Do not forget that all permissions are related to user ID and group ID, not name.

A user can delete a file on which he isn't the owner, if he is the owner of the directory and rights on this folder allows him to write it

Ex:

manu@manu-opensuse:~> ls -ld /home/manu
drwx------ 45 manu users 4096 Aug 17 11:01 /home/manu
manu@manu-opensuse:~> ls -l test*
-rw-r--r-- 1 root root    0 Aug 17 12:01 test
-rw-r--r-- 1 manu users   0 Aug 17 12:02 test1
manu@manu-opensuse:~> rm test
rm: remove write-protected regular empty file 'test'? y
manu@opensuse:~> ls -l test*
-rw-r--r-- 1 manu users   0 Aug 17 12:01 test1

3 commands that can be used to change permissions…

chmod 644 <file>
chmod {ugo}{+,-,=}{rwx} <file>
chmod <user>{.:}<group> <file>
chgoup <group> <file>

Set user ID on a file

chmod u+s <file>

This file 'll be executed as file owner, even if my owner is not the same.

Ex: /usr/bin/passwd this will access the file /etc/shadow which requires root permissions

List all SUID files

find / -perm /4000 -ls

Set group ID on a file or directory

chmod g+s <file>

If you set GUID on a folder, all newly created files will inherit from group of the parent foder

List all GUID files

find / -perm /2000 -ls

Sticky bit: only user of the file or directory is authorized to remove the files inside the folder. It's used in conjuction with GUID

# chmod +t mydir/
# ls -l 
drwxrwsr-t  2 manu users     6 Aug 17 15:50 aaa

Now it can be useful to remove read access to others

# chmod o-rx mydir
# ls -l 
drwxrws--T  2 manu users     6 Aug 17 15:50 aaa

ACL are enable on most latest newly created filesystems by default, you can check using tune2fs -l <logical_vol_name>

manu-opensuse:~ # tune2fs -l /dev/mapper/libraryvg-uncryptlv
tune2fs 1.43.8 (1-Jan-2018)
...
Default mount options:    user_xattr acl

manu@opensuse:~> umask
0022

New files will be created with permissions: 0777-0022=0755 (rwxr-xr-x)

First bit is for special permissions

List ACL on file or folder

manu@opensuse:~> getfacl aaa
# file: aaa
# owner: manu
# group: users
# flags: --t
user::rwx
group::r-x
other::r-x

When are ACL used ?

manu@opensuse:~> setfacl -R -m g:qemu:rx aaa

manu@opensuse:~> ls -l 
drwxr-xr-t+  2 manu users     6 Aug 17 15:50 aaa

If you see the + at end of permissions, use getfacl, because ls -l doesn't knows ACL

manu@opensuse:~> getfacl aaa
# file: aaa
# owner: manu
# group: users
# flags: --t
user::rwx
group::r-x
group:qemu:r-x
mask::r-x
other::r-x

If you use an X instead of x, execute applies only to directories, not for files

New files doesn't inherit ACL from foder, so add also a default policy d:

manu@opensuse:~> setfacl -R -m d:g:qemu:rx aaa
manu@opensuse:~> getfacl aaa
# file: aaa
# owner: manu
# group: users
# flags: --t
user::rwx
group::r-x
group:qemu:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:qemu:r-x
default:mask::r-x
default:other::r-x

If extended user attribute is enable on a file or folder, you 'll see a dot (.) at end of file proterties

  -rw-r-----. 1 root root     32 Oct 15  2018 secret.key

lsattr <file>

You can change a file to secure delete, immutable… check chattr command