Linux File Permissions

Linux file permissions are based upon three actions:

  • Read – read a file, on directories grants permission to read names of files in the directory (but not find any additional information size owner etc..)
  • Write – modify, delete rename a file, on directories it gives permission to modify entries inside the directory including create, delete and rename files
  • Execute – execute a file, on directories is grants permission to go into the directory and subdirectories it goes not grant read access to the directory

Linux also supports three additional permissions:

  • SUID – Set user ID – when a file with this bit is set and it is executable it will be executed with the effective permissions of the owner.
  • SGID – Set group ID – when a file with this bit is set and it is executable it will be executed with the effective permissions of the group, directories with the SGID new files and directories created under the original directory will inhert it’s group from the SGID group.
  • sticky –  when a file with this bit is set and it is executable it encourages the kernel to  retain the resulting process beyond termination, when set upon a directory it prevents users who are not the owner from renaming, deleting or moving files or subdirectories.

Each file can be owned by a single user, group and everyone else.     Other is everyone who is not the user or a member of the group.  All directories are really just files in linux.   Linux filenames can be up to 256 characters long.  Linux permissions are not inherited except SGID and SUID.  Since the 2.6 Kernel linux also support acl based file permissions giving you better control on your file system.  You can see the permission user and group on a file by performing a long listing of a file:

ls -al

drwxr-xr-x  3 root       root  4096 Nov 10 21:25 .
drwx—— 46 root       root  4096 Nov 10 21:12 ..
drwxr-xr-x  2 jgriffiths users 4096 Nov 10 21:25 cheese
-rw-r–r–  1 root       root     0 Nov 10 21:12 donkey.doc
-rw-r–r–  1 jgriffiths video    0 Nov 10 21:12 myfile.txt

This listing displays hidden files because we issued ls with the -a command line switch.   The sections are divided as follows:

Sample Field Description
drwxr_xr_x Permissions Permissions on the directory or file
2 Directories Amount of links (files and directories) inside the directory including itself
jgriffiths User Owner of this files username
users Group Group this file is owner by
4096 Size Size of file in k-bytes
Nov 10 21:25 Modification time Time of last change
cheese Name Name of directory or file

The permissions field is 11 characters broken down into four sections: type, owner permissions, group permissions and other permissions.

Characters #’s
Section Description
1 type This defines a directory vs a file or special type
2-4 owner permissions This defines users permissions
5-7 group permissions This defines group permissions
8-11 other permissions This defines world permissions

There can be the following types:

Type Description
d Directory
l Symbolic link
s Socket
p Named pipe
Normal file
c Character device or special file
b Block device or special file

Each of the user, group and other permissions files contain either a r,w,x or an -.  They are always displayed in the order of rwx.

Type Description
Not set not allowed to take action
r Read permission
w Write permission
x Execute permission

For example the following listing:

drwxr-xr-x  2 root       root  4096 Nov 10 21:25 cheese

Is a directory (d) with owner (root) read (r), write (w), execute (x), group (root) read (r), no-write (-), execute (x), other, read (r), no-write (-),  and execute (x).

Additional Permissions

The additional permissions show up by replacing the execute bit with a character:

Permission Class Non-Executable Executable
setuid User S s
setgid Group S s
Sticky bit Others T t

Changing Permissions

In Linux you use the chmod command to change permissions of a file or directory.  chmod can be used with an octal set of permissions or individually using characters to represent user (u), group (g), other (o), and an add (+), subtract (-).  I will cover Octal permissions using numbers to represent combination permissions.  When using octal permissions you seperate out permission in the following order user:group:other.  Each permission type adds an amount to zero:

  • Read – Adds 4 to the total
  • Write – Adds 2 to the total
  • Execute – Adds 1 to the total

So permission 744 would be User: read,write, execute; Group read; Other read.  The command to set a file to 744 would be:

chmod 744 filename

Changing Additional Permissions

Additional permissions take the first bit a hidden bit of the permissions:

  • The setuid bit adds 4 to the total.
  • The setgid bit adds 2 to the total.
  • The sticky bit adds 1 to the total.

If I wanted to set the permissions to 744 with the sticky bit set I would run this command:

chmod 1744 filename

Default Permissions – Umask

The umask defines the default permissions assigned to any file created by a user or system.   You can assign your umask at any time by executing:

umask permissions

The permissions on umasks can be tricky.  You need to take the permissions of 777 and subtract the umask.  For example a user has the umask of 022 when he / she creates a file the default permissions are: 644.

Finding Files with Special Permissions

Since special permissions break the authentication method for Linux they can be very dangerous.  There are some simple ways to locate suid and sgid files.

Find all SetGID files on your system:

find / -xdev -type f -perm +g=s -print’

Find all SetUID files on your system:

find / -xdev -type f -perm +u=s -print

Find all world writable files on a system:

find / -xdev -perm +o=w ! \( -type d -perm +o=t \) ! -type l -printtype f -perm +u=s -print

ACL File Permissions on 2.6 Kernel

The 2.6 Linux kernel added ACL’s to file permissions (access control lists)  it allows you to have unlimited number of users with individual permissions on a file.  It also adds a level of complexity to your file system.  Before you can work with ACL’s you need to enable them on a mount point basis.  Enabling ACL’s requires adding the option acl to the /etc/fstab and remounting the mount point.  For example take a look at this root partition:

/dev/hda5            /                    ext3       acl,user_xattr        1 1

This shows acl’s enabled and ready to work.  ACL can only be used on the following file systems: ext2/3, XFS, JFS and ReiserFS.  The primary method for manipulating acl’s is using the getfacl and setfacl commands. getfact allows you to display acl lists on a file or directory.  setfacl allows you to set the current acl on a file or directory.  In order to explain acl’s lets assume that I have a unix system with four users jack,jill,bob and myself (jgriffiths).   I want to create a file called test.txt and give jack and jill read and write permission to this file while bob can only read the file.  I created the file and started with the following permissions:

ls -al test.txt
-rw——- 1 jgriffiths users 0 2007-11-16 23:37 test.txt

The permissions are clearly set to allow jgriffiths as the only person who can manipulate this file in anyway.  setfacl allows you to set permissions for more than one user at a time.  To create my acl permissions I would use the following command:

setfacl -m u:bob:r–,u:jack,jill:rw- tester.txt

I can use the getfacl to view the current effective permissions on the file:

getfacl test.txt
# file: test.txt
# owner: jgriffiths
# group: users
user:jill:rw-
user:jack:rwx

user:bob:r–
group::—
mask::r-x
other::—

So jack and jill can read and write while bob can only read.  Everyone else but jgriffiths cannot do anything with this file.  You will also notice an entry called mask.  The mask sets the effective permissions for all acl groups and users.  This allows you to limit acl’s control maxium on a file or directory.  Assume my mask looks like this in the above entry:  mask::r–  then no one would be able to do more than read this file unless they are the owner.  You can set the mask using:

setfacl -m mask::rw- tester.txt

Viewing the rights of our file now produces an effective rights listing:

getfacl tester.txt
# file: tester.txt
# owner: jgriffiths
# group: users
user::rw-
user:jack:rw-                 #effective:r–
user:bob:r–
group::—
mask::r–
other::—

If we perform an ls -al on the file it produces the following confusing results:

-rw-rw—-+ 1 jgriffiths users 0 2007-11-17 00:01 test.txt

As you can see it seems the users group has read and write access to test.txt when in reality they do not.  Also linux has added a + to the permission list to help us know there is a acl on this file.

ACL’s can be added based upon Linux groups using the same setfacl command:

setfacl -m g:groupname:rw-,g:groupname_two:r test.txt

Removing acl based permission can be done using the -x command line parameter:

setfacl -x u:bob,u:jack tester.txt

Now only Jill can access the tester.txt file.  Or we can removal all acl’s on a file with the –remove-all:

setfacl –remove-all tester.txt

If you would like to recursively assign an acl to a directory and all files add an -R to the command use the following command:

setfacl -R -m g:users:r-x /data/webroot

ACL’s viewed by the getfacl command can be piped into a file and used to generate the same acl on any other file using the setfacl command:

# getfacl -omit tester.txt
# setfacl -M myacl test*
# getfacl -omit test.txt
user:jill:rw-
user:jack:r-x
user:bob:r–
group::—
mask::r-x
other::—

You can also use gid’s and uid’s instead of names as long as you provide the -numeric switch to setfacl.

ACL’s and Directories the Default ACL

ACL’s created inherited permissions that allow subdirectories and file to get the permissions of their parent.  This type of inheritance is easy to manage but can be a security concern make sure to consider carefully how you set acl’s on directories because those same permissions will exist on the lower levels.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.