File and Directory Permission 2


FILE AND DIRECTORY PERMISSIONS
DO ALAKE
2023
• Linux stores file and directory permissions within the inode, in a structure called the mode.

The mode contains three sections that describe the permissions assigned to these three entities:

1. User (the file or directory's owner)

2. Group (the owner's primary group)

3. Other (everyone else)

You will see these three sets of permissions referred to as UGO, for user, group and other.
For each of those entities you may assign a yes/no indicator for each of these permissions:

Permission    For files                                    For directories
Read (r)      Display the contents of the file             List the contents of the directory, but not cd (change directory) into it
Write (w)     Modify or delete the contents of the file    Add or delete files in the directory
Execute (x)   Execute a program or shell script            Change (cd) into the directory, but not list its contents unless you also have the read (r) permission


UGO
• In the ls -l listing shown on the slide, the UGO permissions (the mode) are listed first on each line. The first character in the mode describes the file type ('-' for a normal file, 'd' for a directory, 'l' for a link and so forth). Elsewhere, a dash indicates that the entity does not have a permission; the presence of a letter means that the permission has been granted.

• The nine permission characters are read as three rwx groups, one per entity:

  U (user)    r = read    w = write    x = execute
  G (group)   r = read    w = write    x = execute
  O (other)   r = read    w = write    x = execute
VIEWING FILE PERMISSIONS

1. At the terminal prompt, enter ls -l to view the file listing with the mode included.

2. Examine the mode for the second sample file.

   What permissions do you have to this file?
   What permissions do other users have who are in the group that owns the file?
   What permissions do users have who are not in the group that owns this file?

3. What permissions do you have to samplefile, and how can you tell?

4. What is the type bit for the Desktop file?


CHANGING PERMISSIONS

• You can change the permissions granted to the UGO entities by using the chmod (change mode) command. The syntax for the chmod command is

• chmod [-R] permission file_or_directory

• To make a change you must specify the new permission to apply. You can do so using two methods:

I. UGO syntax

II. Numeric syntax


UGO syntax

• You can use UGO syntax with the chmod command. With this style you specify one or more entities using the letter in the Entity column of the following table, you specify the operation, such as adding or removing a permission, using one of the operators, and you specify the permission to change.

  ENTITY       OPERATOR                         PERMISSION
  u (user)     + (add)                          r (read)
  g (group)    - (remove)                       w (write)
  o (other)    = (set permission explicitly)    x (execute)
  a (all)

• For example, use the following command to add the write permission for your primary group to a file named myfile:

• chmod g+w myfile

• You can assign multiple permissions in a single statement. For example, use the following command to add the write permission for yourself, add the read permission for your primary group and for others, and remove the write permission from your group and others:

• chmod u+w,g+r-w,o+r-w myfile

• Rather than adding to or subtracting from permissions, you can assign permissions explicitly. For example, the following command sets the permission for others to read-only, without touching the owner or group permissions:

• chmod o=r myfile


NUMERIC SYNTAX

• The other, perhaps more popular, syntax uses a numeric notation to represent the permissions you want to assign explicitly. This notation matches the way permissions are stored within the inode. With this notation, each permission is assigned a number based on increasing powers of 2:

• Read = 2^2 = 4

• Write = 2^1 = 2

• Execute = 2^0 = 1

  rw-      rw-      r--
  (4+2)    (4+2)    (4)
  6        6        4

• You add up the values of the permissions to assign. For example, to assign read and write permissions you would use the number 6 (4+2). You assign permissions to each of the user, group and other entities with such numbers. For example, to assign read/write permissions to the owner and read-only to both the group and others, you use this command:

• chmod 644 myfile
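As an added example (not part of the original slides), the shell functions below convert between the symbolic mode that ls -l prints, as read in the UGO and viewing slides, and the numeric mode that chmod takes, using the powers of 2 just described. They go one step beyond the slide and also handle the special bits covered later in the deck: an s in the user or group execute slot adds 4000 or 2000, a t in the other slot adds 1000, and an uppercase S or T marks a special bit set without the execute bit under it. The function names mode_to_octal, octal_to_mode and triplet are this example's own.

```shell
#!/bin/sh
# Added example: symbolic <-> numeric mode conversion. Function names are
# assumptions of this example, not commands from the slides.

# triplet DIGIT SPECIAL LETTER -> one rwx group for an octal digit 0-7.
# SPECIAL=1 puts LETTER in the execute slot: lowercase when the execute bit
# is also set, uppercase when the special bit is set without execute.
triplet() {
  d=$1; sp=$2; letter=$3
  r=-; w=-; x=-
  [ $((d & 4)) -ne 0 ] && r=r          # read    = 2^2 = 4
  [ $((d & 2)) -ne 0 ] && w=w          # write   = 2^1 = 2
  [ $((d & 1)) -ne 0 ] && x=x          # execute = 2^0 = 1
  if [ "$sp" -ne 0 ]; then
    if [ "$x" = x ]; then x=$letter; else x=$(printf '%s' "$letter" | tr a-z A-Z); fi
  fi
  printf '%s%s%s' "$r" "$w" "$x"
}

# octal_to_mode 644 -> rw-r--r--    octal_to_mode 4755 -> rwsr-xr-x
octal_to_mode() {
  o=$1; special=0
  case $o in
    [0-7][0-7][0-7]) ;;
    [0-7][0-7][0-7][0-7]) special=${o%???}; o=${o#?} ;;   # leading digit: SUID 4 + SGID 2 + sticky 1
    *) echo "bad octal mode: $1" >&2; return 1 ;;
  esac
  u=$(printf '%s' "$o" | cut -c1)
  g=$(printf '%s' "$o" | cut -c2)
  a=$(printf '%s' "$o" | cut -c3)
  printf '%s%s%s\n' \
    "$(triplet "$u" $(( (special & 4) != 0 )) s)" \
    "$(triplet "$g" $(( (special & 2) != 0 )) s)" \
    "$(triplet "$a" $(( (special & 1) != 0 )) t)"
}

# mode_to_octal -rwsr-xr-x -> 4755    mode_to_octal rw-r--r-- -> 644
# Accepts the full ls -l field (type character first, optionally followed by
# the '.' or '+' ls appends for a security context or ACL) or the nine
# permission characters alone.
mode_to_octal() {
  m=$1
  case $m in ??????????[.+]) m=${m%?} ;; esac   # drop ls's ACL/context marker
  [ ${#m} -eq 10 ] && m=${m#?}                  # drop the file-type character
  [ ${#m} -eq 9 ] || { echo "bad mode: $1" >&2; return 1; }
  special=0; digits=""
  for pos in 1 4 7; do                          # first character of each rwx triplet
    t=$(printf '%s' "$m" | cut -c"$pos-$((pos + 2))")
    n=0
    case $t in r??) n=$((n + 4)) ;; esac                    # read    = 4
    case $t in ?w?) n=$((n + 2)) ;; esac                    # write   = 2
    # s/S belong only in the user and group slots, t/T only in the other slot
    case $pos$t in 7??[sS]|[14]??[tT]) echo "bad mode: $1" >&2; return 1 ;; esac
    case $t in
      ??x) n=$((n + 1)) ;;                                  # execute = 1
      ??s) n=$((n + 1)); special=$((special + (pos == 1 ? 4 : 2))) ;;  # SUID/SGID with execute
      ??S) special=$((special + (pos == 1 ? 4 : 2))) ;;                # SUID/SGID without execute
      ??t) n=$((n + 1)); special=$((special + 1)) ;;                   # sticky with execute
      ??T) special=$((special + 1)) ;;                                 # sticky without execute
      ??-) ;;
      *) echo "bad mode: $1" >&2; return 1 ;;
    esac
    digits="$digits$n"
  done
  if [ "$special" -ne 0 ]; then echo "$special$digits"; else echo "$digits"; fi
}

# Demonstration on constructed mode strings, converting each way and back.
for m in -rw-r--r-- drwxr-xr-x -rwsr-xr-x drwxrwxrwt; do
  printf '%-11s -> %s -> %s\n' "$m" "$(mode_to_octal "$m")" "$(octal_to_mode "$(mode_to_octal "$m")")"
done
```

Feeding mode_to_octal a mode such as rwxrwxrws, which has an s where only a t can appear, makes it return 1 with a message on stderr rather than a wrong number, which is the behaviour you want when the output is going to be fed to chmod.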


FILE

  User  Group  Other         User  Group  Other
  rwx   rwx    rwx           rw-   r--    r--
  7     7      7             6     4      4

DIRECTORY

  User  Group  Other         User  Group  Other
  rwx   rwx    rwx           rwx   r-x    r-x
  7     7      7             7     5      5

• In many instances, such as with public web servers, you find that files are assigned the 644 permission set (user has read/write, group and other have read) and directories are assigned 755 permissions (user has read/write/execute, group and other have read/execute).

• Such permissions enable the user to create, edit and delete files, traverse directories and get directory listings.

• The group and other entities can read files, list directory contents and traverse the directory tree.
DEFAULT PERMISSIONS
• When you create a new file or directory, your system must assign default permissions to it.

• You can control what permissions your system applies by configuring the user mask (umask).

• To start, new files are assigned the 666 permission set (all have read/write permission) and new directories 777 (all have read/write/execute permission). A umask is a three-digit number such as 022, which is subtracted from the starting permission set.
• For example, let's say you create a new file and your system's umask is set to 022. Your file ends up with these three permissions:
  User = read/write
  Group = read
  Other = read
• If you create a new directory, the permissions are
  User = read/write/execute
  Group = read/execute
  Other = read/execute
The umask with new files and new directories:

                          New Files    New Directories
  Default permissions     666          777
  umask                   022          022
  Resulting permissions   644          755

• By default, new files are not given the execute permission. Not all files should be executable, and granting such a permission by default could cause security issues. Therefore, you cannot create a umask that adds the execute permission; you must do so with the chmod command.
• You can temporarily change the umask by using the umask command. You simply enter that command followed by the three-digit mask you want to use. For example:
• umask 027
• You can change the system-wide defaults by editing the /etc/profile and /etc/login.defs files. You must have root access to make such changes.
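The umask arithmetic from the table above, as an added example that is not part of the slides. apply_umask computes the result the way the kernel does, by clearing every bit that is set in the mask (mode & ~umask); for the usual masks such as 022 and 027 that gives the same answer as the digit-by-digit subtraction described above, and subtract_umask is kept only to show where the two stop agreeing (a mask digit that names a bit the starting digit does not have, such as 666 with a mask of 033). probe_umask creates a real file or directory in a scratch directory under a given mask and reads back the mode the system actually assigned, so the arithmetic can be checked against the real thing. All three function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: how a umask turns the starting permissions (666 for files,
# 777 for directories) into the permissions a new object receives. Function
# names are assumptions of this example.

# apply_umask START MASK -> resulting octal mode, e.g. apply_umask 666 022 -> 644
# This is the real rule: every bit set in MASK is cleared from START.
apply_umask() {
  start=$1; mask=$2
  case "$start$mask" in
    [0-7][0-7][0-7][0-7][0-7][0-7]) ;;
    *) echo "usage: apply_umask 666|777 MASK (three octal digits each)" >&2; return 1 ;;
  esac
  # A leading 0 makes the shell read both constants as octal (0666, 0022).
  result=$(( 0$start & ~0$mask & 0777 ))
  printf '%03o\n' "$result"
}

# subtract_umask START MASK -> the digit-by-digit subtraction the slide
# describes. It matches apply_umask for masks like 022 and 027 but not for a
# mask digit whose bits the starting digit lacks (6 - 3 = 3, but rw- minus
# -wx is r--, i.e. 4).
subtract_umask() {
  start=$1; mask=$2
  out=""
  for pos in 1 2 3; do
    s=$(printf '%s' "$start" | cut -c"$pos")
    m=$(printf '%s' "$mask" | cut -c"$pos")
    d=$((s - m))
    [ "$d" -lt 0 ] && d=0
    out="$out$d"
  done
  echo "$out"
}

# probe_umask MASK file|dir -> the nine permission characters the system
# really gives a new file or directory created under MASK.
probe_umask() {
  mask=$1; kind=$2
  scratch=$(mktemp -d) || return 1
  if [ "$kind" = dir ]; then
    (umask "$mask" && mkdir "$scratch/probe")
  else
    (umask "$mask" && : > "$scratch/probe")    # create an empty file
  fi
  ls -ld "$scratch/probe" | cut -c2-10          # skip the type character
  rm -rf "$scratch"
}

# Demonstration: the slide's table, the 027 case, and one mask where the
# subtraction shortcut gives a different answer from the real rule.
for pair in "666 022" "777 022" "666 027" "777 027" "666 033"; do
  set -- $pair
  printf 'start %s umask %s -> kernel %s, subtraction %s\n' \
    "$1" "$2" "$(apply_umask "$1" "$2")" "$(subtract_umask "$1" "$2")"
done
printf 'new file under 022: %s\n' "$(probe_umask 022 file)"
printf 'new dir  under 022: %s\n' "$(probe_umask 022 dir)"
```

The probe also makes the last bullet of the slide visible: with a mask of 000 a new file still comes out rw-rw-rw-, because the mask can only remove bits from 666 and never adds the execute bit.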
SPECIAL PERMISSIONS

• Read, write and execute are regular Linux permissions that you assign
to files and directories. In addition, you can assign 3 additional types
of permissions collectively called the special permissions. They are:

1. SUID(Set User ID)

2. SGID(Set Group ID)

3. Sticky bit
SUID (Set User ID)
• SUID (Set owner User ID) is a special type of file permission given to a file. Normally in Linux, when a program runs, it inherits access permissions from the logged-in user.

• SUID gives a user temporary permission to run a program/file with the permissions of the file owner rather than those of the user who runs it.

• In simple words, users get the file owner's permissions, as well as the owner's UID and GID, when executing a file/program/command.
• This bit is present for files which have executable permission. The setuid bit simply indicates that when running the executable, it runs with the permissions of the user who created it (the owner), instead of those of the user who launched it.

• An example of an executable with setuid permission is passwd, as can be seen in the following output.

• ls -l /etc/passwd

• This returns the following output:

• -rwsr-xr-x root root 2447 Nov 22 2021 /etc/passwd

• As we can observe, the 'x' is replaced by an 's' in the user section of the file permissions.
• When you run a program, it runs under your user ID and has the same permissions that you have on the system. If the SUID bit is set on a program, then when you run it, it runs under the context of the owner of the program, not you.

• For example, to change your password you run the passwd command. It must update the /etc/shadow file to save your password, but non-root users don't have permission to write that file.
• In this case the passwd command is owned by root, which does have permission to write the shadow file, and the SUID bit is set. When you run the passwd command, the program runs as if the root user were running it. Therefore, the program has the necessary permissions to update the file.
SGID (Set Group ID)

• The SGID bit offers functionality similar to that of the SUID bit when used with files. A file with the SGID bit set runs in the context of the owner's group rather than in the group context of the user that ran the program.

• The setgid bit affects both files and directories. When used on a file, it executes with the privileges of the group of the user who owns it instead of those of the group of the user who executed it.
• When the bit is set on a directory, new files created in that directory get the same group as the parent directory, not the group of the user who created them. This is used for file sharing, since the files can then be modified by all the users who are part of the group of the parent directory.

• To locate the setgid bit, look for an 's' in the group section of the file permissions, as shown in the example below.

• -rwxrwsr-x root root 1427 Nov 22 2021 sample_file

• To set the setgid bit, use the following command.

• chmod g+s file_or_directory

• To remove the setgid bit, use the following command.

• chmod g-s file_or_directory
COMMANDS
1. Enter touch specialfile to create the file; we will make it executable and set special permissions on it.

2. Enter chmod 777 specialfile to use the normal chmod command to assign read, write and execute permissions for everyone.

3. Enter ls -l. The file mode should read rwxrwxrwx.

4. Enter chmod 4777 specialfile to set the SUID bit on the file.

   Enter ls -l. The file mode should read rwsrwxrwx.

5. Enter chmod g+s specialfile to use the UGO chmod syntax to set the SGID bit on the file.

   Enter ls -l. The file mode should read rwsrwsrwx.

6. Enter mkdir sharedfolder to create a new directory.

7. Enter chmod 777 sharedfolder to grant all permissions, including the important execute permission.

   Enter ls -l. The mode should read rwxrwxrwx.

8. Enter chmod o+t sharedfolder to set the sticky bit on the directory.

   Enter ls -l. The mode should read rwxrwxrwt.

To remove the setgid bit, use the following command: chmod g-s sharedfolder
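The eight steps above as a script, an added example that is not part of the slides. It runs in a throw-away directory and reads the mode back after each chmod so every step can be checked, and it adds one extra step that clears execute on the file to show the uppercase S that marks a special bit with no execute bit underneath it, which is the situation the NOTE at the end of the deck warns about. The names specialfile and sharedfolder are the exercise's own; the function names mode_of, describe_special, run_exercise and step_mode are assumptions of this example. One detail worth carrying over from the SUID slide: the -rwsr-xr-x mode shown there is that of the passwd program (on most distributions /usr/bin/passwd), while /etc/passwd is the account database, which is neither executable nor SUID.

```shell
#!/bin/sh
# Added example: the special-permission exercise run on scratch files, with
# the resulting mode captured after each step. Function names are
# assumptions of this example.

# mode_of PATH -> the ten-character mode field of ls -ld for PATH.
mode_of() {
  ls -ld "$1" | cut -c1-10
}

# describe_special MODE -> which special bits a mode string carries, and
# whether the execute bit under each one is present (lowercase letter) or
# missing (uppercase letter: the bit is set but cannot take effect).
describe_special() {
  m=$1
  [ ${#m} -eq 10 ] && m=${m#?}                  # drop the file-type character
  out=""
  case $m in ??s??????) out="${out}SUID+x " ;;   ??S??????) out="${out}SUID-noexec " ;;   esac
  case $m in ?????s???) out="${out}SGID+x " ;;   ?????S???) out="${out}SGID-noexec " ;;   esac
  case $m in ????????t) out="${out}sticky+x " ;; ????????T) out="${out}sticky-noexec " ;; esac
  [ -n "$out" ] && out=${out% }
  echo "${out:-none}"
}

# run_exercise -> performs the steps in a fresh temporary directory, printing
# "<step> <mode>" after each check, then removes the scratch directory.
# The body is a subshell so the cd does not leak into the caller.
run_exercise() (
  work=$(mktemp -d) || exit 1
  cd "$work" || exit 1
  touch specialfile                    # 1. create the file
  chmod 777 specialfile                # 2. numeric syntax: rwx for everyone
  echo "2 $(mode_of specialfile)"      #    -rwxrwxrwx
  chmod 4777 specialfile               # 4. leading 4 = SUID
  echo "4 $(mode_of specialfile)"      #    -rwsrwxrwx
  chmod g+s specialfile                # 5. UGO syntax: SGID
  echo "5 $(mode_of specialfile)"      #    -rwsrwsrwx
  mkdir sharedfolder                   # 6. new directory
  chmod 777 sharedfolder               # 7. full access, including execute
  echo "7 $(mode_of sharedfolder)"     #    drwxrwxrwx
  chmod o+t sharedfolder               # 8. sticky bit on the directory
  echo "8 $(mode_of sharedfolder)"     #    drwxrwxrwt
  chmod a-x specialfile                # extra: drop execute, SUID/SGID stay set
  echo "x $(mode_of specialfile)"      #    -rwSrwSrw-  (uppercase S: no execute)
  cd / && rm -rf "$work"
)

# step_mode STEP -> the mode recorded for one step of run_exercise.
step_mode() {
  run_exercise | awk -v s="$1" '$1 == s { print $2 }'
}

# Demonstration: the whole exercise, then a reading of each captured mode.
run_exercise | while read -r step mode; do
  printf 'step %s: %s  (%s)\n' "$step" "$mode" "$(describe_special "$mode")"
done
```

The extra step is the one to remember from the NOTE slide: a file showing rwSrwSrw- still has the SUID and SGID bits stored in its inode, but nobody can execute it, so the bits do nothing until execute is granted again with chmod.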
Security Risks

• The setuid bit is indeed quite useful in various applications; however, executable programs that use this feature should be carefully designed so as not to introduce security risks such as buffer overruns and path injection. If a vulnerable program runs with root privileges, an attacker could gain root access to the system through it. To avoid such possibilities, some operating systems ignore the setuid bit on executable shell scripts.
The sticky bit
• The sticky bit was initially introduced to 'stick' an executable program's text segment in the swap space even after the program had completed execution, to speed up subsequent runs of the same program. However, these days the sticky bit means something entirely different.

• When a directory has the sticky bit set, its files can be deleted or renamed only by the file owner, the directory owner and the root user. The command below shows how the sticky bit can be set.

• chmod +t directory
• Simply look for a 't' character in the file permissions to locate the sticky bit. The snippet below shows how we can set the sticky bit for some directory "power", and how it prevents another user from deleting a file in the directory.
• To remove the sticky bit, simply use the following command.

• chmod -t directory

• Since deleting a file is controlled by the write permission on the directory that contains it, practical uses of the sticky bit involve world-writable directories such as /tmp, so that the permission to delete a file is reserved for its owner.
HOW THE STICKY BIT WORKS
1. Make a new directory using the mkdir command, e.g. mkdir power
2. Enter ls -l | grep power to display the mode of the directory.
3. Set the sticky bit: chmod +t power
4. Enter ls -l | grep power again; the mode should now end in 't'.
5. To remove the sticky bit, simply use the following command: chmod -t power
NOTE

• All 3 of the special permissions require the execute permission in order to work properly. For files, both SUID and SGID work only on executable files. SGID on a directory requires the execute permission because without it users cannot access the directory anyway.
