A previous article covered some basics about file permissions on your Fedora system. This installment shows you additional ways to use permissions to manage file access and sharing. It also builds on the knowledge and examples in the previous article, so if you haven’t read that one, do check it out.
Symbolic and octal
In the previous article you saw how there are three distinct permission sets for a file. The user that owns the file has a set, members of the group that owns the file has a set, and then a final set is for everyone else. These permissions are expressed on screen in a long listing (ls -l) using symbolic mode.
Each set has r, w, and x entries for whether a particular user (owner, group member, or other) can read, write, or execute that file. But there’s another way to express these permissions: in octal mode.
You’re used to the decimal numbering system, which has ten distinct values (0 through 9). The octal system, on the other hand, has eight distinct values (0 through 7). In the case of permissions, octal is used as a shorthand to show the value of the r, w, and x fields. Think of each field as having a value:
- r = 4
- w = 2
- x = 1
Now you can express any combination with a single octal value. For instance, read and write permission, but no execute permission, would have a value of 6. Read and execute permission only would have a value of 5. A file’s rwxr-xr-x symbolic permission has an octal value of 755.
You can use octal values to set file permissions with the chmod command similarly to symbolic values. The following two commands set the same permissions on a file:
chmod u=rw,g=r,o=r myfile1
chmod 644 myfile1
Special permission bits
There are several special permission bits also available on a file. These are called setuid (or suid), setgid (or sgid), and the sticky bit (or delete inhibit). Think of this as yet another set of octal values:
- setuid = 4
- setgid = 2
- sticky = 1
The setuid bit is ignored unless the file is executable. If that’s the case, the file (presumably an app or a script) runs as if it were launched by the user who owns the file. A good example of setuid is the /bin/passwd utility, which allows a user to set or change passwords. This utility must be able to write to files no user should be allowed to change. Therefore it is carefully written, owned by the root user, and has a setuid bit so it can alter the password related files.
The setgid bit works similarly for executable files. The file will run with the permissions of the group that owns it. However, setgid also has an additional use for directories. If a file is created in a directory with setgid permission, the group owner for the file will be set to the group owner of the directory.
Finally, the sticky bit, while ignored for files, is useful for directories. The sticky bit set on a directory will prevent a user from deleting files in that directory owned by other users.
The way to set these bits with chmod in octal mode is to add a value prefix, such as 4755 to add setuid to an executable file. In symbolic mode, the u and g can be used to set or remove setuid and setgid, such as u+s,g+s. The sticky bit is set using o+t. (Other combinations, like o+s or u+t, are meaningless and ignored.)
Sharing and special permissions
Recall the example from the previous article concerning a finance team that needs to share files. As you can imagine, the special permission bits help to solve their problem even more effectively. The original solution simply made a directory the whole group could write to:
drwxrwx---. 2 root finance 4096 Jul 6 15:35 finance
One problem with this directory is that users dwayne and jill, who are both members of the finance group, can delete each other’s files. That’s not optimal for a shared space. It might be useful in some situations, but probably not when dealing with financial records!
Another problem is that files in this directory may not be truly shared, because they will be owned by the default groups of dwayne and jill — most likely the user private groups also named dwayne and jill.
A better way to solve this is to set both setgid and the sticky bit on the folder. This will do two things — cause files created in the folder to be owned by the finance group automatically, and prevent dwayne and jill from deleting each other’s files. Either of these commands will work:
sudo chmod 3770 finance
sudo chmod u+rwx,g+rwxs,o+t finance
The long listing for the file now shows the new special permissions applied. The sticky bit appears as T and not t because the folder is not searchable for users outside the finance group.
drwxrws--T. 2 root finance 4096 Jul 6 15:35 finance
Elmar Fudd
In the paragraph before the last:
„A better way to solve this is to set both setuid and the sticky bit on the folder.“
Aren’t the groups permission bound to be changed? setgid?
sudo chmod 3770 finance
Paul W. Frields
@Elmar: Good catch, thanks — fixed.
Jake
just want to note that gnu chmod made it impossible to clear the setuid/setgid bits on directories using octal mode. a personal pet peeve that still annoys me to this day.
Rich
All you need is add an additional leading double zero like 00755.
Pat
A use-case example I recently have to use, when copying files back from an NTFS partition. All files came back as 777 since NTFS doesn’t support (afaik) Linux user permissions. To get them back to a usable form, i.e. 755 for directories, 644 for users:
$ chmod -R a=r,u+w,a+X .
Where:
-R, is recursive down directories from current (.),
a=r, sets all permissions to read (user, group & others),
u+w, sets files owned by user to be writable,
a+X, sets executable bit only if the entry is a directory (not a file)
Nice article btw! I learned something about special permissions.
Thanks,
-Pat
Rick
My Fedora chmod man page acknowledges GNU and says “To clear these bits for directories with a numeric mode requires an additional leading zero, or leading = like 00755 , or =755”. I remember this slowed me up for awhile, a long time ago.
Alex
Normally I would’ve thought you’d carefuly ‘only’ permit users in the finance group whom you’d wish to be able to rwx in that shared folder, but didn’t even occur to me the default group on file creation would not be finance.
This is a great chmod article, explanation, and simple & effective use-cases for the special permissions which this workstation user rarely uses–Thanks
dac.override
Nice, unless I overlooked it you did not mention the first bit that indicates the object class: – plain file d directory l symlink p fifo file s sock file c character file b block file
You did mentiion that bits can have a different meaning depending on the object class ihey’re associated with (for example x with plain file means execute, whereas x with directory means traverse)
It gets even more interesting when you compare and contrast DAC with SELinux. After all: SELinux enhances DAC.
Where DAC is identity-based (a decentralized or discrtionary access control framework), SELinux is label-based (a centralized or mandatory access control framework). Where DAC only knows few object classes to set few permission on, SELinux knows many object classes to set many permisisons on (i.e. more comprehenssive)
What is also interesting is how DAC setuid/setgid compares to SELinux transitions.