Linux Permissions

Users and Groups

Linux file and directory permissions are based on users and groups. A Linux user is an account on a Linux operating system that allows a person or a service to log in and interact with the system. There are two types of user accounts: regular users and system users. Regular users are for interactive use by an individual; system users are meant to run system services and usually have a low UID (below UID_MIN from /etc/login.defs, which is 1000 on most distributions) and a non-login shell such as /usr/sbin/nologin, so nobody can log in as them directly.

User management

Add a new user

sudo useradd -m username
  • -m creates a home directory (e.g. /home/username).
  • After creating, set a password:
sudo passwd username

Delete a user

sudo userdel -r username
  • -r removes the home directory and mail spool.

Modify a user

sudo usermod options username
  • Example: change login name:
sudo usermod -l newname oldname
  • Example: change home directory:
sudo usermod -d /new/home username

Group management

A Linux group organizes users. A group can contain multiple users and a user can be part of multiple groups. However, groups are not hierarchical: you can’t nest a group inside another group. Groups are important for managing permissions. Instead of allowing/forbidding access to directories/files for every single user, you set permissions at the group level and they apply to every member at once.

Add or delete a group

sudo groupadd groupname
sudo groupdel groupname

Add a user to a group

sudo usermod -aG groupname username
  • -a append, -G supplementary group(s). Always use the two together: -G on its own replaces the user’s whole supplementary group list, which silently drops the user from groups such as sudo or docker.
  • Group membership is read at login, so the user must log out and back in (or start a new session with newgrp groupname) before the change takes effect.

Change a user’s primary group

sudo usermod -g groupname username
  • Every user has one primary group and can belong to multiple supplementary groups.

Check which groups a user is in

groups username

or

id username

Useful Files (where this info lives)

  • /etc/passwd user accounts (name, UID, primary GID, home directory, login shell; the x in the password field means the hash lives in /etc/shadow)
  • /etc/shadow password hashes and ageing information (only root can read it)
  • /etc/group group definitions and supplementary memberships (primary group membership is not listed here; it comes from the GID field in /etc/passwd)

Accounts can also come from other sources (LDAP, SSSD) through NSS, so getent passwd username and getent group groupname show the merged view rather than only the local files.
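The following script is an added example, not part of the original tutorial, showing how the groups and id commands derive their answer from these files: the primary group comes from the GID field of /etc/passwd and the supplementary groups from the member lists in /etc/group. The passwd and group records are constructed sample data, and the UID_MIN of 1000 used to tell system users from regular ones is an assumption (check /etc/login.defs on your system).

```sh
#!/bin/sh
# Added example (not part of the original tutorial): resolve a user's
# groups the way `groups` and `id` do, from passwd- and group-style records.
# The records below are constructed sample data, not a real system.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1003:Bob:/home/bob:/bin/bash
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin'

GROUP_SAMPLE='root:x:0:
alice:x:1001:
students:x:1002:alice,bob
teachers:x:1003:alice
sudo:x:27:bob'

# user_groups USER : print the primary group (from the GID field of passwd)
# followed by every supplementary group whose member list names USER.
# Returns 1 if USER is not in passwd.
user_groups() {
    { printf '%s\n' "$PASSWD_SAMPLE"; echo '@@group'; printf '%s\n' "$GROUP_SAMPLE"; } |
    awk -F: -v user="$1" '
        /^@@group$/ { in_group = 1; next }
        !in_group {                         # passwd section: remember the primary GID
            if ($1 == user) { gid = $4; found = 1 }
            next
        }
        {                                   # group section: map GID -> name, collect memberships
            name_of_gid[$3] = $1
            n = split($4, members, ",")
            for (i = 1; i <= n; i++)
                if (members[i] == user) supp[++ns] = $1
        }
        END {
            if (!found) exit 1
            out = name_of_gid[gid]
            for (i = 1; i <= ns; i++)
                if (supp[i] != out) out = out " " supp[i]
            print out
        }'
}

# user_kind USER : "system" for UIDs below UID_MIN (assumed 1000 here, the
# usual value in /etc/login.defs), "regular" otherwise.
user_kind() {
    printf '%s\n' "$PASSWD_SAMPLE" |
    awk -F: -v user="$1" '$1 == user { print (($3 < 1000) ? "system" : "regular"); exit }'
}
```

user_groups alice prints alice students teachers, and user_groups bob prints teachers students sudo: bob’s primary group (GID 1003) is teachers even though bob does not appear on the teachers line of the group file. That is the detail that trips people up when they grep /etc/group to find out who is in a group.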

Linux File and Directory Permissions

1. Viewing Permissions with ls -l

When you run:

ls -l

You might see output like this:

-rw-r--r--  1 alice students  1234 Sep  7 12:00 notes.txt
drwxr-x---  2 bob   teachers  4096 Sep  7 11:30 projects

Breakdown of columns:

  1. File type & permissions: -rw-r--r-- is the file type followed by the nine permission bits.

    • - = regular file, d = directory, l = symbolic link.
  2. Links: number of hard links.

  3. Owner (user): who owns the file (alice).

  4. Group: group ownership (students).

  5. Size: file size in bytes.

  6. Date/Time: last modification.

  7. Name: filename.


2. Understanding Permissions (r, w, x)

Permissions are shown in three groups:

-rw-r--r--
 u  g  o
  • User (owner) first 3 characters (rw-)
  • Group next 3 characters (r--)
  • Others last 3 characters (r--)

What r, w, x mean:

  • For files:

    • r can read the file’s contents.
    • w can modify the file’s contents. Deleting or renaming a file is not controlled by the file’s own w bit but by the w bit of the directory that contains it.
    • x can execute the file (if it’s a program or script; a script also needs r so that the interpreter can read it).
  • For directories:

    • r can list the names in the directory (ls), but without x you cannot see their sizes, owners or permissions.
    • w can create, delete and rename entries in the directory (only together with x).
    • x can enter (cd) the directory and reach files inside it by name, even when r is missing.

In practice a directory needs x to be useful at all: r without x (r--) shows names only, and x without r (--x) lets you open a file whose name you already know but not discover others.

3. Setting Permissions

Symbolic Syntax

chmod u+x file.txt
  • u = user, g = group, o = others, a = all
  • + = add, - = remove, = = set exactly

Examples:

chmod g+w file.txt    # give group write access
chmod o-r file.txt    # remove read permission for others
chmod a=r file.txt    # set read-only for everyone

Octal Syntax

Permissions can also be expressed as numbers. Convert one permission group (r/w/x) to a number by writing it in binary: a 1 where the permission is set and a 0 where it is not.

  • r-x = 101
  • -w- = 010
  • rwx = 111
  • --- = 000

Three binary digits give a value from 0 to 7, so each group fits in exactly one octal digit (for a single digit octal and decimal agree). Another way to see it: r is worth 4, w is worth 2, x is worth 1, and you add up the ones that are set.

  • r-x = 101 = 4 + 1 = 5
  • -w- = 010 = 2
  • rwx = 111 = 4 + 2 + 1 = 7
  • --- = 000 = 0

You can then use three octal digits to set the permissions for user, group and others in one go.

Examples:

  • 644 rw-r--r-- (owner can read/write, group and others read-only)
  • 755 rwxr-xr-x (owner full, group and others can read/execute)
  • 700 rwx------ (only owner can access)

Command:

chmod 755 script.sh
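To check the conversion in both directions, here is an added example (not from the original page) written as shell functions. It goes one step beyond the three-digit form above: it also handles the s, S, t and T characters that ls prints for the setuid, setgid and sticky bits, which become a fourth leading octal digit (those bits are explained under the umask question later on).

```sh
#!/bin/sh
# Added example (not from the original tutorial): convert between the
# rwx string that ls -l prints and the octal mode that chmod takes,
# including the setuid/setgid/sticky characters (s, S, t, T).

# perm_to_octal STRING : e.g. rwxr-xr-x -> 0755, -rwsr-xr-x -> 4755.
# A 10-character field (with the leading file-type character) is accepted.
perm_to_octal() {
    s=$1
    if [ ${#s} -eq 10 ]; then s=${s#?}; fi        # drop the type character
    if [ ${#s} -ne 9 ]; then return 1; fi
    special=0 digits='' pos=0 v=0
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}                            # first character of $s
        s=${s#?}                                   # the rest
        case $((pos % 3)) in
            0) v=0; if [ "$c" = r ]; then v=4; fi ;;
            1) if [ "$c" = w ]; then v=$((v + 2)); fi ;;
            2)
                # lower-case s/t mean the execute bit is set too; upper case means it is not
                case $c in x|s|t) v=$((v + 1)) ;; esac
                case $c in
                    s|S) if [ $pos -eq 2 ]; then special=$((special + 4)); else special=$((special + 2)); fi ;;
                    t|T) special=$((special + 1)) ;;
                esac
                digits="$digits$v" ;;
        esac
        pos=$((pos + 1))
    done
    printf '%s%s\n' "$special" "$digits"
}

# octal_to_perm MODE : e.g. 644 -> rw-r--r--, 4755 -> rwsr-xr-x, 1777 -> rwxrwxrwt.
octal_to_perm() {
    n=$((0$1))                                     # leading 0: the shell parses it as octal
    special=$(( (n >> 9) & 7 ))
    out=''
    for shift in 6 3 0; do                         # user, group, others
        d=$(( (n >> shift) & 7 ))
        case $shift in
            6) sb=$((special & 4)); lc=s; uc=S ;;  # setuid is shown in the user slot
            3) sb=$((special & 2)); lc=s; uc=S ;;  # setgid in the group slot
            0) sb=$((special & 1)); lc=t; uc=T ;;  # sticky in the others slot
        esac
        if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $((d & 1)) -ne 0 ]; then
            if [ "$sb" -ne 0 ]; then out="$out$lc"; else out="${out}x"; fi
        else
            if [ "$sb" -ne 0 ]; then out="$out$uc"; else out="${out}-"; fi
        fi
    done
    printf '%s\n' "$out"
}
```

perm_to_octal -rwsr-xr-x prints 4755, and octal_to_perm 2640 prints rw-r-S---: the capital S tells you setgid is set on a file whose group has no execute bit, a combination you will occasionally meet when auditing a system.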

4. Recursive Permissions

Apply changes to all files and subdirectories inside a directory:

chmod -R 755 myfolder

Be careful! This changes everything inside, and it sets the execute bit on every regular file (documents, config files, private keys), not only on the directories that need x to be traversed. To give directories and files different modes, use the symbolic mode with a capital X, which chmod applies only to directories and to files that already have an execute bit, or run chmod through find with -type d and -type f.
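An added example (not the page’s own code) contrasting the two safer approaches just mentioned with a constructed sample tree in a scratch directory; nothing outside that directory is touched.

```sh
#!/bin/sh
# Added example (not the tutorial's own code): recursive permission fixes
# that do not turn every data file into an executable.

# mode_string PATH : the 10-character type+permission field from ls -ld.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# harden_tree DIR : directories 755, regular files 644, nothing else touched.
# Unlike chmod -R 755, no data file becomes executable; note that it also
# strips the execute bit from scripts, so use it for data trees only.
harden_tree() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# restore_tree_preserving_exec DIR : one symbolic chmod with the capital X.
# X grants execute only to directories and to files that already have an
# execute bit, so scripts stay runnable and plain files stay non-executable.
restore_tree_preserving_exec() {
    chmod -R u=rwX,go=rX "$1"
}

# build_demo_tree DIR : constructed sample tree with deliberately loose modes
# (world-writable directory, world-writable data file, world-writable script).
build_demo_tree() {
    mkdir -p "$1/sub"
    printf 'hello\n' > "$1/notes.txt"
    printf '#!/bin/sh\necho hi\n' > "$1/run.sh"
    chmod 777 "$1/sub"
    chmod 666 "$1/notes.txt"
    chmod 777 "$1/run.sh"
}
```

After restore_tree_preserving_exec the script is -rwxr-xr-x and the text file -rw-r--r--; after harden_tree both are -rw-r--r-- while the directory stays drwxr-xr-x. Pick the variant that matches what the tree contains.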


5. Changing Group Ownership with chgrp

Each file/directory has an owner and a group. The owner of a file can change its group, but only to a group the owner is a member of; root can assign any group.

  • Change the group:
chgrp teachers notes.txt
  • Recursive (apply to folder and everything inside):
chgrp -R teachers projects/

6. Changing File Ownership with chown

Changing the owner requires root (the CAP_CHOWN capability). Ordinary users cannot give their files away, because that would let them dodge disk quotas and disown files they created.

  • Change the owner:
chown alice notes.txt
  • Change both owner and group:
chown alice:teachers notes.txt
  • Recursive (apply to folder and everything inside):
chown -R alice:teachers projects/

7. Default Permissions with umask

When a new file or directory is created, it gets default permissions.
The umask command controls which permission bits are turned off by default.

  • Show current umask value:
umask
  • Example: If umask is 0022
    • New files will get 644 (rw-r--r--)
    • New directories will get 755 (rwxr-xr-x)

💡 How it works:

  1. Start with the mode the creating program asks for, which is normally:
    • Files: 666 (rw-rw-rw-) → no execute by default
    • Directories: 777 (rwxrwxrwx)
  2. Clear every bit that is set in the umask (final = mode AND NOT umask). This is a bitwise mask, not arithmetic subtraction: with umask 0033 a new file still gets 644, not 633, because the w bits being masked for group and others were never set in a way that subtraction would model.
  • Temporarily change umask (only for the current shell session and the processes it starts):
umask 0007

This would make:

  • New files → 660 (rw-rw----)
  • New directories → 770 (rwxrwx---)
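An added example (not part of the original page) that computes the result of a umask with the mask operation and then checks it against what the kernel actually does when a file and a directory are created in a scratch directory. The inputs are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the original tutorial): predict and verify the
# permissions a new file or directory receives under a given umask.

# effective_mode BASE UMASK : BASE AND NOT UMASK, printed as three octal digits.
# Both arguments are octal, exactly as the umask command prints them.
effective_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# created_modes UMASK : create one file and one directory under UMASK in a
# scratch directory and print their permission strings (file first).
# The umask is changed in a subshell so the caller's umask is untouched.
created_modes() {
    scratch=$(mktemp -d) || return 1
    ( umask "$1" && : > "$scratch/f" && mkdir "$scratch/d" ) || return 1
    printf '%s %s\n' "$(ls -ld "$scratch/f" | cut -c2-10)" \
                     "$(ls -ld "$scratch/d" | cut -c2-10)"
    rm -rf "$scratch"
}
```

effective_mode 666 033 prints 644 (subtraction would have given 633), and created_modes 027 prints rw-r----- rwxr-x---, the usual choice on hosts where group members may read what each other creates but nobody else may.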

Question

Why does umask have four digits, when we learned that permissions only consist of three groups (user/group/others)?

In reality, there’s also a fourth “special” set of bits at the front, which is why the umask is often displayed as four octal digits.

Permissions are stored in a 16-bit field (st_mode): 4 bits encode the file type and the remaining 12 are the permission bits, which we write as four octal digits:

[ special | user | group | others ]

Special bits (first octal digit):

  • setuid (4xxx) – the program runs with the effective user ID of the file’s owner instead of the user who started it (this is how /usr/bin/passwd, owned by root, can update /etc/shadow). Linux honours setuid only on native executables and ignores it on scripts.
  • setgid (2xxx) – on a file, the program runs with the file’s group; on a directory, new files and subdirectories inherit the directory’s group instead of the creator’s primary group.
  • sticky bit (1xxx) – on a directory, an entry can be deleted or renamed only by the file’s owner, the directory’s owner or root, even when the directory is world-writable (which is why /tmp is 1777).

In ls -l output the special bits replace the x of the corresponding group: s for setuid (user slot) and setgid (group slot), t for sticky (others slot). A capital S or T means the special bit is set but the execute bit underneath it is not.

So for example:

-rwsr-xr-x  -> 4755
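An added example (not from the original tutorial) of the audit a pentester or a hardening script runs for these bits, using find -perm. The sample tree with a setuid helper, a sticky directory and a world-writable directory is constructed in a scratch directory; running the same find against / on a real host is the actual check.

```sh
#!/bin/sh
# Added example (not from the original tutorial): audit a tree for the
# special bits. setuid/setgid programs are the classic local privilege
# escalation target, and a world-writable directory without the sticky
# bit lets any user delete or replace other users' files in it.
# On a real host: find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null

# find_special_bits DIR : regular files with setuid or setgid, then directories
# with the sticky bit. -perm -MODE matches when every bit in MODE is set.
find_special_bits() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
    find "$1" -type d -perm -1000 -print
}

# world_writable_no_sticky DIR : directories anyone can write to that lack
# the sticky bit (a real /tmp is 1777 and would not be listed).
world_writable_no_sticky() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print
}

# build_audit_tree DIR : constructed sample tree with one setuid helper,
# one plain executable, a sticky tmp-style directory and an unsafe drop box.
build_audit_tree() {
    mkdir -p "$1/bin" "$1/tmp" "$1/drop"
    printf '#!/bin/sh\nid\n' > "$1/bin/helper"
    printf 'data\n' > "$1/bin/plain"
    chmod 4755 "$1/bin/helper"
    chmod 755 "$1/bin/plain"
    chmod 1777 "$1/tmp"
    chmod 777 "$1/drop"
}
```

On the sample tree find_special_bits lists bin/helper and tmp but not bin/plain (executable, but no special bit), and world_writable_no_sticky lists only drop. Every setuid or setgid binary you find on a real system should be either a known distribution package file or something you can explain.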

Umask in this context

The umask works as a “mask” that removes permission bits from the mode a program asks for.
On Linux the umask(2) system call keeps only the nine rwx bits of the value it is given, so the leading digit of the umask is always 0.

  • That digit is shown only so the umask lines up with four-digit modes such as 4755; the setuid, setgid and sticky bits are never removed (nor added) by the umask. Programs that want them set them explicitly with chmod after creating the file or directory.

Summary Table

  Symbol  Meaning (File)      Meaning (Directory)
  r       Read contents       List entry names (ls)
  w       Modify contents     Add/remove/rename entries (needs x too)
  x       Run as program      Enter (cd) and access entries

  • Use chmod to change permissions.
  • Use octal (755) or symbolic (u+r).
  • Add -R for recursive changes (with 755 this makes every file executable).
  • Use chgrp to change group ownership and chown (root only) to change the owner.