In the realm of Linux, security is a foundational principle, and at the heart of this security model lies file and directory permissions. Linux permissions dictate who can access, modify, or execute files and directories, serving as a critical barrier against unauthorized access, data breaches, and malicious activity. Whether you’re a system administrator, developer, or casual Linux user, understanding how permissions work is essential to safeguarding your system and data. This blog will demystify Linux permissions, starting with fundamental concepts, moving through practical usage, and concluding with best practices to harden your system. By the end, you’ll be equipped to configure permissions effectively and mitigate common security risks.
Table of Contents
- Fundamental Concepts: Users, Groups, and Permission Types
- Understanding Permission Notation
- Changing Permissions: chmod, chown, and chgrp
- Special Permissions: SUID, SGID, and Sticky Bit
- Common Scenarios and Practical Usage
- Best Practices for Enhanced Security
- Conclusion
- References
1. Fundamental Concepts: Users, Groups, and Permission Types
Linux is a multi-user operating system, so permissions are granularly assigned based on users and groups. Before diving into permissions, let’s clarify these core entities:
Users and Groups
- User: An individual account on the system (e.g., alice, bob). The root user (UID 0) bypasses these permission checks entirely.
- Group: A collection of users (e.g., developers, admins). Groups simplify permission management for teams.
- Others: Any user who is neither the owner nor a member of the owning group of the file/directory.
Permission Types
Linux defines three basic permissions, each applicable to users, groups, and others:
| Permission | Symbol | Description for Files | Description for Directories |
|---|---|---|---|
| Read | r | Read the file's contents | List the names of entries in the directory (e.g., ls). Without x, ls can show names but not sizes, owners, or permissions |
| Write | w | Modify the file's contents. Deleting or renaming a file is controlled by write permission on its parent directory, not on the file itself | Create, delete, or rename entries in the directory (x is required as well) |
| Execute | x | Run the file as a program/script (a script also needs r, because the interpreter has to read it) | Traverse (search) the directory: cd into it and access entries by name, even without permission to list them |
2. Understanding Permission Notation
Permissions are displayed in two formats: symbolic (human-readable) and numeric (octal, for scripting/automation). Let’s break them down.
Symbolic Notation
When you run ls -l (list files with details), the first column is a 10-character string describing the file type and permissions. If an 11th character appears (+ for an ACL, . for a SELinux or other security label), the mode string is not the whole story: run getfacl on the file, because an ACL can grant access that the rwx bits do not show. For example:
-rwxr-xr-- 1 alice developers 4096 Jun 1 12:00 project.txt
The 10-character string (-rwxr-xr--) is structured as:
| Position | Meaning |
|---|---|
| 1 | File type: - (regular file), d (directory), l (symlink), etc. |
| 2-4 | Permissions for the owner (user) |
| 5-7 | Permissions for the group |
| 8-10 | Permissions for others (all other users) |
In the example above:
- Owner (alice) has rwx (read, write, execute).
- Group (developers) has r-x (read, execute).
- Others have r-- (read only).
Numeric (Octal) Notation
Numeric notation converts symbolic permissions into a 3- or 4-digit number (octal, base-8). Each permission is assigned a value:
- r = 4, w = 2, x = 1
For each triplet (owner, group, others), sum the values. For example:
- rwx = 4+2+1 = 7
- r-x = 4+0+1 = 5
- r-- = 4+0+0 = 4
Thus, rwxr-xr-- translates to 754 in numeric notation.
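To make the two notations concrete, here is a small converter, added for this post (it is not code from the original article), that parses the 9- or 10-character ls -l field into a numeric mode and renders it back. It goes one step beyond the triplets above: it also understands the s, S, t and T characters that section 4 explains, so modes such as 4755 and 1777 round-trip correctly.

```python
import stat

# The nine rwx bits in the order ls -l prints them: owner, group, others.
_BITS = (
    stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
    stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
    stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH,
)
# Each execute slot (index 2, 5, 8) can carry a special bit. ls prints the
# letter in lowercase when execute is also set and in uppercase when it is not.
_SPECIAL = {
    2: (stat.S_ISUID, "s"),   # setuid overlays the owner's x slot
    5: (stat.S_ISGID, "s"),   # setgid overlays the group's x slot
    8: (stat.S_ISVTX, "t"),   # sticky overlays the others' x slot
}


def symbolic_to_mode(perms: str) -> int:
    """Parse an ls -l permission field such as '-rwxr-xr--' or 'rwsr-xr-x'.

    A leading file-type character (-, d, l, ...) is accepted and ignored.
    Returns the 12 mode bits (three special bits plus three rwx triplets)
    as an int, so octal_string() gives the form chmod accepts.
    """
    if len(perms) == 10:
        perms = perms[1:]
    if len(perms) != 9:
        raise ValueError(f"expected 9 permission characters, got {perms!r}")
    mode = 0
    for i, ch in enumerate(perms):
        if ch == "-":
            continue
        if i in _SPECIAL:
            special, letter = _SPECIAL[i]
            if ch == "x":
                mode |= _BITS[i]
            elif ch == letter:              # 's' / 't': special bit and execute
                mode |= special | _BITS[i]
            elif ch == letter.upper():      # 'S' / 'T': special bit, no execute
                mode |= special
            else:
                raise ValueError(f"unexpected {ch!r} at position {i}")
        else:
            if ch != "rw"[i % 3]:           # positions 0,3,6 hold r; 1,4,7 hold w
                raise ValueError(f"unexpected {ch!r} at position {i}")
            mode |= _BITS[i]
    return mode


def mode_to_symbolic(mode: int) -> str:
    """Render mode bits the way ls -l does, without the file-type character."""
    out = []
    for i, bit in enumerate(_BITS):
        ch = "rwx"[i % 3] if mode & bit else "-"
        if i in _SPECIAL:
            special, letter = _SPECIAL[i]
            if mode & special:
                ch = letter if mode & bit else letter.upper()
        out.append(ch)
    return "".join(out)


def octal_string(mode: int) -> str:
    """Four-digit octal as chmod takes it: '0754', '4755', '1777', ..."""
    return format(mode & 0o7777, "04o")


if __name__ == "__main__":
    for field in ("-rwxr-xr--", "-rwsr-xr-x", "drwxrwxrwt", "-rwxr-Sr-x"):
        mode = symbolic_to_mode(field)
        print(f"{field}  ->  {octal_string(mode)}  ->  {mode_to_symbolic(mode)}")
```

The uppercase forms are worth recognising on sight: rwxr-Sr-x (SGID without group execute) or rw-rw-r-T (sticky without others' execute) usually mean someone set the special bit by mistake, and an audit script that only looks for lowercase s will miss them.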
3. Changing Permissions: chmod, chown, and chgrp
To modify permissions, Linux provides three key commands: chmod (change mode), chown (change owner), and chgrp (change group).
chmod: Modify Read/Write/Execute Permissions
chmod adjusts the r, w, x permissions for owner, group, or others. It supports both symbolic and numeric notation.
Symbolic Syntax:
chmod [who][operator][permissions] file/directory
- who: u (owner), g (group), o (others), a (all). If omitted, a is assumed, but bits set in the umask are left alone.
- operator: + (add), - (remove), = (set exactly, clearing whatever the class had before).
- permissions: r, w, x (plus s and t for the special bits in section 4).
Several clauses can be combined with commas, e.g. chmod u+x,g-w script.sh.
Examples:
# Add execute permission for the owner of script.sh
chmod u+x script.sh
# Remove write permission for others from data.txt
chmod o-w data.txt
# Set group permissions to read/write for docs/
chmod g=rw docs/
Numeric Syntax:
chmod [numeric_permissions] file/directory
Examples:
# Set owner: rwx, group: r-x, others: --- (750)
chmod 750 project/
# Make a file readable by all (644: rw-r--r--)
chmod 644 report.pdf
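The symbolic syntax is easier to trust once you see what each operator does to the bits. The following function, added here as an illustration (it is not from the original post and it is not GNU chmod's code), applies one or more comma-separated clauses to a numeric mode, which also makes it a handy way to preview a change before running it on a real file. Two deliberate simplifications, stated here and in the comments: a clause with no who letter is treated as a (real chmod also honours the umask in that case), and = replaces only the rwx bits of the named classes, leaving setuid/setgid/sticky alone unless s or t is named explicitly.

```python
import re

# rwx mask per "who" class; 'a' is expanded to all three classes below.
_WHO = {"u": 0o700, "g": 0o070, "o": 0o007}
# r/w/x masks across all three classes; ANDed with the who mask.
_PERM = {"r": 0o444, "w": 0o222, "x": 0o111}
# 's' means setuid for u and setgid for g; 't' is the sticky bit (others slot).
_SPECIAL = {"s": {"u": 0o4000, "g": 0o2000}, "t": {"o": 0o1000}}
_CLAUSE = re.compile(r"^([ugoa]*)([+\-=])([rwxst]*)$")


def apply_symbolic(spec: str, mode: int) -> int:
    """Apply a chmod-style symbolic spec (e.g. 'u+x', 'g=rw', 'ug+rw,o=')
    to a numeric mode and return the new mode.

    Simplifications (this models the syntax, it is not GNU chmod):
    - an empty who means 'a'; the umask is ignored;
    - '=' replaces only the rwx bits of the named classes; special bits
      change only when 's' or 't' is named in the clause.
    """
    for clause in spec.split(","):
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"bad chmod clause: {clause!r}")
        who, op, perms = m.groups()
        classes = set("ugo") if (not who or "a" in who) else set(who)
        who_mask = 0
        for c in classes:
            who_mask |= _WHO[c]
        bits = 0
        for p in perms:
            if p in _SPECIAL:
                for c in classes:
                    bits |= _SPECIAL[p].get(c, 0)   # 'u+t' or 'o+s' are no-ops
            else:
                bits |= who_mask & _PERM[p]
        if op == "+":
            mode |= bits
        elif op == "-":
            mode &= ~bits
        else:  # '=': clear the named classes' rwx bits, then set exactly what was named
            mode = (mode & ~who_mask) | bits
    return mode & 0o7777


def preview(spec: str, mode: int) -> str:
    """One-line before/after summary, useful as a dry run."""
    return f"{spec:>10}: {mode:04o} -> {apply_symbolic(spec, mode):04o}"


if __name__ == "__main__":
    # The three symbolic examples from this section, plus a combined clause
    # and the 'u-s' used later in the best-practices section.
    for spec, mode in (("u+x", 0o644), ("o-w", 0o666), ("g=rw", 0o755),
                       ("ug+rw,o=", 0o777), ("u-s", 0o4755)):
        print(preview(spec, mode))
```

Note the difference between g+rw and g=rw on a 755 file: the first yields 775 (x is kept), the second 765 (x is dropped). That is the usual way a script loses its execute bit by accident.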
chown: Change Owner/Group
chown modifies the owner and/or group of a file/directory. Changing the owner requires root (the CAP_CHOWN capability); an unprivileged user can only change the group, only on files they own, and only to a group they belong to.
Syntax:
chown [new_owner]:[new_group] file/directory
Examples:
# Change owner of logs/ to "sysadmin"
chown sysadmin logs/
# Change owner to "bob" and group to "team" for app.py
chown bob:team app.py
chgrp: Change Group Only
chgrp changes only the group (equivalent to chown :new_group). The same rule applies as for chown: a non-root user can only assign a group they are a member of, on files they own.
Example:
# Change group of assets/ to "designers"
chgrp designers assets/
4. Special Permissions: SUID, SGID, and Sticky Bit
Beyond r, w, x, Linux supports three special permissions that enhance security or enable shared workflows: SUID, SGID, and Sticky Bit.
SUID (Set User ID)
- Effect: When a file with SUID is executed, the process runs with the file owner's UID as its effective user ID (not the caller's). The kernel honours the bit only on regular executables; it is ignored on #! scripts and on filesystems mounted nosuid.
- Symbolic Notation: s in the owner's execute position (e.g., rwsr-xr-x). A capital S means the SUID bit is set but the owner lacks execute permission, which is almost always a mistake.
- Numeric Notation: Prefix the regular numeric permissions with 4 (e.g., 4755).
Example: The passwd command (/bin/passwd) has SUID so users can modify their password (stored in /etc/shadow, which is owned by root):
ls -l /bin/passwd
# Output: -rwsr-xr-x 1 root root 68208 Jun 1 2023 /bin/passwd
Security Note: every SUID binary is a potential privilege-escalation path. A bug in the program, or an unexpected argument, environment variable, or file it trusts, runs with the owner's privileges (often root). The list of SUID files on a host should be short and contain only binaries you recognise; compare it against a known-good baseline. Audit SUID files with:
find / -type f -perm -4000 -ls 2>/dev/null
SGID (Set Group ID)
- Effect on Files: The process runs with the file's group as its effective group ID (not the caller's). As with SUID, the kernel applies it only if the group execute bit is also set.
- Effect on Directories: New files created in the directory inherit the directory's group (instead of the creator's primary group), and new subdirectories inherit the SGID bit as well, so the behaviour propagates down the tree.
- Symbolic Notation: s in the group's execute position (e.g., rwxr-sr-x).
- Numeric Notation: Prefix with 2 (e.g., 2755).
Example: A shared directory where all new files belong to the devteam group:
# Set SGID on shared_dev/ and set group to devteam
chmod 2770 shared_dev/
chgrp devteam shared_dev/
Sticky Bit
- Effect: On directories, only the entry's owner, the directory's owner, or root can delete or rename an entry, even if other users have write access to the directory. On Linux the bit has no effect on regular files.
- Symbolic Notation: t in the others' execute position (e.g., rwxrwxrwt). A capital T means the sticky bit is set but others lack execute permission.
- Numeric Notation: Prefix with 1 (e.g., 1777).
Example: The /tmp directory uses the Sticky Bit to ensure users can’t delete each other’s temporary files:
ls -ld /tmp
# Output: drwxrwxrwt 10 root root 4096 Jun 1 12:00 /tmp
5. Common Scenarios and Practical Usage
Let’s apply permissions to real-world scenarios.
Scenario 1: Troubleshooting “Permission Denied”
If you see permission denied when accessing a file, check the file with ls -l, confirm that every parent directory grants you x (a missing search bit on any ancestor blocks the whole path), and then adjust with chmod/chown. Only the file's owner or root can change its mode or group, so in the example below the fix runs as root. Note that adding g+r to a root:root file helps nobody outside the root group: put the file in a group the reader belongs to, and grant that group read access, rather than opening it to everyone.
Example:
# Error: cannot open 'data.log' (Permission denied)
ls -l data.log
# Output: -rw------- 1 root root 1024 Jun 1 12:00 data.log
# Fix: assign a group the reader belongs to ("ops" here is an example name),
# then allow group read access
sudo chgrp ops data.log
sudo chmod g+r data.log
ls -l data.log
# Output: -rw-r----- 1 root ops 1024 Jun 1 12:00 data.log
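Permission denied is often not about the file's own mode at all: a missing x on any ancestor directory blocks the path, and the owner's bits apply even when the group or others bits would allow more. The following checker, added here as an illustration (not code from the original post), reproduces the kernel's class selection and walks a path from / down to find the first blocker. The sample tree is constructed for the example: alice is uid/gid 1000, bob is 2000, and data.log is the root-owned 600 file from the scenario above. Root is modelled as CAP_DAC_OVERRIDE only; ACLs and mandatory access control (SELinux, AppArmor) are not modelled.

```python
import os
import stat
from pathlib import PurePosixPath
from types import SimpleNamespace


def effective_perms(st_uid, st_gid, mode, uid, gids):
    """Return (class, r, w, x): the bits the kernel consults for this caller.

    Exactly one class applies. If the caller owns the file, the owner bits
    are used even when the group or others bits are more generous, so a
    file with mode 0o077 is unreadable by its own owner. Root is modelled
    as CAP_DAC_OVERRIDE: r and w always, x on directories always and on
    files only if some execute bit is set.
    """
    if uid == 0:
        return ("root", True, True, stat.S_ISDIR(mode) or bool(mode & 0o111))
    if uid == st_uid:
        cls, shift = "owner", 6
    elif st_gid in gids:
        cls, shift = "group", 3
    else:
        cls, shift = "others", 0
    bits = (mode >> shift) & 0o7
    return (cls, bool(bits & 4), bool(bits & 2), bool(bits & 1))


def diagnose(path, uid, gids, want="r", stat_fn=os.stat):
    """Walk from / to path and report the first thing that blocks access.

    Every ancestor directory must grant the caller x (search); the final
    component must grant the bits in `want` ('r', 'w', 'x' or a combination).
    Returns the report as a list of lines; the last line names the blocker
    or says OK.
    """
    p = PurePosixPath(path)
    if not p.is_absolute():
        raise ValueError("diagnose() needs an absolute path")
    report = []
    for ancestor in list(p.parents)[::-1]:        # '/', '/home', '/home/alice', ...
        st = stat_fn(str(ancestor))
        cls, _, _, x = effective_perms(st.st_uid, st.st_gid, st.st_mode, uid, gids)
        line = f"{ancestor}: {stat.filemode(st.st_mode)} {st.st_uid}:{st.st_gid}"
        if not x:
            report.append(f"{line} - no x for {cls}, cannot traverse")
            return report
        report.append(f"{line} - ok")
    st = stat_fn(str(p))
    cls, r, w, x = effective_perms(st.st_uid, st.st_gid, st.st_mode, uid, gids)
    have = {"r": r, "w": w, "x": x}
    missing = "".join(b for b in want if not have[b])
    line = f"{p}: {stat.filemode(st.st_mode)} {st.st_uid}:{st.st_gid}"
    if missing:
        report.append(f"{line} - missing {missing} for {cls}")
    else:
        report.append(f"{line} - OK ({cls} has {want})")
    return report


# Constructed sample tree (not a real system): path -> (uid, gid, st_mode).
SAMPLE_TREE = {
    "/":                     (0, 0, stat.S_IFDIR | 0o755),
    "/home":                 (0, 0, stat.S_IFDIR | 0o755),
    "/home/alice":           (1000, 1000, stat.S_IFDIR | 0o700),
    "/home/alice/data.log":  (0, 0, stat.S_IFREG | 0o600),
    "/home/alice/notes.txt": (1000, 1000, stat.S_IFREG | 0o644),
}


def sample_stat(path):
    """stat() stand-in that answers from the constructed tree above."""
    uid, gid, mode = SAMPLE_TREE[path]
    return SimpleNamespace(st_uid=uid, st_gid=gid, st_mode=mode)


if __name__ == "__main__":
    # alice cannot read the root-owned log: she falls into the 'others' class.
    print("\n".join(diagnose("/home/alice/data.log", 1000, {1000}, stat_fn=sample_stat)))
    # bob is stopped one level earlier: /home/alice has no x for others.
    print("\n".join(diagnose("/home/alice/notes.txt", 2000, {2000}, stat_fn=sample_stat)))
    # Against the real filesystem, as the current user:
    print("\n".join(diagnose(os.path.abspath(__file__), os.getuid(), set(os.getgroups()))))
```

Running it against the real filesystem uses os.stat by default; pass stat_fn to test a hypothesis without touching the system, as the constructed tree does here.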
Scenario 2: Shared Team Directory
Create a directory where:
- Team members can read/write files.
- New files inherit the team group.
- Users can’t delete others’ files.
# Create directory, assign the team group, then set SGID + Sticky Bit
# (1770 alone would give the sticky bit but not group inheritance; SGID is the 2)
mkdir team_shared
chgrp dev_team team_shared
chmod 3770 team_shared  # 3=SGID(2)+Sticky(1), 7=owner rwx, 7=group rwx, 0=others ---
ls -ld team_shared
# Output: drwxrws--T 2 alice dev_team 4096 Jun 1 12:00 team_shared
6. Best Practices for Enhanced Security
To minimize risk, follow these best practices:
1. Principle of Least Privilege
Assign the minimum permissions required for a user/group to perform their task. For example:
- Avoid 777 (world-writable) files/directories.
- Use 600 for sensitive files (e.g., ~/.ssh/id_rsa); OpenSSH refuses to use a private key that is readable by others.
2. Audit Permissions Regularly
Use tools like find to identify risky permissions:
# Find world-writable regular files
find / -type f -perm -0002 -ls 2>/dev/null
# Find SUID/SGID files (the parentheses group the -o so -type f applies to both)
find / -type f \( -perm -4000 -o -perm -2000 \) -ls 2>/dev/null
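The same audit in code, added here as an illustration (not from the original post), is useful when the findings have to be compared against a baseline or shipped to a SIEM. It goes a little beyond the two find commands: it also flags world-writable directories that lack the sticky bit, and it does not report an SGID file whose group execute bit is unset, because the kernel does not apply setgid in that case. The demo tree is constructed in a temporary directory; setting setuid on a file you own needs no privilege.

```python
import os
import shutil
import stat
import tempfile


def classify(mode: int) -> set:
    """Return the set of findings for one st_mode value (no filesystem access)."""
    findings = set()
    if stat.S_ISREG(mode):
        if mode & stat.S_ISUID:
            findings.add("setuid")
        # SGID without g+x is not an exec privilege, so it is not reported.
        if mode & stat.S_ISGID and mode & stat.S_IXGRP:
            findings.add("setgid")
        if mode & stat.S_IWOTH:
            findings.add("world-writable file")
    elif stat.S_ISDIR(mode):
        # /tmp-style directories are world-writable by design; the sticky bit
        # is what stops users from deleting each other's files.
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            findings.add("world-writable dir without sticky bit")
    return findings


def audit_tree(root: str):
    """Walk root without following symlinks and return sorted
    (path, finding, octal mode) triples for everything classify() flags."""
    results = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)           # lstat: never follow symlinks
            except OSError:
                continue                      # vanished or unreadable; skip it
            for finding in classify(st.st_mode):
                results.append((full, finding, format(stat.S_IMODE(st.st_mode), "04o")))
    return sorted(results)


def demo_tree():
    """Create a constructed tree in a fresh temp dir with one entry per risky
    mode, audit it, remove it, and return findings with paths relative to
    the tree root."""
    root = tempfile.mkdtemp(prefix="permaudit-")
    try:
        layout = {
            "dropbox": (True, 0o777),     # world-writable dir, no sticky bit
            "tmp": (True, 0o1777),        # world-writable but sticky, like /tmp
            "open.txt": (False, 0o666),   # world-writable file
            "safe.txt": (False, 0o644),
            "helper": (False, 0o4755),    # setuid, owned by the current user
        }
        for name, (is_dir, mode) in layout.items():
            path = os.path.join(root, name)
            if is_dir:
                os.mkdir(path)
            else:
                with open(path, "w") as f:
                    f.write("#!/bin/sh\n")
            os.chmod(path, mode)
        return [(os.path.relpath(p, root), f, m) for p, f, m in audit_tree(root)]
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, finding, mode in demo_tree():
        print(f"{mode}  {finding:40}  {path}")
```

Run audit_tree("/") as root to cover the whole system; as an unprivileged user the walk silently skips directories it cannot enter, so the result is only as complete as your own access.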
3. Secure Sensitive Directories
- /etc: Critical configs have conventional modes that the tools themselves check. /etc/passwd is 644 (world-readable, root-writable). /etc/shadow must never be world-readable (640 root:shadow on Debian-based systems, 600 or 000 on others). /etc/sudoers must be 440, owned by root; sudo refuses to run if the file has any other mode.
- /home: User directories should be 700 (or 750 if a specific group needs read access), so other users cannot browse them.
4. Restrict SUID/SGID
Only use SUID/SGID for essential tools (e.g., passwd, sudo). Remove SUID from unused binaries:
# Remove SUID from an unnecessary binary
chmod u-s /usr/bin/unused-tool
5. Use Groups for Collaboration
Instead of making files world-readable, create a shared group and restrict access to that group (e.g., chmod 750 + chgrp shared_group).
6. Monitor Permission Changes
Use auditd or inotifywait to log changes to critical files (e.g., /etc/passwd). Rules loaded with auditctl last only until reboot; put them in a file under /etc/audit/rules.d/ to make them permanent, and query the matching events with ausearch -k passwd_changes:
# Example auditd rule: log writes (w) and attribute changes such as chmod/chown (a) on /etc/passwd
auditctl -w /etc/passwd -p wa -k passwd_changes
7. Conclusion
Linux permissions are a cornerstone of system security, providing granular control over who can access and modify resources. By mastering symbolic/numeric notation, chmod/chown, and special permissions like SUID/SGID, you can prevent unauthorized access and reduce attack surfaces.
Remember: permissions should be tight by default—start with the least privilege and only grant more access when necessary. Regular audits and adherence to best practices will ensure your Linux system remains secure against evolving threats.