# 1. Introduction

### **Users, Groups, and Files & Directories**

* At a basic level, permissions in Linux are a relationship between users, groups, and files & directories.
* Users can belong to multiple groups.
* Groups can have multiple users.
* Every file and directory defines its permissions in terms of a user, a group, and “others” (all other users).

#### Users

* User accounts are configured in the **/etc/passwd** file.
* User password hashes are stored in the **/etc/shadow** file.
* Users are identified by an integer user ID (**UID**).
* The “root” user account is a special type of account in Linux.
  * It has a UID of **0**, and the system grants this user access to every file.

#### Groups

* Groups are configured in the **/etc/group** file.
* Users have a primary group, and can have multiple secondary (or supplementary) groups.
* By default, a user’s primary group has the same name as their user account.

#### Files & Directories

* All files & directories have a single owner and a group.
* Permissions are defined in terms of read, write, and execute operations.
* There are three sets of permissions, one for the owner, one for the group, and one for all “other” users (can also be referred to as “world”).
* Only the owner can change permissions.

***

### **Permissions**

#### File Permissions

* **Read** – when set, the file contents can be read.
* **Write** – when set, the file contents can be modified.
* **Execute** – when set, the file can be executed (i.e. run as some kind of process).

#### Directory Permissions

* **Execute** – when set, the directory can be entered. Without this permission, neither the read nor write permissions will work.
* **Read** – when set, the directory contents can be listed.
* **Write** – when set, files and subdirectories can be created in the directory.

#### Special Permissions

1. **setuid (SUID) bit**
   * When set, the file will get executed with the privileges of the file owner.
2. **setgid (SGID) bit**
   * When set on a file, the file will get executed with the privileges of the file group.
   * When set on a directory, files created within that directory will inherit the group of the directory itself.

#### Viewing Permissions

The `ls` command can be used to view permissions:

```
$ ls -l /bin/date
-rwxr-xr-x 1 root root 60416 Apr 28 2010 /bin/date
```

* The first 10 characters indicate the permissions set on the file or directory.
* The first character simply indicates the type (e.g. '-' for file, 'd' for directory).
* The remaining 9 characters represent the 3 sets of permissions (owner, group, others).
* Each set contains 3 characters, indicating the read (r), write (w), and execute (x) permissions.
* SUID/SGID permissions are represented by an 's' in the execute position.

***

### **Real, Effective, & Saved UID/GID**

Each user has 3 user IDs in Linux (real, effective, and saved).

#### Real UID/GID

* A user’s real ID is who they actually are (the ID defined in /etc/passwd). Despite its name, the real ID is used less often than the effective ID to check a user’s identity.

#### Effective UID/GID

* A user’s effective ID is normally equal to their real ID; however, when a process runs as another user (for example through a SUID binary), its effective ID is set to that user’s ID.
* The effective ID is used in most access control decisions to verify a user, and commands such as `whoami` use the effective ID.

#### Saved UID/GID

The saved ID lets a SUID process temporarily switch its effective ID back to the real ID and later switch it back again, without losing track of the original effective ID.

#### Viewing UID/GID

Print the real and effective user / group IDs using the `id` command:

```
# id
uid=1000(user) gid=1000(user) euid=0(root) egid=0(root)
groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)
```

Print real, effective, saved, and file system user / group IDs of the current process (i.e. our shell):

```
# cat /proc/$$/status | grep "[UG]id"
Uid:	1000	0	0	0
Gid:	1000	0	0	0
```
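The saved-ID mechanism described above, shown from inside a process: an added example (not part of the original notes) that reads the same three IDs `/proc/$$/status` prints via `getresuid()`, then walks through the temporary drop, restore, and permanent drop a well-behaved SUID program performs. Run unprivileged all three IDs are simply equal; the function names and output format are this example's own.

```c
#define _GNU_SOURCE          /* needed for getresuid()/setresuid() on glibc */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* The three user IDs of the calling process: real (who the user is),
 * effective (what access checks use) and saved (where a SUID program
 * keeps its original effective ID while running with reduced rights). */
struct uids { uid_t real, effective, saved; };

struct uids get_uids(void) {
    struct uids u;
    getresuid(&u.real, &u.effective, &u.saved);   /* same values as /proc/self/status */
    return u;
}

/* Temporarily give up privilege: effective UID := real UID.  In a SUID
 * binary the elevated ID survives in the saved UID.  Returns 0 on success. */
int drop_privilege_temporarily(void) {
    return seteuid(getuid());
}

/* Reclaim the effective UID parked in the saved UID.  Returns 0 on success. */
int restore_privilege(void) {
    return seteuid(get_uids().saved);
}

/* Give up privilege for good: all three IDs become the real UID, so no
 * later seteuid() can reclaim the elevated ID.  Returns 0 on success. */
int drop_privilege_permanently(void) {
    uid_t real = getuid();
    return setresuid(real, real, real);
}

static void show(const char *stage) {
    struct uids u = get_uids();
    printf("%-9s real=%u effective=%u saved=%u\n", stage,
           (unsigned)u.real, (unsigned)u.effective, (unsigned)u.saved);
}

int main(void) {
    show("start:");
    if (drop_privilege_temporarily() != 0) { perror("seteuid"); return 1; }
    show("dropped:");
    if (restore_privilege() != 0) { perror("seteuid"); return 1; }
    show("restored:");
    if (drop_privilege_permanently() != 0) { perror("setresuid"); return 1; }
    show("final:");
    return 0;
}
```

Install the compiled binary with the SUID bit set and owned by another user to see the effective and saved IDs diverge from the real ID at "start:" and converge again at "final:".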

***
