Learning Tree’s System and Network Security Introduction course begins with a description of the four fundamental concepts of cyber security: authentication, confidentiality, integrity, and availability. That leads into a discussion of authorization: “who is allowed to do what.” The conclusion is the “access equation”:
Authentication + Authorization = Access
(We also discuss situations where access is allowed without authentication, but that is a topic for a different time).
When we discuss authorization specifics, many participants are intrigued by the UNIX/Linux/BSD file system permissions, either because they’ve never seen them before or because nobody ever explained them. In this post, we’ll look at the basic aspects of those file permissions.
First, let’s look at a simple “long” directory listing:
Here we see six files:
The four regular files each have permissions that reflect their names. An explanation of the octal values and their meanings follows:
The permission characters are broken into three groups corresponding to user (owner of the file), group (the group associated with the file), and other (often referred to as “world”). The first character of the first column is the “type” – remember we saw a directory and a symbolic link, and there may be characters after the permissions for other information about the file type or characteristics.
The permission groups are divided into three permissions: Read, Write, and eXecute. These can be expressed with the lowercase letters r, w, and x, or as three bits written as an octal (base 8) digit. If the letter is present, it represents a 1; if there is a -, it represents a 0:
With that information, consider writable. It has rw- in the first group and dashes for all the other permissions. That means the owner can read and write the file, and nobody else can do anything. The permission code is 600, as noted in the table above. Seasoned users of the systems that use these file permissions will talk about files having permissions such as “644” and understand that 644 refers to rw-r--r--. “644” is far easier to say than “user readable and writable and readable by group and other”, but it may take a while for new users to become fluent in that lingo.
One important principle of cyber security is that of “least privilege.” The idea as it applies here is that users, processes, and other system entities should have only the access to a file that is absolutely necessary. That generally means an administrator or the owner of the file will need to change the permissions on a file.
Suppose, for instance, that members of the group video need read access to the file “readable”. We know from the description above that the permissions need to be “-r--r-----” or “440”. The chmod command is used to change file permissions (technically called the “mode”). The general form is:
chmod mode file
One way to set the desired permission would be “chmod 440 readable”. In fact, that was the only way to do it in the early days of UNIX. Now there is another way to set the permission, either explicitly or by adding or removing individual permissions (setting or clearing permission bits):
chmod g+r readable adds read permission for the group
chmod u=r,g=r readable or chmod ug=r readable explicitly sets the permission for user and group
If we wanted to add “other” read permission we could “chmod o+r readable”.
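The sequence above, run end to end as an added example (this script is not part of the original post). It creates a scratch copy of “readable”, applies each chmod form discussed, and reads the mode back after every step so the effect of octal versus symbolic specifications can be seen. It assumes the file starts at 400, as its name and the post suggest, and it assumes GNU coreutils for stat -c '%a' (on BSD and macOS the equivalent is stat -f '%Lp').

```shell
#!/bin/sh
# Added example, not from the original post: apply the chmod forms discussed
# above to a scratch copy of "readable" and read the mode back after each step.
# Assumes GNU coreutils for `stat -c '%a'`; on BSD/macOS use `stat -f '%Lp'`.

# mode_of FILE: print the nine permission bits of FILE in octal, e.g. 440.
mode_of() {
    stat -c '%a' "$1"
}

# set_mode FILE SPEC: apply one chmod specification (octal or symbolic) and
# print the resulting octal mode, so each step can be checked.
set_mode() {
    chmod "$2" "$1" || return 1
    mode_of "$1"
}

# walk DIR: create DIR/readable and run the post's sequence, printing
# "spec -> mode" for each step on stderr. Prints the final mode on stdout.
walk() {
    f="$1/readable"
    # Removing a file needs write permission on the directory, not on the
    # file, so a leftover read-only copy can always be cleared away here.
    rm -f "$f"
    : > "$f"                    # empty file; its mode is set explicitly below
    for spec in 400 g+r o+r 600 u=r,g=r 600 ug=r; do
        m=$(set_mode "$f" "$spec") || return 1
        printf '%-8s -> %s\n' "$spec" "$m" >&2
    done
    printf '%s\n' "$m"
}

# Run the demonstration in a throwaway directory.
scratch=$(mktemp -d)
walk "$scratch"
rm -rf "$scratch"
```

Running it shows the starting 400 become 440 after g+r, 444 after o+r, 600 after the octal reset, and 440 again after either u=r,g=r or ug=r; the symbolic forms with = replace the bits for the listed classes, while + only adds to what is already there.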
Some common file modes are:
000, 777, 700, 555, 400, 444, 644, 660, and 600
If you aren’t proficient in reading these in octal, try explaining each by writing out the “rwx” permissions and thinking about why they might be useful.
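To help with that exercise, and with the “644” fluency mentioned earlier, here is an added converter between the octal and rwx spellings of a mode (this script is not part of the original post). It writes out each of the common modes listed above together with a plain-language summary of who can do what, and it converts in the other direction so a string copied from ls -l can be checked against its octal value. It handles only the nine permission bits; setuid, setgid and the sticky bit are outside the scope of the post.

```shell
#!/bin/sh
# Added example, not part of the original post: a converter between the octal
# and the rwx spellings of a mode, so the common modes listed above can be
# written out and checked mechanically. Nine permission bits only; setuid,
# setgid and the sticky bit are not covered here.

# triple_to_rwx DIGIT: one octal digit -> three characters, e.g. 6 -> rw-
# (4 is the read bit, 2 the write bit, 1 the execute bit).
triple_to_rwx() {
    r=-; w=-; x=-
    if [ $(( $1 & 4 )) -ne 0 ]; then r=r; fi
    if [ $(( $1 & 2 )) -ne 0 ]; then w=w; fi
    if [ $(( $1 & 1 )) -ne 0 ]; then x=x; fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# octal_to_rwx MODE: three octal digits -> nine characters, e.g. 644 -> rw-r--r--
octal_to_rwx() {
    case $1 in
        [0-7][0-7][0-7]) ;;
        *) printf 'octal_to_rwx: bad mode "%s"\n' "$1" >&2; return 1 ;;
    esac
    u=$(printf '%s' "$1" | cut -c1)
    g=$(printf '%s' "$1" | cut -c2)
    o=$(printf '%s' "$1" | cut -c3)
    printf '%s%s%s\n' "$(triple_to_rwx "$u")" "$(triple_to_rwx "$g")" "$(triple_to_rwx "$o")"
}

# triple_to_digit RWX: three characters -> one octal digit, e.g. r-x -> 5
triple_to_digit() {
    n=0
    case $1 in r??) n=$((n + 4)) ;; esac
    case $1 in ?w?) n=$((n + 2)) ;; esac
    case $1 in ??x) n=$((n + 1)) ;; esac
    printf '%s' "$n"
}

# rwx_to_octal PERMS: the nine characters ls -l shows after the type
# character -> three octal digits, e.g. rw-r--r-- -> 644
rwx_to_octal() {
    case $1 in
        [r-][w-][x-][r-][w-][x-][r-][w-][x-]) ;;
        *) printf 'rwx_to_octal: bad permission string "%s"\n' "$1" >&2; return 1 ;;
    esac
    printf '%s%s%s\n' \
        "$(triple_to_digit "$(printf '%s' "$1" | cut -c1-3)")" \
        "$(triple_to_digit "$(printf '%s' "$1" | cut -c4-6)")" \
        "$(triple_to_digit "$(printf '%s' "$1" | cut -c7-9)")"
}

# words RWX: three characters -> the permissions in words, e.g. rw- -> read,write
words() {
    w=
    case $1 in r??) w=read ;; esac
    case $1 in ?w?) w="${w:+$w,}write" ;; esac
    case $1 in ??x) w="${w:+$w,}execute" ;; esac
    printf '%s' "${w:-none}"
}

# describe MODE: one line saying who can do what, e.g.
#   600 rw------- user:read,write group:none other:none
describe() {
    s=$(octal_to_rwx "$1") || return 1
    printf '%s %s user:%s group:%s other:%s\n' "$1" "$s" \
        "$(words "$(printf '%s' "$s" | cut -c1-3)")" \
        "$(words "$(printf '%s' "$s" | cut -c4-6)")" \
        "$(words "$(printf '%s' "$s" | cut -c7-9)")"
}

# Write out the common modes from the post.
for m in 000 777 700 555 400 444 644 660 600; do
    describe "$m"
done
```

Each line of the output pairs an octal mode with its rwx spelling and the three classes in words, which makes the least-privilege question easy to ask of each one: 444 lets everyone read, 660 lets only the owner and the group read and write, and 700 keeps everything to the owner.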
You can learn more about the mode bits in the chmod manual. If there isn’t one on your system, you can use your favorite search engine and search for
For more about the ls command, you can check its manual.
In future posts, I will discuss how to access these in a shell script.
To your safe computing,