LFCS – File Permissions

Jarret B

Well-Known Member
Staff member
Joined
May 22, 2017
Messages
340
Reaction score
367
Credits
11,754
Learning about file permissions for the LFCS exam is important, but it is also very important to know in everyday use of Linux.

Keep in mind that all of the file permissions are used for every format except the FAT formats such as FAT32.

To start, a Red Hat based system should have the Access Control List (ACL) apps already installed, but other distros need the apps if you will be accessing EXT partitions. To install the ACL apps on a Ubuntu system you can use the following command:

Code:
sudo apt install acl

Permissions- Symbolic

There are basically four different types that will show up in the symbolic permissions listing.
  1. R read
  2. W write
  3. X execute
  4. D directory
NOTE: The ‘D’ permission is a read-only permission which cannot be changed.

The symbolic permissions are listed in a specific order of ‘rwx’. The ‘D’ comes before the others since it is a special permission. There are three groups of symbolic permissions as follows:

-rw-rw-r-- 1 jarret jarret 278931 Sep 22 12:30 LUbuntu2.jpeg

The first space is a dash which shows that the listing is for a file. The next set of three permissions is for the file owner which only has read and write permissions. The next set of three is for the group owner which also has read and write. The last set of three permissions is for other users who only have read permissions. The ‘1’ shows the file has one link. The first ‘jarret’ is the user owner. The second ‘jarret’ is the name of the group owner. The number ‘278931’ is the file size. The date and time is the timestamp on the file. The last item is the file name. The entry was listed using the following command:

Code:
ls -l LUbunt2.jpeg

NOTE: The characters in the command are lower-cased ‘L’ and not a one (1).

If you had a directory which had all permissions enabled for the User and Group Owner as well as others the symbolic permissions would be:

drwxrwxrwx

A simple way to see only the symbolic permissions is to use the command:

Code:
stat -c %A name

NOTE: Replace ‘name’ with the name of the file or folder for which you wish to see the symbolic permissions.

Permissions – Octal

Permissions can also be set by numbers instead of by symbolic characters. Each character has a value. The values are as follows:

  • r – 4
  • w – 2
  • x – 1
So if a file had only the read permission the value would be 4. If a file had the permissions read and write the value would be 6. All permissions would be a 7. Just add the values for the permissions you want to use. The various possibilities are:

  • 7 rwx
  • 6 rw
  • 5 rx
  • 4 r
  • 3 wx
  • 2 w
  • 1 x
  • 0 none
If you use the octal values instead then there will be a set of three numbers. To see the octal value for the permissions of a file or folder use the command:

Code:
stat -c %a name

NOTE: Replace ‘name’ with the name of the file or folder for which you wish to see the symbolic permissions.

Default Permissions

If you create a new file and check its octal or symbolic permissions then you can see what the default permissions are for new files. Use the following commands:

Code:
touch filetest1
stat -c %A filetest1
stat -c %a filetest1

On my Ubuntu system the defaults were ‘-rw-rw-r--’ or 664. So my user account will have read and write permissions to the file. The group ‘jarret’, which is my primary group, has read and write permissions. Other users have only read permissions.

If I wanted to remove values from my default permissions when creating a file I could use the command ‘umask’. The ‘umask’ command will remove permissions from the defaults.

NOTE: The current default permissions are used on any newly created files or folders.

If I wanted to remove any write abilities to a newly created file so it is read-only I would use the command:

Code:
umask 222

Now when I create a file I should only have read ability for my symbolic permissions.
I could remove all permissions for the owner, group and others with the command:

Code:
umask 777

If I create a file and check the permissions it should show no permissions for anyone. Since the creator of the file is the owner the user will have the right to delete the file.

If you want to see the current value of the umask just use the command:

Code:
umask -p

You can set symbolic permissions with the ‘umask’ command to specify what to make the default by using the following guides:

  • u=rwx, removes r,w or x for the user
  • g=rwx, removes r, w or x for the group
  • o=rwx removes r, w or x for others
Say you want to set the default permissions for the user to be everything and nothing for the group and others from the user and everything from the group and others:

Code:
umask u=rwx,g=,o=

or

Code:
umask u=rwx,go=

NOTE: You cannot place an execute permission on a file in this manner, but you can on a folder.

The execute command on a folder allows those with the ability of ‘execute’ to enter the folder.

If you have tried any of the above commands you may have noticed that the ability to change the execute (x) permission does not take to a file. If you want to add the execute permission then you need to use the command ‘chmod’.

CHMOD

The ‘chmod’ command allows you to change the permissions, or mode, of a file or folder. With the ‘chmod’ command you can also set or remove the execute permission.

When using ‘chmod’ you can use either symbolic or octal values.

If you wanted a file, such as ‘file2’, to have the read ability for all users you could use one of the following commands:

Code:
chmod u=r,g=r,o=r file2
chmod ugo=r file2
chmod a=r file2

If the user, group or other will have the same permissions then those modes can be grouped like in the second example. You can group two or three of the modes. When you want the permissions set on all three you can replace them with ‘a’ for ‘all’.

To use octal the command is:

Code:
chmod 444 file2

If the user, group and other all had read, write and execute I could remove all the permissions from group and others with the command:

Code:
chmod go= file2

If you wanted to add or remove permissions from a file or folder then you can use a plus (+) to add or a minus (-) to remove permissions.

Let’s create a file called ‘file5’ by:

Code:
touch file5

Now let’s add read and write permissions for users, groups and others with the command:

Code:
chmod a=rw file5

Now let’s add execute to user, remove write from group and remove read and write from others. The command is:

Code:
chmod u+x,g-w,o-rw file5

Use the plus (+) and minus (-) to change existing settings and an equal sign (=) to remove all existing settings and add the values you specify.


Other Special Permissions

There are two other bits used in permissions.

  • s – SetUID or SetGID for execution
  • t – Sticky Bit for restricted delete
SetUID/SetGID

Let’s say we have a file called ‘file1’ with root as the owner and group owner. The file has read and write permissions for the owner only. Without using sudo you cannot access it even to use ‘cat’ on it.
Let’s assume you have a text editor such as Leafpad (others will work for this example). Find the location of your executable and copy it to a folder with ‘file1’. Leafpad, for example, is located in ‘/usr/bin/leafpad’.
Once you have copied Leafpad to the local folder you can rename it to ‘pad’ to make sure you are not accessing the Leafpad program in the original location. Change the permissions of the ‘pad’ file to ‘sudo chmod u=rwx,g=,o=x pad’. Once this has taken effect yo use the next command ‘sudo chmod u+s pad’ to change the execute to a SetUID. Now if you check the user’s permissions for ‘pad’ it should be ‘rws’.

NOTE: If the letter is a capital ‘S’ then you need to add ‘x’ to the user’s permissions. Try ‘sudo chmod u+x pad’ or whatever the filename may be.

Looking at the program ‘pad’ you have no rights to the file except execute. If you are not Root or in the Root group then you only have the abilities as ‘other’. In this case, you can execute the file. Once you do you are elevated to Root status in the program you are running. The ‘s’ permission promotes you to the same status as the owner (when using SetUID) or the group (when using SetGID).
From the program ‘pad’ you can now open ‘file1’ and make changes to it since you have owner Root privileges while in ‘pad’.
It takes Root permissions to change modify the SetUID or SetGID, but once it is set anyone can run it as long as execute is set for ‘others’. Instead of setting the ‘s’ for the owner (SetUID) you can set ‘s’ for the group (SetGID) and it will work. You will have the same privileges as the current user or group for the file. The user or group does not have to be Root, but can be any user or group available on the system.

NOTE: The SetUID and SetGID will work from a Terminal, but may not work from your Graphical User Interface (GUI).

The bits for SetUID/SetGID can be set with the symbolic ‘s’, but what if you want to do it octally? The bits are as follows:

  • 4 SetUID (user)
  • 2 SetGID (group)
The above values can be set individually or together by adding them. You would use these as the very first place octally before the user. For example, if a file has permissions 755 and we wanted to add the SetUID bit the value would be 4755. If only the SetGID bit were set then it would be 2755. If both SetUID and SetGID bit is on then the value would be 6755.

Sticky Bit

Let’s assume that we have a folder owned by Root with all privileges (777) set on the folder. This would allow all users to perform read write or execute on the containing files (usually by the ‘others’ permission set).
If there are issues of users deleting files in the folder owned by other users, then we have a problem. The issue can be stopped by using the Sticky Bit.
The Sticky Bit will allow only Root, folder owner or file owner to delete a file within the folder.
To show this ability let’s create a folder named ‘Delete’ in your Home folder. Put fill permissions on the folder and change owner to Root with the following commands:

Code:
touch Delete
chmod a+rwx Delete
sudo chown root:root Delete

The folder should be created with all permissions set on for owner, group and others. Go into the folder and add four files:

Code:
cd Delete
touch file1
touch file2
touch file3
touch file4

Now there are four files with your user account and group as the owner. So let’s change the owner of the last two by:

Code:
sudo chown root:root file3
sudo chown root:root file4

Now you are the owner of ‘file1’ and ‘file2’, but root is the owner of ‘file3’ and ‘file4’. You can perform the command ‘ls -l’ to see the owners and privileges for each file.
Before we turn on the Sticky Bit let’s delete two of the files. Perform the following two command:

Code:
rm file1
rm file3

You may be asked to delete the files so press ‘y’ and enter to answer yes. You should be able to delete both files. The first file is simple since you had permission as owner and group to read and write. For ‘file3’ you had only read permissions, but the folder permissions allowed you to have full permissions to all files in the folder with the ‘others’ permissions.

Now let’s set the Sticky Bit with the following commands:

Code:
cd ..
sudo chmod a+t Delete
ls -l

You should see a ‘t’ at the end of the permissions for the Delete folder. Switch back into the Delete folder and perform the following:

Code:
rm file2
rm file4

You should again easily delete ‘file2’, but ‘file4’ should not allow you to delete it.
Only Root can delete it since it is the owner.

The mode was changed with the ‘+t’, but you can change it octally with by adding a ‘1’ before the three octal bits on the folder. The folder’s octal value is 777 and the ‘t’ can be added with 1777.

Conclusion

This article should give you a basic understanding of how to set and view permissions as well as how they work.
Practice with these to be proficient with the use of symbolic and octal permissions. Test the SetUID/SetGID and Sticky Bit to make sure you understand how they work.
 


Top