File Permissions in Linux/Unix

The concept of permissions and ownership is crucial in Linux. On a Linux system, each file and directory is assigned access rights for the owner of the file, the members of a group of related users, and everybody else.

  • owner – The owner permissions apply only to the owner of the file or directory
  • group – The group permissions apply only to the members of the group that has been assigned to the file or directory
  • other users – The other users’ permissions apply to all other users on the system, that is, anyone who is neither the owner nor a member of the group

Common octal permission values in Linux

The leading digit of the four-digit form holds the special bits (setuid, setgid, sticky) covered under Advanced below; 0 means none of them is set. The first character of each string is the file type, so these entries are shown as regular files.

---------- 0000 no permissions
-rwx------ 0700 read, write, & execute only for owner
-rwxrwx--- 0770 read, write, & execute for owner and group
-rwxrwxrwx 0777 read, write, & execute for owner, group and others
---x--x--x 0111 execute
--w--w--w- 0222 write
--wx-wx-wx 0333 write & execute
-r--r--r-- 0444 read
-r-xr-xr-x 0555 read & execute
-rw-rw-rw- 0666 read & write
-rwxr----- 0740 owner can read, write, & execute; group can only read; others have no permissions

In order to see the permissions of a file/directory, we use the ‘ls -l’ Linux command

  • ls -l

The ‘ls -l’ command also shows other information about each entry besides its permissions: the link count, owner, group, size and modification time. The first character of the permission string indicates the type of each entry

  • d = directory
  • - = regular file
  • l = symbolic link


Modifying file permissions

chmod

The chmod command is used to change the permissions of a file or directory. There are two ways to specify the permissions.

Method #1

  • chmod 744 user_file.txt
  • ls -l user_file.txt

In this example we assigned

  • read,write,execute -> owner
  • read -> group members
  • read -> others

Meaning

  • rwx = 111 in binary = 7
  • rw- = 110 in binary = 6
  • r-x = 101 in binary = 5
  • r-- = 100 in binary = 4

Method #2

  • chmod u=rx,g=r,o=rw user_file.txt
  • ls -l user_file.txt

In this example we assigned

  • read,execute -> owner
  • read -> group members
  • read,write -> others

Meaning

  • rwx rwx rwx = 111 111 111 = 777
  • rw- rw- rw- = 110 110 110 = 666
  • rwx --- --- = 111 000 000 = 700
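Added example (this is editorial code, not from the original page): a POSIX shell function that does the binary-to-octal translation above in the other direction, turning the nine permission characters printed by ls -l into the octal number chmod takes. It also handles the s/S and t/T characters described under Advanced, and file_mode_octal applies it to a real path. The helper names and the temporary file used in demo are assumptions made for this example.

```shell
#!/bin/sh
# Added example: translate a symbolic mode string (the 9 characters after the
# type character in `ls -l`) into the octal form used with chmod.
# s/S (setuid, setgid) and t/T (sticky) sit in the execute positions.

mode_to_octal() {
    m=$1
    if [ "${#m}" -ne 9 ]; then
        echo "mode_to_octal: expected 9 characters such as rwxr-xr-x, got '$m'" >&2
        return 1
    fi
    special=0   # leading digit: 4 = setuid, 2 = setgid, 1 = sticky
    digits=""   # owner, group and others digits, appended as each triplet ends
    val=0       # value of the triplet being parsed
    pos=0       # 0-2 owner, 3-5 group, 6-8 others
    rest=$m
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}   # first character of $rest
        rest=${rest#?}          # drop it
        case $c in
            r) val=$((val + 4)) ;;
            w) val=$((val + 2)) ;;
            x) val=$((val + 1)) ;;
            s|S)                # setuid in the owner triplet, setgid in the group triplet
                if [ "$c" = s ]; then val=$((val + 1)); fi   # lowercase: x is set too
                if [ "$pos" -lt 3 ]; then special=$((special + 4)); else special=$((special + 2)); fi
                ;;
            t|T)                # sticky bit, others triplet
                if [ "$c" = t ]; then val=$((val + 1)); fi
                special=$((special + 1))
                ;;
            '-') ;;
            *)
                echo "mode_to_octal: unexpected character '$c' in '$m'" >&2
                return 1
                ;;
        esac
        pos=$((pos + 1))
        if [ $((pos % 3)) -eq 0 ]; then
            digits="$digits$val"
            val=0
        fi
    done
    printf '%d%s\n' "$special" "$digits"
}

# Read the permission bits of an existing path from `ls -ld` (columns 2-10,
# so ACL/xattr markers such as '+' or '@' after column 10 are ignored).
file_mode_octal() {
    mode_to_octal "$(ls -ld "$1" | cut -c2-10)"
}

# Demo on a constructed scratch file: the two chmod forms from Method #1 and
# Method #2 above, then a setuid bit on top.
demo() {
    f=$(mktemp)
    chmod 744 "$f"
    printf '%-24s -> %s\n' 'chmod 744' "$(file_mode_octal "$f")"
    chmod u=rx,g=r,o=rw "$f"
    printf '%-24s -> %s\n' 'chmod u=rx,g=r,o=rw' "$(file_mode_octal "$f")"
    chmod u+s "$f"              # owner execute is set, so ls shows a lowercase s
    printf '%-24s -> %s\n' 'chmod u+s' "$(file_mode_octal "$f")"
    rm -f "$f"
}
demo
```

The first character printed by ls -l is the type, not a permission, which is why file_mode_octal starts at column 2; an uppercase S or T means the special bit is set while the underlying execute bit is not, and the function keeps that distinction.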


Symbolic mode

Symbolic mode lets you change the permissions of one class at a time (owner, group, others or all) without restating the rest. It uses the operators +, - and = to add, remove or set permissions.

  • chmod a+x some_file.txt
  • chmod g-x some_file.txt
  • chmod o+wx some_file.txt

Meaning table

Operator   Description
+          Adds a permission to a file or directory
-          Removes the permission
=          Sets the permission and overrides the permissions set earlier

User denotations
u          user/owner
g          group
o          other
a          all

Examples

Value Meaning
777 (rwxrwxrwx) No restrictions on permissions. Anybody may do anything. Generally not a desirable setting.
755 (rwxr-xr-x) The file's owner may read, write, and execute the file. All others may read and execute the file. This setting is common for programs that are used by all users.
700 (rwx------) The file's owner may read, write, and execute the file. Nobody else has any rights. This setting is useful for programs that only the owner may use and must be kept private from others.
666 (rw-rw-rw-) All users may read and write the file.
644 (rw-r--r--) The owner may read and write a file, while all others may only read the file. A common setting for data files that everybody may read, but only the owner may change.
600 (rw-------) The owner may read and write a file. All others have no rights. A common setting for data files that the owner wants to keep private.

Modifying directory permissions

The chmod command can also be used to control the access permissions for directories.

  • r - Allows the names of the entries in the directory to be listed; without x the entries cannot be opened or inspected (ls shows the names, ls -l cannot show their details)
  • w - Allows files within the directory to be created, deleted, or renamed if the x attribute is also set. Deleting a file is a change to the directory, not to the file, so w on the directory is enough even when the file itself is read-only for you
  • x - Allows a directory to be entered (i.e. cd dir) and its entries to be accessed by name

chmod

Initial directory permissions example (a directory with the default mode 755, drwxr-xr-x):

In this example we assigned

  • read,write,execute -> owner
  • read,execute -> group members
  • read,execute -> others

Changing permissions

  • chmod u=rwx,g=rx,o=wx user_directory
  • ls -l
  • ls -l user_directory

In this example we changed to

  • read,write,execute -> owner
  • read,execute -> group members
  • write,execute -> others

Note that others now have w and x but not r: they can create, rename and delete entries in user_directory and reach entries whose names they already know, but they cannot list what is inside it.

Examples

Value Meaning
777 (rwxrwxrwx) No restrictions on permissions. Anybody may list files, create new files in the directory and delete files in the directory. Generally not a good setting.
755 (rwxr-xr-x) The directory owner has full access. All others may list the directory, but cannot create files nor delete them. This setting is common for directories that you wish to share with other users.
700 (rwx------) The directory owner has full access. Nobody else has any rights. This setting is useful for directories that only the owner may use and must be kept private from others.
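Added example (not from the original page): a new file or directory does not start at 777. The creating call asks for 666 (files) or 777 (directories) and the process umask clears bits from that request, which is why a freshly created directory comes out as 755 under the common default umask 022 and a file as 644. The created_mode function below, an assumed helper name, creates a throw-away entry under a given umask and reports the mode string ls -ld shows for it.

```shell
#!/bin/sh
# Added example: show how umask determines the initial permissions of newly
# created files (666 & ~umask) and directories (777 & ~umask).

# created_mode UMASK file|dir -> prints the 10-character mode string that
# ls -ld shows for a brand-new entry created under that umask.
created_mode() {
    mask=$1
    kind=$2
    base=$(mktemp -d)            # constructed scratch directory, removed below
    (
        umask "$mask"            # only affects this subshell
        case $kind in
            file) : > "$base/new" ;;     # redirection creates with a 666 request
            dir)  mkdir "$base/new" ;;   # mkdir creates with a 777 request
            *) echo "created_mode: kind must be file or dir" >&2; exit 1 ;;
        esac
    ) || { rm -rf "$base"; return 1; }
    ls -ld "$base/new" | cut -c1-10
    rm -rf "$base"
}

# Walk through the values a practitioner meets most often: 022 (typical
# default), 027 and 077 (group-only / owner-only hardening), 002 (shared
# group directories).
for u in 022 027 077 002; do
    printf 'umask %s: file %s  dir %s\n' "$u" \
        "$(created_mode "$u" file)" "$(created_mode "$u" dir)"
done
```

Because the file request is 666, a new file never has an execute bit regardless of umask; that has to be added afterwards with chmod, as in the Method #1 example above.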

Changing File/Directory Ownership

You can change the owner of a file/directory by using the chown command. This requires sudo or root privileges.

File

  • ls -l user_file.txt
  • sudo chown root user_file.txt
  • ls -l user_file.txt

In this example we changed the owner of the file from vry4n to root

Directory

In this example we changed the owner of the directory “user_directory”, but notice that the entries inside it keep their original owner

  • ls -ld user_directory
  • ls -l user_directory
  • sudo chown root user_directory
  • ls -ld user_directory
  • ls -l user_directory

In order to change the owner of the directory and of the files within it, use the recursive option

-R = recursive

  • sudo chown -R root user_directory
  • ls -ld user_directory
  • ls -l user_directory

Changing file/directory Group Ownership

The group ownership of a file or directory is changed with chgrp (chown owner:group changes both at once). An unprivileged user can only change the group of files they own, and only to a group they are a member of; anything else requires root.

chgrp

File

  • ls -l user_file.txt
  • sudo chgrp www-data user_file.txt
  • ls -l user_file.txt

In this example we changed the group of the file from vry4n to www-data

Directory

In this example we changed the owner group of the directory “user_directory”, but notice that the entries inside it keep their original group. Since we are now neither the owner nor part of the owner group, the vry4n user gets access denied when listing it, so the last listing is done with sudo

  • ls -ld user_directory
  • ls -l user_directory
  • sudo chgrp www-data user_directory
  • ls -ld user_directory
  • sudo ls -l user_directory

In order to change the group of the directory and of the files within it, use the recursive option

-R = recursive

  • sudo chgrp -R www-data user_directory
  • ls -ld user_directory
  • ls -l user_directory

Advanced

Special Permissions

s – Indicates the setuid (owner triplet) or setgid (group triplet) bit. It is not displayed as a separate field; it replaces the x in the execute position of the owner or group permissions (for example -rwsr-xr-x). A lowercase s means the execute bit is also set, an uppercase S means the special bit is set but execute is not.

t – Indicates the sticky bit. It replaces the x in the execute position of the others permissions (for example drwxrwxrwt); lowercase t means others also have execute, uppercase T means they do not.

setuid - s

The setuid bit tells the system to run an executable with the effective user ID of the file's owner, i.e. with the owner's permissions, no matter who starts it; setgid does the same with the file's group. Linux honours these bits on binaries only and ignores them on interpreted scripts.

Be careful using setuid/setgid bits in permissions. If you incorrectly assign permissions to a file owned by root with the setuid/setgid bit set, then you can open your system to intrusion: every user who can run the file gets root's privileges inside it, and if the file is also writable by others they can replace its code.

The setuid bit is assigned either with a leading 4 in the octal mode or with the character s on the owner in symbolic mode. The first form below is exactly the dangerous combination just described (setuid and world-writable); 4755 is the usual value.

  • chmod 4777 file_name
  • chmod u+s file_name

How to

1. We have an executable file owned by root that can be executed by everyone. It prints the name of the effective user running it, in this case vry4n

  • ls -l /usr/bin/whoami
  • /usr/bin/whoami

2. We set the setuid bit on the owner permissions so that the program runs as the owner (root)

  • sudo chmod u+s /usr/bin/whoami
  • ls -l /usr/bin/whoami

3. Run the program without sudo. Because of the setuid bit it runs with root's permissions, so the whoami output changes to root. Remove the bit again (u-s) once the test is done.

  • /usr/bin/whoami

setgid - s

The setgid bit affects both files and directories. When set on an executable file, the program runs with the effective group ID of the file's group instead of the group of the user who executes it.

  • chmod 2777 file_name
  • chmod g+s file_name

When the bit is set on a directory, files created in that directory get the same group as the parent directory instead of the creator's primary group, and subdirectories created there inherit the setgid bit as well. This is used for file sharing, since the new files can be accessed by all the users who are part of the group of the parent directory (subject to the group permission bits left by the creator's umask).

How to

1. This directory is owned by the root group; I confirm my user is not part of the root group

  • id

2. Check the permissions on the directory and activate setgid

  • ls -ld vk9-test
  • sudo chmod g+s vk9-test
  • ls -ld vk9-test

3. Since the others permissions give us write access to this folder, we create a directory and a file inside it

  • cd vk9-test
  • mkdir new-dir
  • touch new-file

4. Listing the details of these entries shows the owner group is root, even though our user vry4n is not part of the root group (the new directory also carries the setgid bit)

  • ls -l

Sticky Bit

The sticky bit is a permission bit set on a directory that lets only the owner of a file (or the owner of the directory, or root) delete or rename that file, even when other users have write permission on the directory. On modern Linux it has no effect on regular files, so it is used on shared directories such as /tmp.

  • chmod -t vk9-dir
  • chmod +t vk9-dir
  • chmod 1777 vk9-dir

The sticky bit shows as ‘t’ in the others execute position of the permissions.

  • sudo chmod +t vk9-dir
  • ls -ld vk9-dir

Other users with write and execute permission on the directory can still create files in it and modify files whose own permissions allow them to, but they cannot delete or rename files that belong to someone else.

How to

1. We create a directory owned by root, with permissions 757

  • sudo mkdir directory1
  • sudo chmod 757 directory1
  • ls -ld directory1

2. We can see that others have rights to read/write/execute. Users can create files and then delete other users' files, because deleting only needs write permission on the directory, not on the file; with the right bits on the file they can also modify its contents

vk9-user (creates a file within directory1)

  • touch test.txt
  • ls -l test.txt

vry4n (deletes that file)

  • ls
  • rm -rf test.txt
  • ls

3. Now I will set the sticky bit on directory1

  • cd ..
  • sudo chmod 1757 directory1
  • ls -ld directory1

4. We will try the same steps as before

Create a file within directory1 using the vk9-user account

Delete that file using the vry4n account

vk9-user

  • touch test.txt
  • ls -l test.txt

vry4n

  • rm -rf test.txt
  • ls -l test.txt

As a result, users can add/modify files within the directory that has the sticky bit set, but only the owner of a file (or the directory owner, or root) will be able to delete that file.
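Closing added example (editorial code, not from the original post), tying together the setuid warning and the sticky-bit section: a POSIX shell audit of a directory tree for the special-permission patterns that matter most for privilege escalation, namely setuid/setgid executables, setuid files that are also world-writable, setgid directories, and world-writable directories that lack the sticky bit. audit_tree and make_sample_tree are assumed names; the sample tree is constructed for the demo, and on a real host you would point audit_tree at / instead.

```shell
#!/bin/sh
# Added example: audit a directory tree for special-permission patterns.
# Each line of output is "<category>: <path>".

audit_tree() {
    root=$1
    # setuid / setgid executables run with the file owner's / group's rights
    find "$root" -type f -perm -4000 -print | sed 's/^/setuid-file: /'
    find "$root" -type f -perm -2000 -print | sed 's/^/setgid-file: /'
    # a setuid file that others can write lets them replace the code that runs as the owner
    find "$root" -type f -perm -4002 -print | sed 's/^/world-writable-setuid: /'
    # setgid directories: new entries inherit the directory's group
    find "$root" -type d -perm -2000 -print | sed 's/^/setgid-dir: /'
    # world-writable directories without the sticky bit: anyone can delete anyone's files
    find "$root" -type d -perm -002 ! -perm -1000 -print | sed 's/^/world-writable-no-sticky: /'
}

# Build a constructed sample tree so the audit can be exercised offline.
# Prints the root it created; the caller removes it.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir "$root/shared" "$root/dropbox" "$root/build"
    chmod 1777 "$root/shared"     # like /tmp: world-writable but sticky, not flagged
    chmod 777  "$root/dropbox"    # world-writable without sticky bit, flagged
    chmod 2775 "$root/build"      # setgid directory, reported for review
    : > "$root/helper";        chmod 4755 "$root/helper"          # setuid executable
    : > "$root/writable_suid"; chmod 4777 "$root/writable_suid"   # setuid and world-writable
    : > "$root/notes";         chmod 644  "$root/notes"           # ordinary file, must not appear
    printf '%s\n' "$root"
}

sample=$(make_sample_tree)
audit_tree "$sample"
rm -rf "$sample"
```

The setgid-dir lines are not findings by themselves (shared project directories rely on that bit), but they are worth a look because any file dropped there takes the directory's group; the world-writable-setuid lines, on the other hand, are the case the warning above describes and should never appear on a production host.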