File permission and ownership commands


  • u=user (owner), g=group, o=others (world), a=all
  • r=read (4); w=write (2); x=execute (1)
  • 1=x; 2=w; 4=r; 5=rx; 6=rw; 7=rwx
  • P.S. For a directory, read and execute (a+rx) permissions need to be granted to a user to list its files and cd into it.


  • chmod 755 file            (User -> rwx; Group -> rx; Others -> rx)
  • chmod -R 755 dir          (Apply permission recursively)
  • chmod -R a+rwX dir        (Capital X: add execute only to directories and to files that already have an execute bit)
  • chmod uo+x,g-w file       (User & Others -> add execute; Group -> remove write)
  • chmod a+rx file           (All -> add read and execute)
  • chmod u=r,g=w,o=x file
  • chmod ug=x,o=-x file
  • chmod u+s|4777 file       (setuid bit -> execute as owner)
    • -rwSrwxrwx. 1 user user 0 Oct 26 11:44 file
  • chmod g+s|2777 dir        (setgid bit -> child files/dirs get the same group ownership)
    • drwxrwsrwx. 1 user user 0 Oct 26 11:44 dir
  • chmod o+t|1777 dir        (sticky bit -> prevents other users from deleting files)
    • drwxrwxrwt. 1 user user 0 Oct 26 11:44 dir


  • chown user:grp dir        (Changes user and group ownership)
  • chown user file           (Changes user ownership)
  • chown :grp dir            (Changes group ownership)
  • chown -R user:grp dir     (Changes user and group recursively)


  • chgrp grp file            (Changes group of a file)
  • chgrp -R grp dir          (Changes group recursively)

umask (Get or set the system’s file mode creation mask)

  • umask                (Shows octal value)
  • umask -S           (Shows symbolic value)
  • umask 0022      (Sets umask value)
  • Default value -> 0002
  • Default Permissions:
    • File      -> 0666 (default) – 0002 (umask) = 0664
    • Directory -> 0777 (default) – 0002 (umask) = 0775
  • Change umask persistently for current user:
    • echo "umask 0007" >> ~/.bashrc
  • Change umask for all users persistently in /etc/bashrc and /etc/profile:
    if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
        umask 0007
    fi
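
The umask arithmetic above and the capital X of "chmod -R a+rwX", checked in a scratch directory. This is an added example, not part of the original cheat sheet; it assumes GNU coreutils (stat -c, mktemp -d), the function names are made up for illustration, and it uses a+rX rather than a+rwX so nothing becomes world-writable. It also goes one step beyond the page: the umask clears bits rather than subtracting, which only shows with a mask such as 0033.

```shell
#!/bin/sh
# Added example; assumes GNU coreutils. Everything happens in mktemp scratch dirs.

# mode_after_umask MASK file|dir -> octal mode of an object created under MASK.
mode_after_umask() {
    tmp=$(mktemp -d) || return 1
    (
        umask "$1"    # subshell, so the caller's own umask is left untouched
        if [ "$2" = dir ]; then mkdir "$tmp/new"; else : > "$tmp/new"; fi
    )
    stat -c '%a' "$tmp/new"
    rm -rf "$tmp"
}

# capital_x_modes -> modes of a directory, an executable file and a data file
# after "chmod -R a+rX"; all three start out accessible to the owner only.
capital_x_modes() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/tree/sub"
    : > "$tmp/tree/sub/run.sh"
    : > "$tmp/tree/sub/data.txt"
    chmod 700 "$tmp/tree" "$tmp/tree/sub" "$tmp/tree/sub/run.sh"
    chmod 600 "$tmp/tree/sub/data.txt"
    chmod -R a+rX "$tmp/tree"
    # Unquoted on purpose: joins the three lines of stat output with spaces.
    echo $(stat -c '%a' "$tmp/tree/sub" "$tmp/tree/sub/run.sh" "$tmp/tree/sub/data.txt")
    rm -rf "$tmp"
}

# The page's defaults: new files start from 0666, new directories from 0777.
echo "umask 0002: file=$(mode_after_umask 0002 file) dir=$(mode_after_umask 0002 dir)"
echo "umask 0007: file=$(mode_after_umask 0007 file) dir=$(mode_after_umask 0007 dir)"

# The mask clears bits (mode & ~umask); it is not a subtraction.
# 0666 with umask 0033 yields 0644, whereas 0666 - 0033 would read 0633.
echo "umask 0033: file=$(mode_after_umask 0033 file)"

# Order: directory, already-executable file, plain data file.
echo "after chmod -R a+rX: $(capital_x_modes)"
```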

setfacl and getfacl: (Add and view ACL permissions on files and directories)

  • getfacl file|dir                    (View ACL permissions for a file or dir)
  • setfacl -[d]m u:usr:rwx file|dir    (Add ACL permissions for a user; -d: default)
  • setfacl -[d]m g:grp:rwx file|dir    (Add ACL permissions for a grp)
  • setfacl -[d]x u:user file|dir       (Remove ACL permissions for a user)
  • setfacl -[d]x g:grp file|dir        (Remove ACL permissions for a grp)
  • setfacl -k /dir                     (Remove all default ACLs)
  • setfacl -b -R file|dir              (Remove all ACL permissions recursively)
  • tune2fs -l /dev/sdb1 | grep -i "Default mount options:"   (ext4 -> user_xattr acl)

lsattr and chattr (Get and set extended attributes)

  • chattr +|-ia file         (Add/Remove immutable (i) & append-only (a) attributes)
  • lsattr   file

SELinux: (Security-Enhanced Linux)

  • SELinux modes: (/etc/selinux/config OR /etc/sysconfig/selinux)
    • Enforcing:   SELinux security policy is enforced and operative.
    • Permissive: SELinux is enabled but only prints audits and warnings.
    • Disabled:     No SELinux policy is loaded.
  • sestatus -v|-b; getenforce
  • setenforce Enforcing (1)|Permissive (0)
  • ls -Z /tmp, ps axZ
  • semanage:  (SELinux Policy Management tool)
    • SELinux File Contexts:
      • semanage fcontext -at httpd_sys_content_t "/dir(/.*)?"
        • restorecon -rvF /dir        (Must be run to update context changes)
      • semanage fcontext -l[C]                    (Lists all; -C customized only)
      • semanage fcontext -d "/dir(/.*)?"          (Delete file context rule)
      • semanage fcontext -D                       (Delete all customized contexts)
    • SELinux Boolean Context:
      • semanage boolean -m httpd_enable_homedirs --on|--off
      • semanage boolean -l[C] | grep homedir      (List all; -C customized only)
      • semanage boolean -D                        (Delete all customized contexts)
    • SELinux Port Context:
      • semanage port -mt http_port_t -p tcp 8888
      • semanage port -l[C] | grep http            (List all; -C customized only)
      • semanage port -d -p tcp 88                 (Delete port context)
      • semanage port -D                           (Delete all customized contexts)
  • chcon:  (Changes file context temporarily; does NOT survive restorecon or relabel)
    • chcon -t httpd_sys_content_t /var/www/html/file.html
    • chcon -R --reference=/var/www/html /http     (Apply file context from ref dir)
  • restorecon:  (Restores SELinux context from /etc/selinux/targeted/contexts/files/*)
    • restorecon -v file
    • restorecon -rvF dir 
  • getsebool -a  [ssh_chroot_rw_homedirs]
  • setsebool  ssh_chroot_rw_homedirs=on|off   [-P]
  • seinfo   -l | -t                                              (-t-> show all types)  
  • sesearch                                                     (package: setools-console)
  • sealert -l uuid
  • Kernel parameters:
    • selinux=1|0
    • enforcing=1|0
  • Config:
    • /etc/selinux/config
  • Man pages:
    • semanage-fcontext(8),  semanage-boolean(8), semanage-port(8)

About Ishtiaque

I am an IBM Certified Infrastructure Systems Architect, Linux Foundation Certified System Administrator, Oracle Certified Programmer in Java and Web Component Developer, and TOGAF 9 certified, with over 10 years of support and development experience in IBM middleware software and Java. Additionally, I have a sound grip on databases and OpenStack administration. I hold the following certifications: IBM Certified Infrastructure Systems Architect; Linux Foundation Certified System Administrator (LFCS); TOGAF 9 Certified; Oracle Certified Expert, Java EE6 Web Component Developer; Oracle Certified Professional – Java 6 Programmer; ITIL v3 Foundation Certified; IBM Certified Solution Architect – Cloud Computing Infrastructure V1; IBM Certified System Administrator – WebSphere Portal V8, V7, V6.1, V6; IBM Certified System Administrator – WebSphere Application Server V7, V6.1; IBM Certified System Administrator – AIX V7; IBM Certified System Administrator – WebSphere MQ V7; IBM Certified Deployment Professional – Business Process Manager Advanced V7.5; IBM Certified Solution Advisor – Cloud Computing Architecture V3; IBM Certified Solution Developer – WebSphere Portal V5.1.