Linux Permission Management Commands Guide

Permission Management Commands

Commands for managing file and directory ownership and permissions.

chmod - Change File/Directory Permissions

Changes access permissions for files and directories.

Syntax/Option - Description
chmod [mode] [file] - Change file permissions
-R - Change permissions recursively for directories and their contents
-v - Display verbose information about the process
--reference=[file] - Use the same permissions as the specified file

Numeric Mode (Octal):

chmod 755 file.txt - Give owner read/write/execute, group and others read/execute permissions
chmod 644 file.txt - Give owner read/write, group and others read-only permissions
chmod -R 755 directory - Recursively set permissions for a directory and its contents
chmod 600 id_rsa - Set private key file to be readable/writable only by owner
chmod 440 /etc/sudoers - Set the sudoers file to be readable only by its owner and group (both root), with no write or execute bits for anyone
find . -type f -name "*.sh" -exec chmod 755 {} \; - Give execute permission to all shell scripts

Symbolic Mode:

chmod u+x file.txt - Add execute permission for owner
chmod g-w file.txt - Remove write permission for group
chmod o=r file.txt - Set read-only permission for others
chmod a+r file.txt - Add read permission for all users
chmod u+x,g+x,o-rwx script.sh - Add execute permission for owner and group, remove all permissions for others
chmod -R g+rX directory/ - Recursively add read permission for the group, and add execute permission only to directories and to files that are already executable by someone (capital X never makes a plain file executable)
find . -type d -exec chmod g+s {} \; - Set SGID bit on all directories (new files created will inherit the directory's group)

Numeric Permission Representation:

  • 4 - Read permission (r)
  • 2 - Write permission (w)
  • 1 - Execute permission (x)

These values are combined. For example, 7 (4+2+1) represents read, write, and execute permissions.

The three digits represent permissions for "owner", "group", and "other users" from left to right.
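The following is an added example, not part of the original page or of coreutils: it converts the permission string that `ls -l` prints (including the s/S/t/T letters for setuid, setgid and sticky) into the four-digit octal mode `chmod` accepts, and then uses that conversion to audit a directory for world-writable and setuid/setgid regular files. The file names and modes in `demo_fixture` are constructed for the demo; `perm_to_octal`, `mode_of`, `demo_fixture` and `audit_modes` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the original page): convert an ls-style permission
# string into the four-digit octal mode chmod accepts, then use it to audit a
# directory for world-writable and setuid/setgid files. File names below are
# constructed for the demo; the helpers are ours, not part of coreutils.

# perm_to_octal "rwxr-xr-x" -> 0755 ; "rwsr-xr-x" -> 4755 ; "rwxrwxrwt" -> 1777
perm_to_octal() {
    p=$1
    p=${p%[+.@]}                        # ls may append "+" (ACL present) or "." (SELinux label)
    if [ ${#p} -eq 10 ]; then p=${p#?}; fi   # drop the file-type character of "ls -l" output
    if [ ${#p} -ne 9 ]; then
        echo "perm_to_octal: expected 9 permission characters, got '$1'" >&2
        return 1
    fi
    special=0; digits=""
    for who in 4 2 1; do            # special-bit weight per triad: 4=setuid, 2=setgid, 1=sticky
        val=0
        for weight in 4 2 1; do     # r=4, w=2, x=1 inside each triad
            c=${p%"${p#?}"}; p=${p#?}    # pop the first character
            case "$who$weight$c" in
                ?4r|?2w|?1x) val=$((val + weight)) ;;
                41s|21s|11t) val=$((val + 1)); special=$((special + who)) ;;  # executable + special bit
                41S|21S|11T) special=$((special + who)) ;;                    # special bit, not executable
                ??-) ;;
                *) echo "perm_to_octal: unexpected '$c' in '$1'" >&2; return 1 ;;
            esac
        done
        digits="$digits$val"
    done
    printf '%s%s\n' "$special" "$digits"
}

# mode_of FILE -> octal mode, using only ls (portable; GNU "stat -c %a" would also do)
mode_of() {
    perm_to_octal "$(ls -ld "$1" | cut -d' ' -f1)"
}

# demo_fixture -> path of a fresh temporary directory holding constructed files
# with modes from the examples above, plus two that an audit should flag.
demo_fixture() {
    d=$(mktemp -d) || return 1
    : > "$d/public.txt";  chmod 644  "$d/public.txt"
    : > "$d/script.sh";   chmod 755  "$d/script.sh"
    : > "$d/id_rsa";      chmod 600  "$d/id_rsa"
    : > "$d/scratch.log"; chmod 666  "$d/scratch.log"   # world-writable
    : > "$d/helper";      chmod 4755 "$d/helper"        # setuid
    printf '%s\n' "$d"
}

# audit_modes DIR -> "octal relative-path" for regular files that are
# world-writable (-perm -002) or carry setuid (-4000) / setgid (-2000).
audit_modes() {
    dir=$1
    find "$dir" -type f \( -perm -002 -o -perm -4000 -o -perm -2000 \) | sort |
    while IFS= read -r f; do
        printf '%s %s\n' "$(mode_of "$f")" "${f#"$dir"/}"
    done
}

# Stand-alone run: build the fixture, audit it, clean up.
d=$(demo_fixture)
audit_modes "$d"
rm -rf "$d"
```

The audit deliberately uses `find -perm -MODE` (all listed bits set), which is POSIX, rather than the GNU-only `-perm /MODE` form, so the same script runs on BSD and busybox systems.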

chown - Change File/Directory Owner

Changes the owner and group of files and directories.

Syntax/Option - Description
chown [owner]:[group] [file] - Change both owner and group of a file
chown [owner] [file] - Change only the owner of a file
chown :[group] [file] - Change only the group of a file
-R - Change ownership recursively for directories and their contents
-v - Display verbose information about the process
--reference=[file] - Use the same owner and group as the specified file

Examples:

sudo chown user1 file.txt - Change file owner to user1
sudo chown user1:group1 file.txt - Change file owner to user1 and group to group1
sudo chown :group1 file.txt - Change only the group to group1
sudo chown -R user1:group1 directory - Recursively change owner and group of a directory and its contents
sudo chown --reference=ref_file.txt target_file.txt - Set the same owner and group as the reference file
find /var/www -type f -exec sudo chown www-data:www-data {} \; - Set appropriate ownership for web server files
sudo chown -R $(whoami) ~/.config - Change ownership of config directory to current user
sudo find /home/user -not -user user -exec chown user:user {} \; - Fix ownership of files in user's home directory

chgrp - Change File/Directory Group

Changes the group ownership of files and directories.

Syntax/Option - Description
chgrp [group] [file] - Change the group of a file
-R - Change group recursively for directories and their contents
-v - Display verbose information about the process
--reference=[file] - Use the same group as the specified file

Examples:

sudo chgrp group1 file.txt - Change file group to group1
sudo chgrp -R group1 directory - Recursively change group of a directory and its contents
sudo chgrp --reference=ref_file.txt file.txt - Set the same group as ref_file.txt
find /opt/app -type f -name "*.log" -exec sudo chgrp syslog {} \; - Change group of all log files to syslog
sudo chgrp -R $(id -gn) ~/projects - Change group of projects directory to current user's primary group
sudo find /var/www -type d -exec chgrp www-data {} \; - Set appropriate group for web server directories
sudo chgrp -v developers *.py - Change group of all Python files to developers and show details

umask - Set Default File Creation Permissions

Controls the default permissions for newly created files and directories.

Syntax/Option - Description
umask - Display current umask value
umask [mode] - Set umask value (a shell builtin; it affects the current shell and the processes it starts)
-S - Display in symbolic mode (bash)
-p - Display as a reusable "umask 0022" command (bash)

Examples:

umask - Display current umask value (e.g., 0022)
umask -S - Display in symbolic mode (e.g., u=rwx,g=rx,o=rx)
umask 022 - Set umask to 022 (new files will be 644, directories 755)
umask 027 - Set umask to 027 (new files will be 640, directories 750)
umask 077 - Set most restrictive umask (new files will be 600, directories 700)
echo "umask 002" >> ~/.bashrc - Automatically set umask to 002 at login (good for group collaboration)
( umask 077 && touch secret.txt ) - Temporarily change umask to create a secure file
umask -p - Display the current umask as a command line (e.g., umask 0022) that can be pasted into a shell script (bash builtin)

How umask works:

Maximum permissions for files are 666 (rw-rw-rw-), and for directories are 777 (rwxrwxrwx).

The umask value specifies which permission bits to clear ("subtract") from these maximums. Because bits are cleared rather than numbers subtracted, a mask digit that names a bit the maximum does not have has no effect: umask 033 turns 666 into 644, not 633.

For example, with umask 022:

  • Files: 666 - 022 = 644 (rw-r--r--)
  • Directories: 777 - 022 = 755 (rwxr-xr-x)
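The following is an added example, not from the original page: it applies a umask the way the kernel does, by clearing the bits named by each mask digit, and compares that prediction with the mode of a file actually created under the same umask. The helper names `last3`, `apply_umask` and `created_mode` are ours; the masks are the ones from the examples above, plus 033 to show why "subtraction" is only an approximation.

```shell
#!/bin/sh
# Added example (not from the original page): apply a umask as bit clearing,
# then check the prediction against a file created under that umask.
# Helper names are ours; only the low nine permission bits are considered.

# last3 "0022" -> "022", "22" -> "022": normalise to three octal digits
last3() { x=000$1; printf '%s' "${x#"${x%???}"}"; }

# apply_umask BASE MASK -> resulting mode, digit by digit: each mask digit
# names the bits to clear, so a base digit b becomes b & (7 - m), not b - m.
apply_umask() {
    b=$(last3 "$1"); m=$(last3 "$2"); out=""
    for i in 1 2 3; do
        bd=${b%"${b#?}"}; b=${b#?}      # next digit of the base mode
        md=${m%"${m#?}"}; m=${m#?}      # next digit of the mask
        out="$out$(( bd & (7 - md) ))"
    done
    printf '%s\n' "$out"
}

# created_mode MASK -> octal mode of a regular file created under MASK.
# Uses GNU "stat -c %a" (also in busybox); on BSD/macOS substitute "stat -f %Lp".
created_mode() {
    d=$(mktemp -d) || return 1
    ( umask "$1" && : > "$d/f" ) || return 1   # file is created with 666 & ~umask
    stat -c '%a' "$d/f"
    rm -rf "$d"
}

# Stand-alone run: predicted vs observed for the masks discussed above,
# plus 033, where naive subtraction would wrongly give 633.
for mask in 022 027 077 033; do
    printf 'umask %s: files %s, directories %s, observed file %s\n' \
        "$mask" "$(apply_umask 666 "$mask")" "$(apply_umask 777 "$mask")" \
        "$(created_mode "$mask" 2>/dev/null || echo '?')"
done
```

`apply_umask 777 MASK` predicts directory modes (and files that a compiler or `cp -p` creates with execute bits), `apply_umask 666 MASK` predicts ordinary files; `created_mode` observes only the file case because it creates the file with a shell redirection.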

getfacl/setfacl - Manage Access Control Lists

Display and set more detailed Access Control Lists (ACLs).

Command/Option - Description
getfacl [file] - Display ACLs for a file
setfacl -m u:[user]:[permissions] [file] - Set ACL for a specific user
setfacl -m g:[group]:[permissions] [file] - Set ACL for a specific group
setfacl -x u:[user] [file] - Remove ACL for a specific user
setfacl -b [file] - Remove all ACL entries
setfacl -R - Apply recursively to directory and its contents

Examples:

getfacl file.txt - Display ACLs for a file
setfacl -m u:user1:rw file.txt - Grant read/write permissions to user1
setfacl -m g:group1:r file.txt - Grant read permission to group1
setfacl -x u:user1 file.txt - Remove ACL entry for user1
setfacl -b file.txt - Remove all ACL entries
setfacl -R -m u:user1:rx directory/ - Recursively grant read/execute permissions to user1 for directory and contents
getfacl file1.txt | setfacl --set-file=- file2.txt - Copy ACLs from file1.txt to file2.txt
setfacl -d -m g:project:rw directory/ - Set default ACLs for newly created files in directory
setfacl -m m:rx file.txt - Set the ACL mask to r-x; the mask caps the effective rights of named users, named groups and the owning group, so an entry granting rw ends up effectively r-- (getfacl shows this as #effective:r--)
find /shared -type d -exec setfacl -d -m g:team:rwx {} \; - Set default team ACLs for shared directories
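The following is an added example, not part of the original page or of the acl package: it parses the text format `getfacl` prints and computes the effective rights of each mask-limited entry, which is what the `#effective:` comments in real `getfacl` output convey. The ACL text in `SAMPLE_ACL` is constructed (the file name, users and groups are invented), and `rwx_bits`, `bits_rwx` and `effective_perms` are hypothetical helper names. Unlike `getfacl`, which annotates only entries the mask actually reduces, this version reports every mask-limited entry.

```shell
#!/bin/sh
# Added example (not from the original page): parse getfacl output and
# compute the effective rights of each mask-limited entry. The ACL below is
# constructed for the demo; the helpers are ours, not part of the acl tools.

# Constructed getfacl output: bob has rwx on paper, but the mask caps him at r-x.
SAMPLE_ACL='# file: report.txt
# owner: alice
# group: project
user::rw-
user:bob:rwx
group::r--
group:auditors:rw-
mask::r-x
other::---'

# rwx_bits "rw-" -> 6
rwx_bits() {
    s=$1; n=0
    for w in 4 2 1; do
        c=${s%"${s#?}"}; s=${s#?}
        case $c in -) ;; *) n=$((n + w)) ;; esac
    done
    echo "$n"
}

# bits_rwx 5 -> "r-x"
bits_rwx() {
    n=$1; out=""
    for w in 4 2 1; do
        if [ $((n & w)) -ne 0 ]; then
            case $w in 4) out="${out}r" ;; 2) out="${out}w" ;; 1) out="${out}x" ;; esac
        else
            out="${out}-"
        fi
    done
    echo "$out"
}

# effective_perms ACL_TEXT -> one line per mask-limited entry:
#   "<entry> #effective:<rights>"
# The owner (user::) and other:: entries are never limited by the mask;
# named users, named groups and the owning group (group::) are.
effective_perms() {
    acl=$1
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\(...\)$/\1/p')
    if [ -z "$mask" ]; then mask=rwx; fi   # no mask entry: nothing is capped
    m=$(rwx_bits "$mask")
    printf '%s\n' "$acl" | while IFS= read -r line; do
        case $line in
            user:?*:???|group:*:???)
                rights=${line##*:}
                e=$(( $(rwx_bits "$rights") & m ))
                printf '%s #effective:%s\n' "$line" "$(bits_rwx "$e")"
                ;;
        esac
    done
}

# Stand-alone run against the constructed sample.
effective_perms "$SAMPLE_ACL"
```

On a real system the same function can be fed live output, e.g. `effective_perms "$(getfacl file.txt)"`, to see at a glance which grants a `setfacl -m m:...` mask has silently reduced.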

sudo - Execute Command as Privileged User

Execute commands as another user (typically root).

Option - Description
-u [user] - Execute command as specified user (default is root)
-g [group] - Execute command with the specified group as primary group
-i - Simulate initial login of the target user (sources the target user's login files)
-s - Run a non-login shell as the target user
-E - Preserve the invoking user's environment variables (subject to the sudoers policy)
-l - List allowed commands for current user
-v - Update timestamp (extend authentication cache)
-k - Invalidate timestamp (require re-authentication next time)

Examples:

sudo apt update - Run apt command as root
sudo -u www-data php script.php - Run PHP script as www-data user
sudo -i - Start a login shell as root
sudo -l - List allowed commands
sudo -s - Start a non-login shell as root (unlike -i, stays in the current directory and does not source root's login files)
sudo -E apt upgrade - Run command with current user's environment variables
sudo -k - Invalidate sudo authentication cache (require password next time)
sudo !! - Run the previous command with sudo (uses the shell's history expansion, so it works interactively but not in scripts)
sudo -u postgres psql - Connect to database as postgres user
sudo -g wheel command - Run command with specified group privileges