Permissions and Ownership: Who Reads, Writes, and Executes?
The Linux Permission Model: Read, Write, and Execute
Linux is a multi-user system. On a factory server, operators, engineers, and automated processes all need different access levels. The permission model controls exactly who can do what.
Every file has three permission types: Read (r) to view contents, Write (w) to modify, and Execute (x) to run as a program. These apply to three user categories: Owner (u), Group (g), and Others (o).
In an industrial setting, an operators group might read sensor data but not modify SCADA configs, while engineers have full access.
Reading Permissions: ls -l
ls -l /opt/scada/config/
# -rw-r--r-- 1 admin engineers 2048 Apr 15 08:30 modbus.yaml
# -rwxr-x--- 1 admin operators 4096 Apr 14 12:00 start_gateway.sh
The string -rw-r--r--: position 1 is file type (- file, d directory), positions 2-4 are owner permissions, 5-7 are group, 8-10 are others.
The script -rwxr-x--- means: owner can read/write/execute, group can read/execute, others have no access.
Changing Permissions: chmod With Numbers and Letters
Symbolic Mode
chmod u+x script.sh # Add execute for owner
chmod g+rw data.csv # Add read+write for group
chmod o-rwx secret.yaml # Remove all for others
chmod u=rwx,g=rx,o= script.sh # Set exact permissions
Numeric Mode (r=4, w=2, x=1)
| Number | Permission | Meaning |
|---|---|---|
| 7 | rwx | Full access |
| 6 | rw- | Read and write |
| 5 | r-x | Read and execute |
| 4 | r-- | Read only |
| 0 | --- | No access |
chmod 755 script.sh # rwxr-xr-x
chmod 644 config.yaml # rw-r--r--
chmod 700 private_key.pem # rwx------
chmod -R 750 /opt/scada/ # Recursive (use carefully)
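The mapping between the ten-character string that ls -l prints and the octal digits that chmod takes is mechanical, so it is worth seeing it written out. The script below is an added example, not part of the lesson: mode_to_octal and octal_to_mode are hypothetical helper names, and the sample ls -l lines are constructed. It also handles the s/S and t/T columns of the special bits covered further down (lowercase means execute is set as well, uppercase means it is not).

```bash
#!/usr/bin/env bash
# Added example, not part of the lesson: translate between the mode string that
# ls -l prints (e.g. "-rwsr-xr-x") and the octal form that chmod accepts (4755).
# The execute column of each triplet doubles as the display slot for the special
# bits: s/S in the owner or group slot is SUID/SGID, t/T in the others slot is
# the sticky bit.

# ls -l mode string (10 characters) -> octal, e.g. "-rwxr-x---" -> 750
mode_to_octal() {
    local mode=$1 perms octal="" special=0 i triplet val last
    [ ${#mode} -eq 10 ] || { echo "expected a 10-character mode string" >&2; return 1; }
    perms=${mode:1}                           # drop the file-type column (- or d)
    for i in 0 3 6; do                        # owner, group, others
        triplet=${perms:$i:3}
        val=0
        [ "${triplet:0:1}" = r ] && val=$((val + 4))
        [ "${triplet:1:1}" = w ] && val=$((val + 2))
        last=${triplet:2:1}
        case $last in
            x) val=$((val + 1)) ;;
            s|S)                              # SUID (owner slot) or SGID (group slot)
                [ $i -eq 6 ] && { echo "invalid mode: $mode" >&2; return 1; }
                [ "$last" = s ] && val=$((val + 1))
                [ $i -eq 0 ] && special=$((special + 4)) || special=$((special + 2)) ;;
            t|T)                              # sticky bit, others slot only
                [ $i -ne 6 ] && { echo "invalid mode: $mode" >&2; return 1; }
                [ "$last" = t ] && val=$((val + 1))
                special=$((special + 1)) ;;
            -) ;;
            *) echo "invalid mode: $mode" >&2; return 1 ;;
        esac
        octal="$octal$val"
    done
    [ $special -ne 0 ] && octal="$special$octal"
    echo "$octal"
}

# octal (3 or 4 digits) -> 9-character permission string, e.g. 4755 -> "rwsr-xr-x"
octal_to_mode() {
    local oct=$1 special=0 digits out="" i d x sp bits
    case $oct in *[!0-7]*|"") echo "expected octal digits" >&2; return 1 ;; esac
    case ${#oct} in
        3) digits=$oct ;;
        4) special=${oct:0:1}; digits=${oct:1} ;;
        *) echo "expected 3 or 4 octal digits" >&2; return 1 ;;
    esac
    for i in 0 1 2; do                        # owner, group, others
        d=${digits:$i:1}
        bits=""
        [ $((d & 4)) -ne 0 ] && bits="${bits}r" || bits="${bits}-"
        [ $((d & 2)) -ne 0 ] && bits="${bits}w" || bits="${bits}-"
        x=$((d & 1))
        case $i in 0) sp=$((special & 4)) ;; 1) sp=$((special & 2)) ;; 2) sp=$((special & 1)) ;; esac
        if [ $sp -ne 0 ] && [ $i -eq 2 ]; then
            [ $x -eq 1 ] && bits="${bits}t" || bits="${bits}T"
        elif [ $sp -ne 0 ]; then
            [ $x -eq 1 ] && bits="${bits}s" || bits="${bits}S"
        else
            [ $x -eq 1 ] && bits="${bits}x" || bits="${bits}-"
        fi
        out="$out$bits"
    done
    echo "$out"
}

# Constructed sample lines in ls -l layout, decoded into the matching chmod value
demo() {
    local line
    for line in \
        '-rw-r--r-- 1 admin engineers 2048 modbus.yaml' \
        '-rwxr-x--- 1 admin operators 4096 start_gateway.sh' \
        '-rwsr-xr-x 1 root root 68208 passwd' \
        'drwxrwsr-x 2 admin operators 4096 shared_data'; do
        set -- $line
        printf '%s  ->  chmod %s %s\n' "$1" "$(mode_to_octal "$1")" "$6"
    done
}
demo
```

Reading the string column by column is exactly what the permission checks in the kernel do with the underlying mode bits; the octal form is just those bits grouped three at a time, with the special bits as an optional fourth digit in front.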
Changing Ownership: chown and chgrp
chown admin config.yaml # Change owner
chown admin:engineers config.yaml # Change owner AND group
chown -R admin:engineers /opt/scada/config/ # Recursive
chgrp operators sensor_data.csv # Change group only
Only root can change file ownership. Check group membership with:
groups # Your groups
groups engineer1 # Another user's groups
Special Permissions: SUID, SGID, and Sticky Bit
SUID (4xxx) — Run as Owner
ls -l /usr/bin/passwd
# -rwsr-xr-x 1 root root 68208 ... /usr/bin/passwd
The s means the program runs with the owner's privileges. Use sparingly and audit regularly.
SGID (2xxx) — Inherit Group on Directories
chmod 2775 /opt/scada/shared_data/
Files created inside inherit the directory's group instead of the creator's — useful for shared team directories.
Sticky Bit (1xxx) — Owner-Only Delete
chmod 1777 /tmp/
Only file owners can delete their own files in the directory, even if others have write permission.
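The "audit regularly" advice for the special bits can be turned into two find-based checks: regular files carrying SUID or SGID, and world-writable directories that lack the sticky bit. The script below is an added example and not part of the lesson; audit_special_bits, audit_unsticky_world_writable and build_sample_tree are hypothetical names, and the tree it builds under mktemp is constructed so the checks can run without root (in practice you would point them at /opt/scada or the whole filesystem).

```bash
#!/usr/bin/env bash
# Added example, not part of the lesson: runnable audit checks for the special
# bits. The sample tree is constructed so the script works without root.

# Regular files with SUID (4000) or SGID (2000) set, printed as "mode owner:group path"
audit_special_bits() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec stat -c '%a %U:%G %n' {} \; | sort
}

# Directories writable by "others" that lack the sticky bit: any user could
# delete or rename another user's files there.
audit_unsticky_world_writable() {
    find "$1" -type d -perm -0002 ! -perm -1000 -exec stat -c '%a %n' {} \; | sort
}

# Constructed sample tree with one instance of each condition the audit looks for
build_sample_tree() {
    local root=$1
    mkdir -p "$root/bin" "$root/shared" "$root/scratch" "$root/dropbox"
    printf '#!/bin/sh\necho helper\n' > "$root/bin/helper"
    printf '#!/bin/sh\necho plain\n'  > "$root/bin/plain"
    : > "$root/shared/data.csv"
    chmod 4755 "$root/bin/helper"       # SUID binary: flagged
    chmod 755  "$root/bin/plain"        # ordinary executable: not flagged
    chmod 2755 "$root/shared/data.csv"  # SGID on a data file, as "chmod -R 2xxx" leaves behind: flagged
    chmod 1777 "$root/dropbox"          # world-writable with sticky bit: acceptable
    chmod 777  "$root/scratch"          # world-writable without sticky bit: flagged
}

# Total number of findings across both checks; non-zero means something needs review
audit_findings_count() {
    local n1 n2
    n1=$(audit_special_bits "$1" | wc -l)
    n2=$(audit_unsticky_world_writable "$1" | wc -l)
    echo $((n1 + n2))
}

main() {
    local tmp
    tmp=$(mktemp -d)
    build_sample_tree "$tmp"
    echo "== regular files with SUID/SGID under $tmp =="
    audit_special_bits "$tmp"
    echo "== world-writable directories without sticky bit =="
    audit_unsticky_world_writable "$tmp"
    echo "findings: $(audit_findings_count "$tmp")"
    rm -rf "$tmp"
}
main
```

Run the two audit functions from a scheduled job and diff the output against the previous run: a SUID file or an unsticky world-writable directory that was not there yesterday is the kind of change worth a ticket.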
Practical Example: Securing SCADA Configuration Files on the Server
# Create groups
sudo groupadd operators && sudo groupadd engineers
# Add users
sudo usermod -aG engineers admin
sudo usermod -aG operators operator1
# Secure SCADA configs: engineers only
sudo chown -R admin:engineers /opt/scada/config/
sudo chmod -R 750 /opt/scada/config/
# Shared sensor data: operators can read, admin writes
sudo chown -R admin:operators /var/log/sensors/
sudo chmod -R 2755 /var/log/sensors/
# Lock down private keys
sudo chmod 600 /opt/scada/config/plc_auth.key
# Verify
ls -la /opt/scada/config/
ls -la /var/log/sensors/
This follows the principle of least privilege: every user gets exactly the access they need.
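One detail of the walkthrough above deserves a runnable check: chmod -R applies the same digits to directories and regular files, so chmod -R 750 marks every config file executable and chmod -R 2755 puts the SGID bit on every data file, not only on the directories where it does the group-inheritance work. The script below is an added example, not the lesson's own script: it applies the same policy to a throwaway copy of the layout under mktemp (so it runs without root; the chown steps are left out for that reason), separates directories from files with find, and then verifies the result. harden_scada_tree, verify_scada_tree and build_sample_layout are hypothetical names and the files are constructed.

```bash
#!/usr/bin/env bash
# Added example, not part of the lesson: the same hardening policy applied with
# directories and files handled separately, plus a verification pass.

# Constructed copy of the layout, left in the state the recursive chmods produce
build_sample_layout() {
    local root=$1
    mkdir -p "$root/config/profiles" "$root/sensors/line1"
    printf 'port: 502\n'                 > "$root/config/modbus.yaml"
    printf 'plc: 1\n'                    > "$root/config/profiles/plc1.yaml"
    printf 'CONSTRUCTED-KEY-MATERIAL\n'  > "$root/config/plc_auth.key"
    printf 'ts,value\n'                  > "$root/sensors/line1/temp.csv"
    chmod -R 750  "$root/config"     # files become executable, key is group-readable
    chmod -R 2755 "$root/sensors"    # SGID lands on the data file as well
}

# Apply the policy: engineers-only configs, group-inherited sensor directories,
# owner-only key. Directories and files get different modes on purpose.
harden_scada_tree() {
    local root=$1
    find "$root/config"  -type d -exec chmod 750  {} +   # engineers may traverse
    find "$root/config"  -type f -exec chmod 640  {} +   # engineers read, nobody executes
    find "$root/sensors" -type d -exec chmod 2755 {} +   # new files inherit the group
    find "$root/sensors" -type f -exec chmod 644  {} +   # operators read, owner writes
    chmod 600 "$root/config/plc_auth.key"                # private key: owner only
}

# Return 0 when the tree matches policy; otherwise print each violation and return 1.
verify_scada_tree() {
    local root=$1 rc=0 path mode
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        mode=$(stat -c '%a' "$path")
        case $path in
            "$root/config/plc_auth.key")
                [ "$mode" = 600 ] || { echo "FAIL $mode $path (key must be 600)"; rc=1; } ;;
            "$root/config"*)
                [ $((8#$mode & 7)) -eq 0 ] || { echo "FAIL $mode $path (others must have no access)"; rc=1; } ;;
            "$root/sensors"*)
                if [ -d "$path" ]; then
                    [ $((8#$mode & 02000)) -ne 0 ] || { echo "FAIL $mode $path (directory needs SGID)"; rc=1; }
                else
                    [ $((8#$mode & 07111)) -eq 0 ] || { echo "FAIL $mode $path (data file must not be executable or SUID/SGID)"; rc=1; }
                fi ;;
        esac
    done <<EOF
$(find "$root/config" "$root/sensors")
EOF
    return $rc
}

main() {
    local tmp
    tmp=$(mktemp -d)
    build_sample_layout "$tmp"
    echo "== before hardening =="
    verify_scada_tree "$tmp" || true
    harden_scada_tree "$tmp"
    echo "== after hardening =="
    verify_scada_tree "$tmp" && echo "policy OK"
    ls -la "$tmp/config" "$tmp/sensors/line1"
    rm -rf "$tmp"
}
main
```

The verify step is the part to keep around: run it after any change to the tree, and the first line of its output tells you which path drifted and how.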
Summary
In this lesson you learned how Linux controls access:
- Every file has read, write, and execute permissions for owner, group, and others.
- ls -l displays permissions; chmod changes them (symbolic or numeric).
- chown and chgrp change ownership; only root can change owners.
- SUID, SGID, and sticky bit handle special access control scenarios.
- Group-based permissions enforce the principle of least privilege on industrial servers.
- Always verify paths before recursive permission changes on production systems.
In the next lesson, you will learn pipes and redirection to chain commands into powerful data processing pipelines.