# In-Depth Analysis of Linux File Permissions: From Basics to Special Permissions

Contents:

1. Linux File Types: Understanding the “ID Card” of Files
2. Basic Permissions: The Mystery of rwx
3. Permission Management Commands
4. Special Permissions: SUID, SGID, Sticky Bit
5. umask: Default Permission Control
6. ACL: Fine-Grained Permission Control
7. Practical Case Analysis
8. Permission Troubleshooting Techniques
9. Best Security Practices
10. Summary
In the multi-user system of Linux, file permissions are the first line of defense for protecting system security. Whether preventing accidental operations or resisting malicious attacks, reasonable permission settings are crucial. Today, we will unveil the mystery of the Linux permission system, transforming you from a “user” of permissions to a “master” of them.
## 1. Linux File Types: Understanding the “ID Card” of Files

Before delving into permissions, we first need to understand the file types in Linux. The first character of each line of `ls -l` output identifies the type of file:

```text
$ ls -l
total 48
-rw-r--r-- 1 root  root   120 Jun 15 10:30 config.txt        # Regular file
drwxr-xr-x 2 root  root  4096 Jun 15 10:30 documents/        # Directory
lrwxrwxrwx 1 root  root     8 Jun 15 10:30 link -> file.txt  # Symbolic link
crw-rw-rw- 1 root  tty   5, 0 Jun 15 10:30 /dev/tty          # Character device
brw-r----- 1 root  disk  8, 0 Jun 15 10:30 /dev/sda          # Block device
srwxr-xr-x 1 mysql mysql    0 Jun 15 10:30 mysql.sock        # Socket file
prw------- 1 root  root     0 Jun 15 10:30 mypipe            # Pipe file
```

Detailed Explanation of File Types:

- `-`: Regular file (text, binary, image, etc.)
- `d`: Directory
- `l`: Symbolic link (equivalent to a Windows shortcut)
- `c`: Character device (e.g., terminal, serial port)
- `b`: Block device (e.g., hard disk, CD-ROM)
- `s`: Socket file (inter-process communication)
- `p`: Pipe file (inter-process communication)
## 2. Basic Permissions: The Mystery of rwx

### 1. Breakdown of Permission Bits

When we see `-rwxr-xr--`, it should be read as four fields:

```text
 -      rwx      r-x      r--
 |       |        |        |
Type    User    Group   Other users
```

Meaning of Permission Characters:

- `r` (Read): Read permission
  - File: can view the file's content
  - Directory: can list the directory's contents (`ls`)
- `w` (Write): Write permission
  - File: can modify the file's content
  - Directory: can create, delete, or rename files in the directory
- `x` (Execute): Execute permission
  - File: can be executed as a program
  - Directory: can enter the directory (`cd`)
### 2. Numeric Representation of Permissions

Permissions can also be represented as a three-digit octal number, which is the more common way to set them:

| Permission | Binary | Octal | Meaning |
|---|---|---|---|
| `---` | 000 | 0 | No permissions |
| `--x` | 001 | 1 | Execute |
| `-w-` | 010 | 2 | Write |
| `-wx` | 011 | 3 | Write + Execute |
| `r--` | 100 | 4 | Read |
| `r-x` | 101 | 5 | Read + Execute |
| `rw-` | 110 | 6 | Read + Write |
| `rwx` | 111 | 7 | Read + Write + Execute |
Common Permission Combinations:

- 755 (`rwxr-xr-x`): the user has all permissions; group and other users have read and execute permissions
- 644 (`rw-r--r--`): the user has read and write permissions; group and other users have only read permission
- 700 (`rwx------`): only the user has any permissions
- 777 (`rwxrwxrwx`): all users have all permissions (dangerous!)
## 3. Permission Management Commands

### 1. chmod: Change File Permissions

Numeric Method (Recommended):

```bash
# Set file to 755 permissions
chmod 755 script.sh
# Set a configuration file to 644 permissions
# (644 is for files: on a directory it would remove the execute bit, so the directory could no longer be entered)
chmod 644 config
# Recursively set permissions for a directory and its contents
# (this also marks every regular file inside as executable; "chmod -R u=rwX,go=rX" applies x only to directories)
chmod -R 755 /path/to/directory
```

Symbolic Method:

```bash
# Add execute permission for all users
chmod a+x script.sh
# Remove write permission for group and other users
chmod go-w sensitive_file
# Give the user all permissions, the group read permission, and other users no permissions
chmod u=rwx,g=r,o= file.txt
```

### 2. chown: Change File Owner

```bash
# Change file owner
chown username file.txt
# Change both owner and group
chown username:groupname file.txt
# Recursively change directory ownership
chown -R username:groupname /path/to/directory
# Change only the group
chown :groupname file.txt
# Or use chgrp
chgrp groupname file.txt
```
## 4. Special Permissions: SUID, SGID, Sticky Bit

In addition to the basic rwx permissions, Linux has three special permission bits that are very useful in specific scenarios.

### 1. SUID (Set User ID)

When an executable file has the SUID bit set, it runs with the privileges of the file's owner, no matter who executes it.

Typical Example: `/usr/bin/passwd`

```text
$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 59640 Jan 25 2023 /usr/bin/passwd
```

Note: The execute bit in the user field changes to `s`. This means that when a regular user runs passwd, the process temporarily has root privileges, which is what allows it to modify /etc/shadow.

Setting SUID:

```bash
# Numeric method (prefix the normal permissions with 4)
chmod 4755 /usr/local/bin/myprogram
# Symbolic method
chmod u+s /usr/local/bin/myprogram
```

### 2. SGID (Set Group ID)

For files: similar to SUID, but the program runs with the privileges of the file's group.

For directories: files created in that directory automatically inherit the directory's group.

Setting SGID:

```bash
# Numeric method (prefix the normal permissions with 2)
chmod 2755 /shared-directory
# Symbolic method
chmod g+s /shared-directory
```

Team Collaboration Example:

```bash
# Create shared directory
mkdir /team-project
chown :dev-team /team-project
chmod 2775 /team-project   # SGID + rwxrwxr-x
# Now files created by any user in /team-project will belong to the dev-team group
```

### 3. Sticky Bit

Only effective on directories: even when the directory is writable by everyone, a file in it can only be deleted or renamed by its owner.

Typical Example: the `/tmp` directory

```text
$ ls -ld /tmp
drwxrwxrwt 10 root root 4096 Jun 15 11:00 /tmp
```

Note: The execute bit in the other-users field changes to `t`, which ensures that users can only delete files they created themselves.

Setting the Sticky Bit:

```bash
# Numeric method (prefix the normal permissions with 1)
chmod 1777 /public-upload
# Symbolic method
chmod o+t /public-upload
```
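The following Python is an added example, not code from the original article: it converts between the mode column of `ls -l` and the numeric mode used with chmod, covering the basic rwx bits from section 2 and the `s`/`t` letters introduced in this section. It uses only the standard `stat` module, and goes slightly beyond the article by also handling the uppercase `S`/`T` forms that `ls` prints when a special bit is set without the matching execute bit.

```python
import stat

# The nine rwx positions of an ls -l mode column, mapped to their stat bits.
PERM_BITS = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
             stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
             stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)
# The three execute positions double as the SUID, SGID and sticky indicators.
SPECIAL = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}


def parse_mode(ls_mode: str) -> int:
    """Convert the 10-character mode column of `ls -l` (e.g. '-rwsr-xr-x')
    into a numeric mode (0o4755). The leading type character is skipped."""
    if len(ls_mode) != 10:
        raise ValueError("expected a 10-character ls mode string")
    mode = 0
    for i, ch in enumerate(ls_mode[1:]):
        if i in SPECIAL and ch in "sStT":
            mode |= SPECIAL[i]          # special bit is set ...
            if ch in "st":              # ... and lowercase means x is set as well
                mode |= PERM_BITS[i]
        elif ch == "rwx"[i % 3]:
            mode |= PERM_BITS[i]
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} at position {i + 2}")
    return mode


def format_mode(mode: int) -> str:
    """Inverse of parse_mode for the permission part: 0o4755 -> 'rwsr-xr-x'.
    An uppercase S or T marks a special bit whose x bit is NOT set, which
    rarely does what the administrator intended and is worth a second look."""
    chars = []
    for i, bit in enumerate(PERM_BITS):
        ch = "rwx"[i % 3] if mode & bit else "-"
        if i in SPECIAL and mode & SPECIAL[i]:
            letter = "t" if i == 8 else "s"
            ch = letter if mode & bit else letter.upper()
        chars.append(ch)
    return "".join(chars)


def octal(ls_mode: str) -> str:
    """Four-digit octal string as used with chmod: '-rwsr-xr-x' -> '4755'."""
    return f"{parse_mode(ls_mode):04o}"
```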
## 5. umask: Default Permission Control

The `umask` value determines the default permissions of newly created files and directories.

Calculation Method:

- Default file permissions = 666 - umask
- Default directory permissions = 777 - umask

Viewing and Setting umask:

```bash
# View current umask
umask
# Output: 0022
# Set umask
umask 0027
# Permanent setting (add to ~/.bashrc or /etc/profile)
echo "umask 0027" >> ~/.bashrc
```

umask Value Correspondence:

| umask | File Permissions | Directory Permissions | Description |
|---|---|---|---|
| 0022 | 644 | 755 | Default setting, relatively loose |
| 0027 | 640 | 750 | More secure, other users have no permissions |
| 0077 | 600 | 700 | Most strict, only the user has permissions |
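The table above can be reproduced with the following added Python example (not part of the original article). It also shows the one caveat behind the "666 - umask" rule: the kernel clears the umask bits rather than subtracting, so for files the shortcut is wrong whenever a umask digit is 1, 3 or 5. All names below are the example's own.

```python
FILE_BASE = 0o666   # a newly created regular file requests rw-rw-rw-
DIR_BASE = 0o777    # a newly created directory requests rwxrwxrwx


def default_mode(base: int, umask: int) -> int:
    """What the kernel actually does: every bit that is set in the umask is cleared."""
    return base & ~umask & 0o777


def default_mode_by_subtraction(base: int, umask: int) -> int:
    """The '666 - umask' rule of thumb, applied digit by digit as people do it
    by hand (a digit that would go negative is written as 0)."""
    result = 0
    for shift in (6, 3, 0):
        digit = ((base >> shift) & 7) - ((umask >> shift) & 7)
        result |= max(digit, 0) << shift
    return result


def umask_table(umasks):
    """Rows of (umask, file mode, directory mode) as octal strings, like the table above."""
    return [(f"{u:04o}", f"{default_mode(FILE_BASE, u):03o}",
             f"{default_mode(DIR_BASE, u):03o}") for u in umasks]


def subtraction_mismatches(umasks):
    """Umask values for which the subtraction shortcut gives the wrong FILE mode.
    It fails when a umask digit is 1, 3 or 5: it tries to take away an x bit the
    file never had (6 - 3 is 3 by arithmetic, but 6 & ~3 is 4). Directories
    start from 7, so the shortcut is always right for them."""
    return [f"{u:04o}" for u in umasks
            if default_mode_by_subtraction(FILE_BASE, u) != default_mode(FILE_BASE, u)]
```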
## 6. ACL: Fine-Grained Permission Control

When the basic user-group-other permission model is insufficient, ACLs (Access Control Lists) provide more fine-grained permission control.

### 1. Enabling ACL

```bash
# Check whether the file system is set up with ACL support
tune2fs -l /dev/sda1 | grep acl
# Enable ACL when mounting (add this line to /etc/fstab)
# /dev/sda1 /data ext4 defaults,acl 0 0
# Remount
mount -o remount,acl /data
```

### 2. Basic ACL Commands

setfacl: Set ACL Permissions

```bash
# Add permissions for a specific user
setfacl -m u:username:rwx /shared/file
# Add permissions for a specific group
setfacl -m g:groupname:r-x /shared/file
# Remove the ACL entry for a specific user
setfacl -x u:username /shared/file
# View ACL permissions
getfacl /shared/file
# Set a default ACL (newly created files inherit these permissions)
setfacl -d -m u:username:rwx /shared-directory
```

getfacl: View ACL Permissions

```text
$ getfacl /shared/file
# file: shared/file
# owner: root
# group: root
user::rw-
user:john:rwx
group::r--
mask::rwx
other::r--
```
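The `mask::` line in the output above is the part of an ACL that most often surprises people: it caps what named users, named groups and the owning group actually get, and a later `chmod` on the group bits rewrites it. The following added Python example (not from the original article) parses getfacl output and reports granted versus effective rights; the sample output is constructed for this example, with the mask lowered to `r--` so the effect is visible.

```python
# Constructed getfacl output: like the article's example, but with a
# restrictive mask. getfacl itself appends the "#effective:" hint when a
# mask cuts an entry down.
SAMPLE_GETFACL = """\
# file: shared/file
# owner: root
# group: root
user::rw-
user:john:rwx\t\t\t#effective:r--
group::r--
mask::r--
other::r--
"""

RWX = (("r", 4), ("w", 2), ("x", 1))


def perm_bits(perms: str) -> int:
    """'r-x' -> 5. Any character other than '-' in a position counts as set."""
    return sum(val for (_, val), ch in zip(RWX, perms) if ch != "-")


def format_bits(bits: int) -> str:
    return "".join(ch if bits & val else "-" for ch, val in RWX)


def parse_getfacl(text: str):
    """Map each ACL entry to its rwx bits. Keys look exactly like the entries
    getfacl prints: 'user::', 'user:john', 'group::', 'mask::', 'other::'."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop header lines and '#effective:' hints
        if not line:
            continue
        tag, name, perms = line.split(":")
        key = f"{tag}:{name}" if name else f"{tag}::"
        entries[key] = perm_bits(perms)
    return entries


def effective(entries, key: str) -> int:
    """Effective rights of one entry. The mask caps named users, named groups
    and the owning group (group::); it never limits user:: or other::."""
    bits = entries[key]
    if key in ("user::", "other::", "mask::"):
        return bits
    return bits & entries.get("mask::", 7)


def report(text: str):
    """(entry, granted, effective) for every entry in a getfacl listing."""
    entries = parse_getfacl(text)
    return [(k, format_bits(v), format_bits(effective(entries, k))) for k, v in entries.items()]
```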
## 7. Practical Case Analysis

Case 1: Web Server Directory Permission Configuration

```bash
# Create web directory
mkdir /var/www/myapp
chown www-data:www-data /var/www/myapp
chmod 755 /var/www/myapp
# Upload directory needs write permission
mkdir /var/www/myapp/uploads
chown www-data:www-data /var/www/myapp/uploads
chmod 775 /var/www/myapp/uploads   # Or use SGID: 2775
# Configuration file needs strict permissions
chmod 640 /var/www/myapp/config.php
```

Case 2: Team Collaboration Directory

```bash
# Create team directory
mkdir /team-projects
chown :developers /team-projects
chmod 2775 /team-projects   # SGID: new files inherit the directory's group
# Use an ACL to give a specific user extra permissions
setfacl -m u:manager:rwx /team-projects
setfacl -d -m g:developers:rwx /team-projects   # Default ACL for new files
```

Case 3: Secure Isolated FTP Directory

```bash
mkdir /ftp-upload
chmod 1777 /ftp-upload   # Sticky Bit prevents users from deleting others' files
# Or a more secure way: each user gets an independent directory
mkdir /ftp-users
chmod 755 /ftp-users
for user in user1 user2 user3; do
    mkdir "/ftp-users/$user"
    chown "$user:$user" "/ftp-users/$user"
    chmod 755 "/ftp-users/$user"
done
```
## 8. Permission Troubleshooting Techniques

### 1. Steps for Diagnosing Permission Issues

```bash
# 1. Check file permissions and owner
ls -l problematic-file
# 2. Check current user and group
id
whoami
# 3. Check user groups
groups
# 4. If there are ACLs, check the detailed permissions
getfacl problematic-file
# 5. Check parent directory permissions (they affect every operation on the file)
ls -ld parent-directory
```

### 2. Common Permission Issues and Solutions

```bash
# Script cannot be executed
chmod +x script.sh
# Cannot read file
chmod o+r file.txt   # Make it readable for other users
chmod g+r file.txt   # Or only for group members
# Cannot write to directory
chmod u+w directory/   # Or adjust as needed
# Cannot delete file (check the directory's write permission and Sticky Bit)
ls -ld containing-directory
```

### 3. Permission Check Script

```bash
#!/bin/bash
# Usage: ./check_permissions.sh <file-or-directory>
if [ $# -ne 1 ]; then
    echo "Usage: $0 <file-or-directory>" >&2
    exit 1
fi

check_permissions() {
    # Paths are quoted and passed after "--" so names with spaces or a leading "-" work
    echo "Checking: $1"
    echo "Permissions: $(ls -ld -- "$1")"
    echo "Current user: $(whoami)"
    echo "User groups: $(groups)"
    if [ -d "$1" ]; then
        echo "Directory contents:"
        ls -la -- "$1"
    fi
    echo "----------------------------------------"
}

check_permissions "$1"
```
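The checklist above can be automated. The following added Python example (not from the original article) walks every directory on the way to a path and reports what blocks a given uid/gids, including the sticky-bit rule for deletion from section 4. The `lookup` parameter is the example's own device so it can be run against an in-memory model as well as the live file system; root's bypass of rwx checks and ACLs are not modelled.

```python
import os

NEED = {"r": 4, "w": 2, "x": 1}


def real_lookup(path):
    """(mode, owner uid, group gid) of a path on the live system."""
    st = os.lstat(path)
    return st.st_mode, st.st_uid, st.st_gid


def class_bits(mode, owner, group, uid, gids):
    """The rwx triple that applies: owner if the uid matches, else group if any
    of the user's gids match, else other. Only one class is ever consulted."""
    if uid == owner:
        return (mode >> 6) & 7
    if group in gids:
        return (mode >> 3) & 7
    return mode & 7


def diagnose(path, uid, gids, want="r", lookup=real_lookup):
    """List what blocks uid (with gids) from doing `want` on path. want holds
    'r', 'w', 'x' (checked on the file itself) and/or 'd' (delete it, which is
    decided by the parent directory, never by the file's own mode)."""
    problems = []
    path = os.path.abspath(path)
    parent = os.path.dirname(path)
    # Step 5 of the checklist: every directory on the way needs x (search).
    ancestors, d = [], parent
    while True:
        ancestors.append(d)
        if d == os.path.dirname(d):
            break
        d = os.path.dirname(d)
    for d in reversed(ancestors):
        mode, owner, group = lookup(d)
        if not class_bits(mode, owner, group, uid, gids) & 1:
            problems.append(f"{d}: no x (search) permission")
    mode, owner, group = lookup(path)
    bits = class_bits(mode, owner, group, uid, gids)
    for p in want:
        if p == "d":
            pmode, powner, pgroup = lookup(parent)
            pbits = class_bits(pmode, powner, pgroup, uid, gids)
            if pbits & 3 != 3:
                problems.append(f"{parent}: deleting needs w and x on the directory")
            elif pmode & 0o1000 and uid not in (owner, powner):   # 0o1000 = sticky bit
                problems.append(f"{parent}: sticky bit set and uid {uid} owns neither the file nor the directory")
        elif not bits & NEED[p]:
            problems.append(f"{path}: missing {p} permission")
    return problems
```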
## 9. Best Security Practices

- Follow the Principle of Least Privilege: grant only the minimum permissions necessary to complete the work
- Regularly Audit Permissions: check the permission settings of critical directories and files
- Use Special Permissions with Caution: SUID/SGID may pose security risks
- Use Groups for Permission Management: more efficient than managing users individually
- Strictly Protect Important Files: set configuration files, key files, etc., to 600 or 400
- Monitor Permission Changes: use tools like auditd to monitor permission changes on critical files
## 10. Summary

The Linux file permission system is a powerful and flexible mechanism. From the basic rwx permissions, through the special SUID/SGID/Sticky Bit, to fine-grained ACL control, it can meet the permission management needs of a wide range of complex scenarios.

Through this article, you should now be able to:

- Accurately interpret and understand the various file permissions
- Proficiently use commands like chmod and chown for permission management
- Apply special permissions sensibly to solve practical problems
- Use ACLs for fine-grained permission control
- Quickly diagnose and resolve permission-related issues

Remember, good permission management is not only the foundation of system security but also a guarantee of efficient collaboration. In practical work, develop reasonable permission strategies based on specific needs, and find a balance between security and convenience.

Next Article Preview: In the next article, we will delve into Linux user and group management, covering account creation, password policies, and permission allocation, helping you master identity management techniques in a multi-user environment!