Linux Permissions and Security Cheat Sheet

High-value Linux permissions and security reference covering users, sudo, ACLs, special mode bits, SSH access, SELinux, and AppArmor basics.


Accounts, Authentication, and Access

Audit identities, SSH access, and authentication-related state.

Query passwd database

Resolve user information through NSS.

```bash
getent passwd alice
```
Notes

Useful on systems backed by LDAP or other NSS sources.

Query group database

Resolve group entries through NSS.

```bash
getent group docker
```
Notes

Useful when group data is not only in local `/etc/group`.

Lock user password

Disable password authentication for a user.

```bash
sudo passwd -l deploy
```
Notes

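Useful during account offboarding or incident response. Locking only invalidates the password; logins with other credentials, such as SSH keys, still work.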

Show password aging info

Inspect account password expiration details.

```bash
sudo chage -l alice
```
Notes

Useful for compliance and access reviews.

Safely edit sudoers

Open sudoers with syntax checking and locking.

```bash
sudo visudo
```
Notes

Always use `visudo` instead of editing sudoers directly.

Test SSH daemon config

Validate SSH daemon configuration for syntax errors.

```bash
sudo sshd -t
```
Notes

Run before restarting SSH to avoid locking yourself out.

Install SSH public key manually

Append a key to authorized_keys.

```bash
cat id_ed25519.pub >> ~/.ssh/authorized_keys
```
Notes

Ensure permissions on `~/.ssh` and `authorized_keys` are strict.
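An added example, not part of the original sheet: a POSIX shell version of the key install that appends each key only once and enforces modes 700 on the `.ssh` directory and 600 on `authorized_keys`, plus a check for the group/world-writable state that sshd's `StrictModes` rejects. The function names `install_key` and `check_ssh_perms` are hypothetical.

```bash
#!/bin/sh
# Added example; install_key and check_ssh_perms are hypothetical helper names.

# install_key PUBKEY_FILE [SSH_DIR]
# Appends each key line at most once and enforces 700/600 modes.
install_key() {
    pub=$1
    dir=${2:-"$HOME/.ssh"}
    auth="$dir/authorized_keys"
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }
    # Create missing paths under a restrictive umask so they are never
    # briefly accessible to other users.
    ( umask 077; mkdir -p "$dir" && touch "$auth" ) || return 1
    # Tighten modes on paths that already existed.
    chmod 700 "$dir" || return 1
    chmod 600 "$auth" || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        # -x whole line, -F fixed string: skip keys already installed.
        grep -qxF -- "$line" "$auth" || printf '%s\n' "$line" >> "$auth"
    done < "$pub"
}

# check_ssh_perms [SSH_DIR]
# Returns 0 only if authorized_keys exists and neither it nor the
# directory is writable by group or others.
check_ssh_perms() {
    dir=${1:-"$HOME/.ssh"}
    auth="$dir/authorized_keys"
    [ -f "$auth" ] || { echo "missing $auth" >&2; return 1; }
    # -prune keeps find from descending; only the two paths are tested.
    loose=$(find "$dir" "$auth" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)
    [ -z "$loose" ] || { echo "group/world-writable: $loose" >&2; return 1; }
}

# Usage: install_key id_ed25519.pub && check_ssh_perms
```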

Permissions, ACLs, and Special Bits

Go beyond rwx with ACLs, sticky bit, and setuid/setgid.

Set sticky bit on shared directory

Allow users to delete only their own files in a shared directory.

```bash
chmod +t /shared/tmp
```
Notes

Common on world-writable directories like `/tmp`.

Set setgid on directory

Force new files to inherit the directory group.

```bash
chmod g+s /srv/shared
```
Notes

Useful for team-shared directories.

Find setuid files

Search for files with the setuid bit set.

```bash
find / -perm -4000 -type f 2>/dev/null
```
Notes

Useful for security audits and hardening reviews.

Find world-writable paths

Audit directories writable by anyone, staying on the root filesystem.

```bash
find / -xdev -type d -perm -0002 2>/dev/null
```
Notes

Useful for security posture reviews.

Set default ACL on directory

Apply inherited ACL rules to new files and directories.

```bash
setfacl -d -m g:appteam:rwx shared/
```
Notes

Useful in team collaboration directories.

SELinux and AppArmor Basics

Inspect and work with Linux mandatory access control frameworks.

Show SELinux mode

Print current SELinux mode.

```bash
getenforce
```
Notes

Common first step on SELinux-enabled hosts.

Show SELinux status

Display SELinux policy and mode details.

```bash
sestatus
```
Notes

Provides more context than `getenforce`.

Restore SELinux contexts

Reset file labels according to policy.

```bash
sudo restorecon -Rv /var/www/html
```
Notes

Very useful when copied files have wrong SELinux labels.

Allow service on custom SELinux port

Add or modify SELinux port context mapping.

```bash
sudo semanage port -a -t http_port_t -p tcp 8080
```
Notes

Required when services move to nonstandard ports on SELinux systems.

Show AppArmor status

Display loaded AppArmor profiles.

```bash
sudo aa-status
```
Notes

Useful on Ubuntu and other AppArmor-enabled systems.

Inspect recent audit messages

Query audit-related journal entries.

```bash
journalctl -t audit --since '1 hour ago'
```
Notes

Helpful when security policy blocks access and you need clues quickly.