File Permissions and Ownership

Understanding Linux Security: Users, Groups, and Permissions
by nature Linux is a multi-user system
three types of users
  1. User (Owner) : every file is owned by a single user
    usually the one who created the file
  2. Group : users can be organized into groups
    every file is owned by a specific group
  3. Others : everyone else, public
Reading Permission Notation: rwx and Numeric Representation
the command ls -l produces a detailed listing of a folder's contents
lines are similar to
-rwxr-xr-- 1 n4jvp n4jvp 4096 Jan 27 10:00 script.sh
the first 10 characters provide the permission data
File Types
the first character provides the object type
  • - : a regular file
  • d : a folder/directory
  • l : symbolic link

Permission Triplets
remaining 9 characters are three sets of three
rwx r-x r--
  1. permissions for user/owner
    defines what the owner can do
  2. permissions for group
    defines what a group member can do
  3. permissions for others
    what others/public can do
What Do the Letters Mean
  • r (Read)
    • for a file - can open and view contents
    • for a folder/directory - can list contents
  • w (Write)
    • for a file - can modify or delete file
    • for a folder/directory - can create, delete or rename files within the folder
  • x (Execute)
    • for a file - can run as a program
    • for a folder/directory - can enter a folder/directory using cd
The Three Permission Sets: Owner, Group, and Others
n4jvp is both the file owner and a member of the powerUsers group
-r--rwx--- 1 n4jvp powerUsers 4096 Jan 27 10:00 script.sh
permissions are
r--rwx---
permissions are checked sequentially (owner, then group, then others) until a match is found
when n4jvp is the owner, the match is the owner's permission set
as the owner n4jvp can only read the file
it doesn't matter that n4jvp is also a member of the powerUsers group
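The owner-then-group-then-others rule can be checked mechanically. The script below is an added example written for these notes, not code from the original page: it takes an ls -l line (the constructed sample from this section), a user name and that user's group membership (a constructed space-separated list passed in as an argument rather than read from /etc/group) and reports which triplet applies and whether a given action is allowed.

```shell
#!/bin/sh
# Added example, not from the original notes: decide what a user may do with a file
# from one ls -l line, applying the owner -> group -> others rule (first match wins).
# Group membership is a constructed space-separated list, not read from /etc/group.

# constructed sample line, the same one used in the notes above
SAMPLE='-r--rwx--- 1 n4jvp powerUsers 4096 Jan 27 10:00 script.sh'

# triplet_for LINE USER MEMBERSHIP -> the rwx triplet that applies to USER
triplet_for() {
    perms=$(printf '%s\n' "$1" | cut -c2-10)   # the nine permission characters
    user=$2
    membership=$3
    set -- $1                                   # split the ls -l line into fields
    owner=$3
    group=$4
    if [ "$user" = "$owner" ]; then
        printf '%s\n' "$perms" | cut -c1-3      # owner matched: group perms are never consulted
    elif printf ' %s ' "$membership" | grep -q " $group "; then
        printf '%s\n' "$perms" | cut -c4-6
    else
        printf '%s\n' "$perms" | cut -c7-9
    fi
}

# can LINE USER MEMBERSHIP r|w|x -> prints yes or no
can() {
    triplet=$(triplet_for "$1" "$2" "$3")
    case $4 in
        r) pos=1 ;;
        w) pos=2 ;;
        x) pos=3 ;;
        *) echo "usage: can LINE USER MEMBERSHIP r|w|x" >&2; return 2 ;;
    esac
    if [ "$(printf '%s\n' "$triplet" | cut -c"$pos")" = "-" ]; then
        echo no
    else
        echo yes
    fi
}

# n4jvp owns the file, so the owner's r-- applies even though powerUsers has rwx
can "$SAMPLE" n4jvp "powerUsers" w      # no
can "$SAMPLE" bob   "powerUsers" w      # yes
can "$SAMPLE" carol "staff" r           # no
```

The surprising case is the first call: membership of powerUsers does not help n4jvp, because the owner triplet was matched first and the search stops there.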

The 'Root' Exception
the root user (or a user running sudo) can read, write, or execute any file on the system, regardless of the permissions
  one caveat: executing a regular file still needs at least one x bit set, even for root; root bypasses the owner/group/others checks, not the "is this a program" check

Changing Permissions: chmod with Symbolic and Numeric Modes
use chmod (Change Mode) command to change permissions
two ways to use chmod

Symbolic Mode (Human Readable)
construct a command using three parts
  1. Who are you changing?
    • u for user
    • g for group
    • o for others
    • a for all
  2. What are you doing?
    • + to add
    • - to remove
    • = to set exactly
  3. Which permission? (r, w, x)

to add execute permissions for the owner
chmod u+x <object name>
to remove write permissions for the group
chmod g-w <object name>
to add read permissions for everyone
chmod a+r <object name>
to remove all permissions for others
chmod o-rwx <object name>
Numeric Mode (Octal System)
faster as it can set all permissions at once
each permission is assigned a number
  • Read (r) =4
  • Write (w) = 2
  • Execute (x) = 1
  • No Permission (-) = 0

add numbers together to create a permission set
  • 7 = 4 + 2 + 1 (rwx)
  • 6 = 4 + 2 + 0 (rw-)
  • 5 = 4 + 0 + 1 (r-x)
  • 4 = 4 + 0 + 0 (r--)
  • 0 = 0 + 0 + 0 (---)

Permission Values
  • 777 (rwxrwxrwx) - everyone can do everything (dangerous)
  • 755 (rwxr-xr-x) - owner can do everything
    everyone else can read and execute (view and run) but not modify
    standard for programs and directories
  • 644 (rw-r--r--) - owner can read and write
    everyone else can only read
    standard for text files
  • 600 (rw-------) - owner can read and write
    everyone else is locked out
    for private keys and passwords
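Running the two chmod forms against a scratch file shows the difference between the relative symbolic operators (+ and -), the absolute symbolic operator (=) and a numeric mode. This is an added example for these notes, not code from the original page; it creates its own temporary file and reads the result back with ls -l, so nothing on the real system is changed.

```shell
#!/bin/sh
# Added example, not from the original notes: run the chmod forms described above on a
# scratch file and read the resulting permission string back with ls -l.
# The file lives in a temporary directory created here, not anywhere named in the notes.

# mode_of PATH -> the 10-character type+permission string ls -l prints
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# try_chmod START SPEC -> permission string after `chmod START` then `chmod SPEC`
# START is a numeric mode so every run begins from a known state.
try_chmod() {
    dir=$(mktemp -d) || return 1
    : > "$dir/demo"
    chmod "$1" "$dir/demo"
    chmod "$2" "$dir/demo"
    mode_of "$dir/demo"
    rm -r "$dir"
}

# symbolic mode: + and - change bits relative to what is there, = replaces a set outright
try_chmod 644 u+x          # -rwxr--r--  add execute for the owner
try_chmod 664 g-w          # -rw-r--r--  remove write for the group
try_chmod 600 a+r          # -rw-r--r--  add read for everyone
try_chmod 777 o-rwx        # -rwxrwx---  strip others entirely
try_chmod 777 u=rw,go=     # -rw-------  set exactly: owner rw, nothing for group or others

# numeric mode: sets all nine bits at once, whatever they were before
try_chmod 777 755          # -rwxr-xr-x
try_chmod 777 644          # -rw-r--r--
try_chmod 777 600          # -rw-------
```

The last symbolic line is the one worth remembering: u=rw,go= produces the same 600 as the numeric form, because = does not depend on the starting bits, whereas u+x or g-w only makes sense once you know what was there before.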

Changing Ownership: chown and chgrp
Changing Owner (chown)
syntax
sudo chown <new owner> <object name>
Changing Group (chgrp)
syntax
sudo chgrp <new group> <object name>
Combining the chown and chgrp
can change both the user and the group at the same time using chown with a colon separator
syntax
sudo chown <user>:<group> <filename>
example
sudo chown anna:finance budget.xls
Recursive Ownership
to change ownership of all files in a folder use the Recursive -R flag
sudo chown -R anna:marketing /opt/marketing_materials
Special Permissions: SUID, SGID, and Sticky Bit
beyond the standard rwx, there are three 'Special' permission bits used for specific security scenarios

SUID (Set User ID)
the SUID bit makes the program run with the privileges of the file's owner rather than of the user who launched it
for a root-owned binary this means it temporarily executes with root privileges
  • Notation shows up as an s in the User execute spot
    -rwsr-xr-x
  • Numeric adds 4000 to the permission mode
    4755

SGID (Set Group ID)
used mostly on directories for collaboration
normally when a file is created, it takes the user's default group
setting the SGID bit on a directory makes any file created in the directory inherit the directory's group
  • Notation shows up as an s in the Group execute spot
    -rwxr-sr-x
  • Numeric adds 2000 to the permission mode
    2755
The Sticky Bit
used for shared temporary directories
if users have write permission on the directory, anyone can delete any file in it
the sticky bit adds a rule so only the file's owner (or the directory's owner, or root) can delete or rename it
  • Notation shows up as a t in the everyone execute spot
    -rwxrwxrwt
  • Numeric adds 1000 to the permission mode
    1755
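The numeric mode and the ls -l string are two spellings of the same bits, and the special bits only add a fourth digit in front and a letter in the execute slots. The converter below is an added example for these notes (it serves both the Numeric Mode section and the SUID/SGID/sticky section), not code from the original page; it is plain POSIX shell arithmetic and handles the uppercase S and T that ls shows when a special bit is set without the matching execute bit.

```shell
#!/bin/sh
# Added example, not from the original notes: convert between the numeric mode (with the
# optional leading 4/2/1 digit for SUID/SGID/sticky) and the nine-character string ls -l
# shows, including the s/S and t/T letters that replace the execute slot.

# digit_to_rwx DIGIT -> rwx text for one octal digit (4 read, 2 write, 1 execute)
digit_to_rwx() {
    r=-; w=-; x=-
    [ $(( $1 & 4 )) -ne 0 ] && r=r
    [ $(( $1 & 2 )) -ne 0 ] && w=w
    [ $(( $1 & 1 )) -ne 0 ] && x=x
    printf '%s%s%s' "$r" "$w" "$x"
}

# mark TRIPLET LOWER UPPER -> TRIPLET with its execute slot replaced:
# LOWER when execute was set (s or t), UPPER when it was not (S or T, usually a mistake)
mark() {
    case $1 in
        *x) printf '%s%s' "$(printf '%s' "$1" | cut -c1-2)" "$2" ;;
        *)  printf '%s%s' "$(printf '%s' "$1" | cut -c1-2)" "$3" ;;
    esac
}

# mode_to_string MODE -> e.g. 4755 -> rwsr-xr-x, 1777 -> rwxrwxrwt
mode_to_string() {
    m=$(( 0$1 ))                              # leading 0 forces octal in POSIX sh arithmetic
    special=$(( (m >> 9) & 7 ))
    u=$(digit_to_rwx $(( (m >> 6) & 7 )))
    g=$(digit_to_rwx $(( (m >> 3) & 7 )))
    o=$(digit_to_rwx $(( m & 7 )))
    [ $(( special & 4 )) -ne 0 ] && u=$(mark "$u" s S)   # SUID lives in the owner slot
    [ $(( special & 2 )) -ne 0 ] && g=$(mark "$g" s S)   # SGID in the group slot
    [ $(( special & 1 )) -ne 0 ] && o=$(mark "$o" t T)   # sticky in the others slot
    printf '%s%s%s\n' "$u" "$g" "$o"
}

# string_to_mode STRING -> the nine characters back to a numeric mode, e.g. rwsr-xr-x -> 4755
string_to_mode() {
    m=0; special=0; i=1
    while [ "$i" -le 9 ]; do
        c=$(printf '%s' "$1" | cut -c"$i")
        m=$(( m << 1 ))
        case $c in r|w|x|s|t) m=$(( m | 1 )) ;; esac   # lowercase letters mean the bit is set
        case $i in
            3) case $c in s|S) special=$(( special | 4 )) ;; esac ;;
            6) case $c in s|S) special=$(( special | 2 )) ;; esac ;;
            9) case $c in t|T) special=$(( special | 1 )) ;; esac ;;
        esac
        i=$(( i + 1 ))
    done
    printf '%o\n' $(( (special << 9) | m ))
}

mode_to_string 4755        # rwsr-xr-x
mode_to_string 2755        # rwxr-sr-x
mode_to_string 1777        # rwxrwxrwt
mode_to_string 4644        # rwSr--r--  SUID without owner execute: the bit is set but useless
string_to_mode rwsr-xr-x   # 4755
```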
Understanding umask and Default Permissions
touch sets default permissions as 644 (rw-r--r--)
this is determined by the umask (User File Creation Mode Mask)
numeric block for a file's full permissions is 666
numeric block for a directory's full permissions is 777
umask is a cookie cutter which removes permissions from a numeric block
default umask in most distributions is 022
subtracting umask from full block yields 644 (rw-r--r--)
  strictly the umask bits are cleared rather than subtracted, which matters when a masked bit is not in the block: a file under umask 033 is still 644, not 633

Checking the umask Value
enter 'umask' in the terminal
in my Ubuntu install the response was
0002
others can only read the files in the directory

Changing the umask Value
quote from the text
If you want all your new files to be private by default, you can set your umask to 077
 666 - 077 = 600 (Read/Write for User, nothing for anyone else)
 You can add the line umask 077 to your shell configuration file (.bashrc) to make this permanent
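The arithmetic in these two sections can be checked directly in the shell. The script below is an added example for these notes, not code from the original page or the quoted text: default_mode applies a umask the way the kernel does (clearing bits), subtract_mode shows what plain octal subtraction would give instead, and observed_mode creates a probe file in a throwaway directory under a given umask and reads the real result back with ls -l.

```shell
#!/bin/sh
# Added example, not from the original notes: work out the permissions a new file or
# directory receives for a given umask. The kernel clears the umask bits (AND NOT); it
# does not subtract, and the two disagree whenever the mask names a bit the base lacks.

# default_mode BASE UMASK -> octal mode after the mask is applied, e.g. 666 022 -> 644
default_mode() {
    printf '%o\n' $(( 0$1 & ~0$2 ))         # leading 0 makes sh read the values as octal
}

# subtract_mode BASE UMASK -> what plain octal subtraction would give, for comparison
subtract_mode() {
    printf '%o\n' $(( 0$1 - 0$2 ))
}

# observed_mode UMASK -> the permission string a new file actually gets under that umask;
# the umask is changed only inside a subshell, so the caller's umask is untouched
observed_mode() {
    dir=$(mktemp -d) || return 1
    ( umask "$1" && : > "$dir/probe" )
    ls -l "$dir/probe" | cut -c2-10
    rm -r "$dir"
}

default_mode 666 022     # 644  the notes' default for files
default_mode 777 022     # 755  the default for directories
default_mode 666 077     # 600  private files, as in the quoted text
default_mode 666 033     # 644  the x bits were never in 666, so nothing more is removed
subtract_mode 666 033    # 633  subtraction would wrongly drop read for group and others
observed_mode 077        # rw-------
observed_mode 022        # rw-r--r--
```

The 033 line is the reason to think of umask as a mask rather than a subtraction: a mask can only take away bits that are present, so a umask digit of 3 on a file (where the execute bit is never offered) behaves exactly like a 2.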
Practical Permission Scenarios and Security Best Practices
Real World Scenario: The Web Server
website HTML files are in /var/www/html
  • Directories - use 755 (drwxr-xr-x)
    owner can write
    world can enter and list
  • Files - use 644 (-rw-r--r--)
    owner can write
    world can read
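Applying that layout by hand to every file under a document root does not scale, and it is also the step where 777 usually creeps in. The script below is an added example for these notes, not code from the original page: harden_webroot sets every directory to 755 and every file to 644 with find, list_deviations reports anything that still differs, and the demo builds a constructed tree in a temporary directory (not /var/www/html) to show the before and after.

```shell
#!/bin/sh
# Added example, not from the original notes: apply the web server layout above (755 for
# directories, 644 for files) to a document root and list anything that still deviates.
# ROOT is a parameter; the demo builds a constructed tree in a temporary directory
# rather than touching /var/www/html.

# harden_webroot ROOT -> directories 755, files 644, walking the whole tree
harden_webroot() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# list_deviations ROOT -> paths whose mode is not exactly 755 (dir) or 644 (file)
list_deviations() {
    find "$1" -type d ! -perm 755 -o -type f ! -perm 644
}

# count_world_writable ROOT -> how many entries anyone on the system can write to
count_world_writable() {
    find "$1" -perm -0002 | wc -l | tr -d ' '
}

# demo -> "world-writable-before deviations-before deviations-after" for a constructed tree
demo() {
    root=$(mktemp -d) || return 1             # mktemp -d creates the root as 700
    mkdir "$root/css"
    : > "$root/index.html"
    : > "$root/css/site.css"
    chmod 777 "$root/css" "$root/index.html" # sloppy: world-writable
    chmod 600 "$root/css/site.css"           # too tight: the web server user cannot read it
    ww_before=$(count_world_writable "$root")
    dev_before=$(list_deviations "$root" | wc -l | tr -d ' ')
    harden_webroot "$root"
    dev_after=$(list_deviations "$root" | wc -l | tr -d ' ')
    rm -r "$root"
    printf '%s %s %s\n' "$ww_before" "$dev_before" "$dev_after"
}

demo     # 2 4 0
```

Two details are deliberate: directories and files are handled by separate find runs, because a blanket chmod -R 644 would strip the x bit that directories need to be entered, and list_deviations catches files that are too tight (the 600 stylesheet) as well as too loose, since both break a web site.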

Real World Scenario: The Private SSH Key
SSH - Secure SHell protocol
key file is 'id_rsa'
SSH doesn't work because the key is 'too open'
SSH requires private keys accessible only by the owner
chmod 600 id_rsa
Real World Scenario: The Un-runnable Script
python script hello.py generates a Permission Denied error
by default files are not executable
explicitly grant execute permission
chmod +x hello.py
or
chmod 755 hello.py
Real World Scenario: The Locked Folder
have Read permission but can't Execute (x) on the folder
Execute is the ability to enter
resolve with command
chmod u+x <folder name>
Security Best Practices
  1. Principle of Least Privilege - always give the minimum permissions necessary
    if a file only needs to be read, do not give it write permission
    if only you need to see it, do not give the group access
  2. Avoid 777 - security hole
  3. Audit Regularly - use ls -l regularly
    your own directories should not contain stray root-owned files
    fix ownership with chown
  4. Keep Groups Clean - only add users who genuinely need access
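The "Audit Regularly" point is easier to keep if the ls -l check is scripted. The following is an added example for these notes, not code from the original page: it walks a tree with find and reports the three things a reviewer looks for first, namely world-writable entries, entries not owned by the expected user, and files carrying the SUID or SGID bit. The tree in the demo is constructed in a temporary directory, and the expected owner is whoever runs the script.

```shell
#!/bin/sh
# Added example, not from the original notes: a small ownership and permission audit for
# the "Audit Regularly" best practice. Reports world-writable entries, entries not owned
# by the expected user, and SUID/SGID files. The demo tree is constructed in a temp dir.

# find_world_writable ROOT -> entries others can write to (symlinks skipped: their mode is not meaningful)
find_world_writable() {
    find "$1" ! -type l -perm -0002
}

# find_unexpected_owner ROOT USER -> entries not owned by USER
find_unexpected_owner() {
    find "$1" ! -user "$2"
}

# find_setid ROOT -> regular files with SUID (4000) or SGID (2000) set
find_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \)
}

# audit_summary ROOT USER -> counts as "world-writable unexpected-owner setid"
audit_summary() {
    a=$(find_world_writable "$1" | wc -l | tr -d ' ')
    b=$(find_unexpected_owner "$1" "$2" | wc -l | tr -d ' ')
    c=$(find_setid "$1" | wc -l | tr -d ' ')
    printf '%s %s %s\n' "$a" "$b" "$c"
}

# demo -> summary for a constructed tree: one 777 file, one SUID file, one sane 644 file
demo() {
    root=$(mktemp -d) || return 1
    : > "$root/notes.txt";  chmod 644  "$root/notes.txt"
    : > "$root/shared.log"; chmod 777  "$root/shared.log"     # world-writable
    : > "$root/tool";       chmod 4755 "$root/tool"           # SUID set
    audit_summary "$root" "$(id -un)"   # the running user created everything, so owners all match
    rm -r "$root"
}

demo     # 1 0 1
```

In real use the ROOT would be a home directory or an application tree and USER the account that is supposed to own it; any output from find_unexpected_owner is the case the notes describe, a root-owned file left behind by a sudo session, and chown is the fix.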

Summary
covered
  • User, Group, Other
  • Read (4), Write (2), Execute (1)
  • chmod to change permissions, chown to change owners
  • 755 allows public access and 600 ensures privacy
  • SUID, SGID, Sticky Bits

key points
  • ls -l displays the 10-character permission string (e.g., -rwxr-xr-x)
  • rwx - Read (4), Write (2), Execute (1)
  • Directory Execute - need x permission on a directory to cd into it
  • chmod - changes permissions
    examples: chmod +x file, chmod 755 file
  • chown - changes ownership
    example: sudo chown user:group file
  • 777 - dangerous
  • root - superuser, ignores all permission checks