Permissions are a mechanism to restrict the access to resources.
Each file has specific permissions, owner, and owner group.
Each process is executed as a user. The process has the same privileges as the user does.
Root user has no permission restrictions.
There are 3 types of permissions:
- Read (r)
- read the content of a file
- list the contents of a directory
- 2^2 = 4
- Write (w)
- change the content of a file
- create or delete files in a directory
- 2^1 = 2
- Execute (x)
- run a file as command
- access the content in a directory
- Directories without x cannot be ‘opened’ (check the content inside a directory)
- 2^0 = 1
Usually permissions are encoded using octal numbers. For a number ‘rwx’, r is the 3rd bit, w is the 2nd bit, x is the 1st bit.
Therefore ‘rw-’ is ‘110’ and thus 6. Same thing for other encodings.
There are 3 parts of permissions for the 9 permission bits:
User Group Other
- Owner of the file: User, the first 3 bits
- Group of the file: Group, the middle 3 bits
- Other users: Other, the last 3 bits
There are also 3 special bits for a file.
$ ls -l drwxr-xr-- 2 some-user some-group 208 Oct 1 13:50 some-directory # UGO | number of links | owner | group | size | time of last modification | name
drwxr-xr-- # d: is directory # rwx : owner permission # r-x : group permission # r-- : other permission
chown some-user some-file chown -R some-user some-directory
Change the owner
-R: recursively change all subdirectories and files
Change the owner group
Same usage as
chmod <new_permission> <some_file> chmod u+rw ./a.out chmod g-x ./a.out chmod go+r ./a.out chmod a-x ./a.out chmod u+x ./a.sh chmod 660 ./a.out # rw-rw---- chmod 775 ./a.out # rwxrwxr-x
Change the permissions
There is something controlling the default permission for a new file created.
- Permission for a newly created file: 666 -
- Permission for a newly created directory: 777 -
Each user has a umask property
There are 4 bits for umask. The first 3 bits are UGO and the last bit is special permission.
umask value by default:
- normal user
- 666 - 002 = 664
- 666 - 022 = 644
It’s actually not subtraction but a bitwise XOR (?)
umask # inspect umask <new_umask_value> # set
What about the ‘extra’ bit, or the 4th bit, of umask?
The real permission in binary is 12bits. UGO uses 9 bits. The last 3 bits, namely the leading bit of umask, is the special permission bit.
Run the command with the access permissions of the owner, not the user executing this command.
$ ls -l /usr/bin/passwd -rwsr-xr-x 1 root root 53K May 16 2017 /usr/bin/passwd*
The ‘x’ bit of U becomes ‘s’.
The user executing this command will potentially gain extra access.
Usually, the file name will be colored and highlighted on a terminal with color support.
chmod u+s xxx
Same as ‘suid’ but uses the permission of the group owner.
The ‘x’ bit of G becomes ‘s’.
Usually set for directories. It is commonly used to inherit the permissions of parent directory.
chmod g+s xxx
Users with write access to a directory can only delete the files owned by this user. They can not delete other files in this directory which are owned by other users.
Used to protect a directory shared by multiple people. Usually within same group.
Usually the directory name will be highlighted using blue color.
chmod o+t xxx
Octal Numbers for Special Permissions¶
suid = 4 sgid = 2 sticky = 1
chmod 4755 xxx