Although Linux-based systems already have many good security features built in, one important vulnerability can arise once local access is granted: file-permission problems caused by a user not assigning the correct permissions to files and directories. Given the need for proper permissions, I will go over the ways to assign them and show some examples where a change may be necessary.
Basic File Permissions
Every file on your Linux system, including directories, is owned by a specific user and group, and its permissions are defined separately for the owner, the group, and everyone else.
Each file and directory has three user based permission groups:
- Owner – The Owner permissions apply only to the owner of the file or directory; they do not affect the actions of other users. By default, the user who creates a file becomes its owner.
- Group – The Group permissions apply only to the group assigned to the file or directory; they do not affect the actions of other users. This is useful if, for example, you have a project that requires several different users to access certain files while everyone else cannot. In that case, you add all those users to the same group, make sure the required files are owned by that group, and set the files' group permissions accordingly.
- Other (all users) – Any user who is neither the owner of the file nor a member of the file's group. In other words, permissions set for the "other" category affect everyone else by default. For this reason, people often talk about setting the "world" permission bits when they mean setting the permissions for "other." This is the permission group you need to watch the most.
Each file or directory has three basic permission modes (types):
- Read (r) – The Read permission refers to a user’s capability to read the contents of the file.
- Write (w) – The Write permission refers to a user's capability to write to or modify a file or directory.
- Execute (x) – The Execute permission affects a user's capability to run a file or access the contents of a directory.
However, these three modes mean different things for a file and for a directory:
Read mode permissions
- Read access on a file allows you to view the file's contents
- Read access on a directory allows you to list the directory's contents with the ls command
Write mode permissions
- Write access on a file allows you to write to the file
- Write access on a directory allows you to add or remove files in that directory
Execute mode permissions
- Execute access on a file allows you to run the program or script
- Execute access on a directory allows you to access the files in the directory
Octal numbers and permissions
You can use octal numbers to represent a mode (permission set):
Read (r): 4; Write (w): 2; Execute (x): 1
For example, for the file owner you can work out the octal mode as follows. Read, write and execute (full) permission on a file in octal is
0+r+w+x = 0+4+2+1 = 7
Only read and write permission on a file in octal is
0+r+w+x = 0+4+2+0 = 6
Only read and execute permission on a file in octal is
0+r+w+x = 0+4+0+1 = 5
Use the method above to calculate the permissions for group and others. Say you wish to give full permission to the owner, read & execute permission to the group, and read-only permission to others; then you calculate the permissions as follows:
User = r+w+x = 0+4+2+1 = 7
Group = r+w+x = 0+4+2+0 = 6
Others = r+w+x = 0+0+0+1 = 1
Effective permission is 761.
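To make the arithmetic above mechanical, here is an added Python example (not part of the original article) that converts between the nine-character symbolic mode shown by ls -l and the three-digit octal mode using the r=4, w=2, x=1 weights, cross-checks the result against Python's stat module, and spells out what the "other" class can do with a file or a directory according to the meanings given above. The function names and the sample modes are my own.

```python
import stat

# Octal weights from the text: r = 4, w = 2, x = 1.
WEIGHTS = {"r": 4, "w": 2, "x": 1}


def symbolic_to_octal(sym: str) -> str:
    """'rwxr-xr--' -> '754': sum r/w/x weights for owner, group, other."""
    if len(sym) != 9:
        raise ValueError("expected 9 characters: owner, group, other")
    digits = []
    for start in range(0, 9, 3):  # one triplet per permission class
        total = 0
        for ch, expected in zip(sym[start:start + 3], "rwx"):
            if ch == expected:
                total += WEIGHTS[ch]
            elif ch != "-":
                raise ValueError(f"unexpected {ch!r} in {sym!r}")
        digits.append(str(total))
    return "".join(digits)


def octal_to_symbolic(octal: str) -> str:
    """'754' (or '0754') -> 'rwxr-xr--'; the inverse of symbolic_to_octal."""
    out = []
    for digit in octal[-3:]:  # last three digits: owner, group, other
        n = int(digit, 8)
        out.append("".join(flag if n & weight else "-"
                           for flag, weight in (("r", 4), ("w", 2), ("x", 1))))
    return "".join(out)


def matches_stat_module(octal: str) -> bool:
    """Cross-check against stat.filemode, which renders a st_mode the way ls does."""
    rendered = stat.filemode(stat.S_IFREG | int(octal, 8))  # e.g. '-rwxr-xr--'
    return rendered[1:] == octal_to_symbolic(octal)


def other_can(sym: str, is_dir: bool) -> list:
    """What the 'other' class (everyone else) may do, per the file/directory meanings."""
    other = sym[6:9]
    meanings = {
        "r": "list the directory contents" if is_dir else "read the file",
        "w": "add or remove files in the directory" if is_dir else "modify the file",
        "x": "access files inside the directory" if is_dir else "run the file",
    }
    return [meanings[bit] for bit in "rwx" if bit in other]


if __name__ == "__main__":
    for mode in ("rwxr-xr--", "rw-rw-rw-"):  # constructed sample modes
        print(mode, symbolic_to_octal(mode), other_can(mode, is_dir=False))
```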