1. File permissions in Linux (ACL - Access Control List)
2. The su command
3. What is the SUID bit?
4. What is the SGID bit?
5. What is the sticky bit?
________________________________________________
File permissions in Linux
In Linux, what we call the ACL (Access Control List) is known as file permissions.
File permissions here determine which user may access which file, and in which way.
Ownership of Linux files
Every file and directory on your Unix/Linux system is assigned the 3 types of
owner given below.
User
A user is the owner of the file. By default, the person who created a file
becomes its owner. Hence, a user is also sometimes called an owner.
Group
A user group can contain multiple users. All users belonging to a group will
have the same access permissions to the file. Suppose you have a project
where a number of people require access to a file. Instead of manually
assigning permissions to each user, you could add all users to a group, and
assign the group permission on the file such that only the group's members and
no one else can read or modify the files.
Other
Any other user who has access to a file. This person has neither created the
file, nor does he belong to a user group that could own the file. Practically, it
means everybody else. Hence, when you set the permission for others, it is
also referred to as setting permissions for the world.
1
Aparna Raj Singh Access Control List in LINUX
Now, the big question arises: how does Linux distinguish between these three
user types so that a user 'A' cannot affect a file which contains some other user
'B's' vital information/data? It is like you do not want your colleague, who
works on your Linux computer, to view your images. This is
where permissions come in, and they define user behaviour.
Let us understand the Permission system on Linux.
Permissions
Every file and directory in your UNIX/Linux system has the following 3
permissions defined for each of the 3 owners discussed above.
Read: This permission gives you the authority to open and read a file. Read
permission on a directory gives you the ability to list its contents.
Write: The write permission gives you the authority to modify the contents of
a file. The write permission on a directory gives you the authority to add,
remove and rename files stored in the directory. Consider a scenario where
you have write permission on a file but do not have write permission on the
directory where the file is stored. You will be able to modify the file contents,
but you will not be able to rename, move or remove the file from the
directory.
Execute: In Windows, an executable program usually has the extension ".exe",
which you can easily run. In Unix/Linux, you cannot run a program
unless the execute permission is set. If the execute permission is not set, you
might still be able to see/modify the program code (provided read & write
permissions are set), but not run it.
Running ls -l on the terminal gives a long listing; the permission characters in it are read as follows.
The characters are pretty easy to remember.
r = read permission
w = write permission
x = execute permission
- = no permission
The first part of the code is 'rw-'. This suggests that the owner 'Home' can:
Read the file
Write or edit the file
He cannot execute the file since the execute bit is set to '-'.
By design, many Linux distributions like Fedora, CentOS, Ubuntu, etc. will
add users to a group of the same group name as the user name. Thus, a user
'tom' is added to a group named 'tom'.
The second part is 'rw-'. It is for the user group 'Home', and group members can:
Read the file
Write or edit the file
The third part is for the world, which means any user. It says 'r--'. This means
any other user can only:
Read the file
Changing file/directory permissions with 'chmod' command
Say you do not want your colleague to see your personal images. This can be
achieved by changing file permissions.
We can use the 'chmod' command which stands for 'change mode'. Using the
command, we can set permissions (read, write, execute) on a file/directory for
the owner, group and the world. Syntax:
chmod permissions filename
There are 2 ways to use the command:
1. Absolute mode
2. Symbolic mode
Absolute (Numeric) Mode
In this mode, file permissions are not represented as characters but as a
three-digit octal number.
The table below gives the number for each permission type.
Number   Permission Type           Symbol
0        No Permission             ---
1        Execute                   --x
2        Write                     -w-
3        Execute + Write           -wx
4        Read                      r--
5        Read + Execute            r-x
6        Read + Write              rw-
7        Read + Write + Execute    rwx
Let's see the chmod command in action.
In the above-given terminal window, we have changed the permissions of the
file 'sample' to '764'.
The absolute code '764' says the following:
Owner can read, write and execute
Usergroup can read and write
World can only read
This is shown as '-rwxrw-r--'.
This is how you can change the permissions on a file by assigning an absolute
number.
Symbolic Mode
In the Absolute mode, you change permissions for all 3 owners at once. In the
symbolic mode, you can modify the permissions of a specific owner. It makes use
of mathematical symbols to modify the file permissions.
Operator   Description
+          Adds a permission to a file or directory
-          Removes the permission
=          Sets the permission and overrides the permissions set earlier
The various owners are represented as:
User   Denotation
u      user/owner
g      group
o      other
a      all
We will not be using permissions in numbers like 755 but characters like rwx.
Let's look into an example
Changing security permissions
The command you use to change the security permissions on files is called
“chmod”, which stands for “change mode”, because the nine security
characters are collectively called the security “mode” of the file.
1. The first argument you give to the "chmod" command is 'u', 'g' or 'o'. We
use:
u for user
g for group
o for others,
and you can also use a combination of them (u, g, o).
This specifies which of the three groups you want to modify.
2. After this use
a '+' for adding,
a '-' for removing,
and an '=' for assigning a permission.
3. Then specify the permission r, w or x you want to change.
Here also you can use a combination of r, w, x.
This specifies which of the three permissions "rwx" you want to modify.
4. You can use commas to modify more permissions in one command.
5. Finally, give the name of the file whose permission you are changing.
An example will make this clearer.
For example, if you want to give “execute” permission to the world (“other”)
for file “xyz.txt”, you would start by typing
chmod o
Now you would type a ‘+’ to say that you are “adding” a permission.
chmod o+
Then you would type an ‘x’ to say that you are adding “execute” permission.
chmod o+x
Finally, specify which file you are changing.
chmod o+x xyz.txt
Summary:
Linux being a multi-user system uses permissions and ownership for
security.
There are three user types on a Linux system, viz. User, Group and Other.
Linux divides the file permissions into read, write and execute, denoted
by r, w and x.
The permissions on a file can be changed by the 'chmod' command, which
can be further divided into Absolute and Symbolic mode.
The 'chown' command can change the ownership of a file/directory. Use
the following commands: chown user file or chown user:group file
The 'chgrp' command can change the group ownership: chgrp group
filename
What does x (executing) a directory mean? A: Being allowed to "enter"
a directory and gain possible access to its sub-directories.
Default File Permissions (umask)
When you create a file or directory, the default file permissions assigned to
the file or directory are controlled by the user mask. The user mask is set by
the umask command in a user initialization file. You can display the current
value of the user mask by typing umask and pressing Return.
The user mask contains the following octal values:
The first digit sets permissions for the user
The second sets permissions for group
The third sets permissions for other, also referred to as “world”
Table 4-22 Permissions for umask Values
umask Octal Value   File Permissions   Directory Permissions
0                   rw-                rwx
1                   rw-                rw-
2                   r--                r-x
3                   r--                r--
4                   -w-                -wx
5                   -w-                -w-
6                   --x                --x
7                   --- (none)         --- (none)
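The table above works one octal digit at a time. The added shell example below (not from the original notes) applies the same bit arithmetic to a whole umask, predicting the mode a new file (default 666) or directory (default 777) will receive, and then creates both under that umask to confirm what the system actually assigns. It assumes a Linux system with GNU coreutils (stat -c).

```shell
#!/bin/sh
# Added example (not from the original notes): how the umask is removed from
# the default creation modes 666 (files) and 777 (directories).
# Assumes Linux with GNU coreutils (stat -c %a).
set -e

# Predict the octal mode a new file or directory gets under a umask:
# default AND NOT mask. $1 is "file" or "dir", $2 is the umask (e.g. 022).
predict_mode() {
    if [ "$1" = "dir" ]; then base=511; else base=438; fi   # 0777 / 0666
    mask=$((0$2))          # the leading 0 makes the shell read it as octal
    printf '%o\n' $(( base & ~mask ))
}

# Create a file and a directory under the given umask (in a subshell, so the
# caller's umask is untouched) and report the modes assigned, as "file dir".
observe_modes() {
    (
        umask "$1"
        d=$(mktemp -d)
        : > "$d/f"
        mkdir "$d/sub"
        printf '%s %s\n' "$(stat -c %a "$d/f")" "$(stat -c %a "$d/sub")"
        rm -rf "$d"
    )
}

predict_mode file 022   # 644
predict_mode dir 022    # 755
predict_mode file 077   # 600
observe_modes 022       # 644 755
observe_modes 027       # 640 750
```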
File users are divided into 3 classes:
1. File owner 2. Group 3. Other users
We can give different permissions to different users.
Ex:-
(for owner) (group) (users)
1+4+2=7
If 7 is given to all users then all users can
read + write + execute.
$ chmod u+rwx filename (hit enter)
-rwx------ 1 root root april 9 19:44 filename.txt
$ chmod g+rwx filename (hit enter)
-rwxrwx--- 1 root root april 9 19:44 filename.txt
$ chmod o+rwx filename (hit enter)
-rwxrwxrwx 1 root root april 9 19:44 filename.txt
To all users
$ chmod ugo=w filename (hit enter)
--w--w--w- 1 root root april 9 19:44 filename.txt (only write permission for all users)
To all users in one command
$ chmod ugo=wrx filename (hit enter)
-rwxrwxrwx 1 root root april 9 19:44 filename.txt
$ chmod 777 filename
-rwxrwxrwx 1 root root april 9 19:44 filename.txt
In the above syntax we are giving all permissions to all users.
1. First 7 represents owner
2. Second 7 represent group
3. Third 7 represent other users.
To remove or restrict permissions for any one user class
$ chmod u=r filename (hit enter)
-r--rwxrwx 1 root root april 9 19:44 filename.txt
$ chmod o=x filename (hit enter)
-r--rwx--x 1 root root april 9 19:44 filename.txt
$ chmod o-rwx filename (hit enter)
-rwxrwx--- 1 root root april 9 19:44 filename.txt
$ chmod ug-rwx filename (hit enter)
-------rwx 1 root root april 9 19:44 filename.txt
These three types of permissions can be represented in numbers also.
How can we see all permissions on any file?
To see all permissions implemented on any file we run the following
command:-
$ ls -l (l = long)
Output for this command
The first character specifies the file type:
d = directory
l = link
- = regular file
Permissions normally divided into 3 classes
To change file permission run the following command:-
$ chmod 472 filename.txt (here the owner can read, the group can read,
write and execute, and others can write only)
$ ls -l (show file permissions, l = long)
472 means
4 = owner (root user)
7 = group user
2 = other user
To set all permissions for all users, run the following command:-
$ chmod 777 filename.txt
$ ls -l
To put the previous permissions back on the same file:-
$ chmod 644 file.txt
All permissions reset
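The absolute and symbolic chmod modes described above, as an added shell example that is not from the original notes: each call creates a scratch file with mode 644, applies one chmod argument, and reads the resulting permission string back with stat. It assumes a Linux system with GNU coreutils (stat -c).

```shell
#!/bin/sh
# Added example (not from the original notes): apply chmod in absolute and
# symbolic mode to a scratch file and read the resulting mode back with stat.
# Assumes Linux with GNU coreutils (stat -c).
set -e

# Print the nine permission characters of a file (e.g. rwxrw-r--), i.e. the
# ls -l mode string without its leading file-type character.
perm_string() {
    stat -c '%A' "$1" | cut -c2-10
}

# Create a scratch file with mode 644 (rw-r--r--), apply the chmod argument
# given in $1 to it, and print the permission string that results.
mode_after() {
    dir=$(mktemp -d)
    f="$dir/sample"
    : > "$f"
    chmod 644 "$f"
    chmod "$1" "$f"
    perm_string "$f"
    rm -rf "$dir"
}

# Absolute mode: one octal digit per class, 764 = owner 4+2+1, group 4+2, world 4
mode_after 764           # rwxrw-r--
# Symbolic mode changes only the named class: add execute for others
mode_after o+x           # rw-r--r-x
# '=' replaces whatever the class had before
mode_after ug=r          # r--r--r--
# Several changes in one command, separated by commas
mode_after u+x,g-w,o-r   # rwxr-----
```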
Advanced Permissions in Linux
There are some special/advanced permissions:
To set the set-user-id (SUID), set-group-id (SGID) and sticky (others) bits we use:-
$ chmod u+s,g+s,o+t filename
What is SUID (set user id)?
There are special types of permissions which are added to a file or a directory
and are known as the SUID and SGID permissions.
SUID is known as the set user id bit.
If you want a file to be run with the same permissions as its owner,
then the owner sets the SUID bit on this file, so that it can be executed
easily by other users as well.
This means that the executing user is inheriting the permissions of a super user.
SUID is used for second or third users, whereas SGID is used for
group members.
They are advanced permissions which can be further inherited.
When the SUID bit is set by the owner (or whoever created the file),
the file can be executed by the owner, group members and others (r, w, x),
as it is, because the file permission is effectively given to all users
once the SUID bit has been set by the owner.
While running it, they act like the owner of that file, but they are only
able to execute that file.
Instead of the normal x which represents execute permission, you will see an s
to indicate the SUID special permission for the user.
These permissions allow the file to be executed with the privileges of the owner.
This command is showing only dashes (----------) for the file,
as this file has been created by the root user. But it still gets updated when the password is changed
by any of the users, because the SUID bit is set on the program that writes to it.
Octal numbers for the special bits:
SUID - 4
SGID - 2
Sticky bit - 1
To find out which files have advanced permissions applied, we use:-
$ find / -perm -4000 (4 = the SUID bit; hit enter)
How to set the SUID bit on a file?
You must be the owner of the file or the root user to set the SUID bit.
Run the following command to set the SUID bit.
Here is the implementation of SUID on a file under a Linux system:-
$ chmod u+s file1.txt
$ ls -l file1.txt
Or
$ ll
Output: -rwsr-xr-x 1 root root 0 Mar 8 02:06 file1.txt
$ chmod g+s file2.txt (hit enter)
$ ls -l file2.txt (hit enter)
Output: -rwSrwSr-- 1 root root 0 Mar 8 02:06 file2.txt
Note: A capital S indicates that the bit is set but no execute permission has been given to that user class on this file.
To add execute permission as well we use:
$ chmod u+x filename (hit enter; the capital S changes to a small s for the user)
$ chmod g+x filename (hit enter; the capital S changes to a small s for the group too)
How to remove SUID and SGID:-
$ chmod u-s,g-s file2.txt (hit enter)
$ ll (hit enter)
Output: -rwxrwxr-- 1 root root 0 Mar 8 02:06 file2.txt
SGID (set Group user ID)
This bit applies to directories.
This bit applies to groups.
SGID is a special file permission that also applies to executable files and enables other
users to inherit the effective GID of the file's group owner.
Likewise, rather than the usual x which represents execute permission, you will see
an s (to indicate SGID) as the special permission for the group.
What is the Sticky Bit? (for others)
The sticky bit is used to indicate special permissions on directories.
The sticky bit can be applied to directories.
It is used on a directory which can be accessed by user, group and others (i.e. a shared directory).
A directory with the sticky bit enabled restricts deletion of the files inside it. A file can be
removed only by root, the owner of the file, or whoever has write permission on it. This is
useful for publicly accessible directories like /tmp.
Here is the implementation of the sticky bit on a file on a Linux system.
SUID - 4
SGID - 2
Sticky bit - 1
Total = 4+2+1 = 7
If we implement 7, then we apply all three bits on a file/directory.
Method 1:
$ chmod +t /directory (hit enter)
$ ll (hit enter)
To see how many users there are:
$ cat /etc/passwd (hit enter)
In this we found 3 users (A, B, C)
Set the sticky bit on a directory named sticky
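The SUID, SGID and sticky bit passages above, as an added shell example that is not from the original notes: it sets each bit on scratch files and a scratch directory, prints the s / S / t letters that ls -l shows in place of x, and runs the find -perm -4000 search over a small constructed tree. It assumes a Linux system with GNU coreutils (stat -c).

```shell
#!/bin/sh
# Added example (not from the original notes): set the SUID, SGID and sticky
# bits on scratch files and directories and read back the s / S / t letters
# that ls -l shows in place of x. Assumes Linux with GNU coreutils.
set -e

# Print the ls -l style mode string of a path, e.g. -rwsr-xr-x
mode_of() {
    stat -c '%A' "$1"
}

# Create a scratch executable file with mode 755, apply the chmod argument
# in $1, and print the resulting mode string.
special_file() {
    d=$(mktemp -d); f="$d/prog"
    : > "$f"; chmod 755 "$f"; chmod "$1" "$f"
    mode_of "$f"; rm -rf "$d"
}

# Same for a world-writable scratch directory (mode 777), the situation of a
# shared directory such as /tmp.
special_dir() {
    d=$(mktemp -d); s="$d/shared"
    mkdir "$s"; chmod 777 "$s"; chmod "$1" "$s"
    mode_of "$s"; rm -rf "$d"
}

# Build a constructed tree with one SUID, one SGID and one plain file and
# count how many of them the find -perm -4000 search (SUID bit set) reports.
count_suid() {
    d=$(mktemp -d)
    : > "$d/a"; : > "$d/b"; : > "$d/c"
    chmod 4755 "$d/a"; chmod 2755 "$d/b"; chmod 755 "$d/c"
    find "$d" -type f -perm -4000 | wc -l | tr -d ' '
    rm -rf "$d"
}

special_file u+s        # -rwsr-xr-x : small s, execute still set
special_file u+s,u-x    # -rwSr-xr-x : capital S, SUID without execute
special_file g+s        # -rwxr-sr-x : SGID shown in the group triplet
special_file 6755       # -rwsr-sr-x : octal 4 (SUID) + 2 (SGID) before 755
special_dir +t          # drwxrwxrwt : sticky bit shown in the world triplet
special_dir 1777        # drwxrwxrwt : same bit given in octal
count_suid              # 1
```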
The su Command (substitute user)
• We use su for switching user.
• This command makes it possible to change a login session's owner.
• The su command can be used to change the ownership of a session.
• It is the most commonly used command to change the ownership from an
ordinary user to the root (i.e., administrative) user.
• It is often referred to as the super user command.
Command is:
$ su A (A is a user)
$ ll (long list) - is used to see all permissions
To set all permissions for all users we use:
$ chmod 777 sticky (read, write, execute; hit enter)
Advantages of using su
• The main job of the su command is to let you switch to some other user during
a login session.
Command: $ ls /etc/bin/passwd (hit enter)
• su is usually the simplest and most convenient way to change the ownership of a
login session to root or to any other user.
• It provides a safer way for administrators on multi-user systems.
• You need to use the Linux passwd command to change your password. The
syntax is:
How do I change the password for other users?
# passwd userNameHere
OR
$ sudo passwd userNameHere