By Bri Hatch.
Summary: File permissions, the most basic form of security control that exists on Unix-like systems, is still misunderstood by many.
Linux has many different level of security. The kernel is protected from user processes; a user can only affect his own processes; and user processes are protected from each other. This security model requires that you must specifically allow users and processes to interact, otherwise there is no avenue for interaction and thus no avenue for attack.
The most basic security feature of any unix-like operating system is file permissions. However, even though this is the most simple line of defence, it is still misunderstood by many. Frequently, in an administrator perspective, I need to re-teach users how file perms work when they find that other users can access files they thought were unaccessible. Worse yet is when poor file permissions are used as part of an attack that should never have had a chance.
File permissions are those letters you see at the beginning of
$ ls -l drwxrwxrwx 1 reegen reegen 4096 Jan 22 10:05 dropbox drwx------ 1 reegen reegen 4096 Dec 6 8:50 private_logs -rw-r--r-- 1 reegen reegen 9663 Oct 8 16:03 public -rw------- 1 reegen reegen 8925 Jan 12 11:17 secret
The first part of the output has 10 characters, which can be broken up as follows (excuse the ASCII art....)
d rwx rwx rwx | | | | | | | \-> "Other" permissions | | | | | \-> "Group" permissions | | | \-> "User" permissions | \-> Type of file
The first character says what kind of file this is. (d==directory, l==symlink, p==pipe, s==socket, etc). The next three groups define the permissions of this file. An "r" means "allow read access", a "w" means "allow write access", and "x" means "allow execute access.
On a normal file ("-" in the type-of-file field) "read" and "write"
are pretty self explanatory. "Execute" means that this file
can be executed as a program.. So if the file were a shell script
or valid compiled executable (ELF format, etc) named
The kernel decides if you have read/write/execute access based on these
$ id uid=1000(doug) gid=1000(doug) groups=1000(doug),1001(web) $ ls -l foo.html -rw-r----- 1 www-data web 9663 Oct 8 16:03 foo.html
Following this logic, we'd all agree that
$ id uid=1000(doug) gid=1000(doug) groups=1000(doug),1001(web) $ ls -l bar.html -rw----r-- 1 www-data web 19838 Sep 17 4:22 bar.html
Most people's intuition would say sure,
Standard file permissions come in three flavours: user, group, and other. Many people think that if any option is satisfied, then access is granted. In reality, the kernel checks only the most appropriate - it does not "check all of them, falling through when a particular test fails"!
So, to be explicit, here is how you can think of the file permission logic, using read access as an example:
The distinction is an important one. You could create a file that you own that is readable by group and other, but not by you. Yes, this seems somewhat counterintuitive.
We are frequently put in a position where we want to give only certain users access to a directory or files. We put them in a special group, and tailor the group permissions of the files/directories to allow them this special access. Say we wanted to have the compiler only available to developers, we may do the following:
# ls -l /usr/bin/gcc -rwxr-xr-x 1 root root 74088 Sep 23 15:13 /usr/bin/gcc # addgroup devel # chgrp devel /usr/bin/gcc # ls -l /usr/bin/gcc -rwxr-xr-x 1 root devel 74088 Sep 23 15:13 /usr/bin/gcc # chmod o-rx /usr/bin/gcc # ls -l /usr/bin/gcc -rwxr-x--- 1 root devel 74088 Sep 23 15:13 /usr/bin/gcc
Now only root and the users in the
# ls -l /usr/bin/gcc -rwxr-xr-x 1 root root 74088 Sep 23 15:13 /usr/bin/gcc # addgroup jerks # chgrp jerks /usr/bin/gcc # ls -l /usr/bin/gcc -rwxr-xr-x 1 root jerks 74088 Sep 23 15:13 /usr/bin/gcc # chmod g-rx /usr/bin/gcc # ls -l /usr/bin/gcc -rwx---r-x 1 root jerks 74088 Sep 23 15:13 /usr/bin/gcc
What do we have now?
Next week we'll cover the finer points of directory permissions, after which we'll get back to more interesting aspects of Linux Security.
 Of course, if the file isn't an executable program, shell script, or other recognisable form, Linux will stick it's tongue out at you.
compiled executables can often be run without the execute bit, such as using
course you could always
Bri Hatch is Chief Hacker at Onsight, Inc and author of Hacking Linux Exposed and Building Linux VPNs. Several years ago he ran "chown bree /dev/heart" and has been happy ever since. Bri can be reached at firstname.lastname@example.org.
Copyright Bri Hatch, 2003
This is the April 17, 2003 issue of the Linux Security: Tips, Tricks, and Hackery newsletter. If you wish to subscribe, visit http://lists.onsight.com/ or send email to Linux_Securityemail@example.com.