Linux Permissions and Security Cheat Sheet

Linux•Permalink

High-value Linux permissions and security reference covering users, sudo, ACLs, special mode bits, SSH access, SELinux, and AppArmor basics.

View

Standard Detailed Compact

Export

Copy the compact sheet, download it, or print it.

Download

`D` dense toggle · `C` copy all

Accounts Authentication and Access

Audit identities, SSH access, and authentication-related state.

Query passwd database

Resolve user information through NSS.

↗#

bashLINUXgetentuseridentity

bash

getent passwd alice

Useful on systems backed by LDAP or other NSS sources.

Query group database

Resolve group entries through NSS.

↗#

bashLINUXgetentgroupidentity

bash

getent group docker

Useful when group data is not only in local `/etc/group`.

Lock user password

Disable password authentication for a user.

↗#

bashLINUXpasswdlocksecurity

bash

sudo passwd -l deploy

Useful during account offboarding or incident response.

Show password aging info

Inspect account password expiration details.

↗#

bashLINUXchagepasswordsecurity

bash

sudo chage -l alice

Useful for compliance and access reviews.

Safely edit sudoers

Open sudoers with syntax checking and locking.

↗#

bashLINUXsudovisudosecurity

bash

sudo visudo

Always use `visudo` instead of editing sudoers directly.

Test SSH daemon config

Validate SSH daemon configuration for syntax errors.

↗#

bashLINUXsshsshdconfig

bash

sudo sshd -t

Run before restarting SSH to avoid locking yourself out.

Install SSH public key manually

Append a key to authorized_keys.

↗#

bashLINUXsshkeysauth

bash

cat id_ed25519.pub >> ~/.ssh/authorized_keys

Ensure permissions on `~/.ssh` and `authorized_keys` are strict.

Permissions ACLs and Special Bits

Go beyond rwx with ACLs, sticky bit, and setuid/setgid.

Set sticky bit on shared directory

Allow only owners to delete their own files in a shared directory.

↗#

bashLINUXchmodsticky-bitpermissions

bash

chmod +t /shared/tmp

Common on world-writable directories like `/tmp`.

Set setgid on directory

Force new files to inherit the directory group.

↗#

bashLINUXchmodsetgidpermissions

bash

chmod g+s /srv/shared

Useful for team-shared directories.

Find setuid files

Search for files with the setuid bit set.

↗#

bashLINUXfindsetuidsecurity

bash

find / -perm -4000 -type f 2>/dev/null

Useful for security audits and hardening reviews.

Find world-writable paths

Audit files or directories writable by anyone.

↗#

bashLINUXfindpermissionssecurity

bash

find / -xdev -type d -perm -0002 2>/dev/null

Useful for security posture reviews.

Set default ACL on directory

Apply inherited ACL rules to new files and directories.

↗#

bashLINUXacldefaultpermissions

bash

setfacl -d -m g:appteam:rwx shared/

Useful in team collaboration directories.

SELinux and AppArmor Basics

Inspect and work with Linux mandatory access control frameworks.

Show SELinux mode

Print current SELinux mode.

↗#

bashLINUXselinuxsecuritymode

bash

getenforce

Common first step on SELinux-enabled hosts.

Show SELinux status

Display SELinux policy and mode details.

↗#

bashLINUXselinuxsecuritystatus

bash

sestatus

Provides more context than `getenforce`.

Restore SELinux contexts

Reset file labels according to policy.

↗#

bashLINUXselinuxrestoreconsecurity

bash

sudo restorecon -Rv /var/www/html

Very useful when copied files have wrong SELinux labels.

Allow service on custom SELinux port

Add or modify SELinux port context mapping.

↗#

bashLINUXselinuxportssecurity

bash

sudo semanage port -a -t http_port_t -p tcp 8080

Required when services move to nonstandard ports on SELinux systems.

Show AppArmor status

Display loaded AppArmor profiles.

↗#

bashLINUXapparmorsecuritystatus

bash

sudo aa-status

Useful on Ubuntu and other AppArmor-enabled systems.

Inspect recent audit messages

Query audit-related journal entries.

↗#

bashLINUXauditsecurityjournalctl

bash

journalctl -t audit --since '1 hour ago'

Helpful when security policy blocks access and you need clues quickly.

More in Linux

Linux Networking Admin Cheat Sheet

Comprehensive Linux networking administration reference covering iproute2, DNS, HTTP debugging, TLS, SSH tunnels, packet capture, and firewall inspection.

Linux Shell Scripting Cheat Sheet

High-value Linux shell scripting reference covering variables, expansion, conditionals, loops, functions, redirection, pipelines, traps, getopts, and script debugging.

Linux Package Management Cheat Sheet

Comprehensive Linux package management reference for apt, dnf, yum, pacman, zypper, rpm, and dpkg workflows across common distributions.

Linux Command Cheat Sheet

Comprehensive Linux command reference covering navigation, files, text processing, permissions, processes, system information, networking, archives, services, storage, and troubleshooting.

Recommended next

Bash Scripting Patterns and Practical Recipes

BASH

Production-minded Bash script patterns for files, arguments, parsing, temp files, logging, retries, and common automation tasks.

Bash Builtins, Job Control, and Shell Behavior

BASH

Core Bash builtins, shell options, history, aliases, job control, traps, and interactive-shell behavior.

Bash Arrays, Strings, and Text Handling

BASH

Indexed and associative arrays, string handling, read/mapfile, and common Bash text-processing patterns.

Bash Conditionals, Loops, and Functions

BASH

Bash if/elif/case logic, test expressions, loops, functions, return codes, and robust control-flow patterns.

Bash Variables, Quoting, and Expansion

BASH

Bash variables, parameter expansion, quoting rules, command substitution, arithmetic, and shell expansion patterns.

Bash Cheat Sheet

BASH

Comprehensive Bash commands, shell syntax, quoting, variables, redirection, pipelines, and day-to-day scripting patterns.

Browse all sheets →