Master Linux Permissions: From Basics to Advanced Security Practices

Overview

After a decade of operations experience, the author shares hard‑learned lessons about Linux permission management, emphasizing its critical role in preventing production incidents.

1. Background and Evolution

Linux permissions have progressed through five generations: traditional UGO (1970s), special bits (1980s), POSIX ACLs (late 1990s), mandatory access control (2000s), and container/cloud‑native mechanisms (2015‑present). Modern environments often combine these techniques.

2. Applicable Scenarios

Web server directory and file permissions

Database service hardening

Multi‑user development environment isolation

Container permission control

Compliance audit checks

CI/CD permission automation

3. Environment Requirements

OS: Ubuntu 24.04 LTS / Rocky Linux 9 / Debian 12
Kernel: 6.x+
File systems: ext4 / xfs (ACL support)
Tools: coreutils, acl, policycoreutils

Install required tools:

# Debian/Ubuntu
sudo apt update && sudo apt install -y acl attr policycoreutils
# RHEL/Rocky/AlmaLinux
sudo dnf install -y acl attr policycoreutils-python-utils

4. Detailed Steps

4.1 Understanding Permissions

File vs. directory permissions differ: r reads file content; on a directory it lists entries. w modifies a file; on a directory it creates, deletes, or renames entries. x executes a file; on a directory it allows entering and accessing contained files.

Common pitfalls include setting r-- on a directory (can list but not cd) or --x (can cd but not list contents).

4.2 Viewing Current Permissions

# List permissions
ls -l filename
ls -la directory/
# Show ACLs
getfacl filename
# Show SELinux context
ls -Z filename

4.3 Numeric Representation

r = 4
w = 2
x = 1
# Common combos
755 = rwxr-xr-x
644 = rw-r--r--
700 = rwx------
600 = rw-------
777 = rwxrwxrwx (dangerous)

4.4 Core Commands

chmod : chmod 755 file (numeric) or chmod u+x file (symbolic).

chown : chown user:group file.

chgrp : chgrp group file.

umask : default mask; umask 022 yields 755 for directories and 644 for files.

4.5 Special Permission Bits

SUID ( chmod u+s file or chmod 4755 file): runs with file owner’s UID.

SGID ( chmod g+s dir or chmod 2755 dir): new files inherit the directory’s group.

Sticky Bit ( chmod +t dir or chmod 1777 dir): only owners can delete their files in a shared directory.

4.6 ACL (Access Control List)

ACLs allow fine‑grained permissions for multiple users/groups.

# Set ACL for user bob
setfacl -m u:bob:rw file.txt
# Set default ACL for a directory
setfacl -d -m g:developers:rwx project/

Remember the mask limits effective permissions; use setfacl -n to prevent automatic mask recalculation.

4.7 SELinux

SELinux enforces mandatory access control via security contexts.

# Check status
getenforce
# Change file type
chcon -t httpd_sys_content_t /var/www/html/index.html
# Restore default context
restorecon -Rv /var/www/html/

Typical booleans for web services: setsebool -P httpd_can_network_connect on.

4.8 AppArmor

# Show status
aa-status
# Enforce profile for nginx
aa-enforce /etc/apparmor.d/usr.sbin.nginx

Profiles define allowed paths and operations; adjust as needed.

5. Best Practices

Principle of Least Privilege : grant only the permissions required for a task.

Separation of Duties : use distinct users/groups for web, database, ops, etc.

Defense in Depth : combine file permissions, ACLs, SELinux/AppArmor, and encryption.

Avoid chmod 777 on production directories.

6. Common Pitfalls

Using chmod -R 777 creates world‑writable files.

Missing execute ( x) on directories prevents traversal.

Recursive chmod 755 gives execute bits to regular files.

ACLs can mask underlying permission issues; clear ACLs with setfacl -b when troubleshooting.

7. Troubleshooting Workflow

# Verify file existence
ls -la /path/to/file
# Inspect each component of the path
namei -l /path/to/file
# Check ACLs
getfacl /path/to/file
# View SELinux context
ls -Z /path/to/file
# Test access as the target user
sudo -u www-data test -r /var/www/html/index.html && echo "readable" || echo "not readable"

8. Auditing with auditd

Install auditd, enable the service, and add rules to monitor critical files and permission‑changing commands.

# Example rules
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -k permission_changes
-a always,exit -F arch=b64 -S chown -S fchown -S lchown -S fchownat -k ownership_changes

Query logs with ausearch -k permission_changes and generate reports via aureport.

9. Monitoring and Alerting

Export permission metrics (SUID count, world‑writable files, etc.) via a custom script for Prometheus and define alert rules for abnormal spikes.

# permission_metrics.sh (simplified)
#!/bin/bash
METRICS=/var/lib/node_exporter/textfile_collector/permissions.prom
suid=$(find / -type f -perm -4000 2>/dev/null | wc -l)
echo "node_file_suid_count $suid" > $METRICS
world=$(find / -type f -perm -0002 2>/dev/null | wc -l)
echo "node_file_world_writable_count $world" >> $METRICS

10. Summary of Key Points

Understand the difference between file and directory permissions.

Use numeric mode for exact settings; symbolic mode for incremental changes.

Apply special bits (SUID/SGID/Sticky) only when necessary.

Leverage ACLs for complex multi‑user scenarios, remembering the mask.

Employ SELinux or AppArmor for mandatory access control.

Follow least‑privilege, separation, and defense‑in‑depth principles.

Never use chmod 777 on production assets.

11. Advanced Topics

Linux Capabilities : fine‑grained privileges such as CAP_NET_BIND_SERVICE ( setcap cap_net_bind_service=+ep /usr/bin/myapp).

Namespaces : user, mount, and network namespaces for container isolation.

Seccomp : system‑call filtering, e.g., Docker --security-opt seccomp=profile.json.

Immutable Infrastructure : read‑only root filesystems to eliminate permission‑related drift.

12. References

The Linux Command Line – William Shotts

Red Hat Enterprise Linux Security Guide

CIS Benchmarks for Linux

NIST SP 800‑123: Guide to General Server Security

Linux man pages: chmod(1), chown(1), setfacl(1), semanage(8)

Linux Kernel Documentation: security/

Appendix A – Command Cheat Sheet

# Permission inspection
ls -l file
ls -la dir/
stat file
namei -l /path/to/file
getfacl file
# Modification
chmod 755 file
chmod u+x file
chmod -R 755 dir/
chown user:group file
chgrp group file
# ACL
setfacl -m u:bob:rwx file
setfacl -d -m g:devs:rwx project/
getfacl file
# Special bits
chmod u+s exe
chmod g+s dir
chmod +t dir
# SELinux
getenforce
chcon -t httpd_sys_content_t file
restorecon -Rv /var/www/html/
setsebool -P httpd_can_network_connect on
# AppArmor
aa-status
aa-enforce /etc/apparmor.d/usr.sbin.nginx
# Auditd rules (example)
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S chmod -k permission_changes