Linux is a powerful and versatile operating system that offers robust security features, one of which is its permission system. Understanding how to control access levels within Linux is crucial for anyone who wants to manage a secure and well-functioning system, whether it’s a personal computer, a server, or a larger network. In this blog post, we’ll explore Linux permissions, how they work, and how you can effectively assign permissions to control access levels on your system.

What Are Permissions in Linux?

Permissions in Linux define what actions users can perform on files and directories. These actions typically fall into three categories:

1. Read (r): Allows the user to view the contents of a file or list the contents of a directory.
2. Write (w): Allows the user to modify the contents of a file or create, delete, and rename files within a directory.
3. Execute (x): Allows the user to run a file (if it’s a script or binary) or access a directory and its contents.

Each file and directory in Linux has an associated set of permissions that determine who can read, write, or execute it. These permissions are assigned to three types of users:

• Owner: The user who created the file or directory.
• Group: A set of users who share access to the file or directory.
• Others: All other users on the system who are not the owner or part of the group.

The Structure of Linux Permissions

Linux permissions are displayed as a string of 10 characters when you use the ls -l command to list files and directories.

For example: -rwxr-xr–

This string can be broken down as follows:

• The first character indicates the file type (- for a regular file, d for a directory, l for a symbolic link, etc.).
• The next three characters (rwx) represent the owner’s permissions (read, write, execute).
• The middle three characters (r-x) represent the group’s permissions.
• The last three characters (r--) represent the permissions for others.

In this example:

• The owner can read, write, and execute the file.
• The group can read and execute the file but not write to it.
• Others can only read the file.

Changing Permissions with chmod

The chmod command is used to change the permissions of files and directories. There are two ways to use chmod: symbolic mode and numeric mode.

Symbolic Mode

In symbolic mode, you can change permissions using letters and symbols. The syntax is: chmod [who][operator][permission] file_name

• Who: u (user/owner), g (group), o (others), a (all).
• Operator: + (add permission), - (remove permission), = (set permission).
• Permission: r (read), w (write), x (execute).

For example:

• chmod u+x file_name adds execute permission for the owner.
• chmod g-w file_name removes write permission from the group.
• chmod o=r file_name sets read-only permission for others.

Numeric Mode

In numeric mode, you assign permissions using a three-digit octal number. Each digit corresponds to a permission set for the owner, group, and others. The numbers are as follows:

• 4 = Read (r)
• 2 = Write (w)
• 1 = Execute (x)
• 0 = No permission

You add the numbers together to form the desired permissions. For example:

• 7 = 4 (read) + 2 (write) + 1 (execute) = rwx
• 5 = 4 (read) + 1 (execute) = r-x
• 6 = 4 (read) + 2 (write) = rw-

So, to give the owner full permissions (7), the group read and execute permissions (5), and others read-only permission (4), you would use: chmod 754 file_name

Understanding Ownership with chown

In Linux, every file and directory has an owner. The chown command is used to change the ownership of files and directories. This is important when managing permissions because only the owner (or a user with superuser privileges) can change a file’s permissions.

The basic syntax for chown is: chown [owner][:group] file_name

• To change the owner of a file: chown new_owner file_name
• To change the owner and the group: chown new_owner:new_group file_name
• To change only the group: chown :new_group file_name

For example, if you want to change the owner of myfile.txt to john and the group to users, you would use: chown john:users myfile.txt

If you only want to change the group:chown :users myfile.txt

Special Permissions: SUID, SGID, and Sticky Bit

In addition to the basic read, write, and execute permissions, Linux supports special permissions that provide additional security and functionality. These are the SUID (Set User ID), SGID (Set Group ID), and Sticky Bit.

SUID (Set User ID)

The SUID permission allows users to execute a file with the permissions of the file’s owner rather than their own. This is commonly used for programs that require elevated privileges to run.

For example, the passwd command, which allows users to change their password, has the SUID bit set, so it runs with root privileges, even if a regular user executes it.

To set the SUID bit, you use:

• Symbolic: chmod u+s file_name
• Numeric: Add 4 to the owner’s permission. For example, chmod 4755 file_name.

SGID (Set Group ID)

The SGID permission works similarly to SUID but for group permissions. When applied to a file, it allows users to execute the file with the permissions of the file’s group. When applied to a directory, it ensures that new files and directories created within inherit the group of the parent directory rather than the user’s default group.

To set the SGID bit, you use:

• Symbolic: chmod g+s file_name
• Numeric: Add 2 to the group’s permission. For example, chmod 2755 file_name.

Sticky Bit

The Sticky Bit is primarily used on directories. When the Sticky Bit is set on a directory, only the owner of a file within that directory (or root) can delete or rename the file, even if others have write permissions to the directory. This is commonly used in directories like /tmp, where many users have write access, but each user should only be able to delete their own files.

To set the Sticky Bit, you use:

• Symbolic: chmod +t directory_name
• Numeric: Add 1 to the others’ permission. For example, chmod 1755 directory_name.

Practical Examples of Permissions Assignment

Let’s walk through some practical examples to reinforce these concepts.

Example 1: Securing a Script

Suppose you have written a script, backup.sh, that you want to keep secure. You want to be the only user who can modify or execute it, but you want others to be able to read it.

1. Set the owner’s permissions to rwx (7), group permissions to r-- (4), and others to r-- (4):

• chmod 744 backup.sh

This ensures that you can read, write, and execute the script, while others can only read it.

Example 2: Collaborative Directory

You’re managing a project where multiple users need to collaborate by adding and editing files in a directory, but they shouldn’t be able to delete each other’s files.

1. Set the directory’s permissions to rwxrwxr-x (775) to allow the group to read, write, and execute files.
2. Set the SGID bit so that new files inherit the group ownership.
3. Set the Sticky Bit to prevent users from deleting each other’s files.

• chmod 2775 project_directory
  chmod +t project_directory

Now, all users in the group can collaborate without worrying about accidental file deletions.

Example 3: Restricting Access to Sensitive Files

Suppose you have a directory containing sensitive information that only you and a specific group should access. You want to ensure that no one else can even list the files in the directory.

1. Set the directory’s permissions to rwxr-x--- (750).

• chmod 750 sensitive_directory

This ensures that only you and members of the group can access the directory, while others are completely blocked.

Best Practices for Managing Permissions

When assigning permissions, it’s important to follow best practices to maintain a secure and manageable system:

1. Principle of Least Privilege: Only grant the minimum permissions necessary for users to perform their tasks. This reduces the risk of accidental or malicious changes.

2. Regularly Review Permissions: Periodically check the permissions on files and directories to ensure they are still appropriate. Over time, users’ roles and responsibilities can change, necessitating updates to their access levels.

3. Use Groups Wisely: Organize users into groups based on their roles and assign permissions at the group level.