1. Introduction

Users, Groups, and Files & Directories

• At a basic level, permissions in Linux are a relationship between users, groups, and files & directories.

• Users can belong to multiple groups.

• Groups can have multiple users.

• Every file and directory defines its permissions in terms of a user, a group, and “others” (all other users).

Users

• User accounts are configured in the /etc/passwd file.

• User password hashes are stored in the /etc/shadow file.

• Users are identified by an integer user ID (UID).

• The “root” user account is a special type of account in Linux.

  • It has an UID of 0, and the system grants this user access to every file.

Groups

• Groups are configured in the /etc/group file.

• Users have a primary group, and can have multiple secondary (or supplementary) groups.

• By default, a user’s primary group has the same name as their user account.

Files & Directories

• All files & directories have a single owner and a group.

• Permissions are defined in terms of read, write, and execute operations.

• There are three sets of permissions, one for the owner, one for the group, and one for all “other” users (can also be referred to as “world”).

• Only the owner can change permissions.

Permissions

File Permissions

• Read – when set, the file contents can be read.

• Write – when set, the file contents can be modified.

• Execute – when set, the file can be executed (i.e. run as some kind of process).

Directory Permissions

• Execute – when set, the directory can be entered. Without this permission, neither the read nor write permissions will work.

• Read – when set, the directory contents can be listed.

• Write – when set, files and subdirectories can be created in the directory.

Special Permissions

1. setuid (SUID) bit

   • When set, files will get executed with the privileges of the file owner

2. setgid (SGID) bit

   • When set on a file, the file will get executed with the privileges of the file group.

   • When set on a directory, files created within that directory will inherit the group of the directory itself.

Viewing Permissions

The ls command can be used to view permissions:

$ ls -l /bin/date
-rwxr-xr-x 1 root root 60416 Apr 28 2010 /bin/date

• The first 10 characters indicate the permissions set on the file or directory.

• The first character simply indicates the type (e.g. '-' for file, 'd' for directory).

• The remaining 9 characters represent the 3 sets of permissions (owner, group, others).

• Each set contains 3 characters, indicating the read (r), write (w), and execute (x) permissions.

• SUID/SGID permissions are represented by an 's' in the execute position.

Real, Effective, & Saved UID/GID

Each user has 3 user IDs in Linux (real, effective, and saved).

Real UID/GID

• A user’s real ID is who they actually are (the ID defined in /etc/passwd). Ironically, the real ID is actually used less often to check a user’s identity

Effective UID/GID

• A user’s effective ID is normally equal to their real ID, however when executing a process as another user, the effective ID is set to that user’s real ID.

• The effective ID is used in most access control decisions to verify a user, and commands such as whoami use the effective ID.

Saved UID/GID

The saved ID is used to ensure that SUID processes can temporarily switch a user’s effective ID back to their real ID and back again without losing track of the original effective ID.

Viewing UID/GID

Print real and effective user / group IDs using id command:

# id
uid=1000(user) gid=1000(user) euid=0(root) egid=0(root)
groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)

Print real, effective, saved, and file system user / group IDs of the current process (i.e. our shell):

# cat /proc/$$/status | grep "[UG]id"
Uid:	1000	0	0	0
Gid:	1000	0	0	0