Managing File system security

The chmod command can be used to change the permission configuration of files and directories. chmod takes two lists as its arguments: the permission changes and the filenames.

You can specify the list of permissions in two different ways. One way uses permission symbols and is referred to as the symbolic method. The other uses what is known as a “binary mask” and is referred to as either the absolute or the relative method.

Symbolic Method

The symbolic method of setting permissions uses the characters r, w, and x for read, write, and execute, respectively. Any of these permissions can be added or removed. The symbol to add a permission is the plus sign, +. The symbol to remove a permission is the minus sign, -.

chmod: File Permissions in Symbolic Method

Symbol   Description
r        Read
w        Write
x        Execute (also gives permission to change into a directory)
X        Execute only if it is a directory or already has execute permission for some user
s        Set user or group ID on execution
t        Sticky bit
u        Permissions granted to the user who owns the file
g        Permissions granted to users in the file's group
o        Permissions granted to others (users who are neither the owner nor in the file's group)

r w x permissions

The first three (r, w, x) are clear. Use them to set read, write, and execute permissions.

s permission

The s permission is used on directories to keep the user or group ID for a file created in the directory. To set the user ID for any new files created in the directory to the owner of the directory, use the chmod u+s <directory> command. To set the group ID for any new files created in the directory to the directory's group, use the chmod g+s <directory> command.

t permission

t is a special permission that provides greater security on directories. The sticky bit is used on directories to protect the files within them. Files in a directory with the sticky bit set can only be deleted or renamed by the root user or the owner of the directory.

Sticky Bit Permission Using Symbols

The sticky bit permission symbol is t. The sticky bit shows up as a t in the execute position of the other permissions. A program with read and execute permissions with the sticky bit has its permissions displayed as r-t.

 #chmod +t /home/vinita/account_detail
 #ls -l /home/vinita/account_detail
 -rwxr-xr-t 1 root root 4096 /home/vinita/account_detail

u g o permission

The last three symbols (u, g, o) are only used with the = operator, to set one category's permissions equal to the existing permissions of another category (owner, group, or others). For example, chmod g=u [filename] sets the group permissions to the current permissions of the file's owner.

Examples of symbolic method

[Figure: linux chmod commands]
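As an added example (not from the original page), the following shell script applies the symbolic forms above to scratch files and directories and prints the mode field that ls reports afterwards; the helper function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page): apply the symbolic chmod forms
# described above to scratch files and directories and show the resulting
# mode field, so each operator's effect can be checked against ls.
set -e

# mode_field PATH -> the ten-character mode field from ls -ld (portable,
# unlike stat, whose flags differ between GNU and BSD)
mode_field() {
    ls -ld "$1" | cut -c1-10
}

# file_mode_after START CHANGE... -> create a scratch file with octal mode
# START, apply each symbolic CHANGE in order, print the final mode field
file_mode_after() {
    tmp=$(mktemp)
    chmod "$1" "$tmp"; shift
    for change in "$@"; do chmod "$change" "$tmp"; done
    mode_field "$tmp"
    rm -f "$tmp"
}

# dir_mode_after START CHANGE... -> the same for a scratch directory
dir_mode_after() {
    tmp=$(mktemp -d)
    chmod u-s,g-s,o-t "$tmp"       # start clean even if the parent dir is setgid
    chmod "$1" "$tmp"; shift
    for change in "$@"; do chmod "$change" "$tmp"; done
    mode_field "$tmp"
    rmdir "$tmp"
}

echo "644 then u+x        : $(file_mode_after 644 u+x)"         # -rwxr--r--
echo "644 then u+x,g=u    : $(file_mode_after 644 u+x g=u)"     # -rwxrwxr--
echo "644 then u+x,g=u,o= : $(file_mode_after 644 u+x g=u o=)"  # -rwxrwx---
echo "755 dir then g+s    : $(dir_mode_after 755 g+s)"          # drwxr-sr-x
echo "755 dir then g+s,+t : $(dir_mode_after 755 g+s +t)"       # drwxr-sr-t
echo "777 dir then o-w,+t : $(dir_mode_after 777 o-w +t)"       # drwxrwxr-t (the /tmp layout)
```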

Absolute Permissions: Binary Masks

The absolute method changes all the permissions at once instead of adding or removing individual ones. It uses a binary mask that encodes the permissions of every category (owner, group, and others).

Binary Masks

When dealing with a binary mask, you need to specify three digits, one for each of the three categories, with each digit encoding that category's permissions. This makes a binary mask less flexible than the permission symbols.

Digit        Permission
0            none
1            execute
2            write
4            read
3 (1+2)      write and execute
5 (1+4)      read and execute
7 (1+2+4)    read, write, and execute
Value   Mode        Meaning
777     rwxrwxrwx   No restrictions on permissions. Anybody may do anything. Generally not a desirable setting.
755     rwxr-xr-x   The file's owner may read, write, and execute the file. All others may read and execute the file. This setting is common for programs that are used by all users.
700     rwx------   The file's owner may read, write, and execute the file. Nobody else has any rights. This setting is useful for programs that only the owner may use and must be kept private from others.
666     rw-rw-rw-   All users may read and write the file.
644     rw-r--r--   The owner may read and write the file, while all others may only read it. A common setting for data files that everybody may read, but only the owner may change.
600     rw-------   The owner may read and write the file. All others have no rights. A common setting for data files that the owner wants to keep private.

Examples of binary masks

[Figure: Linux chmod commands]

Default Permissions: umask

Whenever you create a file or directory, it is given default permissions. You can display the current defaults or change them with the umask command. The permissions are displayed in binary or symbolic format. The default permissions include any execute permissions that are applied to a directory. Execute permission for a file is turned off by default when you create it because standard data files do not use the executable permissions (to make a file executable like a script, you have to manually set its execute permission). To display the current default permissions, use the umask command with no arguments.

The -S option displays the mask in symbolic format:

 #umask -S
 u=rwx,g=rx,o=rx

This default umask provides rw-r--r-- permission for standard files and adds execute permission for directories, rwxr-xr-x.

You can set a new default by specifying permissions in either symbolic or binary format. To specify the new permissions in symbolic format, use the -S option. The following example denies others read permission while allowing user and group read access, which results in permissions of rwxr-x---:

 #umask -S u=rwx,g=rx,o=

When you use the binary format, the mask is the inverse of the permissions you want to set. To set both the read and execute permission on and the write permission off, you use the octal number 2, a binary 010. To set all permissions on, you use an octal 0, a binary 000.

The following example shows the mask for the permission defaults rwx, rx, and rx (rw, r, and r for files):

 #umask 0022

To set the default so that others are denied all permissions, you use 0027; the final digit, 7, is the binary mask 111 for the other permissions.

 #umask 0027
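To see the rule in action, here is an added shell example (not from the original page) that predicts the default mode for a given umask by arithmetic and then creates a real file and directory under that mask to confirm the kernel agrees; the helper names and the extra 0077 case are my own.

```shell
#!/bin/sh
# Added example (not from the original page): how a umask value determines
# the mode of newly created files and directories. A file starts from 666
# and a directory from 777; every bit set in the mask is then cleared.
set -e

# sym_of OCTAL -> nine-character rwx string for a three-digit octal mode
sym_of() {
    n=$(( 0$1 ))
    out=""
    for pos in 6 3 0; do                    # owner, group, others
        bits=$(( (n >> pos) & 7 ))
        if [ $(( bits & 4 )) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $(( bits & 2 )) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $(( bits & 1 )) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    done
    printf '%s\n' "$out"
}

# predicted_mode MASK KIND -> symbolic mode a new file (f) or directory (d)
# should receive under umask MASK, computed as base AND NOT mask
predicted_mode() {
    if [ "$2" = d ]; then base=0777; else base=0666; fi
    sym_of "$(printf '%o' $(( base & ~0$1 & 0777 )))"
}

# actual_mode MASK KIND -> create a file or directory in a scratch directory
# with umask MASK in force and report the mode the kernel really assigned
actual_mode() {
    scratch=$(mktemp -d)
    if [ "$2" = d ]; then
        (umask "$1" && mkdir "$scratch/new")
    else
        (umask "$1" && : > "$scratch/new")
    fi
    ls -ld "$scratch/new" | cut -c2-10    # drop the file-type character
    rm -rf "$scratch"
}

# 0022 and 0027 are the masks discussed above; 0077 (private to the owner)
# is an extra constructed case
for mask in 0022 0027 0077; do
    echo "umask $mask: file $(predicted_mode "$mask" f) (created: $(actual_mode "$mask" f))"
    echo "umask $mask: dir  $(predicted_mode "$mask" d) (created: $(actual_mode "$mask" d))"
done
```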