Managing Rights

Each file or directory has specific permissions for three categories of users:

  • Its owner (symbolized by u, as in User).

  • Its owner group (symbolized by g, as in Group), representing all the members of the group.

  • The others (symbolized by o, as in Other).

Three types of rights are defined as:

  • Reading (symbolized by r, as in Read).

  • Writing (or modifying, symbolized by w, as in Write).

  • Executing (symbolized by x, as in eXecute).

setuid and setgid executables

The setgid and setuid rights are particularly relevant to executable files (symbolized with the letter s). These two rights allow any user to execute the program with the rights of the owner or the group, respectively. This mechanism grants access to features requiring higher-level permissions than those you would usually have.

Since a setuid root program is systematically run under the super-user identity, it is very important to ensure it is secure and reliable. Any user who manages to subvert a setuid root program to call a command of their choice could then impersonate the root user and have all rights on the system. Penetration testers regularly search for this type of file when they gain access to a system, as a way of escalating their privileges.

A directory is handled differently from a file. Read access gives the right to consult the list of its contents (files and directories); write access allows creating or deleting files; and execute access allows crossing through the directory to access its contents (for example, with the cd command). Being able to cross through a directory without being able to read it gives the user permission to access the entries therein that are known by name, but not to find them without knowing their exact name.

SECURITY setgid directory and sticky bit

The setgid bit also applies to directories. Any newly-created item in such directories is automatically assigned the owner group of the parent directory, instead of inheriting the creator's main group as usual. Because of this, you don't have to change your main group (with the newgrp command) when working in a file tree shared between several users of the same dedicated group.

The sticky bit (symbolized by the letter "t") is a permission that is only useful in directories. It is especially used for temporary directories where everybody has write access (such as /tmp/): it restricts deletion of files so that only their owner or the owner of the parent directory can delete them. Lacking this, everyone could delete other users' files in /tmp/.

Three commands control the permission associated with a file:

  • chown user file changes the owner of a file.

  • chgrp group file changes the owner group.

  • chmod rights file changes the permissions for the file.

Changing the user and group

Frequently you want to change the group of a file at the same time that you change the owner. The chown command has a special syntax for that: chown user:group file

Changing rights for each category

A single chmod invocation can, for instance, give the owner read, write and execute rights, add read and write rights for the owner group, and remove read rights for other users.

Numeric rights representation

  • 4 : read

  • 2 : write

  • 1 : execute

Example:

  • grants read, write and execute permissions to the owner

  • grants read and execute permissions to the group

  • grants read permissions to anyone else

To represent special rights, you can prefix a fourth digit to this number, where the setuid, setgid, and sticky bits are 4, 2, and 1 respectively.

Example:

Associates the setuid bit.
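The following shell script is an added example, not part of the original page: it exercises the symbolic and numeric chmod forms described above (per-category rights, the 754-style triplet, the fourth digit for setuid/setgid/sticky, a setgid shared directory and a sticky /tmp-style directory) on a scratch directory it creates itself, and ends with a small audit that lists files carrying setuid or setgid under a given tree, the ones a defender should review because they run under another identity. It assumes GNU/Linux coreutils and findutils (stat -c, find -perm, mktemp); the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes GNU coreutils/findutils.

# mode_of FILE: print the octal permission bits, including any special bits
# (e.g. 754 or 4754), which is what the numeric chmod form sets.
mode_of() {
    stat -c '%a' "$1"
}

# ls_style_of FILE: print the ls -l style string, where an "s" in the owner
# or group execute slot marks setuid/setgid and a "t" in the last slot marks
# the sticky bit.
ls_style_of() {
    stat -c '%A' "$1"
}

# symbolic_example FILE: starting from 644 (constructed starting state),
# u=rwx sets the owner's rights exactly, g+rw adds read and write for the
# group, o-r removes read for everyone else. Prints the resulting mode.
symbolic_example() {
    chmod 644 "$1"
    chmod u=rwx,g+rw,o-r "$1"
    mode_of "$1"   # 760
}

# numeric_example FILE: 7 = 4+2+1 (rwx) for the owner, 5 = 4+1 (r-x) for the
# group, 4 (r--) for everyone else. Prints the resulting mode.
numeric_example() {
    chmod 754 "$1"
    mode_of "$1"   # 754
}

# setuid_example FILE: a leading 4 adds the setuid bit to the same triplet
# (2 would add setgid, 1 the sticky bit). Prints the resulting mode.
setuid_example() {
    chmod 4754 "$1"
    mode_of "$1"   # 4754
}

# setgid_dir_example DIR: create DIR as a group-shared tree (2775 = setgid +
# rwxrwxr-x), create a file inside and report "yes" if the new file received
# DIR's group rather than the creator's primary group.
setgid_dir_example() {
    mkdir -p "$1"
    chmod 2775 "$1"
    : > "$1/shared-file"
    if [ "$(stat -c '%g' "$1/shared-file")" = "$(stat -c '%g' "$1")" ]; then
        echo yes
    else
        echo no
    fi
}

# sticky_dir_example DIR: create DIR with the classic /tmp layout, 1777 =
# sticky bit + rwxrwxrwx, so everyone may create files but only a file's
# owner (or the directory's owner) may delete it. Prints the resulting mode.
sticky_dir_example() {
    mkdir -p "$1"
    chmod 1777 "$1"
    mode_of "$1"   # 1777
}

# audit_special_bits DIR: list regular files under DIR that carry setuid
# (-perm -4000) or setgid (-perm -2000), i.e. the files that execute with a
# borrowed identity and deserve a security review.
audit_special_bits() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# demo: run every step above in a scratch directory and show the results.
demo() {
    scratch=$(mktemp -d)
    : > "$scratch/tool"
    echo "symbolic u=rwx,g+rw,o-r -> $(symbolic_example "$scratch/tool")"
    echo "numeric 754             -> $(numeric_example "$scratch/tool")"
    echo "numeric 4754            -> $(setuid_example "$scratch/tool") ($(ls_style_of "$scratch/tool"))"
    echo "setgid dir inherits grp -> $(setgid_dir_example "$scratch/shared")"
    echo "sticky dir 1777         -> $(sticky_dir_example "$scratch/tmp")"
    echo "setuid/setgid files under $scratch:"
    audit_special_bits "$scratch"
    rm -rf "$scratch"
}

demo
```

Run it as any user: every chmod acts on files the script itself owns, so no root is required, and the setuid bit it sets on an empty file is harmless. The audit function is scoped to the directory you pass it; pointing it at a real system tree turns it into a routine inventory of privileged binaries to compare against the expected baseline.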
