UNIX/Linux base file permissions

UNIX/Linux File Permissions

When listing a file or directory on UNIX in detailed view, you'll see its permissions and owner:

[root@aix01]/root# ls -lsa
   0 drwxr-x---    2 root     system          256 Aug 16 16:56 bar

The table below gives the number for each permission type of a file or directory (read = 4, write = 2, execute = 1; a permission digit is the sum of the bits that are set).

Number  Octal permission representation                            Symbol
0       No permission                                              ---
1       Execute                                                    --x
2       Write                                                      -w-
3       Execute and write: 1 (execute) + 2 (write) = 3             -wx
4       Read                                                       r--
5       Read and execute: 4 (read) + 1 (execute) = 5               r-x
6       Read and write: 4 (read) + 2 (write) = 6                   rw-
7       All permissions: 4 (read) + 2 (write) + 1 (execute) = 7    rwx

There are two ways to change UNIX permissions:

Adding or removing rights (symbolic mode)

$ chmod u-x,g=rx,o+wx testfile
$ ls -l testfile
-rw-r-xrwx  1 user01  users 1024  Nov 2 00:10  testfile

Using absolute permissions (octal mode)

$ chmod 657 testfile
$ ls -l testfile
-rw-r-xrwx  1 user01  users 1024  Nov 2 00:10  testfile

Special permission: setuid, setgid, and the Sticky Bit

Setuid, setgid, and the sticky bit can be tough for new and aspiring Linux admins to understand. It's easy enough to do a web search for the basic definitions:

  • setuid: a bit that makes an executable run with the privileges of the owner of the file
  • setgid: a bit that makes an executable run with the privileges of the group of the file
  • sticky bit: a bit set on directories so that only the owner of a file (or root) can delete that file or subdirectory

user +s

setuid example

A non-root user is not able to edit the password file, yet every user can change their own password. This works because the setuid bit is set on the executable passwd: whoever runs it, the passwd command executes as root, the owner of the program file.

[root@srvadm01]/root# ll /etc/security/passwd
   4 -rw-------    1 root     system         1505 Jun 06 13:42 /etc/security/passwd

[root@srvadm01]/root# ll /usr/bin/passwd
  44 -r-sr-xr-x    1 root     security      44959 Feb 25 2022  /usr/bin/passwd

group +s

This special permission has two functions:

  • If set on a file, it allows the file to be executed as the group that owns the file (similar to SUID)
  • If set on a directory, any files created in the directory will have their group ownership set to the group of the directory

other + t (sticky)

This permission does not affect individual files. However, at the directory level, it restricts file deletion: only the owner of a file (and root) can remove that file from the directory, even if the directory itself is writable by everyone.

Setting special permissions

There are two ways to set special permissions:

  • Symbolic method:

[root@srvadm01]/root# chmod g+s community_content/

  • Numerical method: pass a fourth, leading digit in the chmod command. The digit is calculated like the standard permission digits:

  Start at 0
  SUID = 4
  SGID = 2
  Sticky = 1

The syntax is:

chmod X### file | directory

Where X is the special permissions digit.

Here is the command to set SGID on community_content using the numerical method:

[root@srvadm01]/root# chmod 2770 community_content/
[root@srvadm01]/root# ls -ld community_content/
drwxrws---. 2 user01  staff 113 Apr  7 11:32 community_content/
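To tie the octal table, the two chmod examples and the special-permission digit together, here is an added shell example (it is not code from the original page): a POSIX sh function that converts an ls -l mode string such as drwxrws--- into the four-digit octal value chmod accepts, plus a mode_of helper that reads the mode of a real file through ls -ld. The function names and the scratch files the demo creates are assumptions of the example.

```shell
#!/bin/sh
# Added example (not part of the original page): convert an ls-style mode string such as
# "drwxrws---" or "-r-sr-xr-x" into the four-digit octal value that chmod accepts, using
# the same arithmetic as the table above (r=4, w=2, x=1) plus the leading special digit
# (setuid=4, setgid=2, sticky=1). mode_of then checks the result against real files.

# mode_string_to_octal MODE
#   MODE is either the 9-character rwx string or the 10-character first field of
#   "ls -l" (file-type character followed by the 9 permission characters).
#   Prints e.g. "2770". An upper-case S or T means the special bit is set but the
#   matching execute bit is not.
mode_string_to_octal() {
    m=$1
    case ${#m} in
        10) m=${m#?} ;;   # drop the file-type character (d, -, l, ...)
        9)  ;;
        *)  printf 'bad mode string: %s\n' "$1" >&2; return 1 ;;
    esac
    special=0 digits='' pos=1
    while [ "$pos" -le 9 ]; do          # one rwx triplet per iteration
        r=$(printf '%s' "$m" | cut -c "$pos")
        w=$(printf '%s' "$m" | cut -c $((pos + 1)))
        x=$(printf '%s' "$m" | cut -c $((pos + 2)))
        v=0
        [ "$r" = r ] && v=$((v + 4))
        [ "$w" = w ] && v=$((v + 2))
        case $x in
            x|s|t) v=$((v + 1)) ;;      # lower-case s/t: the execute bit is set too
        esac
        case "$pos$x" in                # which special bit depends on the triplet
            1s|1S) special=$((special + 4)) ;;   # setuid lives in the user triplet
            4s|4S) special=$((special + 2)) ;;   # setgid lives in the group triplet
            7t|7T) special=$((special + 1)) ;;   # sticky lives in the other triplet
        esac
        digits="$digits$v"
        pos=$((pos + 3))
    done
    printf '%s%s\n' "$special" "$digits"
}

# mode_of PATH: read the permissions of a real file through "ls -ld", which is
# portable across GNU, BSD and AIX (stat's option names differ between them).
mode_of() {
    mode_string_to_octal "$(ls -ld "$1" | cut -c 1-10)"
}

# Demo on constructed files in a scratch directory, mirroring the page's examples.
demo() {
    scratch=$(mktemp -d)
    touch "$scratch/testfile" "$scratch/testfile2"
    chmod 755 "$scratch/testfile"
    chmod u-x,g=rx,o+wx "$scratch/testfile"   # symbolic, starting from rwxr-xr-x
    chmod 657 "$scratch/testfile2"            # absolute: the same permissions
    mkdir "$scratch/community_content"
    chmod 2770 "$scratch/community_content"   # setgid on a directory
    printf 'symbolic  : %s\nabsolute  : %s\nsetgid dir: %s\n' \
        "$(mode_of "$scratch/testfile")" "$(mode_of "$scratch/testfile2")" \
        "$(mode_of "$scratch/community_content")"
    rm -rf "$scratch"
}
demo
```

Run it with sh; the demo prints 0657 for both files (the symbolic and absolute chmod calls produce the same mode) and 2770 for the directory. Going through ls -ld rather than stat is a deliberate choice: the same script then works on the AIX hosts shown in the listings above as well as on Linux.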

Listing all files with the setuid or setgid bit set, and all directories with the sticky bit

[root@srvadm01]/root# find / -perm /6000 -type f
[root@srvadm01]/root# find / -type d -perm -1000 -exec ls -ld {} \;
drwxrwxrwt    1 root     system            7 Aug 16 15:06 /aha
drwxrwxrwt    1 root     system            3 Aug 16 15:06 /aha/mem
drwxr----t    3 oracle   dba             256 Apr 11 2022  /opt/admindev/oracle/product/19.5.0.0.191015-171/suptools/release/diag/tfa/tfactl
drwxr----T    2 oracle   dba             256 Apr 11 2022  /opt/admindev/oracle/product/19.5.0.0.191015-171/suptools/release/diag/tfa/tfactl/user_oracle/alert
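The find commands above are one-shot checks. As an added example (not from the original page), the POSIX sh script below turns them into a repeatable audit: it stores a baseline of setuid/setgid files, reports any that appear afterwards, and lists world-writable directories that lack the sticky bit (where any user could delete other users' files). The function names, the scratch tree it builds and its file names are constructed for the example; it uses "-perm -4000 -o -perm -2000" instead of GNU's "-perm /6000" so the expression also works with the AIX and BSD versions of find.

```shell
#!/bin/sh
# Added example (not part of the original page): audit helpers built on the find
# commands above. Baseline the setuid/setgid files under a tree, report newcomers,
# and flag world-writable directories without the sticky bit.

# list_suid_sgid ROOT: every regular file under ROOT with setuid or setgid set, sorted
list_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | LC_ALL=C sort
}

# save_baseline ROOT BASELINE_FILE: record the current set of setuid/setgid files
save_baseline() {
    list_suid_sgid "$1" > "$2"
}

# new_since_baseline BASELINE_FILE ROOT: print files that are setuid/setgid now but
# were not in the baseline; returns 1 if there are any, 0 if the set is unchanged
new_since_baseline() {
    current=$(mktemp)
    list_suid_sgid "$2" > "$current"
    added=$(LC_ALL=C comm -13 "$1" "$current")   # lines present only in the current list
    rm -f "$current"
    if [ -n "$added" ]; then
        printf '%s\n' "$added"
        return 1
    fi
    return 0
}

# world_writable_without_sticky ROOT: directories anyone can write to but where the
# sticky bit is missing, so any user could remove files that belong to others
world_writable_without_sticky() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print 2>/dev/null | LC_ALL=C sort
}

# Demo on a constructed scratch tree (no real system paths are touched).
demo() {
    scratch=$(mktemp -d)
    baseline=$(mktemp)
    touch "$scratch/bin_a" "$scratch/bin_b"
    chmod 4755 "$scratch/bin_a"
    chmod 755 "$scratch/bin_b"
    mkdir "$scratch/shared"
    chmod 777 "$scratch/shared"                  # world-writable, no sticky bit
    save_baseline "$scratch" "$baseline"
    echo "baseline:"; cat "$baseline"
    chmod 2755 "$scratch/bin_b"                  # simulate a new setgid binary appearing
    echo "new since baseline:"
    new_since_baseline "$baseline" "$scratch" || true
    echo "world-writable dirs without sticky bit:"
    world_writable_without_sticky "$scratch"
    rm -rf "$scratch" "$baseline"
}
demo
```

In practice the baseline is taken right after installation and stored outside the audited host; a non-zero return from new_since_baseline on a later run is the signal worth investigating, since a newly setuid binary is not something routine package updates silently add.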
unix/file_permissions.1692258039.txt.gz · Last modified: 2023/08/17 09:40 by manu