The concept of permissions and ownership is crucial in Linux. On a Linux system, each file and directory is assigned access rights for the owner of the file, the members of a group of related users, and everybody else.
- owner - the owner permissions apply only to the owner of the file or directory (the owner bits are checked first, so they apply even when the owner is also a member of the group)
- group - the group permissions apply to members of the group assigned to the file or directory
- other users - the other users' permissions apply to everyone else on the system, that is, anyone who is neither the owner nor a member of the group
Symbolic | Octal | Meaning |
---------- | 0000 | no permissions |
-rwx------ | 0700 | read, write, & execute only for owner |
-rwxrwx--- | 0770 | read, write, & execute for owner and group |
-rwxrwxrwx | 0777 | read, write, & execute for owner, group and others |
---x--x--x | 0111 | execute |
--w--w--w- | 0222 | write |
--wx-wx-wx | 0333 | write & execute |
-r--r--r-- | 0444 | read |
-r-xr-xr-x | 0555 | read & execute |
-rw-rw-rw- | 0666 | read & write |
-rwxr----- | 0740 | owner can read, write, & execute; group can only read; others have no permissions |
To see the permissions of a file or directory, use the ls -l command
- ls -l
Besides the permissions, ls -l shows the link count, owner, group, size and modification time of each entry. The first character of the permissions field indicates the type of each entry:
- d = directory
- - = regular file
- l = symbolic link
Modifying file permissions
chmod
The chmod command changes the permissions of a file or directory. Permissions can be specified in two ways: numeric (octal) mode and symbolic mode.
Method #1
- chmod 744 user_file.txt
- ls -l user_file.txt
In this example we assigned
- read,write,execute -> owner
- read -> group members
- read -> others
Meaning: each digit is a three-bit number for one class, with r = 4, w = 2 and x = 1, so a digit is the sum of the bits that are set
- rwx = 111 in binary = 7
- rw- = 110 in binary = 6
- r-x = 101 in binary = 5
- r-- = 100 in binary = 4
744 therefore reads as rwxr--r--.
Method #2
- chmod u=rx,g=r,o=rw user_file.txt
- ls -l user_file.txt
In this example we assigned
- read,execute -> owner
- read -> group members
- read,write -> others
so ls -l shows -r-xr--rw- (546 in numeric mode). The three triplets side by side, with the numeric equivalent
- rwx rwx rwx = 111 111 111 = 777
- rw- rw- rw- = 110 110 110 = 666
- rwx --- --- = 111 000 000 = 700
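The octal digits and the rwx strings are two spellings of the same bits. The following added example (not from the original page) converts between them in POSIX sh, including the setuid, setgid and sticky bits covered further down the page, and applies a mode to a scratch file to show that ls -l reports exactly the converted string. The function names are my own; the scratch file comes from mktemp.

```sh
#!/bin/sh
# Added example, not from the original page: convert between the octal mode
# chmod takes and the rwx string ls -l prints, special bits included.

# One permission triplet. $1 = octal digit 0-7, $2 = non-zero when the
# special bit belonging to this triplet is set, $3 = its letter (s or t).
triplet() {
    r=-; w=-; x=-
    if [ $(( $1 & 4 )) -ne 0 ]; then r=r; fi
    if [ $(( $1 & 2 )) -ne 0 ]; then w=w; fi
    if [ $(( $1 & 1 )) -ne 0 ]; then x=x; fi
    if [ "$2" -ne 0 ]; then
        # special bit on top of x is lower case; without x it is upper case
        # (S or T), which usually means a mistake such as chmod 4644
        if [ "$x" = x ]; then x=$3; else x=$(printf '%s' "$3" | tr st ST); fi
    fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# 3- or 4-digit octal mode -> 9-character permission string, e.g. 4755 -> rwsr-xr-x
octal_to_symbolic() {
    mode=$1
    case $mode in
        ''|*[!0-7]*) echo "octal_to_symbolic: bad mode '$mode'" >&2; return 1 ;;
    esac
    case ${#mode} in
        3) special=0 ;;
        4) special=${mode%???}; mode=${mode#?} ;;
        *) echo "octal_to_symbolic: expected 3 or 4 digits" >&2; return 1 ;;
    esac
    u=${mode%??}; rest=${mode#?}; g=${rest%?}; o=${rest#?}
    printf '%s%s%s\n' \
        "$(triplet "$u" $(( special & 4 )) s)" \
        "$(triplet "$g" $(( special & 2 )) s)" \
        "$(triplet "$o" $(( special & 1 )) t)"
}

# 9-character string, or the full 10-character ls -l field, -> 4-digit octal mode
symbolic_to_octal() {
    s=$1
    if [ ${#s} -eq 10 ]; then s=${s#?}; fi   # drop the type character (-, d, l, ...)
    if [ ${#s} -ne 9 ]; then echo "symbolic_to_octal: bad string '$1'" >&2; return 1; fi
    special=0; digits=''; i=0
    while [ $i -lt 3 ]; do
        t=${s%"${s#???}"}; s=${s#???}         # peel off the next triplet
        v=0
        case $t in r??) v=$(( v + 4 )) ;; esac
        case $t in ?w?) v=$(( v + 2 )) ;; esac
        case $t in ??[xst]) v=$(( v + 1 )) ;; esac
        case $t in ??[sStT]) special=$(( special | (4 >> i) )) ;; esac   # 4, 2 or 1
        digits=$digits$v
        i=$(( i + 1 ))
    done
    printf '%d%s\n' "$special" "$digits"
}

# chmod a scratch file with the given mode and read back what ls -l reports,
# so the tables on this page can be checked against the real thing
apply_and_read() {
    f=$(mktemp) || return 1
    chmod "$1" "$f" || { rm -f "$f"; return 1; }
    field=$(ls -l "$f" | cut -c1-10)
    rm -f "$f"
    printf '%s\n' "${field#?}"
}

for m in 744 546 755 4755 2775 1777 4644; do
    printf '%s -> %s\n' "$m" "$(octal_to_symbolic "$m")"
done
printf 'chmod 4755 on a scratch file, as reported by ls -l: %s\n' "$(apply_and_read 4755)"
```

symbolic_to_octal accepts the whole 10-character field straight from ls -l, so a permission string pasted from a listing can be turned back into the number you would pass to chmod. A capital S or T in the output of octal_to_symbolic is worth noticing: it means a special bit was set on a class that has no execute permission, which is almost always a typo in the mode.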
Symbolic mode
Symbolic mode modifies the permissions of one class (user, group, other or all) at a time, using the operators +, - and = to add, remove or set permissions while leaving the classes you do not mention untouched.
- chmod a+x some_file.txt
- chmod g-x some_file.txt
- chmod o+wx some_file.txt
Meaning table
Operator | Description |
+ | Adds a permission to a file or directory |
- | Removes the permission |
= | Sets the permission and overrides the permissions set earlier. |
User Denotations | |
u | user/owner |
g | group |
o | other |
a | all |
Examples
Value | Meaning |
777 | (rwxrwxrwx) No restrictions on permissions. Anybody may do anything. Generally not a desirable setting. |
755 | (rwxr-xr-x) The file’s owner may read, write, and execute the file. All others may read and execute the file. This setting is common for programs that are used by all users. |
700 | (rwx------) The file's owner may read, write, and execute the file. Nobody else has any rights. This setting is useful for programs that only the owner may use and must be kept private from others. |
666 | (rw-rw-rw-) All users may read and write the file. |
644 | (rw-r--r--) The owner may read and write a file, while all others may only read the file. A common setting for data files that everybody may read, but only the owner may change. |
600 | (rw-------) The owner may read and write a file. All others have no rights. A common setting for data files that the owner wants to keep private. |
Modifying directory permissions
The chmod command can also be used to control the access permissions for directories.
- r - allows the names in the directory to be listed (plain ls); to see details with ls -l or to open the entries, x is also needed
- w - allows files within the directory to be created, deleted or renamed, provided x is also set
- x - allows the directory to be entered (cd dir) and its entries to be accessed by name
chmod
Initial directory permissions example (755, the usual result of mkdir with the default umask of 022):
In this example the directory has
- read,write,execute -> owner
- read,execute -> group members
- read,execute -> others
Changing permissions
- chmod u=rwx,g=rx,o=wx user_directory
- ls -l
- ls -l user_directory
In this example we changed to
- read,write,execute -> owner
- read,execute -> group members
- write,execute -> others
Note what o=wx means here: other users can enter the directory and create, delete or rename files in it, but cannot list its contents because they lack r.
Examples
Value | Meaning |
777 | (rwxrwxrwx) No restrictions on permissions. Anybody may list files, create new files in the directory and delete files in the directory. Generally not a good setting. |
755 | (rwxr-xr-x) The directory owner has full access. All others may list the directory, but cannot create files nor delete them. This setting is common for directories that you wish to share with other users. |
700 | (rwx------) The directory owner has full access. Nobody else has any rights. This setting is useful for directories that only the owner may use and must be kept private from others. |
Changing File/Directory Ownership
You can change the owner of a file/directory by using the chown command. This requires sudo or root privileges.
File
- ls -l user_file.txt
- sudo chown root user_file.txt
- ls -l user_file.txt
In this example we changed the owner of the file from vry4n to root
Directory
In this example we changed the owner of the directory “user_directory”; notice that the entries inside it keep their original owner, because chown without -R only touches the directory itself
- ls -ld user_directory
- ls -l user_directory
- sudo chown root user_directory
- ls -ld user_directory
- ls -l user_directory
To change the owner of the directory and of everything inside it, use the recursive option
-R = recursive
- sudo chown -R root user_directory
- ls -ld user_directory
- ls -l user_directory
Changing file/directory Group Ownership
The group ownership of a file or directory is changed with chgrp.
chgrp
File
- ls -l user_file.txt
- sudo chgrp www-data user_file.txt
- ls -l user_file.txt
In this example we changed the group of the file from vry4n to www-data; the owner stays the same
Directory
In this example we changed the group of the directory “user_directory”; notice that the entries inside keep their original group. Since vry4n is now neither the owner nor a member of the directory's group, and others have no access, listing it as vry4n is denied, so the last listing is done with sudo
- ls -ld user_directory
- ls -l user_directory
- sudo chgrp www-data user_directory
- ls -ld user_directory
- sudo ls -l user_directory
To change the group of the directory and of everything inside it, use the recursive option (chown also accepts owner:group to change both at once)
-R = recursive
- sudo chgrp -R www-data user_directory
- ls -ld user_directory
- ls -l user_directory
Advanced
Special Permissions
s - indicates setuid (in the owner triplet) or setgid (in the group triplet). There is no separate column for it in the ls -l output: it replaces the x in the owner or group execute position (a capital S means the bit is set but execute is not).
t - indicates the sticky bit. It replaces the x in the others execute position (a capital T means the bit is set but others lack execute).
setuid - s
The setuid bit tells the kernel to run an executable with the effective user ID of the file's owner instead of that of the user who launched it.
Be careful with setuid/setgid bits. A setuid-root program with a bug, or one that others can modify or replace, hands root to anyone who can run it. The kernel ignores the bit on scripts and on filesystems mounted nosuid, so it only has an effect on compiled binaries.
The setuid bit is set with a leading 4 in numeric mode or with u+s in symbolic mode; either way it shows as s.
- chmod 4777 file_name
- chmod u+s file_name
How to
1. /usr/bin/whoami is owned by root and executable by everyone; it prints the effective user of the process, so run normally it prints the caller's name, in this case vry4n
- ls -l /usr/bin/whoami
- /usr/bin/whoami
2. Set the setuid bit so that it runs as its owner (root)
- sudo chmod u+s /usr/bin/whoami
- ls -l /usr/bin/whoami
3. Run it again without sudo: the process now has root as its effective user, so whoami reports root instead of the user who started it. Do this only on a throwaway machine and remove the bit afterwards (u-s); a stray setuid-root binary is exactly what the warning above is about
- /usr/bin/whoami
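Before flipping setuid on anything, it is worth knowing what on the system already carries these bits. The following added example (not from the original page) audits a directory tree with find -perm for setuid and setgid files and for world-writable directories with and without the sticky bit, and runs itself against a constructed scratch tree; every name in that tree is made up for the demonstration.

```sh
#!/bin/sh
# Added example, not from the original page: audit a directory tree for the
# special bits discussed in this section, using nothing but find -perm.
# Each output line is "kind path", so the result can be diffed against a
# baseline taken when the system was known to be clean.
audit_special_bits() {
    root=$1
    # setuid executables run as their owner, setgid ones as their group
    find "$root" -type f -perm -4000 -print | sed 's/^/setuid /'
    find "$root" -type f -perm -2000 -print | sed 's/^/setgid /'
    # world-writable directories: with the sticky bit users can only delete
    # their own files (the /tmp model); without it anyone can delete anything
    find "$root" -type d -perm -0002 -perm -1000 -print | sed 's/^/sticky-world-writable /'
    find "$root" -type d -perm -0002 ! -perm -1000 -print | sed 's/^/world-writable-no-sticky /'
}

# Constructed scratch tree to run the audit against; every name in it is made
# up for this demonstration. The kernel ignores setuid on a script, but the
# bit still sits on the inode and an audit must still report it. chmod drops
# the setgid bit silently if you are not a member of the file's group.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\nid\n' > "$d/suid_bin";  chmod 4755 "$d/suid_bin"
    printf '#!/bin/sh\nid\n' > "$d/sgid_bin";  chmod 2755 "$d/sgid_bin"
    printf '#!/bin/sh\nid\n' > "$d/plain_bin"; chmod 755  "$d/plain_bin"
    mkdir "$d/dropbox"; chmod 1777 "$d/dropbox"
    mkdir "$d/loose";   chmod 777  "$d/loose"
    mkdir "$d/private"; chmod 700  "$d/private"
    printf '%s\n' "$d"
}

tree=$(make_sample_tree)
audit_special_bits "$tree"
rm -rf "$tree"
```

On a real host you would point audit_special_bits at / (redirecting stderr to hide permission errors), sort the output into a file, and diff it against the previous run; a new setuid line or a new world-writable directory without the sticky bit is what you want to hear about.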
Setgid - s
The setgid bit applies to both files and directories. On an executable file it makes the process run with the effective group of the file's group owner instead of the group of the user who executed it.
- chmod 2777 file_name
- chmod g+s file_name
On a directory it makes every file and subdirectory created inside inherit the directory's group instead of the creating user's primary group. This is what makes group-shared directories work: whoever creates a file, it belongs to the shared group, and the other members can work with it as far as the group permissions allow.
How to
1. The directory vk9-test is group-owned by root; first confirm the current user is not a member of the root group
- id
2. Check the directory's permissions and set the setgid bit
- ls -ld vk9-test
- sudo chmod g+s vk9-test
- ls -ld vk9-test
3. Because the others triplet grants write on this directory, our user can create a subdirectory and a file inside it
- cd vk9-test
- mkdir new-dir
- touch new-file
4. Listing them shows their group is root, inherited from the directory, even though vry4n is not a member of root
- ls -l
Sticky Bit
A Sticky bit is a permission bit that is set on a file or a directory that lets only the owner of the file/directory or the root user to delete or rename the file. No other user is given privileges to delete the file created by some other user.
- chmod -t vk9-dir
- chmod +t vk9-dir
- chmod 1777 vk9-dir
The sticky bit shows as t in the others execute position. It is used on directories; on Linux it has no effect on regular files.
- sudo chmod +t vk9-dir
- ls -ld vk9-dir
Other users with write permission on the directory can still create files in it and edit files they are allowed to write, but they can no longer delete or rename files that belong to someone else.
How to
1. We create a directory owned by root with permissions 757 (rwxr-xrwx); since root owns it, chmod also needs sudo
- sudo mkdir directory1
- sudo chmod 757 directory1
- ls -ld directory1
2. Others have read/write/execute on the directory. Deleting or renaming a file is an operation on the directory, not on the file, so any user with write on directory1 can remove any file in it, whoever owns it and whatever the file's own permissions say (editing the file's contents still depends on the file's own permissions)
vk9-user (creates a file within directory1)
- touch test.txt
- ls -l test.txt
vry4n (deletes that file)
- ls
- rm -f test.txt
- ls
3. Now I will set the sticky bit to directory1
- cd ..
- sudo chmod 1757 directory1
- ls -ld directory1
4. We repeat the same steps: vk9-user creates a file in directory1 and vry4n tries to delete it
vk9-user
- touch test.txt
- ls -l test.txt
vry4n
- rm -f test.txt
- ls -l test.txt
This time rm fails with “Operation not permitted” and the file is still there. With the sticky bit set, users can still add files to the directory and edit files they have write permission on, but only the file's owner, the directory's owner or root can delete or rename a file in it.
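The setgid and sticky bit steps above combine into the usual recipe for a group drop-box directory. The following added example (not from the original page) scripts it in POSIX sh: mode 3770 sets both bits on a group-owned directory, and a second function shows that a file created inside inherits the directory's group. The function names, the scratch location and the use of the caller's own primary group are choices made for this demonstration so that it runs without root; on a real system you would run it as root against a path such as /srv/project with a dedicated group.

```sh
#!/bin/sh
# Added example, not from the original page: the group drop-box recipe that
# the setgid and sticky bit sections build up to.
# 3770 = 2000 (setgid) + 1000 (sticky) + 770 (rwxrwx---):
#   setgid -> files created inside inherit the directory's group
#   sticky -> only a file's owner, the directory's owner or root may delete
#             or rename it, even though every group member can write here
#   770    -> users outside the group get nothing
setup_shared_dir() {
    dir=$1; group=$2
    mkdir -p "$dir" || return 1
    chgrp "$group" "$dir" || return 1     # needs membership in $group, or root
    chmod 3770 "$dir" || return 1
    ls -ld "$dir" | cut -c1-10            # expected: drwxrws--T (T: sticky, no x for others)
}

# Create a file inside the directory and report the group it received.
# With setgid on the directory this is the directory's group, not the
# creating user's primary group.
group_of_new_file() {
    dir=$1
    f=$dir/new-file.$$
    : > "$f" || return 1
    ls -l "$f" | awk '{ print $4 }'
}

# Demonstration in a scratch location with the caller's own primary group,
# chosen so the example works without root. As root you would use a real
# path and a dedicated group, e.g. setup_shared_dir /srv/project developers
base=$(mktemp -d)
setup_shared_dir "$base/shared" "$(id -gn)"
group_of_new_file "$base/shared"
rm -rf "$base"
```

The T rather than t in the listing is expected: the sticky bit is set but others have no execute permission, which is the point of 770. If members also need to edit each other's files, that is governed by the mode of each file (and the members' umask), not by the directory bits.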