Linux file permissions are a basic thing we tend not to notice unless we are system admins, on a security team, or we hit an error. I will try to explain a few details of how to handle Linux file permissions. Let's look at some examples and the terminal output of each case. When we discuss files in Linux, I always fear deviating from the topic, as there are many things to discuss; if I miss some, I will update this post or continue in another one.

We can protect directories and files from being read, written or otherwise accessed by other users. There are three permissions we can give: Read, Write and Execute. These permissions can be given at three levels: User, Group and Others.

User Denotations
u : user/owner
g : group
o : other
a : all

These can be used to keep someone from accessing a file or, say, to allow only one user to access a file or write a file to a directory.

chmod is how we handle file permissions. Let's see a few examples.

 _____ _ _        ____                     _         _                 
|  ___(_) | ___  |  _ \ ___ _ __ _ __ ___ (_)___ ___(_) ___  _ __  ___ 
| |_  | | |/ _ \ | |_) / _ \ '__| '_ ` _ \| / __/ __| |/ _ \| '_ \/ __|
|  _| | | |  __/ |  __/  __/ |  | | | | | | \__ \__ \ | (_) | | | \__ \
|_|   |_|_|\___| |_|   \___|_|  |_| |_| |_|_|___/___/_|\___/|_| |_|___/
                                                                       
      _                         _ 
  ___| |__  _ __ ___   ___   __| |
 / __| '_ \| '_ ` _ \ / _ \ / _` |
| (__| | | | | | | | | (_) | (_| |
 \___|_| |_|_| |_| |_|\___/ \__,_|
                                  
abhinav@ETHICALHACKX:~$ ls -l
total 50732
-rw-r--r-- 1 abhinav abhinav 51906136 kax 21 23:59 2019-12-22-04-35-00am.zip
drwxr-xr-x 2 abhinav abhinav     4096 kax 21 23:41 Desktop
drwxr-xr-x 2 abhinav abhinav     4096 kax 28 18:22 dir1
drwxr-xr-x 2 abhinav abhinav     4096 kax 21 23:41 Documents
drwxr-xr-x 3 abhinav abhinav     4096 kax 23 10:06 Downloads
drwxr-xr-x 2 abhinav abhinav     4096 kax 21 23:41 Music
drwxr-xr-x 2 abhinav abhinav     4096 kax 28 18:37 Pictures
drwxr-xr-x 2 abhinav abhinav     4096 kax 21 23:41 Public
drwxr-xr-x 2 abhinav abhinav     4096 kax 21 23:41 Templates
drwxr-xr-x 2 abhinav abhinav     4096 kax 21 23:41 Videos
abhinav@ETHICALHACKX:~$ 

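Here we have a directory dir1 where we will do all the tests. We create a few dummy files to test with, namely file1, file2 and file3, and check the permissions on these files. (The touch command below mistypes file2 as fil2, which is why fil2 appears in the listings.)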

abhinav@ETHICALHACKX:~/dir1$ touch file1 fil2 file3
abhinav@ETHICALHACKX:~/dir1$ mkdir dir2
abhinav@ETHICALHACKX:~/dir1$ ls -l
total 4
drwxr-xr-x 2 abhinav abhinav 4096 kax 28 19:10 dir2
-rw-r--r-- 1 abhinav abhinav    0 kax 28 19:08 fil2
-rw-r--r-- 1 abhinav abhinav    0 kax 28 19:08 file1
-rw-r--r-- 1 abhinav abhinav    0 kax 28 19:08 file3
abhinav@ETHICALHACKX:~/dir1$ 

Things to Notice

Column 1: the file type and permissions.
Column 2: the number of links or directories in the directory.
Column 3: the user who owns the file/directory.
Column 4: the group to which the file/directory belongs; all users in the group will have the mentioned permission.
Column 5: the size of the directory/file in k, M, G.
Column 6: the last modification date of the file.
Column 7: the name of the file/directory.

Let's have some fun with file permissions; we will mention other things later in the post.

Check the permissions on a particular file or directory only

abhinav@ETHICALHACKX:~/dir1$ ls -l file1
-rw-r--r-- 1 abhinav abhinav 0 kax 28 19:08 file1
abhinav@ETHICALHACKX:~/dir1$ 

So file1 has -rw-r--r--, which can be divided into 4 parts in the format -|---|---|---. The first part gives the file type. Linux has 7 file types (- : regular file, d : directory, c : character device file, b : block device file, s : local socket file, p : named pipe, l : symbolic link).

Part 2 of the permissions column is the user permission set, the 3rd part is the group permissions, and the 4th part is for others. So in the above example, -rw-r--r-- reads as follows:
-|***|***|*** means it is a regular file.
*|rw-|***|*** means the user has read and write permissions but not execute.
*|***|r--|*** means the group has read permission but not write or execute.
*|***|***|r-- means others can only read, and not write or execute.

Let's change permissions for the user or group. In Linux, permissions can be changed for 3 entities: user, group or other.

abhinav@ETHICALHACKX:~/dir1$ chmod u+x file1
abhinav@ETHICALHACKX:~/dir1$ ls -l file1
-rwxr--r-- 1 abhinav abhinav 0 kax 28 19:08 file1

So we see the permission for the user has changed, and the user now has execute permission.

There are three operators for modifying permissions: +, - and =. We can use them like u-r, which means remove read from the user.

+ : add permission
- : remove permission
= : assign/set permission

Let’s add write permission to group.

abhinav@ETHICALHACKX:~/dir1$ chmod g+w file2
abhinav@ETHICALHACKX:~/dir1$ ls -l file2 file1
-rwxr--r-- 1 abhinav abhinav 0 kax 28 19:08 file1
-rw-rw-r-- 1 abhinav abhinav 0 kax 28 19:42 file2

Remove Read permission from user.

abhinav@ETHICALHACKX:~/dir1$ chmod u-r file1
abhinav@ETHICALHACKX:~/dir1$ cat file1
cat: file1: Permission denied
abhinav@ETHICALHACKX:~/dir1$ 

So now we know how to restrict file or directory access for the user. Let's do the same for groups, which is helpful when you want the users of a group to have access and not others.

abhinav@ETHICALHACKX:~/dir1$ chmod u-r file2
abhinav@ETHICALHACKX:~/dir1$ ls -l file2
--w--w-r-- 1 abhinav abhinav 0 kax 28 19:42 file2

Similarly, you may want to restrict read, write and execute access for other users. We will remove all permissions for other users from file3.

abhinav@ETHICALHACKX:~/dir1$ chmod o-rwx file3
abhinav@ETHICALHACKX:~/dir1$ ls -l
total 4
drwxr-xr-x 2 abhinav abhinav 4096 kax 28 19:10 dir2
-rw-r--r-- 1 abhinav abhinav    0 kax 28 19:08 fil2
--wxr--r-- 1 abhinav abhinav    0 kax 28 19:08 file1
--w--w-r-- 1 abhinav abhinav    0 kax 28 19:42 file2
-rw-r----- 1 abhinav abhinav    0 kax 28 19:08 file3
abhinav@ETHICALHACKX:~/dir1$ 

Let's remove read permission from all users and add execute permission for all users. We have seen 3 permission levels by now: u (user), g (group) and o (other). Let's use a (all) to cover all of them at once.

abhinav@ETHICALHACKX:~/dir1$ chmod a-r file3
abhinav@ETHICALHACKX:~/dir1$ ls -l file3
--w------- 1 abhinav abhinav 0 kax 28 19:08 file3
abhinav@ETHICALHACKX:~/dir1$ chmod a+x file3
abhinav@ETHICALHACKX:~/dir1$ ls -l file3
--wx--x--x 1 abhinav abhinav 0 kax 28 19:08 file3
abhinav@ETHICALHACKX:~/dir1$ 

Let's also check what happens when we try to write to a file we don't have write permission on, or try to delete it.

abhinav@ETHICALHACKX:~/dir1$ touch file4
abhinav@ETHICALHACKX:~/dir1$ ls -l file4
-rw-r--r-- 1 abhinav abhinav 0 kax 28 19:59 file4
abhinav@ETHICALHACKX:~/dir1$ cat file4
abhinav@ETHICALHACKX:~/dir1$ echo "Hello CHMOD" > file4
abhinav@ETHICALHACKX:~/dir1$ cat file4
Hello CHMOD
abhinav@ETHICALHACKX:~/dir1$ chmod u-w file4
abhinav@ETHICALHACKX:~/dir1$ ls -l file4
-r--r--r-- 1 abhinav abhinav 12 kax 28 19:59 file4
abhinav@ETHICALHACKX:~/dir1$ #We can notice file write permission changed
abhinav@ETHICALHACKX:~/dir1$ echo "Hello chmod" > file4
bash: file4: Permission denied

However, when you try to delete the file, rm lets you delete it after asking for confirmation for the write-protected file, as here you are the owner of the file.

abhinav@ETHICALHACKX:~/dir1$ rm file4
rm: remove write-protected regular file 'file4'? y
abhinav@ETHICALHACKX:~/dir1$ ls
dir2  fil2  file1  file2  file3
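
Whether the unlink behind rm succeeds is decided by write and execute permission on the containing directory, not by the mode of the file itself. The script below is an added example, not part of the original post; the temporary directory and the try_delete helper are constructed for illustration, and it assumes a non-root user, since root bypasses these checks.

```shell
#!/bin/sh
# try_delete DIRMODE
# Create a read-only file (0444) inside a constructed temp directory,
# set the directory itself to DIRMODE, then attempt "rm -f" (no prompt).
# Prints "deleted" or "denied".
try_delete() {
    d=$(mktemp -d) || return 1
    echo "Hello CHMOD" > "$d/file4"
    chmod 444 "$d/file4"            # nobody may write the file
    chmod "$1" "$d"                 # the directory mode is what rm depends on
    if rm -f "$d/file4" 2>/dev/null; then
        r=deleted
    else
        r=denied
    fi
    chmod 700 "$d"                  # restore access so cleanup works
    rm -rf "$d"
    echo "$r"
}

# Directory writable by its owner: the read-only file can still be removed.
echo "directory 700: $(try_delete 700)"
# Directory without write permission: removal fails for a non-root user.
echo "directory 500: $(try_delete 500)"
```

To stop a file from being deleted, remove write permission from its directory rather than from the file.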

Apply a permission to all files in a directory and its sub-directories recursively.

abhinav@ETHICALHACKX:~$ chmod -R u+x dir1
abhinav@ETHICALHACKX:~$ ls -l dir1/
total 8
drwxr-xr-x 2 abhinav abhinav 4096 kax 28 19:10 dir2
-rwxr--r-- 1 abhinav abhinav    0 kax 28 19:08 fil2
--wxr--r-- 1 abhinav abhinav    0 kax 28 19:08 file1
--wx-w-r-- 1 abhinav abhinav    0 kax 28 19:42 file2
--wx--x--x 1 abhinav abhinav    0 kax 28 19:08 file3
-rwxr--r-- 1 abhinav abhinav   12 kax 28 20:03 file4
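
The recursive u+x above marks every regular file under dir1 as executable, data files included. As an added example (not from the original post; the temporary tree, its file names and the modes_after helper are constructed, and GNU stat is assumed), the script compares it with chmod -R u+X, where the capital X adds execute only to directories and to files that already have an execute bit.

```shell
#!/bin/sh
# modes_after OP
# Build a constructed tree, run "chmod -R OP" on it and print the resulting
# octal modes as "mode name;" pairs on one line.
modes_after() {
    op=$1
    d=$(mktemp -d) || return 1
    mkdir "$d/sub"
    touch "$d/notes.txt" "$d/run.sh" "$d/sub/data.txt"
    chmod 644 "$d/notes.txt" "$d/sub/data.txt"   # plain data files
    chmod 654 "$d/run.sh"                        # already executable for group
    chmod 644 "$d/sub"                           # directory missing its x bit
    chmod -R "$op" "$d"
    out=$(cd "$d" && stat -c '%a %n' sub sub/data.txt notes.txt run.sh | tr '\n' ';')
    chmod -R u+rwx "$d"
    rm -rf "$d"
    printf '%s\n' "$out"
}

# Lower-case x: every entry gains owner execute, data files too.
echo "u+x: $(modes_after u+x)"
# Capital X: only the directory and the already-executable script gain it.
echo "u+X: $(modes_after u+X)"
```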

But what does execute permission on a directory mean? How do you execute a directory? It decides whether you can access the directory or not. Let's look at dir1 here.

abhinav@ETHICALHACKX:~$ ls -l
total 50732
-rw-r--r-- 1 abhinav abhinav 51906136 kax 21 23:59 2019-12-22-04-35-00am.zip
drwxr-xr-x 2 abhinav abhinav     4096 kax 21 23:41 Desktop
drwxr-xr-x 3 abhinav abhinav     4096 kax 28 20:03 dir1
drwxr-xr-x 2 abhinav abhinav     4096 kax 21 23:41 Documents
drwxr-xr-x 3 abhinav abhinav     4096 kax 23 10:06 Downloads
drwxr-xr-x 2 abhinav abhinav     4096 kax 21 23:41 Music
drwxr-xr-x 2 abhinav abhinav     4096 kax 28 18:37 Pictures
drwxr-xr-x 2 abhinav abhinav     4096 kax 21 23:41 Public
drwxr-xr-x 2 abhinav abhinav     4096 kax 21 23:41 Templates
drwxr-xr-x 2 abhinav abhinav     4096 kax 21 23:41 Videos

Notice that once the permission is changed, we are not able to access dir1.

abhinav@ETHICALHACKX:~$ cd dir1
abhinav@ETHICALHACKX:~/dir1$ cd ..
abhinav@ETHICALHACKX:~$ chmod u-x dir1
abhinav@ETHICALHACKX:~$ cd dir1
bash: cd: dir1: Permission denied
abhinav@ETHICALHACKX:~$ ls -l
total 50732
-rw-r--r-- 1 abhinav abhinav 51906136 kax 21 23:59 2019-12-22-04-35-00am.zip
drwxr-xr-x 2 abhinav abhinav     4096 kax 21 23:41 Desktop
drw-r-xr-x 3 abhinav abhinav     4096 kax 28 20:03 dir1
abhinav@ETHICALHACKX:~$ chmod u+x dir1
abhinav@ETHICALHACKX:~$ ls -l 
total 50732
-rw-r--r-- 1 abhinav abhinav 51906136 kax 21 23:59 2019-12-22-04-35-00am.zip
drwxr-xr-x 2 abhinav abhinav     4096 kax 21 23:41 Desktop
drwxr-xr-x 3 abhinav abhinav     4096 kax 28 20:03 dir1
drwxr-xr-x 2 abhinav abhinav     4096 kax 21 23:41 Documents
drwxr-xr-x 3 abhinav abhinav     4096 kax 23 10:06 Downloads
drwxr-xr-x 2 abhinav abhinav     4096 kax 21 23:41 Music
drwxr-xr-x 2 abhinav abhinav     4096 kax 28 18:37 Pictures
drwxr-xr-x 2 abhinav abhinav     4096 kax 21 23:41 Public
drwxr-xr-x 2 abhinav abhinav     4096 kax 21 23:41 Templates
drwxr-xr-x 2 abhinav abhinav     4096 kax 21 23:41 Videos
abhinav@ETHICALHACKX:~$ cd dir1
abhinav@ETHICALHACKX:~/dir1$ 

What about the last modification date of files? Can the audit logs tell, in case of an attack, which files were accessed? See how the file timestamp changed (though there are multiple types of timestamp in Linux).

abhinav@ETHICALHACKX:~/dir1$ ls -l file4
-rwxr--r-- 1 abhinav abhinav 12 kax 28 20:14 file4
abhinav@ETHICALHACKX:~/dir1$ touch file4
abhinav@ETHICALHACKX:~/dir1$ ls -l file4
-rwxr--r-- 1 abhinav abhinav 12 kax 28 20:15 file4

Setting File Permissions the Numeric Way

Number  Permission Type          Symbol
0       No Permission            ---
1       Execute                  --x
2       Write                    -w-
3       Execute + Write          -wx
4       Read                     r--
5       Read + Execute           r-x
6       Read + Write             rw-
7       Read + Write + Execute   rwx

Let's see how to use the above numbers to set permissions: we remove all permissions from the user and give rwx (7) permission to group and others.

abhinav@ETHICALHACKX:~/dir1$ ls -l file2
--wx-w-r-- 1 abhinav abhinav 0 kax 28 19:42 file2
abhinav@ETHICALHACKX:~/dir1$ chmod 077 file2
abhinav@ETHICALHACKX:~/dir1$ ls -l file2
----rwxrwx 1 abhinav abhinav 0 kax 28 19:42 file2
abhinav@ETHICALHACKX:~/dir1$ 
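
Mode 077 leaves file2 writable by every account on the system, which is the kind of permission an audit should flag. The script below is an added example, not part of the original post; the helper names and the temporary files are constructed, and GNU stat is assumed. It lists files writable by others with find -perm -002 and then tightens them with chmod o-w.

```shell
#!/bin/sh
# list_other_writable DIR
# Print "mode path" for every regular file under DIR that "others" can
# write to (permission bit 002 set).
list_other_writable() {
    find "$1" -type f -perm -002 -exec stat -c '%a %n' {} +
}

# audit_demo
# Constructed sample: three files with modes used in this post. Prints
# "<findings before> <findings after fix> <final mode of file2>".
audit_demo() {
    d=$(mktemp -d) || return 1
    touch "$d/file1" "$d/file2" "$d/file3"
    chmod 644 "$d/file1"      # others: read only
    chmod 077 "$d/file2"      # others: rwx, world-writable
    chmod 121 "$d/file3"      # others: execute only
    before=$(list_other_writable "$d" | wc -l | tr -d ' ')
    # Remediation: strip write from "others" on the flagged files only.
    find "$d" -type f -perm -002 -exec chmod o-w {} +
    after=$(list_other_writable "$d" | wc -l | tr -d ' ')
    mode=$(stat -c %a "$d/file2")
    rm -rf "$d"
    echo "$before $after $mode"
}

audit_demo
```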

We can change multiple permissions at once. Here we remove rwx permission on a file from user, group and others.

abhinav@ETHICALHACKX:~/dir1$ ls -l file2
----rwxrwx 1 abhinav abhinav 0 kax 28 19:42 file2
abhinav@ETHICALHACKX:~/dir1$ chmod ugo-rwx file2
abhinav@ETHICALHACKX:~/dir1$ ls -l file2
---------- 1 abhinav abhinav 0 kax 28 19:42 file2
abhinav@ETHICALHACKX:~/dir1$ 

We can also specify them separately like below, setting different permissions for user, group and others.

abhinav@ETHICALHACKX:~/dir1$ ls -l file2
---------- 1 abhinav abhinav 0 kax 28 19:42 file2
abhinav@ETHICALHACKX:~/dir1$ chmod uo=x,g=w file2
abhinav@ETHICALHACKX:~/dir1$ ls -l file2
---x-w---x 1 abhinav abhinav 0 kax 28 19:42 file2
abhinav@ETHICALHACKX:~/dir1$ 

The above example can be done the numeric way by setting the appropriate digits.

abhinav@ETHICALHACKX:~/dir1$ chmod uo=x,g=w file2
abhinav@ETHICALHACKX:~/dir1$ ls -l file2
---x-w---x 1 abhinav abhinav 0 kax 28 19:42 file2
abhinav@ETHICALHACKX:~/dir1$ chmod 121 file2
abhinav@ETHICALHACKX:~/dir1$ ls -l file2
---x-w---x 1 abhinav abhinav 0 kax 28 19:42 file2
abhinav@ETHICALHACKX:~/dir1$ 
