OS Notes
Linux file permissions and security — rwx permissions, ownership, special permissions (setuid, setgid, sticky bit), umask, sudo, SELinux basics, and hardening Linux systems.
Introduction
Linux is a multi-user operating system, and file permissions are the primary mechanism that prevents users from interfering with each other. Every file and directory has an owner, a group, and a set of permission bits that control exactly who can read, write, or execute it. Understanding permissions deeply is not just an academic exercise — it is essential for system administration, security hardening, and daily work on any Linux system.
A single misconfigured permission (like making /etc/shadow world-readable or a web script writable by everyone) can compromise an entire system. Let us understand how Linux permissions work at every level.
Basic Permission Model
Every file has three sets of permissions for three classes of users:
| -rwxr-xr-- 1 alice developers 4096 Jun 10 14 | 30 deploy.sh |
| │││ │││ └──── Other | read only (r--) |
| │││ └────── Group | read + execute (r-x) |
| └──────── Owner | read + write + execute (rwx) |
Permission Meanings
| Permission | On Files | On Directories |
|---|---|---|
r (read) | View file contents | List directory contents (ls) |
w (write) | Modify file contents | Create/delete files inside |
x (execute) | Run as program | Access directory (cd into it) |
Important for directories: Without x on a directory, you cannot access anything inside it — even if you know the exact filename. Without r, you cannot list contents but CAN access files if you know their names (assuming x is set).
Changing Permissions
# Numeric (octal) method — most common
chmod 755 script.sh # rwxr-xr-x
chmod 644 config.txt # rw-r--r--
chmod 600 private.key # rw------- (only owner can access)
# Symbolic method
chmod u+x file # Add execute for user (owner)
chmod g-w file # Remove write from group
chmod o= file # Remove all permissions for others
chmod a+r file # Add read for all (a = all = u+g+o)
# Recursive (apply to directory and all contents)
chmod -R 750 /var/www/app/Changing Ownership
# Change owner
chown alice file.txt
# Change owner and group
chown alice:developers file.txt
# Change group only
chgrp developers file.txt
# Recursive
chown -R www-data:www-data /var/www/Special Permissions
Beyond basic rwx, Linux has three special permission bits:
Setuid (Set User ID)
When set on an executable, it runs with the file OWNER's permissions rather than the executing user's permissions.
# The passwd command needs to modify /etc/shadow (owned by root)
# Solution: setuid bit — it runs as root regardless of who calls it
-rwsr-xr-x 1 root root 59640 passwd
# ^ 's' in owner execute position = setuid
# Set setuid
chmod u+s program
chmod 4755 program # 4 prefix = setuidSecurity risk: A vulnerable setuid-root program gives attackers root access. Minimize setuid programs and audit them carefully.
Setgid (Set Group ID)
On executables: runs with file's group permissions. On directories: new files inherit the directory's group (not the creator's primary group).
# Shared project directory — all files get 'developers' group
chmod g+s /shared/project/
# Now: touch /shared/project/newfile → group is 'developers'Sticky Bit
On directories: prevents users from deleting files they do not own, even if they have write permission on the directory.
# /tmp has sticky bit — anyone can create files, but only delete their own
drwxrwxrwt 10 root root 4096 tmp
# ^ 't' = sticky bit
chmod +t /shared/dropbox/
chmod 1777 /tmp # 1 prefix = sticky bitUmask — Default Permission Filter
The umask determines default permissions for newly created files:
# Check current umask
umask # Typically 0022
# How it works:
# Default file permission: 666 (rw-rw-rw-)
# Umask: 022
# Result: 644 (rw-r--r--)
# Default directory permission: 777 (rwxrwxrwx)
# Umask: 022
# Result: 755 (rwxr-xr-x)
# Set stricter umask (private files)
umask 077 # Files: 600, Directories: 700Sudo — Controlled Privilege Escalation
sudo allows authorized users to execute commands as root (or another user) without knowing the root password:
# Run single command as root
sudo systemctl restart nginx
# Edit file as root
sudo vim /etc/hosts
# Run shell as root
sudo -i
# Run command as another user
sudo -u postgres psqlThe /etc/sudoers file (edited with visudo) controls who can do what:
# Allow alice full sudo access
alice ALL=(ALL:ALL) ALL
# Allow developers group to restart services without password
%developers ALL=(root) NOPASSWD: /bin/systemctl restart *
# Allow bob to run only specific commands
bob ALL=(root) /usr/bin/apt update, /usr/bin/apt upgradeSELinux — Mandatory Access Control
SELinux adds a mandatory layer on top of standard permissions:
# View SELinux context
ls -Z /var/www/html/index.html
# unconfined_u:object_r:httpd_sys_content_t:s0
# Every process has a context (domain)
ps auxZ | grep httpd
# system_u:system_r:httpd_t:s0 /usr/sbin/httpd
# SELinux rule: httpd_t can read httpd_sys_content_t
# Even if standard permissions allow access, SELinux can still denyKey concept: Even root cannot override SELinux policies in enforcing mode. A compromised web server with root access still cannot read /etc/shadow if SELinux policy does not allow httpd_t to access shadow_t files.
Security Hardening Checklist
# 1. No world-writable files in sensitive locations
find / -perm -002 -type f 2>/dev/null
# 2. Find setuid/setgid programs (potential escalation vectors)
find / -perm /6000 -type f 2>/dev/null
# 3. Ensure important files have correct permissions
chmod 600 /etc/shadow
chmod 644 /etc/passwd
chmod 700 /root
# 4. No unowned files (could be from deleted users)
find / -nouser -o -nogroup 2>/dev/null
# 5. SSH key permissions (SSH refuses insecure keys)
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pubKey Takeaways
- Linux permissions (rwx) control access at three levels: owner, group, others
- Special permissions (setuid, setgid, sticky) solve specific sharing and security problems
- Umask controls default permissions for new files — set it appropriately for your environment
- Sudo provides controlled privilege escalation without sharing root password
- SELinux adds mandatory access control that even root cannot bypass
- Regular permission auditing catches misconfigurations before attackers exploit them
- The principle of least privilege should guide every permission decision
Exam Focus
Revise definitions, diagrams, examples, and short-answer points for Permissions and Security - Linux Security.
Interview Use
Prepare one clear explanation, one practical example, and one common mistake for this Operating Systems topic.
Search Terms
operating-systems, operating systems, operating, systems, linux, and, unix, permissions
Related Operating Systems Topics