I often see people struggling with Linux permissions (Aka "permissions hell"). But the fact is with a little explanation, Linux permissions are actually rather simple. So I'm going to write a little article to explain how they work.
To demonstrate, I've created a file called "file". We can check it's permissions by using "ls -l file", for example
$ ls -l file
-rwxrwxrwx 1 azelphur azelphur 0 Jun 30 01:14 file
Lets break this apart and explain what this output means, I'm not going to go over the entire thing (That's what the manpages are for), just enough to give you a basic understanding of how the Linux permissions system works.
-rwxrwxrwx 1 azelphur azelphur 0 Jun 30 01:14 file
This is the first group of read, write and execute permissions (r, w and x respectively). They dicate whether the file can be accessed, modified or ran as a program. This group applies to the owner of the file. So with our example, the owner of the file can read, write and execute our test file.
-rwxrwxrwx 1 azelphur azelphur 0 Jun 30 01:14 file
This is the second group, it applies to what group the file is in
-rwxrwxrwx 1 azelphur azelphur 0 Jun 30 01:14 file
This is the third group, it applies to others, as in everybody who isn't the owner, or isn't in the files group.
-rwxrwxrwx 1 azelphur azelphur 0 Jun 30 01:14 file
This is the owner of the file, nice and simple. I own file.
-rwxrwxrwx 1 azelphur azelphur 0 Jun 30 01:14 file
This is the group the file is in, it's in my group.
In order to be as secure as possible, the general premise is that you should try to achieve what you want to do by giving out the least access possible. Now for some example scenarios...
"file" is my bank statement, I obviously don't want anyone but myself to be able to access it, so I'd want to remove the permissions for (g)roup and (o)thers so that only I could read it.
$ chmod g-rwx file
$ chmod o-rwx file
$ ls -l file
-rwx------ 1 azelphur azelphur 0 Jun 30 01:14 file
As you can now see, all of the permissions for the group, and others have been removed. Meaning only I can read the file.
I have an accountant, his username is steve. I want Steve to be able to read my bank statement, but not edit it, and not be able to see any of my other files. A good way of doing is to create a group called "accounting" and put both me and Steve into this group, and then give the group permission to read the file.
$ sudo addgroup accounting
Adding group `accounting' (GID 1001) ...
Done.
$ sudo adduser azelphur accounting
Adding user `azelphur' to group `accounting' ...
Adding user azelphur to group accounting
Done.
$ sudo adduser steve accounting
Adding user `steve' to group `accounting' ...
Adding user steve to group accounting
Done.
$ sudo chgrp accounting file
$ chmod g+r file
$ ls -l file
-rwxr----- 1 azelphur accounting 0 Jun 30 01:14 file
I created the "accounting" group, added me and steve the accountant into it, changed the files group to accounting, and gave the group permission to read the file. The end result is that I can read, write and execute the file, while steve, a member of the accounting group, can only read the file.
Finally, I realised I created the file on the wrong user and that it should actually be owned by my other account, bob.
$ sudo chown bob file
$ ls -l file
-rwxr----- 1 bob accounting 0 Jun 30 01:14 file
As you can see, file is now owned by bob.
That should give you a basic overview of how Linux permissions work, and what they are for. Hopefully this ends your permissions hell! :)