Unix Permissions

Adapted, with permission, from the Data Security and Ethics lecture materials by Martin Lester (University of Reading).

Unix/Linux File Permissions

Unix-like systems use a permission model to control access to:

  • Files (text, binaries, scripts)
  • Directories
  • Devices
  • Other system resources

Core principle: every access decision is based on user identity and permission bits.

Three Permission Types

| Permission | Files | Directories |
|---|---|---|
| Read (r) | Read contents | List filenames |
| Write (w) | Modify contents | Create/delete files |
| Execute (x) | Run as program | Access contents |

Legend:

  • r = read
  • w = write/modify
  • x = execute/traverse
  • - = permission not granted

Three Classes of Users

  1. Owner (u)
     • User who created the file
     • Usually has full control

  2. Group (g)
     • Users belonging to file's group
     • Shared permissions for team access

  3. Others (o)
     • All other users on the system
     • Most restrictive permissions

Reading Permissions: ls -l

Example output:

```
-rwxr-xr-- 1 alice staff 1234 Jun 30 10:00 script.sh
```

Breakdown:

| Position | Meaning | Value |
|---|---|---|
| 1 | File type | `-` (regular file) |
| 2-4 | Owner (alice) | `rwx` |
| 5-7 | Group (staff) | `r-x` |
| 8-10 | Others | `r--` |

Numeric (Octal) Permissions

Each permission type has a numeric value:

| Permission | Value |
|---|---|
| Read (r) | 4 |
| Write (w) | 2 |
| Execute (x) | 1 |

Sum the values for a combination:

  • rwx = 4 + 2 + 1 = 7
  • r-x = 4 + 0 + 1 = 5
  • r-- = 4 + 0 + 0 = 4

Example: chmod 754 script.sh

  • Owner: 7 (rwx)
  • Group: 5 (r-x)
  • Others: 4 (r--)

Common Permission Setups

| Command | Result | Use Case |
|---|---|---|
| `chmod 644 file` | `rw-r--r--` | Config files, docs |
| `chmod 755 file` | `rwxr-xr-x` | Public scripts, binaries |

Changing Ownership

chown: Change file owner

```bash
# Change owner to bob
sudo chown bob file.txt

# Change owner and group
sudo chown bob:developers file.txt

# Recursive (all files in directory)
sudo chown -R bob:developers /project/
```

Requires appropriate privileges (usually sudo)

Changing Permissions

chmod: Change file mode (permissions)

```bash
# Symbolic mode
chmod u+x script.sh      # add execute for owner
chmod g-w file.txt       # remove write for group
chmod o=r file.txt       # set others to read-only
chmod a+r file.txt       # add read for all

# Numeric mode
chmod 755 script.sh      # rwxr-xr-x
chmod 600 key.pem        # rw-------
```

Special Permissions

Set User ID (SUID) - 4000

```bash
chmod u+s program
```

  • Program runs with owner's privileges
  • Example: /usr/bin/passwd (needs to modify /etc/shadow)

Set Group ID (SGID) - 2000

```bash
chmod g+s directory
```

  • New files inherit directory's group
  • Useful for shared directories

Special Permissions: Sticky Bit

```bash
chmod +t /tmp
```

  • Only file owner can delete/rename their files
  • Used on world-writable directories (/tmp, /var/tmp)
  • Prevents users from deleting each other's files
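
The octal arithmetic and the special bits above can be tied back to what `ls -l` prints. This is an added example, not part of the original lecture materials: it converts a mode field to octal, going beyond the 754 case to cover the `s`/`S` and `t`/`T` markers that `ls` puts in the execute positions when SUID, SGID or the sticky bit is set. The function names `triad_value` and `mode_to_octal` are chosen for this example.

```bash
#!/bin/sh
# Added example, not from the lecture materials; function names are this example's own.

# triad_value TRIAD -> 0..7 for one rwx triad.
# Lowercase s/t mean "special bit set AND execute set"; uppercase S/T mean execute is NOT set.
triad_value() {
    v=0
    case $1 in r??) v=$((v + 4)) ;; esac
    case $1 in ?w?) v=$((v + 2)) ;; esac
    case $1 in ??[xst]) v=$((v + 1)) ;; esac
    echo "$v"
}

# mode_to_octal FIELD -> octal mode for the first column of `ls -l`.
# A trailing marker such as "+" (ACL present) is accepted and ignored.
mode_to_octal() {
    m=$1
    case $m in
        [-dlbcps][-r][-w][-xsS][-r][-w][-xsS][-r][-w][-xtT]*) ;;
        *) echo "bad mode field: $m" >&2; return 1 ;;
    esac
    u=$(printf '%s' "$m" | cut -c2-4)
    g=$(printf '%s' "$m" | cut -c5-7)
    o=$(printf '%s' "$m" | cut -c8-10)
    special=0
    case $u in ??[sS]) special=$((special + 4)) ;; esac   # SUID   (4000)
    case $g in ??[sS]) special=$((special + 2)) ;; esac   # SGID   (2000)
    case $o in ??[tT]) special=$((special + 1)) ;; esac   # sticky (1000)
    perms="$(triad_value "$u")$(triad_value "$g")$(triad_value "$o")"
    if [ "$special" -gt 0 ]; then echo "$special$perms"; else echo "$perms"; fi
}

# Constructed sample fields (not taken from a real system).
for field in -rwxr-xr-- -rwsr-xr-x drwxrwxrwt -rwSr--r-- drwxrws---+; do
    printf '%-12s %s\n' "$field" "$(mode_to_octal "$field")"
done
```

An uppercase `S` or `T` in a listing is worth a second look: the special bit is set but the matching execute bit is not, which is usually a misconfiguration.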

Directory Permissions

Directories require execute permission to access contents:

| Permission | Effect |
|---|---|
| `r--` | List filenames (ls) |
| `r-x` | List + access files if name known |
| `-wx` | Access files but no listing |
| `rwx` | Full access |

Example:

```bash
# Prevent others from listing directory
chmod o-rwx private_dir
```

Default Permissions (umask)

umask controls default permissions for new files:

```bash
# View current umask
umask

# Set umask for current session
umask 077
```

Default file creation:

  • Max permissions: 666 for files, 777 for directories
  • Actual = Max - umask
  • umask 022: files get 644, dirs get 755
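
The subtraction above gives the right answer for the usual values (022, 077). The kernel actually clears the umask bits from the requested mode (Max AND NOT umask), and the two differ when the umask contains a bit the maximum does not, for example 033. This added example is not part of the original lecture materials: it predicts the mode with the bitmask rule and then creates a file under that umask to confirm it. The function names are chosen for this example, and `stat -c` is assumed to be the GNU coreutils or BusyBox form.

```bash
#!/bin/sh
# Added example, not from the lecture materials; function names are this example's own.

# predicted_mode BASE UMASK -> BASE with every umask bit cleared (BASE AND NOT UMASK).
predicted_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# observed_mode KIND UMASK -> mode the system gives a new file (f) or directory (d).
# The function body is a subshell, so the caller's umask is not changed.
# Assumption: stat -c '%a' (GNU coreutils / BusyBox syntax) is available.
observed_mode() (
    tmp=$(mktemp -d) || exit 1      # created before the umask change
    umask "$2"
    if [ "$1" = d ]; then mkdir "$tmp/new"; else : > "$tmp/new"; fi
    stat -c '%a' "$tmp/new"
    rm -rf "$tmp"
)

# Demo: 022 and 077 agree with "Max - umask"; 033 does not (subtraction would give 633).
for mask in 022 077 033; do
    printf 'umask %s: file predicted=%s observed=%s, dir predicted=%s\n' \
        "$mask" "$(predicted_mode 666 "$mask")" "$(observed_mode f "$mask")" \
        "$(predicted_mode 777 "$mask")"
done
```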

Permission Pitfalls

Common mistakes:

  1. World-writable files
     • chmod 777 script.sh
     • Any user can modify

  2. SUID on custom scripts
     • High privilege escalation risk
     • Should only be on trusted system binaries

  3. Directory with write + sticky bit missing
     • Users can delete each other's files in shared dir

  4. Incorrect umask
     • umask 000: new files readable by everyone
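
Pitfalls 1 to 3 can be checked mechanically. This added example is not part of the original lecture materials: it scans one directory tree and prints a tagged finding for each world-writable file, each SUID or SGID file, and each world-writable directory that lacks the sticky bit. The function names and tag names are chosen for this example.

```bash
#!/bin/sh
# Added example, not from the lecture materials; function and tag names are this example's own.
# Prints one finding per line as "<TAG> <path>". Paths containing newlines are not handled.

audit_perms() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    # Pitfall 1: regular files writable by "others" (bit 0002).
    find "$root" -xdev -type f -perm -0002 2>/dev/null | sed 's/^/WORLD_WRITABLE_FILE /'

    # Pitfall 2: SUID (4000) and SGID (2000) files; each one should have a known reason to exist.
    find "$root" -xdev -type f -perm -4000 2>/dev/null | sed 's/^/SUID /'
    find "$root" -xdev -type f -perm -2000 2>/dev/null | sed 's/^/SGID /'

    # Pitfall 3: world-writable directories without the sticky bit (1000).
    find "$root" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sed 's/^/NO_STICKY_DIR /'
}

# findings_count ROOT -> number of findings, e.g. for a cron job or CI gate.
findings_count() {
    audit_perms "$1" | wc -l | tr -d ' '
}

# Run against a directory given on the command line, e.g.: sh audit.sh /srv/www
if [ "$#" -gt 0 ]; then audit_perms "$1"; fi
```

`-xdev` keeps the scan on one filesystem, so a scan of `/` does not wander into `/proc` or network mounts.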

Security Best Practices

  1. Principle of least privilege
     • Grant minimum permissions needed
     • 600 for private keys, not 644

  2. Audit permissions regularly

```bash
# Find world-writable files
find / -perm -o+w -type f 2>/dev/null

# Find SUID/SGID binaries
find / \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null

# Find files whose owner or group no longer exists
find / \( -nouser -o -nogroup \) 2>/dev/null
```

  3. Use groups for collaboration

```bash
# Create shared group
sudo groupadd developers

# Add users to group
sudo usermod -aG developers alice

# Set directory group ownership
sudo chown :developers /project/
sudo chmod 770 /project/
```

  4. Avoid running as root
     • Use sudo only when necessary
     • Never leave root shell open

Real-World Permission Issues

  • Incorrect permissions on config files
      • /etc/shadow readable by non-root = critical breach
      • Web server config readable = credential exposure

  • World-writable web directories
      • Attackers upload PHP shells
      • Complete server compromise

  • SUID binary exploitation
      • Custom SUID programs = privilege escalation vector
      • Buffer overflow in SUID binary = root access

Permission Auditing Tools

  • ls: basic permission viewing
  • stat: detailed file info including permissions
  • getfacl/setfacl: Access Control Lists (ACLs)
      • Extend beyond owner/group/others
      • Fine-grained per-user permissions

Example ACL:

```bash
# Give user bob read access to file
setfacl -m u:bob:r file.txt

# View ACLs
getfacl file.txt
```

ACLs: Extending Basic Permissions

Access Control Lists add per-user/per-group permissions:

```bash
# Set ACL for specific user
setfacl -m u:alice:rw file.txt

# Set ACL for specific group
setfacl -m g:developers:rx /project/

# Set default ACL (inherited by new files)
setfacl -d -m g:developers:rwx /project/
```

View ACLs:

```bash
getfacl file.txt
```

Unix Permissions in Security Context

  • Defence in depth layer
  • Prevents unauthorised access even if other controls fail
  • Part of system hardening

Key areas:

  • Web server file permissions
  • Database file protection
  • SSH key permissions (chmod 600 ~/.ssh/id_rsa)
  • Log file permissions (prevent tampering)
  • Cron job file permissions

Interaction with Other Security Controls

Permissions work with other controls:

| Control | Relationship |
|---|---|
| User authentication | Verified identity |
| Firewalls | Network access control |
| Encryption | Data at rest protection |
| Permissions | Resource access control |
| SELinux/AppArmor | Mandatory access control |

Ethical Considerations

  • System administrators' duty to configure appropriate permissions
  • Developers' responsibility to request least privilege
  • Auditing permissions in shared environments
  • Privacy implications of overly permissive file access
  • Balancing security with usability

Summary

  • Unix permissions: owner, group, others (u,g,o)
  • Three types: read (r), write (w), execute (x)
  • Symbolic and numeric modes
  • Special permissions: SUID, SGID, sticky bit
  • ACLs extend basic model
  • Security: least privilege, regular auditing

Further Reading

  • man chmod, man chown, man umask
  • man getfacl, man setfacl
  • OWASP: Secure Coding Practices
  • CIS Benchmarks for Linux/Unix hardening