Linux file permission
Traditional file permission
ls command witl -al option to view the permissions (or file mode) set for the contents of a directory
$ ls -al /
total 2098648
drwxr-xr-x 20 root root 4096 May 25 08:40 .
drwxr-xr-x 20 root root 4096 May 25 08:40 ..
lrwxrwxrwx 1 root root 7 Aug 31 2022 bin -> usr/bin
drwxr-xr-x 4 root root 4096 May 25 09:40 boot
drwxr-xr-x 20 root root 4820 May 25 08:37 dev
drwxr-xr-x 130 root root 12288 May 25 09:42 etc
drwxr-xr-x 6 root root 4096 May 15 10:36 home
lrwxrwxrwx 1 root root 7 Aug 31 2022 lib -> usr/lib
lrwxrwxrwx 1 root root 9 Aug 31 2022 lib32 -> usr/lib32
lrwxrwxrwx 1 root root 9 Aug 31 2022 lib64 -> usr/lib64
lrwxrwxrwx 1 root root 10 Aug 31 2022 libx32 -> usr/libx32
drwx------ 2 root root 16384 Aug 31 2022 lost+found
drwxr-xr-x 3 root root 4096 Aug 31 2022 media
drwxr-xr-x 5 root root 4096 Dec 13 10:03 mnt
drwxr-xr-x 10 root root 4096 Apr 9 12:37 opt
dr-xr-xr-x 1264 root root 0 May 25 08:36 proc
drwxr-xr-x 35 root root 1160 May 25 09:26 run
lrwxrwxrwx 1 root root 8 Aug 31 2022 sbin -> usr/sbin
drwxr-xr-x 2 root root 0 May 25 08:37 server
drwxr-xr-x 2 root root 4096 May 18 16:03 srv
-rw------- 1 root root 2147483648 Aug 31 2022 swapfile
dr-xr-xr-x 13 root root 0 May 25 08:36 sys
drwxrwxrwt 10 root root 1441792 May 25 09:40 tmp
drwxr-xr-x 15 root root 4096 May 18 15:36 usr
drwxr-xr-x 13 root root 4096 Dec 5 17:31 var
Following table explains what is the meaning of character you should focus
| d | rwx | rwx | rwx | + |
| The file type, technically not part of its permissions | The permissions that the owner has over the file, explained below. | The permissions that the group has over the file, explained below. | The permissions that all the other users have over the file, explained below. | A single character that specifies whether an alternate access method applies to the file. When this character is a space, there is no alternate access method. A . character indicates a file with a security context, but no other alternate access method. A file with any other combination of alternate access methods is marked with a + character, for example in the case of Access Control Lists.
|
Each of rwx(s) permission meaning are
| rwx(s/S) | Owner ship | Character | Effect on files | Effect on directories | |
|---|---|---|---|---|---|
| Read permission (first character) | owner | -
|
The file cannot be read. | The directory's contents cannot be shown. | |
r
|
4 | The file can be read. | The directory's contents can be shown. | ||
| Write permission (second character) | group | -
|
The file cannot be modified. | The directory's contents cannot be modified. | |
w
|
2 | The file can be modified. | The directory's contents can be modified (create new files or directories; rename or delete existing files or directories); requires the execute permission to be also set, otherwise this permission has no effect. | ||
| Execute permission (third character) | the other | -
|
The file cannot be executed. | The directory cannot be accessed with cd. | |
x
|
1 | The file can be executed. | The directory can be accessed with cd; this is the only permission bit that in practice can be considered to be "inherited" from the ancestor directories, in fact if any directory in the path does not have the x bit set, the final file or directory cannot be accessed either, regardless of its permissions; see path_resolution(7) for more information.
| ||
| SUID/GUID | s
|
4/2 | The setuid bit when found in the user triad; the setgid bit when found in the group triad; it is not found in the others triad; it also implies that x is set.
| ||
S
|
Same as s, but x is not set; rare on regular files, and useless on directories.
| ||||
| Sticky | t
|
1 | The sticky bit; it can only be found in the others triad; it also implies that x is set.
| ||
T
|
Same as t, but x is not set; rare on regular files.
| ||||
| + | "+" to indicate that there is an extended ACL for this item | ||||
SUID, GUID, and Sticky
SUID and GUID mean that for executable commands, they run as user and group respectively.
The sticky bit - originally implemented in UNIX meant a program stayed in RAM after running- Under linux, it means that anyone can create folders or files in the directory, but they can only be removed by that user.
Umask
The umask utility is used to control the file-creation mode mask, which determines the initial value of file permission bits for newly created files since all new file permission calculated by
new file permission = default permission & (~mask)
- default permission on Linux - the default creation permissions are
777for directories and only666for files. - only the file permission bits of the mask are used - see umask(2). The suid, sgid and sticky bits of the mask are ignored.
assume that the file-creation mode mask is 027
0stands for the user permission bits not set on a newly created file2stands for the group permission bits not set on a newly created file7stands for the other permission bits not set on a newly created file
To display the current mask, simply invoke umask without specifying any arguments
$ umask
0027
#When the -S option, standardized by POSIX
$ umask -S
u=rwx,g=rx,o=
To set the umask value through the umask command
System-wide umask value can be set in /etc/profile or in the default shell configuration files (e.g. /etc/bash.bashrc) in most Linux distributions.
User specific umask value can be set in ~/.bashrc to only change your umask, however these changes will only take effect after the next login
under GUI environment like KDE, The umask value can be set via pam_umask.so or a systemd
/etc/systemd/system/user@.service.d/override.conf
[Service]
UMask=0002
pam_umask.so allows to set the system-wide umask value for both, text console and graphical environment.
pam_umask.so needs to be enabled in a configuration file that is included by both, /etc/pam.d/login and /etc/pam.d/systemd-user. Add the following line to /etc/pam.d/system-login:
# session optional pam_umask.so umask=022
Permission change
| Text method | Octal method | Result | Meaning |
|---|---|---|---|
| $ chmod g= fileordir
$ chmod o= fileordir |
$chmod 700 fileordir | drwx------
|
just = means deny permission |
| $ chmod g=rx fileordir
$ chmod o=rx fileordir or $chmod go=rx fileordir |
$chmod 755 fileordir | drwxr-xr-x
|
set group to rx
set others to rx |
Extended ACL
Extended ACLs allow us to apply a more specific set of permissions to a file or directory without (necessarily) changing the base ownership and permissions. Default permissions can be set only for one owner, one group and Other users. So different permissions cannot be configured for different users and groups.
we can manage the ACL with "getfacl" and "setfacl" on the command line
# getfacl /accounting
getfacl: Removing leading '/' from absolute path names
# file: accounting
# owner: accounting
# group: accounting
user::rwx
group::rwx
other::---
#The first three output lines display the name, owner, and owning group of the directory. The next three lines contain the three ACL entries
Setting an Extened ACL
The syntax for setting an ACL is
$setfacl [action] <what>:<user/group>:<permissions>
| action | what:suer/group:permissions | notes | |||
|---|---|---|---|---|---|
| options | -m (set/modify)
|
u (user)
g (group) o (others) m (mask) |
mask associated with an ACL limits the set of permissions that can be assigned on the file for the the named groups and users and for the group owner, but has no effect on the permissions for the file owner and the other permission group
|
||
-x (delete)
|
|||||
-d (defaults)
|
default is a specific type of permission assigned to a directory, that doesn’t change the permissions of the directory itself, but makes it so that the specified ACLs are set by default on all the files created inside of it. | ||||
| -b (remove all) | with -b option, you can erase all the ACLs set[1] |
# setfacl -d -m accounting:rwx /accounting
## modify user2 be rwx, group admin rwx for myfolder
# setfacl -m "u:user2:rwx,g:admin:rwx" myfolder
Following example show how mask is mapping to user and group[2]
# file: myfolder
# owner: user1
# group: [[test]]
user::rwx
user:user2:rwx # effective: r-x due to mask
group::r-x
group:admin:rwx # effective: r-x due to mask
mask::r-x # mask effective to user and group
other::---
File Attributes
Apart from the file mode bits that control user and group read, write and execute permissions, several file systems support file attributes that enable further customization of file operations.
Extended attributes can be changed with chattr and listing them with lsattr which is included in e2fsprogs package
These are a few useful attributes. Not all filesystems support every attribute.
a- append only: File can only be opened for appending.c- compressed: Enable filesystem-level compression for the file.i- immutable: Cannot be modified, deleted, renamed, linked to. Can only be set by root.j- data journaling: Use the journal for file data writes as well as metadata.m- no compression: Disable filesystem-level compression for the file.A- no atime update: The file's atime will not be modified.C- no copy on write: Disable copy-on-write, for filesystems that support it.
if root user cannot delete or modify some file, that file should have a and i file attributes. some virus or malware use this attributes to execute process under Linux.
Extended Attributes
xattr - Extended attributes are name:value pairs associated permanently with files and directories defines four extended attribute classes: security, system, trusted and user.
archlinux provides great information about xattr and capability