One of the most critical jobs a system administrator has to continuously be dealing with is the permission administration. The most small carelessness with the permissions can lead to a security hole in the system.
This example will show how are changed the permissions, a task for which chmod command is used
For this example, Linux Mint 17.3 has been used.
1. Linux permission system
What makes the Linux permission system so great is its simplicity, specially when it’s compared to others, such us Windows’. In any case, we will see briefly how it works.
There are three main things that have to be understood: the elements the permissions are defined for, the actions that can be performed, and who can perform them.
The elements are two:
- Files.
- Directories.
The actions are three:
- Read
- Write.
- Execute. Apart from for executing scripts and binaries, also corresponds to folders: to create files and other folders inside it.
And who can perform them, other three:
- The user that owns the file.
- The group that the user owning the file belongs to.
- Any other user that is not the owner and does not belong to the group the owner does.
To see how the permissions are organized, we can list the files in the terminal:
ls -l
And we will see something similar to the following:
-rw-r--r-- 1 julen julen 0 Jun 26 14:20 file.txt drwxr-xr-x 2 julen julen 4096 Jun 26 14:22 folder
The first section, 10 characters, are which correspond to permissions. Let’s examine it:
- The first character is for file type.
-means that the file is a regular file, anddmeans that is a directory. - The following nine characters are for read (
r), write (w) and execute (x) permissions for the owner, the group of the owner, and others, respectively.
2. Changing permissions
To change the permissions, the chmod command (contraction of change and mode) is used. The syntax is the following:
chmod permissions file [file 2] [file n]
The specification of the files seems quite obvious, but, how are the permissions specified?
2.1. Octal representation
One of the options is the octal notation.
For example, for setting read and write permissions for the owner, read permissions for its group, and no permission for others, to a file.txt file, we would have to execute:
sudo chmod 640 file.txt
We can try to read the file with a user that is not the owner and does not belong the the owner’s group, to see what happens:
sudo -u other-user more file.txt
And we would receive an error message:
file.txt: Permission denied
But where comes that 640 from?
Each digit of that number represents which permissions will have the owner, its group, and others. And each digit is the octal representation of the permission combination we want to assign. So:
0for no permission.1is for execution permission.2is for write permission.4is for read permission.
So, for assigning read and write permissions, what we have done is 2 + 4 = 6.
The following table shows the permissions that gives each digit:
| Number | Binary | Read? (r) |
Write? (w) |
Execute? (x) |
|---|---|---|---|---|
| 0 | 000 | No | No | No |
| 1 | 001 | No | No | Yes |
| 2 | 010 | No | Yes | No |
| 3 | 011 | No | Yes | Yes |
| 4 | 100 | Yes | No | No |
| 5 | 101 | Yes | No | Yes |
| 6 | 110 | Yes | Yes | No |
| 7 | 111 | Yes | Yes | Yes |
2.2. Symbolic representation
Apart from octal representation, chmod also allows symbolic representation.
In the symbolic representation letters and arithmetic operators are used:
For the users, the symbols are the following:
u: file owner.g: file owner’s group.o: other users.a: all users.
The actions are represented with the same symbols that we have seen before:
r: read.w: write.x: execute.
And the operators to set the permissions are:
=: sets the permissions as specified, overwriting any other previous permissions.+: adds permissions.-: removes permissions.
The syntax for the symbolic representation is the following:
sudo chmod who operator action(s)[,who operator action(s),...]
For example, the previous example (owner: read and write; group: read; others: none) with the symbolic notation, would be the following:
sudo chmod u=rw,g=r,o-rwx file.txt
As you can see, for this example, this notation requires much more verbosity.
But for other cases is more suitable. For example, if we want to maintain the current permissions, but allowing now everybody to write, we would have to type:
sudo chmod a+w file.txt
And the file would pass from these permissions:
-rw-r----- 1 julen julen 0 Jun 26 17:38 file.txt
To these ones:
-rw-rw--w- 1 julen julen 0 Jun 26 17:39 file.txt
3. Special permissions
Apart from those permissions we have seen, there are three more special permissions in Linux: the setuid (user id), the setgid (group id), and the sticky.
3.1. setuid
The setuid bit (set user ID) can be assigned to executable files, which is for, when a file is executed, allow the process acquire that file’s owner’s permissions. This is generally used to allow normal users (those without superuser privileges) to obtain root privileges for some executables.
This can be seen, for example, in common binaries, such us /bin/ping. If we check its permissions, we will see that it has the setuid bit bit assigned:
-rwsr-xr-x 1 root root 44168 May 7 2014 /bin/ping*
Which is expressed with a s, in the place for the execution bit for the owner.
If we remove the setuid bit from that executable:
sudo chmod u-s /bin/ping
A normal user won’t be able to use ping, and if it would try to use it:
ping localhost
The following message will be shown:
ping: icmp open socket: Operation not permitted
Of course, an user with sudo permissions could execute the command with root privileges, but, as said before, this bit is though for users that don’t have superuser privileges.
To add the setuid bit again:
sudo chmod u+s /bin/ping
3.2. setgid
If the setuid bit allows the user acquire the permissions of the owner, the setgid (set group id) allows to acquire the permissions of the group.
The bit can be set as follows with the octal notation:
sudo chmod 2777 script.sh
Which is set with the 2.
And with symbolic notation:
sudo chmod g+s script.sh
If the setuid bit was placed in the owner’s execution bit place, in this case, is placed in the group’s execution’s place:
-rwxrwsrwx 1 julen julen 14 Jun 27 19:22 script.sh*
3.3. sticky
The sticky bit is used in directories, when we want a file, or folder writable for several users, but where files and folders inside it can only be deleted by the owner. This bit is used, for example, in /tmp and /var/tmp directories.
The sticky bit can be assigned the following way:
sudo chmod 1777 sticky/
Where the sticky bit is set with the leading 1, and then, the wanted permissions (which usually are 777 for this cases).
And, with symbolic notation:
sudo chmod +t sticky/
The sticky bit is expressed with a t in the place for the execution bit for others:
drwxrwxrwt 2 julen julen 4096 Jun 27 19:22 sticky/
We can see how it works, we can create a file in our sticky/ directory, try to modify it with the owner and other user, and also to delete it:
touch file.txt echo "written with owner" > file.txt sudo -u other-user echo "written with other user" > file.txt
Which would work. But if we try to delete it with the user that is not the owner…
sudo -u other-user rm file.txt
And we would see:
rm: remove write-protected regular file ‘file.txt’?
We can type y to confirm, but…
rm: cannot remove ‘file.txt’: Operation not permitted
But the owner of the file could delete it with no problem.
To remove the sticky bit:
sudo chmod -t sticky/
4. Summary
In this example, we have first seen very briefly how the Linux permission, identifying the main concepts that are involved when dealing with permissions. Then, we have seen how the permissions are changed for the different notations, and, to end up with the example, we have taken a look for the special permissions bits that are available in Linux.
