🚀Day 07- Linux File Permission, Umask, and Access Control List(ACL)

What are Linux file permissions and why are they important?

File permissions are core to the security model used by Linux systems. They determine who can access files and directories on a system.

On Linux, file permissions let you control the level of access users have to files. File ownership is used to determine who has overall jurisdiction over a file. All files in Linux belong to an owner and a group.

Understanding how groups and owners are assigned and used to manage access to files and folders is important. Permissions are rarely determined by assigning individual user accounts to files and folders because it’s too difficult to manage at scale.

How do you view Linux File Permissions?

The ls command along with its -l (for long listing) option will show you metadata about your Linux files, including the permissions set on the file.

$ ls -l
-rw-r--r--. 1 root root  4017 Feb 24  2022 file.txt

Let’s analyze the output of this command. Each line describes one file, left to right:

The first character is the file type: ‘-‘ means a regular file, ‘d’ means a directory (other values exist, for example ‘l’ for a symbolic link).

  1. The next nine characters (rw-r--r--) are the permission bits, in three groups of three: owner, group, others. A trailing ‘.’ after them means the file carries an SELinux security context; a ‘+’ in that position means an ACL is set on the file.

  2. The next column is the number of hard links to the file (here 1).

  3. The next column shows the user owner of the file (here root).

  4. The next column shows the group owner of the file (here also root). Membership of this group is what the middle permission triplet applies to.

  5. The next column shows the size of the file in bytes.

  6. The next column shows the date and time the file was last modified.

  7. The last column is the file or directory name (here file.txt).

Permission Groups

Each file and directory has three user-based permission groups:

  • owner – The owner permissions apply only to the user who owns the file or directory; they do not affect what other users can do.

  • group – The group permissions apply to every member of the group assigned to the file or directory, except the owner: the kernel checks only the triplet that matches first, so an owner with no owner bits gets nothing even if the group triplet is rwx.

  • others – The others permissions (sometimes called "all users" or "world") apply to every other account on the system. This is the triplet to watch most closely, because anything granted here is granted to every local user and every service account.

Permission Types

Each file or directory has three basic permission types, and each means something slightly different on a directory than on a file:

  • read – On a file, read lets a user read its contents. On a directory, read lets a user list the names in it.

  • write – On a file, write lets a user modify its contents. On a directory, write lets a user create, delete and rename entries in it; deleting a file needs write on the directory, not on the file itself.

  • execute – On a file, execute lets a user run it as a program. On a directory, execute (often called "search") lets a user enter it and reach entries inside by name; without it, read on the directory still does not let you open anything in it.

Explicitly Defining Permissions

To explicitly define permissions you will need to reference the Permission Group and Permission Types.

The Permission Groups used are:

  • u – Owner

  • g – Group

  • o – Others

  • a – All users

The Permission Types that are used are:

  • r – Read

  • w – Write

  • x – Execute

The potential assignment operators are + (plus), - (minus), and = (equal). These tell the system whether to add, remove, or set exactly the specified permissions.

What are octal values?

When Linux file permissions are represented by numbers, it's called numeric mode. In numeric mode, a three-digit value represents specific file permissions (for example, 744.) These are called octal values. The first digit is for owner permissions, the second digit is for group permissions, and the third is for other users. Each permission has a numeric value assigned to it:

  • r (read): 4

  • w (write): 2

  • x (execute): 1

Permission Table

Each octal digit is the sum of the values it contains:

  0 --> --- (none)
  1 --> --x (execute)
  2 --> -w- (write)
  3 --> -wx (write + execute)
  4 --> r-- (read)
  5 --> r-x (read + execute)
  6 --> rw- (read + write)
  7 --> rwx (read + write + execute)

So 744 is rwxr--r--: 7 for the owner, 4 for the group, 4 for others.

Changing Permissions

  • To change permissions the chmod command is used

  • Only the file's user owner (or root) may change its mode; being a member of the group owner is not enough. If you own the file there is no need to put sudo before chmod.

Symbolic Mode

+ represents add

- represents remove

= is used to set the permissions

Symbolic Mode Examples:

chmod u+x file --> Add execute permission for the user owner

chmod g-w file1 file2 --> Remove write permission for the group on two files

chmod o+wx file --> Add write and execute permission for others

chmod u+r,g-x file --> Add read for the user owner, remove execute for the group

chmod u+rx-w,g-r+w file --> Add read and execute and remove write for the user owner; remove read and add write for the group

chmod a+x file --> Add execute for all three roles

chmod u=w file --> Set the user owner's permissions to exactly write (read and execute are cleared)

chmod g=r,o=wx file --> Set the group's permissions to exactly read, and others' to exactly write and execute

chmod a=rwx file --> Give all permissions to all roles (the same as chmod 777)

Numeric Mode

4 represents read (r) permission

2 represents write (w) permission

1 represents execute (x) permission

Numeric Mode Examples:

chmod 104 file --> 1 (execute only) for the user owner, 0 (nothing) for the group, 4 (read) for others: --x---r--

chmod 450 file --> 4 (read) for the user owner, 5 (read and execute) for the group, 0 (nothing) for others: r--r-x---

chmod 777 file --> All permissions for all roles (rwxrwxrwx). Avoid this on anything but scratch data: it lets every account on the system modify the file

File Ownership

  • To change ownership the chown command is used (see Changing Ownership below)

There are two types of owners for each file and directory

  1. User Owner

  2. Group Owner

Whenever you run ls -l you can see the owner for each file in the 3rd and 4th columns i.e user owner & group owner

Changing Ownership

  • To change ownership the chown & chgrp commands are used. On Linux only root can change the user owner (which is why the examples below use sudo); the file's owner may change the group owner without sudo, but only to a group they belong to. Changing the owner or group of an executable also clears its SUID/SGID bits.
  1. Change user owner

    chown <username/UID> file --> Change user owner using username or UID

    chown <username/UID> file1 file2 --> Change user owner for multiple files

    e.g sudo chown ubuntu file.txt

  2. Change group owner

    sudo chown :<groupname/GID> file --> Change group owner using group name or GID. Multiple files can be given in the command

    e.g sudo chown :ubuntu file.txt

    sudo chgrp <groupname/GID> file --> Change group owner using group name or GID. Multiple files can be given in the command

    e.g sudo chgrp ubuntu file.txt

  3. Change both Owners

    sudo chown <username/UID>:<groupname/GID> file --> Change both the owners

    Multiple files can be provided in the command. Any combination of ID and name works

    e.g sudo chown ubuntu:ubuntu file.txt

Special File Permissions

1. SUID (set-user-id)

  • By default, when a user executes a program, the resulting process runs with that user's own privileges: its effective UID is the UID of whoever ran it

  • If SUID is set on an executable, the process runs with the effective UID of the file's user owner, no matter who executes it. This is how passwd can update /etc/shadow on behalf of ordinary users, and also why a SUID root binary that can be tricked into running arbitrary commands is a complete privilege escalation. The bit only matters on binaries: Linux ignores SUID on interpreted scripts (files started through a #! line), and chown clears it.

  • Set SUID

    sudo chmod u+s file --> Set SUID for the user owner

    -rwsr-xr-x. 1 root root 4017 Feb 24 2022 file.txt

    sudo chmod 4xxx file --> Set SUID along with the other permissions in one go. In numeric mode a leading fourth digit carries the special bits, and '4' there represents SUID (chmod 4755 gives rwsr-xr-x; the listing below is what chmod 4644 produces)

    -rwSr--r--. 1 root root 4017 Feb 24 2022 file.txt

    sudo chmod u-s file --> Remove SUID from the user owner

    NOTE:- If a file has both 'x' and SUID for the owner then it is represented as 's' (lower case) in the owner's execute position, otherwise 'S' (upper case), which means the bit is set but the owner cannot execute the file, so the bit has no effect

2. SGID (set-group-id)

  • On an executable file, SGID works like SUID for the group: the process runs with the effective GID of the file's group owner, no matter who executes it

  • On a directory, SGID controls inheritance. By default, when a user creates a file inside a directory, the file's group owner is the creating user's primary group. If SGID is set on the directory, every file created inside it gets the directory's group owner instead, whoever creates it, and new subdirectories also inherit the SGID bit. This is the standard way to build a shared project directory for a team

  • Set SGID

    sudo chmod g+s file --> Set SGID for the group owner

    -rwxrwsr-x. 1 root root 4017 Feb 24 2022 file.txt

    sudo chmod 2xxx file --> Set SGID with other permissions; in numeric mode '2' in the leading digit represents SGID (for example chmod 2775 on a shared directory; the listing below is what chmod 2664 produces)

    -rw-rwSr--. 1 root root 4017 Feb 24 2022 file.txt

    sudo chmod g-s file --> Remove SGID from the group owner

    NOTE:- If the file has both 'x' and SGID for the group then it is represented as 's' otherwise 'S' (bit set but not group-executable). A user who is not a member of the file's group cannot set SGID on it: the kernel silently drops the bit

3. Sticky Bit

The sticky bit is a special permission that, on Linux, only has meaning on directories (it can be set on a regular file, but the kernel ignores it there). When the sticky bit is enabled on a directory, only the owner of a file, the owner of the directory, and the superuser can delete or rename that file, even though other users may have write permission on the directory. /tmp is the classic example: everyone can create files there, but nobody can remove anyone else's.

sudo chmod +t directory --> Set the sticky bit on the directory (o+t does the same)

drwxrwxrwt. 2 root root 4096 Feb 24 2022 folder

sudo chmod 1xxx directory --> Set the sticky bit along with the other permissions. Its numeric value in the leading digit is 1 (chmod 1777 is how /tmp is set)

sudo chmod -t directory --> Remove the sticky bit from the directory

NOTE:- If the directory has both 'x' for others and the sticky bit then it is represented as 't' in the others' execute position, otherwise 'T'
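
The octal digits of the numeric mode section and the special bits above are two views of the same twelve bits. The added example below, which is not code from the original article, converts an octal mode (three or four digits) into the nine-character string ls -l prints, including the s/S and t/T cases, and then checks the converter against what the kernel reports through stat(1). It assumes GNU coreutils (stat -c) and a filesystem that stores the special bits; the scratch files live in a temporary directory that is removed afterwards.

```shell
#!/bin/sh
# Added example, not code from the original article: convert an octal mode
# (three or four digits, e.g. 4755) into the nine-character string that ls -l
# prints, including SUID/SGID/sticky and the s/S, t/T distinction, then
# cross-check the converter against what the kernel reports via stat(1).
# Assumes GNU coreutils (stat -c) and a filesystem that stores the special bits.

# octal_to_symbolic 4755 -> rwsr-xr-x ; octal_to_symbolic 644 -> rw-r--r--
octal_to_symbolic() {
    mode=$((0$1))                      # leading 0 forces octal interpretation
    special=$(( (mode >> 9) & 7 ))     # 4 = SUID, 2 = SGID, 1 = sticky
    out=""
    i=2                                # triplets: 2 = owner, 1 = group, 0 = others
    while [ "$i" -ge 0 ]; do
        bits=$(( (mode >> (i * 3)) & 7 ))
        r=-; w=-; x=-
        if [ $((bits & 4)) -ne 0 ]; then r=r; fi
        if [ $((bits & 2)) -ne 0 ]; then w=w; fi
        if [ $((bits & 1)) -ne 0 ]; then x=x; fi
        # A special bit is shown in the execute column of its own triplet:
        # lower case when x is also set, upper case when it is not (the bit
        # is stored but the file is not executable there, so it has no effect).
        flag=-
        if [ "$i" -eq 2 ] && [ $((special & 4)) -ne 0 ]; then flag=s; fi
        if [ "$i" -eq 1 ] && [ $((special & 2)) -ne 0 ]; then flag=s; fi
        if [ "$i" -eq 0 ] && [ $((special & 1)) -ne 0 ]; then flag=t; fi
        if [ "$flag" != - ]; then
            if [ "$x" = x ]; then
                x=$flag
            else
                case $flag in s) x=S ;; t) x=T ;; esac
            fi
        fi
        out="$out$r$w$x"
        i=$((i - 1))
    done
    printf '%s\n' "$out"
}

# verify_with_stat: set the special bits on scratch objects and report what
# the kernel shows, minus the leading file-type character, so the output can
# be compared with octal_to_symbolic. SGID is left out on purpose: the kernel
# drops it on chmod when the caller is not in the file's group, which depends
# on the account running this script.
verify_with_stat() {
    tmp=$(mktemp -d)
    : > "$tmp/bin"
    mkdir "$tmp/shared"
    chmod 4755 "$tmp/bin";    a=$(stat -c %A "$tmp/bin")      # rwsr-xr-x
    chmod 4644 "$tmp/bin";    b=$(stat -c %A "$tmp/bin")      # rwSr--r--, S: no x
    chmod 1777 "$tmp/shared"; c=$(stat -c %A "$tmp/shared")   # rwxrwxrwt, like /tmp
    rm -rf "$tmp"
    printf '%s %s %s\n' "${a#?}" "${b#?}" "${c#?}"
}

# Stand-alone run: print each conversion, then the kernel's own rendering.
for m in 4755 4644 2775 1777 644; do
    printf '%s -> %s\n' "$m" "$(octal_to_symbolic "$m")"
done
printf 'stat says: %s\n' "$(verify_with_stat)"
```

When auditing a host, the same bits are what you search for: find / -perm -4000 -type f and find / -perm -2000 -type f list every SUID and SGID file, and each entry is a program worth knowing the owner and purpose of.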

Umask

umask (user file-creation mode mask) is a shell built-in, backed by a system call of the same name, that sets the default permissions for newly created files and directories.

A user can restrict the permissions of the files they create with a permission mask. The mask interacts with the default system permissions and removes bits from them. The umask command is used to view and apply this mask.

Syntax:
umask [-p] [-S] [mask]

Options:
[mask]: The new permission mask to apply. Without it, umask prints the current mask, by default as a numeric (octal) value.
[-S]: Displays the current mask as a symbolic value, i.e. the permissions that will remain (for 022: u=rwx,g=rx,o=rx).
[-p]: Displays the current mask together with the umask command itself, so the output can be pasted back into a script.

Octal umask values 022 and 002 explained

A umask does not grant permissions; it removes them. The base permissions the kernel starts from are 666 (rw-rw-rw-) for new files and 777 (rwxrwxrwx) for new directories. Ordinary tools request 666 for files, so a new file never has execute permission whatever the umask (programs that produce executables, such as compilers, request 777 instead). Every bit set in the mask is cleared from the base:

  1. umask 002, the default for normal users on distributions that give every user a private group, yields 775 (rwxrwxr-x) for directories and 664 (rw-rw-r--) for files.

  2. umask 022, the usual default for root (and for normal users on many other distributions), yields 755 (rwxr-xr-x) for directories and 644 (rw-r--r--) for files.

How to Calculate Umask Values

The resulting mode is base AND NOT mask, a bitwise operation, not decimal subtraction. The two agree as long as the mask only clears bits that the base actually has, which is why 777 - 022 = 755 and 666 - 022 = 644 look like ordinary subtraction. They disagree as soon as the mask names a bit the base lacks: for files under umask 033, subtraction would give 633, but the execute bit that the 3 would remove is not in 666 to begin with, so the real result is 644.

For example, if you want new directories to be created as 444 (read only for everyone), you apply a umask of 333: 777 with the 444 bits removed. Files created under the same mask also come out as 444, since the only bits 333 clears from 666 are the write bits.
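
To see the bitwise rule and the kernel agree, here is an added example (not code from the original article). effective_mode does the arithmetic; created_mode creates a real file or directory under a given umask, in a subshell so the caller's umask is untouched, and reports the mode the kernel assigned. It assumes GNU coreutils stat -c and a writable temporary directory without a default ACL.

```shell
#!/bin/sh
# Added example, not code from the original article: the mode a new file or
# directory receives is BASE AND NOT UMASK, a bitwise operation, which only
# looks like decimal subtraction while the mask clears bits the base has.
# Assumes GNU coreutils stat -c and a temporary directory with no default ACL.

# effective_mode BASE UMASK -> resulting octal mode, e.g. effective_mode 666 033 -> 644
effective_mode() {
    # 0-prefixes force octal; & 0777 drops any bits outside the rwx range
    printf '%o\n' "$(( 0$1 & ~0$2 & 0777 ))"
}

# created_mode file|dir UMASK -> the mode the kernel gave a freshly created object
created_mode() {
    tmp=$(mktemp -d)
    if [ "$1" = dir ]; then
        (umask "$2"; mkdir "$tmp/new")          # mkdir asks for 777
    else
        (umask "$2"; : > "$tmp/new")            # open(O_CREAT) asks for 666
    fi
    mode=$(stat -c %a "$tmp/new")
    rm -rf "$tmp"
    printf '%s\n' "$mode"
}

# Stand-alone run: 022 and 002 match subtraction, 033 does not (633 vs 644),
# and 077 is what you want for files that must stay private to their owner.
for u in 022 002 033 077; do
    printf 'umask %s: file %s (kernel %s), dir %s (kernel %s)\n' "$u" \
        "$(effective_mode 666 "$u")" "$(created_mode file "$u")" \
        "$(effective_mode 777 "$u")" "$(created_mode dir "$u")"
done
```

The subshell matters: umask is a per-process attribute that children inherit, so a script that needs a stricter mask for one step should set it in a subshell or restore the old value afterwards rather than leaving it changed for everything that follows.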

How to Set and Update the Default Umask Value

Use the following syntax to apply a new umask value in the current shell:

$ umask [mask]

Where [mask] is the mask you want to apply, as either a symbolic or numeric value. The setting is a property of the shell process and is inherited by the programs it starts; it is not stored anywhere, so it lasts only until the shell exits.

To make it persistent, set it in a startup file. Most Linux distros set the default to 0022 (022) or 0002 (002) in /etc/profile or /etc/bashrc. On modern distros the cleanest way to override the default for ALL USERS is to create a file under /etc/profile.d/ (the file name below is just an example):

# vi /etc/profile.d/set-umask-for-all-users.sh

or edit your personal ~/.bashrc or ~/.bash_profile to override it for your own logins only:

$ vi ~/.bashrc

Append or modify the following line to set the new umask:

umask 022

Users of other shells do the same in their own startup files: ~/.profile (Korn / Bourne shell), ~/.cshrc (C shells) or ~/.login (defines the user’s environment at login). Keep in mind that these files are only read by interactive shells: a service started by systemd never sees them (set UMask= in its unit file instead), and where the pam_umask module is enabled the login-time default comes from the UMASK setting in /etc/login.defs.

Access Control Lists (ACLs) in Linux

The standard permission bits can express rights for exactly one user (the owner), one group, and everybody else. Access Control Lists (ACLs) extend this: an ACL is a set of entries that grant read, write, and execute permissions to additional, specifically named users and groups on a file or directory, on top of the owner/group/others triplets.

Use of ACL :
Think of a scenario in which a particular user is not a member of a group you created, but you still want to give them read or write access to a file. How do you do that without making the user a member of the group, or opening the file to everyone else? This is where Access Control Lists come in.

Basically, ACLs are used to make the Linux permission mechanism more flexible.

ACLs define more fine-grained discretionary access rights for files and directories. The filesystem must support them (the common Linux filesystems do) and the acl package must be installed.

setfacl and getfacl are used for setting up an ACL and showing it, respectively.

Examples of ACL

  1. Check ACL permissions for a file or directory - getfacl <file/dir>

    eg. getfacl file.txt

  2. Set an ACL entry for a user - setfacl -m "u:<user>:<permissions>" <file/dir>

    eg. setfacl -m "u:testuser:rwx" file.txt

    If you run ls -l after setting an ACL, you will see a + at the end of the permission string, which indicates that ACL entries have been added to that file/dir. From then on the group column of that listing shows the ACL mask, the upper bound on what any named user or group entry can grant, rather than the group owner's own permissions; use getfacl to see the real entries.

  3. Set an ACL entry for a group - setfacl -m "g:<group>:<permissions>" <file/dir>

    eg. setfacl -m "g:testgroup:rwx" file.txt

    On a directory you can add -d along with -m to set a default ACL: files and subdirectories created inside that directory afterwards inherit the entry. Existing contents are not touched; use -R to apply an entry recursively to what is already there.

  4. Remove a specific user ACL entry - setfacl -x "u:<user>" <file/dir>

    eg. setfacl -x "u:testuser" file.txt

  5. Remove a specific group ACL entry - setfacl -x "g:<group>" <file/dir>

    eg. setfacl -x "g:testgroup" file.txt

  6. Remove all ACL entries - setfacl -b <file/dir>

    eg. setfacl -b file.txt
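
The interaction between an ACL and a later chmod is the part that bites in practice, so here is an added example (not code from the original article) that grants a named user access and then shows what chmod does to it. It assumes the acl package (setfacl/getfacl) and an ACL-capable filesystem, and prints skip if either is missing; the numeric uid 65534 standing in for "some other user" is an assumption (nobody on most distributions, and setfacl accepts numeric ids even when no passwd entry exists).

```shell
#!/bin/sh
# Added example, not code from the original article: grant a named user access
# through an ACL, then demonstrate two things the setfacl commands above do not
# show by themselves: ls -l marks the file with "+", and the ACL mask (which is
# what the group column of ls -l displays once an ACL exists) caps every named
# entry, so a later chmod on the group bits silently downgrades the named user.
# Assumes setfacl/getfacl and an ACL-capable filesystem; uid 65534 is an
# assumption for "a user who is neither the owner nor in the group".

# acl_demo -> "<ls marker>|<mask after setfacl>|<mask after chmod>|<effective rights of uid 65534>"
#             or "skip" when ACLs cannot be used here
acl_demo() {
    tmp=$(mktemp -d)
    f="$tmp/report.txt"
    : > "$f"
    chmod 640 "$f"                          # owner rw, group r, others nothing
    # Grant rw to uid 65534; setfacl recalculates the mask to cover it.
    if ! setfacl -m u:65534:rw "$f" 2>/dev/null; then
        rm -rf "$tmp"; echo skip; return 0  # acl tools or fs support missing
    fi
    marker=$(ls -l "$f" | cut -c11)         # 11th character is "+" with an ACL
    mask_before=$(getfacl -n "$f" | sed -n 's/^mask::\([-rwx]*\).*/\1/p')
    # chmod on the group bits now rewrites the ACL mask, not the group entry.
    chmod g=r "$f"
    mask_after=$(getfacl -n "$f" | sed -n 's/^mask::\([-rwx]*\).*/\1/p')
    # getfacl annotates entries the mask restricts with "#effective:".
    effective=$(getfacl -n "$f" | sed -n 's/^user:65534:.*#effective:\([-rwx]*\).*/\1/p')
    rm -rf "$tmp"
    printf '%s|%s|%s|%s\n' "$marker" "$mask_before" "$mask_after" "$effective"
}

# Stand-alone run. Expected on an ACL-capable system: +|rw-|r--|r--
# The named user was granted rw-, but after chmod g=r only r-- is effective.
printf 'result: %s\n' "$(acl_demo)"
```

The lesson for reviews and incident work: ls -l is not enough on a file with a + marker. The group column is the mask, the named entries are invisible, and any chmod that touches the group bits changes who can do what through the ACL without anyone editing the ACL itself. Run getfacl, and check directories for default entries, which are what new files will inherit.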

Thank you for reading. I hope you will find this article helpful. if you like it please share it with others

Mohd Ishtikhar Khan : )