Linux Permissions 101 — Part II

Working with file ownership, group membership, and special permissions.

Harsha Nanayakkara
6 min read · Oct 1, 2022

Hello everyone, I hope you all are doing good :)

Previously, we have discussed what permissions are and how to change and calculate permissions using symbolic, octal notations and umask.

Please read Linux Permissions 101 — Part I

File Ownership and Group Membership

In Linux, every file and directory has an owner and a group. By default, the owner is the user who created the file. A group is a collection of users who share common characteristics, and every user is a member of at least one group. By default, the creator's primary group is assigned to a new file or directory. Both the owner and the group can be changed later.

drwxrwxr-x. 2 ec2-user ec2-user 6 Sep 30 16:19 testdir
-rw-rw-r--. 1 ec2-user ec2-user 0 Sep 30 16:19 testfile

As per the above permission output, both testdir and testfile have ec2-user assigned as file owner and group.

Modify File Ownership and Group Membership

We can change the owner and the group together or separately. Both at once is done with a single chown command, as shown below. The -v flag reports what was changed.

$ sudo chown user1:user1 testfile -v
changed ownership of 'testfile' from ec2-user:ec2-user to user1:user1

$ ll testfile
-rw-rw-r--. 1 user1 user1 0 Sep 30 16:52 testfile

We can also change only the owner with chown. Here only the owner has been changed, to user2.

$ ll testfile
-rw-rw-r--. 1 user1 user1 0 Sep 30 16:52 testfile
$ sudo chown user2 testfile -v
changed ownership of 'testfile' from user1 to user2
$ ll testfile
-rw-rw-r--. 1 user2 user1 0 Sep 30 16:52 testfile

Similarly, only the group can be changed, using the chgrp command. In the following example only the group has been changed, to user3.

$ ll testfile
-rw-rw-r--. 1 user2 user1 0 Sep 30 16:52 testfile
$ sudo chgrp user3 testfile -v
changed group of 'testfile' from user1 to user3
$ ll testfile
-rw-rw-r--. 1 user2 user3 0 Sep 30 16:52 testfile

If you need to change the ownership of a directory including its sub-directories and files, use the -R flag to apply the change recursively, as in the following example.

$ ll -d testdir/
drwxrwxr-x. 4 ec2-user ec2-user 87 Sep 30 17:21 testdir/
$ ll testdir/
total 0
drwxrwxr-x. 2 ec2-user ec2-user 6 Sep 30 17:21 subdir1
drwxrwxr-x. 2 ec2-user ec2-user 40 Sep 30 17:22 subdir2
-rw-rw-r--. 1 ec2-user ec2-user 0 Sep 30 17:20 testfile1
-rw-rw-r--. 1 ec2-user ec2-user 0 Sep 30 17:20 testfile2
$ sudo chown -R user1:user1 testdir/ -v
changed ownership of 'testdir/testfile1' from ec2-user:ec2-user to user1:user1
changed ownership of 'testdir/testfile2' from ec2-user:ec2-user to user1:user1
changed ownership of 'testdir/subdir1' from ec2-user:ec2-user to user1:user1
changed ownership of 'testdir/subdir2/testfile4' from ec2-user:ec2-user to user1:user1
changed ownership of 'testdir/subdir2/testfile5' from ec2-user:ec2-user to user1:user1
changed ownership of 'testdir/subdir2' from ec2-user:ec2-user to user1:user1
changed ownership of 'testdir/' from ec2-user:ec2-user to user1:user1
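As an added example (not part of the original article), here is a small POSIX shell script that verifies a recursive ownership change instead of trusting the -v output alone: it counts the entries under a tree whose owner or group differ from the expected values, so a zero result means chown -R fully took effect. It assumes Linux with GNU or BusyBox find and stat; the tree it builds under mktemp is constructed for the demo, and the chown targets the current user so no root is needed.

```shell
#!/bin/sh
# Added example, not the article's own commands. Assumes GNU/BusyBox find+stat.

# Print "owner:group" of a single path.
owner_group() {
    stat -c '%U:%G' "$1"
}

# Count entries under $1 whose owner is not $2 or whose group is not $3.
# 0 means every file and directory in the tree carries the expected owner:group.
count_mismatches() {
    find "$1" \( ! -user "$2" -o ! -group "$3" \) | wc -l | tr -d ' '
}

demo() {
    me=$(id -un); mygrp=$(id -gn)
    d=$(mktemp -d)                         # throwaway tree, constructed for the demo
    mkdir -p "$d/subdir1" "$d/subdir2"
    : > "$d/testfile1"; : > "$d/subdir2/testfile4"
    chown -v -R "$me:$mygrp" "$d"          # recursive change, verbose like the article
    echo "top-level owner:group -> $(owner_group "$d")"
    echo "entries not matching $me:$mygrp -> $(count_mismatches "$d" "$me" "$mygrp")"
    rm -rf "$d"
}
demo
```

The same `find ! -user ... -o ! -group ...` filter is a quick way to spot files a recursive chown missed, for instance entries created by another user after the change.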

Special Permissions

Linux offers three special permission bits that can be set on executable files and directories to perform special tasks. These are:

  • setuid bit
  • setgid bit
  • sticky bit

Setuid Bit

This special bit is set in the owner's permission column of an executable file. Any regular user who runs the file does so with the same privileges as the file owner (the process's effective user ID becomes the owner's).

We can find such files using the find command as shown below:

$ sudo find / -perm -u+s

/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/su
/usr/bin/umount
/usr/bin/crontab
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/sudo
/usr/sbin/grub2-set-bootflag
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/userhelper
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/libexec/dbus-1/dbus-daemon-launch-helper

Alternatively, -u+s can be replaced with -4000. Now, let's look at the permissions of the su command to better understand how this works.

$ ll /usr/bin/su
-rwsr-xr-x. 1 root root 50160 Mar 8 2022 /usr/bin/su

As per the result, the su command is owned by root and has the setuid bit enabled by default. The letter s in place of x in the owner column denotes that setuid is enabled, so when a normal user runs this command it runs as root (the owner).

What happens if setuid bit is removed?

Before removal, the su command works without error: ec2-user has been switched to user1 successfully.

[ec2-user@ip-172-31-91-214 ~]$ su - user1
Password:
[user1@ip-172-31-91-214 ~]$

Now, let's remove the setuid bit. In the listing that follows, the letter s is gone from the owner column, meaning the setuid bit has been cleared.

$ sudo chmod u-s /usr/bin/su

$ ll /usr/bin/su
-rwxr-xr-x. 1 root root 50160 Mar 8 2022 /usr/bin/su

Now we will try to switch user again.

[ec2-user@ip-172-31-91-214 ~]$ su - user1
Password:
su: Authentication failure

It fails even though we give the correct password. The command is still executable by any user (non-owner), but without the setuid bit su runs with the invoking user's own privileges, which cannot verify another account's password against /etc/shadow, so regular non-owner users can no longer switch accounts. Once the bit is re-enabled, switching user works again without any issue.

Note: to enable the setuid bit, put the digit 4 (four) in front of the other permission bits. Alternatively, it can be set as u+s using the symbolic notation.
Octal Notation: chmod 4755 /usr/bin/su
Symbolic Notation: chmod u+s /usr/bin/su

Setgid Bit

This special bit is set in the group permission column of an executable file. Any regular user who runs the file does so with the file's group as the effective group of the process, i.e. with the same group privileges that members of that group have. To find which files have the setgid bit set, use the find command as below.

$ sudo find / -perm -g+s

/run/log/journal
/run/log/journal/d9327cbae61c4827b3aa77d6658bd2d1
/run/log/journal/614e184fb381457fb93a38be212913a2
/usr/bin/write
/usr/libexec/utempter/utempter
/usr/libexec/openssh/ssh-keysign

We will take the write command as an example.

$ ll /usr/bin/write
-rwxr-sr-x. 1 root tty 21104 Mar 8 2022 /usr/bin/write

The write command is group-owned by tty and has the setgid bit set (the s in the group column, r-s). It lets a user send a text message to another user's terminal. Writing to another user's terminal device is normally not permitted; the terminal devices are owned by the tty group, so write, running with tty as its effective group, can write to them while the invoking user on their own cannot.

Setgid Bit on Directories

This is useful when files and sub-directories should automatically inherit the parent directory's group instead of the creator's primary group. It avoids changing the group manually on every newly created file and sub-directory: members of the parent directory's group get their group permissions on new entries automatically.

Note: to enable the setgid bit, put the digit 2 (two) in front of the other permission bits. Alternatively, it can be set as g+s using the symbolic notation.
Octal Notation: chmod 2775 /dir
Symbolic Notation: chmod g+s /dir
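The following added example (not from the original article) checks what a setgid directory actually does to entries created inside it: a new file and a new sub-directory both inherit the directory's group, and the sub-directory also inherits the setgid bit itself, while a plain file does not. It assumes Linux with GNU or BusyBox stat and uses a throwaway directory created with mktemp; the names shared, newfile and newdir are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the article's own commands. Assumes Linux, GNU/BusyBox stat.

# Octal mode of a path, including the leading special-bit digit (e.g. 2775).
mode_of() {
    stat -c '%a' "$1"
}

# Group name of a path.
group_of() {
    stat -c '%G' "$1"
}

# Build a setgid "shared" directory, create a file and a sub-directory inside it,
# and return 0 only if: both inherit the directory's group, the sub-directory
# inherits the setgid bit, and the plain file does not carry a setgid bit.
setgid_inheritance_ok() {
    base=$(mktemp -d)
    mkdir "$base/shared"
    chmod 2775 "$base/shared"              # same as chmod 775 followed by chmod g+s
    : > "$base/shared/newfile"
    mkdir "$base/shared/newdir"
    g=$(group_of "$base/shared")
    ok=0
    [ "$(group_of "$base/shared/newfile")" = "$g" ] || ok=1
    [ "$(group_of "$base/shared/newdir")" = "$g" ] || ok=1
    case "$(mode_of "$base/shared/newdir")" in 2*) ;; *) ok=1 ;; esac
    case "$(mode_of "$base/shared/newfile")" in 2*) ok=1 ;; esac
    echo "shared: $(mode_of "$base/shared") group=$g"
    echo "newfile: $(mode_of "$base/shared/newfile") group=$(group_of "$base/shared/newfile")"
    echo "newdir:  $(mode_of "$base/shared/newdir") group=$(group_of "$base/shared/newdir")"
    rm -rf "$base"
    return $ok
}

setgid_inheritance_ok && echo "setgid inheritance works as expected"
```

Because the bit propagates to new sub-directories, a single chmod g+s on the top of a shared tree is enough; a user whose primary group differs from the directory's group will still see their new files land in the directory's group.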

Sticky Bit

When set on a directory, this bit prevents users from deleting or renaming files they don't own, even if the directory is writable by everyone: only the file's owner, the directory's owner, or root may remove them. In other words, you cannot delete the files created by me and vice versa.

$ sudo find / -perm -o+t
/tmp
/dev/mqueue
/dev/shm
/var/tmp

/tmp and /var/tmp have the sticky bit set; the letter t in the others column denotes that.

$ ll -d /var/tmp/
drwxrwxrwt. 4 root root 132 Oct 1 12:14 /var/tmp/

I have created two files inside /var/tmp using two different users.

$ ll /var/tmp/
-rw-rw-r--. 1 ec2-user ec2-user 0 Oct 1 12:13 ec2-user
-rw-rw-r--. 1 user1 user1 0 Oct 1 12:13 user1

Let's see what happens when we try to remove a file owned by another user: ec2-user tries to delete user1's file.

$ rm user1
rm: remove write-protected regular empty file 'user1'? Y
rm: cannot remove 'user1': Operation not permitted

The deletion is refused. Moving the file is not permitted either, whether renaming it in place or moving it out of the directory, because both remove the entry from the sticky directory.

$ mv user1 user2
mv: cannot move 'user1' to 'user2': Operation not permitted
$ mv user1 /home/ec2-user/testdir/
mv: cannot move 'user1' to '/home/ec2-user/testdir/user1': Operation not permitted

Note: to enable the sticky bit, put the digit 1 (one) in front of the other permission bits. Alternatively, it can be set as o+t using the symbolic notation.
Octal Notation: chmod 1775 /dir
Symbolic Notation: chmod o+t /dir
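To tie the three bits together, here is an added example (not from the original article) that audits a directory tree the way the find commands in the setuid, setgid and sticky-bit sections do, but in one script: it lists every entry carrying a 4000, 2000 or 1000 bit with its octal mode and owner, counts setuid executables using the -4000 spelling of -u+s, and flags world-writable directories that lack the sticky bit, which is the condition /tmp's t bit is there to avoid. It assumes Linux with GNU or BusyBox find and stat; the demo builds its own throwaway tree with mktemp rather than touching system files, and the file and directory names in it are constructed.

```shell
#!/bin/sh
# Added example, not the article's own commands. Assumes GNU/BusyBox find+stat.

# One line per match: "<octal mode> <owner> <group> <path>".
# Any of setuid (4000), setgid (2000) or sticky (1000) qualifies.
list_special() {
    find "$1" \( -perm -4000 -o -perm -2000 -o -perm -1000 \) \
        -exec stat -c '%a %U %G %n' {} + 2>/dev/null | sort
}

# Setuid regular files only. -perm -4000 is the octal form of -perm -u+s:
# both require the bit to be set, whatever the other bits are.
count_setuid() {
    find "$1" -type f -perm -4000 | wc -l | tr -d ' '
}

# Directories writable by everyone (o+w) that do NOT have the sticky bit:
# in such a directory any user can delete or rename other users' files.
list_writable_nonsticky_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 | sort
}

demo() {
    d=$(mktemp -d)                                   # throwaway tree for the demo
    : > "$d/plain"
    : > "$d/suid_tool";  chmod 4755 "$d/suid_tool"   # u+s  (chmod 4755 in the article's note)
    mkdir "$d/shared";   chmod 2775 "$d/shared"      # g+s  (chmod 2775)
    mkdir "$d/tmp_like"; chmod 1777 "$d/tmp_like"    # o+t  (chmod 1775, here with o+w too)
    mkdir "$d/unsafe";   chmod 0777 "$d/unsafe"      # world-writable, no t bit
    echo "--- entries with special bits under $d"
    list_special "$d"
    echo "--- setuid executables: $(count_setuid "$d")"
    echo "--- world-writable directories lacking the sticky bit"
    list_writable_nonsticky_dirs "$d"
    rm -rf "$d"
}
demo
```

Run against a real root (as the article does with sudo find / ...) the first function gives the same list as the three separate find commands combined, and the last one is the quick check to add to a baseline review: a shared scratch directory that shows up there should be given the t bit with chmod o+t.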

Conclusion

In this article we have seen how to change file and directory ownership and how the special permission bits work. Next, we'll have a look at Access Control Lists (ACLs).

I sincerely hope this article will be helpful to understand Linux permissions. I highly value your feedback and support!

Thank you for reading and stay safe!

Harsha Nanayakkara

An enthusiastic autodidact who is passionate to gain and freely share knowledge. I would really appreciate your feedback and support!