Linux File Permission Cheat Sheet
- Necessary and sufficient knowledge on Linux file and directory permissions
- With practical examples
- Sourced from GitHub
User permission triads
- There are three permission triads (`rwx rwx rwx`), each corresponding to a particular class of users
  - The 1st one (`rwx --- ---`) is for the owner user
  - The 2nd one (`--- rwx ---`) is for group users
  - The 3rd one (`--- --- rwx`) is for other users
- Each permission triad (`rwx`) corresponds to a particular set of operations defined on files and directories
  - `r` is for the read operation
  - `w` is for the write operation
  - `x` is for the execute operation
File permissions
- `read` file permission
  - Allows the corresponding user (owner, group, other) to read the file
- `write` file permission
  - Allows the corresponding user to modify (create, move, rename, change attributes, delete) the file
  - For the operations on the directory entry among these (create, move, rename, delete), it is the containing directory's `write` permission that decides, as the directory permission examples below show
- `execute` file permission
  - Allows the corresponding user to execute the file
- All the above permissions have effect only if `execute` permission for the corresponding user is set on the directory and all its parent directories
File permission examples
Effects of `read` file permission
user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user1@ubuntu20lts:~/tmp$ echo test > file
user1@ubuntu20lts:~/tmp$ ls -l file
-rw-rw-r-- 1 user1 user1 5 Jul 26 21:59 file
user1@ubuntu20lts:~/tmp$ cat file
test
user1@ubuntu20lts:~/tmp$ chmod a-r file
user1@ubuntu20lts:~/tmp$ ls -l file
--w--w---- 1 user1 user1 5 Jul 26 21:59 file
user1@ubuntu20lts:~/tmp$ cat file
cat: file: Permission denied
Effects of `write` file permission
user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user1@ubuntu20lts:~/tmp$ echo test > file
user1@ubuntu20lts:~/tmp$ ls -l file
-rw-rw-r-- 1 user1 user1 5 Jul 26 22:00 file
user1@ubuntu20lts:~/tmp$ chmod a-w file
user1@ubuntu20lts:~/tmp$ ls -l file
-r--r--r-- 1 user1 user1 5 Jul 26 22:00 file
user1@ubuntu20lts:~/tmp$ echo test > file
-bash: file: Permission denied
Effects of `execute` file permission
user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user1@ubuntu20lts:~/tmp$ echo "#/usr/bin/env bash" > file
user1@ubuntu20lts:~/tmp$ echo "date" >> file
user1@ubuntu20lts:~/tmp$ chmod a+x file
user1@ubuntu20lts:~/tmp$ ls -l file
-rwxrwxr-x 1 user1 user1 24 Jul 26 22:02 file
user1@ubuntu20lts:~/tmp$ ./file
Sun 26 Jul 2020 10:02:35 PM UTC
user1@ubuntu20lts:~/tmp$ chmod a-x file
user1@ubuntu20lts:~/tmp$ ls -l file
-rw-rw-r-- 1 user1 user1 24 Jul 26 22:02 file
user1@ubuntu20lts:~/tmp$ ./file
-bash: ./file: Permission denied
Effects of unset `execute` directory permission on file permissions
`read` file permission
user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user1@ubuntu20lts:~/tmp$ echo test > file
user1@ubuntu20lts:~/tmp$ cd ..
user1@ubuntu20lts:~$ find ./tmp/ -ls
259893 4 drwxrwxr-x 2 user1 user1 4096 Jul 26 22:03 ./tmp/
259894 4 -rw-rw-r-- 1 user1 user1 5 Jul 26 22:03 ./tmp/file
user1@ubuntu20lts:~$ cat ./tmp/file
test
user1@ubuntu20lts:~$ chmod a-x tmp/
user1@ubuntu20lts:~$ find ./tmp/ -ls
259893 4 drw-rw-r-- 2 user1 user1 4096 Jul 26 22:03 ./tmp/
find: ‘./tmp/file’: Permission denied
user1@ubuntu20lts:~$ cat ./tmp/file
cat: ./tmp/file: Permission denied
`write` file permission
user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user1@ubuntu20lts:~/tmp$ cd ..
user1@ubuntu20lts:~$ echo test > tmp/file
user1@ubuntu20lts:~$ find ./tmp/ -ls
258932 4 drwxrwxr-x 2 user1 user1 4096 Jul 26 22:53 ./tmp/
258941 4 -rw-rw-r-- 1 user1 user1 5 Jul 26 22:53 ./tmp/file
user1@ubuntu20lts:~$ chmod a-x tmp/
user1@ubuntu20lts:~$ find ./tmp/ -ls
258932 4 drw-rw-r-- 2 user1 user1 4096 Jul 26 22:53 ./tmp/
find: ‘./tmp/file’: Permission denied
user1@ubuntu20lts:~$ echo test > tmp/file
-bash: tmp/file: Permission denied
`execute` file permission
user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user1@ubuntu20lts:~/tmp$ echo "#/usr/bin/env bash" > file
user1@ubuntu20lts:~/tmp$ echo "date" >> file
user1@ubuntu20lts:~/tmp$ chmod a+x file
user1@ubuntu20lts:~/tmp$ cd ..
user1@ubuntu20lts:~$ find ./tmp/ -ls
258932 4 drwxrwxr-x 2 user1 user1 4096 Jul 26 23:01 ./tmp/
258941 4 -rwxrwxr-x 1 user1 user1 24 Jul 26 23:01 ./tmp/file
user1@ubuntu20lts:~$ ./tmp/file
Sun 26 Jul 2020 11:01:41 PM UTC
user1@ubuntu20lts:~$ chmod a-x tmp/
user1@ubuntu20lts:~$ find ./tmp/ -ls
258932 4 drw-rw-r-- 2 user1 user1 4096 Jul 26 23:01 ./tmp/
find: ‘./tmp/file’: Permission denied
user1@ubuntu20lts:~$ ./tmp/file
-bash: ./tmp/file: Permission denied
Directory permissions
- `read` directory permission
  - Allows the corresponding user (owner, group, other) to display the directory's files and subdirectories
  - Has effect only on the files and subdirectories which are directly beneath the subject directory
  - Has effect only if `execute` permission for the corresponding user is also set on the directory and all its parent directories
- `write` directory permission
  - Allows the corresponding user to modify (create, move, rename, change attributes, delete) files and subdirectories within the directory
  - Has effect only on the files and subdirectories which are directly beneath the subject directory
  - Has effect on files and subdirectories of the subject directory independent of the permissions of these files and subdirectories
  - Has effect only if `execute` permission for the corresponding user is also set on the directory and all its parent directories
- `execute` directory permission
  - Allows the corresponding user to change their current working directory to this directory (via the `cd` command)
  - Has effect as long as this `execute` permission is set on all parent directories as well
  - Affects `read` and `write` directory permissions
- `rwx`
  - Full access to a directory is provided by combining `execute` permission with `read` and `write` permissions
- `r-x`
  - Read-only access to a directory is provided by combining `execute` permission with `read` permission
- `-wx`
  - Combining `execute` and `write` directory permissions (without `read` permission) leads to a weird access mode, where full access to the directory is enabled, but the standard way of displaying the names of files and directories is not possible
- `rw-`, `r--`
  - Disabling `execute` permission for a directory with `read` permission set leads to a weird access mode, where only reading the names of files and directories directly beneath the subject directory is possible
- `-w-`, `---`
  - Disabling `execute` permission for a directory with `read` permission unset is the same as providing no access to the directory
- `--x`
  - Setting `execute` permission on a directory where `read` and `write` permissions are unset leads to a weird access mode, where it is possible to change the current working directory to subdirectories of the subject directory (if the names of those subdirectories are known beforehand) and to do any operations except ones related to reading or modifying the directory structure itself (reading names from the directory; creating, moving, renaming, deleting files or subdirectories)
- Directory permissions short summary

| permission triad | access mode | comments |
| --- | --- | --- |
| `---` | no access | |
| `r--` | weird mode | only reading file and subdirectory names is possible |
| `-w-` | no access | the same as `---` |
| `--x` | weird mode | only changing to subdirectories is possible if their names are known |
| `rw-` | weird mode | the same as `r--` |
| `r-x` | read only | |
| `-wx` | weird mode | any operations on files and subdirectories are possible if their names are known |
| `rwx` | full | |
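The rules above (one triad per user class, `execute` needed on every directory on the path, the weird modes in the summary table) can be checked against a small model of the kernel's discretionary access check. The following Python is an added example, not code from the cheat sheet: it builds an in-memory tree with the same layout as the sessions below (`dirA/dirB/dirC` plus a `file`, everything owned by a constructed uid/gid 1000 with the 775/664 modes the sessions show), parses `ls`/`find`-style mode strings such as `d-wx-wx--x` or `dr-xr-xr-t`, and answers whether a given uid may read, write, list, create, unlink or move a path. It also encodes the `rename(2)` rule that a directory moved to a different parent needs write permission on itself, which the `write` directory permission examples further down run into. `Node`, `parse_mode`, `lookup`, `can` and `demo_tree` are names invented for this example; root privileges (which bypass these checks), ACLs and mount options are deliberately not modeled.

```python
# Added example: in-memory model of the Unix permission check (not part of
# the cheat sheet). Assumed names: Node, parse_mode, lookup, can, demo_tree.
import stat
from dataclasses import dataclass, field

R, W, X = 4, 2, 1  # bit values inside one rwx triad


def parse_mode(text):
    """Turn an ls/find mode string such as 'd-wx-wx--x' or '-rwsr-xr-x'
    into numeric permission bits; the leading type character is optional."""
    s = text[1:] if len(text) == 10 else text
    if len(s) != 9:
        raise ValueError("expected 9 permission characters: %r" % text)
    mode = 0
    for i, ch in enumerate(s):
        bit = 1 << (8 - i)
        if i % 3 == 2 and ch in "sStT":
            # execute slot: s/t = special bit plus x, S/T = special bit only
            mode |= {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}[i]
            if ch in "st":
                mode |= bit
        elif ch in "rwx":
            mode |= bit
        elif ch != "-":
            raise ValueError("bad character %r in %r" % (ch, text))
    return mode


@dataclass
class Node:
    """A file or directory in the model tree."""
    is_dir: bool
    mode: int
    uid: int
    gid: int
    children: dict = field(default_factory=dict)


def _allowed(node, uid, gids, want):
    """Exactly one triad applies: owner, else group, else other. The kernel
    never falls through to a later triad, so the owner triad can grant
    less than 'other' does."""
    shift = 6 if uid == node.uid else 3 if node.gid in gids else 0
    return ((node.mode >> shift) & 0o7) & want == want


def lookup(root, path, uid, gids):
    """Resolve path; every directory on the way needs execute (search).
    Returns (parent, name, node); node is None if the last part is absent."""
    parts = [p for p in path.split("/") if p]
    parent, node = None, root
    for i, name in enumerate(parts):
        if not node.is_dir:
            raise NotADirectoryError(path)
        if not _allowed(node, uid, gids, X):
            raise PermissionError("no execute on /" + "/".join(parts[:i]))
        parent, node = node, node.children.get(name)
        if node is None:
            if i != len(parts) - 1:
                raise FileNotFoundError(path)
            break
    return parent, (parts[-1] if parts else ""), node


def can(root, op, path, uid, gids, dest=None):
    """True if uid (member of groups gids) may perform op on path.
    ops: read/write/exec (files), list/search (directories),
    create/unlink (entry in the parent), move (path -> dest, no overwrite)."""
    try:
        parent, _, node = lookup(root, path, uid, gids)
        if op in ("read", "write", "exec", "list", "search"):
            want = {"read": R, "write": W, "exec": X, "list": R, "search": X}[op]
            return node is not None and _allowed(node, uid, gids, want)
        if op == "create":
            # execute on the parent was already proved by reaching it; it needs write too
            return node is None and parent is not None and _allowed(parent, uid, gids, W)
        if node is None or parent is None or not _allowed(parent, uid, gids, W):
            return False
        if op == "unlink":
            # sticky parent (chmod o+t): only the entry's or the directory's owner may remove it
            return not (parent.mode & stat.S_ISVTX) or uid in (node.uid, parent.uid)
        if op == "move":
            dparent, _, dnode = lookup(root, dest, uid, gids)
            if dnode is not None or dparent is None or not _allowed(dparent, uid, gids, W):
                return False
            # rename(2): moving a directory to a different parent rewrites its
            # '..' entry, so the directory itself needs write permission
            return not (node.is_dir and dparent is not parent) or _allowed(node, uid, gids, W)
        raise ValueError("unknown op %r" % op)
    except (PermissionError, FileNotFoundError, NotADirectoryError):
        return False


def demo_tree():
    """Constructed tree mirroring the sessions: ~/tmp/dirA/dirB/{dirC,file},
    everything owned by uid/gid 1000 with the default 775/664 modes."""
    def mk(is_dir, mode):
        return Node(is_dir, mode, 1000, 1000)
    root, dir_a, dir_b = mk(True, 0o775), mk(True, 0o775), mk(True, 0o775)
    root.children["dirA"] = dir_a
    dir_a.children["dirB"] = dir_b
    dir_b.children["dirC"] = mk(True, 0o775)
    dir_b.children["file"] = mk(False, 0o664)
    return root
```

Setting `dirB` to `d-wx-wx--x`, `drw-rw-r--` or `d--x--x--x` in the model and asking `can(...)` reproduces the weird-mode rows of the table; changing the file's mode to `----rw-rw-` shows that the owner is locked out even though the group triad would allow reading, because only one triad is ever consulted.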
Directory permission examples
Effects of `read` directory permission
user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB
user1@ubuntu20lts:~/tmp$ touch dirA/dirB/file
user1@ubuntu20lts:~/tmp$ find . -ls
258126 4 drwxrwxr-x 3 user1 user1 4096 Jul 24 20:59 .
258308 4 drwxrwxr-x 3 user1 user1 4096 Jul 24 20:59 ./dirA
258915 4 drwxrwxr-x 2 user1 user1 4096 Jul 24 20:59 ./dirA/dirB
258916 0 -rw-rw-r-- 1 user1 user1 0 Jul 24 20:59 ./dirA/dirB/file
user1@ubuntu20lts:~/tmp$ chmod a-r ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
258126 4 drwxrwxr-x 3 user1 user1 4096 Jul 24 20:59 .
258308 4 drwxrwxr-x 3 user1 user1 4096 Jul 24 20:59 ./dirA
258915 4 d-wx-wx--x 2 user1 user1 4096 Jul 24 20:59 ./dirA/dirB
find: ‘./dirA/dirB’: Permission denied
user1@ubuntu20lts:~/tmp$ chmod a+r ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
258126 4 drwxrwxr-x 3 user1 user1 4096 Jul 24 21:02 .
258308 4 drwxrwxr-x 3 user1 user1 4096 Jul 24 21:02 ./dirA
258915 4 drwxrwxr-x 2 user1 user1 4096 Jul 24 21:02 ./dirA/dirB
258916 0 -rw-rw-r-- 1 user1 user1 0 Jul 24 21:02 ./dirA/dirB/file
user1@ubuntu20lts:~/tmp$ chmod a-r ./dirA
user1@ubuntu20lts:~/tmp$ find . -ls
258126 4 drwxrwxr-x 3 user1 user1 4096 Jul 24 21:02 .
258308 4 d-wx-wx--x 3 user1 user1 4096 Jul 24 21:02 ./dirA
find: ‘./dirA’: Permission denied
user1@ubuntu20lts:~/tmp$ chmod a+r ./dirA
user1@ubuntu20lts:~/tmp$ find . -ls
258126 4 drwxrwxr-x 3 user1 user1 4096 Jul 24 21:02 .
258308 4 drwxrwxr-x 3 user1 user1 4096 Jul 24 21:02 ./dirA
258915 4 drwxrwxr-x 2 user1 user1 4096 Jul 24 21:02 ./dirA/dirB
258916 0 -rw-rw-r-- 1 user1 user1 0 Jul 24 21:02 ./dirA/dirB/file
Effects of `read` directory permission propagate only to files and subdirectories which are directly beneath the subject directory
- Directory `read` permission doesn't propagate through the directory hierarchy further than the entries directly beneath the subject directory
user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ echo test > dirA/dirB/dirC/file
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 11:50 .
258916 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 11:50 ./dirA
258920 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 11:50 ./dirA/dirB
258924 4 drwxrwxr-x 2 user1 user1 4096 Jul 31 11:50 ./dirA/dirB/dirC
258942 4 -rw-rw-r-- 1 user1 user1 5 Jul 31 11:50 ./dirA/dirB/dirC/file
user1@ubuntu20lts:~/tmp$ chmod a-r ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 11:50 .
258916 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 11:50 ./dirA
258920 4 d-wx-wx--x 3 user1 user1 4096 Jul 31 11:50 ./dirA/dirB
find: ‘./dirA/dirB’: Permission denied
user1@ubuntu20lts:~/tmp$ ls -la ./dirA/dirB
ls: cannot open directory './dirA/dirB': Permission denied
user1@ubuntu20lts:~/tmp$ ls -la ./dirA/dirB/dirC
total 12
drwxrwxr-x 2 user1 user1 4096 Jul 31 11:50 .
d-wx-wx--x 3 user1 user1 4096 Jul 31 11:50 ..
-rw-rw-r-- 1 user1 user1 5 Jul 31 11:50 file
user1@ubuntu20lts:~/tmp$ cd ./dirA/dirB/dirC
user1@ubuntu20lts:~/tmp/dirA/dirB/dirC$ ls -la
total 12
drwxrwxr-x 2 user1 user1 4096 Jul 31 11:50 .
d-wx-wx--x 3 user1 user1 4096 Jul 31 11:50 ..
-rw-rw-r-- 1 user1 user1 5 Jul 31 11:50 file
user1@ubuntu20lts:~/tmp/dirA/dirB/dirC$ cat file
test
Effects of `write` directory permission
- We cannot create, move, rename, or delete files and subdirectories in a directory which has no `write` directory permission
user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ touch dirA/dirB/file
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:35 .
258943 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:35 ./dirA
258973 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:36 ./dirA/dirB
259894 0 -rw-rw-r-- 1 user1 user1 0 Jul 27 11:36 ./dirA/dirB/file
259889 4 drwxrwxr-x 2 user1 user1 4096 Jul 27 11:35 ./dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ chmod a-w ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:35 .
258943 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:35 ./dirA
258973 4 dr-xr-xr-x 3 user1 user1 4096 Jul 27 11:36 ./dirA/dirB
259894 0 -rw-rw-r-- 1 user1 user1 0 Jul 27 11:36 ./dirA/dirB/file
259889 4 drwxrwxr-x 2 user1 user1 4096 Jul 27 11:35 ./dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ rm -fr ./dirA/dirB
rm: cannot remove './dirA/dirB/file': Permission denied
rm: cannot remove './dirA/dirB/dirC': Permission denied
user1@ubuntu20lts:~/tmp$ rm -fr ./dirA/dirB/file
rm: cannot remove './dirA/dirB/file': Permission denied
user1@ubuntu20lts:~/tmp$ rm -fr ./dirA/dirB/dirC
rm: cannot remove './dirA/dirB/dirC': Permission denied
user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/file ./dirA/dirB/file1
mv: cannot move './dirA/dirB/file' to './dirA/dirB/file1': Permission denied
user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/dirC ./dirA/dirB/dirD
mv: cannot move './dirA/dirB/dirC' to './dirA/dirB/dirD': Permission denied
user1@ubuntu20lts:~/tmp$ touch ./dirA/dirB/file1
touch: cannot touch './dirA/dirB/file1': Permission denied
user1@ubuntu20lts:~/tmp$ mkdir ./dirA/dirB/dirD
mkdir: cannot create directory ‘./dirA/dirB/dirD’: Permission denied
user1@ubuntu20lts:~/tmp$ chmod a+w ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:35 .
258943 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:35 ./dirA
258973 4 drwxrwxrwx 3 user1 user1 4096 Jul 27 11:36 ./dirA/dirB
259894 0 -rw-rw-r-- 1 user1 user1 0 Jul 27 11:36 ./dirA/dirB/file
259889 4 drwxrwxr-x 2 user1 user1 4096 Jul 27 11:35 ./dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ rm -fr ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:35 .
258943 4 drwxrwxr-x 2 user1 user1 4096 Jul 27 11:37 ./dirA
- But we can write to files (if the file's permissions allow this) and change attributes of files and subdirectories in a directory which has no `write` directory permission
user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ touch dirA/dirB/file
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:40 .
258943 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:40 ./dirA
258973 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:40 ./dirA/dirB
259894 0 -rw-rw-r-- 1 user1 user1 0 Jul 27 11:40 ./dirA/dirB/file
259889 4 drwxrwxr-x 2 user1 user1 4096 Jul 27 11:40 ./dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ chmod a-w ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:40 .
258943 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:40 ./dirA
258973 4 dr-xr-xr-x 3 user1 user1 4096 Jul 27 11:40 ./dirA/dirB
259894 0 -rw-rw-r-- 1 user1 user1 0 Jul 27 11:40 ./dirA/dirB/file
259889 4 drwxrwxr-x 2 user1 user1 4096 Jul 27 11:40 ./dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ chmod a-rw ./dirA/dirB/file
user1@ubuntu20lts:~/tmp$ chmod a-rwx ./dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:40 .
258943 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:40 ./dirA
258973 4 dr-xr-xr-x 3 user1 user1 4096 Jul 27 11:40 ./dirA/dirB
259894 0 ---------- 1 user1 user1 0 Jul 27 11:40 ./dirA/dirB/file
259889 4 d--------- 2 user1 user1 4096 Jul 27 11:40 ./dirA/dirB/dirC
find: ‘./dirA/dirB/dirC’: Permission denied
user1@ubuntu20lts:~/tmp$ chmod a+rw ./dirA/dirB/file
user1@ubuntu20lts:~/tmp$ echo "test" > ./dirA/dirB/file
user1@ubuntu20lts:~/tmp$ cat ./dirA/dirB/file
test
Effects of `write` directory permission propagate only to files and subdirectories which are directly beneath the subject directory
- Directory `write` permission doesn't propagate through the directory hierarchy further than the entries directly beneath the subject directory
user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ touch dirA/dirB/dirC/file
user1@ubuntu20lts:~/tmp$ chmod a-w dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 13:13 .
258943 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 13:13 ./dirA
258973 4 dr-xr-xr-x 3 user1 user1 4096 Jul 27 13:13 ./dirA/dirB
259889 4 drwxrwxr-x 2 user1 user1 4096 Jul 27 13:13 ./dirA/dirB/dirC
259894 0 -rw-rw-r-- 1 user1 user1 0 Jul 27 13:13 ./dirA/dirB/dirC/file
user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/dirC/file ./dirA/dirB/dirC/file1
user1@ubuntu20lts:~/tmp$ chmod o+w ./dirA/dirB/dirC/file1
user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/dirC/file1 ./
user1@ubuntu20lts:~/tmp$ mv file1 ./dirA/dirB/dirC/file2
user1@ubuntu20lts:~/tmp$ touch ./dirA/dirB/dirC/file3
user1@ubuntu20lts:~/tmp$ rm ./dirA/dirB/dirC/file3
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 13:14 .
258943 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 13:13 ./dirA
258973 4 dr-xr-xr-x 3 user1 user1 4096 Jul 27 13:13 ./dirA/dirB
259889 4 drwxrwxr-x 2 user1 user1 4096 Jul 27 13:14 ./dirA/dirB/dirC
259894 0 -rw-rw-rw- 1 user1 user1 0 Jul 27 13:13 ./dirA/dirB/dirC/file2
Effects of `write` directory permission do not depend on permissions of files and subdirectories beneath the subject directory
- Within a directory with `write` permission we can modify (rename, change attributes, delete) files and subdirectories which have no `write` permission
user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB
user1@ubuntu20lts:~/tmp$ touch dirA/file
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:05 .
258943 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:05 ./dirA
259889 0 -rw-rw-r-- 1 user1 user1 0 Jul 27 11:05 ./dirA/file
258973 4 drwxrwxr-x 2 user1 user1 4096 Jul 27 11:05 ./dirA/dirB
user1@ubuntu20lts:~/tmp$ chmod a-w dirA/file dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:05 .
258943 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:05 ./dirA
259889 0 -r--r--r-- 1 user1 user1 0 Jul 27 11:05 ./dirA/file
258973 4 dr-xr-xr-x 2 user1 user1 4096 Jul 27 11:05 ./dirA/dirB
user1@ubuntu20lts:~/tmp$ mv dirA/file dirA/file1
user1@ubuntu20lts:~/tmp$ mv dirA/dirB dirA/dirC
user1@ubuntu20lts:~/tmp$ chmod a-r ./dirA/file1
user1@ubuntu20lts:~/tmp$ chmod a-rx ./dirA/dirC
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:05 .
258943 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:06 ./dirA
259889 0 ---------- 1 user1 user1 0 Jul 27 11:05 ./dirA/file1
258973 4 d--------- 2 user1 user1 4096 Jul 27 11:05 ./dirA/dirC
find: ‘./dirA/dirC’: Permission denied
user1@ubuntu20lts:~/tmp$ rm -fr dirA/file1 dirA/dirC
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:05 .
258943 4 drwxrwxr-x 2 user1 user1 4096 Jul 27 11:06 ./dirA
- But within a directory with `write` permission we can only move files, not subdirectories, which have no `write` permission, ⁉️ which looks strange ⁉️
  - The reason is in `rename(2)`: moving a directory to a different parent directory rewrites its `..` entry, so write permission on the directory being moved is required; renaming it within the same parent does not touch `..` and is allowed
user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB
user1@ubuntu20lts:~/tmp$ touch dirA/file
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 12:34 .
258943 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 12:34 ./dirA
259889 0 -rw-rw-r-- 1 user1 user1 0 Jul 27 12:34 ./dirA/file
258973 4 drwxrwxr-x 2 user1 user1 4096 Jul 27 12:34 ./dirA/dirB
user1@ubuntu20lts:~/tmp$ chmod a-w dirA/file dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 12:34 .
258943 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 12:34 ./dirA
259889 0 -r--r--r-- 1 user1 user1 0 Jul 27 12:34 ./dirA/file
258973 4 dr-xr-xr-x 2 user1 user1 4096 Jul 27 12:34 ./dirA/dirB
user1@ubuntu20lts:~/tmp$ mv ./dirA/file ./
user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB ./
mv: cannot move './dirA/dirB' to './dirB': Permission denied
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 12:35 .
259889 0 -r--r--r-- 1 user1 user1 0 Jul 27 12:34 ./file
258943 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 12:35 ./dirA
258973 4 dr-xr-xr-x 2 user1 user1 4096 Jul 27 12:34 ./dirA/dirB
user1@ubuntu20lts:~/tmp$ chmod a+w dirA/dirB
user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB ./
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 4 user1 user1 4096 Jul 27 12:36 .
259889 0 -r--r--r-- 1 user1 user1 0 Jul 27 12:34 ./file
258943 4 drwxrwxr-x 2 user1 user1 4096 Jul 27 12:36 ./dirA
258973 4 drwxrwxrwx 2 user1 user1 4096 Jul 27 12:34 ./dirB
- Also within a directory with `write` permission we cannot delete subdirectories which have no `write` permission and are not empty, but we can rename them and change their attributes
user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB
user1@ubuntu20lts:~/tmp$ touch dirA/dirB/file
user1@ubuntu20lts:~/tmp$ chmod a-w dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 12:51 .
258943 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 12:51 ./dirA
258973 4 dr-xr-xr-x 2 user1 user1 4096 Jul 27 12:51 ./dirA/dirB
259889 0 -rw-rw-r-- 1 user1 user1 0 Jul 27 12:51 ./dirA/dirB/file
user1@ubuntu20lts:~/tmp$ rm -fr dirA/dirB
rm: cannot remove 'dirA/dirB/file': Permission denied
user1@ubuntu20lts:~/tmp$ rm -fr dirA/dirB/file
rm: cannot remove 'dirA/dirB/file': Permission denied
user1@ubuntu20lts:~/tmp$ mv dirA/dirB dirA/dirC
user1@ubuntu20lts:~/tmp$ chmod o+t ./dirA/dirC
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 12:51 .
258943 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 12:52 ./dirA
258973 4 dr-xr-xr-t 2 user1 user1 4096 Jul 27 12:51 ./dirA/dirC
259889 0 -rw-rw-r-- 1 user1 user1 0 Jul 27 12:51 ./dirA/dirC/file
user1@ubuntu20lts:~/tmp$ chmod a+w dirA/dirC
user1@ubuntu20lts:~/tmp$ rm -fr dirA/dirC/file
user1@ubuntu20lts:~/tmp$ chmod a-w dirA/dirC/
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 12:51 .
258943 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 12:52 ./dirA
258973 4 dr-xr-xr-t 2 user1 user1 4096 Jul 27 12:55 ./dirA/dirC
user1@ubuntu20lts:~/tmp$ rm -fr dirA/dirC/
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 12:51 .
258943 4 drwxrwxr-x 2 user1 user1 4096 Jul 27 12:55 ./dirA
Effects of `execute` directory permission
user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 28 15:19 .
258916 4 drwxrwxr-x 3 user1 user1 4096 Jul 28 15:19 ./dirA
258921 4 drwxrwxr-x 3 user1 user1 4096 Jul 28 15:19 ./dirA/dirB
258924 4 drwxrwxr-x 2 user1 user1 4096 Jul 28 15:19 ./dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ cd ./dirA/dirB
user1@ubuntu20lts:~/tmp/dirA/dirB$ cd dirC/
user1@ubuntu20lts:~/tmp/dirA/dirB/dirC$ cd ~/tmp
user1@ubuntu20lts:~/tmp$ chmod a-x ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 28 15:19 .
258916 4 drwxrwxr-x 3 user1 user1 4096 Jul 28 15:19 ./dirA
258921 4 drw-rw-r-- 3 user1 user1 4096 Jul 28 15:19 ./dirA/dirB
find: ‘./dirA/dirB/dirC’: Permission denied
user1@ubuntu20lts:~/tmp$ cd ./dirA/dirB
-bash: cd: ./dirA/dirB: Permission denied
user1@ubuntu20lts:~/tmp$ cd ./dirA/dirB/dirC
-bash: cd: ./dirA/dirB/dirC: Permission denied
Effects of `execute` directory permission propagate to all subdirectories of the subject directory
user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 12:34 .
258916 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 12:34 ./dirA
258920 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 12:34 ./dirA/dirB
258924 4 drwxrwxr-x 2 user1 user1 4096 Jul 31 12:34 ./dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ cd dirA/dirB
user1@ubuntu20lts:~/tmp/dirA/dirB$ cd dirC/
user1@ubuntu20lts:~/tmp/dirA/dirB/dirC$ cd ~/tmp
user1@ubuntu20lts:~/tmp$ chmod a-x dirA/dirB
user1@ubuntu20lts:~/tmp$ ls -la dirA/dirB
ls: cannot access 'dirA/dirB/.': Permission denied
ls: cannot access 'dirA/dirB/dirC': Permission denied
ls: cannot access 'dirA/dirB/..': Permission denied
total 0
d????????? ? ? ? ? ? .
d????????? ? ? ? ? ? ..
d????????? ? ? ? ? ? dirC
user1@ubuntu20lts:~/tmp$ ls -la dirA/dirB/dirC
ls: cannot access 'dirA/dirB/dirC': Permission denied
user1@ubuntu20lts:~/tmp$ cd dirA/dirB
-bash: cd: dirA/dirB: Permission denied
user1@ubuntu20lts:~/tmp$ cd dirA/dirB/dirC
-bash: cd: dirA/dirB/dirC: Permission denied
Effects of unset `execute` directory permission on `read` directory permission
user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ touch dirA/dirB/file dirA/dirB/dirC/file
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 28 15:59 .
258916 4 drwxrwxr-x 3 user1 user1 4096 Jul 28 15:59 ./dirA
258921 4 drwxrwxr-x 3 user1 user1 4096 Jul 28 16:00 ./dirA/dirB
258942 0 -rw-rw-r-- 1 user1 user1 0 Jul 28 16:00 ./dirA/dirB/file
258924 4 drwxrwxr-x 2 user1 user1 4096 Jul 28 16:00 ./dirA/dirB/dirC
258943 0 -rw-rw-r-- 1 user1 user1 0 Jul 28 16:00 ./dirA/dirB/dirC/file
user1@ubuntu20lts:~/tmp$ chmod a-x ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 28 15:59 .
258916 4 drwxrwxr-x 3 user1 user1 4096 Jul 28 15:59 ./dirA
258921 4 drw-rw-r-- 3 user1 user1 4096 Jul 28 16:00 ./dirA/dirB
find: ‘./dirA/dirB/file’: Permission denied
find: ‘./dirA/dirB/dirC’: Permission denied
user1@ubuntu20lts:~/tmp$ ls -l ./dirA/dirB
ls: cannot access './dirA/dirB/file': Permission denied
ls: cannot access './dirA/dirB/dirC': Permission denied
total 0
d????????? ? ? ? ? ? dirC
-????????? ? ? ? ? ? file
user1@ubuntu20lts:~/tmp$ ls -l ./dirA/dirB/dirC
ls: cannot access './dirA/dirB/dirC': Permission denied
user1@ubuntu20lts:~/tmp$ ls -l ./dirA/dirB/file
ls: cannot access './dirA/dirB/file': Permission denied
user1@ubuntu20lts:~/tmp$ cat ./dirA/dirB/file
cat: ./dirA/dirB/file: Permission denied
Effects of unset `execute` directory permission on `write` directory permission
user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ touch dirA/dirB/file dirA/dirB/dirC/file
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 06:11 .
258916 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 06:11 ./dirA
258920 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 06:11 ./dirA/dirB
258922 0 -rw-rw-r-- 1 user1 user1 0 Jul 31 06:11 ./dirA/dirB/file
258921 4 drwxrwxr-x 2 user1 user1 4096 Jul 31 06:11 ./dirA/dirB/dirC
258924 0 -rw-rw-r-- 1 user1 user1 0 Jul 31 06:11 ./dirA/dirB/dirC/file
user1@ubuntu20lts:~/tmp$ chmod a-x ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 06:11 .
258916 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 06:11 ./dirA
258920 4 drw-rw-r-- 3 user1 user1 4096 Jul 31 06:11 ./dirA/dirB
find: ‘./dirA/dirB/file’: Permission denied
find: ‘./dirA/dirB/dirC’: Permission denied
user1@ubuntu20lts:~/tmp$ rm -fr ./dirA/dirB/file
rm: cannot remove './dirA/dirB/file': Permission denied
user1@ubuntu20lts:~/tmp$ rm -fr ./dirA/dirB/dirC
rm: cannot remove './dirA/dirB/dirC': Permission denied
user1@ubuntu20lts:~/tmp$ touch ./dirA/dirB/file1
touch: cannot touch './dirA/dirB/file1': Permission denied
user1@ubuntu20lts:~/tmp$ mkdir ./dirA/dirB/dirD
mkdir: cannot create directory ‘./dirA/dirB/dirD’: Permission denied
user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/file ./dirA/dirB/file1
mv: failed to access './dirA/dirB/file1': Permission denied
user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/dirC ./dirA/dirB/dirD
mv: failed to access './dirA/dirB/dirD': Permission denied
user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/file ./
mv: cannot stat './dirA/dirB/file': Permission denied
user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/dirC ./
mv: cannot stat './dirA/dirB/dirC': Permission denied
user1@ubuntu20lts:~/tmp$ chmod a+x ./dirA/dirB/file
chmod: cannot access './dirA/dirB/file': Permission denied
Combining `execute` and `write` directory permissions with unset `read` directory permission
user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ touch dirA/dirB/dirC/file
user1@ubuntu20lts:~/tmp$ echo test > dirA/dirB/file
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 11:39 .
258916 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 11:39 ./dirA
258920 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 11:39 ./dirA/dirB
258943 4 -rw-rw-r-- 1 user1 user1 5 Jul 31 11:39 ./dirA/dirB/file
258924 4 drwxrwxr-x 2 user1 user1 4096 Jul 31 11:39 ./dirA/dirB/dirC
258942 0 -rw-rw-r-- 1 user1 user1 0 Jul 31 11:39 ./dirA/dirB/dirC/file
user1@ubuntu20lts:~/tmp$ chmod a-r ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 11:39 .
258916 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 11:39 ./dirA
258920 4 d-wx-wx--x 3 user1 user1 4096 Jul 31 11:39 ./dirA/dirB
find: ‘./dirA/dirB’: Permission denied
user1@ubuntu20lts:~/tmp$ ls -la ./dirA/dirB/file
-rw-rw-r-- 1 user1 user1 5 Jul 31 11:39 ./dirA/dirB/file
user1@ubuntu20lts:~/tmp$ cat ./dirA/dirB/file
test
user1@ubuntu20lts:~/tmp$ ls -la ./dirA/dirB/dirC
total 8
drwxrwxr-x 2 user1 user1 4096 Jul 31 11:39 .
d-wx-wx--x 3 user1 user1 4096 Jul 31 11:39 ..
-rw-rw-r-- 1 user1 user1 0 Jul 31 11:39 file
user1@ubuntu20lts:~/tmp$ cd ./dirA/dirB
user1@ubuntu20lts:~/tmp/dirA/dirB$ find . -ls
258920 4 d-wx-wx--x 3 user1 user1 4096 Jul 31 11:39 .
find: ‘.’: Permission denied
user1@ubuntu20lts:~/tmp/dirA/dirB$ ls -la .
ls: cannot open directory '.': Permission denied
user1@ubuntu20lts:~/tmp/dirA/dirB$ mkdir dirD
user1@ubuntu20lts:~/tmp/dirA/dirB$ mv dirD dirE
user1@ubuntu20lts:~/tmp/dirA/dirB$ rm -fr dirE
user1@ubuntu20lts:~/tmp/dirA/dirB$ touch file1
user1@ubuntu20lts:~/tmp/dirA/dirB$ mv file1 file2
user1@ubuntu20lts:~/tmp/dirA/dirB$ rm -fr file2
user1@ubuntu20lts:~/tmp/dirA/dirB$ mv dirC ../
user1@ubuntu20lts:~/tmp/dirA/dirB$ chmod a+x file
user1@ubuntu20lts:~/tmp/dirA/dirB$ ls -la file
-rwxrwxr-x 1 user1 user1 5 Jul 31 11:39 file
Effects of setting only `execute` directory permission
user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ echo test > dirA/dirB/file
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 13:48 .
258916 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 13:48 ./dirA
258920 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 13:48 ./dirA/dirB
258942 4 -rw-rw-r-- 1 user1 user1 5 Jul 31 13:48 ./dirA/dirB/file
258924 4 drwxrwxr-x 2 user1 user1 4096 Jul 31 13:48 ./dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ chmod a-wr ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 13:48 .
258916 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 13:48 ./dirA
258920 4 d--x--x--x 3 user1 user1 4096 Jul 31 13:48 ./dirA/dirB
find: ‘./dirA/dirB’: Permission denied
user1@ubuntu20lts:~/tmp$ ls -la ./dirA/dirB
ls: cannot open directory './dirA/dirB': Permission denied
user1@ubuntu20lts:~/tmp$ ls -l ./dirA/dirB/file
-rw-rw-r-- 1 user1 user1 5 Jul 31 13:48 ./dirA/dirB/file
user1@ubuntu20lts:~/tmp$ ls -l ./dirA/dirB/dirC
total 0
user1@ubuntu20lts:~/tmp$ cd dirA/dirB/
user1@ubuntu20lts:~/tmp/dirA/dirB$ ls -la
ls: cannot open directory '.': Permission denied
user1@ubuntu20lts:~/tmp/dirA/dirB$ find . -ls
258920 4 d--x--x--x 3 user1 user1 4096 Jul 31 13:48 .
find: ‘.’: Permission denied
user1@ubuntu20lts:~/tmp/dirA/dirB$ cd dirC
user1@ubuntu20lts:~/tmp/dirA/dirB/dirC$ cd ~/tmp
user1@ubuntu20lts:~/tmp$ cat ./dirA/dirB/file
test
user1@ubuntu20lts:~/tmp$ echo "date" > ./dirA/dirB/file
user1@ubuntu20lts:~/tmp$ chmod a+x ./dirA/dirB/file
user1@ubuntu20lts:~/tmp$ ls -l ./dirA/dirB/file
-rwxrwxr-x 1 user1 user1 5 Jul 31 13:49 ./dirA/dirB/file
user1@ubuntu20lts:~/tmp$ ./dirA/dirB/file
Fri 31 Jul 2020 01:49:55 PM UTC
user1@ubuntu20lts:~/tmp$ touch ./dirA/dirB/file1
touch: cannot touch './dirA/dirB/file1': Permission denied
user1@ubuntu20lts:~/tmp$ mkdir ./dirA/dirB/dirD
mkdir: cannot create directory ‘./dirA/dirB/dirD’: Permission denied
user1@ubuntu20lts:~/tmp$ rm -fr ./dirA/dirB/file
rm: cannot remove './dirA/dirB/file': Permission denied
user1@ubuntu20lts:~/tmp$ rm -fr ./dirA/dirB/dirC
rm: cannot remove './dirA/dirB/dirC': Permission denied
user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/file ./dirA/dirB/file1
mv: cannot move './dirA/dirB/file' to './dirA/dirB/file1': Permission denied
user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/dirC ./dirA/dirB/dirD
mv: cannot move './dirA/dirB/dirC' to './dirA/dirB/dirD': Permission denied
user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/file ./
mv: cannot move './dirA/dirB/file' to './file': Permission denied
user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/dirC ./
mv: cannot move './dirA/dirB/dirC' to './dirC': Permission denied
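The session above shows that a missing execute (search) bit on one directory is enough to block everything below it. The following shell functions are an added example, not part of the original cheat sheet: they walk a path from / downwards and name the first directory whose triad for the current user lacks x, picking the owner, group or other triad the way the kernel does (GNU coreutils stat is assumed; root bypasses these bits altogether).

```shell
# Added example (not from the cheat sheet). Assumes GNU coreutils `stat`.
# Note: the root user bypasses these permission bits (DAC) entirely.

# Print the triad (e.g. "r-x") that applies to the current user for PATH,
# chosen the way the kernel does: owner first, then group, then other.
triad_for_me() {
    perms=$(stat -c '%A' "$1")        # e.g. "drwxr-x---" or "drwxrwxrwt"
    owner=$(stat -c '%U' "$1")
    group=$(stat -c '%G' "$1")
    if [ "$owner" = "$(id -un)" ]; then
        printf '%s\n' "$perms" | cut -c2-4
    elif id -Gn | tr ' ' '\n' | grep -qx "$group"; then
        printf '%s\n' "$perms" | cut -c5-7
    else
        printf '%s\n' "$perms" | cut -c8-10
    fi
}

# Walk every existing directory component of PATH from "/" downwards and
# print the first one that is not searchable by the current user, with its
# applicable triad. Returns 0 when every component is searchable, 1 otherwise.
first_unsearchable() {
    case $1 in /*) abs=$1 ;; *) abs=$PWD/$1 ;; esac
    rest=${abs#/}
    cur=/
    while :; do
        [ -d "$cur" ] || return 0     # reached the final file (or a gap)
        triad=$(triad_for_me "$cur")
        case $triad in
            ??[xst]) ;;               # x set ("s"/"t" = x plus SUID/SGID/sticky)
            *) printf '%s (%s)\n' "$cur" "$triad"; return 1 ;;
        esac
        [ -n "$rest" ] || return 0    # PATH itself was the last directory
        comp=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        case $cur in /) cur=/$comp ;; *) cur=$cur/$comp ;; esac
    done
}
```

Running `first_unsearchable ./dirA/dirB/file` in the state from the session above would report `dirB` with triad `--x`... only once the read and write bits are dropped as well as x; with `chmod a-wr` alone the file stays reachable, which is exactly what `cat ./dirA/dirB/file` showed.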
Additional flags: SUID, SGID, Sticky bit
- SUID (Set User ID) flag - works only on files
  - On files
    - A process executing a file keeps its effective UID (User ID) the same as the UID of the user running the executable
    - If the executable file has the SUID flag set, the process sets its effective UID equal to the file's owner
    - For security reasons the SUID flag only works on Linux ELF executables, meaning it does nothing on Bash or Python script files
    - Examples of well-known Linux system executables with the SUID flag set
      - /usr/bin/passwd - SUID flag set because the passwords are stored in the /etc/shadow file, which has no permissions on the group or other user level
      - /usr/bin/mount - SUID flag set because only root can mount filesystems, but when /etc/fstab contains the user option, anybody can mount the corresponding filesystem
- SGID (Set Group ID) flag - works both on files and directories
  - On files
    - A process executing a file keeps its effective GID (Group ID) the same as the GID of the user running the executable
    - If the executable file has the SGID flag set, the process sets its effective GID equal to the file's group
    - For security reasons the SGID flag works only on Linux ELF executables, meaning it does nothing on Bash or Python script files
    - Examples of well-known Linux system executables with the SGID flag set
      - /usr/bin/ssh-agent - SGID flag set to prevent ptrace(2) attacks retrieving private key material
      - /usr/bin/crontab - SGID flag set to provide the following restrictions (together with the crontab binary owned by the crontab group, and the crontab spool directory owned by the crontab group with the Sticky bit set on it)
        - limiting access to the crontab spool directory (/var/spool/cron/crontabs)
        - limiting edit or read access to users' crontab files (/var/spool/cron/crontabs/<username>) to the crontab binary only
  - On directories
    - When a file is created by a process, its GID (Group ID) can be either the GID of the creator process or the GID of the parent directory, depending on the value of the SGID flag of the parent directory
    - This behavior applies only to the SGID flag, not to the SUID flag; the SUID flag has no such behavior
    - SGID on directories is used for creating collaborative directories where users who work together on a project and belong to the same group should be able to see each other's files, provided the read file permission is set on the group level
- Sticky bit - currently works only on directories (using it on files is deprecated)
  - On files
    - Running an executable file with the Sticky bit set requests the kernel to keep the program in memory after its execution terminates
    - This approach has become obsolete and is deprecated now; sharing of code pages is used instead
  - On directories
    - With the Sticky bit set on a directory, only the file's owner, the directory's owner, or the root user can modify (for example delete or rename) the files and subdirectories in the directory
    - Without the Sticky bit set on a directory, any user with write and execute permissions on the directory can modify the contained files and subdirectories, regardless of their owners
      - If a user wants to create files and subdirectories in some directory, he/she needs write and execute permissions on that directory
      - These write and execute permissions on the directory give the user the privilege to create files and subdirectories as well as the privilege to modify them
      - At the same time the user can modify any files or subdirectories in this directory; the permissions of those files and subdirectories have no effect on such modification
    - With the Sticky bit set on a directory, anyone can create files in the directory, but can modify only his/her own files - files owned by other users cannot be modified
    - Examples of well-known Linux system directories with the Sticky bit set
      - /tmp - the Sticky bit is used for the /tmp directory because it has to have all the rights on all the user permission triads, allowing all users to create/delete their temporary files there
      - /var/spool/cron/crontabs - for details on why the Sticky bit is used here, see the explanation of the SGID flag set on /usr/bin/crontab above
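The three flags above are what a defender audits first: SUID/SGID executables extend a process's privileges, an SGID directory is the collaborative setup described under "On directories", and a world-writable directory without the Sticky bit lets any user delete or rename everyone else's files. The shell functions below are an added example, not part of the original cheat sheet; they assume GNU find (for -printf) and stay on one filesystem with -xdev.

```shell
# Added example (not from the cheat sheet). Assumes GNU find with -printf.
# Lists the special-bit findings under ROOT (default "/"), one per line.
audit_special_bits() {
    root=${1:-/}
    # "-perm -MODE" matches when all of the given bits are set.
    # %u/%g = owner/group name, %m = permission bits in octal, %p = path.
    find "$root" -xdev -type f -perm -4000 \
        -printf 'SUID file: owner=%u mode=%m %p\n' 2>/dev/null
    find "$root" -xdev -type f -perm -2000 \
        -printf 'SGID file: group=%g mode=%m %p\n' 2>/dev/null
    # SGID directory: new files inherit the directory's group (collaborative dir)
    find "$root" -xdev -type d -perm -2000 \
        -printf 'SGID dir: group=%g mode=%m %p\n' 2>/dev/null
    # World-writable directory lacking the Sticky bit (1000): anyone with
    # write+execute on it may delete or rename other users' entries.
    find "$root" -xdev -type d -perm -0002 ! -perm -1000 \
        -printf 'WORLD-WRITABLE dir without sticky bit: mode=%m %p\n' 2>/dev/null
}

# Count findings of one kind (the line prefix, e.g. "SUID file") under ROOT.
count_findings() {
    audit_special_bits "$1" | grep -c "^$2:" || true
}

# Remediation for the last kind of finding: set the Sticky bit, as on /tmp,
# so only a file's owner, the directory owner, or root may delete or rename it.
add_sticky_bit() {
    chmod o+t "$1"
}
```

On a real host run `audit_special_bits /` once per mounted filesystem and compare the SUID/SGID lists against the package manager's expected set; a new entry outside the distribution's known binaries is worth an investigation.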
SUID, SGID, and Sticky bit examples
Effects of SUID flag
user3@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user3@ubuntu20lts:~/tmp$ cp $(which id) ./
user3@ubuntu20lts:~/tmp$ sudo chown user1 ./id
user3@ubuntu20lts:~/tmp$ sudo chmod u+s ./id
user3@ubuntu20lts:~/tmp$ ls -l ./id
-rwsr-xr-x 1 user1 user3 47480 Jul 26 11:07 ./id
user3@ubuntu20lts:~/tmp$ id
uid=2003(user3) gid=2003(user3) groups=2003(user3)
user3@ubuntu20lts:~/tmp$ ./id
uid=2003(user3) gid=2003(user3) euid=2001(user1) groups=2003(user3)
Effects of SGID flag on files
user3@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user3@ubuntu20lts:~/tmp$ cp $(which id) ./
user3@ubuntu20lts:~/tmp$ sudo chgrp user2 ./id
user3@ubuntu20lts:~/tmp$ sudo chmod g+s ./id
user3@ubuntu20lts:~/tmp$ ls -l ./id
-rwxr-sr-x 1 user3 user2 47480 Jul 26 11:13 ./id
user3@ubuntu20lts:~/tmp$ id
uid=2003(user3) gid=2003(user3) groups=2003(user3)
user3@ubuntu20lts:~/tmp$ ./id
uid=2003(user3) gid=2003(user3) egid=2002(user2) groups=2002(user2),2003(user3)
Effects of SGID flag on directories
- If the SGID flag is not set, the created file gets its GID from the creator process
user3@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user3@ubuntu20lts:~/tmp$ echo "#/usr/bin/env bash" > file
user3@ubuntu20lts:~/tmp$ echo "touch test" >> file
user3@ubuntu20lts:~/tmp$ chmod a+x file
user3@ubuntu20lts:~/tmp$ sudo chgrp user1 ./
user3@ubuntu20lts:~/tmp$ find . -ls
258932 4 drwxrwxr-x 2 user3 user1 4096 Jul 27 06:25 .
258938 4 -rwxrwxr-x 1 user3 user3 30 Jul 27 06:25 ./file
user3@ubuntu20lts:~/tmp$ ./file
user3@ubuntu20lts:~/tmp$ find . -ls
258932 4 drwxrwxr-x 2 user3 user1 4096 Jul 27 06:26 .
258938 4 -rwxrwxr-x 1 user3 user3 30 Jul 27 06:25 ./file
258941 0 -rw-rw-r-- 1 user3 user3 0 Jul 27 06:26 ./test
- If the SGID flag is set, the created file gets its GID from the parent directory
user3@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user3@ubuntu20lts:~/tmp$ echo "#/usr/bin/env bash" > file
user3@ubuntu20lts:~/tmp$ echo "touch test" >> file
user3@ubuntu20lts:~/tmp$ chmod a+x file
user3@ubuntu20lts:~/tmp$ chmod g+s ./
user3@ubuntu20lts:~/tmp$ sudo chgrp user1 ./
user3@ubuntu20lts:~/tmp$ find . -ls
258932 4 drwxrwsr-x 2 user3 user1 4096 Jul 27 06:27 .
258938 4 -rwxrwxr-x 1 user3 user3 30 Jul 27 06:27 ./file
user3@ubuntu20lts:~/tmp$ ./file
user3@ubuntu20lts:~/tmp$ find . -ls
258932 4 drwxrwsr-x 2 user3 user1 4096 Jul 27 06:27 .
258938 4 -rwxrwxr-x 1 user3 user3 30 Jul 27 06:27 ./file
258941 0 -rw-rw-r-- 1 user3 user1 0 Jul 27 06:27 ./test
No effects of SUID flag on directories
- Even if the SUID flag is set, it has no effect on a directory
user3@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user3@ubuntu20lts:~/tmp$ echo "#/usr/bin/env bash" > file
user3@ubuntu20lts:~/tmp$ echo "touch test" >> file
user3@ubuntu20lts:~/tmp$ chmod a+x file
user3@ubuntu20lts:~/tmp$ chmod u+s ./
user3@ubuntu20lts:~/tmp$ sudo chown user2 ./
user3@ubuntu20lts:~/tmp$ find . -ls
258932 4 drwsrwxr-x 2 user2 user3 4096 Jul 27 06:29 .
258938 4 -rwxrwxr-x 1 user3 user3 30 Jul 27 06:30 ./file
user3@ubuntu20lts:~/tmp$ ./file
user3@ubuntu20lts:~/tmp$ find . -ls
258932 4 drwsrwxr-x 2 user2 user3 4096 Jul 27 06:30 .
258938 4 -rwxrwxr-x 1 user3 user3 30 Jul 27 06:30 ./file
258941 0 -rw-rw-r-- 1 user3 user3 0 Jul 27 06:30 ./test
Effects of Sticky bit
- If the Sticky bit is not set, user1 is allowed to delete files of user3
user3@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user3@ubuntu20lts:~/tmp$ chmod a+rwx ./
user3@ubuntu20lts:~/tmp$ touch user3-file
user3@ubuntu20lts:~/tmp$ mkdir user3-dir
user3@ubuntu20lts:~/tmp$ find . -ls
258932 4 drwxrwxrwx 3 user3 user3 4096 Jul 27 07:08 .
258941 4 drwxrwxr-x 2 user3 user3 4096 Jul 27 07:08 ./user3-dir
258938 0 -rw-rw-r-- 1 user3 user3 0 Jul 27 07:07 ./user3-file
user3@ubuntu20lts:~/tmp$ pwd
/home/user3/tmp
user3@ubuntu20lts:~/tmp$ sudo -i -u user1
user1@ubuntu20lts:~$ cd /home/user3/tmp
user1@ubuntu20lts:/home/user3/tmp$ find . -ls
258932 4 drwxrwxrwx 3 user3 user3 4096 Jul 27 07:08 .
258941 4 drwxrwxr-x 2 user3 user3 4096 Jul 27 07:08 ./user3-dir
258938 0 -rw-rw-r-- 1 user3 user3 0 Jul 27 07:07 ./user3-file
user1@ubuntu20lts:/home/user3/tmp$ rm -fr user3*
user1@ubuntu20lts:/home/user3/tmp$ find . -ls
258932 4 drwxrwxrwx 2 user3 user3 4096 Jul 27 07:09 .
user1@ubuntu20lts:/home/user3/tmp$ logout
user3@ubuntu20lts:~/tmp$ find . -ls
258932 4 drwxrwxrwx 2 user3 user3 4096 Jul 27 07:09 .
- If the Sticky bit is set, user1 is not allowed to delete files of user3
user3@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user3@ubuntu20lts:~/tmp$ chmod a+rwx ./
user3@ubuntu20lts:~/tmp$ chmod o+t ./
user3@ubuntu20lts:~/tmp$ touch user3-file
user3@ubuntu20lts:~/tmp$ mkdir user3-dir
user3@ubuntu20lts:~/tmp$ find . -ls
258917 4 drwxrwxrwt 3 user3 user3 4096 Jul 27 07:42 .
258932 4 drwxrwxr-x 2 user3 user3 4096 Jul 27 07:42 ./user3-dir
258918 0 -rw-rw-r-- 1 user3 user3 0 Jul 27 07:42 ./user3-file
user3@ubuntu20lts:~/tmp$ pwd
/home/user3/tmp
user3@ubuntu20lts:~/tmp$ sudo -i -u user1
user1@ubuntu20lts:~$ cd /home/user3/tmp
user1@ubuntu20lts:/home/user3/tmp$ find . -ls
258917 4 drwxrwxrwt 3 user3 user3 4096 Jul 27 07:42 .
258932 4 drwxrwxr-x 2 user3 user3 4096 Jul 27 07:42 ./user3-dir
258918 0 -rw-rw-r-- 1 user3 user3 0 Jul 27 07:42 ./user3-file
user1@ubuntu20lts:/home/user3/tmp$ rm -fr ./user3-file
rm: cannot remove './user3-file': Operation not permitted
user1@ubuntu20lts:/home/user3/tmp$ rm -fr ./user3-dir
rm: cannot remove './user3-dir': Operation not permitted