Day 3: Permissions and ownership
In a multi-user Linux environment, security is built on the foundation of Ownership and Permissions.
1. Classical File Permissions
Linux uses a 10-character string to represent file types and access rights.
Anatomy of drwxrwxrwx
| Position | Character | Meaning |
|---|---|---|
| 1 | d / - / l | Directory / Regular File / Symbolic Link |
| 2-4 | rwx | User (Owner) permissions |
| 5-7 | rwx | Group permissions |
| 8-10 | rwx | Others (Everyone else) permissions |
Permission Effects
| Bit | For Files | For Directories |
|---|---|---|
| r (Read) | View file content | List files inside (ls) |
| w (Write) | Modify file content | Create/Delete files (touch, rm) |
| x (Execute) | Run as a program | Access/Enter the directory (cd) |
The Sticky Bit (t)
Used primarily on shared directories like /tmp to prevent users from deleting files owned by others.
- Behavior: Only the file owner, directory owner, or root can delete/rename files.
- Visual: Appears as t (with execute) or T (without execute) in the “Others” block.
2. Modifying Access: chmod & chown
chmod (Change Mode)
Modify permissions using Numeric (Octal) or Symbolic modes.
Numeric Mode (4=r, 2=w, 1=x)
- 755: rwxr-xr-x (Standard for binaries/dirs)
- 644: rw-r--r-- (Standard for text files)
- 1777: Sticky bit + Full access (Used for /tmp)
Symbolic Examples
- chmod u+x script.sh - Add execute for owner.
- chmod -R g+w project/ - Recursively add write for group.
chown (Change Owner)
Used to transfer ownership. Requires root privileges (normally run via sudo).
- chown alice:developers file.txt - Sets user and group.
- chown :staff file.txt - Changes only the group.
- chown -R www-data: project/ - Recursively sets the owner to www-data and the group to that user's primary (login) group.
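To tie the 10-character string from section 1 to the octal numbers used with chmod, here is an added example (not part of the original session notes) that converts an ls -l mode string such as drwxrwxrwt into its four-digit octal form and reports the sticky-bit state. Function names and sample strings are my own; the encoding rules (4/2/1 per triad, s/S and t/T in the execute slots) are standard POSIX behaviour.

```shell
#!/bin/sh
# Convert a symbolic mode string (first 10 characters of an ls -l line)
# into octal, e.g. "-rwxr-xr-x" -> 0755, "drwxrwxrwt" -> 1777.
# Pass exactly 10 characters: some ls builds append "+", "." or "@"
# for ACLs/xattrs, so strip those with: ls -ld DIR | cut -c1-10

triad_value() {
  # $1 is one rwx triad; s/S and t/T occupy the execute slot,
  # and only the lowercase forms also grant execute.
  v=0
  case "$1" in r??) v=$((v + 4)) ;; esac
  case "$1" in ?w?) v=$((v + 2)) ;; esac
  case "$1" in ??x|??s|??t) v=$((v + 1)) ;; esac
  echo "$v"
}

special_bits() {
  # setuid (4) shows in the user execute slot, setgid (2) in the
  # group execute slot, sticky (1) in the others execute slot.
  sp=0
  case "$1" in ???[sS]??????) sp=$((sp + 4)) ;; esac
  case "$1" in ??????[sS]???) sp=$((sp + 2)) ;; esac
  case "$1" in ?????????[tT]) sp=$((sp + 1)) ;; esac
  echo "$sp"
}

mode_to_octal() {
  m=$1
  [ "${#m}" -eq 10 ] || { echo "expected 10 characters, got '$m'" >&2; return 1; }
  u=$(triad_value "$(printf '%s' "$m" | cut -c2-4)")
  g=$(triad_value "$(printf '%s' "$m" | cut -c5-7)")
  o=$(triad_value "$(printf '%s' "$m" | cut -c8-10)")
  printf '%d%d%d%d\n' "$(special_bits "$m")" "$u" "$g" "$o"
}

sticky_state() {
  # "t": sticky set and others may enter the directory;
  # "T": sticky set but others lack execute; "none" otherwise.
  case "$1" in
    ?????????t) echo t ;;
    ?????????T) echo T ;;
    *) echo none ;;
  esac
}

# Constructed sample: what ls -ld /tmp typically prints on a standard system.
mode_to_octal 'drwxrwxrwt'   # 1777
```

Run it against a live directory with `mode_to_octal "$(ls -ld /tmp | cut -c1-10)"`; a result other than 1777 for /tmp is worth investigating.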
Resources
Self-study Task: Advanced Security
The following topics provide granular and mandatory security controls that extend beyond classical POSIX permissions. They are not covered in this session, and it is highly recommended to research them independently as you progress toward SRE mastery:
- ACLs (Access Control Lists): Provide more granular permissions than the standard User/Group/Other model (e.g., giving a specific fourth user access to a file).
- SELinux (Security-Enhanced Linux): A kernel security module (common in RHEL/Fedora) that uses a “Labeling” system to enforce Mandatory Access Control.
- AppArmor: A simpler alternative to SELinux (standard on Debian/Ubuntu) that restricts programs’ capabilities based on profiles.
- Look up the difference between Discretionary Access Control (DAC)—what we covered today—and Mandatory Access Control (MAC).