Understanding Linux users, groups, and permissions

Topic: Servers linux

Summary

Understand how Linux file and process permissions work: owner, group, and others; read, write, execute; numeric modes and chmod/chown. Use this to fix permission denied errors and to grant least privilege to services and users without using chmod 777.

Intent: How-to

Quick answer

  • Every file has an owner (user) and a group; permissions are read (4), write (2), execute (1) for owner, group, and others.
  • Use chmod to set permissions (e.g. 640 for rw-r-----) and chown/chgrp to change owner and group; never use 777 for production.
  • Services should run as a dedicated user; put files in a group that user is in and set group write only where needed.

Steps

  1. Inspect current owner and permissions

    Run ls -la on the file or directory; read the first column (e.g. rwxr-xr-x) and the user/group columns to see who owns it and what each class can do.

  2. Set file permissions with chmod

    Use chmod with an octal mode (e.g. chmod 640 file) or the symbolic u/g/o and r/w/x form; 640 = owner rw, group r, others none. Use 755 (or 750 when others need no access at all) for directories that must be traversable.

  3. Change owner and group with chown

    Run chown user:group file or chown user file; use chgrp group file to change only the group. Changing the owner requires root (or sudo); a file's owner may change its group, but only to a group the owner belongs to.

  4. Apply to directories and new files

    Directories need execute (x) to be entered; new files inherit umask. Set setgid on a directory (chmod g+s) so new files keep the directory group.

Summary

You will understand the Linux permission model: owner, group, others, and the read/write/execute bits; how to read them with ls and change them with chmod and chown. Use this to fix “permission denied” safely and to give services and users only the access they need.

Prerequisites

  • Shell access to the server (SSH or console).
  • Basic familiarity with the command line.

Steps

Step 1: Inspect current owner and permissions

ls -la /path/to/file

The first column is ten characters: a type character (- for a regular file, d for a directory, l for a symlink) followed by three rwx triplets, e.g. -rwxr-xr-x — owner rwx, group r-x, others r-x. An s in an x position marks setuid (owner) or setgid (group), and a t in the last position marks the sticky bit. The next columns are the owning user and the owning group. Convert each triplet with r=4, w=2, x=1 and add them up (rwx = 7, r-x = 5, r-- = 4).

Step 2: Set file permissions with chmod

chmod 640 /path/to/file    # owner rw, group r, others none
chmod 755 /path/to/script  # owner rwx, group/others r-x (executable)
chmod u+x,g-w file         # add execute for owner, remove write for group

Use 640 (or 600) for config and data, and 644 only for files that are genuinely public; anything holding secrets (database passwords, API keys, private keys) should be 600 or 640, owned by root or the service user with the service group as group. Use 750 or 755 for executables and for directories that must be traversable. Avoid 777: it lets any local user or compromised process modify the file.

Step 3: Change owner and group with chown

sudo chown appuser:appgroup /var/app/data
sudo chgrp appgroup /var/app/config

Only root (or sudo) can change the owner; the owner can change the group to any group they are a member of. Check that the service user is in the right group (id -nG appuser) so group permissions apply. Supplementary group changes made with usermod -aG only take effect for new sessions, so restart the service (or log in again) after adding a user to a group.

Step 4: Apply to directories and new files

  • Directories need the execute (search) bit for a class to enter them or open files inside by name; listing the names inside also needs read (r). A missing x on any directory along the path denies access to everything below it.
  • New file permissions are (0666 & ~umask); new dirs are (0777 & ~umask). Set the umask in the user's profile or, for a systemd service, with UMask= in the unit file if needed.
  • For shared dirs: chmod g+s /shared/dir so new files and subdirectories inherit the directory’s group instead of the creating user’s primary group.
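The four steps above, run end to end in a scratch directory, as an added example that is not part of the original page. It defines a converter for the symbolic mode strings that ls prints in Step 1 (so you can check a 640 or 2750 by eye against what ls shows) and then reproduces the umask and setgid behaviour of Step 4 with nothing but a temporary directory, so it needs no root and touches nothing outside mktemp. It assumes Linux with GNU coreutils (stat -c, mktemp -d, chgrp); the function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. Assumes Linux + GNU coreutils.

# sym_to_octal MODESTRING -> octal mode, e.g. "drwxrws---" -> 2770.
# Accepts the 10-character ls form (type letter first) or the bare
# 9-character rwx triplets. s/S in an x slot means setuid (owner triplet)
# or setgid (group triplet); t/T in the last slot is the sticky bit. The
# upper-case forms mean the special bit is set but execute is not.
sym_to_octal() {
  local s="$1" special=0 octal="" i c n
  [ "${#s}" -eq 10 ] && s="${s:1}"          # drop the file-type character
  [ "${#s}" -eq 9 ] || { echo "bad mode string: $1" >&2; return 1; }
  for i in 0 3 6; do                        # owner, group, others
    n=0
    [ "${s:$i:1}" = r ] && n=$((n + 4))
    [ "${s:$((i + 1)):1}" = w ] && n=$((n + 2))
    c="${s:$((i + 2)):1}"
    case "$c" in
      x)   n=$((n + 1)) ;;
      s|S) [ "$c" = s ] && n=$((n + 1))
           special=$((special + (i == 0 ? 4 : 2))) ;;
      t|T) [ "$c" = t ] && n=$((n + 1))
           special=$((special + 1)) ;;
    esac
    octal="$octal$n"
  done
  if [ "$special" -ne 0 ]; then echo "$special$octal"; else echo "$octal"; fi
}

# setgid_umask_demo: Step 4 in a throw-away directory. Returns the modes
# stat reports for the directory, a subdirectory and a file as
# "<dir> <subdir> <file>". With umask 027 a new directory is 0777 & ~027
# = 750, a new file is 0666 & ~027 = 640, and on Linux a subdirectory
# created inside a setgid directory inherits the setgid bit, giving 2750.
setgid_umask_demo() {
  local base
  base=$(mktemp -d) || return 1
  (                                     # subshell so the umask does not leak
    umask 027
    chmod 2770 "$base"                  # rwxrws---: group-writable, setgid
    mkdir "$base/logs"                  # -> 2750 (setgid inherited)
    : > "$base/logs/app.log"            # -> 640
    echo $(stat -c '%a' "$base" "$base/logs" "$base/logs/app.log")  # unquoted: join with spaces
  )
  rm -rf "$base"
}

# group_inherit_demo: a file created inside a setgid directory takes the
# directory's group, not the creator's primary group. Uses a supplementary
# group of the current user when there is one (an owner may chgrp to any
# group they belong to), otherwise the primary group.
# Returns "<dir group> <file group>".
group_inherit_demo() {
  local base grp
  base=$(mktemp -d) || return 1
  grp=$(id -Gn | cut -s -d ' ' -f 2)   # second (supplementary) group, if any
  [ -n "$grp" ] || grp=$(id -gn)
  chgrp "$grp" "$base" 2>/dev/null || true   # no-op if not permitted
  chmod 2770 "$base"
  : > "$base/new.txt"
  echo $(stat -c '%G' "$base" "$base/new.txt")
  rm -rf "$base"
}

# Usage:
#   sym_to_octal drwxrws---     # 2770
#   setgid_umask_demo           # 2770 2750 640
#   group_inherit_demo          # e.g. "appgroup appgroup"
```

Note that the demo deliberately never uses 777: the group gets write through the setgid directory and the 027 umask, and others get nothing. The same pattern carries over to a real service directory by replacing the mktemp path with the service's data directory and the chosen group with the service group.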

Verification

  • ls -la shows intended owner, group, and permission bits; the service or user can read/write only what you intended and gets “permission denied” elsewhere.

Troubleshooting

Permission denied after chmod — Check that the user owns the file or is in its group (id -nG user; a user just added to a group must start a new session before it counts); check that every directory on the full path has the execute (search) bit for that user (namei -l /path/to/file prints each component with its mode, owner and group); check the SELinux/AppArmor audit log if a mandatory access control system is enabled, since it denies independently of the mode bits.

Service cannot write to directory — Ensure the process runs as the user you chown’d to and that the directory has group (or other) write and execute; avoid 777, use a dedicated group.

New files wrong group — Set setgid on the parent directory (chmod g+s dir) and ensure the creating process runs with the right group; or set a default ACL with setfacl -d -m g:appgroup:rwx dir so new entries get the group permission regardless of the creator’s umask.

Next steps

Continue to