Linux Permissions Internals: Octal Modes, SUID, and Advanced ACLs
Go beyond chmod 777. Learn how the Linux kernel evaluates permissions bitwise, the security implications of the SUID, SGID and sticky bits, and how Access Control Lists extend the standard mode bits.
When you run ls -l on a Linux system, you see a string like -rwxr-xr--. That symbolic form is for humans; the kernel never parses it. Permissions live in the inode's mode field (st_mode), a 16-bit integer: the top four bits encode the file type, the next three hold the SUID, SGID and sticky bits, and the lowest nine hold the read, write and execute bits for three classes: User (owner), Group, and Others.
When a process asks for access, the kernel does not merge those classes. It picks exactly one: it compares the process's filesystem UID with the inode's owner, then its group list (primary and supplementary groups) with the inode's group, and falls back to Others only when neither matches. It then ANDs the requested access against that one class's three bits. A consequence worth remembering is that the owner class applies to the owner even when it is more restrictive than the others, so a file with mode 077 is readable by everyone except its owner. Root (CAP_DAC_OVERRIDE) bypasses the read and write checks, but can only execute a regular file that has at least one execute bit set.
Understanding Octal Notation
Developers frequently use commands like chmod 755, but why the number 7? The mode is written in base 8 (octal). Each octal digit holds exactly three bits, one for each of r, w and x, so a single digit describes one permission class and three digits describe all three.
- Read (r) = 4 (binary 100)
- Write (w) = 2 (binary 010)
- Execute (x) = 1 (binary 001)
Adding them gives 7 (4+2+1) for full access or 5 (4+1) for read and execute. A mode of 755 therefore means Owner=7 (rwx), Group=5 (r-x), Others=5 (r-x). A fourth, leading digit carries the special bits (4 for SUID, 2 for SGID, 1 for sticky), so 4755 is 755 plus SUID. Never ship 777: it grants write access to every local user and every compromised service on the host, so anyone can replace the file's contents, which for an executable or a configuration file read by a privileged process is a direct path to code execution.
The Execution Bit on Directories
A common source of confusion is the Execute (x) bit applied to directories. You cannot "run" a directory. Instead, for directories, the execution bit grants the "Search" or "Traverse" right.
With Read (r) but not Execute (x) on a directory, you can list the names inside it (plain ls works, though ls -l fails to stat each entry, because stat also has to go through the directory), but you cannot cd into it or open any file within it, even a world-readable one: path resolution stops at that directory. The reverse holds too: with x but not r you cannot list the directory, yet you can open any file whose name you already know. Every directory along a path needs x for the requesting process, which is why a 700 home directory protects everything beneath it regardless of the files' own modes.
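The one-class rule, the octal-to-symbolic rendering (including the uppercase S and T that mark a special bit with no execute bit under it) and the per-directory search check are easiest to see in code. The following is an added example, not code from the page or the Karuvigal tools: it re-implements a simplified version of the kernel's DAC decision in Python over a constructed in-memory tree (the uids, gids, paths and modes are invented for the demonstration; uid 0 stands in for CAP_DAC_OVERRIDE).

```python
import stat

R, W, X = 4, 2, 1  # requested access, encoded like one octal digit


def to_symbolic(mode):
    """Render the low 12 bits of a mode the way ls -l does, including s/S and t/T."""
    out = []
    for shift, special in ((6, stat.S_ISUID), (3, stat.S_ISGID), (0, stat.S_ISVTX)):
        bits = (mode >> shift) & 7
        out.append('r' if bits & R else '-')
        out.append('w' if bits & W else '-')
        has_x = bool(bits & X)
        if mode & special:
            # lowercase when the special bit sits on top of an execute bit,
            # uppercase when it is set without one (usually a mistake)
            letter = 't' if shift == 0 else 's'
            out.append(letter if has_x else letter.upper())
        else:
            out.append('x' if has_x else '-')
    return ''.join(out)


def class_bits(mode, f_uid, f_gid, p_uid, p_groups):
    """Select the ONE permission class the kernel consults for this process."""
    if p_uid == f_uid:
        return (mode >> 6) & 7      # owner class, even if it is the most restrictive
    if f_gid in p_groups:
        return (mode >> 3) & 7      # group class: primary or any supplementary group
    return mode & 7                 # others


def may_access(mode, f_uid, f_gid, p_uid, p_groups, want, is_dir=False):
    """Simplified DAC decision: one class, bitwise AND against the request.
    uid 0 models CAP_DAC_OVERRIDE, which still refuses to execute a regular
    file that has no execute bit anywhere (assumption: no other capabilities)."""
    if p_uid == 0:
        if want & X and not is_dir and not (mode & 0o111):
            return False
        return True
    return (class_bits(mode, f_uid, f_gid, p_uid, p_groups) & want) == want


def node(mode, uid=0, gid=0, children=None):
    """One inode in the constructed tree; children is None for a regular file."""
    return {'mode': mode, 'uid': uid, 'gid': gid, 'children': children}


def resolve(root, path, p_uid, p_groups, want):
    """Walk a constructed tree like the kernel's path lookup: every directory on
    the way needs search (x); only the final entry is checked against want."""
    cur = root
    for name in [p for p in path.split('/') if p]:
        if cur['children'] is None:
            return False            # a regular file in the middle of the path (ENOTDIR)
        if not may_access(cur['mode'], cur['uid'], cur['gid'], p_uid, p_groups, X, is_dir=True):
            return False            # lookup stops here, whatever the target file allows
        cur = cur['children'].get(name)
        if cur is None:
            return False
    return may_access(cur['mode'], cur['uid'], cur['gid'], p_uid, p_groups, want,
                      is_dir=cur['children'] is not None)


# Constructed sample tree: uid 1000 / gid 100 own a directory that others can
# read but not search, plus a file whose owner class denies everything.
FS = node(0o755, children={
    'shared': node(0o744, uid=1000, gid=100, children={
        'notes.txt': node(0o644, uid=1000, gid=100),
    }),
    'locked.txt': node(0o077, uid=1000, gid=100),
})

if __name__ == '__main__':
    print(to_symbolic(0o4755), to_symbolic(0o1777), to_symbolic(0o4644))
    print('uid 2000 reads /shared/notes.txt:', resolve(FS, '/shared/notes.txt', 2000, {200}, R))
    print('owner reads /locked.txt:  ', resolve(FS, '/locked.txt', 1000, {100}, R))
    print('stranger reads /locked.txt:', resolve(FS, '/locked.txt', 2000, {200}, R))
```

Run it and notice that uid 2000 cannot read /shared/notes.txt although the file itself is 644: the 744 directory has no search bit for others. The owner of locked.txt, mode 077, is the only non-root user who cannot read it.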
SUID and Privilege Escalation
Standard permissions only govern who can access a file. What about who the file executes as? When you run a script, it runs with your user privileges. But utilities like passwd need root privileges to edit /etc/shadow.
Enter the Set User ID (SUID) bit, shown as an s in the owner's execute position and set with the octal prefix 4 (chmod 4755). When a SUID binary is executed, the kernel gives the new process the effective UID (and saved set-user-ID) of the file's owner, usually root, while the real UID stays that of the caller. Two details matter for defenders. First, Linux ignores SUID on interpreted scripts (files starting with #!), so the risk lives in compiled binaries, including custom helpers. Second, any SUID root binary that can be talked into spawning a shell, writing an attacker-chosen file, or loading code from a path the attacker controls is a privilege-escalation primitive. Enumerate them with find / -perm -4000 -type f, justify each one, and mount user-writable filesystems with nosuid so a dropped binary cannot gain the bit.
SGID for Group Collaboration
The Set Group ID (SGID) bit (octal prefix 2, e.g., chmod 2775) is crucial for shared workspaces. On an executable it works like SUID for the group. On a directory, any new file created inside inherits the directory's group rather than the creator's primary group, and new subdirectories also inherit the SGID bit itself, so the rule propagates down the tree.
This lets a team sharing a /var/www/html folder edit each other's files without constant Permission denied errors, provided the files are also group-writable: SGID only sets the group, so pair it with a umask of 002 or a default ACL that grants the group write access.
The Sticky Bit (Restricted Deletion)
The Sticky Bit (octal prefix 1) is commonly seen on /tmp (mode 1777, shown as drwxrwxrwt). Anyone can create files in /tmp, but with the sticky bit only the file's owner, the directory's owner, or root (CAP_FOWNER) can delete or rename an entry, even though the directory itself is world-writable.
Without this bit, any user could delete or rename temporary files created by other users or system daemons. That is more than a stability problem: removing another user's temp file and replacing it with one the attacker controls is a classic local attack on privileged processes.
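A practitioner meets all three special bits at once when auditing a host: SUID and SGID programs, world-writable directories that lack the sticky bit, and SGID directories whose group inheritance is the intended behaviour. The following is an added example (not the page's or Karuvigal's code) that classifies inodes from their st_mode bits and walks a constructed temporary tree; the file and directory names, and the helper script, are invented for the demonstration, and classify() alone decides what counts as a finding.

```python
import os
import stat
import tempfile


def classify(mode, uid):
    """Audit findings for one inode from the same bits ls -l renders."""
    findings = []
    if stat.S_ISREG(mode):
        if mode & stat.S_ISUID:
            findings.append('suid-root' if uid == 0 else 'suid')
        if mode & stat.S_ISGID and mode & stat.S_IXGRP:
            findings.append('sgid')          # SGID with no group x is not a setgid program
        if mode & stat.S_IWOTH and mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append('world-writable-setid')   # anyone can swap in their own code
    elif stat.S_ISDIR(mode):
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            findings.append('world-writable-no-sticky')  # any user can unlink anyone's files
        if mode & stat.S_ISGID:
            findings.append('sgid-dir')      # new files take this directory's group
    return findings


def scan(root):
    """Roughly what `find root -perm -4000 -o -perm -2000 -o -perm -0002` locates,
    using lstat so symlinks are reported as themselves, never followed."""
    out = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            for finding in classify(st.st_mode, st.st_uid):
                out.append((os.path.relpath(path, root), finding))
    return sorted(out)


def sgid_inherits_group(directory):
    """Create a probe file and report whether it took the directory's gid
    (SGID directory semantics) rather than the creating process's primary gid."""
    probe = os.path.join(directory, 'probe.txt')
    with open(probe, 'w') as fh:
        fh.write('probe\n')
    try:
        return os.stat(probe).st_gid == os.stat(directory).st_gid
    finally:
        os.unlink(probe)


def build_demo_tree():
    """Constructed layout under a temp dir: a SUID helper, an SGID team directory,
    and two world-writable scratch directories, only one with the sticky bit."""
    root = tempfile.mkdtemp(prefix='permdemo-')
    helper = os.path.join(root, 'helper')
    with open(helper, 'w') as fh:
        fh.write('#!/bin/sh\necho hi\n')
    os.chmod(helper, 0o4755)        # chmod 4755: the bit is stored even though the kernel
                                    # ignores it on a #! script at exec time
    for name, mode in (('team', 0o2770), ('tmp-ok', 0o1777), ('tmp-bad', 0o777)):
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)        # chmod after mkdir so the umask does not interfere
    return root


def run_demo():
    """Build the constructed tree, scan it, and return (findings, team_dir_inherits_gid)."""
    root = build_demo_tree()
    return scan(root), sgid_inherits_group(os.path.join(root, 'team'))


if __name__ == '__main__':
    findings, inherits = run_demo()
    for path, finding in findings:
        print(f'{finding:26} {path}')
    print('team/ hands out its own group to new files:', inherits)
```

On a real host point scan() at / (as root, so every directory is searchable) and review every suid-root and world-writable-no-sticky line; the sgid-dir lines are usually intentional and serve as an inventory.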
Breaking Limits with ACLs
Traditional permissions hit a wall when you need to grant specific access to two different users who don't share a group. Linux Access Control Lists (ACLs) solve this by storing extra entries in an extended attribute (system.posix_acl_access) alongside the mode bits.
With setfacl and getfacl an administrator can attach named user and group entries to a file (setfacl -m u:bob:rw report.txt; getfacl report.txt shows the result). When an extended ACL is present, ls -l appends a + to the mode (-rw-r--r--+). The ACL does not sit in front of the mode bits: the owner, group and other mode bits are the ACL's user::, group:: and other:: entries. Named entries, and the owning group, are capped by the ACL's mask entry, and it is the mask, not the owning group's permissions, that ls -l displays in the group column, so an entry like user:bob:rw- is silently reduced to r-- when the mask is r-- (getfacl flags this with #effective:). Evaluation order is: the owner entry if the process is the owner, else the matching named user entry, else any matching group entry (owning group or named group) that grants the whole request, else other.
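The mask is where ACL surprises come from, so it is worth tracing the evaluation by hand. The following is an added example, not code from the page or from the acl package: it parses getfacl's text output (a constructed sample for an invented report.txt with users alice, bob, carol, dave, eve and groups devs and auditors) and applies the acl(5) algorithm, including the mask, to answer who may do what. Process identity is given by name here; a real check would compare uids and gids.

```python
def perm_bits(text):
    """'r-x' -> 5, the same encoding as one octal digit."""
    return (4 if text[0] == 'r' else 0) | (2 if text[1] == 'w' else 0) | (1 if text[2] == 'x' else 0)


def to_rwx(bits):
    return ('r' if bits & 4 else '-') + ('w' if bits & 2 else '-') + ('x' if bits & 1 else '-')


def parse_getfacl(text):
    """Parse getfacl's long text form. The '#effective:' notes are dropped because
    the mask is applied during evaluation, not read from them."""
    acl = {'users': {}, 'groups': {}}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('# owner:'):
            acl['owner'] = line.split(':', 1)[1].strip()
            continue
        if line.startswith('# group:'):
            acl['group'] = line.split(':', 1)[1].strip()
            continue
        line = line.split('#', 1)[0].strip()
        if not line or line.startswith('default:'):
            continue                     # default: entries govern inheritance, not access
        tag, qualifier, perms = line.split(':')
        bits = perm_bits(perms)
        if tag == 'user':
            if qualifier:
                acl['users'][qualifier] = bits
            else:
                acl['user_obj'] = bits   # same bits as the owner triplet of the mode
        elif tag == 'group':
            if qualifier:
                acl['groups'][qualifier] = bits
            else:
                acl['group_obj'] = bits
        elif tag == 'mask':
            acl['mask'] = bits
        elif tag == 'other':
            acl['other'] = bits
    return acl


def acl_allows(acl, user, groups, want):
    """The acl(5) algorithm: owner entry, else the matching named user entry, else
    any matching group entry (owning group or named) that grants everything
    requested, else other. Every entry except owner and other is capped by the mask."""
    mask = acl.get('mask', 7)            # minimal ACL has no mask: nothing is capped
    if user == acl['owner']:
        return (acl['user_obj'] & want) == want
    if user in acl['users']:
        return (acl['users'][user] & mask & want) == want
    matched = []
    if acl['group'] in groups:
        matched.append(acl['group_obj'])
    matched += [bits for name, bits in acl['groups'].items() if name in groups]
    if matched:
        return any((bits & mask & want) == want for bits in matched)
    return (acl['other'] & want) == want


def ls_group_column(acl):
    """What ls -l shows in the group triplet: the mask when an extended ACL exists,
    which is why that column can look wrong next to the + marker."""
    return to_rwx(acl.get('mask', acl['group_obj']))


# Constructed getfacl output: bob was granted rw- but the mask caps him at r--.
SAMPLE = """\
# file: report.txt
# owner: alice
# group: devs
user::rw-
user:bob:rw-                    #effective:r--
group::r--
group:auditors:r-x              #effective:r--
mask::r--
other::---
"""

if __name__ == '__main__':
    acl = parse_getfacl(SAMPLE)
    print('ls -l group column:', ls_group_column(acl))
    for who, groups in (('alice', {'devs'}), ('bob', set()), ('carol', {'auditors'}),
                        ('dave', {'devs'}), ('eve', {'sales'})):
        print(who, ''.join(c if acl_allows(acl, who, groups, b) else '-'
                           for c, b in (('r', 4), ('w', 2), ('x', 1))))
```

Delete the mask line from SAMPLE and bob regains write access; that is exactly what setfacl -m u:bob:rw does behind your back on a file with a tight group mode, and it is why chmod g-w on an ACL-bearing file changes the mask rather than the owning group's entry.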
Calculating Permissions Visually
Translating between octal (644), symbolic (rw-r--r--), and understanding the exact implications of special bits requires mental gymnastics. A single miscalculated digit can expose sensitive configuration files to the public internet.
Our Chmod Calculator provides an interactive matrix to visually construct permission sets. It instantly translates between octal and symbolic notations and alerts you when dangerous modes like global write or SUID are configured, ensuring your deployment scripts remain secure.
Karuvigal Team
Building developer tools that save time and improve productivity.