When examining files with the ls -l command (for example), you are shown a list of files and directories. Next to each entry is a combination of letters. These letters indicate what permissions the different categories of user have.
Example output:
total 116
drwxrwx--- 3 gordon scientists 4096 Dec 16 09:26 .
drwxr-xr-x 5 gordon scientists 4096 Dec 16 09:57 ..
-rw-rw---- 1 gordon scientists 47541 Dec 16 09:26 rhel.gns3
-rw-r----- 1 gordon scientists 55123 Dec 14 15:57 rhel.gns3.back
drwxrwx--- 7 gordon scientists 4096 Dec 15 16:21 project-files
The output of this command can be broken down as follows (using the rhel.gns3.back line from the listing above):
-rw-r----- | 1 | gordon | scientists | 55123 | Dec 14 15:57 | rhel.gns3.back |
---|---|---|---|---|---|---|
File type and permissions | Link count | Owning user | Owning group | Size (bytes, by default) | Last modified time (by default) | File name |
Looking at the first column, its first character can be one of the following:
- a dash (-) means it is a regular file
- d means it is a directory
- l means it is a symbolic (soft) link
- b or c means it is a block or character device file
- p or s means it is another special-purpose file (a named pipe or a socket)
The subsequent 9 characters can be broken down into groups of three. The first group shows the owning user's permissions, the next group shows the owning group's permissions and the final group shows the permissions for other users (i.e. users who are neither the owning user nor a member of the owning group).
In those groups, there can be different characters:
- a dash (-) means no permission granted. This can appear in any of the three positions of a group. The following characters only ever appear in their own fixed position within the group:
- r (first position): the user in that category has read permission
- w (second position): the user in that category has write permission
- x (third position): the user in that category has execute permission
Users often have both read and execute permission on directories. Together these allow a user to list the directory's contents and open the files in it. With only read permission set, the user can list the names of the files in the directory, but cannot see any further information about them (such as permissions or timestamps) and cannot access them, because resolving a path through a directory requires execute permission on it. With only execute permission set, the user can pass through the directory but cannot list the files inside it; if they know the name of a file that they have access to, they can still open it and read its contents by specifying the file's path explicitly. Write permission on a directory (together with execute) is what allows entries to be created, renamed and deleted in it.
A file can therefore be removed by anyone who has write and execute permission on the directory where the file is located, regardless of who owns the file or what permissions are set on the file itself, since deleting or renaming changes only the directory. The sticky bit on the directory changes this, as described below.
In the example given above (the rhel.gns3.back line):
- gordon has read and write permission but not execute
- scientists only has read permission
Permissions are applied in order of the most specific match. The kernel first checks whether the accessing user is the owner; if so, only the user permissions apply. If not, and the user is a member of the owning group, the group permissions apply; otherwise the other permissions apply. So in the case above, user gordon has read/write access to the file rather than just read access, despite also being a member of the scientists group. Note that this is not a union of rights: if the owner's bits grant less than the group's bits, the owner still gets only the owner's bits.
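The directory rules described above are easiest to believe when you watch them fail. The following script is an added example, not part of the original page: it creates a scratch directory with mktemp, sets each combination of read and execute on it, and records whether the current user can list the directory, stat a file of known name inside it, and read that file. It then shows that a file with mode 000 can still be deleted when the directory is writable, but not when the directory lacks write permission. The function and variable names are the example's own. Run it as a normal user: root bypasses these checks (CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH), so as root every probe answers "y".

```shell
#!/bin/sh
# Added example, not code from the original page: probe what read, write and
# execute on a directory actually permit, using a scratch directory and the
# current user's own files. Every probe is a real filesystem operation, so the
# results only hold for an unprivileged account: root bypasses these checks
# (CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH) and sees "y" for everything.

# Create the scratch area: a directory holding one readable file of known name.
setup() {
    st_scratch=$(mktemp -d) || return 1
    mkdir "$st_scratch/dir" && echo "secret" > "$st_scratch/dir/known.txt" || return 1
    echo "$st_scratch"
}

# probe_dir <dir> <mode>: set <mode> on the directory and report whether the
# current user can list it, stat the known file, and read the known file.
probe_dir() {
    pd_dir=$1
    chmod "$2" "$pd_dir" || return 1
    pd_list=n; pd_stat=n; pd_read=n
    ls "$pd_dir" 2>/dev/null | grep -q known.txt && pd_list=y   # needs r on the directory
    [ -e "$pd_dir/known.txt" ] && pd_stat=y                      # needs x to resolve the path
    cat "$pd_dir/known.txt" >/dev/null 2>&1 && pd_read=y         # needs x on dir plus r on file
    chmod 700 "$pd_dir"                                          # restore for the next probe
    echo "list=$pd_list stat=$pd_stat read=$pd_read"
}

# delete_probe <dir> <dirmode>: create a file with NO permissions at all, set
# <dirmode> on the directory, and report (y/n) whether rm can remove the file.
# Deletion only modifies the directory, so the file's own bits are irrelevant.
delete_probe() {
    dp_dir=$1
    : > "$dp_dir/victim" && chmod 000 "$dp_dir/victim" || return 1
    chmod "$2" "$dp_dir" || return 1
    if rm -f "$dp_dir/victim" 2>/dev/null && [ ! -e "$dp_dir/victim" ]; then dp_r=y; else dp_r=n; fi
    chmod 700 "$dp_dir"; rm -f "$dp_dir/victim"
    echo "$dp_r"
}

# Demonstration: directory modes r-x, r--, --x and ---, then the deletion rule.
demo_scratch=$(setup) || exit 1
for dm in 500 400 100 000; do
    printf 'directory mode %s: %s\n' "$dm" "$(probe_dir "$demo_scratch/dir" "$dm")"
done
printf 'file mode 000 in a rwx directory: removed=%s\n' "$(delete_probe "$demo_scratch/dir" 700)"
printf 'file mode 000 in a r-x directory: removed=%s\n' "$(delete_probe "$demo_scratch/dir" 500)"
rm -rf "$demo_scratch"
```

As an unprivileged user the four directory probes print list=y stat=y read=y, list=y stat=n read=n, list=n stat=y read=y and list=n stat=n read=n respectively, and the mode-000 file is removed from the writable directory but not from the read-and-execute-only one.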
There is a fourth type of permission in addition to the basic user, group and other types. These special permissions add access-related behaviour on top of the basic permissions. A summary is displayed below:
Special Permission | Effect on files | Effect on directories |
---|---|---|
u+s (suid) | File executes as the user that owns the file, not the user that ran the file | No effect |
g+s (sgid) | File executes as the group which owns the file | Files newly created in the directory have their group owner set to match the group owner of the directory |
o+t (sticky) | No effect | Users with write access to the directory can only remove or rename files that they own; they cannot remove or rename files owned by other users (the directory's owner and root still can) |
Using a long listing, you can see if any special permissions are set. An example of suid being set is the passwd command:
[user@host ~]$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 80800 Oct 30 09:24 /usr/bin/passwd
Where you would normally expect the x for the owning user's execute permission, there is an s. If this were an uppercase S instead, it would indicate that the setuid bit is set but the owning user does not have execute permission. Because a setuid-root program runs with root's privileges for whoever executes it, the set of such binaries on a system is worth auditing: a flaw in any one of them can hand root to an unprivileged user.
For directories, setgid means that files created in the directory take their group ownership from the directory rather than from the primary group of the user who created them, and new subdirectories inherit the setgid bit as well. This is often seen in directories used for collaborative work. An example is the /run/log/journal directory:
[user@host ~]$ ls -ld /run/log/journal
drwxr-sr-x+ 2 root systemd-journal 40 Jan 2 23:52 /run/log/journal
The + at the end of the permission string means an access control list (ACL) is also set on the directory, granting rights beyond the mode bits shown; getfacl displays it.
If setgid is applied to a file, then the program runs as the group that owns the file instead of the group of the user who executed it, akin to how setuid works. An example of this is the locate command:
[user@host ~]$ ls -ld /usr/bin/locate
-rwxr-sr-x 1 root locate 38832 Apr 21 2021 /usr/bin/locate
In the long listing we can see the setgid permission designated by a lowercase s where we would normally see the x (for group execute). If the group does not have execute permission, this is replaced with an uppercase S.
Finally, the sticky bit on a directory means that only a file's owner, the directory's owner and root can delete or rename files within the directory, even when the directory is writable by everyone. For example, the /tmp directory:
[user@host ~]$ ls -ld /tmp
drwxrwxrwt 36 root root 920 Jan 3 14:00 /tmp
In the long listing above, we see the sticky bit denoted by the lowercase t where the x (other execute permission) would be expected. If other does not have execute permission, an uppercase T is seen instead.
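To tie the listing format and the special bits together, the following script is an added example (not code from the original page) that decodes the 10-character mode field printed by ls -l into the octal value you would pass to chmod. It applies exactly the rules explained above: the first character is the file type, the remaining nine come in user/group/other triplets, a lowercase s or t in an execute slot means the special bit plus execute, and an uppercase S or T means the special bit without execute. It uses only POSIX sh features; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the original page: decode the 10-character mode
# field that ls -l prints (for example "-rwsr-xr-x") into the octal value you
# would pass to chmod. The first digit carries setuid (4), setgid (2) and
# sticky (1); a lowercase s/t means the special bit AND execute are set, an
# uppercase S/T means the special bit is set without execute. POSIX sh only.

# Name the file type given by the first character of the mode field.
file_type() {
    case "$1" in
        -*) echo "regular file" ;;
        d*) echo "directory" ;;
        l*) echo "symbolic link" ;;
        b*) echo "block device" ;;
        c*) echo "character device" ;;
        p*) echo "named pipe (FIFO)" ;;
        s*) echo "socket" ;;
        *)  return 1 ;;
    esac
}

# Value of one rwx triplet. $1 = the triplet, $2 = the special-bit value (4, 2
# or 1) to report when the execute slot holds s/S or t/T.
# Prints "<special> <rwx digit>", e.g. "rws" 4 -> "4 7", "rwS" 4 -> "4 6".
triplet_value() {
    tv_t=$1; tv_special=$2; tv_val=0; tv_sp=0
    tv_r=${tv_t%??}; tv_rest=${tv_t#?}; tv_w=${tv_rest%?}; tv_x=${tv_t#??}
    [ "$tv_r" = r ] && tv_val=$((tv_val + 4))
    [ "$tv_w" = w ] && tv_val=$((tv_val + 2))
    case "$tv_x" in
        x)   tv_val=$((tv_val + 1)) ;;
        s|t) tv_val=$((tv_val + 1)); tv_sp=$tv_special ;;  # lowercase: special bit and execute
        S|T) tv_sp=$tv_special ;;                          # uppercase: special bit, no execute
        -)   ;;
        *)   return 1 ;;
    esac
    echo "$tv_sp $tv_val"
}

# mode_to_octal "-rwsr-xr-x" -> 4755, "drwxrwxrwt" -> 1777, "-rw-r-----" -> 0640
mode_to_octal() {
    mo_m=$(printf '%.10s' "$1")        # ignore a trailing "." (SELinux) or "+" (ACL) marker
    [ ${#mo_m} -eq 10 ] || return 1
    mo_perms=${mo_m#?}                 # the nine permission characters
    mo_u=${mo_perms%??????}; mo_rest=${mo_perms#???}
    mo_g=${mo_rest%???};     mo_o=${mo_rest#???}
    mo_uv=$(triplet_value "$mo_u" 4) || return 1
    mo_gv=$(triplet_value "$mo_g" 2) || return 1
    mo_ov=$(triplet_value "$mo_o" 1) || return 1
    set -- $mo_uv $mo_gv $mo_ov        # -> su ud sg gd so od
    printf '%d%d%d%d\n' $(($1 + $3 + $5)) "$2" "$4" "$6"
}

# Demonstration on the mode strings from the listings shown on this page.
for mode in "-rwsr-xr-x" "drwxr-sr-x+" "-rwxr-sr-x" "drwxrwxrwt" "-rw-r-----" "-rwSr--r--"; do
    printf '%-12s %-17s %s\n' "$mode" "$(file_type "$mode")" "$(mode_to_octal "$mode")"
done
```

The passwd, journal, locate and /tmp entries above decode to 4755, 2755, 2755 and 1777, and the rhel.gns3.back line to 0640; the constructed "-rwSr--r--" decodes to 4644, a setuid bit on a file its owner cannot execute.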
These can be set using chmod, either with the symbolic form (setuid = u+s, setgid = g+s, sticky = o+t) or with an extra leading octal digit in front of the usual three (4 = setuid, 2 = setgid, 1 = sticky; add them to combine, so 6 = setuid plus setgid).
Example:
Setgid bit on directory:
[user@host ~]# chmod g+s directory
Setgid bit plus rwx permissions for user and group, with no access for others, on directory:
[user@host ~]# chmod 2770 directory
Note that on directories GNU chmod keeps existing setuid and setgid bits when given a plain three-digit numeric mode such as 770; to clear them, say so explicitly with u-s or g-s.
As you may expect, when a file or directory is created it is automatically assigned permissions. What these default permissions are depends on two things: whether you are creating a regular file or a directory, and what the umask is set to.
When a new directory is created, the starting permissions requested from the operating system are 0777 (or drwxrwxrwx). If it is a file being created, the starting point is 0666 (or -rw-rw-rw-).
The execute permission always has to be added to regular files explicitly afterwards. This makes it harder for an attacker to compromise a network service in a way that would have it create a file and then execute it.
The shell session also sets a umask to further restrict the permissions requested at creation time. This octal bitmask is used to clear permissions on the new files and directories created by a process: if a bit is set in the umask, the corresponding permission is cleared on new files. For example, a umask of 0002 clears the write bit for other users. The leading zeros indicate that the special, user and group permissions are not to be cleared. A umask of 0077 would clear all group and other permissions on new files. A umask can only remove permissions, never add them, and it is inherited by every process the shell starts.
To find out what the current umask is, issue the umask
command without any arguments:
[user@host ~]$ umask
0002
Should you wish to change the umask, enter the command with a single numeric argument. The argument should be a valid octal value equating to the new umask (leading zeros can be omitted). The change applies to the current shell and to the processes it subsequently starts.
The default umask for Bash shell users is set in the /etc/profile and /etc/bashrc files. These defaults can be overridden by users in the .bash_profile and .bashrc files located in their home directories.
With this first example, we can see how the umask affects the permissions of both files and directories. With the default umask of 0002, the owner and group have read and write permission on files and other has read. The owner and group both have read, write and execute permission on directories, while other has read and execute.
[rhel@workstation ~]$ umask
0002
[rhel@workstation ~]$ touch default.txt
[rhel@workstation ~]$ ls -l default.txt
-rw-rw-r--. 1 rhel rhel 0 Jan 3 15:53 default.txt
[rhel@workstation ~]$ mkdir default
[rhel@workstation ~]$ ls -ld default
drwxrwxr-x. 2 rhel rhel 6 Jan 3 15:53 default
Next we set the umask to 0: the file permissions for other change from read only to read and write, and the directory permissions for other change from read and execute to read, write and execute.
[rhel@workstation ~]$ umask 0
[rhel@workstation ~]$ touch zero.txt
[rhel@workstation ~]$ ls -l zero.txt
-rw-rw-rw-. 1 rhel rhel 0 Jan 3 15:57 zero.txt
[rhel@workstation ~]$ mkdir zero
[rhel@workstation ~]$ ls -ld zero
drwxrwxrwx. 2 rhel rhel 6 Jan 3 15:58 zero
In order to mask all file and directory permissions for other, set the umask value to 007.
[rhel@workstation ~]$ umask 007
[rhel@workstation ~]$ touch seven.txt
[rhel@workstation ~]$ ls -l seven.txt
-rw-rw----. 1 rhel rhel 0 Jan 3 15:59 seven.txt
[rhel@workstation ~]$ mkdir seven
[rhel@workstation ~]$ ls -ld seven
drwxrwx---. 2 rhel rhel 6 Jan 3 15:59 seven
Setting the umask to 027 ensures that new files have read and write permission for the user, read permission for the group and no permissions for other. New directories have read, write and execute permission for the user, read and execute for the group, and no permissions for other.
[rhel@workstation ~]$ umask 027
[rhel@workstation ~]$ touch two-seven.txt
[rhel@workstation ~]$ ls -l two-seven.txt
-rw-r-----. 1 rhel rhel 0 Jan 3 16:00 two-seven.txt
[rhel@workstation ~]$ mkdir two-seven
[rhel@workstation ~]$ ls -ld two-seven
drwxr-x---. 2 rhel rhel 6 Jan 3 16:01 two-seven
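The four walkthroughs above can be reduced to one rule: the new mode is the base mode (0666 for files, 0777 for directories) with every bit that is set in the umask cleared. The script below is an added example, not part of the original page: expected_mode computes that result with bitwise arithmetic, observe_umask creates a real file and directory under a given umask in a mktemp scratch directory (inside a subshell, so the caller's umask is untouched), and verify_umask checks that the kernel agrees. It assumes GNU coreutils stat -c, i.e. a Linux system like the RHEL workstation above; the function names are the example's own. It also goes one step beyond the page by including the stricter umask 077.

```shell
#!/bin/sh
# Added example, not code from the original page: compute the mode a new file
# (base 0666) or directory (base 0777) receives under a given umask, then
# confirm it against a file and a directory actually created under that umask.
# Assumes GNU coreutils (stat -c), i.e. a Linux system such as the RHEL host
# shown above.

# expected_mode <base octal> <umask octal> -> resulting mode as four octal digits
# e.g. expected_mode 666 0002 -> 0664, expected_mode 777 027 -> 0750
expected_mode() {
    em_base=$(printf '%d' "0$1")       # leading 0 makes printf parse the value as octal
    em_mask=$(printf '%d' "0$2")
    printf '%04o\n' $((em_base & ~em_mask))   # umask bits are CLEARED from the base mode
}

# observe_umask <umask> -> "<file mode> <dir mode>" for a file and directory
# created in a scratch directory under that umask. The umask is changed inside
# a subshell so the caller's own umask is untouched.
observe_umask() {
    ou_scratch=$(mktemp -d) || return 1
    (
        umask "$1"
        : > "$ou_scratch/f" && mkdir "$ou_scratch/d"
    ) || return 1
    ou_f=$(printf '%04o' "0$(stat -c %a "$ou_scratch/f")")
    ou_d=$(printf '%04o' "0$(stat -c %a "$ou_scratch/d")")
    rm -rf "$ou_scratch"
    echo "$ou_f $ou_d"
}

# verify_umask <umask>: succeed only if the kernel agrees with expected_mode.
verify_umask() {
    vu_obs=$(observe_umask "$1") || return 1
    vu_exp="$(expected_mode 666 "$1") $(expected_mode 777 "$1")"
    [ "$vu_obs" = "$vu_exp" ] || { echo "umask $1: expected $vu_exp, got $vu_obs" >&2; return 1; }
    echo "umask $1: file $(expected_mode 666 "$1") dir $(expected_mode 777 "$1")"
}

# The four settings walked through above, plus the stricter 077.
for um in 0002 0 007 027 077; do
    verify_umask "$um"
done
```

For 0002, 0, 007 and 027 the computed and observed modes match the listings above (0664/0775, 0666/0777, 0660/0770 and 0640/0750); 077 yields 0600 for files and 0700 for directories, which is what a private home directory or key store should use.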
The default umask for users is set by the shell startup scripts. By default, if your account's UID is 200 or more and your user name and primary group name are the same, a umask of 002 is assigned; otherwise the umask is 022.
As root, you can change this by adding a shell startup script named /etc/profile.d/local-umask.sh which could look like this:
# Overrides default umask configuration
if [ "$UID" -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
    umask 007
else
    umask 022
fi
In this example, a umask of 007 is set for users with a UID greater than 199 whose user name and primary group name match; 022 is assigned to everyone else. If you just wanted everyone to have 022, all you would need to put in the local-umask.sh file is umask 022.
For this to take effect, a new login shell is needed (logging out and back in is the easiest way to achieve this).
Directory | Use |
---|---|
/ | The root directory. The file system tree starts here. |
/boot | Contains all files and directories required to boot the Linux kernel |
/dev | Device files live here. These are used for accessing physical devices. Essential for boot |
/etc | Configuration files used by programs and services on the server. Essential for boot |
/home | Used for local user home directories |
/media, /mnt | Contain directories that are used for mounting devices in the file system tree |
/opt | Used for optional packages that may be installed on the server |
/proc | Used by the proc file system. This is a file system structure that gives access to kernel information |
/root | Home directory of the 'root' user |
/run | Contains process and user-specific information that has been created since the last boot |
/srv | May be used for data by services such as NFS, FTP and HTTP |
/sys | Used as an interface to different hardware devices that are managed by the Linux kernel and associated processes |
/tmp | Contains temporary files that may be deleted without any warning during boot |
/usr | Contains subdirectories with program files, libraries for these program files and documentation about them |
/var | Contains files that may change in size dynamically, such as log files, mail boxes and spool files |