Sams Teach Yourself Shell Programming in 24 Hours
(Publisher: Macmillan Computer Publishing)
Author(s): Sriranga Veeraraghavan
ISBN: 0672314819
Publication Date: 01/01/99


Viewing Permissions

You can display the permissions of a file using the ls -l command. For example, the following command

$ ls -l /home/ranga/.profile

produces the following output:

-rwxr-xr-x   1 ranga    users        2368 Jul 11 15:57 .profile*

Because the first character is a hyphen (-), you know that this is a regular file. Several characters appear after this hyphen. The first three characters indicate the permissions for the owner of the file, the next three characters indicate the permissions for the group the file is associated with, and the last three characters indicate the permissions for all other users.

The permission block for this file indicates that the user has read, write, and execute permissions, whereas members of the group users and all other users have only read and execute permissions.

Three basic permissions that can be granted or denied on a file are read, write, and execute. These permissions are defined in Table 5.2.

Table 5.2 Basic Permissions

Letter   Permission   Definition
------   ----------   -------------------------------------------------------------
r        Read         The user can view the contents of the file.
w        Write        The user can alter the contents of the file.
x        Execute      The user can run the file, which is likely a program. For
                      directories, the execute permission must be set in order
                      for users to access the directory.

After the permissions block, the owner and the group are listed. For this file, the owner is ranga and the group is users.

Directory Permissions

The x bit on a directory grants access to the directory. The read and write permissions have no effect if the access bit is not set.

The read permission on a directory enables users to use the ls command to view files and their attributes that are located in the directory.

The write permission on a directory is the permission to watch out for because it lets a user add and also remove files from the directory.

A directory that grants a user only execute permission will not enable the user to view the contents of the directory or add or delete any files from the directory, but it will let the user run executable files located in the directory.


Tip:  
To ensure that your files are secure, check both the file permissions and the permissions of the directory where the file is located.

If a file has write permission for owner, group, and other, the file is insecure. Inversely, if a file is in a directory that has write and execute permissions for owner, group, and other, all files located in the directory are insecure, no matter what the permissions on the files themselves are.


SUID and SGID File Permission

Often when a command is executed, it will have to be executed with special privileges in order to accomplish its task.

As an example, when you change your password with the passwd command, your new password is stored in the file /etc/shadow. As a regular user, you do not have read or write access to this file for security reasons, but when you change your password, you need to have write permission to this file. This means that the passwd program has to give you additional permissions so that you can write to the file /etc/shadow.

Additional permissions are given to programs via a mechanism known as the Set User ID (SUID) and Set Group ID (SGID) bits. When you execute a program that has the SUID bit enabled, you inherit the permissions of that program’s owner. Programs that do not have the SUID bit set are run with the permissions of the user who started the program.

The same applies to SGID. Normally a program executes with your group permissions, but when the SGID bit is set, your effective group is changed, for the duration of that program only, to the group that owns the program.

As an example, the passwd command, used to change your password, is owned by root and has the SUID bit enabled. When you execute it, you effectively become root while the command runs.


The SUID and SGID bits will appear as the letter “s” if the permission is available. The SUID “s” bit will be located in the permission bits where the owner's execute permission would normally reside. For example, the command

$ ls -l /usr/bin/passwd

produces the following output:

-r-sr-xr-x   1 root     bin         19031 Feb  7 13:47 /usr/bin/passwd*

which shows that the SUID bit is set and that the command is owned by root. A capital letter S in the execute position instead of a lowercase s indicates that the execute bit is not set.


The sticky bit imposes extra file removal restrictions on a directory. A directory with write permission enabled for a user enables that user to add and delete any files in this directory. If the sticky bit is enabled on the directory, files can only be removed if you are one of the following users:

  The owner of the sticky directory
  The owner of the file being removed
  The super user, root

You should consider enabling the sticky bit for any directories that nonprivileged users can write. Examples of such directories would include temporary directories and public file upload sites.

Directories can also take advantage of the SGID bit. If a directory has the SGID bit set, any new files added to the directory automatically inherit that directory's group, instead of the group of the user writing the file.
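As an added example that is not part of the book, the following POSIX sh function decodes the mode field that ls -l prints (the first column of the listings shown in this chapter), reports the SUID, SGID, and sticky bits described above, and applies the two checks from the Tip: a file writable by other, and a directory that other can write and enter without the sticky bit. The mode strings passed to it are constructed samples; the function name and return convention (0 = acceptable, 1 = insecure) are this example's own.

```shell
# Decode a ten-character ls -l mode string such as '-r-sr-xr-x' or 'drwxrwxrwt'.
# Prints a one-line description and returns 1 if the mode is insecure per the Tip.
describe_mode() {
    mode=$1
    type=$(printf '%s' "$mode" | cut -c1)
    owner=$(printf '%s' "$mode" | cut -c2-4)     # rwx triplet for the owner
    group=$(printf '%s' "$mode" | cut -c5-7)     # rwx triplet for the group
    other=$(printf '%s' "$mode" | cut -c8-10)    # rwx triplet for all other users

    case $type in
        -) kind=file ;;
        d) kind=directory ;;
        *) kind="other($type)" ;;
    esac

    # 's' in an execute slot means the execute bit plus SUID/SGID;
    # a capital 'S' means SUID/SGID is set but the execute bit is not.
    special=""
    case $owner in *[sS]) special="$special SUID" ;; esac
    case $group in *[sS]) special="$special SGID" ;; esac
    # 't' (or 'T' without execute) in the other-execute slot is the sticky bit.
    case $other in *[tT]) special="$special sticky" ;; esac
    special=${special# }
    printf '%s owner=%s group=%s other=%s special=%s\n' \
        "$kind" "$owner" "$group" "$other" "${special:-none}"

    insecure=0
    case $other in
        ?w?)
            if [ "$kind" = file ]; then
                insecure=1          # anyone can alter the file's contents
            elif [ "$kind" = directory ]; then
                # write + execute for other, and no sticky bit: anyone can remove files
                case $other in ?wx) insecure=1 ;; esac
            fi ;;
    esac
    return $insecure
}

# Constructed sample modes (not taken from a real system):
for m in -rwxr-xr-x -r-sr-xr-x -rw-rw-rw- drwxrwxrwt drwxrwxrwx drwxrwsr-x; do
    describe_mode "$m" || echo "  -> INSECURE: $m"
done
```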
