Unix Permissions
Adapted, with permission, from the Data Security and Ethics lecture materials by Martin Lester (University of Reading).
Unix/Linux File Permissions
Unix-like systems use a permission model to control access to:
- Files (text, binaries, scripts)
- Directories
- Devices
- Other system resources
Core principle:
- Every access decision based on user identity and permission bits
Three Permission Types
| Permission | Files | Directories |
|---|---|---|
| Read (r) | Read contents | List filenames |
| Write (w) | Modify contents | Create/delete files |
| Execute (x) | Run as program | Access contents |
Legend:
- r = read
- w = write/modify
- x = execute/traverse
- - = permission not granted
Three Classes of Users
- Owner (u)
  - User who created the file
  - Usually has full control
- Group (g)
  - Users belonging to file's group
  - Shared permissions for team access
- Others (o)
  - All other users on the system
  - Most restrictive permissions
Reading Permissions: ls -l
Example output:
```
-rwxr-xr-- 1 alice staff 1234 Jun 30 10:00 script.sh
```
Breakdown:
| Position | Meaning | Value |
|---|---|---|
| 1 | File type | `-` (regular file) |
| 2-4 | Owner (alice) | `rwx` |
| 5-7 | Group (staff) | `r-x` |
| 8-10 | Others | `r--` |
Numeric (Octal) Permissions
Each permission type has a numeric value:
| Permission | Value |
|---|---|
| Read (r) | 4 |
| Write (w) | 2 |
| Execute (x) | 1 |
Sum values for combination:
- rwx = 4 + 2 + 1 = 7
- r-x = 4 + 0 + 1 = 5
- r-- = 4 + 0 + 0 = 4
Example: chmod 754 script.sh
- Owner: 7 (rwx)
- Group: 5 (r-x)
- Others: 4 (r--)
Common Permission Setups
| Command | Result | Use Case |
|---|---|---|
| `chmod 644 file` | `rw-r--r--` | Config files, docs |
| `chmod 755 file` | `rwxr-xr-x` | Public scripts, binaries |
Changing Ownership
chown: Change file owner
```bash
# Change owner to bob
sudo chown bob file.txt
# Change owner and group
sudo chown bob:developers file.txt
# Recursive (all files in directory)
sudo chown -R bob:developers /project/
```
Requires appropriate privileges (usually sudo)
Changing Permissions
chmod: Change file mode (permissions)
```bash
# Symbolic mode
chmod u+x script.sh   # add execute for owner
chmod g-w file.txt    # remove write for group
chmod o=r file.txt    # set others to read-only
chmod a+r file.txt    # add read for all
# Numeric mode
chmod 755 script.sh   # rwxr-xr-x
chmod 600 key.pem     # rw-------
```
Special Permissions
Set User ID (SUID) - 4000
```bash
chmod u+s program
```
- Program runs with owner's privileges
- Example: /usr/bin/passwd (needs to modify /etc/shadow)
Set Group ID (SGID) - 2000
```bash
chmod g+s directory
```
- New files inherit directory's group
- Useful for shared directories
Special Permissions: Sticky Bit
```bash
chmod +t /tmp
```
- Only file owner can delete/rename their files
- Used on world-writable directories (/tmp, /var/tmp)
- Prevents users from deleting each other's files
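Decoding an `ls -l` mode string into its octal form, special bits included, shown as an added example that is not part of the original slides. `sym_to_octal` is a hypothetical helper name; the first call uses the `script.sh` line from the `ls -l` example, the other inputs are constructed.

```bash
# sym_to_octal MODE -> four octal digits: special digit, then owner/group/others
sym_to_octal() {
    # GNU ls may append '.' (SELinux context) or '+' (ACL), macOS '@'; drop it
    mode=${1%[.+@]}
    # Validate: type char, then three triads; s/S and t/T only where they are legal
    case $mode in
        ?[r-][w-][xsS-][r-][w-][xsS-][r-][w-][xtT-]) ;;
        *) echo "invalid mode string: $mode" >&2; return 1 ;;
    esac
    rest=${mode#?}              # drop the file-type character
    perm=0; special=0; i=0
    while [ -n "$rest" ]; do
        tail=${rest#?}
        c=${rest%"$tail"}       # first remaining character
        rest=$tail
        bit=$(( 1 << (8 - i) )) # 0400 at position 0 down to 0001 at position 8
        flag=$(( 4 >> (i / 3) )) # 4 = SUID, 2 = SGID, 1 = sticky
        case $c in
            r|w|x) perm=$(( perm | bit )) ;;
            s|t)   perm=$(( perm | bit )); special=$(( special | flag )) ;;
            S|T)   special=$(( special | flag )) ;;  # special bit set, execute bit not set
        esac
        i=$(( i + 1 ))
    done
    printf '%o%03o\n' "$special" "$perm"
}

sym_to_octal '-rwxr-xr--'    # 0754 (script.sh above)
sym_to_octal '-rwsr-xr-x'    # 4755 (SUID)
sym_to_octal 'drwxrwsr-x'    # 2775 (SGID directory)
sym_to_octal 'drwxrwxrwt'    # 1777 (sticky, like /tmp)
sym_to_octal '-rwSr--r--'    # 4644 (SUID without execute)
```

A capital `S` or `T` in a listing means the special bit is set while the matching execute bit is not.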
Directory Permissions
Directories require execute permission to access contents:
| Permission | Effect |
|---|---|
| `r--` | List filenames (ls) |
| `r-x` | List + access files if name known |
| `-wx` | Access files but no listing |
| `rwx` | Full access |
Example:
```bash
# Prevent others from listing directory
chmod o-rwx private_dir
```
Default Permissions (umask)
umask controls default permissions for new files:
```bash
# View current umask
umask
# Set umask for current session
umask 077
```
Default file creation:
- Max permissions: 666 for files, 777 for directories
- Actual = Max - umask
- umask 022: files get 644, dirs get 755
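The subtraction shorthand gives the right answer for 022 and 077, but in general the umask bits are cleared from the maximum rather than subtracted: with umask 033 a new file gets 644, not 633. The added example below (not from the original slides; `effective_mode` and `created_mode` are hypothetical helper names) computes the mask and checks it against files and directories actually created.

```bash
# effective_mode BASE UMASK -> BASE with every bit that is set in UMASK cleared
effective_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# created_mode UMASK [dir] -> octal mode of a file (or directory) really created
# under that umask, inside a throwaway temp directory
created_mode() {
    (
        dir=$(mktemp -d) || exit 1
        umask "$1"
        if [ "$2" = dir ]; then
            mkdir "$dir/new"        # mkdir requests 0777
        else
            : > "$dir/new"          # the shell requests 0666
        fi
        # GNU stat first, BSD/macOS stat as fallback
        stat -c '%a' "$dir/new" 2>/dev/null || stat -f '%Lp' "$dir/new"
        rm -rf "$dir"
    )
}

for m in 022 077 027 033; do
    printf 'umask %s: file %s (computed %s), dir %s (computed %s)\n' "$m" \
        "$(created_mode "$m")"     "$(effective_mode 666 "$m")" \
        "$(created_mode "$m" dir)" "$(effective_mode 777 "$m")"
done
```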
Permission Pitfalls
Common mistakes:
- World-writable files
  - chmod 777 script.sh
  - Any user can modify
- SUID on custom scripts
  - High privilege escalation risk
  - Should only be on trusted system binaries
- Directory with write + sticky bit missing
  - Users can delete each other's files in shared dir
- Incorrect umask
  - umask 000: new files readable by everyone
Security Best Practices
- Principle of least privilege
  - Grant minimum permissions needed
  - 600 for private keys, not 644
- Audit permissions regularly
```bash
# Find world-writable files
find / -perm -o+w -type f 2>/dev/null
# Find SUID/SGID binaries
find / \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null
# Find files whose owner or group no longer exists
find / -nouser -o -nogroup 2>/dev/null
```
- Use groups for collaboration
```bash
# Create shared group
sudo groupadd developers
# Add users to group
sudo usermod -aG developers alice
# Set directory group ownership
sudo chown :developers /project/
sudo chmod 770 /project/
```
- Avoid running as root
  - Use sudo only when necessary
  - Never leave root shell open
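An added example, not part of the original slides, that runs the audit against a constructed directory tree containing three of the pitfalls listed earlier, including the world-writable directory without a sticky bit. `audit_tree`, `make_fixture` and all file names are hypothetical.

```bash
# audit_tree DIR -> one "FINDING path" line per problem found under DIR
audit_tree() {
    root=$1
    # Files any user can modify
    find "$root" -type f -perm -0002 \
        -exec printf 'WORLD_WRITABLE_FILE %s\n' {} \;
    # Files that run with their owner's or group's privileges
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec printf 'SUID_SGID %s\n' {} \;
    # Shared directories where users can delete each other's files
    find "$root" -type d -perm -0002 ! -perm -1000 \
        -exec printf 'NO_STICKY_DIR %s\n' {} \;
}

# make_fixture -> path of a temp tree with known-good and known-bad modes (constructed data)
make_fixture() {
    d=$(mktemp -d) || return 1
    mkdir "$d/shared" "$d/tmp_ok" "$d/private"
    : > "$d/script.sh"; chmod 777  "$d/script.sh"   # pitfall: world-writable file
    : > "$d/helper";    chmod 4755 "$d/helper"      # pitfall: SUID on a custom program
    : > "$d/config";    chmod 644  "$d/config"      # fine
    : > "$d/key.pem";   chmod 600  "$d/key.pem"     # fine
    chmod 777  "$d/shared"                          # pitfall: no sticky bit
    chmod 1777 "$d/tmp_ok"                          # fine: sticky bit set
    chmod 700  "$d/private"                         # fine
    printf '%s\n' "$d"
}

fixture=$(make_fixture) && audit_tree "$fixture"
rm -rf "$fixture"
```

On a real system, point `audit_tree` at the directory of interest and review each SUID/SGID hit against the list of binaries the distribution ships with those bits.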
Real-World Permission Issues
- Incorrect permissions on config files
  - /etc/shadow readable by non-root = critical breach
  - Web server config readable = credential exposure
- World-writable web directories
  - Attackers upload PHP shells
  - Complete server compromise
- SUID binary exploitation
  - Custom SUID programs = privilege escalation vector
  - Buffer overflow in SUID binary = root access
Permission Auditing Tools
- ls: basic permission viewing
- stat: detailed file info including permissions
- getfacl/setfacl: Access Control Lists (ACLs)
  - Extend beyond owner/group/others
  - Fine-grained per-user permissions
Example ACL:
```bash
# Give user bob read access to file
setfacl -m u:bob:r file.txt
# View ACLs
getfacl file.txt
```
ACLs: Extending Basic Permissions
Access Control Lists add per-user/per-group permissions:
```bash
# Set ACL for specific user
setfacl -m u:alice:rw file.txt
# Set ACL for specific group
setfacl -m g:developers:rx /project/
# Set default ACL (inherited by new files)
setfacl -d -m g:developers:rwx /project/
```
View ACLs:
```bash
getfacl file.txt
```
Unix Permissions in Security Context
- Defence in depth layer
- Prevents unauthorised access even if other controls fail
- Part of system hardening
Key areas:
- Web server file permissions
- Database file protection
- SSH key permissions (chmod 600 ~/.ssh/id_rsa)
- Log file permissions (prevent tampering)
- Cron job file permissions
Interaction with Other Security Controls
Permissions work with other controls:
| Control | Relationship |
|---|---|
| User authentication | Verified identity |
| Firewalls | Network access control |
| Encryption | Data at rest protection |
| Permissions | Resource access control |
| SELinux/AppArmor | Mandatory access control |
Ethical Considerations
- System administrators' duty to configure appropriate permissions
- Developers' responsibility to request least privilege
- Auditing permissions in shared environments
- Privacy implications of overly permissive file access
- Balancing security with usability
Summary
- Unix permissions: owner, group, others (u,g,o)
- Three types: read (r), write (w), execute (x)
- Symbolic and numeric modes
- Special permissions: SUID, SGID, sticky bit
- ACLs extend basic model
- Security: least privilege, regular auditing
Further Reading
- man chmod, man chown, man umask
- man getfacl, man setfacl
- OWASP: Secure Coding Practices
- CIS Benchmarks for Linux/Unix hardening