Lesson: Who Can Do What
What you'll learn
- The difference between users, groups, and the all-powerful root account.
- Why you use sudo instead of logging in as root.
- How to read the rwx permission string that ls -l shows you.
- How to change permissions with chmod (both numeric and symbolic) and ownership with chown.
- Why permissions are the backbone of Linux security.
Skill gained: the ability to read and fix "permission denied" errors instead of fearing them.
The lesson
Linux is a multi-user system: many people (and many programs) share one machine. Permissions are how Linux keeps them from stepping on each other and from breaking the system. Practise on the Jumpbox (10.100.100.254, user ubuntu, which has passwordless sudo).
1. Users and groups
Every account on the system is a user, identified by a name and a numeric UID (user ID). Users are organized into groups (each with a GID) so you can grant access to several people at once.
ubuntu@Jumpbox:~$ whoami # who am I logged in as?
ubuntu
ubuntu@Jumpbox:~$ id # my UID, GID, and group memberships
uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),27(sudo)
That 27(sudo) group membership is what lets ubuntu run administrative commands. User accounts are listed in /etc/passwd and groups in /etc/group — both plain text you can cat.
2. Root: the superuser
root (UID 0) is the superuser. Root bypasses all permission checks — it can read, change, or delete anything. That power is also the danger: a careless command as root can wipe the machine. The golden rule:
Log in as a normal user. Become root only for the moment you need it, using sudo.
3. sudo: borrowing root for one command
sudo ("superuser do") runs a single command with root privileges, if your account is allowed to. It's the safe, auditable way to do admin work — every sudo use is logged (and on this lab those logs ship to the central Loki server at 10.100.100.5).
ubuntu@Jumpbox:~$ cat /etc/shadow # password hashes — protected
cat: /etc/shadow: Permission denied
ubuntu@Jumpbox:~$ sudo cat /etc/shadow # run it as root
root:!:19700:...
On a normal machine sudo asks for your password (not root's). On the Jumpbox sudo is passwordless for convenience, but the habit is the same: prefix the one command that needs power with sudo, and don't become root for a whole session unless you must.
4. Reading permissions: ls -l
Run ls -l and look at the first column:
ubuntu@Jumpbox:~$ ls -l notes.txt
-rw-r--r-- 1 ubuntu ubuntu 42 Jun 1 10:00 notes.txt
That -rw-r--r-- is the permission string. Break it into pieces:
-  rw-  r--  r--
^  ^    ^    ^
|  |    |    +-- OTHERS (everyone else)
|  |    +------- GROUP  (ubuntu)
|  +------------ OWNER  (ubuntu)
+--------------- type
- First character = type: - regular file, d directory, l symbolic link.
- Then three groups of three: permissions for the owner, the group, and others (everyone else).
- In each group: r = read, w = write, x = execute. A - means that permission is off.
So -rw-r--r-- means: owner can read & write; group can read; others can read. Nobody can execute it (it's data, not a program).
What r/w/x mean differs slightly for directories:
- r = list the directory's contents.
- w = create/delete files inside it.
- x = enter (cd into) the directory.
5. chmod, numeric style
chmod ("change mode") sets permissions. The numeric (octal) style encodes each rwx triple as one digit:
r = 4 w = 2 x = 1 (add them up)
rwx = 4+2+1 = 7
rw- = 4+2 = 6
r-x = 4+1 = 5
r-- = 4 = 4
Three digits = owner, group, others:
ubuntu@Jumpbox:~$ chmod 644 notes.txt # rw-r--r-- (owner rw, others r) — typical data file
ubuntu@Jumpbox:~$ chmod 600 secret.txt # rw------- (only owner) — private file
ubuntu@Jumpbox:~$ chmod 755 deploy.sh # rwxr-xr-x — a script everyone may run
ubuntu@Jumpbox:~$ chmod 700 scripts/ # rwx------ — private directory
Memorize three: 644 (normal files), 755 (programs & directories), 600 (private files).
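To make the rwx-to-octal mapping from sections 4 and 5 concrete, here is an added shell script (not part of the lesson) that converts the string ls -l prints into the octal mode chmod expects, and back; the function names are my own.

```shell
#!/bin/sh
# Convert between the rwx string ls -l prints and the octal mode chmod takes.
# Only the nine classic rwx bits are handled; setuid/setgid/sticky (shown as
# s or t) are outside this lesson.

# triple_to_digit "rw-" -> 6   (r=4, w=2, x=1, added up)
triple_to_digit() {
    t=$1
    case $t in [r-][w-][x-]) ;; *) echo "bad triple: $t" >&2; return 1 ;; esac
    d=0
    case $t in r??) d=$((d + 4)) ;; esac
    case $t in ?w?) d=$((d + 2)) ;; esac
    case $t in ??x) d=$((d + 1)) ;; esac
    echo "$d"
}

# perm_to_octal "-rw-r--r--" -> 644   (the leading type character is optional)
perm_to_octal() {
    p=$1
    case ${#p} in
        10) p=${p#?} ;;                 # drop the type character (-, d, l)
        9)  ;;
        *)  echo "bad mode string: $1" >&2; return 1 ;;
    esac
    rest=${p#???}                         # group + others
    u=$(triple_to_digit "${p%??????}") || return 1   # chars 1-3: owner
    g=$(triple_to_digit "${rest%???}") || return 1   # chars 4-6: group
    o=$(triple_to_digit "${rest#???}") || return 1   # chars 7-9: others
    echo "$u$g$o"
}

# digit_to_triple 5 -> "r-x"
digit_to_triple() {
    d=$1
    case $d in [0-7]) ;; *) echo "bad digit: $d" >&2; return 1 ;; esac
    r=-; w=-; x=-
    if [ $((d & 4)) -ne 0 ]; then r=r; fi
    if [ $((d & 2)) -ne 0 ]; then w=w; fi
    if [ $((d & 1)) -ne 0 ]; then x=x; fi
    echo "$r$w$x"
}
# octal_to_perm 755 -> "rwxr-xr-x"
octal_to_perm() {
    m=$1
    case $m in [0-7][0-7][0-7]) ;; *) echo "bad octal mode: $m" >&2; return 1 ;; esac
    mid=${m#?}; mid=${mid%?}
    echo "$(digit_to_triple "${m%??}")$(digit_to_triple "$mid")$(digit_to_triple "${m#??}")"
}
```

Source it (`. ./perms.sh`) and then `perm_to_octal "$(ls -l notes.txt | cut -d' ' -f1)"` tells you the number to give chmod.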
6. chmod, symbolic style
Sometimes you want to add or remove one permission without recalculating. Symbolic style uses user, group, other, all plus +/-/=:
ubuntu@Jumpbox:~$ chmod +x deploy.sh # make it executable for everyone
ubuntu@Jumpbox:~$ chmod u+x deploy.sh # executable for the owner only
ubuntu@Jumpbox:~$ chmod g-w notes.txt # remove write from the group
ubuntu@Jumpbox:~$ chmod o= secret.txt # remove ALL permissions from others
chmod +x script.sh is one of the most common commands you'll type — Linux won't run a script as a program until it has the execute bit.
7. chown: changing ownership
Every file has an owner (a user) and an owning group. chown ("change owner") sets them. Because changing ownership can give power away, it usually needs sudo.
ubuntu@Jumpbox:~$ sudo chown ubuntu file.txt # set owner to ubuntu
ubuntu@Jumpbox:~$ sudo chown ubuntu:ubuntu file.txt # owner AND group (user:group)
ubuntu@Jumpbox:~$ sudo chown -R ubuntu:ubuntu app/ # -R: recurse into a directory
A very common real-world fix: a service can't write to its data directory because the files are owned by root. The cure is to chown -R the directory to the service's user.
8. Why permissions matter
+---------------------------------------------------+
| file: /etc/shadow      owner=root  mode=640       |
|                                                   |
| root       -> read & write (it's the owner)       |
| shadow grp -> read (group can read)               |
| ubuntu     -> DENIED (not owner, not grp)         |
+---------------------------------------------------+
Permissions are why a normal user can't read everyone's passwords, can't edit system config, and can't delete another user's files. When you see "Permission denied," don't panic — it's the system working. Ask three questions:
- Who am I? (whoami, id)
- Who owns the file and what are its permissions? (ls -l)
- Do I genuinely need elevated rights? (then sudo the one command) Or should I fix ownership/mode? (chown/chmod)
That diagnostic loop will resolve the vast majority of access problems you hit as a DevOps engineer.
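The three-question loop above, as an added shell script that is not part of the lesson: it reads ls -ld and id on a Linux box like the Jumpbox, works out which rwx triple applies to you, and prints the section 7/8 fix when write access is missing. The function names applicable_triple and explain are my own.

```shell
#!/bin/sh
# Run the lesson's three questions for one path: who am I, who owns it and
# with what mode, and which rwx triple therefore applies to me. Parses
# `ls -ld` output; ACLs, setuid/setgid/sticky and capabilities are ignored.

# applicable_triple MODE OWNER GROUP ME "MY GROUPS" -> "<class> <triple>"
# e.g. applicable_triple -rw-r----- root shadow ubuntu "ubuntu sudo" -> "others ---"
applicable_triple() {
    mode=$1 owner=$2 group=$3 me=$4 mygroups=$5
    # root bypasses the rwx checks (it still needs some x bit to execute a file)
    if [ "$me" = root ]; then echo "root rwx"; return 0; fi
    if [ "$me" = "$owner" ]; then
        t=${mode#?}; echo "owner ${t%??????}"; return 0        # chars 2-4
    fi
    for g in $mygroups; do
        if [ "$g" = "$group" ]; then
            t=${mode#????}; echo "group ${t%???}"; return 0     # chars 5-7
        fi
    done
    echo "others ${mode#???????}"                               # chars 8-10
}

# explain PATH -> one verdict line for the current user, plus the chmod/chown
# fix from sections 7 and 8 when write access is missing.
explain() {
    path=$1
    line=$(ls -ld -- "$path") || return 1
    set -- $line                                   # mode links owner group ...
    extra=${1#??????????}; mode=${1%"$extra"}      # drop ACL/SELinux marker (+ or .)
    owner=$3 group=$4
    me=$(id -un)
    verdict=$(applicable_triple "$mode" "$owner" "$group" "$me" "$(id -Gn)")
    cls=${verdict%% *} triple=${verdict#* }
    echo "$me is $cls on $path: $triple (owner=$owner group=$group mode=$mode)"
    case $triple in
        *w*) ;;
        *)  echo "  no write. Your own file?  chmod u+w $path"
            echo "            Owned by root/a service?  sudo chown $me $path  (-R for a directory)" ;;
    esac
}

for f in "$@"; do explain "$f"; done     # usage: sh explain.sh /etc/shadow notes.txt
```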
9. A quick practice run
ubuntu@Jumpbox:~$ echo 'echo hello' > hi.sh
ubuntu@Jumpbox:~$ ./hi.sh
bash: ./hi.sh: Permission denied # no execute bit yet
ubuntu@Jumpbox:~$ chmod +x hi.sh
ubuntu@Jumpbox:~$ ./hi.sh
hello
ubuntu@Jumpbox:~$ ls -l hi.sh
-rwxr-xr-x 1 ubuntu ubuntu 11 Jun 1 10:00 hi.sh
You just hit a permission error and fixed it deliberately. That's the whole game.
Dig deeper
- Linux permissions explained (Red Hat sysadmin)
- chmod man page
- Understanding Linux file permissions (DigitalOcean)
- sudo man page
- Users and groups (Ubuntu Server docs)
Search terms
- linux file permissions rwx explained
- chmod numeric vs symbolic
- chown user group recursive
- why use sudo instead of root
- linux permission denied how to fix
Check yourself
- What does -rw-r--r-- mean for owner, group, and others?
- Why is it safer to use sudo than to log in as root?
- What numeric mode makes a file readable/writable by its owner and unreadable by everyone else?
- What does the execute (x) bit mean for a directory, versus a file?
- A service can't write to its data folder owned by root. Which command fixes it, and how?