Tutorial: Linux Permissions Tricks

Peace be upon you, and the mercy and blessings of Allah.

I posted this topic on ssteam months ago and I'd like to share it with you; comments and questions are welcome.

We are going to cover:
1- The difference between file and directory permissions.
2- The chmod command: "symbolic mode" vs "absolute mode".
3- How SUID, SGID, and the sticky bit work.
4- Changing the default creation mode with umask.
So let's get started.

1- The difference between file and directory permissions:
On a file, read (r) means you can view its content (e.g. with cat), write (w) means you can modify its content (e.g. with an editor like vi), and execute (x) means you can run it (e.g. a shell script or a binary; a script also needs r, because the interpreter has to read it).
On a directory, read (r) means you can list its entries (e.g. with ls), write (w) means you can create, delete or rename entries inside it, "even if you are NOT the owner of those files", and execute (x) means you can enter or traverse it (e.g. with cd, or by naming a path that goes through it).
Note(1): Execute-only permission on a directory lets a user open a file inside it if he/she knows the file's name and has read (r) permission on the file itself. He/she can also run programs or scripts inside it if he/she has execute permission on them, but they run with his/her own privileges (unless SUID/SGID is set, see section 3).
For example, the priv8 directory has these permissions:
drwx--x--x 2 root root 4096 2010-06-20 01:06 priv8/
and listing the permissions of its contents gives:
-rw-r--r-- 1 root root 15 2010-06-20 01:08 Text
-rwxr-xr-x 1 root root 19 2010-06-20 01:10 Script
Thus any user "who knows that Text and Script exist inside priv8" can read priv8/Text and execute priv8/Script "with their own privileges", but cannot list priv8 to discover those names.
Note(2): Write permission on a directory lets a user change which files are in it, including replacing files that do not belong to him/her and that he/she has only read permission on: deleting and renaming need write (and execute) permission on the directory, not on the file.
For example, the securi7y directory has these permissions:
drwx-wx-wx 2 root root 4096 2010-06-20 01:15 securi7y/
and listing the permissions of its contents gives:
-r--r--r-- 1 root root 0 2010-06-20 01:17 file.txt
Thus any user can replace the content of file.txt (e.g. create a new file and rename it over file.txt) as long as he/she has write and execute permission on the parent directory. The sticky bit (section 3) exists to stop exactly this in shared directories.
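
To see these rules act instead of reading about them, here is an added example (my own script, not part of the original post) that rebuilds the two directories above as constructed sample data and probes each permission bit. The function names are mine. Because you own the scratch tree, the owner bits are lowered to the same value the post gives "others" (--x and -wx), which makes the probes meaningful without a second account. Run it as an unprivileged user: root bypasses these checks, so every probe reports "ok" for root.

```sh
#!/bin/sh
# Added example, not part of the original post: rebuild priv8 and securi7y as
# constructed sample data and probe what each directory permission bit allows.
# Root (CAP_DAC_OVERRIDE) passes every check, so run this as a normal user.
set -u

# setup_tree BASE: BASE/priv8 is execute-only (111) and holds a readable Text
# file and an executable Script; BASE/securi7y is write+execute only (333)
# and holds a read-only file.txt, mirroring the listings in the post.
setup_tree() {
  mkdir -p "$1/priv8" "$1/securi7y"
  printf 'secret contents\n' > "$1/priv8/Text"
  printf '#!/bin/sh\necho "running as $(id -un)"\n' > "$1/priv8/Script"
  printf 'original\n' > "$1/securi7y/file.txt"
  chmod 644 "$1/priv8/Text"; chmod 755 "$1/priv8/Script"; chmod 111 "$1/priv8"
  chmod 444 "$1/securi7y/file.txt"; chmod 333 "$1/securi7y"
}

# try CMD...: print "ok" when CMD succeeds and "denied" when it fails, with the
# tool's own error message silenced, so results can be compared as strings.
try() { if "$@" >/dev/null 2>&1; then echo ok; else echo denied; fi; }

can_list() { try ls "$1/priv8"; }          # needs r on the directory: denied
can_read() { try cat "$1/priv8/Text"; }    # needs x on the dir + r on the file: ok
can_run()  { try "$1/priv8/Script"; }      # needs x on the dir + x on the file: ok

# direct_write BASE: open file.txt for writing. The file is r--r--r--, so this
# is denied even though the parent directory is writable.
direct_write() { try sh -c 'printf "clobbered\n" > "$1"' sh "$1/securi7y/file.txt"; }

# replace_readonly BASE: create a new file next to it and rename it over
# file.txt. rename(2) checks w+x on the directory, never the target file's own
# permissions, so the read-only file is replaced. Prints the new content.
replace_readonly() {
  printf 'replaced\n' > "$1/securi7y/.new" && mv -f "$1/securi7y/.new" "$1/securi7y/file.txt"
  cat "$1/securi7y/file.txt"
}

# cleanup BASE: give the directories back rwx so rm can traverse, then delete.
cleanup() { chmod 755 "$1/priv8" "$1/securi7y"; rm -rf "$1"; }

# Stand-alone run: print each probe's result. Keep the order: direct_write
# must be tried before replace_readonly swaps in a writable file.
demo() {
  base=$(mktemp -d)
  setup_tree "$base"
  echo "ls priv8            : $(can_list "$base")"
  echo "cat priv8/Text      : $(can_read "$base")"
  echo "run priv8/Script    : $(can_run "$base")"
  echo "write file.txt      : $(direct_write "$base")"
  echo "rename over file.txt: $(replace_readonly "$base")"
  cleanup "$base"
}
demo
```

The interesting lines are the last two: the same user who is refused a plain write to file.txt replaces it a second later with mv, because the rename is judged against the directory's bits, not the file's.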

2- The chmod command: "symbolic mode" vs "absolute mode":
The chmod command changes the mode "permissions" of files and directories, in two ways:
A- "Absolute mode", where we use numeric (octal) permissions such as 755, which is rwxr-xr-x in symbolic notation. It is the simpler mode to use: the whole permission set is replaced by what you give.
B- "Symbolic mode", where we use letters for who is affected: (u) the owner, (g) the file's group, (o) others, or (a) all, followed by (+), (-) or (=) to add, remove or set permissions respectively. This method is tricky:
Trick(1): If you leave out the "who" part (u/g/o/a), chmod acts as if you had written "a", except that bits set in your umask are not touched. With the usual umask of 022 the write bit of group and others is in the mask, so "-w" only affects the owner, while read (r) and execute (x) are not in the mask, so "-rx" affects everyone. So the rule is not "r and x apply to all, w to the owner"; the rule is your umask.
For example, listing Text shows:
-rw-r--r-- 1 root root 15 2010-06-20 01:08 Text
Changing the mode with "chmod -rx Text" denies read and execute to all, with the result:
--w------- 1 root root 15 2010-06-20 01:08 Text
Now run "chmod 666 Text" to grant (rw) to all.
Then running "chmod -w Text" changes the permissions to r--rw-rw-, NOT r--r--r--. To remove write from everyone regardless of umask, say so explicitly: "chmod a-w Text".
Trick(2): chmod operations are applied in order, which means "chmod a=r,u+x" does NOT equal "chmod u+x,a=r".
It is quite easy to understand: the first command sets read permission for all and then adds execute for the owner, giving r-xr--r--. The latter adds execute for the owner and then sets the permissions to read-only for all, giving r--r--r--.

3- How SUID, SGID, and the sticky bit work:
SUID: stands for Set User ID. Setting SUID on an executable file changes the way it runs: the process runs with the privileges of the file's "owner", NOT those of the user who ran it.
For example (never try this!), "chmod 4755 /bin/cat" would give root privileges to any user running the cat command (i.e. a limited user could view the shadow file with "cat /etc/shadow"). So it is very important not to use "chmod +s" on programs that can read or write system files. Two details worth knowing: the Linux kernel ignores SUID and SGID on interpreted scripts (files starting with #!), so the bit only has an effect on compiled binaries; and setting SUID on a file that has no execute permission for the owner shows as a capital "S" in place of the owner's x, instead of the lowercase "s" you see on executable files (the bit is set but does nothing).
SGID: stands for Set Group ID. Similar to SUID, but this time the user running the executable file gets the privileges of the file's group instead of the owner's. SGID may also be set on a directory in a workgroup environment: new files created inside an SGID directory get the directory's group as their group, instead of the primary group of the user who created them. To set SGID on a directory run "chmod g+s dir_name" or "chmod 2755 dir_name".
Note: to set both SUID and SGID on a file, use the prefix 6 with chmod.
For example, "chmod 6755 script.sh" sets SUID and SGID on the shell script script.sh (and, as noted above, Linux ignores both on a script).
To clear SUID and SGID, use the prefix 0 with chmod.
For example, "chmod 0755 script.sh" clears the SUID and SGID bits. This works on regular files; on a directory, GNU chmod keeps setuid/setgid bits that a numeric mode does not mention, so clear them explicitly with "chmod u-s,g-s dir_name".
Sticky bit: for directories only. When set, a "t" replaces the others' execute permission in the listing (a capital "T" if others have no execute permission).
In a directory with the sticky bit, an entry can be deleted or renamed only by the file's owner, the directory's owner or root, even though the directory is writable by everyone. The best-known example is the /tmp directory, which is world writable; the sticky bit is set on /tmp by default to prevent users from deleting or replacing each other's files. To set the sticky bit on a directory use "chmod +t dir_name" or "chmod 1755 dir_name"; to clear it again use "chmod 0755 dir_name" or simply "chmod -t dir_name".
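
The following added example (my own script, not from the original post) sets the three special bits on scratch objects you own, reads back what ls shows, and decodes the field; it also goes one step beyond the post with the find check an administrator or pentester uses to inventory SUID/SGID files. It assumes GNU coreutils chmod, ls and find; the function names are mine.

```sh
#!/bin/sh
# Added example, not part of the original post: set SUID/SGID/sticky on scratch
# objects, show the resulting ls field, decode it, and list set-id files.
# Assumes GNU coreutils. Setting SGID requires membership in the object's
# group, which holds for anything mktemp creates for you.
set -u

perm_field() { ls -ld -- "$1" | cut -c1-10; }

# mode_of PATH MODE: apply MODE with chmod and print the resulting field.
mode_of() { chmod "$2" "$1" && perm_field "$1"; }

# special_bits PATH: name the special bits in the field. A capital S/T means the
# bit is set on an entry that lacks the matching execute permission.
special_bits() {
  m=$(perm_field "$1"); out=""
  case $m in ???s??????) out="$out suid";; ???S??????) out="$out suid(no-exec)";; esac
  case $m in ??????s???) out="$out sgid";; ??????S???) out="$out sgid(no-exec)";; esac
  case $m in ?????????t) out="$out sticky";; ?????????T) out="$out sticky(no-exec)";; esac
  echo "${out# }"
}

# find_setid DIR: list every SUID or SGID regular file under DIR. For a whole
# system you would run it on / with -xdev added.
find_setid() { find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null; }

demo() {
  d=$(mktemp -d); f="$d/prog"; : > "$f"
  echo "6755 on a file      : $(mode_of "$f" 6755)  [$(special_bits "$f")]"
  echo "find_setid sees it  : $(find_setid "$d")"
  echo "0755 resets it      : $(mode_of "$f" 0755)  [$(special_bits "$f")]"
  echo "4644, no x          : $(mode_of "$f" 4644)  [$(special_bits "$f")]"
  echo "1777 on a directory : $(mode_of "$d" 1777)  [$(special_bits "$d")]"
  echo "g+s on the directory: $(mode_of "$d" g+s)   [$(special_bits "$d")]"
  # GNU chmod keeps a directory's setuid/setgid bits when given a numeric mode
  # that does not mention them, so 0755 here clears only the sticky bit.
  echo "0755 on a directory : $(mode_of "$d" 0755)  [$(special_bits "$d")]"
  echo "g-s on the directory: $(mode_of "$d" g-s)   [$(special_bits "$d")]"
  rm -rf "$d"
}
demo
```

The 4644 line is the capital-S case from the text: the bit is recorded in the inode and find_setid still reports the file, but without an execute bit nothing can ever run with it. The last two lines show why numeric modes are not a safe way to strip setgid from directories.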

4- Changing the default creation mode with umask:
Running umask with no arguments prints the current user's mask as an octal number. The mask decides the default mode of the files and directories the user creates; the system default is usually set in /etc/profile, try "tail /etc/profile". A new file gets 666 with the mask bits removed and a new directory gets 777 with the mask bits removed. This is a bitwise operation (666 & ~umask and 777 & ~umask), not subtraction: it looks like subtraction for a mask such as 022, but with umask 027 a new file is 640, and "666 - 027" is not even a meaningful octal result. With the common mask of 022 the default creation modes are 644 for files and 755 for directories. To change the creation mode, run umask followed by the new octal mask. For example, to get 664 for new files run "umask 002"; this also makes new directories 775. Note that this applies to the current session only; if you log out and back in, the mask is back to 022. You have to change umask in "/etc/profile" to make it permanent, but that affects all users. To apply a umask to one user only, add the umask line to that user's ~/.bashrc (create the file if it does not exist).
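
Sections 2 and 4 are two faces of the same mask, so one added example (my own script, not from the original post) serves both: it measures on scratch files how chmod's symbolic mode without a "who" depends on the umask and on operation order, and how the umask shapes the mode of newly created files and directories next to the bitwise formula. It assumes GNU coreutils; everything runs on files you own, so no privileges are needed, and the function names are mine.

```sh
#!/bin/sh
# Added example, not part of the original post: observe chmod's symbolic mode
# under different umasks, and the creation modes each umask produces.
# Assumes GNU coreutils chmod/ls.
set -u

perm_field() { ls -ld -- "$1" | cut -c1-10; }

# mode_after MASK START OPS: set a scratch file to absolute mode START, run
# "chmod OPS" on it under umask MASK, and print the resulting field. The body
# is a subshell, so the caller's umask is untouched.
mode_after() (
  f=$(mktemp)
  chmod "$2" "$f"
  umask "$1"
  chmod -- "$3" "$f"      # "--" so an OPS such as -w is read as a mode
  perm_field "$f"
  rm -f "$f"
)

# creation_modes MASK: create a file and a directory under umask MASK and print
# both fields, e.g. "-rw-r--r-- drwxr-xr-x" for 022. mktemp itself always uses
# 0700, so the objects are created inside its directory instead.
creation_modes() (
  umask "$1"
  d=$(mktemp -d)
  : > "$d/file"; mkdir "$d/dir"
  printf '%s %s\n' "$(perm_field "$d/file")" "$(perm_field "$d/dir")"
  rm -rf "$d"
)

# umask_mode BASE MASK: what the kernel computes, BASE & ~MASK, bit by bit.
# Not subtraction: 666 with umask 027 gives 640, where a digit-wise 6 - 7
# has no valid answer.
umask_mode() { printf '%03o\n' "$(( 0$1 & ~0$2 ))"; }

demo() {
  echo "umask 022, 666, chmod -w     : $(mode_after 022 666 -w)   (only u loses w: g/o w are in the mask)"
  echo "umask 022, 666, chmod a-w    : $(mode_after 022 666 a-w)   (an explicit who ignores the mask)"
  echo "umask 000, 666, chmod -w     : $(mode_after 000 666 -w)   (nothing masked: all lose w)"
  echo "umask 022, 644, chmod -rx    : $(mode_after 022 644 -rx)   (r and x are not in the mask)"
  echo "umask 022, 000, chmod a=r,u+x: $(mode_after 022 000 a=r,u+x)"
  echo "umask 022, 000, chmod u+x,a=r: $(mode_after 022 000 u+x,a=r)"
  for m in 022 002 027 077; do
    echo "umask $m creates: $(creation_modes "$m")  (computed: file $(umask_mode 666 "$m"), dir $(umask_mode 777 "$m"))"
  done
}
demo
```

Compare the first and third lines: the only thing that changed between r--rw-rw- and r--r--r-- is the umask, which is the whole of "Trick(1)". The loop at the end pairs the observed creation modes with the bitwise formula, so you can check any mask you plan to put in /etc/profile before deploying it.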

Nice & easy, thanks mate :slight_smile:

Glad you like it, brother.

That's useful, thanks bro.

Good job man ^^ it's an amazing tutorial.