How to calculate linux permissions

Posted on: January 23, 2015

Have you ever wondered why permissions in linux are typically listed as a 3 or 4 digit number?  Here’s why.

There are 4 groups of permissions.  Special, User, Group, and Other.

Special

Three special types of permissions are available for executable files and public directories. When these permissions are set, any user who runs that executable file assumes the user ID of the owner (or group) of the executable file.

You must be extremely careful when you set special permissions, because special permissions constitute a security risk. For example, a user can gain superuser privileges by executing a program that sets the user ID (UID) to root. Also, all users can set special permissions for files they own, which constitutes another security concern.

You should monitor your system for any unauthorized use of the setuid and setgid permissions to gain superuser privileges. To search for and list all of the files that use these permissions, see How to Find Files With setuid Permissions. A suspicious listing grants ownership of such a program to a user rather than to root or bin.

 

User

The file or directory owner, which is usually the user who created the file. The owner of a file can decide who has the right to read it, to write to it (make changes to it), or, if it is a command, to execute it.

Group

This permission affects any users in the group assgined to the file or folder.

Other

This permission affects the rest of the world.  Basically anyone who is not the owner or in the group assigned to the file or folder.

 

Calculating the permissions

To calculate the permission number, it’s nothing more then basic math.  There are 3 type of permissions you can assign.  Read, Write, and eXecutre

Each permission is assigned a number, 1, 2, or 4.  To figure out the number, just add them up.

Read = 4
Write = 2
Execute = 1

If you want to assign full permission, you would add all 3 together to give you 7.  If you want just Read and Execute, the number would be 5.

 

Typically, a public_html folder would be listed as 750 or 755.  This would give permissions as follows.

 

750                                                                         755
[USER]  [GROUP]  [OTHER]                           [USER]  [GROUP]  [OTHER]
rwx          r-x                —                                       rwx           r-x              r-x

The example above gives the user full permissions to do everything.  The group would have only read and execute, and the rest of the world has no permissions at all (or read and execute for 755).

 

If you need to assign these permissions to the public html folder, the command would be this:

chmod 750 public_html

 

The Special Permissions

setuid:

Binary executables with the setuid bit (chmod u+s path) can be executed with the privileges of the file’s owner. Due to it’s nature it should be used with care.
In octal, the setuid bit is set with 4000 e.g: “chmod 4755 path“.
setuid has no effect if the user does not have execute permissions.
setuid is represented with a lower-case “s” in the output of ls. In cases where it has no effect it is represented with an upper-case “S”.

setgid:

 

Binary executables with the setgid bit (chmod g+s path) can be executed with the privileges of the file’s group.
A useful property is to set the setgid bit on a directory so that all files and directories newly created within it inherit the group from that directory.
In octal, the setgid bit is represented by 2000 e.g: “chmod 2755 path“.
setgid has no effect if the group does not have execute permissions.
setgid is represented with a lower-case “s” in the output of ls. In cases where it has no effect it is represented with an upper-case “S”.

 

Sticky bit:

 

The sticky bit (chmod +t path) was introduced for use with executables as a way of telling an operating system to keep the text segment of the program in swap space after the process had terminated. This was a performance feature designed to make subsequent execution of the program faster.
The sticky bit is more commonly used on directories where it allows the files or directories within to only be moved or deleted by that object’s owner, the directory owner, or the super-user.
In octal, the sticky bit is set with 1000 e.g: “chmod 1755 path“.
The sticky bit has no effect if other does not have execute permissions.
The sticky bit is represented with a lower-case “t” in the output of ls. In cases where it has no effect it is represented with an upper-case “T”.

These follow the same number scheme as read write and execute.

setuid = 4
setgid= 2
Sticky Bit = 1

So if you need to assign a sticky bit, and 755 permissions, you would use a command like this:

chmod 1755 public_html

This would make the permissions look like this in a ls -l

root@localhost [~]# ls -al | grep test
drwxr-xr-t.  2 root root    4096 Jan 24 03:08 test/

Server Sitters is an Outsourced Hosting Support provider. We provide outsourced hosting support and specialize in hosting support for web hosting companies that require Helpdesk Support, Telephone Support Services or want to Outsource Chat Support.