Understanding Users, Groups, and Ownership

Every file and directory on Linux has exactly one user owner and one group owner. The permissions (read, write, execute) are evaluated against three categories: the owning user, the owning group, and everyone else. Understanding how ownership interacts with permissions is the foundation of access control on Ubuntu.

UID, GID, and the permission model

-rw-r--r-- 1 irfan  webteam 4096 Jun 01 12:00 report.txt
 ↑↑↑↑↑↑↑↑↑   ↑↑↑↑↑  ↑↑↑↑↑↑↑
 permissions  owner  group

Permission breakdown:
- rw-   = owner (irfan) can read and write
- r--   = group (webteam) can only read
- r--   = everyone else can only read

Linux checks permissions in this order:
1. Is the process running as the file owner? → Use owner bits
2. Is the process in the file's group?       → Use group bits
3. Otherwise                                 → Use other bits

Checks STOP at the first match. A user who is the owner gets the owner
bits, even if they are also in the file's group.
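
The evaluation order above as a small shell model, added here as an illustration and not part of the original article. The function names and numeric IDs (irfan = 1000, webteam = 1001) are constructed, and root's ability to bypass these checks is not modelled.

```shell
#!/bin/sh
# Added example: models the owner -> group -> other selection rule.
# Function names and numeric IDs are illustrative, not from the article.

# perm_class PROC_UID "PROC_GIDS" FILE_UID FILE_GID -> owner | group | other
perm_class() {
    if [ "$1" -eq "$3" ]; then echo owner; return; fi
    for gid in $2; do
        if [ "$gid" -eq "$4" ]; then echo group; return; fi
    done
    echo other
}

# class_bits MODE CLASS -> rwx bits (0-7) of that class in an octal MODE
class_bits() {
    mode=$((0$1))
    case $2 in
        owner) echo $(( (mode >> 6) & 7 )) ;;
        group) echo $(( (mode >> 3) & 7 )) ;;
        other) echo $(( mode & 7 )) ;;
    esac
}

# can_access PROC_UID "PROC_GIDS" FILE_UID FILE_GID MODE r|w|x -> allow | deny
# Only the first matching class is consulted; later classes are never tried.
can_access() {
    bits=$(class_bits "$5" "$(perm_class "$1" "$2" "$3" "$4")")
    case $6 in r) need=4 ;; w) need=2 ;; x) need=1 ;; esac
    if [ $(( bits & need )) -ne 0 ]; then echo allow; else echo deny; fi
}

# Constructed IDs: irfan = 1000, webteam = 1001, another webteam member = 1002.
echo "644, owner writes:        $(can_access 1000 '1000 1001' 1000 1001 644 w)"
echo "644, group member writes: $(can_access 1002 '1002 1001' 1000 1001 644 w)"
# Edge case: mode 460 gives the group more than the owner. The owner is also
# in webteam, but the check stops at the owner bits (r--), so the write fails.
echo "460, owner writes:        $(can_access 1000 '1000 1001' 1000 1001 460 w)"
echo "460, group member writes: $(can_access 1002 '1002 1001' 1000 1001 460 w)"
```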

Reading file ownership

# Show ownership of files
ls -l /var/www/html/
ls -la /etc/nginx/nginx.conf

# Show numeric UID/GID instead of names
ls -ln /home/irfan/

# Show ownership recursively
ls -lR /var/www/html/ | head -20

# Show which user owns a specific file
stat /etc/nginx/nginx.conf

stat output showing ownership details

  File: /etc/nginx/nginx.conf
  Size: 1490
  Owner: root
  Group: root
  Access: (0644/-rw-r--r--)
  Uid: (0/root)
  Gid: (0/root)

Changing ownership with chown

# Change owner only
sudo chown irfan /var/www/html/index.html

# Change owner and group together
sudo chown irfan:webteam /var/www/html/index.html

# Change only the group (alternative to chgrp)
sudo chown :webteam /var/www/html/index.html

# Change recursively (entire directory tree)
sudo chown -R irfan:webteam /var/www/html/

# Change to match another file's ownership
sudo chown --reference=/etc/nginx/nginx.conf /etc/nginx/conf.d/mysite.conf

# Verify
ls -la /var/www/html/

⚠️ WARNING: chown -R root:root / or a similar recursive chown on the wrong path has destroyed servers. Always double-check the path before running a recursive chown. chown has no dry-run option, so run ls -la path/ first to confirm what you are about to change.
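
Since chown has no dry-run, the following added example (not from the original article) uses find to list what a recursive chown would touch and refuses paths that are too close to the filesystem root. The function names and the "at least two levels deep" rule are illustrative choices, and the demo tree is constructed.

```shell
#!/bin/sh
# Added example: read-only preview before a recursive chown.
# Function names and the "two levels deep" rule are illustrative choices.

# chown_preview DIR USER GROUP
# Prints every entry under DIR not already owned by USER:GROUP, i.e. the
# candidates a recursive chown to USER:GROUP would modify. Changes nothing.
chown_preview() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "not a directory: $1" >&2; return 2; }
    case $dir in
        /*/*) ;;    # e.g. /var/www: deep enough to continue
        *) echo "refusing top-level path: $dir" >&2; return 3 ;;
    esac
    find "$dir" \( ! -user "$2" -o ! -group "$3" \) -print
}

# chown_preview_count DIR USER GROUP -> number of entries that would change
chown_preview_count() {
    list=$(chown_preview "$@") || return $?
    if [ -z "$list" ]; then echo 0; return; fi
    printf '%s\n' "$list" | wc -l | tr -d ' '
}

# Constructed demo tree in a temporary directory, removed afterwards.
demo=$(mktemp -d)
mkdir "$demo/html" && touch "$demo/html/index.html"
echo "entries that would change to 0:0 -> $(chown_preview_count "$demo/html" 0 0)"
chown_preview / 0 0 || echo "guard returned $?"
rm -rf "$demo"
```

USER and GROUP may be names or numeric IDs; find rejects a name that does not exist, which also catches typos before the real chown runs.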

Changing group with chgrp

# Change group owner
sudo chgrp webteam /var/www/html/index.html
sudo chgrp -R www-data /var/www/html/

# Common web server ownership pattern:
# Files owned by deploy user, group www-data, readable by web server
sudo chown -R deploy:www-data /var/www/html/
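# Directories need the execute (traverse) bit; regular files do not.
# find covers every subdirectory, not only top-level *.html files.
sudo find /var/www/html/ -type d -exec chmod 750 {} +
sudo find /var/www/html/ -type f -exec chmod 640 {} +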

umask and default permissions

When you create a new file or directory, the default permissions are determined by umask. The umask clears the permission bits it names from the maximum possible (666 for files, 777 for directories); it works as a bit mask rather than an arithmetic subtraction.

# See current umask
umask
umask -S    # Symbolic output

# Common umask values:
# 0022 → files: 644 (rw-r--r--), dirs: 755 (rwxr-xr-x)  [Ubuntu default]
# 0027 → files: 640 (rw-r-----), dirs: 750 (rwxr-x---)  [more restrictive]
# 0077 → files: 600 (rw-------), dirs: 700 (rwx------)  [private]

# Set umask for the current session
umask 0027

# Set umask permanently (add to ~/.bashrc or /etc/profile)
echo "umask 0027" >> ~/.bashrc

# Test: what permissions will new files get?
umask 0022
touch testfile && ls -l testfile && rm testfile
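
An added check (not from the original article) that computes the resulting mode as base AND NOT umask and compares it with what touch and mkdir actually produce. umask 0033 is included because subtracting digits would give the wrong answer there. It assumes a Linux stat that supports -c, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: umask is a bit mask applied to 666 (files) or 777 (dirs).
# Assumes stat -c (GNU coreutils or BusyBox); function names are illustrative.

# expected_mode BASE MASK -> BASE with every bit named in MASK cleared
expected_mode() {
    printf '%o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# created_mode MASK file|dir -> mode the kernel really gives a new entry
# Runs in a subshell so the caller's umask is left untouched.
created_mode() {
    (
        umask "$1"
        tmp=$(mktemp -d) || exit 1
        if [ "$2" = dir ]; then mkdir "$tmp/new"; else touch "$tmp/new"; fi
        stat -c '%a' "$tmp/new"
        rm -rf "$tmp"
    )
}

# 0033 is the interesting row: 666 - 033 would be 633, but clearing the
# bits gives 644, because the execute bit was never set on a new file.
for mask in 0022 0027 0077 0033; do
    printf 'umask %s  file: calc=%s real=%s  dir: calc=%s real=%s\n' "$mask" \
        "$(expected_mode 666 "$mask")" "$(created_mode "$mask" file)" \
        "$(expected_mode 777 "$mask")" "$(created_mode "$mask" dir)"
done
```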

Real-world ownership scenarios

# Scenario 1: Web application files
# Nginx runs as www-data. App files are deployed by 'deploy' user.
# Nginx needs to read, deploy user needs to write.
sudo chown -R deploy:www-data /var/www/myapp/
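sudo chmod -R 755 /var/www/myapp/
# Files only: a recursive 644 would strip the execute (traverse) bit from
# public/ and its subdirectories, and Nginx could no longer enter them.
sudo find /var/www/myapp/public/ -type f -exec chmod 644 {} +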

# Scenario 2: Shared team directory
# Multiple users in 'devteam' group need read/write access
sudo mkdir -p /data/projects      # -p also creates /data if it does not exist
sudo chown root:devteam /data/projects
sudo chmod 2775 /data/projects    # setgid bit: new files inherit devteam group

# Scenario 3: Log directory for a service account
sudo mkdir /var/log/myapp
sudo chown myapp:myapp /var/log/myapp
sudo chmod 750 /var/log/myapp

Conclusion

Every file on Ubuntu has one owner user and one owner group. Permissions are checked for owner first, then group, then others — and evaluation stops at the first match. Use chown user:group to change both at once. Set umask to 0027 instead of the default 0022 on servers where files should not be world-readable. Use the setgid bit (chmod g+s) on shared directories so new files automatically inherit the directory’s group.

FAQ

Is Understanding Users, Groups, and Ownership important for Ubuntu administrators?

Yes. It supports practical Ubuntu administration because it connects directly to server reliability, security, troubleshooting, or daily operations.

Should I practice this on a live server?

Use a lab VM first. After you understand the command output and rollback path, apply the workflow carefully on real systems.

What should I do after reading this article?

Run the practice commands, write down what each one shows, and continue to the next article in the Ubuntu roadmap.
