Understanding File Permissions and Ownership in AlmaLinux

File permissions and ownership form the cornerstone of Linux security. In AlmaLinux, understanding how to properly manage file permissions is essential for maintaining system security, preventing unauthorized access, and ensuring smooth operation of applications and services. This comprehensive guide will teach you everything you need to know about file permissions and ownership in AlmaLinux.

Linux Permission Fundamentals

Linux implements a discretionary access control (DAC) system where every file and directory has an owner and a set of permission rules that determine who can read, write, or execute it.

The Permission Model

Linux uses a three-tier permission model:

1. Owner (User): The user who owns the file
2. Group: The group that owns the file
3. Others: Everyone else on the system

Each tier can have three types of permissions:

1. Read (r): View file contents or list directory contents
2. Write (w): Modify file contents or create/delete files in directory
3. Execute (x): Run file as program or access directory

Viewing Permissions

Use the ls -l command to view permissions:

$ ls -l /home/user/document.txt
-rw-r--r-- 1 john users 1234 Jul 26 10:30 document.txt

Breaking down the output:

• -rw-r--r--: Permission string
• 1: Number of hard links
• john: Owner
• users: Group
• 1234: File size in bytes
• Jul 26 10:30: Last modification time
• document.txt: Filename

Understanding File Ownership

Every file in Linux has two ownership attributes:

1. User Owner: The individual user who owns the file
2. Group Owner: The group that owns the file

Viewing Ownership

# Detailed view with ls
ls -l filename

# Show numeric UIDs and GIDs
ls -ln filename

# Using stat command
stat filename

# Show only ownership
ls -l filename | awk '{print $3, $4}'

How Ownership Works

When a user creates a file:

• The user becomes the owner
• The user’s primary group becomes the group owner
• Permissions are set according to the umask

Permission Types and Notation

Symbolic Notation

The permission string consists of 10 characters:

-rwxrwxrwx
│├─┼─┼─┤├─┼─┼─┤├─┼─┼─┤
│ u   g   o
│ owner group others
│
└─ file type

File type indicators:

• -: Regular file
• d: Directory
• l: Symbolic link
• c: Character device
• b: Block device
• p: Named pipe
• s: Socket

Numeric (Octal) Notation

Permissions can be represented as octal numbers:

• Read (r) = 4
• Write (w) = 2
• Execute (x) = 1

Examples:

• rwx = 4 + 2 + 1 = 7
• rw- = 4 + 2 + 0 = 6
• r-x = 4 + 0 + 1 = 5
• r-- = 4 + 0 + 0 = 4

Common permission sets:

• 755 = rwxr-xr-x (directories, executables)
• 644 = rw-r--r-- (regular files)
• 600 = rw------- (private files)
• 777 = rwxrwxrwx (not recommended)

Working with chmod

The chmod command changes file permissions.

Symbolic Mode

# Add execute permission for owner
chmod u+x filename

# Remove write permission for group
chmod g-w filename

# Set exact permissions for others
chmod o=r filename

# Multiple changes
chmod u+x,g-w,o=r filename

# Add read permission for all
chmod a+r filename

# Remove all permissions for others
chmod o-rwx filename

Numeric Mode

# Set permissions to rwxr-xr-x
chmod 755 filename

# Set permissions to rw-r--r--
chmod 644 filename

# Set permissions to rw-------
chmod 600 filename

# Private directory (rwx------)
chmod 700 directory

Recursive Changes

# Change permissions recursively
chmod -R 755 directory/

# Change only files
find directory -type f -exec chmod 644 {} \;

# Change only directories
find directory -type d -exec chmod 755 {} \;

Special chmod Options

# Preserve root directory
chmod --preserve-root -R 755 /

# Copy permissions from another file
chmod --reference=source_file target_file

# Verbose output
chmod -v 755 filename

# Report only changes
chmod -c 755 filename

Managing Ownership with chown and chgrp

Using chown

# Change owner
sudo chown newuser filename

# Change owner and group
sudo chown newuser:newgroup filename

# Change only group (colon prefix)
sudo chown :newgroup filename

# Recursive ownership change
sudo chown -R newuser:newgroup directory/

# Copy ownership from another file
sudo chown --reference=source_file target_file

Using chgrp

# Change group ownership
sudo chgrp newgroup filename

# Recursive group change
sudo chgrp -R newgroup directory/

# Verbose output
sudo chgrp -v newgroup filename

Practical Examples

# Change ownership of web files
sudo chown -R apache:apache /var/www/html/

# Set user home directory ownership
sudo chown -R username:username /home/username/

# Fix ownership after copying files
sudo chown --reference=/home/user/original.txt /home/user/copy.txt

Special Permissions

Linux has three special permission bits that provide additional functionality:

SUID (Set User ID)

When set on an executable file, it runs with the privileges of the file owner.

# Set SUID
chmod u+s filename
chmod 4755 filename  # 4 in the first position

# Remove SUID
chmod u-s filename

# Find SUID files
find / -perm -4000 -type f 2>/dev/null

Common SUID programs:

• /usr/bin/passwd
• /usr/bin/su
• /usr/bin/sudo

SGID (Set Group ID)

On files: Executes with the privileges of the group owner On directories: New files inherit the directory’s group

# Set SGID
chmod g+s filename
chmod 2755 directory  # 2 in the first position

# Remove SGID
chmod g-s filename

# Find SGID files
find / -perm -2000 -type f 2>/dev/null

Sticky Bit

On directories: Only file owner can delete their files

# Set sticky bit
chmod +t directory
chmod 1755 directory  # 1 in the first position

# Remove sticky bit
chmod -t directory

# Find directories with sticky bit
find / -perm -1000 -type d 2>/dev/null

Common sticky bit usage:

• /tmp directory
• /var/tmp directory

Combined Special Permissions

# SUID + SGID + Sticky
chmod 7755 directory  # Not common

# SUID + SGID
chmod 6755 filename

# View special permissions
ls -l filename
# -rwsr-sr-t  (all special bits set)

Default Permissions and umask

Understanding umask

The umask determines default permissions for new files and directories:

# View current umask
umask

# View umask in symbolic form
umask -S

# Set umask (temporary)
umask 022

# Set umask (permanent) - add to ~/.bashrc
echo "umask 022" >> ~/.bashrc

How umask Works

Default permissions before umask:

• Files: 666 (rw-rw-rw-)
• Directories: 777 (rwxrwxrwx)

Umask subtracts from these defaults:

# umask 022
# Files: 666 - 022 = 644 (rw-r--r--)
# Dirs:  777 - 022 = 755 (rwxr-xr-x)

# umask 077
# Files: 666 - 077 = 600 (rw-------)
# Dirs:  777 - 077 = 700 (rwx------)

System-wide umask

# Edit system-wide umask
sudo nano /etc/profile
# or
sudo nano /etc/bashrc

# For specific users
echo "umask 077" >> /home/username/.bashrc

Access Control Lists (ACLs)

ACLs provide more fine-grained permission control beyond the traditional model.

Installing ACL Support

# Install ACL utilities
sudo dnf install acl

# Check if filesystem supports ACLs
mount | grep acl

Working with ACLs

# View ACLs
getfacl filename

# Set ACL for specific user
setfacl -m u:username:rwx filename

# Set ACL for specific group
setfacl -m g:groupname:rx filename

# Remove specific ACL
setfacl -x u:username filename

# Remove all ACLs
setfacl -b filename

# Set default ACL for directory
setfacl -d -m u:username:rwx directory/

# Copy ACLs from one file to another
getfacl file1 | setfacl --set-file=- file2

ACL Examples

# Grant read access to specific user
setfacl -m u:john:r-- document.txt

# Grant different permissions to multiple users
setfacl -m u:alice:rw-,u:bob:r-- file.txt

# Set default ACLs for new files in directory
setfacl -d -m g:developers:rwx /project/

# Recursive ACL application
setfacl -R -m g:webteam:rx /var/www/

# Backup and restore ACLs
getfacl -R /directory > acl_backup.txt
setfacl --restore=acl_backup.txt

File Attributes

Extended attributes provide additional file properties.

Using chattr and lsattr

# View attributes
lsattr filename

# Make file immutable (not even root can modify)
sudo chattr +i filename

# Remove immutable attribute
sudo chattr -i filename

# Make file append-only
sudo chattr +a logfile

# Set multiple attributes
sudo chattr +iA filename

Common Attributes

• i: Immutable - file cannot be modified
• a: Append only - data can only be appended
• d: No dump - file is skipped by dump program
• A: No atime updates - access time is not updated
• S: Synchronous updates - changes are written immediately
• u: Undeletable - file can be recovered after deletion

Security Best Practices

1. Principle of Least Privilege

# Web files - readable by web server, writable by owner only
sudo chown -R developer:apache /var/www/html/
sudo find /var/www/html -type f -exec chmod 640 {} \;
sudo find /var/www/html -type d -exec chmod 750 {} \;

2. Secure Sensitive Files

# Private SSH keys
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
chmod 700 ~/.ssh/

# Configuration files with passwords
chmod 600 /etc/myapp/config.conf
chown appuser:appuser /etc/myapp/config.conf

3. Regularly Audit Permissions

# Find world-writable files
find / -perm -002 -type f 2>/dev/null

# Find world-writable directories
find / -perm -002 -type d 2>/dev/null

# Find SUID/SGID files
find / -perm /6000 -type f 2>/dev/null

# Find files with no owner
find / -nouser -o -nogroup 2>/dev/null

4. Secure Script Practices

#!/bin/bash
# Script to set secure permissions

# Set secure umask
umask 077

# Create files with restricted permissions
touch sensitive_file
chmod 600 sensitive_file

# Create directories with restricted access
mkdir -m 700 private_directory

Troubleshooting Permission Issues

Common Problems and Solutions

1. Permission Denied Errors

# Check current permissions
ls -l problematic_file

# Check effective user
whoami
id

# Test access
test -r filename && echo "Can read" || echo "Cannot read"
test -w filename && echo "Can write" || echo "Cannot write"
test -x filename && echo "Can execute" || echo "Cannot execute"

2. Web Server Permission Issues

# Fix web directory permissions
sudo chown -R apache:apache /var/www/html/
sudo find /var/www/html -type d -exec chmod 755 {} \;
sudo find /var/www/html -type f -exec chmod 644 {} \;

# For upload directories
sudo chmod 775 /var/www/html/uploads/
sudo chown apache:developers /var/www/html/uploads/

3. Script Execution Problems

# Make script executable
chmod +x script.sh

# Check shebang line
head -1 script.sh

# Check script interpreter
which bash

4. Shared Directory Issues

# Create shared directory with SGID
sudo mkdir /shared
sudo chgrp projectteam /shared
sudo chmod 2775 /shared

# Ensure proper umask for group collaboration
echo "umask 002" >> /etc/profile.d/shared.sh

Diagnostic Commands

# Detailed file information
stat filename

# Check process permissions
ps aux | grep process_name

# Check effective permissions
su - username -c "test -r /path/to/file && echo 'Can read'"

# Trace permission issues
strace -e open,access command 2>&1 | grep -i "permission denied"

Advanced Topics

SELinux Contexts

AlmaLinux uses SELinux for additional security:

# View SELinux context
ls -Z filename

# Restore default SELinux context
sudo restorecon -v filename

# Recursively restore contexts
sudo restorecon -Rv /directory/

# Change SELinux context
sudo chcon -t httpd_sys_content_t /var/www/html/index.html

Capabilities

Linux capabilities provide fine-grained privileges:

# View file capabilities
getcap filename

# Set capability
sudo setcap cap_net_bind_service=+ep /usr/bin/program

# Remove capabilities
sudo setcap -r filename

# List all capabilities
man capabilities

Extended Attributes

# View extended attributes
getfattr -d filename

# Set extended attribute
setfattr -n user.comment -v "Important file" filename

# Remove extended attribute
setfattr -x user.comment filename

Bind Mounts with Different Permissions

# Create read-only bind mount
sudo mount --bind -o ro /source /destination

# Remount with different permissions
sudo mount -o remount,ro /destination

Scripts and Automation

Permission Audit Script

#!/bin/bash
# permission_audit.sh - Audit file permissions

echo "=== Permission Audit Report ==="
echo "Date: $(date)"
echo

echo "=== World-writable files ==="
find / -xdev -perm -002 -type f 2>/dev/null | head -20

echo -e "\n=== SUID files ==="
find / -xdev -perm -4000 -type f 2>/dev/null | head -20

echo -e "\n=== SGID files ==="
find / -xdev -perm -2000 -type f 2>/dev/null | head -20

echo -e "\n=== Files with no owner ==="
find / -xdev -nouser -o -nogroup 2>/dev/null | head -20

Bulk Permission Fix Script

#!/bin/bash
# fix_permissions.sh - Fix common permission issues

# Fix home directories
for user_home in /home/*; do
    if [ -d "$user_home" ]; then
        username=$(basename "$user_home")
        echo "Fixing permissions for $username"
        sudo chown -R "$username:$username" "$user_home"
        sudo chmod 755 "$user_home"
        sudo chmod 700 "$user_home/.ssh" 2>/dev/null
        sudo chmod 600 "$user_home/.ssh/id_rsa" 2>/dev/null
    fi
done

# Fix web directories
if [ -d /var/www ]; then
    echo "Fixing web directory permissions"
    sudo chown -R apache:apache /var/www/html
    sudo find /var/www/html -type d -exec chmod 755 {} \;
    sudo find /var/www/html -type f -exec chmod 644 {} \;
fi

Conclusion

Understanding file permissions and ownership is fundamental to Linux system administration. Proper permission management ensures:

• System security
• Data privacy
• Application functionality
• Multi-user collaboration

Key takeaways:

• Always follow the principle of least privilege
• Regularly audit file permissions
• Use ACLs for complex permission requirements
• Understand special permissions and their implications
• Test permission changes before applying broadly
• Document permission schemes for critical systems

Remember that permissions are your first line of defense against unauthorized access. Take time to understand and properly implement them in your AlmaLinux environment.