Learn how to configure secure Linux file permissions using chmod, set default permissions with umask, and implement proper access control to prevent security vulnerabilities while fixing permission denied errors.
Prerequisites
- Root or sudo access
- Basic command line knowledge
What this solves
Linux file permissions control who can read, write, or execute files and directories on your system. Misconfigured permissions can lead to security vulnerabilities, application failures, or the dreaded "permission denied" errors. This tutorial teaches you how to configure secure default permissions with umask, set proper file and directory permissions with chmod, and implement access control best practices that protect your system without breaking functionality.
Understanding Linux permissions
Linux uses a three-tier permission system: owner (user), group, and others. Each tier has three permission types: read (r/4), write (w/2), and execute (x/1). Permissions are displayed as a 10-character string like -rwxr-xr-- where the first character indicates file type, followed by three groups of rwx permissions.
The numeric notation combines these values: 7 (rwx), 6 (rw-), 5 (r-x), 4 (r--), 3 (-wx), 2 (-w-), 1 (--x), 0 (---). Common secure permissions include 644 for files (owner read/write, group/others read-only) and 755 for directories (owner full access, group/others read/execute).
Step-by-step configuration
Check current umask settings
The umask command sets default permissions for newly created files and directories. Check your current umask value and understand how it affects new file creation.
```bash
# Show the current umask, numerically and symbolically
umask
umask -S

# Create a throwaway file and directory to see the modes they receive
touch test-file
ls -l test-file
mkdir test-dir
ls -ld test-dir
```
The numeric umask is a bit mask: every permission bit set in the umask is removed from the maximum permissions a new object can receive (666 for files, 777 for directories), so the result is a masking operation rather than plain arithmetic subtraction. A umask of 022 creates files with 644 permissions and directories with 755 permissions.
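The following added example (not part of the original tutorial) makes the masking rule concrete: it predicts the mode a new file or directory gets under a given umask with a bitwise AND, then creates real objects under that umask in a temporary directory and compares. It assumes GNU `stat` (Linux) and `mktemp`.

```shell
# mode_after_umask <base-octal> <umask-octal> -> resulting octal mode.
# A leading 0 makes the shell read both arguments as octal; the umask bits are
# cleared with AND-NOT, which is why umask 027 yields 640 for files, not 639.
mode_after_umask() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

file_mode_for_umask() { mode_after_umask 666 "$1"; }   # files start from 666
dir_mode_for_umask()  { mode_after_umask 777 "$1"; }   # directories from 777

# demo_umask <umask>: create a file and a directory under that umask inside a
# scratch directory, print predicted vs. actual modes, succeed only if they agree.
demo_umask() {
    local um=$1 tmp actual_f actual_d
    tmp=$(mktemp -d) || return 1
    (
        umask "$um"          # only affects this subshell
        touch "$tmp/f"
        mkdir "$tmp/d"
    )
    actual_f=$(stat -c '%a' "$tmp/f")   # GNU stat prints the octal mode
    actual_d=$(stat -c '%a' "$tmp/d")
    printf 'umask %s: file predicted %s actual %s, dir predicted %s actual %s\n' \
        "$um" "$(file_mode_for_umask "$um")" "$actual_f" \
        "$(dir_mode_for_umask "$um")" "$actual_d"
    rm -rf "$tmp"
    [ "$actual_f" = "$(file_mode_for_umask "$um")" ] &&
    [ "$actual_d" = "$(dir_mode_for_umask "$um")" ]
}

demo_umask 022
demo_umask 027
```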
Configure secure system-wide umask
Set a secure default umask for all users by modifying the system login configuration. This ensures new files are created with appropriate permissions.
```bash
# /etc/login.defs: default umask applied to new login sessions
UMASK 022

# Alternative: more restrictive for security-sensitive environments
# UMASK 027
```
Update the profile configuration to apply umask settings for interactive shells.
```bash
# /etc/profile: secure default umask for interactive login shells
umask 022

# Optional: expose the value to scripts. Setting this variable does not itself
# change the umask; only the umask builtin above does.
export UMASK=022
```
Configure user-specific umask
Individual users can override the system umask in their shell profile. Add umask settings to the user's profile for consistent permission defaults.
```bash
# ~/.bashrc (or ~/.profile): personal umask, more restrictive than the system default
umask 027

# For shared development environments where group members need write access
# umask 002
```
Apply the changes immediately without logging out.
```bash
source ~/.bashrc
umask
echo "Current umask: $(umask)"
```
Set secure file permissions
Configure appropriate permissions for different file types. Never use chmod 777 as it grants full access to all users on the system.
```bash
# Regular files - owner read/write, group/others read-only
chmod 644 /path/to/regular-file.txt

# Executable files - owner read/write/execute, group/others read/execute
chmod 755 /path/to/script.sh

# Configuration files - owner read/write, group read, others no access
chmod 640 /etc/myapp/config.conf
```
Set secure directory permissions
Directories require execute permission for access. Configure directory permissions to control who can enter and list contents.
```bash
# Standard directories - owner full access, group/others read/execute
chmod 755 /path/to/directory

# Private directories - owner full access only
chmod 700 /path/to/private-directory

# Shared group directories - owner/group full access, others read/execute
chmod 775 /path/to/shared-directory
```
Configure ownership for web applications
Web servers need proper ownership to read files and write logs. Set correct ownership first, then apply minimal permissions.
```bash
# Set ownership for web content
sudo chown -R www-data:www-data /var/www/html

# Directories need execute to be traversed, so set 755 everywhere first,
# then drop execute from plain files
sudo chmod -R 755 /var/www/html
sudo find /var/www/html -type f -exec chmod 644 {} \;
```
Configure application log directories
Applications need write access to log directories. Create secure log directories with appropriate ownership and permissions.
```bash
# Create log directory with correct permissions
sudo mkdir -p /var/log/myapp
sudo chown myapp:myapp /var/log/myapp
sudo chmod 755 /var/log/myapp

# For applications that need group write access
sudo chown myapp:adm /var/log/myapp
sudo chmod 775 /var/log/myapp
```
Set SSH key permissions
SSH requires specific permissions for security. Incorrect SSH key permissions will cause authentication failures.
```bash
# Set SSH directory permissions - owner only
chmod 700 ~/.ssh

# Private keys - owner read/write only
chmod 600 ~/.ssh/id_rsa
chmod 600 ~/.ssh/id_ed25519

# Public keys - owner read/write, others read
chmod 644 ~/.ssh/id_rsa.pub
chmod 644 ~/.ssh/id_ed25519.pub

# Authorized keys - owner read/write only
chmod 600 ~/.ssh/authorized_keys
```
Configure special permissions
Set sticky bit, setuid, and setgid permissions for specific use cases. These special permissions provide additional access control mechanisms.
```bash
# Sticky bit on directories - only a file's owner (or the directory owner, or root)
# can delete or rename it, even in a world-writable directory
sudo chmod 1755 /tmp/shared
sudo chmod +t /tmp/shared          # symbolic equivalent of the leading 1

# Setgid on directories - new files inherit the directory's group
sudo chmod 2755 /var/shared
sudo chmod g+s /var/shared         # symbolic equivalent of the leading 2

# Combined sticky bit and setgid
sudo chmod 3755 /var/collaborative
```
Implement access control lists (ACLs)
Use ACLs for fine-grained permission control beyond the basic owner/group/others model. Install ACL support if not already available.
```bash
sudo apt update
sudo apt install -y acl

# Grant a specific user read/write access
setfacl -m u:username:rw /path/to/file

# Grant a group read/execute access
setfacl -m g:groupname:rx /path/to/directory

# Set a default ACL so new entries created in the directory inherit it
setfacl -d -m u:username:rw /path/to/directory

# View ACL settings
getfacl /path/to/file
```
Verify your setup
Test your permission configuration to ensure it works correctly and securely.
```bash
# Check current umask
umask
umask -S

# Test file creation with current umask
touch /tmp/test-permissions
ls -l /tmp/test-permissions

# Test directory creation
mkdir /tmp/test-dir-permissions
ls -ld /tmp/test-dir-permissions

# View file permissions in detail
stat /path/to/important-file

# Check for extended ACL entries (getfacl succeeds even without any, so look
# for named user/group entries rather than relying on its exit status)
getfacl -p /path/to/file 2>/dev/null | grep -qE '^(user|group):[^:]+:' \
  && getfacl -p /path/to/file || echo "No extended ACLs set"

# Test web server permissions
sudo -u www-data test -r /var/www/html/index.html && echo "Web server can read files" || echo "Permission denied for web server"
```
Common issues
| Symptom | Cause | Fix |
|---|---|---|
| Permission denied reading file | Incorrect ownership or missing read permission | sudo chown user:group file && chmod 644 file |
| Web server can't access files | Files not owned by web server user | sudo chown -R www-data:www-data /var/www && sudo find /var/www -type f -exec chmod 644 {} \; (keep directories at 755) |
| Application can't write logs | Log directory not writable by app user | sudo chown appuser:appuser /var/log/app && chmod 755 /var/log/app |
| SSH authentication fails | Incorrect SSH key permissions | chmod 700 ~/.ssh && chmod 600 ~/.ssh/id_rsa |
| Directory listing permission denied | Missing execute permission on directory | chmod +x directory |
| New files have wrong permissions | Incorrect umask setting | Set umask 022 in shell profile |
| Group members can't access shared files | Files not owned by correct group | chown :groupname files && chmod g+r files |
Next steps
- Configure SSH key authentication and disable password login for secure server access
- Configure Linux firewall rules with fail2ban for SSH brute force protection and intrusion prevention
- Configure Linux user and group management with sudo access control
- Implement Linux file system encryption with LUKS and cryptsetup
- Configure SELinux mandatory access controls for enhanced security