Have you ever wondered why permissions in linux are typically listed as a 3 or 4 digit number? Here’s why.
There are four groups of permissions, and a mode number has one digit for each, in this order: Special, User, Group, and Other. When the special digit is zero it is usually left out, which is why you see both three-digit forms (755) and four-digit forms (0755 or 1755).
Three special permission bits exist: setuid, setgid, and the sticky bit. setuid and setgid apply to executable files (setgid also to directories), and the sticky bit is mainly used on shared public directories. When setuid or setgid is set on an executable, any user who runs that file gets a process whose effective user ID (or group ID) is that of the file's owner (or group) rather than their own.
You must be extremely careful when you set special permissions, because special permissions constitute a security risk. For example, a user can gain superuser privileges by executing a program that sets the user ID (UID) to root. Also, all users can set special permissions for files they own, which constitutes another security concern.
You should monitor your system for any unauthorized use of the setuid and setgid permissions to gain superuser privileges. To search for and list all of the files that use these permissions, see How to Find Files With setuid Permissions. In such a listing, a setuid program owned by an ordinary user rather than by root or bin is suspicious and should be investigated.
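As an added example (not part of the original post), the script below implements the search the paragraph above describes: it walks a directory tree, reports every regular file carrying the setuid or setgid bit, and flags the ones not owned by root or bin. The trusted-owner set and the temporary fixture tree it builds for the demo run are assumptions for illustration, not real system binaries.

```python
import os
import pwd
import shutil
import stat
import tempfile

# Owners the text above treats as expected for setuid/setgid programs (assumption).
TRUSTED_OWNERS = {"root", "bin"}


def owner_name(uid: int) -> str:
    """Map a uid to a login name, falling back to the bare number."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def find_special_bits(root: str):
    """Yield (relative path, ls-style mode, owner) for every regular file
    under root that has the setuid (4000) or setgid (2000) bit set."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat so symlinks are never followed
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                yield (os.path.relpath(path, root),
                       stat.filemode(st.st_mode),
                       owner_name(st.st_uid))


def suspicious(entries, trusted=TRUSTED_OWNERS):
    """Keep only entries whose owner is not in the trusted set (root or bin)."""
    return [e for e in entries if e[2] not in trusted]


def audit(root: str) -> dict:
    """Run the scan and split the result into all hits and suspicious hits."""
    hits = list(find_special_bits(root))
    return {"hits": hits, "suspicious": suspicious(hits)}


def build_fixture() -> str:
    """Constructed sample tree for a demo run (not real system binaries):
    one setuid file, one setgid file and one ordinary 755 file."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    for name, mode in (("suid_helper", 0o4755), ("sgid_helper", 0o2755), ("plain", 0o755)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)  # set the mode after writing, so nothing clears the bits later
    return root


def cleanup_fixture(root: str) -> None:
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    # Point audit() at "/" (as root) to scan a real system instead of the fixture.
    demo_root = build_fixture()
    for rel, mode, owner in audit(demo_root)["hits"]:
        print(mode, owner, rel)
    cleanup_fixture(demo_root)
```

The equivalent one-liner on a live system is `find / -type f \( -perm -4000 -o -perm -2000 \) -ls`, run as root so that no directory is skipped. Whichever form you use, compare the result against a known-good baseline; a new entry, or one owned by an ordinary user, is what the paragraph above calls suspicious.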
User: The file or directory owner, which is usually the user who created the file. The owner of a file can decide who has the right to read it, to write to it (make changes to it), or, if it is a command, to execute it.
Group: This permission affects any user in the group assigned to the file or folder.
Other: This permission affects the rest of the world, that is, anyone who is neither the owner nor in the group assigned to the file or folder.
Calculating the permissions
To calculate the permission number, it's nothing more than basic math. There are three types of permission you can assign: Read, Write, and eXecute.
Each permission is assigned a number, 1, 2, or 4. To figure out the number, just add them up.
Read = 4
Write = 2
Execute = 1
If you want to assign full permission, you would add all 3 together to give you 7. If you want just Read and Execute, the number would be 5.
Typically, a public_html folder would be listed as 750 or 755. This would give permissions as follows.
     [USER] [GROUP] [OTHER]
750   rwx    r-x     ---
755   rwx    r-x     r-x
The example above gives the user full permissions to do everything. The group would have only read and execute, and the rest of the world has no permissions at all (or read and execute for 755).
If you need to assign these permissions to the public html folder, the command would be this:
chmod 750 public_html
The Special Permissions
Binary executables with the setuid bit (chmod u+s path) run with the privileges of the file's owner, whoever invokes them. Because of this it should be used with care. Note that Linux honours setuid only on binaries; the bit is ignored on interpreted scripts.
In octal, the setuid bit is set with 4000 e.g: “chmod 4755 path“.
setuid has no effect if the owner (user) class does not have execute permission.
setuid is represented with a lower-case “s” in the output of ls. In cases where it has no effect it is represented with an upper-case “S”.
Binary executables with the setgid bit (chmod g+s path) can be executed with the privileges of the file’s group.
A useful property is to set the setgid bit on a directory so that all files and directories newly created within it inherit the group from that directory.
In octal, the setgid bit is represented by 2000 e.g: “chmod 2755 path“.
setgid has no effect if the group does not have execute permissions.
setgid is represented with a lower-case “s” in the output of ls. In cases where it has no effect it is represented with an upper-case “S”.
The sticky bit (chmod +t path) was introduced for use with executables as a way of telling an operating system to keep the text segment of the program in swap space after the process had terminated. This was a performance feature designed to make subsequent execution of the program faster.
The sticky bit is more commonly used on directories where it allows the files or directories within to only be moved or deleted by that object’s owner, the directory owner, or the super-user.
In octal, the sticky bit is set with 1000 e.g: “chmod 1755 path“.
The sticky bit has no effect if other does not have execute permissions.
The sticky bit is represented with a lower-case “t” in the output of ls. In cases where it has no effect it is represented with an upper-case “T”.
These follow the same number scheme as read, write, and execute, placed in the leading (fourth) digit:
setuid = 4
setgid = 2
Sticky Bit = 1
So if you need to assign a sticky bit, and 755 permissions, you would use a command like this:
chmod 1755 public_html
On a directory that has been given these permissions (the listing below is for one called test), the output of ls -l looks like this:
root@localhost [~]# ls -al | grep test
drwxr-xr-t. 2 root root 4096 Jan 24 03:08 test/
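As an added example (not code from the original post), here is the arithmetic from the "Calculating the permissions" section and the s/S and t/T display rule from "The Special Permissions" section written out as working code: one function turns an octal mode such as 1755 into the string ls -l prints, the inverse parses that string back, and a cross-check compares the result with Python's stat.filemode, which implements the same rules. The function names are my own.

```python
import stat


def triplet(digit: int) -> str:
    """Symbolic r/w/x triplet for one octal digit (read=4, write=2, execute=1)."""
    return (("r" if digit & 4 else "-")
            + ("w" if digit & 2 else "-")
            + ("x" if digit & 1 else "-"))


def mode_to_symbolic(mode: int, is_dir: bool = False) -> str:
    """Render an octal mode such as 0o1755 the way ls -l prints it."""
    special = (mode >> 9) & 7   # leading digit: setuid=4, setgid=2, sticky=1
    user = (mode >> 6) & 7
    group = (mode >> 3) & 7
    other = mode & 7
    chars = list(triplet(user) + triplet(group) + triplet(other))
    # Each special bit overwrites one execute slot: lower case when that
    # execute bit is set, upper case when it is not (the bit has no effect).
    if special & 4:
        chars[2] = "s" if user & 1 else "S"
    if special & 2:
        chars[5] = "s" if group & 1 else "S"
    if special & 1:
        chars[8] = "t" if other & 1 else "T"
    return ("d" if is_dir else "-") + "".join(chars)


def symbolic_to_mode(sym: str) -> int:
    """Inverse: turn 'drwxr-xr-t' (or the bare 9-character body) into an int mode."""
    body = sym[-9:]
    if len(body) != 9:
        raise ValueError("need a 9-character rwx body")
    expected = "rwxrwxrwx"
    special_at = {2: 0o4000, 5: 0o2000, 8: 0o1000}  # which slot carries which special bit
    mode = 0
    for i, ch in enumerate(body):
        bit = 1 << (8 - i)          # position 0 is user read (0o400), position 8 is other execute (1)
        if ch == "-":
            continue
        if ch == expected[i]:
            mode |= bit
        elif i in (2, 5) and ch in ("s", "S"):
            mode |= special_at[i]
            if ch == "s":           # lower case also means the execute bit is set
                mode |= bit
        elif i == 8 and ch in ("t", "T"):
            mode |= special_at[i]
            if ch == "t":
                mode |= bit
        else:
            raise ValueError(f"unexpected {ch!r} at position {i}")
    return mode


def matches_stdlib(mode: int, is_dir: bool = False) -> bool:
    """Cross-check one mode against stat.filemode, which applies the same rules."""
    full = mode | (stat.S_IFDIR if is_dir else stat.S_IFREG)
    return stat.filemode(full) == mode_to_symbolic(mode, is_dir)


if __name__ == "__main__":
    for m in (0o750, 0o755, 0o4755, 0o4644, 0o2755, 0o1755):
        print(f"{m:04o} file {mode_to_symbolic(m)}  dir {mode_to_symbolic(m, is_dir=True)}")
```

The upper-case S and T cases are the ones worth a second look during an audit: a 4644 file shows as -rwSr--r-- and does nothing, but somebody set that bit, and adding execute later would silently turn it into a working setuid program.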