Explaining Linux File Permissions

Here, file permissions are core to the security model in Linux systems. They determine the accessibility of files and directories on a system (who can access them and how ). This blog provides an overview of Linux file permissions, how they work, and how to change them.

How To View File Permissions in Linux?

The ls command along with its – l (for long listing) option will show you metadata about your Linux files, including the permissions set on the file.

 $ ls -l

 drwxr-xr-x. 4 root root    68 Jun 13 20:25 tuned

 -rw-r–r–. 1 root root  4017 Feb 24, 2022, vimrc

Here are the components of the Vimrc listing:

  • File type:  – (no special type of file)  
  • Permission settings:  rw-r–r–
  • Extended attributes:  dot (.)
  • User owner: root
  • Group owner: root

The tuned listing is for a d, or directory-type file. There are other file types as well, but these two are the most common

Reading file permissions 

This section is about the permission settings on a file. The permissions from the vimrc listing are:

rw-r–r–

This string is actually an expression of three different sets of permissions:

rw- ,  r– , r – –  

  • The first set of permissions:  the owner of the file. 
  • The second set of permissions: the user group that owns the file.
  • The third set of permissions: referred to as “others.” 
  • All Linux files belong to an owner and a group.

Permissions are different for different types of people, accordingly they can interact with a file. Each user gets an expression that includes the three basic types of permissions (read, write, and execute).

 For example, if  the owner of the file is given the following permissions:

rw- 

In the example above, 

  • Read (r) permission and Write (w) permission has been granted on the file. 
  • The execute permission (x) is not granted, which is why there’s a sign in the expression (disabled permission).

Using Octal Values To Specify Permissions

 In numeric mode,  file permissions are represented in numbers. A three-digit value represents specific file permissions (for example, 744.) These are called octal values. The first digit is for owner permissions, the second digit is for group permissions, and the third is for other users. Each permission has a numeric value assigned to it:

  • r (read): 4
  • w (write): 2
  • x (execute): 1

For example, a file might have read, write, and execute permissions for its owner, and only read permission for all other users. That looks like this:

  • Owner: r-x = 4+0+1 = 5
  • Group: r– = 4+0+0 = 4
  • Others: r– = 4+0+0 = 4

The results produce the three-digit value 544.

Role of Linux file permissions (what do they do?)

  • Read (r)

Read permission is used to access the file’s contents. You can use commands like cat or less on the file to display the file contents. You could also use a text editor like Vi or view on the file to display the contents of the file. Read permission is required to make copies of a file, because you need to access the file’s contents to make a duplicate of it.

  • Write (w)

Write permission allows you to modify or change the contents of a file. Write permission also allows you to use the redirect or append operators in the shell (> or >>) to change the contents of a file. Without written permission, changes to the file’s contents are not permitted. Sometimes, pipe ( | ) and tee are also used as commands

  • Execute (x)

Execute permission allows you to execute the contents of a file. Typically, executables would be things like commands or compiled binary applications. However, execute permission also allows someone to run Bash shell scripts and a variety of interpreted languages.

The way to execute the contents of a file without execute permission would be invoking a Bash shell script, where you could use an interpreter that has execute permission to read a file with instructions for the interpreter to execute : 

$ bash script.sh

The executable being run is bash. The script.sh file is read by the Bash interpreter, and its commands are executed.

Modifying file permissions  

You can modify file and directory permissions with the chmod command, which stands for “change mode.” 

  •  To change file permissions in numeric mode, you enter chmod and the octal value you desire, such as 744, alongside the file name. 
  • To change file permissions in symbolic mode, you enter a user class and the permissions you want to grant them next to the file name. For example:

   $ chmod ug+rwx file1.txt

   $ chmod o+r file2.txt

This grants read, write, and execute for the user and group, and only read for others. In symbolic mode, chmod u represents permissions for the user owner, chmod g represents other users in the file’s group, chmod o represents other users not in the file’s group. For all users, use chmod a. Also, chown command and the chgrp command can be used to change the user owner and group ownership of a file respectively.

What are special file permissions?

Special file permissions are a set of permissions that allow a file to be executed with the privileges of the owner or group, regardless of the user who is running the file. There are three types of special file permissions:

  • Set user ID (SUID): When this bit is set, any user who runs the file will be granted the privileges of the file’s owner. This is often used for programs that need to have elevated privileges, such as password hashes or compilers.
  • Set group ID (SGID): When this bit is set, any user who runs the file will be granted the privileges of the file’s group. This is often used for programs that need to access shared resources, such as web servers or file-sharing programs.
  • Sticky bit: When this bit is set on a directory, only the owner of the file or the superuser can delete or rename files in the directory. This is often used for directories that contain temporary files, such as /tmp.

Special file permissions can be set using the chmod command. 

For example, to set the SUID bit on a file, you would use the following command:

chmod u+s filename

To set the SGID bit, you would use the following command:

chmod g+s filename

To set the sticky bit, you would use the following command:

chmod +t filename

How special permissions can be risky?

It is important to note that special file permissions can be a security risk. If a malicious user is able to gain access to a file with SUID or SGID permissions, they could potentially gain elevated privileges on the system. As such, it is important to only use special file permissions when absolutely necessary and to take steps to secure the files that have these permissions set.

Conclusion

In Linux, files and directories have permissions that control who can access them and what they can do with them. There are three types of permissions: read, write, and execute. The owner of the file or directory has the most permissions, followed by the group that owns the file or directory, and then everyone else. Permissions can be changed using the chmod command.


Posted

in

by

Recent Post

Click to Copy