
Linux: Permissions and Ownership

Basics

How to properly apply and troubleshoot access control.

File and directory permissions.

It is important to make sure the right users have the right access to the right resources in the Linux environment.

Files and Directories Permissions

Permissions are access rights assigned to users to enable them to access and modify files and directories. It is best practice to apply the principle of least privilege: give users only the permissions they need to perform their tasks. No unnecessary additional permission should be added.

ls displays the permissions set on files and directories. ls -l gives a long listing with the details of a directory's contents. ls has a few useful flags:

  • -l to show a long listing of the files
  • -a to show all files, including hidden files
  • -h to display the file details (sizes) in a human-readable format

Permission attributes define the level of access a user is allowed on the selected file or directory.

The permission attributes for files are:

  • r to indicate a read permission. It allows the user to read the content of a file.
  • w to indicate a write permission. It allows the user to save changes to a file.
  • x to indicate an execute permission. It allows the user to execute a script or program.

For directories:

  • r to indicate a read permission. It allows the user to list the content of a directory.
  • w to indicate a write permission. It allows the user to create, rename, and delete files in the directory.
  • x to indicate an execute permission. It allows the user to execute scripts from the directory.

Permission attributes on files and directories are applied to one of several contexts; the context identifies which entity the permission applies to.

Permission context:

  • u owner (user): refers to the owner of the file or directory
  • g group: refers to the group of the file or directory
  • o other: refers to other users, that is, users who are neither the owner nor members of the group

chmod

chmod is used to change the permissions of a file or directory. chmod [options] <mode> <file or directory> is the proper syntax for modifying a file's or folder's permissions.

Permission Context    Permission Operators    Permission Attributes
u/g/o/a               +/-/=                   r/w/x

The + operator grants permission, - removes a permission, and = assigns the permission as provided.

In symbolic mode, use chmod <access context><operator><permission attributes> <file or directory>. For example, chmod g+w my_file.txt grants the group write permission on my_file.txt.

chmod in absolute mode

We can also use chmod in absolute mode. The absolute mode uses octal numbers to specify permissions:

  • 4 => read permission
  • 2 => write permission
  • 1 => execute permission

Adding them up will give the permission number to assign to a file or folder.

7 equals rwx permission because 4+2+1=7, and 6 equals rw because 4+2=6.

chmod <number> <file or directory> is the proper syntax to assign permissions in absolute mode.

The permission 724 means:

  • 7 for the owner permission (rwx)
  • 2 for the group permission (w)
  • 4 for the other user permission (r)
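As an added example (not from the original page), the small shell helpers below convert between the rwx triplets that ls -l prints and the octal digits chmod takes in absolute mode, then apply the 724 mode described above to a scratch file and read it back; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page): convert between the rwx triplets
# shown by ls -l and the octal number used by chmod in absolute mode, then apply
# a mode to a scratch file and read it back.

# octal_to_symbolic 724  ->  rwx-w-r--   (one rwx triplet per octal digit)
octal_to_symbolic() {
    _out=""
    for _digit in $(printf '%s' "$1" | sed 's/./& /g'); do
        _tri=""
        [ $((_digit & 4)) -ne 0 ] && _tri="${_tri}r" || _tri="${_tri}-"
        [ $((_digit & 2)) -ne 0 ] && _tri="${_tri}w" || _tri="${_tri}-"
        [ $((_digit & 1)) -ne 0 ] && _tri="${_tri}x" || _tri="${_tri}-"
        _out="${_out}${_tri}"
    done
    printf '%s\n' "$_out"
}

# symbolic_to_octal rwx-w-r--  ->  724   (add 4 for r, 2 for w, 1 for x)
symbolic_to_octal() {
    _sym=$1
    _out=""
    while [ -n "$_sym" ]; do
        _tri=$(printf '%s' "$_sym" | cut -c1-3)
        _sym=$(printf '%s' "$_sym" | cut -c4-)
        _n=0
        case $_tri in r??) _n=$((_n + 4));; esac
        case $_tri in ?w?) _n=$((_n + 2));; esac
        case $_tri in ??x) _n=$((_n + 1));; esac
        _out="${_out}${_n}"
    done
    printf '%s\n' "$_out"
}

# current_symbolic <path>  ->  the nine permission characters ls -ld shows
# (s/S/t/T appear here when SUID/SGID/sticky are set, and a "+" after the
# mode means an ACL is present)
current_symbolic() {
    ls -ld "$1" | cut -c2-10
}

# Demonstration: apply the page's 724 example to a scratch file and read it back.
demo_file=$(mktemp)
chmod 724 "$demo_file"
printf '724 -> %s\n' "$(octal_to_symbolic 724)"
printf 'on disk: %s\n' "$(current_symbolic "$demo_file")"
rm -f "$demo_file"
```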

umask

The umask (user file-creation mask) command is used to set the default permissions for newly created files and directories. We can set default permissions permanently in the .bashrc file: just add umask 0022 to the .bashrc file.

Run on its own in bash, umask 0022 sets the defaults temporarily (for the current session) to 666 - 022 = 644 for files and 777 - 022 = 755 for directories.

You cannot add permissions with umask.
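The following added example (mine, not from the original page) computes what a umask leaves of the 666 and 777 defaults and then creates a file and a directory under that umask to compare. It goes beyond the 022 case in the text: the kernel clears the mask's bits (mode & ~umask), which equals the subtraction for 022 but not for a mask such as 027, where files become 640 rather than 639.

```shell
#!/bin/sh
# Added example (not from the original page): how a umask produces the default
# modes. The kernel clears the mask's bits from the requested mode (mode & ~umask).
# For 022 this matches the subtraction in the text (666-022=644, 777-022=755);
# the bitwise form is the general rule, e.g. umask 027 gives files 640, not 639.

# effective_mode <requested-mode> <umask>   e.g. effective_mode 666 022 -> 644
effective_mode() {
    # the leading 0 makes the shell read both numbers as octal
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# default_modes <umask>  -> "files=<mode> dirs=<mode>" (666 for files, 777 for
# directories; a umask only removes bits, so it can never add x to a new file)
default_modes() {
    printf 'files=%s dirs=%s\n' "$(effective_mode 666 "$1")" "$(effective_mode 777 "$1")"
}

# Demonstration: predict, then create a file and a directory under that umask in
# a scratch directory and compare with what ls reports.
demo_umask() {
    _dir=$(mktemp -d)
    printf 'umask %s predicted: %s\n' "$1" "$(default_modes "$1")"
    ( cd "$_dir" && umask "$1" && touch f && mkdir d )
    ls -ld "$_dir/f" "$_dir/d" | cut -c1-10
    rm -rf "$_dir"
}

demo_umask 022
demo_umask 027
```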

Files and Directories Ownership

Ownership determines who can change the permissions of a file or directory. Only the root user has the permission to change the permissions of files and directories belonging to all other users.

Use chown to change the owner or group of a file or directory. The correct syntax is chown <username> <file or directory>. For example, chown demo dir1 changes the ownership of dir1/ to demo. This changes only the owner, not the group.

To change the owner and group of the file or directory, use chown <username>:<group-name> <file or directory>. To change the group but not the owner, use chown :<group-name> <file or directory>.

To change ownership recursively in a directory, use the -R flag: chown -R <username> <file or directory>.

To change the group ownership of a file or directory, use the chgrp command: chgrp <group-name> <file or directory>.

Special Permissions and Attributes

Special permissions allow a less privileged user to assume the permissions of the owner or group of a file in order to perform a task.

There are two special permissions that can be used:

  • Set User ID (SUID): the user is allowed the same permissions as the owner of the file
  • Set Group ID (SGID): the user is allowed the same permissions as the other members of the group

chmod u+s <file> sets the SUID special permission on a file in symbolic mode.

chmod 4### <file> sets the SUID special permission on a file in absolute mode.

chmod g+s <directory> sets the SGID special permission on a directory in symbolic mode.

chmod 2### <directory> sets the SGID special permission on a directory in absolute mode.

The sticky bit is another special permission. It protects files in directories: it makes sure that only root or the owner of the file or directory can delete the file or directory.

chmod +t <directory> sets the sticky bit on a directory in symbolic mode.

chmod 1### <directory> sets the sticky bit on a directory in absolute mode.
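As an added example (not from the original page), the script below finds every entry under a directory that carries one of the three special permissions just described and labels which bit it is, so an administrator can review SUID, SGID and sticky settings on a tree. It relies on the shell's -u, -g and -k file tests and find's -perm matching; the function names and the scratch tree are my own.

```shell
#!/bin/sh
# Added example (not from the original page): find and label every file or
# directory under a path that has SUID, SGID or the sticky bit set, so special
# permissions can be reviewed rather than discovered later.

# special_bits <path>  -> "suid", "sgid", "sticky" (space separated) or ""
special_bits() {
    _bits=""
    [ -u "$1" ] && _bits="${_bits}suid "     # chmod u+s / chmod 4###
    [ -g "$1" ] && _bits="${_bits}sgid "     # chmod g+s / chmod 2###
    [ -k "$1" ] && _bits="${_bits}sticky "   # chmod +t  / chmod 1###
    printf '%s\n' "${_bits% }"
}

# audit_special <dir>  -> one line "<bits> <path>" per entry carrying a special bit
audit_special() {
    find "$1" \( -perm -4000 -o -perm -2000 -o -perm -1000 \) -print |
    while IFS= read -r _path; do
        printf '%s %s\n' "$(special_bits "$_path")" "$_path"
    done
}

# count_special <dir>  -> number of entries audit_special reports
count_special() {
    audit_special "$1" | wc -l | tr -d ' '
}

# Demonstration on a scratch tree (constructed here; nothing on the real system).
demo_tree=$(mktemp -d)
touch "$demo_tree/plain" "$demo_tree/tool"
mkdir "$demo_tree/shared" "$demo_tree/dropbox"
chmod 644  "$demo_tree/plain"      # ordinary file, not reported
chmod 4755 "$demo_tree/tool"       # SUID: runs with the owner's permissions
chmod 2775 "$demo_tree/shared"     # SGID directory: new files take its group
chmod 1777 "$demo_tree/dropbox"    # sticky: only root or the owner can delete entries
audit_special "$demo_tree"
rm -rf "$demo_tree"
```

Pointing audit_special at a real tree such as /usr/bin turns the list into a review item: every SUID entry that is not expected there deserves an explanation.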

The immutable flag protects files and directories from being modified. It is very useful for sensitive files and directories.

lsattr

The lsattr command lists the attributes of a file or directory. To use it, type lsattr [options] <file or directory>. lsattr supports the following options, among others:

  • -R recursively list the attributes of all files in the directory
  • -a list all files
  • -d list all directories
  • -v list the version number of the files

chattr

chattr is used to change the attributes of a file or directory. To change the attributes of a file or directory, use the command chattr [-R] [-v <version>] [+-<attributes>] <file or directory>. The option +i marks the file or directory as immutable; -i removes the immutable attribute from the file or directory.

Access Control Lists (ACLs)

We can use access control lists to set different levels of permission for different groups that need access to the same resources. One group may need rwx while another only needs rw.

The getfacl command displays the access control lists of files and directories.

setfacl is used to change the permissions associated with the ACL of a file or directory. The command looks like: setfacl [-bR] [-mx <acl specs>] <file or directory>. This command supports the following options:

  • -R recursively sets the ACL of the content of a directory
  • -s sets and replaces the existing ACL of a file or directory
  • -m modifies the existing ACL of a file or directory
  • -x removes entries from the existing ACL of a file or directory
  • -b removes all ACL entries except the standard permissions

Example: setfacl -R -m g:students:r /assignments modifies the current ACL to give the students group read permission on the assignments directory and, recursively, its contents.

ACL entries take one of these forms:

  • u:<username>:<permissions> for a user
  • g:<group-name>:<permissions> for a group

By default only one group can be associated with a directory. ACLs allow giving more groups permissions on a directory.

Troubleshooting Permission Issues

Follow the 7-step troubleshooting technique from the CompTIA A+.

  1. Identify the issue
  2. Establish a theory of probable cause
  3. Test the theory to determine the cause
  4. Establish a plan of action
  5. Apply the solution
  6. Verify full system functionality
  7. Document findings, actions, and outcomes
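As an added example for step 3 of that list (mine, not from the original page), the script below walks a path one component at a time and reports the first directory the current user cannot traverse, which is a frequent cause of "Permission denied" that is invisible when looking only at the file's own mode. It assumes it is run as the affected user (for example via su <user> -c), since root bypasses ordinary permission checks; the function name and scratch tree are my own.

```shell
#!/bin/sh
# Added example (not from the original page): a check for "test the theory".
# A frequent cause of "Permission denied" is not the file's own mode but a parent
# directory lacking the x (search) bit, so this walks the path one component at a
# time and reports the first one the current user cannot get through. Run it as
# the affected user; root is never blocked by these bits.

# first_blocking_component <path>  -> "<component> (reason)" or nothing if the
# current user can reach and read the target
first_blocking_component() {
    case $1 in /*) _target=${1%/} ;; *) _target=$PWD/${1%/} ;; esac
    _sofar=""
    _oldifs=$IFS
    IFS=/
    for _part in $_target; do
        [ -n "$_part" ] || continue
        _sofar="$_sofar/$_part"
        if [ "$_sofar" = "$_target" ]; then
            # the object itself: reading it needs r
            [ -r "$_sofar" ] || { printf '%s (no read permission)\n' "$_sofar"; break; }
        else
            # every directory on the way needs x (search) to be traversed
            [ -x "$_sofar" ] || { printf '%s (no search/x permission)\n' "$_sofar"; break; }
        fi
    done
    IFS=$_oldifs
}

# Demonstration on a scratch tree: the file is world-readable, but the directory
# above it has no x bit, so the walk stops there.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/project/data"
echo "report" > "$demo_root/project/data/report.txt"
chmod 644 "$demo_root/project/data/report.txt"
chmod 600 "$demo_root/project"           # r and w, but no x: cannot be traversed
first_blocking_component "$demo_root/project/data/report.txt"
chmod 700 "$demo_root/project"           # restore so the scratch tree can be removed
rm -rf "$demo_root"
```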