Stage 3 · Build
Users, Permissions & Processes
File Modes & ACLs
chmod, chown, umask, setuid, setgid, sticky bits, and getfacl/setfacl usage.
File Permissions
# View permissions
ls -la
# drwxr-xr-x 2 root root 4096 Jan 15 10:00 dir
# -rw-r--r-- 1 user user 1234 Jan 15 10:00 file
# lrwxrwxrwx 1 root root 5 Jan 15 10:00 link -> file
# Breakdown: d rwx r-x r-x
# d = directory type (- = file, l = link)
# rwx = owner permissions (read, write, execute)
# r-x = group permissions
# r-x = other permissions
# Numeric representation
# r=4, w=2, x=1
# rwx = 7 (4+2+1)
# r-x = 5 (4+0+1)
# r-- = 4 (4+0+0)
# 755 = rwxr-xr-x
# 644 = rw-r--r--Every file has owner, group, and other permissions. The kernel checks these in order: owner first, then group, then other.
chmod Operations
# Symbolic mode
chmod u+x script.sh # Add execute for user (owner)
chmod g+w file.txt # Add write for group
chmod o-rwx secret.txt # Remove all permissions for others
chmod a+r public.txt # Add read for everyone
# Numeric mode
chmod 755 script.sh # rwxr-xr-x
chmod 644 file.txt # rw-r--r--
chmod 700 private/ # rwx------
chmod 600 ~/.ssh/id_rsa # rw-------
# Recursive
chmod -R 755 directory/
chmod -R u=rwX directory/ # X = execute only for directories
# Reference
chmod --reference=otherfile targetfile
# Preserve special bits
chmod -p 755 script.shchmod changes permissions. Numeric mode sets all permissions at once. Symbolic mode modifies individual permissions. Use numeric for scripts, symbolic for interactive use.
Special Permission Bits
# setuid (4) — Run as file owner
chmod u+s /usr/bin/passwd
# -rwsr-xr-x 1 root root /usr/bin/passwd
# When executed, runs as root (owner)
# setgid (2) — Run as file group, or inherit directory group
chmod g+s shared/
# Files created in shared/ inherit the group
# sticky bit (1) — Only owner can delete files in directory
chmod +t /tmp
# drwxrwxrwt 1 root root /tmp
# Users can create files but only delete their own
# Numeric with special bits
chmod 4755 script # setuid + rwxr-xr-x
chmod 2755 dir/ # setgid + rwxr-xr-x
chmod 1777 /tmp # sticky + rwxrwxrwx
# View special bits
ls -la /usr/bin/passwd
# -rwsr-xr-x 1 root root 68208 Jan 1 10:00 /usr/bin/passwdsetuid on executables allows running as the file owner. setgid on directories ensures new files inherit the group. sticky bit on /tmp prevents users from deleting others' files.
umask Configuration
# Check current umask
umask
# 0022 (default: creates 644 files, 755 directories)
# How umask works
# Default permissions: 666 (files), 777 (directories)
# Minus umask = actual permissions
# 666 - 022 = 644 (rw-r--r--)
# 777 - 022 = 755 (rwxr-xr-x)
# Set umask
umask 027 # Creates 640 files, 750 directories
umask 077 # Creates 600 files, 700 directories (most restrictive)
# Set in /etc/profile or ~/.bashrc
echo "umask 027" >> /etc/profile
# System-wide configuration
cat /etc/login.defs | grep UMASK
# UMASK 022umask determines default permissions for new files. 027 is recommended for servers. 077 for maximum security (private files).
Access Control Lists
# View ACLs
getfacl file.txt
# # file: file.txt
# # owner: root
# # group: root
# user::rw-
# group::r--
# other::r--
# Grant specific user access
setfacl -m u:username:rwx file.txt
# Grant specific group access
setfacl -m g:project:rw shared/
# Remove ACL entry
setfacl -x u:username file.txt
# Remove all ACLs
setfacl -b file.txt
# Set default ACL (inherited by new files)
setfacl -d -m g:project:rw shared/
# Recursive ACL
setfacl -R -m g:project:rw directory/
# View ACL with ls
ls -la | grep "^+"
# -rw-rw-r--+ 1 root root 1234 Jan 15 10:00 file.txt
# The + indicates ACLs are presentACLs provide fine-grained access control beyond standard permissions. Use them when you need to grant access to specific users beyond owner/group/other.
Permission Auditing
# Find world-writable files
find / -xdev -type f -perm -002 -ls
# Find setuid files
find / -xdev -type f -perm -4000 -ls
# Find setgid files
find / -xdev -type f -perm -2000 -ls
# Find files with no owner
find / -xdev -nouser -o -nogroup
# Find files with 777 permissions
find / -xdev -type f -perm 0777 -ls
# Find directories writable by others
find / -xdev -type d -perm -002 -ls
# Check permissions of critical files
ls -la /etc/passwd /etc/shadow /etc/group
# -rw-r--r-- 1 root root 2048 Jan 15 10:00 /etc/passwd
# -rw-r----- 1 root shadow 1024 Jan 15 10:00 /etc/shadowAudit file permissions regularly. World-writable files, setuid binaries, and files without owners are security risks.
umask 027 creates files with 640 and directories with 750 permissions. This prevents other users from reading your files while allowing group access.
setuid programs run as root. Only setuid on well-tested, minimal programs like passwd. Never setuid on shell scripts or complex programs.
Mark this lesson complete to store local progress and unlock a cleaner resume path the next time you visit.