Skip to content

Latest commit

 

History

History
72 lines (53 loc) · 2.93 KB

File metadata and controls

72 lines (53 loc) · 2.93 KB

List, set, and change standard file permissions

To see user standard (UGO) permissions use ls -l. Permissions are in the 1st column. Each file/directory has an owner and is associated to a group: the former is in the 3rd columns, the latter in the 4th.

The permissions for each file/directory are given for each of this category:

  • owner (u)
  • group (g)
  • others (o) (all other users that are not the owner and are not member of group).

For each category the following permissions can be set:

Name String value Octal Value
read r 4
write w 2
exec x 1

The right that each permission provide are different and depends if target is a file or a directory:

Permission File Directory
read read list
write modify create/delete
exec run cd

Note: When the exec bit is set for other (also said the "world"), the file will be executed with the identity of the user who is executing the command (his user ID and group ID).

There are two modes for declare permissions using chmod command:

  • absolute mode, uses numbers for each permission, that must be added if more than a permission is set:
chmod 760 file
# owner: granted read, write and exec
# group: granted read and write
# other: no permissions set
  • relative mode:
chmod +x file   # adds exec to owner, group and other
chmod g+w file  #adds write to group
chmod o-rw file #remove read and write to others

There are other special permissions that can be granted to file/directories:

Permission File Directory
suid (4, -s/-S) run as user owner subfiles inherit user of parent dir, while subdirs inherit suid
sgid (2, -s/-S) run as group owner subfiles inherit group of parent dir, while subdirs inherit sgid
sticky bit (1, -t/-T) N/A files inside dir can be deleted only by the owner

Note: Since the special bits appear in the third position as exec bit, "-uppercase" means only the special bit is active, whereas "-lowercase" means that both special bit and exec bit are set.

Special bits can be set with:

  • absolute mode:
chmod 4760 file 
  • relative mode:
chmod u+s file  # sets suid
chmod g+s file  # sets guid
chmod +t dir    # sets sticky bit

Note: When a file with setuid is executed, the resulting process will assume the effective user ID given to the owner: if the owner is root, this could represents a potential security risk (privilege escalation). It is a good practice to monitor a system for any suspicious usages of the setuid bits to gain superuser privileges: find / -user root -perm -4000 -exec ls -ldb {} \;

Note: Linux ignores the setuid bit on all interpreted executables for security reasons. If we want our shell script to have the setuid permission, we can use the sudo command to gain privileges of the owner of the script file.