The security of Linux file systems depends on the permissions set on files and directories. We have already discussed how to use the chmod command to set the regular read, write and execute permissions. There are other permissions you can use to protect files and directories on Linux systems: the special permissions, and the system default permissions, which can be modified to fit your needs.
In this article, I will explain how to set special permissions on files and directories, and a later section will cover how to modify the system default permissions.
SPECIAL PERMISSIONS
Two special permissions can be set on executable files: setuid and setgid. They allow a file to be executed with the privileges of the file's owner or group rather than those of the user who runs it. There are also two related permissions for directories: the sticky bit and the setgid bit.
WHAT IS SETUID PERMISSION
Setuid is a special permission assigned to files. It allows a file to be executed with the privileges of its owner rather than those of the user who executed it. It has an octal value of 4 and is represented by a lower-case "s" in the owner's execute position.
For instance, the passwd command allows regular users to change their own password, something that regular users normally cannot do, because the password database is not writable by them. This becomes possible because of the suid permission set on the /usr/bin/passwd file (this file is part of the shadow-utils package and is needed for changing a user's password).
Notice the letter "s" in place of the owner's execute permission in the ls -l output. That is the suid permission set on the file, so that users can change passwords while the command runs with root privilege.
HOW TO SET SUID PERMISSION ON FILES
There are two ways to set the suid permission on a file: the symbolic method and the numeric method. The permission information can be viewed with ls -l filename.
Symbolic Method of Setting SUID Permission: just as when changing regular permissions with the chmod command (discussed in the previous article), the suid permission is added with the option u+s.
The syntax is as follows:
Please note that when the execute permission is set on the file, the suid permission is shown as a lower-case "s", but when no execute permission is set, it is shown as an upper-case "S".
Perform the command from the command line:
You will notice the upper-case S, which shows that the file has no execute permission set. A file can be setuid without being executable, and the upper-case S flags this as a mistake: setuid is almost always useless on a file that cannot be executed.
Now let's add the execute permission to the file:
You can see that the letter has changed to a lower-case "s" after adding the execute permission.
Numeric Method of Setting SUID Permission: you can also set the suid permission by prefixing the permission mode with a 4. In general, the numeric method of setting special permissions follows this pattern:
setuid = 4; setgid = 2; sticky = 1, just as read, write and execute are 4, 2 and 1 respectively.
The first digit after the chmod command represents the special permission, so we now have four digits instead of the three used for regular file permissions.
WHAT IS SETGID PERMISSION
The setgid permission can be set on both files and directories, and it behaves differently in each case. It is represented by the same letter as setuid, "s", but in the group's execute position, and it has an octal value of 2.
When setgid is set on an executable file, the program runs with the privileges of the group that owns the file. When setgid is set on a directory, files and subdirectories created inside it inherit the group ownership of the parent directory rather than the primary group of the user who created them.
HOW TO SET SGID PERMISSION ON FILES AND DIRECTORIES
The setgid permission can be applied either numerically or symbolically to both files and directories.
Symbolic Method of Setting sgid Permission: its symbolic representation is g+s. Run the following commands to set the sgid permission on files and directories:
The first command above sets the sgid permission on a file; you can view the result with ls -l filename. The second command sets sgid on a directory; you can display its permissions with ls -ld directoryname.
Numeric Method of Setting sgid Permission: to set the sgid permission numerically, use the following command:
WHAT IS STICKY BIT
The sticky bit on a directory places a special restriction on the deletion of files and subdirectories inside it: only the root user, the owner of the file (or the owner of the directory) can remove a file from the directory. This is useful for publicly writable directories such as /tmp.
The sticky bit is represented by the letter "t" in the others' execute position and has an octal value of 1.
HOW TO SET STICKY BIT ON DIRECTORIES
The sticky bit can be set numerically or symbolically. For the symbolic form, pass the option o+t to the chmod command, followed by the directory name.
The commands below show how to set the sticky bit symbolically and numerically:
HOW TO VIEW FILES WITH SUID AND SGID
To view files with suid set in the current directory, use the find command with its -perm option to match files that have the setuid bit (octal 4000) set. Run the command as shown on the terminal below, then use ls with the -l option to expand the permission information of a file.
To view files with sgid set in the current directory, run the command below on the terminal. You can use ls with the -ld option to expand the permission information of a directory.
To view files with both suid and sgid set, run the command below.
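As an added example (not part of the original article), the following shell session sets each special bit on scratch files in a temporary directory, shows the upper-case S versus lower-case s distinction described above, and then locates the results with find; it assumes GNU coreutils (stat -c) and GNU find on Linux.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: set each special bit on scratch
# files in a temporary directory, show how ls/stat render it, and locate the
# results with find. Assumes GNU coreutils (stat -c) and GNU find on Linux.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

mode_of() { stat -c '%a' "$1"; }   # octal mode with the special digit, e.g. 4755
sym_of()  { stat -c '%A' "$1"; }   # symbolic mode as ls -l prints it

# setuid on a file that is not executable: shown as upper-case S (the useless case).
: > "$WORK/noexec"
chmod 644 "$WORK/noexec"
chmod u+s "$WORK/noexec"          # symbolic method

# setuid on an executable: same bit, now shown as lower-case s.
: > "$WORK/exec"
chmod 4755 "$WORK/exec"           # numeric method: 4 (setuid) in front of rwxr-xr-x

# setgid on an executable, and a file carrying both bits (4 + 2 = 6).
: > "$WORK/sgidfile"; chmod 2755 "$WORK/sgidfile"   # same as chmod 755 then g+s
: > "$WORK/both";     chmod 6755 "$WORK/both"

# setgid on a directory: files created inside inherit its group.
mkdir "$WORK/shared"
chmod 2775 "$WORK/shared"         # numeric form of chmod g+s on rwxrwxr-x

# sticky bit on a world-writable directory, as on /tmp.
mkdir "$WORK/drop"
chmod 1777 "$WORK/drop"           # numeric form of chmod o+t on rwxrwxrwx

# Regular files under $WORK matching a find -perm test, sorted and comma-separated.
#   -perm -4000  at least the setuid bit      -perm -2000  at least the setgid bit
#   -perm -6000  both bits                    -perm /6000  either bit
# A bare -perm 4000 would require the mode to be exactly 4000 and match nothing here.
find_special() {
  find "$WORK" -type f -perm "$1" -printf '%f\n' | sort | paste -sd, -
}

for f in noexec exec sgidfile both shared drop; do
  printf '%-9s %s %s\n' "$f" "$(mode_of "$WORK/$f")" "$(sym_of "$WORK/$f")"
done
printf 'setuid: %s\nsetgid: %s\nboth: %s\neither: %s\n' \
  "$(find_special -4000)" "$(find_special -2000)" \
  "$(find_special -6000)" "$(find_special /6000)"
```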
HOW TO SET DEFAULT PERMISSIONS IN LINUX
Every Linux system has a default permission setting that determines how permissions are assigned to newly created files and directories. By default, the permissions of a new file are requested by the process that creates it. For instance, text editors and output redirection create files that are readable and writable, but not executable, by everyone (666), and the mkdir command creates directories that are readable, writable and executable by everyone (777).
All of this happens by default, but you do not see those permissions on the resulting files and directories because the shell's umask clears some of them.
To understand this better, let's view the current umask value of our shell by typing umask on the command line:
Our current umask value is 0022; the four digits correspond to the special permissions, user, group and others. With this umask, any file created will have a default permission of 644 (read and write for the user, read only for the group and others).
The final default permission can be calculated by subtracting the umask value from the default permission of the file.
The default permission for a file is 666 and the default umask value is 022, which gives a final default permission of 644 for newly created files. The same applies to directories, whose default permission is 777.
You can see that in the command output above.
If you set the umask value of the current shell to zero, no bits are masked from newly created files and directories. This is effectively the same as disabling the umask: new files and directories get their default values of 666 and 777 respectively.
Please note that setting a umask value for a shell only affects files and directories created afterwards, not existing ones.
You can see that in the output below: the files and directories have their default permissions because the umask was set to zero.
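As an added example (not part of the original article), the shell functions below compute the mode a new file or directory receives under a given umask and confirm the result against what the kernel actually records in a temporary directory; they assume GNU coreutils (stat -c) on Linux.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: compute the mode a new file or
# directory receives under a given umask, then check it against what the kernel
# really does in a temporary directory. Assumes GNU coreutils (stat -c) on Linux.
set -eu

# The kernel clears every permission bit that is set in the umask:
#   mode = base & ~umask
# This equals the article's "subtract" rule whenever each umask digit is contained
# in the matching base digit (022 from 666 or 777), but not in general: base 666
# with umask 027 gives 640, whereas plain subtraction would give 637.
effective_mode() {
  printf '%03o' $(( 0$1 & ~0$2 & 0777 ))
}

# Permission bits of a path as three octal digits, dropping the special digit.
perm_bits() {
  printf '%03o' $(( 0$(stat -c '%a' "$1") & 0777 ))
}

# Create one file (via redirection) and one directory (via mkdir) under the
# given umask and return the modes the filesystem recorded, as "file dir".
observed_modes() {
  work=$(mktemp -d)
  ( umask "$1"; : > "$work/f"; mkdir "$work/d" )   # umask change stays in the subshell
  printf '%s %s\n' "$(perm_bits "$work/f")" "$(perm_bits "$work/d")"
  rm -rf "$work"
}

for mask in 022 002 077 027 000; do
  printf 'umask %s: computed file %s dir %s, observed %s\n' "$mask" \
    "$(effective_mode 666 "$mask")" "$(effective_mode 777 "$mask")" \
    "$(observed_modes "$mask")"
done
```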
QUICK RECAP
The sticky bit is set only on directories and has an octal value of 1.
Setuid is set only on files and has an octal value of 4.
Setgid can be set on both files and directories and has an octal value of 2.
Setting suid on a file that has no execute permission turns the suid letter into an upper-case "S", which indicates that the setting is of little use because the file cannot be executed. Always set the execute permission on a file when setting the suid permission.
Please note that the umask used for illustration above is the root user's.
The umask for root is 022.
The umask for regular users is 002.
A umask of 0 disables masking, so files and directories get their default permissions of 666 and 777 respectively.
A umask of 077 is a good choice for keeping your files private: no other user or group can read or write your data.
To view your umask value, enter umask on the command line.
The umask command is used to set different security levels for files and directories on Linux systems.
For more information about umask and permissions in general, see the manual pages for umask, chmod and bash.
REFERENCES
Red Hat System Administration I course module
Manual page: umask
Manual page: bash