Last modified: June 11, 2024

This article is written in: 🇺🇸

Understanding File Permissions

File permissions are crucial in any Unix-like operating systems, including Linux, which employ several mechanisms for controlling access to files and directories. These mechanisms include standard permissions, special permissions, and access control lists (ACLs).

Standard Permissions

The primary set of file permissions, commonly known as standard permissions, governs the fundamental access levels for files and directories. These permissions fall into three categories:

Each permission category confers specific capabilities for users, as detailed in the following table:

Permission Effect on Files Effect on Directories
Read (r) Allows viewing and reading the contents of files. Enables the listing of directory contents.
Write (w) Permits modification or deletion of file contents. Allows adding, deleting, or renaming files in the directory.
Execute (x) Enables running the file as a program or script. Grants the ability to enter the directory and execute commands within it, or access files therein.

These permissions can be set for different classes of users, each with varying levels of access:

The arrangement of these permissions is typically presented as follows:

Owner     Group      Others
  r w x     r w x      r w x
  | | |     | | |      | | |
  | | |     | | +--- Execute
  | | |     | +----- Write
  | | |     +------- Read
  | | |
  | | +--------- Execute
  | +----------- Write
  +------------- Read

Symbolic File Permissions

Symbolic permissions use a set of specific symbols to represent different types of permissions, and who they apply to. The symbols used include:

Symbol Meaning
u user (file's owner)
g group (members of the file's owning group)
o others (users not in the file's owning group)
a all (equivalent to ugo)
r read
w write
x execute
+ add the specified permission
- remove the specified permission
= assign the specified permission exactly

For instance, the command chmod u+x file adds execute (+x) permissions to the user (u) who owns the file named file.

Numeric File Permissions

Numeric or octal permissions, on the other hand, use a three-digit numeric representation for each permission type. Each digit (ranging from 0 to 7) corresponds to a unique combination of read (r), write (w), and execute (x) permissions, as outlined in the table below:

Permission Combination Numeric Representation
--- 0
--x 1
-w- 2
-wx 3
r-- 4
r-x 5
rw- 6
rwx 7

The first digit represents permissions for the file's owner (user), the second digit represents permissions for the owning group, and the third digit represents permissions for others.

Here's how it works:

  1. For the user, group, and others, calculate the numeric value of the permissions you want to assign. For example, read, write, and execute permissions correspond to 7 (rwx = 4+2+1 = 7).
  2. Write these values in the order: user, group, others.

For example, the octal permission mode 771 means:

You can assign these permissions using the chmod command as follows:

chmod 771 path/to/file.txt

This command sets the permissions of the file path/to/file.txt to 771, as explained above.

Understanding Default Permissions

In Linux, when you create a new file or directory, it is assigned a set of default permissions. These permissions define what types of access are allowed for the owner of the file, members of the group that owns the file, and all other users.

Default File and Directory Permissions

By default, new files are created with the permissions rw-rw-rw-, equivalent to the numeric value 666. This allows any user to read and write to the file, but not execute it.

New directories, on the other hand, are created with the permissions rwxrwxrwx or 777. This allows any user to read, write, and execute within the directory.

Using Umask to Change Default Permissions

The umask command is used to determine the default permissions for newly created files and directories. It's a three-digit number that specifies which permissions should be removed or "masked" when new files and directories are created.

For example, a umask value of 0022 subtracts write permissions for group and others from the default permissions, resulting in default permissions of rw-r--r-- (644) for new files and rwxr-xr-x (755) for new directories.

To view the current umask value, simply use the umask command:

CODE_BLOCK_PLACEHOLDER To change the umask value, use the umask command followed by the desired octal value:

umask

This will set the umask value to 0022, and new files and directories will be created with the corresponding default permissions. It's important to note that the umask value only affects new files and directories, not existing ones.

Examples of Umask Values and Their Effects

Here are some common umask values and the resulting default permissions for files and directories:

Umask Value Default File Permissions Default Directory Permissions
022 rw-r--r-- rwxr-xr-x
027 rw-r----- rwxr-x---
077 rw------- rwx------

You can also set the umask value symbolically. For instance, if we want to:

The umask command would look like this:

umask 0022

This command configures the umask such that new files and directories will have the permissions specified.

Understanding Special Permissions: setuid, setgid, and the Sticky Bit

In addition to standard permissions, Linux offers special permissions known as setuid, setgid, and the sticky bit. These permissions provide additional control over access to files and directories and can be used to enhance both functionality and security.

umask u-x,g=r,o+w

Setuid

The setuid or 'Set User ID' permission allows a user to execute an executable file with the permissions of the file's owner. This is especially useful for allowing users to run specific programs with elevated privileges, even if they don't have direct access permissions to the file.

To set the setuid bit on a file, use the chmod command with the u+s flag:

Owner   Group   Others
  rws    rws     rwt
  |||    |||     |||
  |||    |||     ||+---- Sticky Bit
  |||    |||     |+----- Execute
  |||    |||     +------ Write
  |||    |||
  |||    ||+------ Set Group ID (setgid)
  |||    |+------- Execute
  |||    +-------- Write
  |||
  ||+-------- Set User ID (setuid)
  |+--------- Execute
  +---------- Read

To remove the setuid bit from a file, use the chmod command with the u-s flag:

chmod u+s /path/to/file

Setgid

The setgid or 'Set Group ID' permission enables an executable file to be run with the permissions of the file's group. This can be useful when you want to share access to a program or a set of files with a group of users without granting them individual access permissions to those files.

To set the setgid bit on a file or directory, use the chmod command with the g+s flag:

chmod u-s /path/to/file

To remove the setgid bit from a file or directory, use the chmod command with the g-s flag:

chmod g+s /path/to/file_or_directory

Sticky Bit

The sticky bit is a permission that can be set on directories. When the sticky bit is set on a directory, only the owner of a file within that directory (or the root user) can delete or rename the file. This is particularly useful for shared directories where you want to prevent users from deleting or altering files they do not own.

To set the sticky bit on a directory, use the chmod command with the +t flag:

chmod g-s /path/to/file_or_directory

To remove the sticky bit from a directory, use the chmod command with the -t flag:

chmod +t /path/to/dir

It's important to handle these special permissions with care. When misused, they can potentially create security risks. For instance, a program with the setuid bit set, if it has a vulnerability, might be exploited to gain unauthorized privileges on the system.

Understanding Access Control Lists (ACLs)

Access Control Lists (ACLs) are an additional layer of discretionary access control provided by many Linux systems. They allow for more fine-grained control over file and directory access, extending beyond the standard user, group, and other permissions.

ACLs are not supported by all tools, but modern 'mke2fs' typically enables ACLs in the default mount options during filesystem creation in enterprise Linux distributions. To utilize ACLs, the filesystem must be mounted with the 'acl' option.

chmod -t /path/to/dir

Setting ACLs with setfacl

The setfacl command is used to manage ACLs on a file or directory. It can set, modify, or remove ACL entries. If no path is provided, it takes file and directory names from the standard input (stdin). Each line of input should contain one path name.

To modify ACLs, use the -m flag followed by the ACL specification. For example, the following command grants read and write permissions to a specific group on a directory:

Type : Entity : Permissions
    |      |         |
    |      |         +---- Read (r), Write (w), Execute (x)
    |      |
    |      +-------------- User name or Group name
    |
    +--------------------- User (u), Group (g), Others (o), Mask (m)

To remove an ACL, use the -x flag followed by the ACL specification to be removed. For example:

setfacl -m g:group_name:rw /opt/test

Viewing ACLs with getfacl

The getfacl command is used to display the ACLs of a file or directory. Use the -l flag to list the ACLs:

setfacl -x g:group_name /opt/test

ACL Specifications

ACL specifications define who has what kind of access to a file or directory. Here are some common examples:

ACLs are applied in conjunction with standard Linux permissions, and they can either override or supplement them. For example, a file with standard permissions of rw-rw-r-- and an ACL entry of g:r-x would grant read and execute permissions to the group, even though the standard permissions do not grant execute permission. Thus, with the proper use of ACLs, you can achieve a higher level of security and flexibility in managing file and directory access.

Challenges

  1. Create a temporary text file named temp.txt in your home directory. Use ls -l to display its permissions, which might look like this:

CODE_BLOCK_PLACEHOLDER The file is owned by "user_name" and belongs to the group "user_group". Both the owner and the group have write permissions, while others can only read the file. Remove write permissions for "user_group" and read permissions for others using chmod.

  1. Copy a file owned by root (e.g., /etc/hosts) to your home directory. Check its permissions with ls -l. Who owns the file now, and what are the implications?
  2. Pick any file and display its umask value. Use the umask command to view the umask in octal form. Can you convert it to symbolic form?
  3. Consider a file owned by a user who does not have read or write permissions on it. Can the user still remove the file? Justify your answer with appropriate commands and explain the results.
  4. Describe the process and impact of removing a group's write permissions and others' read permissions from a file using chmod. How does this change the file's accessibility?
  5. Explain the difference between standard file permissions and ACLs in Linux. What additional capabilities do ACLs provide?
  6. Can a user who is not the owner of a file or directory change its permissions? What about if the user is part of the file or directory's group? Justify your answers with appropriate commands and their outputs.
  7. Discuss when you would use standard permissions versus ACLs to control access to files and directories. Consider various scenarios such as multi-user systems, shared directories, and files with sensitive information.

Table of Contents

  1. Understanding File Permissions
    1. Standard Permissions
    2. Symbolic File Permissions
    3. Numeric File Permissions
  2. Understanding Default Permissions
    1. Default File and Directory Permissions
    2. Using Umask to Change Default Permissions
    3. Examples of Umask Values and Their Effects
  3. Understanding Special Permissions: setuid, setgid, and the Sticky Bit
    1. Setuid
    2. Setgid
    3. Sticky Bit
  4. Understanding Access Control Lists (ACLs)
    1. Setting ACLs with setfacl
    2. Viewing ACLs with getfacl
    3. ACL Specifications
  5. Challenges