File (and directory) permissions in Linux and Unix-based systems define what the owner, the group and everyone else can or cannot do with the file.
Execute the following command in any directory that contains files and/or directories (the command stat can give even more information):
ls -l
It might print an output that resembles the following:
-rw-r--r-- 1 owner owner  310 Oct 31 16:32 fileName
drwxr-xr-x 2 owner group 4096 Apr 26  2021 directoryName
Each line starts with a series of 10 consecutive characters. Except for the first character, each of the others can be:
- r: Read access
- w: Write access
- x: Execute access
- -: No access
They are grouped as:
- -uuu------: Privileges of the user that owns the file
- ----ggg---: Privileges of the group that owns the file
- -------ooo: Privileges of any other user
Example: -rwx--xr--
- The owner can Read, Write and Execute
- The group can only Execute
- The others can only Read
The first character, and only the first, can be:
- -: Regular file
- b: Block special file
- c: Character special file
- d: Directory
- l: Symbolic link
- p: FIFO (named pipe)
- s: Socket
- w: Whiteout
The type of a file cannot be changed with chmod, but it is important to be able to recognise when an entry is a directory or a symbolic link. All the other types are special uses.
Another notation for representing file privileges uses 3-digit (octal) numbers, one digit each for the user, the group and the others, where:
- 4 = Read
- 2 = Write
- 1 = Execute
The values are added together to combine privileges in one digit:
- 0 = No access
- 3 = Write + Execute
- 5 = Read + Execute
- 6 = Read + Write
- 7 = Read + Write + Execute
Example: 750
- The owner can Read, Write, and Execute.
- The group can Read and Execute.
- Others have no access at all.
System administrators use the command chmod to change the permissions of files:
- chmod +x fileName: Give owner, group, and others execute access (with no who letter in front of the operator, chmod leaves alone any bits that are set in the umask).
- chmod -w fileName: Remove write access from owner, group, and others.
- chmod g=r fileName: Give the group read access only, removing any other access it already had.
- chmod -R o+x fileName: Give others execute access, preserving any other access they already have, recursively.
Hint: use -v for more verbose output.
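To see what each of the chmod forms above actually does, here is an added example (not code from the original text) that applies them to a throw-away file and reads the resulting ls -l permission string back. It assumes a POSIX sh with ls, chmod, cut and mktemp, and fixes umask to 022 because a who-less mode such as +x skips bits that are set in the umask; the function names perm_string, mode_after and demo are my own.

```shell
#!/bin/sh
# Added example, not code from the original text: exercises each chmod form
# discussed above on a throw-away file and reads the resulting ls -l permission
# string back, so the effect of every form can be seen (and checked) directly.
# Assumes a POSIX sh with ls, chmod, cut and mktemp. umask is fixed because a
# who-less mode such as +x leaves alone any bits that are set in the umask.
umask 022

perm_string() {
    # Print the 10-character type+permission field that ls -l shows for "$1".
    ls -ld "$1" | cut -c1-10
}

mode_after() {
    # Usage: mode_after INITIAL_OCTAL [CHMOD_MODE ...]
    # Create a scratch file, set INITIAL_OCTAL on it, apply each CHMOD_MODE in
    # turn, print the resulting permission string and delete the file again.
    initial=$1
    shift
    scratch=$(mktemp) || return 1
    chmod "$initial" "$scratch" || { rm -f "$scratch"; return 1; }
    for mode in "$@"; do
        chmod "$mode" "$scratch" || { rm -f "$scratch"; return 1; }
    done
    perm_string "$scratch"
    rm -f "$scratch"
}

demo() {
    # Print the arguments and the permission string they produce.
    printf '%-14s -> %s\n' "$*" "$(mode_after "$@")"
}

demo 644 +x    # -rwxr-xr-x  everyone gains execute
demo 644 -w    # -r--r--r--  write removed for everyone
demo 664 g=r   # -rw-r--r--  group gets read and nothing else
demo 640 o+x   # -rw-r----x  others gain execute; other bits untouched
demo 750       # -rwxr-x---  the octal example from the text
demo 755 u+s   # -rwsr-xr-x  SUID shows as s in the owner's x slot
demo 644 u+s   # -rwSr--r--  capital S: SUID set but owner has no execute
demo 755 g+s   # -rwxr-sr-x  SGID shows as s in the group's x slot
demo 755 +t    # -rwxr-xr-t  sticky bit shows as t in the others' x slot
```

The last four lines preview the special bits covered further down: a lowercase s or t means the special bit and the execute bit are both set, an uppercase S or T means the special bit is set but execute is not.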
Attributes define what can be done with the file, not by whom.
List the attributes of a file or directory:
lsattr
A series of 22 characters (----------------------) shows all the attributes of each object in the current directory.
The seven most important attributes are:
- A: Do not update the access timestamp (atime).
- S: Changes are written synchronously to the disk.
- a: The file's content can only be appended, not modified.
- i: The file becomes immutable: it cannot be modified (nor deleted or renamed) while the attribute is set.
- j: The changes are written to the ext3 journal before the file itself is changed.
- t: Do not allow tail-merging.
- u: When the file is deleted its data is saved, allowing undeletion.
Use the chattr command to change the attributes:
- sudo chattr +a fileName: Activate the attribute that only allows appending content.
- sudo chattr -R -i fileName: Deactivate the immutable attribute, recursively, wherever it is set.
- sudo chattr =ua fileName: Activate only the listed attributes; all the others will be deactivated.
SUID (Set-user Identification) & SGID (Set-group identification)
Whenever either of these permission flags is set on an executable file, the program runs with the privileges of the file's owner (SUID) or of the file's group (SGID) instead of those of the user who started it. In other words, if a regular user is allowed to execute a program that is owned by root, for example, it will be executed with root privileges. (Note that the Linux kernel ignores SUID and SGID on interpreted scripts; the bits only take effect on binary executables.)
- 2000: SGID is set.
- 4000: SUID is set.
- 6000: SGID + SUID are set.
In the ls -l listing the same information appears as an s replacing the x of the user or group triplet:
- ---s------: SUID is set.
- ------s---: SGID is set.
A capital S is shown instead when the bit is set but the corresponding execute bit is not.
Command to set SUID:
chmod u+s fileName
Command to unset SGID:
chmod g-s fileName
STICKY BIT
It is primarily used on shared directories (such as /tmp), where users can create new files and read and execute files owned by other users, but are not allowed to remove or rename files owned by other users.
- 1000: Sticky bit set.
- ---------t: The x of others is replaced by a t when the bit is set (a capital T if others have no execute bit).
Command to set the sticky bit on a directory (or file):
chmod +t fileName
BONUS
For security reasons it is highly recommended to identify the files that have SUID and SGID set and to unset the bits wherever they are not needed; they can easily be abused. Review the list before removing anything, since some system binaries (passwd, sudo, su) only work because they are SUID root.
Searching:
find / -perm /2000
find / -perm /4000
find / -user root -perm /6000
OR
find / -perm /g+s
find / -perm /u+s
find / -user root -perm /u+s,g+s
To search and unset on the fly (the old -perm +2000 form is no longer accepted by GNU find; use /2000, and quote the path so names with spaces survive):
find / -perm /2000 | while IFS= read -r i; do chmod g-s "$i"; done
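As an added example (not code from the original text), the following audit helper shows the find-based search above in a form that can be run and checked offline: it builds a constructed scratch tree containing one SUID file, one SGID file, an ordinary file and a sticky directory, then lists only the regular files that carry SUID or SGID together with their permission string. It assumes a POSIX sh plus a find that understands -perm /mode (GNU, BSD and busybox do); the function names list_special_bits, count_special_bits and make_sample_tree are my own.

```shell
#!/bin/sh
# Added example, not code from the original text: a small SUID/SGID audit helper.
# It builds a constructed scratch tree and then reports which regular files in it
# carry SUID or SGID, printing the ls -l permission string next to each path.
# Assumes a POSIX sh plus find with -perm /mode (GNU, BSD and busybox have it).

list_special_bits() {
    # Print "PERMSTRING PATH" for each regular file under "$1" with SUID or SGID set.
    # -perm /6000 matches files with ANY of the two bits; -perm -6000 would require
    # BOTH. Handing the paths to a child sh via -exec ... {} + keeps names that
    # contain spaces intact, which iterating over a backtick-captured find output
    # does not.
    find "$1" -type f -perm /6000 -exec sh -c '
        for path do
            printf "%s %s\n" "$(ls -ld "$path" | cut -c1-10)" "$path"
        done' sh {} + | sort -k2
}

count_special_bits() {
    # Number of SUID/SGID regular files under "$1".
    list_special_bits "$1" | wc -l | tr -d ' '
}

make_sample_tree() {
    # Constructed sample data: create a scratch tree and print its root path.
    root=$(mktemp -d) || return 1
    : > "$root/suid_tool";  chmod 4755 "$root/suid_tool"   # SUID, must be reported
    : > "$root/sgid tool";  chmod 2755 "$root/sgid tool"   # SGID, name with a space
    : > "$root/plain";      chmod 755  "$root/plain"       # no special bits
    mkdir "$root/shared";   chmod 1777 "$root/shared"      # sticky dir, not a file
    printf '%s\n' "$root"
}

# Stand-alone run: build the tree, audit it, clean up.
sample=$(make_sample_tree) || exit 1
list_special_bits "$sample"                                        # the two s-bit files
printf 'special-bit files: %s\n' "$(count_special_bits "$sample")" # 2
rm -rf "$sample"
```

Pointing list_special_bits at / gives the inventory the text asks for; keeping a copy of that output and diffing it after updates is the usual way to spot a newly appeared SUID or SGID file without clearing bits that legitimate system binaries depend on.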