File Permissions in Linux
Controlling users’ access to files & directories
One of the most essential aspects of the Linux operating system is file permissions: they determine how users on the system can interact with the various files available on it, which are a basic function of any operating system.
During our struggle with the Bandit machines (check my profile for the articles in the series!), we frequently encountered the concepts of file permissions — from changing the access restrictions of a file in order to enable other programs to use it, to finding the right file based on its specified permissions.
However, especially for beginners, this concept is not that easy to grasp as well as very general and detailed to be a side-note in any post — so this is the answer to the call: this article will explain this crucial subject in depth.
Why are permissions even necessary?
At first thought, we might consider completely abolishing the idea of permissions. Why complicate things? Let’s just let everyone have access to everything, and explain the users of the system what are their constraints and provide guidelines of usage. Sounds easy, right?
But this attitude is prone to many problems. First of all, we humans tend to mistake. A lot. This is natural, but the potential problems are too risky for us to just cope with them — maybe we destroy a configuration file for a program or corrupt an important file. We can’t just hope for the best — we need to actively protect ourselves and avoid such issues.
Nevertheless, the biggest problem resides in the field of information security. An attacker acquiring access to the system is a big issue for itself, and significantly worse if he could do whatever he wants with any file — we should keep in mind that enterprise machines contain many sensitive pieces of data, and the potential for vital, dangerous problems is huge. Do these comprise enough reasons for us to utilize a system managing access permissions?
I hope you are convinced in the need for such system. The developers of the Linux OS certainly are, so let’s dive in and explore the subject.
Understanding file permissions
When we open our terminal, we are presented with a shell and located in a particular directory. By executing the ls command, we can view the files in the mentioned directory.
For demonstration purposes, let’s navigate to the /etc directory, inside which there are both files and directories.
Using the ls command without parameters simply show the available files and folders (the white are files, the blue are directories, and the light-blue is a different concept we’ll briefly touch later, called a link). For us to see the permissions of the various entries, as well as many other relevant details, we need to add the -l parameter:
The first group of letters are the heart of this article, we’ll focus on them. The number after them is the amount of links to the file/directory, the name after it is the owning user, followed by the group of the owning users (users in Linux are divided into logical structures called groups. A user can be a part of more than a single group). Next, the number represents the size of the file in bytes, after which we have the time of last modification, followed by the name of the file/folder.
As I said, we’ll take a look at the group of letters on the left. The first one is either “-”, “d” or “l”. “-” mentions a file, “d” is a directory, and “l” is a link. So far, so good. Now things become more interesting.
The remaining letters actually comprise 3 groups of 3 letters: “r”, “w”, “x”. The first group describes the permissions of the user who owns the file, the second group describes the permissions of the owner’s group, and the third describes the permissions for any other user on the system. It’s worth mentioning that the root user has full access to any file, and can do whatever he wants.
Now we’ll understand how permissions are specified by the 3 mentioned letters — and the concept is the same for the user, group and other users. Each letter represents a permission: the “r” stands for reading the file, the “w” stands for writing to the file, and the “x” stands for executing the file, running it as a program. The sequence “rwx” gives full permissions, whereas if a particular permission is denied, the pertinent letter would be substituted by a dash “-”. For instance, “r-x” allows reading and executing, and “- -x” allows execution only.
For example, let’s take a look at the sequence “-rwxr-xr- -”. Because it starts with a “-”, it means it is a file. The next group of letters is “rwx”, providing the owning user with full permissions. As opposed to him/her, the users of the same group cannot write, but only read and execute (“r-x”). Other users can only read the file (“r- -”).
The equivalent for directories
Permissions of directories differ a bit from those regarding files. If a given sequence of letters is pertinent to a directory, but not to a file, the read permission allows examining the contents of the directory, seeing what files are inside it — basically, performing ls. The write permission makes it possible to create, rename or delete a file in the relevant directory, as well as altering the attributes of the directory. The execute permissions determines whether it is possible to enter the folder, basically cd into it.
Changing permissions
Only the root user or the owner of the file can alter the access permissions of the file.
To update the permissions of any given file or directory, we utilize the chmod command. There are 2 ways of doing so: numerically and with alphabetical expressions. Let’s start by the numerical method. In this method, every permission is assigned to a number: read = 4, write = 2, execute = 1. The numbers are not random, but are the values of the first three bits in the binary representation. Notice that there cannot be two combinations (let alone more) of permissions whose sum is identical. In this way, we can specify the permissions:
chmod 644 file
The first number sets the permissions for the user, the second number is pertinent to the group, and the last one is for other users. This statement says that the user has reading + writing (4 + 2 = 6), whereas any other user, no matter what group s/he’s in, has only writing permissions. To allow full access to any user, we can type:
chmod 777 file
Since reading + writing + executing = 7 (4 + 2 + 1 = 7).
Now let’s scrutinize the alphabetical expressions. In this attitude, instead of the digits, we type: {who}{+ or -}{what permission}. For instance:
chmod u+x file
The u indicates the user, and we add the execution permission to him/her. Another example:
chmod g-w file
The g indicates the group, and we remove the writing permission from it. “Other users” are described by the letter o, and reading permission is tied to the letter r.
A little debt — what links are
We saw before that apart from files and directories (folders), we also have links. Basically, links point to another file, providing a way to reach it from a different place. There are hard links — which are files standing for themselves, pointing into the same location on the hard disk as does the file to whom they are linked. As opposed to them, we have soft links, that are not files standing for themselves, but point to the location in the file system where the linked file is located. This is a very interesting subject, and I recommend you take a deeper look into it on your own.
Real-world example of protection provided by file permissions
Imagine you are a simple user in an organization, reckless and carefree. A malicious person succeeded in laying a hand on your credentials, and logs into the system with them.
This for itself is a significant breach, but thanks to file permissions, the damage is relatively mitigated. As a simple user, you don’t have access to sensitive data, and you cannot read the passwords file, for example. Deriving from that, so would the attacker not be able to do so, and the damage s/he can cause is limited.
Moreover, even if the attacker planned to corrupt the system by editing particular files or executing a dangerous script, a wise setting of permissions will block this offensive vector as well.
This way, until the breach is discovered and dealt with, there would be no crucial issues caused. Thank God and the Linux file permissions.
Conclusion
In this article we learned the most important concepts and aspects of file permissions in the Linux OS (and yet, it is not all there is to know), such as: the various access permissions and their meaning, for both files and directories, why they are important, how to change them, how to check them, the separation between the owning user, his group and other users on the system, and more.
For any user of Linux, it is vital to comprehend file permissions and know how to use them. They are utilized in many fields, especially in Information Security.
I hope you learned new things and enjoyed reading this article. Please follow me, clap for this post and comment what more content you would like to see, or any other remarks you have. Thank you!
