1. Introduction
Users, Groups, and Files & Directories
At a basic level, permissions in Linux are a relationship between users, groups, and files & directories.
Users can belong to multiple groups.
Groups can have multiple users.
Every file and directory defines its permissions in terms of a user, a group, and “others” (all other users).
Users
User accounts are configured in the /etc/passwd file.
User password hashes are stored in the /etc/shadow file.
Users are identified by an integer user ID (UID).
The “root” user account is a special type of account in Linux.
It has a UID of 0, and the system grants this user access to every file.
Groups
Groups are configured in the /etc/group file.
Users have a primary group, and can have multiple secondary (or supplementary) groups.
By default, a user’s primary group has the same name as their user account.
Files & Directories
All files & directories have a single owner and a group.
Permissions are defined in terms of read, write, and execute operations.
There are three sets of permissions, one for the owner, one for the group, and one for all “other” users (can also be referred to as “world”).
Only the owner can change permissions.
Permissions
File Permissions
Read – when set, the file contents can be read.
Write – when set, the file contents can be modified.
Execute – when set, the file can be executed (i.e. run as some kind of process).
Directory Permissions
Execute – when set, the directory can be entered. Without this permission, neither the read nor write permissions will work.
Read – when set, the directory contents can be listed.
Write – when set, files and subdirectories can be created in the directory.
Special Permissions
setuid (SUID) bit
When set, the file will get executed with the privileges of the file owner.
setgid (SGID) bit
When set on a file, the file will get executed with the privileges of the file group.
When set on a directory, files created within that directory will inherit the group of the directory itself.
Viewing Permissions
The ls command can be used to view permissions:
The first 10 characters indicate the permissions set on the file or directory.
The first character simply indicates the type (e.g. '-' for file, 'd' for directory).
The remaining 9 characters represent the 3 sets of permissions (owner, group, others).
Each set contains 3 characters, indicating the read (r), write (w), and execute (x) permissions.
SUID/SGID permissions are represented by an 's' in the execute position.
Real, Effective, & Saved UID/GID
Each user has 3 user IDs in Linux (real, effective, and saved).
Real UID/GID
A user’s real ID is who they actually are (the ID defined in /etc/passwd). Ironically, the real ID is actually the one used less often to check a user’s identity.
Effective UID/GID
A user’s effective ID is normally equal to their real ID. However, when executing a process as another user, the effective ID is set to that user’s real ID.
The effective ID is used in most access control decisions to verify a user, and commands such as whoami use the effective ID.
Saved UID/GID
The saved ID is used to ensure that SUID processes can temporarily switch a user’s effective ID back to their real ID and back again without losing track of the original effective ID.
Viewing UID/GID
Print real and effective user / group IDs using the id command:
Print real, effective, saved, and file system user / group IDs of the current process (i.e. our shell):