mtilson

How to deal with Linux file and directory permission

Linux File Permission Cheat Sheet

  • Necessary and sufficient knowledge on Linux file and directory permissions
  • With practical examples
  • Sourced from GitHub

User permission triads

  • There are three permission triads (rwx rwx rwx), each corresponding to a particular class of users
    • The 1-st one (rwx --- ---) applies to the owner of the file
    • The 2-nd one (--- rwx ---) applies to members of the file's group
    • The 3-rd one (--- --- rwx) applies to all other users
  • Each permission triad (rwx) corresponds to a particular set of operations defined on files and directories
    • r is for the read operation
    • w is for the write operation
    • x is for the execute operation

File permissions

  1. read file permission
    • Allows the corresponding user (owner, group, other) to read the file
  2. write file permission
    • Allows the corresponding user to modify (create, move, rename, change attributes, delete) the file
  3. execute file permission
    • Allows the corresponding user to execute the file
  4. All of the above permissions take effect only if the execute permission for the corresponding user is set on the directory containing the file and on all of its parent directories

File permission examples

Effects of read file permission

user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user1@ubuntu20lts:~/tmp$ echo test > file
user1@ubuntu20lts:~/tmp$ ls -l file
-rw-rw-r-- 1 user1 user1 5 Jul 26 21:59 file

user1@ubuntu20lts:~/tmp$ cat file
test

user1@ubuntu20lts:~/tmp$ chmod a-r file
user1@ubuntu20lts:~/tmp$ ls -l file
--w--w---- 1 user1 user1 5 Jul 26 21:59 file

user1@ubuntu20lts:~/tmp$ cat file
cat: file: Permission denied

Effects of write file permission

user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user1@ubuntu20lts:~/tmp$ echo test > file
user1@ubuntu20lts:~/tmp$ ls -l file
-rw-rw-r-- 1 user1 user1 5 Jul 26 22:00 file

user1@ubuntu20lts:~/tmp$ chmod a-w file
user1@ubuntu20lts:~/tmp$ ls -l file
-r--r--r-- 1 user1 user1 5 Jul 26 22:00 file

user1@ubuntu20lts:~/tmp$ echo test > file
-bash: file: Permission denied

Effects of execute file permission

user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user1@ubuntu20lts:~/tmp$ echo "#/usr/bin/env bash" > file
user1@ubuntu20lts:~/tmp$ echo "date" >> file
user1@ubuntu20lts:~/tmp$ chmod a+x file
user1@ubuntu20lts:~/tmp$ ls -l file
-rwxrwxr-x 1 user1 user1 24 Jul 26 22:02 file

user1@ubuntu20lts:~/tmp$ ./file
Sun 26 Jul 2020 10:02:35 PM UTC

user1@ubuntu20lts:~/tmp$ chmod a-x file
user1@ubuntu20lts:~/tmp$ ls -l file
-rw-rw-r-- 1 user1 user1 24 Jul 26 22:02 file

user1@ubuntu20lts:~/tmp$ ./file
-bash: ./file: Permission denied

Effects of unset execute directory permission on file permissions

read file permission

user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user1@ubuntu20lts:~/tmp$ echo test > file
user1@ubuntu20lts:~/tmp$ cd ..
user1@ubuntu20lts:~$ find ./tmp/ -ls
   259893      4 drwxrwxr-x   2 user1    user1        4096 Jul 26 22:03 ./tmp/
   259894      4 -rw-rw-r--   1 user1    user1           5 Jul 26 22:03 ./tmp/file

user1@ubuntu20lts:~$ cat ./tmp/file
test

user1@ubuntu20lts:~$ chmod a-x tmp/
user1@ubuntu20lts:~$ find ./tmp/ -ls
   259893      4 drw-rw-r--   2 user1    user1        4096 Jul 26 22:03 ./tmp/
find: ‘./tmp/file’: Permission denied

user1@ubuntu20lts:~$ cat ./tmp/file
cat: ./tmp/file: Permission denied

write file permission

user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user1@ubuntu20lts:~/tmp$ cd ..
user1@ubuntu20lts:~$ echo test > tmp/file
user1@ubuntu20lts:~$ find ./tmp/ -ls
   258932      4 drwxrwxr-x   2 user1    user1        4096 Jul 26 22:53 ./tmp/
   258941      4 -rw-rw-r--   1 user1    user1           5 Jul 26 22:53 ./tmp/file

user1@ubuntu20lts:~$ chmod a-x tmp/
user1@ubuntu20lts:~$ find ./tmp/ -ls
   258932      4 drw-rw-r--   2 user1    user1        4096 Jul 26 22:53 ./tmp/
find: ‘./tmp/file’: Permission denied

user1@ubuntu20lts:~$ echo test > tmp/file
-bash: tmp/file: Permission denied

execute file permission

user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user1@ubuntu20lts:~/tmp$ echo "#/usr/bin/env bash" > file
user1@ubuntu20lts:~/tmp$ echo "date" >> file
user1@ubuntu20lts:~/tmp$ chmod a+x file

user1@ubuntu20lts:~/tmp$ cd ..
user1@ubuntu20lts:~$ find ./tmp/ -ls
   258932      4 drwxrwxr-x   2 user1    user1        4096 Jul 26 23:01 ./tmp/
   258941      4 -rwxrwxr-x   1 user1    user1          24 Jul 26 23:01 ./tmp/file

user1@ubuntu20lts:~$ ./tmp/file
Sun 26 Jul 2020 11:01:41 PM UTC

user1@ubuntu20lts:~$ chmod a-x tmp/
user1@ubuntu20lts:~$ find ./tmp/ -ls
   258932      4 drw-rw-r--   2 user1    user1        4096 Jul 26 23:01 ./tmp/
find: ‘./tmp/file’: Permission denied

user1@ubuntu20lts:~$ ./tmp/file
-bash: ./tmp/file: Permission denied

Directory permissions

  1. read directory permission
  2. write directory permission
  3. execute directory permission
  4. Directory permissions short summary

  permission triad   access mode   comments
  ---                no access
  r--                weird mode    only reading file and subdirectory names is possible
  -w-                no access     the same as ---
  --x                weird mode    only changing to subdirectories is possible if their names are known
  rw-                weird mode    the same as r--
  r-x                read only
  -wx                weird mode    any operation on files and subdirectories is possible if their names are known
  rwx                full
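To make the rules in the triad section, item 4 of the file permissions (every parent directory needs x) and the summary table above checkable, here is an added Python model; it is not code from the original post or its GitHub source, and `Node`, `Cred`, the uids and the in-memory tree are constructed for the example. It replays several of the sessions further down the page (including the cross-parent directory move, which needs write permission on the moved directory itself because its `..` entry is rewritten) and derives the table's labels from the bits; root, which bypasses these checks, is not modelled.

```python
"""Constructed model of the permission rules this cheat sheet demonstrates (added example)."""
from dataclasses import dataclass

R, W, X = 4, 2, 1  # bit values within one rwx triad


@dataclass
class Node:
    """One inode: a 9-bit mode such as 0o775, owner uid/gid, and children for directories."""
    mode: int
    uid: int = 1000
    gid: int = 1000
    children: dict = None  # None marks a regular file

    @property
    def is_dir(self) -> bool:
        return self.children is not None


@dataclass(frozen=True)
class Cred:
    uid: int
    groups: frozenset  # every group id of the caller; root (uid 0) is deliberately not special-cased


def has(node: Node, cred: Cred, want: int) -> bool:
    """Exactly one triad applies: owner if the uid matches, else group if the gid matches, else other."""
    if cred.uid == node.uid:
        triad = (node.mode >> 6) & 7
    elif node.gid in cred.groups:
        triad = (node.mode >> 3) & 7
    else:
        triad = node.mode & 7
    return triad & want == want


def lookup(root: Node, path: str, cred: Cred):
    """Resolve a path: every directory on the way needs x (search). Returns (node, parent)."""
    parent = node = root
    for name in [p for p in path.split("/") if p]:
        if not has(node, cred, X):
            raise PermissionError(f"no x permission on the directory holding {name!r}")
        if not node.is_dir or name not in node.children:
            raise FileNotFoundError(name)
        parent, node = node, node.children[name]
    return node, parent


def dir_mode_summary(triad: int) -> str:
    """Label one directory triad the way the summary table above does."""
    if not triad & X:  # without x nothing inside is reachable; r alone still lists names
        return "weird mode" if triad & R else "no access"
    if triad & R:
        return "full" if triad & W else "read only"
    return "weird mode"  # x without r: only entries whose names are already known


def can(root: Node, cred: Cred, op: str, path: str, dst_dir: str = None) -> bool:
    """True if `op` on `path` is allowed. ops: read, write, exec, list, create, delete, rename."""
    try:
        node, parent = lookup(root, path, cred)
        if op in ("read", "write", "exec"):
            return has(node, cred, {"read": R, "write": W, "exec": X}[op])
        if op == "list":    # ls needs r on the directory itself; stat of the entries also needs x
            return node.is_dir and has(node, cred, R)
        if op == "create":  # a new entry in directory `path`: w and x on that directory
            return node.is_dir and has(node, cred, W | X)
        if op == "delete":  # unlink changes the parent; a non-empty dir must be emptied first
            return has(parent, cred, W | X) and (not node.children or has(node, cred, W | X))
        if op == "rename":  # both parents change; a dir moved to another parent also needs w
            dst, _ = lookup(root, dst_dir, cred)  # on itself, because its '..' entry is rewritten
            return (has(parent, cred, W | X) and has(dst, cred, W | X)
                    and (not node.is_dir or dst is parent or has(node, cred, W)))
        raise ValueError(op)
    except PermissionError:
        return False


def demo() -> dict:
    """Replay some of the sessions on this page (user1 = uid/gid 1000) against the model."""
    user1 = Cred(uid=1000, groups=frozenset({1000}))
    tree = Node(0o775, children={
        "tmp": Node(0o664, children={"file": Node(0o664)}),  # tmp after chmod a-x
        "dirA": Node(0o775, children={
            "dirB": Node(0o331, children={  # d-wx-wx--x after chmod a-r
                "file": Node(0o664), "dirC": Node(0o775, children={"file": Node(0o664)})}),
            "roB": Node(0o555, children={"file": Node(0o664)}),  # dr-xr-xr-x after chmod a-w
        }),
    })
    return {
        "cat ./tmp/file": can(tree, user1, "read", "tmp/file"),
        "ls -la ./dirA/dirB": can(tree, user1, "list", "dirA/dirB"),
        "cat ./dirA/dirB/dirC/file": can(tree, user1, "read", "dirA/dirB/dirC/file"),
        "touch ./dirA/dirB/file1": can(tree, user1, "create", "dirA/dirB"),
        "rm -fr ./dirA/roB": can(tree, user1, "delete", "dirA/roB"),
        "mv ./dirA/roB ./dirA/roC": can(tree, user1, "rename", "dirA/roB", "dirA"),
        "mv ./dirA/roB ./": can(tree, user1, "rename", "dirA/roB", "/"),
    }
```

Each key of `demo()` names the command from the sessions below that it reproduces; a `False` corresponds to the "Permission denied" shown there.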

Directory permission examples

Effects of read directory permission

user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB
user1@ubuntu20lts:~/tmp$ touch dirA/dirB/file

user1@ubuntu20lts:~/tmp$ find . -ls
   258126      4 drwxrwxr-x   3 user1    user1        4096 Jul 24 20:59 .
   258308      4 drwxrwxr-x   3 user1    user1        4096 Jul 24 20:59 ./dirA
   258915      4 drwxrwxr-x   2 user1    user1        4096 Jul 24 20:59 ./dirA/dirB
   258916      0 -rw-rw-r--   1 user1    user1           0 Jul 24 20:59 ./dirA/dirB/file

user1@ubuntu20lts:~/tmp$ chmod a-r ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
   258126      4 drwxrwxr-x   3 user1    user1        4096 Jul 24 20:59 .
   258308      4 drwxrwxr-x   3 user1    user1        4096 Jul 24 20:59 ./dirA
   258915      4 d-wx-wx--x   2 user1    user1        4096 Jul 24 20:59 ./dirA/dirB
find: ‘./dirA/dirB’: Permission denied

user1@ubuntu20lts:~/tmp$ chmod a+r ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
   258126      4 drwxrwxr-x   3 user1    user1        4096 Jul 24 21:02 .
   258308      4 drwxrwxr-x   3 user1    user1        4096 Jul 24 21:02 ./dirA
   258915      4 drwxrwxr-x   2 user1    user1        4096 Jul 24 21:02 ./dirA/dirB
   258916      0 -rw-rw-r--   1 user1    user1           0 Jul 24 21:02 ./dirA/dirB/file

user1@ubuntu20lts:~/tmp$ chmod a-r ./dirA
user1@ubuntu20lts:~/tmp$ find . -ls
   258126      4 drwxrwxr-x   3 user1    user1        4096 Jul 24 21:02 .
   258308      4 d-wx-wx--x   3 user1    user1        4096 Jul 24 21:02 ./dirA
find: ‘./dirA’: Permission denied

user1@ubuntu20lts:~/tmp$ chmod a+r ./dirA
user1@ubuntu20lts:~/tmp$ find . -ls
   258126      4 drwxrwxr-x   3 user1    user1        4096 Jul 24 21:02 .
   258308      4 drwxrwxr-x   3 user1    user1        4096 Jul 24 21:02 ./dirA
   258915      4 drwxrwxr-x   2 user1    user1        4096 Jul 24 21:02 ./dirA/dirB
   258916      0 -rw-rw-r--   1 user1    user1           0 Jul 24 21:02 ./dirA/dirB/file

Effects of read directory permission propagate only to files and subdirectories directly beneath the subject directory

  • Directory read permission does not propagate further down the hierarchy than the entries directly beneath the subject directory

user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ echo test > dirA/dirB/dirC/file
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 11:50 .
   258916      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 11:50 ./dirA
   258920      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 11:50 ./dirA/dirB
   258924      4 drwxrwxr-x   2 user1    user1        4096 Jul 31 11:50 ./dirA/dirB/dirC
   258942      4 -rw-rw-r--   1 user1    user1           5 Jul 31 11:50 ./dirA/dirB/dirC/file

user1@ubuntu20lts:~/tmp$ chmod a-r ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 11:50 .
   258916      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 11:50 ./dirA
   258920      4 d-wx-wx--x   3 user1    user1        4096 Jul 31 11:50 ./dirA/dirB
find: ‘./dirA/dirB’: Permission denied

user1@ubuntu20lts:~/tmp$ ls -la ./dirA/dirB
ls: cannot open directory './dirA/dirB': Permission denied

user1@ubuntu20lts:~/tmp$ ls -la ./dirA/dirB/dirC
total 12
drwxrwxr-x 2 user1 user1 4096 Jul 31 11:50 .
d-wx-wx--x 3 user1 user1 4096 Jul 31 11:50 ..
-rw-rw-r-- 1 user1 user1    5 Jul 31 11:50 file

user1@ubuntu20lts:~/tmp$ cd ./dirA/dirB/dirC
user1@ubuntu20lts:~/tmp/dirA/dirB/dirC$ ls -la
total 12
drwxrwxr-x 2 user1 user1 4096 Jul 31 11:50 .
d-wx-wx--x 3 user1 user1 4096 Jul 31 11:50 ..
-rw-rw-r-- 1 user1 user1    5 Jul 31 11:50 file

user1@ubuntu20lts:~/tmp/dirA/dirB/dirC$ cat file
test

Effects of write directory permission

  • We cannot create, move, rename, or delete files and subdirectories in a directory that has no write permission

user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ touch dirA/dirB/file
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:35 .
   258943      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:35 ./dirA
   258973      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:36 ./dirA/dirB
   259894      0 -rw-rw-r--   1 user1    user1           0 Jul 27 11:36 ./dirA/dirB/file
   259889      4 drwxrwxr-x   2 user1    user1        4096 Jul 27 11:35 ./dirA/dirB/dirC

user1@ubuntu20lts:~/tmp$ chmod a-w ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:35 .
   258943      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:35 ./dirA
   258973      4 dr-xr-xr-x   3 user1    user1        4096 Jul 27 11:36 ./dirA/dirB
   259894      0 -rw-rw-r--   1 user1    user1           0 Jul 27 11:36 ./dirA/dirB/file
   259889      4 drwxrwxr-x   2 user1    user1        4096 Jul 27 11:35 ./dirA/dirB/dirC

user1@ubuntu20lts:~/tmp$ rm -fr ./dirA/dirB
rm: cannot remove './dirA/dirB/file': Permission denied
rm: cannot remove './dirA/dirB/dirC': Permission denied

user1@ubuntu20lts:~/tmp$ rm -fr ./dirA/dirB/file
rm: cannot remove './dirA/dirB/file': Permission denied

user1@ubuntu20lts:~/tmp$ rm -fr ./dirA/dirB/dirC
rm: cannot remove './dirA/dirB/dirC': Permission denied

user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/file ./dirA/dirB/file1
mv: cannot move './dirA/dirB/file' to './dirA/dirB/file1': Permission denied

user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/dirC ./dirA/dirB/dirD
mv: cannot move './dirA/dirB/dirC' to './dirA/dirB/dirD': Permission denied

user1@ubuntu20lts:~/tmp$ touch ./dirA/dirB/file1
touch: cannot touch './dirA/dirB/file1': Permission denied

user1@ubuntu20lts:~/tmp$ mkdir ./dirA/dirB/dirD
mkdir: cannot create directory ‘./dirA/dirB/dirD’: Permission denied

user1@ubuntu20lts:~/tmp$ chmod a+w ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:35 .
   258943      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:35 ./dirA
   258973      4 drwxrwxrwx   3 user1    user1        4096 Jul 27 11:36 ./dirA/dirB
   259894      0 -rw-rw-r--   1 user1    user1           0 Jul 27 11:36 ./dirA/dirB/file
   259889      4 drwxrwxr-x   2 user1    user1        4096 Jul 27 11:35 ./dirA/dirB/dirC

user1@ubuntu20lts:~/tmp$ rm -fr ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:35 .
   258943      4 drwxrwxr-x   2 user1    user1        4096 Jul 27 11:37 ./dirA

  • But we can write to files (if the file's own permissions allow it) and change attributes of files and subdirectories in a directory that has no write permission

user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ touch dirA/dirB/file
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:40 .
   258943      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:40 ./dirA
   258973      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:40 ./dirA/dirB
   259894      0 -rw-rw-r--   1 user1    user1           0 Jul 27 11:40 ./dirA/dirB/file
   259889      4 drwxrwxr-x   2 user1    user1        4096 Jul 27 11:40 ./dirA/dirB/dirC

user1@ubuntu20lts:~/tmp$ chmod a-w ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:40 .
   258943      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:40 ./dirA
   258973      4 dr-xr-xr-x   3 user1    user1        4096 Jul 27 11:40 ./dirA/dirB
   259894      0 -rw-rw-r--   1 user1    user1           0 Jul 27 11:40 ./dirA/dirB/file
   259889      4 drwxrwxr-x   2 user1    user1        4096 Jul 27 11:40 ./dirA/dirB/dirC

user1@ubuntu20lts:~/tmp$ chmod a-rw ./dirA/dirB/file
user1@ubuntu20lts:~/tmp$ chmod a-rwx ./dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:40 .
   258943      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:40 ./dirA
   258973      4 dr-xr-xr-x   3 user1    user1        4096 Jul 27 11:40 ./dirA/dirB
   259894      0 ----------   1 user1    user1           0 Jul 27 11:40 ./dirA/dirB/file
   259889      4 d---------   2 user1    user1        4096 Jul 27 11:40 ./dirA/dirB/dirC
find: ‘./dirA/dirB/dirC’: Permission denied

user1@ubuntu20lts:~/tmp$ chmod a+rw ./dirA/dirB/file
user1@ubuntu20lts:~/tmp$ echo "test" > ./dirA/dirB/file
user1@ubuntu20lts:~/tmp$ cat ./dirA/dirB/file
test

Effects of write directory permission propagate only to files and subdirectories directly beneath the subject directory

  • Directory write permission does not propagate further down the hierarchy than the entries directly beneath the subject directory

user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ touch dirA/dirB/dirC/file
user1@ubuntu20lts:~/tmp$ chmod a-w dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 13:13 .
   258943      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 13:13 ./dirA
   258973      4 dr-xr-xr-x   3 user1    user1        4096 Jul 27 13:13 ./dirA/dirB
   259889      4 drwxrwxr-x   2 user1    user1        4096 Jul 27 13:13 ./dirA/dirB/dirC
   259894      0 -rw-rw-r--   1 user1    user1           0 Jul 27 13:13 ./dirA/dirB/dirC/file

user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/dirC/file ./dirA/dirB/dirC/file1
user1@ubuntu20lts:~/tmp$ chmod o+w ./dirA/dirB/dirC/file1
user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/dirC/file1 ./
user1@ubuntu20lts:~/tmp$ mv file1 ./dirA/dirB/dirC/file2
user1@ubuntu20lts:~/tmp$ touch ./dirA/dirB/dirC/file3
user1@ubuntu20lts:~/tmp$ rm ./dirA/dirB/dirC/file3
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 13:14 .
   258943      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 13:13 ./dirA
   258973      4 dr-xr-xr-x   3 user1    user1        4096 Jul 27 13:13 ./dirA/dirB
   259889      4 drwxrwxr-x   2 user1    user1        4096 Jul 27 13:14 ./dirA/dirB/dirC
   259894      0 -rw-rw-rw-   1 user1    user1           0 Jul 27 13:13 ./dirA/dirB/dirC/file2

Effects of write directory permission do not depend on permissions of files and subdirectories beneath the subject directory

  • Within a directory with write permission we can modify (rename, change attributes, delete) files and subdirectories that themselves have no write permission

user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB
user1@ubuntu20lts:~/tmp$ touch dirA/file
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:05 .
   258943      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:05 ./dirA
   259889      0 -rw-rw-r--   1 user1    user1           0 Jul 27 11:05 ./dirA/file
   258973      4 drwxrwxr-x   2 user1    user1        4096 Jul 27 11:05 ./dirA/dirB

user1@ubuntu20lts:~/tmp$ chmod a-w dirA/file dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:05 .
   258943      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:05 ./dirA
   259889      0 -r--r--r--   1 user1    user1           0 Jul 27 11:05 ./dirA/file
   258973      4 dr-xr-xr-x   2 user1    user1        4096 Jul 27 11:05 ./dirA/dirB

user1@ubuntu20lts:~/tmp$ mv dirA/file dirA/file1
user1@ubuntu20lts:~/tmp$ mv dirA/dirB dirA/dirC
user1@ubuntu20lts:~/tmp$ chmod a-r ./dirA/file1
user1@ubuntu20lts:~/tmp$ chmod a-rx ./dirA/dirC
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:05 .
   258943      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:06 ./dirA
   259889      0 ----------   1 user1    user1           0 Jul 27 11:05 ./dirA/file1
   258973      4 d---------   2 user1    user1        4096 Jul 27 11:05 ./dirA/dirC
find: ‘./dirA/dirC’: Permission denied

user1@ubuntu20lts:~/tmp$ rm -fr dirA/file1 dirA/dirC
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:05 .
   258943      4 drwxrwxr-x   2 user1    user1        4096 Jul 27 11:06 ./dirA

  • But within a directory with write permission we can only move files, not subdirectories, that have no write permission, ⁉️ which looks strange ⁉️ until you recall that moving a directory to a different parent rewrites its own .. entry, so the kernel requires write permission on the moved directory itself; renaming it within the same parent (as above) does not touch .. and needs no such permission

user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB
user1@ubuntu20lts:~/tmp$ touch dirA/file
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 12:34 .
   258943      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 12:34 ./dirA
   259889      0 -rw-rw-r--   1 user1    user1           0 Jul 27 12:34 ./dirA/file
   258973      4 drwxrwxr-x   2 user1    user1        4096 Jul 27 12:34 ./dirA/dirB

user1@ubuntu20lts:~/tmp$ chmod a-w dirA/file dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 12:34 .
   258943      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 12:34 ./dirA
   259889      0 -r--r--r--   1 user1    user1           0 Jul 27 12:34 ./dirA/file
   258973      4 dr-xr-xr-x   2 user1    user1        4096 Jul 27 12:34 ./dirA/dirB

user1@ubuntu20lts:~/tmp$ mv ./dirA/file ./
user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB ./
mv: cannot move './dirA/dirB' to './dirB': Permission denied

user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 12:35 .
   259889      0 -r--r--r--   1 user1    user1           0 Jul 27 12:34 ./file
   258943      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 12:35 ./dirA
   258973      4 dr-xr-xr-x   2 user1    user1        4096 Jul 27 12:34 ./dirA/dirB

user1@ubuntu20lts:~/tmp$ chmod a+w dirA/dirB
user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB ./
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   4 user1    user1        4096 Jul 27 12:36 .
   259889      0 -r--r--r--   1 user1    user1           0 Jul 27 12:34 ./file
   258943      4 drwxrwxr-x   2 user1    user1        4096 Jul 27 12:36 ./dirA
   258973      4 drwxrwxrwx   2 user1    user1        4096 Jul 27 12:34 ./dirB

  • Also within a directory with write permission we cannot delete subdirectories that have no write permission and are not empty, but we can rename them and change their attributes

user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB
user1@ubuntu20lts:~/tmp$ touch dirA/dirB/file
user1@ubuntu20lts:~/tmp$ chmod a-w dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 12:51 .
   258943      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 12:51 ./dirA
   258973      4 dr-xr-xr-x   2 user1    user1        4096 Jul 27 12:51 ./dirA/dirB
   259889      0 -rw-rw-r--   1 user1    user1           0 Jul 27 12:51 ./dirA/dirB/file

user1@ubuntu20lts:~/tmp$ rm -fr dirA/dirB
rm: cannot remove 'dirA/dirB/file': Permission denied

user1@ubuntu20lts:~/tmp$ rm -fr dirA/dirB/file
rm: cannot remove 'dirA/dirB/file': Permission denied

user1@ubuntu20lts:~/tmp$ mv dirA/dirB dirA/dirC
user1@ubuntu20lts:~/tmp$ chmod o+t ./dirA/dirC
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 12:51 .
   258943      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 12:52 ./dirA
   258973      4 dr-xr-xr-t   2 user1    user1        4096 Jul 27 12:51 ./dirA/dirC
   259889      0 -rw-rw-r--   1 user1    user1           0 Jul 27 12:51 ./dirA/dirC/file

user1@ubuntu20lts:~/tmp$ chmod a+w dirA/dirC
user1@ubuntu20lts:~/tmp$ rm -fr dirA/dirC/file
user1@ubuntu20lts:~/tmp$ chmod a-w dirA/dirC/
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 12:51 .
   258943      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 12:52 ./dirA
   258973      4 dr-xr-xr-t   2 user1    user1        4096 Jul 27 12:55 ./dirA/dirC

user1@ubuntu20lts:~/tmp$ rm -fr dirA/dirC/
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 12:51 .
   258943      4 drwxrwxr-x   2 user1    user1        4096 Jul 27 12:55 ./dirA

Effects of execute directory permission

user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 28 15:19 .
   258916      4 drwxrwxr-x   3 user1    user1        4096 Jul 28 15:19 ./dirA
   258921      4 drwxrwxr-x   3 user1    user1        4096 Jul 28 15:19 ./dirA/dirB
   258924      4 drwxrwxr-x   2 user1    user1        4096 Jul 28 15:19 ./dirA/dirB/dirC

user1@ubuntu20lts:~/tmp$ cd ./dirA/dirB
user1@ubuntu20lts:~/tmp/dirA/dirB$ cd dirC/
user1@ubuntu20lts:~/tmp/dirA/dirB/dirC$ cd ~/tmp

user1@ubuntu20lts:~/tmp$ chmod a-x ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 28 15:19 .
   258916      4 drwxrwxr-x   3 user1    user1        4096 Jul 28 15:19 ./dirA
   258921      4 drw-rw-r--   3 user1    user1        4096 Jul 28 15:19 ./dirA/dirB
find: ‘./dirA/dirB/dirC’: Permission denied

user1@ubuntu20lts:~/tmp$ cd ./dirA/dirB
-bash: cd: ./dirA/dirB: Permission denied

user1@ubuntu20lts:~/tmp$ cd ./dirA/dirB/dirC
-bash: cd: ./dirA/dirB/dirC: Permission denied

Effects of execute directory permission propagate to all subdirectories of the subject directory

user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 12:34 .
   258916      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 12:34 ./dirA
   258920      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 12:34 ./dirA/dirB
   258924      4 drwxrwxr-x   2 user1    user1        4096 Jul 31 12:34 ./dirA/dirB/dirC

user1@ubuntu20lts:~/tmp$ cd dirA/dirB
user1@ubuntu20lts:~/tmp/dirA/dirB$ cd dirC/
user1@ubuntu20lts:~/tmp/dirA/dirB/dirC$ cd ~/tmp

user1@ubuntu20lts:~/tmp$ chmod a-x dirA/dirB

user1@ubuntu20lts:~/tmp$ ls -la dirA/dirB
ls: cannot access 'dirA/dirB/.': Permission denied
ls: cannot access 'dirA/dirB/dirC': Permission denied
ls: cannot access 'dirA/dirB/..': Permission denied
total 0
d????????? ? ? ? ?            ? .
d????????? ? ? ? ?            ? ..
d????????? ? ? ? ?            ? dirC

user1@ubuntu20lts:~/tmp$ ls -la dirA/dirB/dirC
ls: cannot access 'dirA/dirB/dirC': Permission denied

user1@ubuntu20lts:~/tmp$ cd dirA/dirB
-bash: cd: dirA/dirB: Permission denied

user1@ubuntu20lts:~/tmp$ cd dirA/dirB/dirC
-bash: cd: dirA/dirB/dirC: Permission denied

Effects of unset execute directory permission on read directory permission

user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ touch dirA/dirB/file dirA/dirB/dirC/file
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 28 15:59 .
   258916      4 drwxrwxr-x   3 user1    user1        4096 Jul 28 15:59 ./dirA
   258921      4 drwxrwxr-x   3 user1    user1        4096 Jul 28 16:00 ./dirA/dirB
   258942      0 -rw-rw-r--   1 user1    user1           0 Jul 28 16:00 ./dirA/dirB/file
   258924      4 drwxrwxr-x   2 user1    user1        4096 Jul 28 16:00 ./dirA/dirB/dirC
   258943      0 -rw-rw-r--   1 user1    user1           0 Jul 28 16:00 ./dirA/dirB/dirC/file

user1@ubuntu20lts:~/tmp$ chmod a-x ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 28 15:59 .
   258916      4 drwxrwxr-x   3 user1    user1        4096 Jul 28 15:59 ./dirA
   258921      4 drw-rw-r--   3 user1    user1        4096 Jul 28 16:00 ./dirA/dirB
find: ‘./dirA/dirB/file’: Permission denied
find: ‘./dirA/dirB/dirC’: Permission denied

user1@ubuntu20lts:~/tmp$ ls -l ./dirA/dirB
ls: cannot access './dirA/dirB/file': Permission denied
ls: cannot access './dirA/dirB/dirC': Permission denied
total 0
d????????? ? ? ? ?            ? dirC
-????????? ? ? ? ?            ? file

user1@ubuntu20lts:~/tmp$ ls -l ./dirA/dirB/dirC
ls: cannot access './dirA/dirB/dirC': Permission denied

user1@ubuntu20lts:~/tmp$ ls -l ./dirA/dirB/file
ls: cannot access './dirA/dirB/file': Permission denied

user1@ubuntu20lts:~/tmp$ cat ./dirA/dirB/file
cat: ./dirA/dirB/file: Permission denied

Effects of unset execute directory permission on write directory permission

user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ touch dirA/dirB/file dirA/dirB/dirC/file
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 06:11 .
   258916      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 06:11 ./dirA
   258920      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 06:11 ./dirA/dirB
   258922      0 -rw-rw-r--   1 user1    user1           0 Jul 31 06:11 ./dirA/dirB/file
   258921      4 drwxrwxr-x   2 user1    user1        4096 Jul 31 06:11 ./dirA/dirB/dirC
   258924      0 -rw-rw-r--   1 user1    user1           0 Jul 31 06:11 ./dirA/dirB/dirC/file

user1@ubuntu20lts:~/tmp$ chmod a-x ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 06:11 .
   258916      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 06:11 ./dirA
   258920      4 drw-rw-r--   3 user1    user1        4096 Jul 31 06:11 ./dirA/dirB
find: ‘./dirA/dirB/file’: Permission denied
find: ‘./dirA/dirB/dirC’: Permission denied

user1@ubuntu20lts:~/tmp$ rm -fr ./dirA/dirB/file
rm: cannot remove './dirA/dirB/file': Permission denied

user1@ubuntu20lts:~/tmp$ rm -fr ./dirA/dirB/dirC
rm: cannot remove './dirA/dirB/dirC': Permission denied

user1@ubuntu20lts:~/tmp$ touch ./dirA/dirB/file1
touch: cannot touch './dirA/dirB/file1': Permission denied

user1@ubuntu20lts:~/tmp$ mkdir ./dirA/dirB/dirD
mkdir: cannot create directory ‘./dirA/dirB/dirD’: Permission denied

user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/file ./dirA/dirB/file1
mv: failed to access './dirA/dirB/file1': Permission denied

user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/dirC ./dirA/dirB/dirD
mv: failed to access './dirA/dirB/dirD': Permission denied

user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/file ./
mv: cannot stat './dirA/dirB/file': Permission denied

user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/dirC ./
mv: cannot stat './dirA/dirB/dirC': Permission denied

user1@ubuntu20lts:~/tmp$ chmod a+x ./dirA/dirB/file
chmod: cannot access './dirA/dirB/file': Permission denied

Combining execute and write directory permissions with unset read directory permission

user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ touch dirA/dirB/dirC/file
user1@ubuntu20lts:~/tmp$ echo test > dirA/dirB/file
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 11:39 .
   258916      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 11:39 ./dirA
   258920      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 11:39 ./dirA/dirB
   258943      4 -rw-rw-r--   1 user1    user1           5 Jul 31 11:39 ./dirA/dirB/file
   258924      4 drwxrwxr-x   2 user1    user1        4096 Jul 31 11:39 ./dirA/dirB/dirC
   258942      0 -rw-rw-r--   1 user1    user1           0 Jul 31 11:39 ./dirA/dirB/dirC/file

user1@ubuntu20lts:~/tmp$ chmod a-r ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 11:39 .
   258916      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 11:39 ./dirA
   258920      4 d-wx-wx--x   3 user1    user1        4096 Jul 31 11:39 ./dirA/dirB
find: ‘./dirA/dirB’: Permission denied

user1@ubuntu20lts:~/tmp$ ls -la ./dirA/dirB/file
-rw-rw-r-- 1 user1 user1 5 Jul 31 11:39 ./dirA/dirB/file

user1@ubuntu20lts:~/tmp$ cat ./dirA/dirB/file
test

user1@ubuntu20lts:~/tmp$ ls -la ./dirA/dirB/dirC
total 8
drwxrwxr-x 2 user1 user1 4096 Jul 31 11:39 .
d-wx-wx--x 3 user1 user1 4096 Jul 31 11:39 ..
-rw-rw-r-- 1 user1 user1    0 Jul 31 11:39 file

user1@ubuntu20lts:~/tmp$ cd ./dirA/dirB
user1@ubuntu20lts:~/tmp/dirA/dirB$ find . -ls
   258920      4 d-wx-wx--x   3 user1    user1        4096 Jul 31 11:39 .
find: ‘.’: Permission denied

user1@ubuntu20lts:~/tmp/dirA/dirB$ ls -la .
ls: cannot open directory '.': Permission denied

user1@ubuntu20lts:~/tmp/dirA/dirB$ mkdir dirD
user1@ubuntu20lts:~/tmp/dirA/dirB$ mv dirD dirE
user1@ubuntu20lts:~/tmp/dirA/dirB$ rm -fr dirE

user1@ubuntu20lts:~/tmp/dirA/dirB$ touch file1
user1@ubuntu20lts:~/tmp/dirA/dirB$ mv file1 file2
user1@ubuntu20lts:~/tmp/dirA/dirB$ rm -fr file2

user1@ubuntu20lts:~/tmp/dirA/dirB$ mv dirC ../

user1@ubuntu20lts:~/tmp/dirA/dirB$ chmod a+x file
user1@ubuntu20lts:~/tmp/dirA/dirB$ ls -la file
-rwxrwxr-x 1 user1 user1 5 Jul 31 11:39 file

Effects of setting only execute directory permission

user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ echo test > dirA/dirB/file
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 13:48 .
   258916      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 13:48 ./dirA
   258920      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 13:48 ./dirA/dirB
   258942      4 -rw-rw-r--   1 user1    user1           5 Jul 31 13:48 ./dirA/dirB/file
   258924      4 drwxrwxr-x   2 user1    user1        4096 Jul 31 13:48 ./dirA/dirB/dirC

user1@ubuntu20lts:~/tmp$ chmod a-wr ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 13:48 .
   258916      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 13:48 ./dirA
   258920      4 d--x--x--x   3 user1    user1        4096 Jul 31 13:48 ./dirA/dirB
find: ‘./dirA/dirB’: Permission denied

user1@ubuntu20lts:~/tmp$ ls -la ./dirA/dirB
ls: cannot open directory './dirA/dirB': Permission denied

user1@ubuntu20lts:~/tmp$ ls -l ./dirA/dirB/file
-rw-rw-r-- 1 user1 user1 5 Jul 31 13:48 ./dirA/dirB/file

user1@ubuntu20lts:~/tmp$ ls -l ./dirA/dirB/dirC
total 0

user1@ubuntu20lts:~/tmp$ cd dirA/dirB/
user1@ubuntu20lts:~/tmp/dirA/dirB$ ls -la
ls: cannot open directory '.': Permission denied

user1@ubuntu20lts:~/tmp/dirA/dirB$ find . -ls
   258920      4 d--x--x--x   3 user1    user1        4096 Jul 31 13:48 .
find: ‘.’: Permission denied

user1@ubuntu20lts:~/tmp/dirA/dirB$ cd dirC
user1@ubuntu20lts:~/tmp/dirA/dirB/dirC$ cd ~/tmp

user1@ubuntu20lts:~/tmp$ cat ./dirA/dirB/file
test

user1@ubuntu20lts:~/tmp$ echo "date" > ./dirA/dirB/file
user1@ubuntu20lts:~/tmp$ chmod a+x ./dirA/dirB/file
user1@ubuntu20lts:~/tmp$ ls -l ./dirA/dirB/file
-rwxrwxr-x 1 user1 user1 5 Jul 31 13:49 ./dirA/dirB/file

user1@ubuntu20lts:~/tmp$ ./dirA/dirB/file
Fri 31 Jul 2020 01:49:55 PM UTC

user1@ubuntu20lts:~/tmp$ touch ./dirA/dirB/file1
touch: cannot touch './dirA/dirB/file1': Permission denied
user1@ubuntu20lts:~/tmp$ mkdir ./dirA/dirB/dirD
mkdir: cannot create directory ‘./dirA/dirB/dirD’: Permission denied

user1@ubuntu20lts:~/tmp$ rm -fr ./dirA/dirB/file
rm: cannot remove './dirA/dirB/file': Permission denied
user1@ubuntu20lts:~/tmp$ rm -fr ./dirA/dirB/dirC
rm: cannot remove './dirA/dirB/dirC': Permission denied

user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/file ./dirA/dirB/file1
mv: cannot move './dirA/dirB/file' to './dirA/dirB/file1': Permission denied
user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/dirC ./dirA/dirB/dirD
mv: cannot move './dirA/dirB/dirC' to './dirA/dirB/dirD': Permission denied

user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/file ./
mv: cannot move './dirA/dirB/file' to './file': Permission denied
user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/dirC ./
mv: cannot move './dirA/dirB/dirC' to './dirC': Permission denied

Additional flags: SUID, SGID, Sticky bit

  1. SUID (Set User ID) flag — works only on files
    • On files
      • A process executing a file normally keeps its effective UID (User ID) equal to the UID of the user running the executable
      • If the executable file has the SUID flag set, the process instead gets an effective UID equal to the UID of the file's owner
      • For security reasons the SUID flag only takes effect on Linux ELF executables; it does nothing on Bash or Python script files
      • Examples of well-known Linux system executables with the SUID flag set
        • /usr/bin/passwd
          • SUID is set because passwords are stored in /etc/shadow, which grants no permission at the group or other level
        • /usr/bin/mount
          • SUID is set because only root can mount filesystems; when /etc/fstab contains the user option, any user can mount the corresponding filesystem
  2. SGID (Set Group ID) flag — works both on files and directories
    • On files
      • A process executing a file normally keeps its effective GID (Group ID) equal to the GID of the user running the executable
      • If the executable file has the SGID flag set, the process instead gets an effective GID equal to the GID of the file's group
      • For security reasons the SGID flag only takes effect on Linux ELF executables; it does nothing on Bash or Python script files
      • Examples of well-known Linux system executables with the SGID flag set
        • /usr/bin/ssh-agent
          • SGID is set to prevent ptrace(2) attacks from retrieving private key material
        • /usr/bin/crontab
          • SGID is set to enforce the following restrictions (together with the crontab binary being owned by the crontab group, and the crontab spool directory being owned by the crontab group with the Sticky bit set on it)
            • limiting access to the crontab spool directory (/var/spool/cron/crontabs)
            • limiting read or edit access to users' crontab files (/var/spool/cron/crontabs/<username>) to the crontab binary only
    • On directories
      • When a process creates a file, the file's GID (Group ID) is either the GID of the creating process or the GID of the parent directory, depending on whether the SGID flag is set on the parent directory
      • This inheritance applies to the SGID flag only; the SUID flag has no such effect on directories
      • SGID on directories is used for collaborative directories: users working on a shared project belong to the same group, and because new files inherit the directory's group, each user can read the others' files as long as read permission is granted at the group level
  3. Sticky bit — currently works only on directories (using it on files is deprecated)
    • On files
      • Running an executable file with the Sticky bit set once requested the kernel to keep the program in memory after its execution terminated
      • This approach is obsolete and deprecated; sharing of code pages is used instead
    • On directories
      • With the Sticky bit set on a directory, only the file's owner, the directory's owner, or root can modify (for example delete or rename) the files and subdirectories in that directory
      • Without the Sticky bit, any user with write and execute permissions on the directory can modify the files and subdirectories it contains, regardless of who owns them
      • To create files and subdirectories in a directory, a user needs write and execute permissions on that directory
      • Those write and execute permissions on the directory grant the privilege to create files and subdirectories as well as the privilege to modify them
      • In that case the user can modify any file or subdirectory in the directory; the permissions of those files and subdirectories themselves have no effect on such modifications (deleting or renaming)
      • With the Sticky bit set on a directory, anyone with write and execute permission can create files there but can modify only his/her own files; files owned by other users cannot be modified
      • Examples of well-known Linux system directories with the Sticky bit set
        • /tmp
          • The Sticky bit is used on /tmp because the directory must grant full rights in all three permission triads so that every user can create and delete temporary files there
        • /var/spool/cron/crontabs
          • For why the Sticky bit is used here, see the explanation of the SGID flag set on /usr/bin/crontab above

SUID, SGID, and Sticky bit examples

Effects of SUID flag

user3@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user3@ubuntu20lts:~/tmp$ cp $(which id) ./
user3@ubuntu20lts:~/tmp$ sudo chown user1 ./id
user3@ubuntu20lts:~/tmp$ sudo chmod u+s ./id
user3@ubuntu20lts:~/tmp$ ls -l ./id
-rwsr-xr-x 1 user1 user3 47480 Jul 26 11:07 ./id

user3@ubuntu20lts:~/tmp$ id
uid=2003(user3) gid=2003(user3) groups=2003(user3)

user3@ubuntu20lts:~/tmp$ ./id
uid=2003(user3) gid=2003(user3) euid=2001(user1) groups=2003(user3)

Effects of SGID flag on files

user3@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user3@ubuntu20lts:~/tmp$ cp $(which id) ./
user3@ubuntu20lts:~/tmp$ sudo chgrp user2 ./id
user3@ubuntu20lts:~/tmp$ sudo chmod g+s ./id
user3@ubuntu20lts:~/tmp$ ls -l ./id
-rwxr-sr-x 1 user3 user2 47480 Jul 26 11:13 ./id

user3@ubuntu20lts:~/tmp$ id
uid=2003(user3) gid=2003(user3) groups=2003(user3)

user3@ubuntu20lts:~/tmp$ ./id
uid=2003(user3) gid=2003(user3) egid=2002(user2) groups=2002(user2),2003(user3)

Effects of SGID flag on directories

  • If the SGID flag is not set, the created file gets its GID from the creating process
user3@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user3@ubuntu20lts:~/tmp$ echo "#/usr/bin/env bash" > file
user3@ubuntu20lts:~/tmp$ echo "touch test" >> file
user3@ubuntu20lts:~/tmp$ chmod a+x file

user3@ubuntu20lts:~/tmp$ sudo chgrp user1 ./
user3@ubuntu20lts:~/tmp$ find . -ls
   258932      4 drwxrwxr-x   2 user3    user1        4096 Jul 27 06:25 .
   258938      4 -rwxrwxr-x   1 user3    user3          30 Jul 27 06:25 ./file

user3@ubuntu20lts:~/tmp$ ./file
user3@ubuntu20lts:~/tmp$ find . -ls
   258932      4 drwxrwxr-x   2 user3    user1        4096 Jul 27 06:26 .
   258938      4 -rwxrwxr-x   1 user3    user3          30 Jul 27 06:25 ./file
   258941      0 -rw-rw-r--   1 user3    user3           0 Jul 27 06:26 ./test
  • If the SGID flag is set, the created file gets its GID from the parent directory
user3@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user3@ubuntu20lts:~/tmp$ echo "#/usr/bin/env bash" > file
user3@ubuntu20lts:~/tmp$ echo "touch test" >> file
user3@ubuntu20lts:~/tmp$ chmod a+x file

user3@ubuntu20lts:~/tmp$ chmod g+s ./
user3@ubuntu20lts:~/tmp$ sudo chgrp user1 ./
user3@ubuntu20lts:~/tmp$ find . -ls
   258932      4 drwxrwsr-x   2 user3    user1        4096 Jul 27 06:27 .
   258938      4 -rwxrwxr-x   1 user3    user3          30 Jul 27 06:27 ./file

user3@ubuntu20lts:~/tmp$ ./file
user3@ubuntu20lts:~/tmp$ find . -ls
   258932      4 drwxrwsr-x   2 user3    user1        4096 Jul 27 06:27 .
   258938      4 -rwxrwxr-x   1 user3    user3          30 Jul 27 06:27 ./file
   258941      0 -rw-rw-r--   1 user3    user1           0 Jul 27 06:27 ./test

No effects of SUID flag on directories

  • Even if the SUID flag is set, it has no effect on a directory
user3@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user3@ubuntu20lts:~/tmp$ echo "#/usr/bin/env bash" > file
user3@ubuntu20lts:~/tmp$ echo "touch test" >> file
user3@ubuntu20lts:~/tmp$ chmod a+x file

user3@ubuntu20lts:~/tmp$ chmod u+s ./
user3@ubuntu20lts:~/tmp$ sudo chown user2 ./
user3@ubuntu20lts:~/tmp$ find . -ls
   258932      4 drwsrwxr-x   2 user2    user3        4096 Jul 27 06:29 .
   258938      4 -rwxrwxr-x   1 user3    user3          30 Jul 27 06:30 ./file

user3@ubuntu20lts:~/tmp$ ./file
user3@ubuntu20lts:~/tmp$ find . -ls
   258932      4 drwsrwxr-x   2 user2    user3        4096 Jul 27 06:30 .
   258938      4 -rwxrwxr-x   1 user3    user3          30 Jul 27 06:30 ./file
   258941      0 -rw-rw-r--   1 user3    user3           0 Jul 27 06:30 ./test

Effects of Sticky bit

  • Without the Sticky bit set on the directory, user1 can delete user3's files
user3@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user3@ubuntu20lts:~/tmp$ chmod a+rwx ./
user3@ubuntu20lts:~/tmp$ touch user3-file
user3@ubuntu20lts:~/tmp$ mkdir user3-dir
user3@ubuntu20lts:~/tmp$ find . -ls
   258932      4 drwxrwxrwx   3 user3    user3        4096 Jul 27 07:08 .
   258941      4 drwxrwxr-x   2 user3    user3        4096 Jul 27 07:08 ./user3-dir
   258938      0 -rw-rw-r--   1 user3    user3           0 Jul 27 07:07 ./user3-file

user3@ubuntu20lts:~/tmp$ pwd
/home/user3/tmp

user3@ubuntu20lts:~/tmp$ sudo -i -u user1
user1@ubuntu20lts:~$ cd /home/user3/tmp

user1@ubuntu20lts:/home/user3/tmp$ find . -ls
   258932      4 drwxrwxrwx   3 user3    user3        4096 Jul 27 07:08 .
   258941      4 drwxrwxr-x   2 user3    user3        4096 Jul 27 07:08 ./user3-dir
   258938      0 -rw-rw-r--   1 user3    user3           0 Jul 27 07:07 ./user3-file

user1@ubuntu20lts:/home/user3/tmp$ rm -fr user3*
user1@ubuntu20lts:/home/user3/tmp$ find . -ls
   258932      4 drwxrwxrwx   2 user3    user3        4096 Jul 27 07:09 .

user1@ubuntu20lts:/home/user3/tmp$ logout
user3@ubuntu20lts:~/tmp$ find . -ls
   258932      4 drwxrwxrwx   2 user3    user3        4096 Jul 27 07:09 .
  • With the Sticky bit set on the directory, user1 cannot delete user3's files
user3@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user3@ubuntu20lts:~/tmp$ chmod a+rwx ./
user3@ubuntu20lts:~/tmp$ chmod o+t ./
user3@ubuntu20lts:~/tmp$ touch user3-file
user3@ubuntu20lts:~/tmp$ mkdir user3-dir
user3@ubuntu20lts:~/tmp$ find . -ls
   258917      4 drwxrwxrwt   3 user3    user3        4096 Jul 27 07:42 .
   258932      4 drwxrwxr-x   2 user3    user3        4096 Jul 27 07:42 ./user3-dir
   258918      0 -rw-rw-r--   1 user3    user3           0 Jul 27 07:42 ./user3-file

user3@ubuntu20lts:~/tmp$ pwd
/home/user3/tmp

user3@ubuntu20lts:~/tmp$ sudo -i -u user1
user1@ubuntu20lts:~$ cd /home/user3/tmp

user1@ubuntu20lts:/home/user3/tmp$ find . -ls
   258917      4 drwxrwxrwt   3 user3    user3        4096 Jul 27 07:42 .
   258932      4 drwxrwxr-x   2 user3    user3        4096 Jul 27 07:42 ./user3-dir
   258918      0 -rw-rw-r--   1 user3    user3           0 Jul 27 07:42 ./user3-file

user1@ubuntu20lts:/home/user3/tmp$ rm -fr ./user3-file
rm: cannot remove './user3-file': Operation not permitted

user1@ubuntu20lts:/home/user3/tmp$ rm -fr ./user3-dir
rm: cannot remove './user3-dir': Operation not permitted
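
A small helper, added here and not part of the original post, that turns the symbolic modes shown in the listings above (for example -rwsr-xr-x or drwxrwxrwt) into octal with SUID/SGID/Sticky as the leading digit, and scans find -ls output for entries carrying any of those bits, which is the check an administrator runs when auditing a host. The function names and the sample input at the bottom are constructed for this example; the modes in the sample are taken from the post's own listings.

```shell
#!/bin/sh
# Added example, not from the original post: make SUID/SGID/Sticky visible
# in the symbolic modes that `ls -l` and `find -ls` print in the post.

# Convert a 10-character mode string (e.g. "-rwsr-xr-x") to 4-digit octal.
# The leading digit encodes SUID (4), SGID (2) and Sticky (1); an upper-case
# S or T means the special bit is set without the matching execute bit.
mode_to_octal() {
    rest=${1#?}            # drop the file-type character (-, d, l, ...)
    special=0 perms='' pos=0 v=0
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}; rest=${rest#?}    # pop the first character
        pos=$((pos + 1))
        case $c in
            r) v=$((v + 4)) ;;
            w) v=$((v + 2)) ;;
            x) v=$((v + 1)) ;;
            s|S) if [ "$c" = s ]; then v=$((v + 1)); fi
                 # position 3 is the user triad (SUID), 6 the group triad (SGID)
                 if [ "$pos" -le 3 ]; then special=$((special + 4))
                 else special=$((special + 2)); fi ;;
            t|T) if [ "$c" = t ]; then v=$((v + 1)); fi
                 special=$((special + 1)) ;;
        esac
        if [ $((pos % 3)) -eq 0 ]; then perms="$perms$v"; v=0; fi
    done
    printf '%d%s\n' "$special" "$perms"
}

# Read `find -ls` lines on stdin and print "<octal> <path> <flags>" for every
# entry carrying a special bit; plain 0xxx entries are skipped.
audit_find_ls() {
    while read -r _ino _blk mode _nl _usr _grp _sz _mon _day _time path; do
        oct=$(mode_to_octal "$mode")
        case $oct in 0*) continue ;; esac
        flags=''
        case $mode in ???[sS]*) flags="${flags}SUID " ;; esac
        case $mode in ??????[sS]*) flags="${flags}SGID " ;; esac
        case $mode in *[tT]) flags="${flags}STICKY " ;; esac
        printf '%s %s %s\n' "$oct" "$path" "${flags% }"
    done
}

# Constructed sample input (modes taken from the post's listings), run stand-alone:
printf '%s\n' \
    '258932 4 drwxrwsr-x 2 user3 user1 4096 Jul 27 06:27 .' \
    '258938 4 -rwxrwxr-x 1 user3 user3 30 Jul 27 06:27 ./file' \
    '258917 4 drwxrwxrwt 3 user3 user3 4096 Jul 27 07:42 /tmp' | audit_find_ls
```

On a real host the same scan is `find / -xdev -perm /6000 -ls | audit_find_ls`, which lists every SUID/SGID program so unexpected ones can be compared against the package manager's list.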
