File (and directory) permissions in Linux and Unix-based systems define what the owner, the group and all other users can or cannot do with a file.

Execute the following command in any directory that contains files and/or directories (the command stat can give even more information):

ls -l

It might print an output that resembles the following:

-rw-r--r-- 1 owner owner  310  Oct 31 16:32 fileName
drwxr-xr-x 2 owner group 4096  Apr 26 2021  directoryName

Each line starts with a series of 10 consecutive characters.

Except for the first character, each of the other nine can be:

  • r
    • Reading access
  • w
    • Writing access
  • x
    • Executing access
  • -
    • No access

They are grouped in three triplets (the first character is the file type):

  • -uuu------
    • Privileges of the user that owns the file
  • ----ggg---
    • Privileges of the group that owns the file
  • -------ooo
    • Privileges of any other user

Example:

  • -rwx--xr--
    • The owner can Read Write and Execute
    • The group can only Execute
    • The others can only Read

The first character (and only that one) describes the file type and can be:

  • -
    • Regular file.
  • b
    • Block special file.
  • c
    • Character special file.
  • d
    • Directory
  • l
    • Symbolic link.
  • p
    • FIFO
  • s
    • Socket
  • w
    • Whiteout

The file type cannot be changed, but it is important to know how to identify a directory and a symbolic link. All the other types are special cases.

NUMERIC NOTATION

Another notation for representing file privileges uses a 3-digit number, one digit for the owner, one for the group and one for the others, where:

  • 4 = Read
  • 2 = Write
  • 1 = Execute

And they can be combined to provide multiple privileges:

  • 0 = No access
  • 3 = Write + Execute
  • 5 = Read + Execute
  • 6 = Read + Write
  • 7 = Read + Write + Execute

Example:

  • 750
    • The owner can Read, Write, and Execute.
    • The group can Read and Execute.
    • Others have no access at all.

System administrators use the command chmod to change the permissions of files:

  • chmod +x fileName
    • Grant execute access to the owner, the group and the others.
  • chmod -w fileName
    • Remove write access from the owner, the group and the others.
  • chmod g=r fileName
    • Allow the group to only read, removing any other access it already has.
  • chmod o+x -R fileName
    • Grant others execute access recursively, preserving any other access they already have.

Hint: use -v for more verbose output.

FILE ATTRIBUTES

Attributes define what can be done with a file, regardless of who is doing it.

List the attributes of a file or directory:

lsattr

A series of 22 characters (----------------------) shows all the attributes of each object in the current directory; a letter in place of a dash means that attribute is set.

The seven most important attributes are:

  • A
    • Do not update the access timestamp (atime).
  • S
    • Changes are written synchronously to the disk.
  • a
    • The file's content can only be appended, not modified.
  • i
    • The file becomes immutable and cannot be modified.
  • j
    • The changes are written to the ext3 journal before the file itself is changed.
  • t
    • Do not allow tail-merging.
  • u
    • When the file is deleted, its data is kept, allowing undeletion.

Use the chattr command to change the attributes of a file:

  • sudo chattr +a fileName
    • Activates the attribute that only allows appending content.
  • sudo chattr -i -R fileName
    • Deactivates the immutable attribute recursively, wherever it is set.
  • sudo chattr =ua fileName
    • Activates only the listed attributes. All the others are deactivated.

SUID (Set-user Identification) & SGID (Set-group identification)

Whenever either of these permission flags is set on an executable file, the program runs with the privileges of the file owner (SUID) or of the owning group (SGID) instead of those of the user who started it. In other words, if a regular user is allowed to execute a file that is owned by root and has SUID set, it will be executed with root privileges.

  • 2000
    • SGID is set.
  • 4000
    • SUID is set.
  • 6000
    • SGID + SUID are set.

In the output of ls -l the same information is shown by an s replacing the x of the owner or group triplet, as follows:

  • ---s------
    • SUID is set.
  • ------s---
    • SGID is set.

Command to set SUID:

chmod u+s fileName

Command to unset SGID:

chmod g-s fileName

STICKY BIT

It is primarily used on shared directories, where users can create new files, read and execute files owned by other users, but are not allowed to remove files owned by other users.

  • 1000
    • Sticky bit set.
  • ---------t
    • The x of the others triplet is replaced by a t when the bit is set.

Command to set the sticky bit on a directory (or file):

chmod +t fileName
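As an added example (not part of the original tutorial), the following POSIX sh function converts the 10-character mode string printed by ls -l into the 4-digit octal form accepted by chmod. It covers the three rwx triplets, the s/S and t/T substitutions for SUID, SGID and the sticky bit, and rejects strings that are malformed or place a special bit in the wrong triplet.

```shell
#!/bin/sh
# Added example: translate an `ls -l` mode string (e.g. -rwsr-xr-x) into
# chmod's octal notation (e.g. 4755). Lower-case s/t means the special bit
# and the execute bit are both set; upper-case S/T means only the special bit.

mode_to_octal() {
    mode=$1
    [ "${#mode}" -eq 10 ] || { echo "expected 10 characters, got '$mode'" >&2; return 1; }
    rest=${mode#?}      # drop the file-type character (-, d, l, ...)
    special=0           # accumulates 4 (SUID), 2 (SGID) and 1 (sticky)
    perms=""            # accumulates the three rwx digits
    who=4               # special-bit value of the current triplet: 4, 2, then 1
    while [ -n "$rest" ]; do
        r=${rest%"${rest#?}"}; rest=${rest#?}   # peel off one character at a time
        w=${rest%"${rest#?}"}; rest=${rest#?}
        x=${rest%"${rest#?}"}; rest=${rest#?}
        digit=0
        case $r in r) digit=$((digit + 4)) ;; -) ;; *) echo "bad char '$r' in $mode" >&2; return 1 ;; esac
        case $w in w) digit=$((digit + 2)) ;; -) ;; *) echo "bad char '$w' in $mode" >&2; return 1 ;; esac
        case $x in
            -) ;;
            x) digit=$((digit + 1)) ;;
            s|S) # SUID (owner triplet) or SGID (group triplet)
                 [ "$who" -ge 2 ] || { echo "'$x' only valid for owner/group: $mode" >&2; return 1; }
                 special=$((special + who))
                 [ "$x" = S ] || digit=$((digit + 1)) ;;
            t|T) # sticky bit, only meaningful in the others triplet
                 [ "$who" -eq 1 ] || { echo "'$x' only valid for others: $mode" >&2; return 1; }
                 special=$((special + who))
                 [ "$x" = T ] || digit=$((digit + 1)) ;;
            *)   echo "bad char '$x' in $mode" >&2; return 1 ;;
        esac
        perms="$perms$digit"
        who=$((who / 2))
    done
    printf '%d%s\n' "$special" "$perms"
}

# Stand-alone demo on constructed mode strings.
for m in -rwsr-xr-x -rwxr-sr-x drwxrwxrwt -rw-r--r--; do
    printf '%s -> %s\n' "$m" "$(mode_to_octal "$m")"
done
```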

BONUS

For security reasons it is highly recommended to identify the files that have SUID or SGID set and unset the bits where they are not required, since they can easily be abused.

Searching:

find / -perm /2000
find / -perm /4000
find / -user root -perm /6000

OR

find / -perm /g+s
find / -perm /u+s
find / -user root -perm /u+s,g+s

To search and unset on the fly:

for i in $(find / -perm /2000); do chmod g-s "$i"; done