Understanding Linux Permission Sets
Understanding Permission Sets
It's all about control. Who gets to do what? In Linux, every file and directory has a set of permissions assigned to it. The permissions identify "who can do what". There are three categories of "who" (owner, group, and world). Each of these ownership types is given or denied three permissions: read, write, and execute.
Read Write Execute
The three permissions (read, write, and execute) have slightly different meanings depending on what object they are applied to. The two most common objects are files and directories. Below you can see how the permissions vary when applied to these two objects.
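The differences are easiest to see by removing one bit at a time and trying the operation it controls. The following script is an added example (not part of the original page): it builds a throwaway directory with one constructed file named "known", strips r, x or w from the directory or the file, and reports whether listing, opening, entering, creating and deleting are allowed. Root bypasses the r and w checks, so the denials only show up when it is run as an ordinary user.

```shell
#!/bin/sh
# Added example, not from the original page: what r, w and x mean on a
# directory as opposed to a file. All names are constructed for the demo.
# Root bypasses r/w checks, so run as an ordinary user to see the denials.

set -eu

# Run a command quietly and print "allowed" or "denied" from its exit status.
try() { if "$@" >/dev/null 2>&1; then echo allowed; else echo denied; fi; }

# Count directory entries using only the shell's own glob, which needs r on
# the directory (readdir) but not x, since it never stats the entries.
count_names() {
    set -- "$1"/*
    case $1 in *'/*') echo 0 ;; *) echo "$#" ;; esac
}

# A fresh directory (mode 700) containing one file named "known".
fresh_dir() { d=$(mktemp -d); : > "$d/known"; echo "$d"; }

# Without r on the directory the names cannot be listed, yet a file whose
# name is already known can still be opened because x (search) remains set.
dir_without_read() {
    d=$(fresh_dir); chmod u-r "$d"
    printf 'names=%s open_known=%s' "$(count_names "$d")" "$(try cat "$d/known")"
    chmod u+rwx "$d"; rm -rf "$d"
}

# Without x the names can still be read, but nothing inside can be opened
# and the directory cannot be entered: x on a directory means "traverse".
dir_without_exec() {
    d=$(fresh_dir); chmod u-x "$d"
    printf 'names=%s open_known=%s enter=%s' \
        "$(count_names "$d")" "$(try cat "$d/known")" "$(try cd "$d")"
    chmod u+rwx "$d"; rm -rf "$d"
}

# w on a directory controls its name table: without it you can neither create
# nor delete entries, even though the existing file itself is still writable.
dir_without_write() {
    d=$(fresh_dir); chmod u-w "$d"
    printf 'create=%s delete=%s write_existing=%s' \
        "$(try sh -c ": > \"$d/new\"")" \
        "$(try rm -f "$d/known")" \
        "$(try sh -c "echo x >> \"$d/known\"")"
    chmod u+rwx "$d"; rm -rf "$d"
}

# The mirror image: a read-only file in a writable directory cannot be
# modified, but it can still be deleted, because deleting changes the
# directory, not the file.
file_without_write() {
    d=$(fresh_dir); chmod u-w "$d/known"
    printf 'write=%s delete=%s' \
        "$(try sh -c "echo x >> \"$d/known\"")" "$(try rm -f "$d/known")"
    rm -rf "$d"
}

echo "dir  -r : $(dir_without_read)"
echo "dir  -x : $(dir_without_exec)"
echo "dir  -w : $(dir_without_write)"
echo "file -w : $(file_without_write)"
```

The last two cases are the ones that surprise people most often: a file you cannot write to can still be removed if its directory is writable, and a file you can write to cannot be removed if its directory is not.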
There are three types of ownership:
- Owner - this is the ultimate user. The creator or current owner of the object. Also known as user.
- Group - this is an assigned membership. You need to be a member of the group to get it.
- World - this is everyone else. All the other guys. Also known as other.
Permission sets provide security for your files and directories: each permission is either granted or not. A permission set is made up of three triplets, each of which contains three characters. These three characters are "r" for read, "w" for write, and "x" for execute. A dash in place of any of those characters in a triplet means that the permission is denied. The first triplet represents the owner's (user's) permissions. The second triplet represents the group's permissions. The third triplet dictates the permissions for everyone else.
To find out what permissions are applied to the objects in the current directory, use the ls -l command.
The first character in each line of output identifies the type of object. The two most common types are "-" and "d". Type "-" represents a normal data file, like a text file, music file, graphics file, etc. The "d" represents a directory. The next nine characters are the three permission triplets.
When the owner (Dude) looks at these permissions, he notices that the World has the "r" permission on his LovePoem. This means that everyone can read his LovePoem. This is not cool; Dude needs to change that permission.
Changing Permissions (Symbolic Method)
An object's permissions can be changed using the chmod command. The symbolic method is discussed here under basic permissions. There is also an octal method for changing permissions, which is discussed later under advanced permissions. With the symbolic method you first identify which ownership type you want to change (u = user/owner, g = group, o = others/world, or a = all three). Next, you use "+" or "-" to add or remove a permission. Then use r, w, or x to indicate which permission you want to add or remove. Lastly, enter the name of the file or directory you want to change.
So, Dude has just figured out that the World has permission to read his LovePoem. He wants the World (o) to lose (-) permission to read (r) his LovePoem. So Dude enters the following chmod command to remove the permission.
Next, Dude notices that his LinuxScript doesn't have execute permission. Every first-year Linux student knows that scripts need execute permission to run. So Dude wants all ownership types (a) to gain (+) permission to execute (x) the LinuxScript.
Totally awesome Dude!
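As an added example (not code from the original page), the script below reads the ten-character string that ls -l prints and answers "can this ownership type do that?", then carries out Dude's two symbolic chmod commands on constructed files named LovePoem and LinuxScript in a temporary directory and shows how the string changes. The file contents and the starting mode of 644 are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: reading the ls -l permission
# string and applying Dude's two symbolic chmod commands. File names,
# contents and the starting mode are constructed for the demo.

set -eu

# The type character plus the nine permission characters of a path, exactly
# as the start of an ls -l line shows them (e.g. "-rw-r--r--").
perm_string() { stat -c '%A' "$1"; }

# Does the permission string in $1 grant $3 (r, w or x) to $2 (u = owner,
# g = group, o = world)? Prints "yes" or "no".
has_perm() {
    perms=$1 who=$2 what=$3
    # Character positions: type = 1, owner = 2-4, group = 5-7, world = 8-10.
    case $who in
        u) start=2 ;; g) start=5 ;; o) start=8 ;;
        *) echo "bad who: $who" >&2; return 1 ;;
    esac
    case $what in
        r) offset=0 ;; w) offset=1 ;; x) offset=2 ;;
        *) echo "bad perm: $what" >&2; return 1 ;;
    esac
    c=$(printf '%s' "$perms" | cut -c $((start + offset)))
    # A dash means denied. A lower-case s or t in the x slot still means the
    # execute bit is set; upper-case S or T means a special bit without x.
    case $c in
        -|S|T) echo no ;;
        *)     echo yes ;;
    esac
}

# Create Dude's two files (mode 644, a typical default) and return the
# directory that holds them.
setup_dude() {
    d=$(mktemp -d)
    printf 'Roses are red...\n' > "$d/LovePoem"
    printf '#!/bin/sh\necho "Surf is up"\n' > "$d/LinuxScript"
    chmod 644 "$d/LovePoem" "$d/LinuxScript"
    echo "$d"
}

# Dude's first fix: the world (o) loses (-) read (r). Returns the new string.
hide_poem() { chmod o-r "$1/LovePoem"; perm_string "$1/LovePoem"; }

# Dude's second fix: everyone (a) gains (+) execute (x). Returns the new string.
make_executable() { chmod a+x "$1/LinuxScript"; perm_string "$1/LinuxScript"; }

# Stand-alone run: show before/after and answer the question Dude asked.
d=$(setup_dude)
echo "before: $(perm_string "$d/LovePoem")  world can read? $(has_perm "$(perm_string "$d/LovePoem")" o r)"
echo "after:  $(hide_poem "$d")  world can read? $(has_perm "$(perm_string "$d/LovePoem")" o r)"
echo "script: $(make_executable "$d")  world can execute? $(has_perm "$(perm_string "$d/LinuxScript")" o x)"
rm -rf "$d"
```

chmod o-r turns -rw-r--r-- into -rw-r-----, and chmod a+x turns -rw-r--r-- into -rwxr-xr-x; has_perm is just the "which character, which slot" rule from the paragraph above written down so it can be checked rather than eyeballed.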
In the current example Dude is both the owner and the group for all the files and directories. To allow specific groups access to specific things, Dude needs to add some groups and assign those groups to the objects he wants them to have access to. Dude wants to add three groups: Teacher, Girlfriend, and Students. He does this with the groupadd command.
Next, Dude adds these groups to his files and directory using the chgrp command.
Dude wants Students (g) to gain (+) permission to add music files (w) to the Music directory.
Rock on Dude!
Sticky bit - mainly for directories
Although the sticky bit has had different uses over time, it is currently used to protect files from being deleted by non-owners. If the sticky bit is set on a directory, the files in that directory can only be deleted by the owner of the file, the owner of the directory, or root.
So Dude has added three friends to the Students group (Sand, Surf, and Dudette). All three have been adding music to the Music directory. But Dudette doesn't like the Beach Boys, so she has been deleting some of Surf's Beach Boys songs. To prevent Dudette from continuing to delete other people's music, Dude uses the chmod command to add (+) the sticky bit (t) to the Music directory.
Notice that a "t" has replaced the "x" at the end of the permission string on the Music directory.
So chill Dudette.
SUID (Set User ID) - Mainly used on scripts
If the SUID bit is set, the script will run with the owner's permissions even when it is run by another user.
Dude wrote the SurfsUpScript. The SurfsUpScript randomly chooses an excuse from the ExcuseDatabase and sends an ExcuseEmail to all his teachers, explaining why he will miss class today. Dude's girlfriend (Dudette) wants to use the script to send her teachers the ExcuseEmail, but it fails with permission errors. The script needs administrative permissions to run. There's no way Dude is going to give Dudette administrative permissions on the system; she would delete Dudette2, 3, and 4 from Dude's database. Dude needs to add (+) the SUID permission (s) to the SurfsUpScript. That way, when Dudette runs the SurfsUpScript, the permissions will automatically be at Dude's (the owner's) permission level.
Notice that "rws" has replaced "rwx" in the owner's permission set. Now when anyone runs the SurfsUpScript, it will run with the owner's permissions.
Surf'n Safari Dude!
SGID (Set Group ID)
If the SGID bit is set on a program or script, it runs at the group's permission level. This is similar to SUID but at the group level. If SGID is set on a directory, any new file created in that directory inherits the group ownership of that directory.
Dude goes into the Music directory and sees that his friends (Surf, Sand, and Dudette) have each added a song to the Music directory. By default the group of each song is that of the user who created it.
Dude wants the default group to be Students whenever anyone adds a song to the Music folder. Dude enables the SGID bit to accomplish this. Dude adds (+) the SGID bit (s) to the Music directory that he is currently in (../Music).
Because Dude is in the Music directory, it shows up as the first line with the name (.). You can see that the group permission set has changed from rwx to rws. The (s) indicates that SGID is enabled. So now when anyone adds a song to the Music folder, the default group will be Students.
Surf, Sand, and Dudette each added a new song to the music folder:
Dude sees that the new songs are getting the group Students, but he wants all the existing songs in the folder to have the group Students as well. Dude can use the chgrp command with the recursive option (-R) to accomplish this.
Duuuude.... Let's go surf'n now!
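The group steps above (chgrp and chmod g+w on the Music directory) and the SGID steps (chmod g+s, then chgrp -R for the existing songs) fit together in one script, given here as an added example rather than code from the original page. Because groupadd needs root, the script does not create a Students group; it uses a group the current user already belongs to (a supplementary group when there is one, otherwise the primary group) so it can run unprivileged. The Music directory and the song names are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: group ownership, g+w, the SGID
# bit on a directory, and chgrp -R, in a throwaway directory. groupadd is
# not run (it needs root); a group the user already belongs to stands in
# for "Students". Directory and song names are constructed.

set -eu

# Pick a group the current user belongs to. Prefer a supplementary group so
# that SGID inheritance is visible as a change; fall back to the primary one.
pick_group() { id -G | awk '{ print ($2 != "") ? $2 : $1 }'; }

# Numeric mode (e.g. 2775) and group name of a path, via stat.
mode_of()  { stat -c '%a' "$1"; }
group_of() { stat -c '%G' "$1"; }

# Build the Music directory with three existing songs, as in the scenario,
# and return the top-level temp directory.
setup_music() {
    top=$(mktemp -d)
    mkdir "$top/Music"
    for song in SurfinUSA GoodVibrations Kokomo; do
        : > "$top/Music/$song.mp3"
    done
    echo "$top"
}

# Assign the group to the directory (chgrp) and let it add files (chmod g+w),
# starting from 755 so the change is visible. Returns the resulting mode.
grant_group_write() {
    dir=$1; grp=$2
    chgrp "$grp" "$dir"
    chmod 755 "$dir"
    chmod g+w "$dir"
    mode_of "$dir"
}

# Turn on SGID, add a new song, and report whether the new file took the
# directory's group rather than the creator's. Prints "inherited" or not.
sgid_inherit_check() {
    dir=$1
    chmod g+s "$dir"
    : > "$dir/NewSong.mp3"
    if [ "$(group_of "$dir/NewSong.mp3")" = "$(group_of "$dir")" ]; then
        echo inherited
    else
        echo not-inherited
    fi
}

# Fix the songs that existed before SGID was set with chgrp -R, then count
# entries whose group still differs from the directory's (expect 0).
fix_existing_groups() {
    dir=$1
    chgrp -R "$(group_of "$dir")" "$dir"
    mismatches=0
    for f in "$dir"/*; do
        [ "$(group_of "$f")" = "$(group_of "$dir")" ] || mismatches=$((mismatches + 1))
    done
    echo "$mismatches"
}

# Stand-alone run
main() {
    grp=$(pick_group)
    top=$(setup_music)
    echo "after chgrp/g+w: mode $(grant_group_write "$top/Music" "$grp")"
    echo "new song group:  $(sgid_inherit_check "$top/Music")"
    echo "after g+s:       mode $(mode_of "$top/Music")"
    echo "after chgrp -R:  $(fix_existing_groups "$top/Music") mismatches"
    ls -l "$top/Music"
    rm -rf "$top"
}
main "$@"
```

On the page's box the group would be Students and chgrp -R would be run by Dude as the directory owner; the only difference here is that the group is one the running user is already in, since a non-root user may only chgrp to groups it belongs to, and the kernel quietly clears g+s on a directory whose group the caller is not a member of.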
Changing Permissions (The Octal Method)
The octal method uses numbers to indicate what permissions should be assigned to each ownership type. The read permission has a numeric value of 4. The write permission has a numeric value of 2. The execute permission has a numeric value of 1. If you want all three permissions to be granted, you add 4+2+1 and get 7. If you want all ownership types (Owner, Group, and World) to have all permissions, you would use 777. Let's look at a few examples.
The octal number can be used to quickly change the permissions for all three ownership types at once.
chmod 777 LovePoem (This would give everyone read, write and execute permission to the LovePoem)
chmod 740 LovePoem (The owner has rwx permission, Group has r-- permission, World has no permission)
It is also possible to set the SUID, SGID, and sticky bits using the octal representation. When changing the SUID, SGID, or sticky bit, a fourth digit is added at the beginning of the octal number (4 = SUID, 2 = SGID, 1 = sticky; add them to combine).
chmod 1777 Music (This would turn on the sticky bit and everyone would have read, write and execute permission.)
The permission set would look like drwxrwxrwt. The "t" at the end represents the sticky bit. The "d" at the beginning identifies it as a directory.
chmod 6770 Music (This would turn on the SUID and SGID bits. The Owner and Group would have rwx permissions. The World would have no permissions.)
The permission set would look like drwsrws---. The "s" shows the SUID and SGID are on.
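The mapping from an octal mode to the rwx string is mechanical, so it can be written down and checked. The script below is an added example (not from the original page): octal_to_symbolic converts a three- or four-digit mode such as 740 or 6770 into the nine permission characters, including the "s" and "t" shown in the sticky bit and SUID sections above, and applied_string applies the same mode to a temporary file or directory and returns what stat reports, so the two can be compared. It goes beyond the page in one respect: when a special bit is set but the matching execute bit is not, ls shows an upper-case "S" or "T", which the conversion also reproduces. One caveat worth knowing: the Linux kernel ignores SUID and SGID on interpreted (#!) scripts and honours them only on compiled binaries, which is why this example checks the displayed bits rather than running anything.

```shell
#!/bin/sh
# Added example, not from the original page: octal chmod modes rendered as the
# ls -l permission string, and checked against a real chmod on a temp path.
# Also shows upper-case S/T (special bit without the execute bit), which the
# page does not cover. Temp file/directory names come from mktemp.

set -eu

# Render one triplet. $1 = digit 0-7, $2 = special-bit flag (0/1),
# $3 = letter for the special bit ("s" for SUID/SGID, "t" for sticky).
triplet() {
    d=$1 special=$2 letter=$3
    r=-; w=-; x=-
    [ $((d & 4)) -ne 0 ] && r=r
    [ $((d & 2)) -ne 0 ] && w=w
    [ $((d & 1)) -ne 0 ] && x=x
    if [ "$special" -eq 1 ]; then
        # The special bit occupies the execute slot: lower-case when x is
        # also set, upper-case (S/T) when the execute bit is absent.
        if [ "$x" = x ]; then x=$letter
        else x=$(printf '%s' "$letter" | tr 'st' 'ST'); fi
    fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# Convert "755", "1777", "6770", ... to the nine-character string.
octal_to_symbolic() {
    mode=$1
    case ${#mode} in
        3) specials=0; perms=$mode ;;
        4) specials=${mode%???}; perms=${mode#?} ;;
        *) echo "bad mode: $mode" >&2; return 1 ;;
    esac
    u=${perms%??}; rest=${perms#?}; g=${rest%?}; o=${rest#?}
    suid=$(( (specials & 4) != 0 ))
    sgid=$(( (specials & 2) != 0 ))
    stky=$(( (specials & 1) != 0 ))
    printf '%s%s%s\n' "$(triplet "$u" "$suid" s)" \
                      "$(triplet "$g" "$sgid" s)" \
                      "$(triplet "$o" "$stky" t)"
}

# Apply the mode to a temporary file or directory ($2 = file|dir) and return
# the string stat/ls show, minus the leading type character, for comparison.
applied_string() {
    mode=$1 kind=$2
    case $kind in
        dir)  p=$(mktemp -d) ;;
        file) p=$(mktemp) ;;
        *) echo "bad kind: $kind" >&2; return 1 ;;
    esac
    chmod "$mode" "$p"
    s=$(stat -c '%A' "$p")
    rm -rf "$p"
    printf '%s\n' "${s#?}"
}

# Stand-alone run: the page's four examples, computed and then observed.
for m in 777 740 1777 6770; do
    kind=file; [ "$m" = 1777 ] && kind=dir
    echo "chmod $m: computed $(octal_to_symbolic "$m")  observed $(applied_string "$m" "$kind")"
done
```

chmod 1777 on a directory comes out as rwxrwxrwt and chmod 6770 as rwsrws---, matching the strings quoted above; 4644 would show rwSr--r--, the upper-case S warning that SUID is set on something nobody can execute.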