Linux Permission Management Advanced
After mastering the basics of permission management, let's tackle advanced techniques. In this advanced edition, you'll learn owner changes, practical group management, default permission settings, and special permissions in detail. Acquire advanced permission management techniques essential for real-world work.
Table of Contents
1. chown/chgrp - Changing Owners
chown - Changing Owner and Group
Change Owner Only
$ chown newuser file.txt
Change Both Owner and Group
$ chown newuser:newgroup file.txt
Change Group Only
$ chown :newgroup file.txt
Recursive Change
$ chown -R webuser:www-data /var/www/html/
chgrp - Changing Group
$ chgrp developers project/
🛠️ Practical chown Applications
Web Server File Ownership
Purpose: Configure Apache/Nginx to read and write files properly
# Files owned by www-data, same group $ sudo chown -R www-data:www-data /var/www/html/ # Config files only owned by root $ sudo chown root:root /etc/apache2/sites-available/*
Log File Permissions
Purpose: Service user writes application logs, admin can read
# Log owned by app user, managed by admin group $ sudo chown app-user:admin /var/log/application.log $ sudo chmod 664 /var/log/application.log
Backup Script Permissions
Purpose: Script executable only by backup user
# Backup script executable only by backup user $ sudo chown backup:backup /usr/local/bin/backup.sh $ sudo chmod 700 /usr/local/bin/backup.sh
⚠️ chown Usage Precautions
Never Change System Files
Dangerous Examples:
$ sudo chown user:user /etc/passwd # NEVER DO THIS! $ sudo chown user:user /bin/bash # SYSTEM DESTRUCTION!
Changing ownership of system files may prevent system startup.
Recursive Change Caution
Recommended Pattern:
# First verify targets $ ls -la /path/to/directory/ # Change gradually $ sudo chown user:group /path/to/directory/ $ sudo chown -R user:group /path/to/directory/*
2. groups - Practical Group Management
In Linux, you can efficiently manage access permissions by categorizing users into groups. Use the groups command to check group information and apply it to actual permission management.
🔍 Basic Group Concepts
Groups are a mechanism for managing multiple users collectively. You can set permissions on files and directories by group rather than individually per user.
Primary Group
- Default group for files created by user
- Usually same name as username
- Defined in
/etc/passwd
Secondary Groups
- Additional groups user belongs to
- Can belong to multiple secondary groups
- Defined in
/etc/group
📋 Basic groups Command Usage
Check Current User's Groups
$ groups
alice alice sudo developers www-data
Explanation: Belongs to alice (primary), sudo, developers, www-data (secondary)
Check Specific User's Groups
$ groups username
bob : bob developers marketing
Check Detailed Group Information
$ id
uid=1001(alice) gid=1001(alice) groups=1001(alice),27(sudo),1002(developers),33(www-data)
Explanation: Shows UID, primary GID, and GIDs of all groups
Check Group Members
$ getent group developers
developers:x:1002:alice,bob,charlie
Explanation: Shows member list of developers group
🛠️ Practical Group Usage Scenarios
Scenario 1: Web Development Team Permission Management
Challenge: All developers want to collaborate in /var/www/project directory
✅ Solution Steps
- Create development group
$ sudo groupadd webdevs
- Add users to group
$ sudo usermod -a -G webdevs alice $ sudo usermod -a -G webdevs bob $ sudo usermod -a -G webdevs charlie
- Set project directory owner
$ sudo chown -R :webdevs /var/www/project $ sudo chmod -R 775 /var/www/project
- Set default group for new files
$ sudo chmod g+s /var/www/project
(SGID setting makes new files automatically belong to webdevs group)
🎯 Result
- All webdevs group members can read and write
- Newly created files automatically get group permissions
- Other users can only read and execute
Scenario 2: Database Administrator Group
Challenge: Make MySQL config files accessible only to DBAs (Database Administrators)
✅ Solution Steps
- Create DBA group
$ sudo groupadd dba
- Add DBA users
$ sudo usermod -a -G dba alice $ sudo usermod -a -G dba bob
- Set MySQL config file permissions
$ sudo chown mysql:dba /etc/mysql/mysql.conf.d/ $ sudo chmod 750 /etc/mysql/mysql.conf.d/ $ sudo chmod 640 /etc/mysql/mysql.conf.d/*.cnf
🎯 Result
- Only DBA group members can edit config files
- MySQL process can always access
- Other users have no access
💡 Group Management Best Practices
🎯 Appropriate Group Design
- Role-based: developers, admins, users
- Project-based: project-a, project-b
- Function-based: www-data, mysql, ssh-users
Create groups with clear purpose
🔒 Security Considerations
- Principle of Least Privilege: Add only minimum necessary groups
- Regular Audits: Remove unnecessary group memberships
- Restrict sudo Access: Manage sudo group carefully
📋 Operational Notes
- After Group Change: Logout/login required
- Naming Rules: Adopt consistent group naming convention
- Documentation: Document group purposes and permissions
🔧 Common Group-Related Problems and Solutions
❌ Problem: Added to Group but Can't Access
Symptom: Permission error even after usermod -a -G group user
✅ Solution
- Re-login to reflect new group permissions
- Or use newgrp command:
$ newgrp groupname
- Verify current groups:
$ groups
❌ Problem: Cannot Delete Group
Symptom: groupdel: cannot remove the primary group of user
✅ Solution
- Check users using the group:
$ getent group groupname
- Change if used as primary group:
$ sudo usermod -g newgroup username
- Remove from secondary group:
$ sudo gpasswd -d username groupname
📚 Group Management Command Reference
| Command | Purpose | Example | Description |
|---|---|---|---|
groups [user] |
Check Groups | groups alice |
Display user's group memberships |
id [user] |
Detailed Info | id alice |
Show UID, GID, and group list |
getent group |
Group Info | getent group developers |
Group details and members |
newgrp group |
Switch Group | newgrp developers |
Temporarily change primary group |
groupadd group |
Create Group | sudo groupadd webdevs |
Create new group |
usermod -a -G |
Add to Group | sudo usermod -a -G group user |
Add user to group |
gpasswd -d |
Remove from Group | sudo gpasswd -d user group |
Remove user from group |
3. umask - Default Permission Settings
umask controls default permissions for newly created files and directories.
Check Current umask Value
$ umask
0022
How umask Calculation Works
Actual permission = default permission - umask value:
- File: 666 - umask = actual permission
- Directory: 777 - umask = actual permission
Example: umask 022
- File: 666 - 022 = 644 (rw-r--r--)
- Directory: 777 - 022 = 755 (rwxr-xr-x)
Changing umask
$ umask 077 # More restrictive (file 600, directory 700)
🛠️ Practical umask Applications
General Users (umask 022)
- File: 644 (others can read)
- Directory: 755 (others can execute)
- Use case: General work environment
Secure Environment (umask 077)
- File: 600 (owner-only access)
- Directory: 700 (owner-only access)
- Use case: Confidential data, personal environment
Group-Shared Environment (umask 002)
- File: 664 (group can write)
- Directory: 775 (group can write)
- Use case: Team development, shared projects
Persistent umask Settings
# Add to ~/.bashrc echo "umask 077" >> ~/.bashrc # System-wide setting sudo echo "umask 022" >> /etc/profile
4. Special Permissions
Besides normal permissions, there are 3 special permission bits.
🔍 Practical Special Permission Examples
SUID Application Example
passwd Command
$ ls -l /usr/bin/passwd -rwsr-xr-x 1 root root 68208 Jan 11 10:00 /usr/bin/passwd
Regular users can change passwords with root privileges
SGID Application Example
Shared Directory
$ chmod g+s /shared/project/
Newly created files automatically belong to project group
Sticky Bit Application Example
/tmp Directory
$ ls -ld /tmp drwxrwxrwt 15 root root 4096 Jan 11 10:00 /tmp
Anyone can write, but can't delete others' files
⚠️ Special Permission Security Notes
SUID Risks
- Attackers may gain root privileges
- Regular audits required
- Remove unnecessary SUID files
# Search for SUID files $ find / -perm -4000 -type f 2>/dev/null
Proper Usage Policy
- Use only in minimum necessary locations
- Consider alternative methods
- Monitor security logs
🔐 Permission Management Series
- Basics Edition - Permission mechanisms, risk avoidance, chmod basics
- Advanced Edition (This Article) - chown, group management, umask, special permissions
- Practical Edition - Real-world scenarios, troubleshooting, security
This site participates in the Amazon Associates Program, an affiliate advertising program designed to provide means for sites to earn advertising fees by advertising and linking to Amazon.co.jp. Product prices are not affected.
📚 Recommended Books for Permission Management & Security
Carefully selected books to efficiently master advanced Linux permission management techniques. Learn chown, group management, umask, and special permissions in depth.
📚 The New Linux Textbook
Target Level: Beginner to Intermediate
Comprehensive Linux textbook with advanced permission management techniques. Learn practical permission settings from chown, group management, and umask basics. Rich explanations of special permissions (SUID, SGID, Sticky bit), perfect for understanding the complete picture of permission management.
📚 Linux Security Standard Textbook
Target Level: Beginner to Intermediate (Security Basics)
Official LPI security textbook. Comprehensive coverage of security aspects of chown, group management, and special permissions (SUID, SGID). Systematically understand security best practices like "proper ownership settings" and "practical group permissions" learned in this article. Well-structured for beginners.
📚 Linux Server Security Complete Guide
Target Level: Intermediate to Advanced (Security Practice)
Practical server security book. Deep dive into detailed permission settings, group policy management, security auditing. Highly recommended for those wanting to learn practical security measures and permission management after mastering basic chown and umask. Explains SUID file audit methods too.
📚 Linux Server Construction & Operation Guide from Zero 2nd Edition
Target Level: Intermediate to Advanced
Practical book using permission management in real work. After mastering chown, umask, and special permissions, learn systematically how to use them in actual server construction and operation. Perfect for those wanting to learn practical permission settings like web server permissions, log file management, and group-based access control.
🎉 Master Permission Management Through Practice
After acquiring advanced knowledge from books, solidify your learning by hands-on practice with Penguin Gym Linux exercises. Use chown, group management, umask, and special permissions in practice to reliably improve your skills.