- Basic File Permissions Overview
- Permission Categories
- Symbolic Representation
- Octal Representation
- Changing Permissions with chmod
- Changing Ownership with chown
- Changing Group with chgrp
- Default Permissions and umask
- Viewing Permissions
- Directory Permissions
- Understanding File Types
- Special Permissions
- Recursive Permission Changes
- Executable File Permissions
- Script Permissions
- Symbolic Link Permissions
- Hard Link Permissions
- Sticky Bit on Directories
- Finding Files by Permissions
- Access Control Lists Introduction
- Setting and Modifying ACLs
- Default ACLs on Directories
- Removing ACLs
- Security Risks
- Best Practices
- Troubleshooting Permissions
- Permissions and System Services
- Auditing Permission Changes
- Networked File System Permissions
- Extended Permissions
- Container Permissions
- User and Group ID Mapping
- Permission Inheritance
- Cloud Environment Permissions
- Immutable Attributes
- Filesystem Mount Options
- Effective vs Displayed Permissions
- Temporary Permission Changes
Basic File Permissions Overview
| Concept | Description | Example |
|---|---|---|
| File Permissions | Controls who can read, write, or execute a file |
-rwxr-xr-- 1 user group 4096 Jul 28 10:30 script.sh
^ ^^^ ^^^ ^^^
| ||| ||| |+- File owner and group
| ||| ||| +-- Number of hard links
| ||| |||
| ||| ||+- Others: read only
| ||| |+-- Others: no write
| ||| +--- Others: no execute
| ||+------ Group: read only
| |+------- Group: no write
| +-------- Group: execute
+---------- User: read, write, execute
|
| Permission Display | 10-character string showing type and permissions |
-rwxrwxrwx = File with all permissions
drwxr-xr-x = Directory with typical permissions
-rw-r--r-- = Regular file with typical permissions
|
Permission Categories (User, Group, Others)
| Category | Description | Example |
|---|---|---|
| User (u) | The owner of the file | chmod u+x script.sh gives execution permission to the owner |
| Group (g) | Users who are members of the file’s group | chmod g+rw data.txt gives read and write permission to the group |
| Others (o) | All other users on the system | chmod o-rwx private.key removes all permissions for others |
| All (a) | All three categories above (user, group, others) | chmod a+r public.txt gives read permission to everyone |
Symbolic Representation (rwx)
| Symbol | Description | Effect |
|---|---|---|
| r | Read permission | For files: Allows reading content For directories: Allows listing contents |
| w | Write permission | For files: Allows modifying content For directories: Allows creating/deleting files within |
| x | Execute permission | For files: Allows running as a program For directories: Allows entering the directory |
| – | No permission | The permission is not granted for that position |
Octal (Numeric) Representation (0-7)
| Octal Value | Binary | Permissions | Example |
|---|---|---|---|
| 0 | 000 | No permissions (—) | chmod 000 file.txt removes all permissions |
| 1 | 001 | Execute only (–x) | chmod 111 file.sh sets execute-only for all |
| 2 | 010 | Write only (-w-) | chmod 222 file.txt sets write-only for all |
| 3 | 011 | Write and execute (-wx) | chmod 333 dir sets write and execute for all |
| 4 | 100 | Read only (r–) | chmod 444 readme.txt sets read-only for all |
| 5 | 101 | Read and execute (r-x) | chmod 555 program sets read and execute for all |
| 6 | 110 | Read and write (rw-) | chmod 666 data.txt sets read and write for all |
| 7 | 111 | Read, write, and execute (rwx) | chmod 777 script.sh sets all permissions for all |
Changing Permissions with chmod (Symbolic and Numeric)
| Command | Description | Example |
|---|---|---|
chmod [options] mode file | Change file permissions |
# Numeric mode
chmod 755 script.sh # rwxr-xr-x
chmod 644 text.txt # rw-r--r--
chmod 600 private.key # rw-------
# Symbolic mode
chmod u+x script.sh # Add execute to user
chmod g-w file.txt # Remove write from group
chmod o= file.txt # Clear all permissions for others
chmod a+r document.pdf # Add read to all
|
| Operators in symbolic mode | +: Add permission -: Remove permission =: Set exact permission |
chmod u+rw,g+r,o-rwx private.txt
# Add read/write for user, add read for group,
# remove all for others
|
Changing Ownership with chown
| Command | Description | Example |
|---|---|---|
chown [options] owner[:group] file | Change the owner and/or group of a file |
# Change owner only
chown alice file.txt
# Change owner and group
chown alice:staff file.txt
# Change group only
chown :developers project/
# Recursively change ownership
chown -R www-data:www-data /var/www/
|
Changing Group with chgrp
| Command | Description | Example |
|---|---|---|
chgrp [options] group file | Change the group of a file |
# Change group of a file
chgrp developers project.py
# Recursively change group of a directory
chgrp -R staff /shared/documents/
|
Default Permissions and umask
| Command/Concept | Description | Example |
|---|---|---|
| Default Permissions | Files: 666 (rw-rw-rw-) Directories: 777 (rwxrwxrwx) | These are base permissions before umask is applied |
| umask | Masks out permissions for newly created files |
# Display current umask (typically 022)
umask
# Set a new umask value
umask 027
# This will create files with 640 (rw-r-----)
# And directories with 750 (rwxr-x---)
|
| Common umask values | 022: rw-r–r– for files 027: rw-r—– for files 077: rw——- for files | Umask is subtracted from default permissions |
Viewing Permissions (ls -l)
| Command | Description | Example Output |
|---|---|---|
ls -l | List files with detailed permissions |
$ ls -l
-rw-r--r-- 1 user group 5678 Jun 21 13:45 data.txt
-rwxr-xr-x 1 user group 2345 Jun 19 10:32 script.sh
drwxr-xr-- 2 admin staff 4096 Jun 20 15:22 secure_dir/
|
ls -la | List all files (including hidden) with permissions |
$ ls -la
drwxr-xr-x 3 user group 4096 Jun 21 14:20 .
drwxr-xr-x 7 user group 4096 Jun 10 09:30 ..
-rw------- 1 user group 2345 Jun 15 16:42 .bash_history
-rw-r--r-- 1 user group 220 Jun 10 09:30 .bashrc
-rw-r--r-- 1 user group 5678 Jun 21 13:45 data.txt
|
stat file | Display detailed file information including permissions |
$ stat data.txt
File: data.txt
Size: 5678 Blocks: 16 IO Block: 4096 regular file
Device: 801h/2049d Inode: 1234567 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 1000/ user) Gid: ( 1000/ group)
Access: 2023-06-22 10:45:12.000000000 +0200
Modify: 2023-06-21 13:45:34.000000000 +0200
Change: 2023-06-21 13:45:34.000000000 +0200
Birth: -
|
Effect of Permissions on Directories
| Permission | Effect on Directories | Example |
|---|---|---|
| r (read) | List directory contents (view filenames) |
# With read permission
$ ls -l dirwithread/
-rw-r--r-- 1 user group 123 Jun 22 15:30 file1.txt
-rw-r--r-- 1 user group 456 Jun 22 15:31 file2.txt
# Without read permission
$ ls -l dirwithoutread/
ls: cannot open directory 'dirwithoutread/': Permission denied
|
| w (write) | Create, delete, or rename files within directory | Requires execute (x) permission as well to be useful |
| x (execute) | Access files within directory, enter directory |
# With execute permission
$ cd dirwithexec/
$ cat dirwithexec/file.txt # Works
# Without execute permission
$ cd dirwithoutexec/
bash: cd: dirwithoutexec/: Permission denied
$ cat dirwithoutexec/file.txt
cat: dirwithoutexec/file.txt: Permission denied
|
| Common directory permissions | 755 (rwxr-xr-x): Normal directory 700 (rwx——): Private directory 750 (rwxr-x—): Group shared directory | The execute bit is usually needed for directories to be useful |
Understanding File Types in ls -l (-, d, l)
| First Character | Type | Example |
|---|---|---|
| – | Regular file | -rw-r--r-- 1 user group 5678 Jun 21 13:45 data.txt |
| d | Directory | drwxr-xr-x 2 user group 4096 Jun 22 10:30 documents/ |
| l | Symbolic link | lrwxrwxrwx 1 user group 12 Jun 22 11:15 link -> target.txt |
| c | Character device | crw--w---- 1 root tty 4, 0 Jun 22 14:30 /dev/tty0 |
| b | Block device | brw-rw---- 1 root disk 8, 0 Jun 22 09:20 /dev/sda |
| p | Named pipe (FIFO) | prw-r--r-- 1 user group 0 Jun 22 15:40 mypipe |
| s | Socket | srwxrwxrwx 1 user group 0 Jun 22 16:10 mysocket |
Special Permissions: setuid, setgid, sticky bit
| Permission | Description | Example |
|---|---|---|
| setuid (SUID) | When set on a file, it executes with the permissions of the file owner rather than the executing user |
# Set SUID (numeric)
chmod 4755 myprogram
# Set SUID (symbolic)
chmod u+s myprogram
# Display: The 's' replaces 'x' in owner permissions
-rwsr-xr-x 1 root root 123456 Jun 25 14:20 myprogram
# Example: /usr/bin/passwd has SUID set
-rwsr-xr-x 1 root root 68208 Apr 16 15:36 /usr/bin/passwd
|
| setgid (SGID) | For files: Executes with the permissions of the file’s group For directories: New files created in the directory inherit its group |
# Set SGID (numeric)
chmod 2755 myprog
chmod 2770 shared_dir/
# Set SGID (symbolic)
chmod g+s myprog
chmod g+s shared_dir/
# Display: The 's' replaces 'x' in group permissions
-rwxr-sr-x 1 user group 123456 Jun 25 14:30 myprog
drwxrws--- 2 user group 4096 Jun 25 14:35 shared_dir/
|
| sticky bit | When set on a directory, files in that directory can only be deleted or renamed by their owner, the directory owner, or root |
# Set sticky bit (numeric)
chmod 1777 /tmp
# Set sticky bit (symbolic)
chmod +t /tmp
# Display: The 't' replaces 'x' in others permissions
drwxrwxrwt 15 root root 4096 Jun 25 15:00 /tmp
|
| Special permission bits (octal) | 4 = SUID 2 = SGID 1 = sticky bit |
chmod 4755 file # SUID + rwxr-xr-x
chmod 2755 file # SGID + rwxr-xr-x
chmod 1777 dir # sticky bit + rwxrwxrwx
chmod 6755 file # SUID + SGID + rwxr-xr-x
|
Recursive Permission Changes (chmod -R, chown -R)
| Command | Description | Example |
|---|---|---|
chmod -R mode directory | Recursively change permissions for a directory and all its contents |
# Give read and execute permissions to everyone for all files in a directory
chmod -R a+rx /path/to/website/
# Set permissions to 755 for directories and 644 for files
# This requires a more complex approach:
find /path/to/dir -type d -exec chmod 755 {} \;
find /path/to/dir -type f -exec chmod 644 {} \;
|
chown -R user:group directory | Recursively change ownership for a directory and all its contents |
# Change ownership of a web directory and all contents
chown -R www-data:www-data /var/www/html/
# Change ownership but preserve file timestamps
chown -R --preserve-timestamps user:group directory/
|
Understanding Permissions for Executable Files
| Concept | Description | Example |
|---|---|---|
| Executable bit | Required to run a file as a program |
# Make a compiled program executable
chmod +x program
# Common permission pattern for executables
chmod 755 program # rwxr-xr-x
|
| Permissions requirements | In addition to execute permission, binaries typically need read permission to load into memory |
# Try to run a program without execute permission
$ chmod -x program
$ ./program
bash: ./program: Permission denied
# Try to run a program with execute but no read
$ chmod 111 program
$ ./program
bash: ./program: Permission denied
|
Understanding Permissions for Scripts
| Concept | Description | Example |
|---|---|---|
| Basic script permissions | Scripts need both read and execute permissions |
# Create a simple script
$ echo '#!/bin/bash' > script.sh
$ echo 'echo "Hello, World!"' >> script.sh
# Make it executable
$ chmod +x script.sh
$ ./script.sh
Hello, World!
|
| Interpreter permissions | The interpreter specified in the shebang line must also be executable | If you’re using #!/bin/bash, the bash executable must also have proper permissions |
| Common script permissions | 755 (rwxr-xr-x): Script can be run by anyone 700 (rwx——): Private script |
# Private script
chmod 700 backup_my_files.sh
# Shared script
chmod 755 common_utilities.sh
|
Managing Permissions for Symbolic Links
| Concept | Description | Example |
|---|---|---|
| Symlink permissions | Permissions on symbolic links are not used; the permissions of the target file are what matter |
$ ls -l mylink
lrwxrwxrwx 1 user group 7 Jun 25 16:20 mylink -> target
# Notice all permissions are set, but they're ignored
# Actual access is determined by permissions on "target"
|
| Changing link permissions | Attempting to change permissions on a symlink affects the target, not the link itself |
# Create a symbolic link
$ ln -s target mylink
# Trying to change permissions of the link
$ chmod 600 mylink
# This actually changes permissions of the target
|
Managing Permissions for Hard Links
| Concept | Description | Example |
|---|---|---|
| Hard link permissions | Hard links share the same inode as the original file, so they always have identical permissions |
# Create a file
$ echo "content" > original
$ chmod 644 original
# Create a hard link
$ ln original hardlink
# Both show the same permissions because they share the same inode
$ ls -l original hardlink
-rw-r--r-- 2 user group 8 Jun 25 16:30 hardlink
-rw-r--r-- 2 user group 8 Jun 25 16:30 original
|
| Changing permissions | Changing permissions on either the original file or the hard link affects all hard links to that inode |
# Change permissions on the hard link
$ chmod 600 hardlink
# Both files now show the new permissions
$ ls -l original hardlink
-rw------- 2 user group 8 Jun 25 16:30 hardlink
-rw------- 2 user group 8 Jun 25 16:30 original
|
Sticky Bit on Directories (/tmp)
| Concept | Description | Example |
|---|---|---|
| Purpose | Prevents users from deleting or renaming files they don’t own in shared directories | Commonly used on /tmp and other shared directories |
| Setting sticky bit | Can be set with numeric mode 1xxx or symbolic mode +t |
# Set sticky bit with numeric mode
chmod 1777 /shared
# Set sticky bit with symbolic mode
chmod +t /shared
|
| Identifying sticky bit | Appears as “t” in the execute position for others |
$ ls -ld /tmp
drwxrwxrwt 20 root root 4096 Jun 26 10:15 /tmp
^
|-- 't' indicates sticky bit is set
|
Finding Files Based on Permissions (find -perm)
| Command | Description | Example |
|---|---|---|
find path -perm mode | Find files with exact permissions |
# Find files with exactly 644 permissions
find /home -perm 644
|
find path -perm -mode | Find files with at least these permissions (all bits in mode must be set) |
# Find files where all users have read permission
find /home -perm -444
|
find path -perm /mode | Find files with any of these permissions (any bit in mode is set) |
# Find files that are world-writable
find /home -perm /002
|
| Common permission searches | Finding files with specific security concerns |
# Find SUID files
find / -perm -4000 -type f
# Find world-writable files
find / -perm -2 -type f -not -path "/proc/*"
# Find world-writable directories
find / -perm -2 -type d -not -path "/proc/*"
# Find files not owned by any user
find / -nouser
|
Access Control Lists (ACLs) Introduction
| Concept | Description | Example |
|---|---|---|
| ACLs purpose | Extend traditional permission model to allow more granular control | Allow specific users or groups access without changing ownership or basic permissions |
| ACLs vs traditional permissions | Traditional: one owner, one group, and others ACLs: multiple users/groups with different permissions | Useful when standard rwx permissions aren’t flexible enough |
| Identifying files with ACLs | The “+” symbol after the permission string in ls -l output |
$ ls -l file_with_acl
-rw-r--r--+ 1 user group 1234 Jun 26 11:30 file_with_acl
^
|-- The '+' indicates ACLs are set
|
Setting and Modifying ACLs (setfacl, getfacl)
| Command | Description | Example |
|---|---|---|
getfacl file | Display ACLs for a file |
$ getfacl document.txt
# file: document.txt
# owner: john
# group: staff
user::rw-
user:mary:r--
group::r--
mask::r--
other::---
|
setfacl -m rule file | Modify ACL for a file |
# Give user alice read and write permissions
setfacl -m u:alice:rw- document.txt
# Give group devs read permission
setfacl -m g:devs:r-- document.txt
# Multiple rules at once
setfacl -m u:bob:r--,g:admins:rwx document.txt
|
setfacl -x rule file | Remove specific ACL entries |
# Remove ACL for user alice
setfacl -x u:alice document.txt
# Remove ACL for group devs
setfacl -x g:devs document.txt
|
setfacl -R rule directory | Recursively apply ACLs to a directory |
# Recursively give read access to user bob
setfacl -R -m u:bob:r-x /shared/projects/
|
Default ACLs on Directories
| Concept | Description | Example |
|---|---|---|
| Default ACLs | ACLs automatically applied to new files/directories created within a directory | Specify inheritance of permissions for new items |
| Setting default ACLs | Use the ‘d:’ prefix with setfacl |
# Set default ACL for user alice
setfacl -m d:u:alice:rwx /projects/
# Set default ACL for group devs
setfacl -m d:g:devs:rx /projects/
# Set multiple default ACLs
setfacl -m d:u:bob:rx,d:g:admins:rwx /projects/
|
| Viewing default ACLs | Shown in getfacl output with “default:” prefix |
$ getfacl /projects/
# file: /projects/
# owner: admin
# group: staff
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:alice:rwx
default:group::r-x
default:group:devs:r-x
default:mask::rwx
default:other::r-x
|
Removing ACLs (setfacl -b)
| Command | Description | Example |
|---|---|---|
setfacl -b file | Remove all ACLs from a file |
# Remove all ACLs from a file
setfacl -b document.txt
|
setfacl -k directory | Remove default ACLs from a directory |
# Remove only default ACLs
setfacl -k /projects/
|
setfacl -R -b directory | Recursively remove all ACLs |
# Recursively remove all ACLs from directory and contents
setfacl -R -b /projects/
|
Security Risks: Misconfigured Permissions
| Risk | Description | Mitigation |
|---|---|---|
| World-writable files | Files that anyone can modify (permissions containing o+w) |
# Find world-writable files
find / -type f -perm -o=w -not -path "/proc/*" -ls
# Fix by removing world write permission
chmod o-w vulnerable_file
|
| SUID/SGID on scripts | Scripts with setuid/setgid can lead to privilege escalation |
# Find SUID/SGID files
find / -type f \( -perm -4000 -o -perm -2000 \) -ls
# Remove SUID/SGID if not needed
chmod u-s,g-s script.sh
|
| Incorrect home directory permissions | Home directories accessible to others can expose sensitive data |
# Secure home directory
chmod 750 /home/username
# Check with:
ls -ld /home/*
|
| SSH key permissions | SSH will refuse to use keys with loose permissions |
# Correct permissions for SSH private keys
chmod 600 ~/.ssh/id_rsa
# Correct permissions for SSH directory
chmod 700 ~/.ssh
|
Best Practices for File and Directory Permissions
| Practice | Description | Example |
|---|---|---|
| Principle of least privilege | Grant only permissions that are necessary for functionality | Use 644 (rw-r–r–) for regular files, not 666 (rw-rw-rw-) |
| Home directory security | Protect user home directories from other users |
# Secure home directory
chmod 750 /home/username
# Ensure sensitive files are private
chmod 600 ~/.bash_history ~/.aws/credentials
|
| Configuration file security | Protect sensitive configuration files that may contain credentials |
# Make config files only readable by owner
chmod 600 config.ini credentials.txt
# System configs readable by specific groups
chmod 640 /etc/mysql/my.cnf
|
| Web directory permissions | Balance security with web server requirements |
# Web directories
find /var/www -type d -exec chmod 755 {} \;
# Web files
find /var/www -type f -exec chmod 644 {} \;
# CGI scripts
find /var/www/cgi-bin -type f -exec chmod 755 {} \;
|
Troubleshooting Permissions Issues
| Problem | Common Causes | Solution |
|---|---|---|
| “Permission denied” when running a script | Missing execute permission |
# Add execute permission
chmod +x script.sh
|
| “Permission denied” when accessing a directory | Missing execute permission on the directory or a parent directory |
# Add execute permission to directory
chmod +x /path/to/directory
# Check parent directories too
ls -ld / /path /path/to
|
| Cannot modify files in a directory despite write permission | Missing write permission on the directory itself |
# Add write permission to directory
chmod +w /path/to/directory
|
| Text editor creates a temporary file but fails to save | Write permission on file but not on directory |
# Add write permission to directory
chmod +w /path/to/directory
|
Permissions and System Services (Apache, SSH)
| Service | Permission Requirements | Example |
|---|---|---|
| Apache/Nginx web server | Web server runs as www-data user and needs read access to web files, execute access to directories |
# Standard web directory permissions
chown -R www-data:www-data /var/www/html
find /var/www/html -type d -exec chmod 755 {} \;
find /var/www/html -type f -exec chmod 644 {} \;
# For writable directories (uploads, cache)
chmod 775 /var/www/html/uploads
|
| SSH Server | SSH is sensitive to permissions on key files and config directories |
# Server host keys
chmod 600 /etc/ssh/ssh_host_*_key
chmod 644 /etc/ssh/ssh_host_*_key.pub
# sshd_config
chmod 600 /etc/ssh/sshd_config
# User's .ssh directory
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
|
| Database (MySQL/PostgreSQL) | Database files must be owned by the database user |
# MySQL data directory
chown -R mysql:mysql /var/lib/mysql
chmod 750 /var/lib/mysql
# MySQL config
chmod 640 /etc/mysql/my.cnf
|
Auditing and Logging Permission Changes
| Method | Description | Example |
|---|---|---|
| auditd | Linux audit system to monitor permission changes |
# Install auditd
apt install auditd
# Add audit rule for chmod
auditctl -w /bin/chmod -p x -k permission_changes
# Add audit rule for chown
auditctl -w /bin/chown -p x -k permission_changes
# View audit logs
ausearch -k permission_changes
|
| File integrity monitoring | Tools that monitor file changes including permissions |
# Install AIDE
apt install aide
# Initialize database
aide --init
# Check for changes
aide --check
|
Permissions in Networked File Systems (NFS, SMB)
| System | Permission Characteristics | Example |
|---|---|---|
| NFS (Network File System) | Maps UIDs/GIDs between systems; can use root_squash to restrict root access |
# /etc/exports entry with permission options
/shared *(rw,sync,no_root_squash)
# Mounting with specific permissions
mount -o rw,users server:/shared /mnt/shared
|
| Samba (SMB/CIFS) | Can map to UNIX permissions or use Windows ACLs |
# Samba share with permissions in smb.conf
[shared]
path = /shared
valid users = @staff
writable = yes
create mask = 0644
directory mask = 0755
|
SELinux/AppArmor and Extended Permissions
| System | Description | Example |
|---|---|---|
| SELinux | Security Enhancement for Linux providing Mandatory Access Control |
# View SELinux context of a file
ls -Z /var/www/html/index.html
# Change SELinux context
chcon -t httpd_sys_content_t /path/to/file
# Set default context for web content
semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
restorecon -R /web
|
| AppArmor | Application security system that restricts program capabilities |
# View AppArmor status
aa-status
# Put profile in complain mode
aa-complain /usr/sbin/apache2
# Put profile in enforce mode
aa-enforce /usr/sbin/apache2
|
Permissions in Docker Containers and Mounted Volumes
| Concept | Description | Example |
|---|---|---|
| Volume permissions | Container UIDs/GIDs may not match host UIDs/GIDs |
# Set explicit ownership on mounted volume
docker run -v /host/data:/container/data:rw \
--user 1000:1000 my-image
# Use chown when creating volume
docker run -v /host/data:/container/data:rw \
my-image chown -R user:group /container/data
|
| Docker security implications | Running containers as root can pose security risks |
# Run container as non-root user
docker run --user 1000:1000 my-image
# In Dockerfile
USER appuser
|
User and Group ID Mapping (UID/GID Concepts)
| Concept | Description | Example |
|---|---|---|
| UID/GID | Numeric IDs that define users and groups in Linux |
# View user and group info
id username
# View file ownership by ID
ls -ln /path/to/file
|
| Orphaned UIDs/GIDs | Files owned by deleted users or groups |
# Find files with no valid owner
find / -nouser
# Find files with no valid group
find / -nogroup
# Fix orphaned files
chown newuser:newgroup /path/to/orphaned/file
|
| Managing system users | System services often use specific UIDs/GIDs |
# Create system user
useradd -r -s /usr/sbin/nologin serviceuser
# Create system group
groupadd -r servicegroup
|
Inheriting Permissions in Different Filesystems
| Filesystem | Inheritance Behavior | Example/Control |
|---|---|---|
| Standard Linux filesystems (ext4, XFS) | New files inherit the group of parent directory if SGID is set; umask affects new file permissions |
# Set SGID on directory
chmod g+s /shared/project
# Files created will inherit the group
touch /shared/project/newfile
|
| NFSv4 | Supports ACL inheritance |
# Set inherited ACLs with NFSv4
nfs4_setfacl -a A:fd:user@domain:rwx /mnt/nfs/dir
|
| ZFS | Can set ACL inheritance flags |
# Set ACL inheritance on ZFS
chmod A+everyone@:read_data/inherited:allow /tank/data
|
Permission Masks in Cloud and Virtualized Environments (AWS, Azure)
| Environment | Permission Considerations | Example |
|---|---|---|
| AWS EC2 | Default umask may differ depending on AMI |
# Check current umask
umask
# Set default umask in /etc/profile or ~/.bashrc
umask 022
|
| AWS S3 | Object storage uses ACLs instead of UNIX permissions |
# AWS CLI S3 command with ACL
aws s3 cp file.txt s3://bucket/ --acl public-read
|
| Docker/container environments | Container images may have different default permissions |
# In Dockerfile
RUN mkdir -p /app && chmod 755 /app
COPY --chown=appuser:appgroup app/ /app/
|
Immutable and Append-Only Attributes (chattr, lsattr)
| Command/Attribute | Description | Example |
|---|---|---|
chattr +i file | Make a file immutable – cannot be modified, renamed, deleted, or linked |
# Make a file immutable
chattr +i important.conf
# Try to modify an immutable file
$ rm important.conf
rm: cannot remove 'important.conf': Operation not permitted
|
chattr +a file | Make a file append-only – can only be opened in append mode |
# Make a log file append-only
chattr +a logfile.log
# Can add data:
echo "new entry" >> logfile.log
# Cannot truncate:
$ echo "overwrite" > logfile.log
bash: logfile.log: Operation not permitted
|
lsattr file | View file attributes |
$ lsattr important.conf
----i--------e-- important.conf
$ lsattr logfile.log
-----a-------e-- logfile.log
|
Filesystem Mount Options and Permissions (noexec, nosuid)
| Mount Option | Description | Example |
|---|---|---|
| noexec | Prevents execution of binaries on the mounted filesystem |
# Mount with noexec
mount -o noexec /dev/sdb1 /mnt/data
# In /etc/fstab
/dev/sdb1 /mnt/data ext4 defaults,noexec 0 0
|
| nosuid | Disables SUID/SGID bits on the mounted filesystem |
# Mount with nosuid
mount -o nosuid /dev/sdb1 /mnt/data
# In /etc/fstab
/dev/sdb1 /mnt/data ext4 defaults,nosuid 0 0
|
| nodev | Prevents interpretation of character or block special devices |
# Mount with multiple security options
mount -o noexec,nosuid,nodev /dev/sdb1 /mnt/data
|
Effective Permissions vs Displayed Permissions
| Concept | Description | Example/Check |
|---|---|---|
| Effective permissions | The actual permissions a user has after considering all factors | A combination of file permissions, ACLs, and extended security frameworks |
| Primary group vs. supplementary groups | Users can belong to multiple groups but have one primary group |
# Check all groups a user belongs to
groups username
# Check effective group membership
id username
|
| Checking effective permissions | Test actual access rather than just viewing permissions |
# Test file access as a different user
sudo -u otheruser cat /path/to/file
# Check access while considering ACLs
getfacl /path/to/file
|
Temporary Permission Changes (umask in scripts)
| Technique | Description | Example |
|---|---|---|
| Temporary umask | Change umask temporarily for script execution |
#!/bin/bash
# Save original umask
old_umask=$(umask)
# Set strict umask
umask 077
# Create sensitive file
touch sensitive_data.txt
echo "secret" > sensitive_data.txt
# Restore original umask
umask $old_umask
|
| Context-specific permissions | Temporary permission changes for specific operations |
# Temporarily open permissions, then restore
chmod 644 config.file
editor config.file
chmod 600 config.file
|
| Temporary group membership | Run commands with temporary group context |
# Run a command with a different group
sg developers -c "touch /shared/project/newfile"
# Run as a different user/group
sudo -u webuser -g webgroup command
|
