A
AiTechWorlds
AiTechWorlds
chmod, chown, umask, SUID/SGID/sticky bits, user/group management, sudoers, and ACLs explained with commands.
ls -la /etc/passwd
# -rw-r--r-- 1 root root 2847 Jan 15 10:23 /etc/passwd
# βββββββββ
# ββββββββββ other: r-- (4)
# ββββββββββ group: r-- (4)
# ββββββββββ owner: rw- (6)
# ββββββββββ sticky/SGID/SUID bits
# ββββββββββ directory (d), file (-), link (l), etc.
# ββββββββββ number of hard links
# ββββββββββ owner (root)
# ββββββββββ group (root)| Symbol | Octal | Meaning for Files | Meaning for Directories |
|---|---|---|---|
r | 4 | Read file content | List directory contents (ls) |
w | 2 | Modify file content | Create/delete files in directory |
x | 1 | Execute file | Enter directory (cd) |
- | 0 | Permission denied | Permission denied |
rwxrwxrwx = 777 (owner=7, group=7, others=7)
rw-r--r-- = 644 (owner=6, group=4, others=4)
rwxr-xr-x = 755 (owner=7, group=5, others=5)
rw------- = 600 (owner=6, group=0, others=0)# Octal notation (most common)
chmod 755 script.sh # rwxr-xr-x
chmod 644 config.txt # rw-r--r--
chmod 600 ~/.ssh/id_rsa # rw------- (private key β must be this)
chmod 700 ~/.ssh # rwx------ (SSH dir)
# Symbolic notation
chmod u+x script.sh # add execute for owner (user)
chmod g-w file.txt # remove write from group
chmod o= file.txt # remove ALL permissions from others
chmod a+r file.txt # add read for all (a = u+g+o)
chmod u=rwx,g=rx,o= dir/ # set exact permissions symbolically
# Recursive
chmod -R 755 public/ # apply recursively to directory# Change owner
chown alice file.txt
# Change owner and group
chown alice:developers file.txt
# Change group only
chgrp developers file.txt
# Recursive
chown -R www-data:www-data /var/www/html/| Bit | Octal | How to Set | Effect |
|---|---|---|---|
| SUID (Set User ID) | 4xxx | chmod u+s file or chmod 4755 file | File runs as owner, not executor |
| SGID (Set Group ID) | 2xxx | chmod g+s dir | New files in dir inherit group |
| Sticky bit | 1xxx | chmod +t dir or chmod 1777 dir | Only file owner can delete in dir |
# SUID example β passwd runs as root
ls -la /usr/bin/passwd
# -rwsr-xr-x (the 's' in owner = SUID)
# Sticky bit example β /tmp is world-writable but protected
ls -la /
# drwxrwxrwt tmp (the 't' = sticky bit)umask # show current umask (e.g., 022)
umask 027 # set new umask for session
# umask subtracts from maximum:
# Files max: 666 - 022 = 644
# Dirs max: 777 - 022 = 755
# Secure umask
umask 027 # files: 640, dirs: 750# Add user
useradd -m -s /bin/bash alice # -m creates home dir
adduser alice # interactive (Debian/Ubuntu)
# Set password
passwd alice
# Modify user
usermod -aG sudo alice # add to sudo group
usermod -aG docker,developers alice # add to multiple groups
usermod -s /bin/zsh alice # change shell
usermod -l newname alice # rename user
# Delete user
userdel alice # keep home dir
userdel -r alice # remove home dir too
# Lock/unlock account
passwd -l alice # lock (prepends ! to password hash)
passwd -u alice # unlock
usermod -e 2025-12-31 alice # set expiry date# Create group
groupadd developers
# Delete group
groupdel developers
# Add user to group
usermod -aG developers alice # -a = append (don't remove existing)
gpasswd -a alice developers
# Remove user from group
gpasswd -d alice developers
# Show user's groups
groups alice
id alice# /etc/passwd β user accounts (world-readable)
# username:x:UID:GID:comment:home_dir:shell
cat /etc/passwd | grep alice
# alice:x:1001:1001:Alice Smith:/home/alice:/bin/bash
# /etc/shadow β password hashes (root only)
# username:hash:last_change:min:max:warn:inactive:expire
sudo cat /etc/shadow | grep alice
# /etc/group β group definitions
# group_name:x:GID:member_list
cat /etc/group | grep developers
# developers:x:1002:alice,bob# Run single command as root
sudo apt update
sudo -u postgres psql # run as specific user
# Switch to root shell
sudo -i # login shell
sudo su - # same
# Switch to another user
su - alice # login shell as alice
su alice # non-login shell
# /etc/sudoers β grant sudo privileges
visudo # safe way to edit sudoers
# alice ALL=(ALL:ALL) ALL # full sudo access
# alice ALL=(ALL) NOPASSWD: /bin/systemctl restart nginx # no-password specific commandFor permissions beyond owner/group/others:
# View ACL
getfacl file.txt
# Grant alice read+write to a file you own
setfacl -m u:alice:rw file.txt
# Grant developers group execute
setfacl -m g:developers:rx script.sh
# Remove ACL entry
setfacl -x u:alice file.txt
# Remove all ACL entries
setfacl -b file.txt~/.ssh/id_rsa) to 644 instead of 600 β SSH refuses to use world-readable keyschmod -R 777 for "quick fixes" β opens everything to all users including web server exploits-a flag in usermod -G β overwrites all existing group memberships instead of appendingvisudo to edit /etc/sudoers β syntax errors lock everyone out of sudoAdvertisement
Get more notes like this daily on Telegram!
Free study notes, cheat sheets & AI tips
Last reviewed on June 13, 2026 by the AiTechWorlds Notes Team. Free cheat sheet β no signup required.
Advertisement
Join AiTechWorlds on Telegram and get daily AI tips, prompt engineering templates, coding resources, and exclusive content β 100% free!
No spam. Leave anytime.