
Why 99% of Linux Hacks Stem from Misconfigured Permissions

This comprehensive guide explains the Linux permission model, demonstrates how to read, set, and troubleshoot file and directory permissions, covers special bits, ACLs, umask, and provides best‑practice recommendations and ready‑to‑run scripts for securing Linux servers.

Liangxu Linux

Linux Permissions Overview

Linux uses a permission system to control access to files and directories. Permissions are defined for three classes: User (owner), Group, and Others. Each class can have read (r, value 4), write (w, value 2), and execute (x, value 1) bits.

Basic Permission Types

Read (r) : Allows viewing file contents or listing directory entries.

Write (w) : Allows modifying a file or creating/deleting/renaming entries in a directory (requires execute on the directory).

Execute (x) : Allows executing a file or entering a directory.

Permission Representation

Symbolic notation (e.g., -rwxr-xr-x) shows file type and the three sets of rwx bits.

-rwxr-xr-x 1 user group 1024 Jan 15 10:30 filename

Octal notation combines the bits: read=4, write=2, execute=1. Common values:

755 → rwxr-xr-x (owner full, group/others read & execute)

644 → rw-r--r-- (owner read/write, others read only)

600 → rw------- (owner only)

777 → rwxrwxrwx (insecure, full access)
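As an added example (not part of the original article), here is a small POSIX sh script that converts an octal mode into the symbolic string ls shows, including the s/S and t/T markers for the special bits covered later in this guide, and cross-checks its answer against stat on a scratch directory. The function names octal_to_symbolic, rwx_triplet and symbolic_of are this example's own.

```shell
#!/bin/sh
# Added example: convert octal modes to symbolic notation and cross-check a real path.
# Function names are this example's own, not from the article.

# rwx_triplet DIGIT SPECIAL LETTER
#   DIGIT   one octal digit (0-7) for a single class
#   SPECIAL 1 if that class's special bit (SUID/SGID/sticky) is set, else 0
#   LETTER  s for the owner/group columns, t for the others column
# The special bit replaces the x column: lowercase when execute is also set,
# uppercase when it is not (e.g. rwSr--r-- is SUID without owner execute).
rwx_triplet() {
    r=-; w=-; x=-
    [ $(( $1 / 4 % 2 )) -eq 1 ] && r=r
    [ $(( $1 / 2 % 2 )) -eq 1 ] && w=w
    [ $(( $1 % 2 )) -eq 1 ] && x=x
    if [ "$2" -eq 1 ]; then
        if [ "$x" = x ]; then x=$3; else x=$(printf '%s' "$3" | tr st ST); fi
    fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# octal_to_symbolic MODE -> prints e.g. rwxr-xr-x for 755 or rwsr-xr-x for 4755
octal_to_symbolic() {
    mode=$1
    while [ ${#mode} -lt 4 ]; do mode=0$mode; done   # 755 -> 0755
    sp=${mode%???}; rest=${mode#?}                   # leading digit: 4=SUID 2=SGID 1=sticky
    u=${rest%??};   rest=${rest#?}
    g=${rest%?};    o=${rest#?}
    printf '%s%s%s\n' \
        "$(rwx_triplet "$u" $(( sp / 4 % 2 )) s)" \
        "$(rwx_triplet "$g" $(( sp / 2 % 2 )) s)" \
        "$(rwx_triplet "$o" $(( sp % 2 )) t)"
}

# symbolic_of PATH -> the symbolic string stat reports for PATH, without the file-type column
symbolic_of() {
    perms=$(stat -c '%A' "$1") || return 1
    printf '%s\n' "${perms#?}"
}

# Demo: set each mode on a scratch directory and confirm the conversion matches stat's view
demo_modes() {
    d=$(mktemp -d) || return 1
    for m in 755 644 600 4755 2755 1777; do
        chmod "$m" "$d"
        printf '%s -> %s (stat: %s)\n' "$m" "$(octal_to_symbolic "$m")" "$(symbolic_of "$d")"
    done
    chmod 700 "$d" && rmdir "$d"
}

demo_modes
```

An uppercase S or T is the case worth recognising in an audit: the special bit is set but the matching execute bit is not, which is usually a mistake rather than a deliberate setup.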

Directory Permission Specifics

Read (r) : List names in the directory.

Write (w) : Create, delete, rename entries (effective only with execute).

Execute (x) : Enter the directory and access file metadata.

Permission Management Commands

Viewing Permissions

# List permissions of the current directory
ls -l

# List a specific file
ls -l filename

# List directory permissions
ls -ld dirname

# Show hidden files
ls -la

# Detailed file information
stat filename

# Show only permission bits
stat -c '%A %n' filename

Modifying Permissions

Symbolic mode (chmod) :

# Add execute permission for owner
chmod u+x filename

# Remove write permission from group
chmod g-w filename

# Set read‑only for others
chmod o=r filename

# Add read permission for everyone
chmod a+r filename

# Combined operation
chmod u+x,g-w,o=r filename

Numeric mode (chmod) :

# Set 755 (rwxr-xr-x)
chmod 755 filename

# Set 644 (rw-r--r--)
chmod 644 filename

# Recursively set directory permissions
chmod -R 755 dirname

Permission symbols:

u – user (owner)

g – group

o – others

a – all

+ – add

- – remove

= – set exact

Changing Owner and Group

# Change file owner
chown username filename

# Change owner and group
chown username:groupname filename

# Change only group
chown :groupname filename

# Recursively change a directory
chown -R username:groupname dirname

# Change file group
chgrp groupname filename

# Recursively change group on a directory
chgrp -R groupname dirname

Special Permissions

SUID (Set User ID)

Numeric value: 4

Symbol: s in the owner execute position

Effect: Executable runs with the file owner's privileges.

# Set SUID on a file
chmod u+s filename
chmod 4755 filename

# Verify SUID file
ls -l /usr/bin/passwd

SGID (Set Group ID)

Numeric value: 2

Symbol: s in the group execute position

Effect on files: Executes with the file's group privileges.

Effect on directories: New files inherit the directory's group.

# Set SGID on a directory
chmod g+s dirname
chmod 2755 dirname

# Verify
ls -ld dirname

Sticky Bit

Numeric value: 1

Symbol: t in the others execute position

Effect: Only the file's owner, the directory's owner, or root can delete or rename entries in the directory, even when the directory itself is writable by everyone (as /tmp is).

# Show /tmp permissions
ls -ld /tmp

# Set sticky bit on a directory
chmod +t dirname
chmod 1755 dirname

Default Permissions and umask

umask defines the mask applied when new files or directories are created. The maximum permissions are 666 for files and 777 for directories; the actual permissions are calculated as max - umask, or more precisely the maximum with every bit set in the umask cleared (the two agree for the common values listed below).

# Show current umask
umask

# Symbolic display
umask -S

# Set umask to 022 (default, others can read)
umask 022

# Temporary stricter mask
umask 077

Common umask values:

022 → files 644, directories 755

077 → files 600, directories 700 (private)

002 → files 664, directories 775 (group writable)
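The table above is easy to verify. The following script is an added example, not from the article: apply_umask computes the resulting mode the way the kernel does (clearing the bits set in the mask), observed_mode creates a file or directory under a given umask in a scratch directory and reads the mode back with stat, and the demo runs both for the common values plus a mask (033) where plain subtraction would give the wrong answer. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): compute the mode a new file or directory
# gets under a given umask, and confirm it against what the kernel actually does.
# Function names are this example's own.

# apply_umask MAX UMASK -> resulting octal mode
# The kernel clears every bit that is set in the umask (MAX & ~UMASK), digit by
# digit. For the usual masks this equals MAX - UMASK, but not in general:
# a file under umask 033 gets 644, not 633, because 6 has no "1" bit to remove.
apply_umask() {
    max=$1; mask=$2
    while [ ${#max} -lt 3 ]; do max=0$max; done
    while [ ${#mask} -lt 3 ]; do mask=0$mask; done
    max=${max#"${max%???}"}; mask=${mask#"${mask%???}"}   # keep the last three digits (0022 -> 022)
    out=
    while [ -n "$max" ]; do
        m=${max%"${max#?}"};   max=${max#?}                # peel off the leading digit
        k=${mask%"${mask#?}"}; mask=${mask#?}
        out=$out$(( m & ~k & 7 ))
    done
    printf '%s\n' "$out"
}

# observed_mode UMASK KIND -> mode stat reports for a new file (KIND=file) or
# directory (KIND=dir) created in a scratch directory under that umask
observed_mode() {
    scratch=$(mktemp -d) || return 1
    (
        umask "$1"                       # only affects this subshell
        if [ "$2" = dir ]; then mkdir "$scratch/new"; else : > "$scratch/new"; fi
    )
    stat -c '%a' "$scratch/new"
    rm -rf "$scratch"
}

# Demo: the documented table, recomputed and checked against the filesystem
demo_umask() {
    for um in 022 077 002 027 033; do
        printf 'umask %s: file %s (observed %s), dir %s (observed %s)\n' "$um" \
            "$(apply_umask 666 "$um")" "$(observed_mode "$um" file)" \
            "$(apply_umask 777 "$um")" "$(observed_mode "$um" dir)"
    done
}

demo_umask
```

The umask call sits in a subshell so the demo never changes the mask of the shell that runs it; the same pattern (set the mask, create, exit the subshell) is the safe way to create a private file from a script without touching the caller's defaults.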

Access Control Lists (ACL)

ACLs provide finer‑grained permissions beyond the traditional owner/group/others model.

ACL Commands

# View ACL
getfacl filename
getfacl dirname

# Set ACL entries
setfacl -m u:alice:rwx filename
setfacl -m g:dev:rw filename
setfacl -d -m u:bob:rwx dirname

# Remove a specific entry
setfacl -x u:alice filename

# Remove all ACLs
setfacl -b filename

ACL Example

# Create test file
touch test.txt

# Grant ACLs
setfacl -m u:alice:rw test.txt
setfacl -m u:bob:r test.txt

# View ACL
getfacl test.txt

Permission Troubleshooting

Common Issues

# Check file permissions
ls -l filename

# Check directory permissions
ls -ld dirname

# Check full path permissions
namei -l /path/to/file

# Make a script executable
chmod +x script.sh

# Verify file type
file script.sh
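The namei -l walk above can be turned into a check. Below is an added example (this editor's code, not the article's): traversal_gaps lists every ancestor directory of a path that lacks the search (execute) bit for a chosen class, which is the usual reason a web server or service account gets "Permission denied" on a file whose own mode is fine. It looks at mode bits only, not ownership or ACLs; the function names and the scratch tree in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): walk every ancestor of a path and report the
# directories that lack the execute (search) bit for a given class, the usual cause of
# "Permission denied" on a file whose own mode looks correct.
# Function names are this example's own; namei -l shows the same walk interactively.

# class_digit MODE CLASS -> the octal digit for CLASS (u, g or o) from a stat %a mode
class_digit() {
    mode=$1
    while [ ${#mode} -lt 3 ]; do mode=0$mode; done
    mode=${mode#"${mode%???}"}          # drop a leading special-bits digit (1777 -> 777)
    case $2 in
        u) printf '%s\n' "${mode%??}" ;;
        g) t=${mode#?}; printf '%s\n' "${t%?}" ;;
        o) printf '%s\n' "${mode#??}" ;;
        *) echo "class must be u, g or o" >&2; return 2 ;;
    esac
}

# traversal_gaps PATH CLASS -> prints "DIR (MODE)" for each ancestor directory of PATH
# that CLASS cannot search. Empty output means the path is traversable for that class
# (ownership and ACLs are not considered; the check is on mode bits only).
traversal_gaps() {
    class=$2
    dir=$(cd "$(dirname "$1")" 2>/dev/null && pwd -P) || { echo "cannot resolve $1" >&2; return 1; }
    while :; do
        mode=$(stat -c '%a' "$dir") || return 1
        d=$(class_digit "$mode" "$class") || return 2
        [ $(( d % 2 )) -eq 0 ] && printf '%s (%s)\n' "$dir" "$mode"
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return 0
}

# Demo on a constructed scratch tree: web/site/index.html where "site" has no search
# bit for others. The mktemp root itself is 700, so it is reported as well.
demo_traversal() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/web/site"
    : > "$root/web/site/index.html"
    chmod 755 "$root/web"
    chmod 750 "$root/web/site"          # group ok, others blocked here
    chmod 644 "$root/web/site/index.html"
    echo "Ancestors blocking 'others' for $root/web/site/index.html:"
    traversal_gaps "$root/web/site/index.html" o
    rm -rf "$root"
}

demo_traversal
```

Run it with class g when the service runs under the directory's group and with o when it does not; the first directory it prints is the one to fix, and fixing only the file's own mode will not help.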

Diagnostic Tools

# Find SUID files
find /usr -perm -4000 -type f 2>/dev/null

# Find world‑writable files
find /home -perm -002 -type f 2>/dev/null

# Find files without owner or group
find / -nouser -o -nogroup 2>/dev/null

Security Best Practices

Least Privilege : Grant only the permissions required for a task.

Separation : Isolate system files, user files, and application files.

Avoid using 777 permissions.

Permission Auditing

# Check SUID/SGID files (group the two -perm tests so -type f applies to both)
find / \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null

# Check world‑writable files
find / -perm -002 -type f 2>/dev/null

# Check files without owner
find / -nouser -o -nogroup 2>/dev/null

# Monitor changes with auditd
auditctl -w /etc/passwd -p wa -k passwd_changes
auditctl -w /etc/shadow -p wa -k shadow_changes

Advanced Permission Management

SELinux Integration

# Show SELinux status
sestatus

# Show file context
ls -Z filename

# Set SELinux context
chcon -t httpd_exec_t /var/www/cgi-bin/script.cgi

sudo Configuration

# Edit sudoers safely
visudo

# Example entries
username ALL=(ALL:ALL) ALL
%wheel ALL=(ALL:ALL) ALL
username ALL=(ALL) NOPASSWD: /usr/bin/systemctl

# Run as another user
sudo -u otheruser command

# Preserve environment variables
sudo -E command

# Open a root shell
sudo -i

Secure Mount Options

# /etc/fstab example
/dev/sda1 /tmp ext4 defaults,nodev,nosuid,noexec 0 2
/dev/sda2 /home ext4 defaults,nodev,nosuid 0 2
nodev – disallow device files.

nosuid – ignore SUID/SGID bits.

noexec – prevent execution of binaries.

Real‑World Cases

Web Server Permission Setup

# Create web user and group
groupadd webgroup
useradd -g webgroup webuser

# Set website directory permissions
chown -R webuser:webgroup /var/www/html
chmod -R 755 /var/www/html

# Restrict configuration directory
chmod 750 /var/www/html/config
chmod 600 /var/www/html/config/database.conf

Database Permission Configuration

# MySQL data directory
chown -R mysql:mysql /var/lib/mysql
chmod 700 /var/lib/mysql
chmod 600 /var/lib/mysql/*

# Backup directory
mkdir /backup/mysql
chown mysql:mysql /backup/mysql
chmod 700 /backup/mysql

Log File Permissions

# System logs
chmod 755 /var/log
chmod 644 /var/log/messages
chmod 640 /var/log/secure

# Application logs
mkdir /var/log/myapp
chown appuser:appgroup /var/log/myapp
chmod 750 /var/log/myapp

Permission Management Scripts

Permission Audit Script

#!/bin/bash
# Permission audit report

echo "=== Permission Audit Report ==="
echo "Report generated at $(date)"

echo
echo "1. SUID files:"
find / -perm -4000 -type f 2>/dev/null | head -n 10

echo
echo "2. World-writable files:"
find /home -perm -002 -type f 2>/dev/null | head -n 10

echo
echo "3. Files without owner/group:"
find / -nouser -o -nogroup 2>/dev/null | head -n 10

echo
echo "4. Critical file permissions:"
ls -l /etc/passwd /etc/shadow /etc/sudoers 2>/dev/null
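For the auditing commands in this guide and the report script above, here is an added example (not from the article) that does two things the one-off commands do not: it groups the find alternatives so -type f applies to both the SUID and the SGID branch, and it records a baseline of mode, owner and group for a tree so later runs report drift instead of a full listing. The function names and the scratch tree in the demo are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): record a permission baseline for a tree and
# report drift, alongside find expressions with the -o grouping the audit needs.
# Function names are this example's own.

# suid_sgid_files ROOT -> regular files with SUID or SGID set
# Without the \( \) grouping, "-perm -4000 -o -perm -2000 -type f" applies -type f
# only to the SGID branch, so SUID directories and links slip into the report.
suid_sgid_files() {
    find "$1" \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null
}

# world_writable_files ROOT -> regular files writable by others (symlinks excluded by -type f)
world_writable_files() {
    find "$1" -type f -perm -002 2>/dev/null
}

# snapshot ROOT -> one "MODE OWNER GROUP PATH" line per entry, sorted so it can be compared
snapshot() {
    find "$1" -exec stat -c '%a %U %G %n' {} + 2>/dev/null | LC_ALL=C sort
}

# take_baseline ROOT FILE -> store the snapshot of ROOT in FILE
take_baseline() {
    snapshot "$1" > "$2"
}

# check_drift ROOT FILE -> lines prefixed "-" (as recorded) and "+" (as found now) for
# every entry whose mode, owner, group or existence changed; prints nothing if none
check_drift() {
    current=$(mktemp) || return 1
    snapshot "$1" > "$current"
    LC_ALL=C comm -23 "$2" "$current" | sed 's/^/- /'
    LC_ALL=C comm -13 "$2" "$current" | sed 's/^/+ /'
    rm -f "$current"
}

# Demo on a constructed scratch tree
demo_audit() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/app/bin" "$root/app/etc"
    : > "$root/app/bin/tool";     chmod 4755 "$root/app/bin/tool"
    : > "$root/app/etc/app.conf"; chmod 640 "$root/app/etc/app.conf"
    base=$(mktemp) || return 1
    take_baseline "$root" "$base"
    chmod 666 "$root/app/etc/app.conf"      # simulated drift: config is now world-writable
    echo "SUID/SGID files:";      suid_sgid_files "$root"
    echo "World-writable files:"; world_writable_files "$root"
    echo "Drift since baseline:"; check_drift "$root" "$base"
    rm -rf "$root" "$base"
}

demo_audit
```

Keep the baseline file outside the audited tree and outside the reach of the accounts whose files it describes; a baseline that the same users can edit reports whatever they want it to.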

Permission Fix Script

#!/bin/bash
# Fix common permission issues

# Home directories
chmod 755 /home/username
chmod 700 /home/username/.ssh
chmod 600 /home/username/.ssh/authorized_keys

# Web directories
find /var/www -type d -exec chmod 755 {} \;
find /var/www -type f -exec chmod 644 {} \;
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by

Liangxu Linux

Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
