents frustrating startup failures.

Scenario 3: Multi-User Development Server

Setting up a development server where multiple teams work on different projects:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

# Create project structure
sudo mkdir -p /srv/projects/{team-alpha,team-beta,shared}

# Team Alpha's private space
sudo chown -R :team-alpha /srv/projects/team-alpha
sudo chmod 2770 /srv/projects/team-alpha
# 2770 means: setgid, full access for user/group, none for others

# Team Beta's private space
sudo chown -R :team-beta /srv/projects/team-beta
sudo chmod 2770 /srv/projects/team-beta

# Shared space with sticky bit to prevent deletion wars
sudo chown -R :developers /srv/projects/shared
sudo chmod 3777 /srv/projects/shared
# 3777 means: sticky bit + setgid, everyone can create but only delete their own

# Set restrictive umask for all users in these directories
echo "umask 007" | sudo tee /srv/projects/.profile

This creates isolated team spaces while providing a common ground for collaboration.

Scenario 4: Automated Backup Script with Minimal Privileges

A backup script needs to read files but shouldn’t write to the production directory:

1
2
3
4
5
6
7
8
9
10
11
12
13
14

# Create a dedicated backup user
sudo useradd -r -s /bin/bash backup-service

# Grant read access to critical directories via group membership
sudo usermod -aG www-data backup-service

# Create a backup destination only this user can write to
sudo mkdir /var/backups/myapp
sudo chown backup-service:backup-service /var/backups/myapp
sudo chmod 700 /var/backups/myapp

# The backup script can now read production files
# but cannot accidentally modify them
# Principle of least privilege in action!

Scenario 5: SSH Key Permission Requirements

SSH is notoriously picky about permissions for good security reasons:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

# Home directory - must not be writable by group or others
chmod 755 ~

# .ssh directory - only user should access
chmod 700 ~/.ssh

# Private keys - absolutely private
chmod 600 ~/.ssh/id_rsa
chmod 600 ~/.ssh/id_ed25519

# Public keys - can be more open
chmod 644 ~/.ssh/id_rsa.pub
chmod 644 ~/.ssh/authorized_keys

# SSH config file - private to prevent info disclosure
chmod 600 ~/.ssh/config

# Why so strict? If others can write to your .ssh directory,
# they could replace authorized_keys and gain access as you
# If they can read your private key, they can impersonate you

SSH will refuse to use keys with incorrect permissions, printing errors like:

1
2
3
4

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/home/user/.ssh/id_rsa' are too open.

This is SSH protecting you from yourself.

Conclusion

Linux file permissions form the foundation of system security. While the basic concepts are straightforward, mastering their interactions and edge cases takes practice. The investment pays off in more secure systems, faster troubleshooting, and the confidence to handle complex access control requirements.

Remember that permissions work together with ownership, mount options, ACLs, and potentially SELinux or AppArmor to create layers of defense. Whether you’re managing a single-user workstation, multi-tenant servers, or complex enterprise infrastructure, understanding these concepts helps you maintain the delicate balance between security and usability.

Start with the basics, practice with real scenarios, and gradually incorporate advanced features like ACLs and capabilities as your needs grow. With time, permission management becomes second nature, and you’ll find yourself diagnosing access issues quickly and implementing secure permission schemes confidently.

The command line may seem intimidating at first, but permissions follow consistent logical patterns. Once you internalize how user, group, and other permissions interact, how special bits modify behavior, and how tools like ACLs extend traditional permissions, you’ll have powerful security tools at your disposal.

Keep experimenting in test environments, document your permission schemes clearly, and always follow the principle of least privilege - grant only the access that’s actually needed, nothing more. Your future self (and your security team) will thank you.

Linux, System Administration
linux permissions security chmod umask acl selinux
This post is licensed under CC BY 4.0 by the author.