Permissions and Ownership
Chapter 8: File Permissions and Ownership
Section titled “Chapter 8: File Permissions and Ownership”Comprehensive Linux File Permissions and Access Control
Section titled “Comprehensive Linux File Permissions and Access Control”Why This Matters in DevOps/SRE
Section titled “Why This Matters in DevOps/SRE”File permissions are the frontline defense for Linux system security:
Permissions for DevOps/SRE+------------------------------------------------------------------+| || Security Hardening: || +----------------------------------------------------------+ || | Web root → 755 (read-only by web server) | || | Config files → 600 (owner only) | || | SSH keys → 600 (never 644!) | || | /tmp → 1777 with sticky bit (prevent deletion) | || +----------------------------------------------------------+ || || Container Security: || +----------------------------------------------------------+ || | Run as non-root user in containers | || | Use read-only filesystems where possible | || | Security contexts map to Linux permissions | || +----------------------------------------------------------+ || || Automation & Compliance: || +----------------------------------------------------------+ || | Ansible file permissions for secure config deployment | || | PCI-DSS requires specific permission patterns | || | Audit logs must be protected (640, owned by root) | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+Practical Impact:
- Prevent unauthorized access to sensitive files
- Secure SSH keys and credentials
- Comply with security standards (PCI-DSS, HIPAA)
- Prevent privilege escalation vulnerabilities
8.1 Permission Model Overview
Section titled “8.1 Permission Model Overview”Understanding Linux Permissions
Section titled “Understanding Linux Permissions”Linux uses a discretionary access control (DAC) model where each file and directory has:
- Owner: The user who created or owns the file
- Group: A group associated with the file
- Others: Everyone else on the system
┌────────────────────────────────────────────────────────────────────────┐│ LINUX PERMISSION MODEL │├────────────────────────────────────────────────────────────────────────┤│ ││ Each file/directory has: ││ ││ ┌──────────────────────────────────────────────────────────────┐ ││ │ PERMISSIONS │ ││ │ │ ││ │ Owner (u) │ Group (g) │ Others (o) │ ││ │ ┌─────────┐ │ ┌─────────┐ │ ┌─────────┐ │ ││ │ │ r │ w │ x│ │ │ r │ w │ x│ │ │ r │ w │ x│ │ ││ │ └─────────┘ │ └─────────┘ │ └─────────┘ │ ││ │ 4 2 1 │ 4 2 1 │ 4 2 1 │ ││ │ │ │ │ ││ └──────────────────────────────────────────────────────────────┘ ││ ││ Permission Evaluation Order: ││ ││ 1. Is the current user the owner? → Check owner permissions ││ 2. Is the current user's group the → Check group permissions ││ file's group? ││ 3. Otherwise → Check others permissions ││ ││ NOTE: Owner permissions always take precedence if user is owner ││ │└────────────────────────────────────────────────────────────────────────┘Permission Types Explained
Section titled “Permission Types Explained”| Permission | On Files | On Directories |
|---|---|---|
| Read (r) | View file contents (cat, less) | List directory contents (ls) |
| Write (w) | Modify file (vim, echo >>) | Create/delete files in directory |
| Execute (x) | Run as program (./script) | Access directory contents (cd) |
Permission Numeric Values
Section titled “Permission Numeric Values”┌────────────────────────────────────────────────────────────────────────┐│ PERMISSION NUMERIC VALUES │├────────────────────────────────────────────────────────────────────────┤│ ││ Permission Set │ Numeric │ Binary │ Permission String ││ ─────────────────────┼─────────┼────────┼─────────────────── ││ --- │ 0 │ 000 │ No permissions ││ --x │ 1 │ 001 │ Execute only ││ -w- │ 2 │ 010 │ Write only ││ -wx │ 3 │ 011 │ Write + Execute ││ r-- │ 4 │ 100 │ Read only ││ r-x │ 5 │ 101 │ Read + Execute ││ rw- │ 6 │ 110 │ Read + Write ││ rwx │ 7 │ 111 │ Full permissions ││ ││ Common Permission Sets: ││ ││ 755 │ rwxr-xr-x │ Standard for executables/scripts ││ 644 │ rw-r--r-- │ Standard for regular files ││ 600 │ rw------- │ Private files ││ 700 │ rwx------ │ Private directories ││ 777 │ rwxrwxrwx │ World-writable (avoid!) ││ 2755 │ rwxr-sr-x │ SetGID on directory ││ 4755 │ rwsr-xr-x │ SetUID (dangerous!) ││ 1755 │ rwxr-xr-t │ Sticky bit ││ │└────────────────────────────────────────────────────────────────────────┘8.2 chmod - Changing Permissions
Section titled “8.2 chmod - Changing Permissions”Symbolic Mode
Section titled “Symbolic Mode”# Format: [who][operator][permissions]
# WHO:# u = user (owner)# g = group# o = others# a = all (u+g+o)
# OPERATOR:# + = add permission# - = remove permission# = = set exact permission
# PERMISSIONS:# r = read# w = write# x = execute# s = setuid/setgid# t = sticky bit# X = execute only if directory or already executable
# Add permissionschmod u+x script.sh # Add execute for ownerchmod g+rw file.txt # Add read/write for groupchmod o+r file.txt # Add read for otherschmod a+x program # Add execute for allchmod +x script.sh # Same as a+x
# Remove permissionschmod u-x script.sh # Remove execute from ownerchmod go-w file.txt # Remove write from group and otherschmod -r file.txt # Remove read from allchmod o-rwx file.txt # Remove all from others
# Set exact permissionschmod u=rwx file.sh # Set exactly rwx for ownerchmod go=rw file.txt # Set exactly rw for group/otherschmod a=r file.txt # Set exactly r for allchmod = file.txt # Remove all permissions
# Multiple operationschmod u+x,g+rw file.txt # Multiple changes at oncechmod u=rwx,g=rw,o=r file # Different for each
# Copy permissionschmod --reference=file1.txt file2.txtNumeric Mode
Section titled “Numeric Mode”# Using octal numberschmod 644 file.txt # rw-r--r--chmod 755 script.sh # rwxr-xr-xchmod 600 secret.txt # rw-------chmod 700 private_dir # rwx------chmod 777 public # rwxrwxrwx (dangerous!)
# Special permissions with numericchmod 4755 program # SetUID + rwxr-xr-xchmod 2755 directory # SetGID + rwxr-sr-xchmod 1755 directory # Sticky bit + rwxr-xr-tchmod 6755 program # SetUID + SetGID + rwsr-sr-x
# What each digit means:# First digit: special (4=SetUID, 2=SetGID, 1=Sticky)# Second digit: owner permissions# Third digit: group permissions# Fourth digit: others permissionsRecursive Operations
Section titled “Recursive Operations”# Apply to all files in directorychmod -R 755 /path/to/dir
# Only apply to directoriesfind /path -type d -exec chmod 755 {} \;
# Only apply to filesfind /path -type f -exec chmod 644 {} \;
# Combinechmod -R u=rwX,g=rX,o=rX /path# Note: X = execute only for directories or files with existing execute
# Using find with permissionsfind /var/www -type f -exec chmod 644 {} +find /var/www -type d -exec chmod 755 {} +
# Modern approach (faster)chmod -R u+rwX,g+rwX,o=rX /pathPractical Examples
Section titled “Practical Examples”# Web server fileschmod -R 644 /var/www/htmlchmod -R 755 /var/www/cgi-binchmod 644 /var/www/html/index.html
# SSH keyschmod 600 ~/.ssh/id_rsachmod 644 ~/.ssh/id_rsa.pubchmod 700 ~/.ssh
# Shell scriptschmod 755 /usr/local/bin/myscriptchmod +x script.sh
# Configuration fileschmod 600 /etc/myapp/config.confchmod 640 /etc/myapp/app.conf
# Log files (append only)chmod 640 /var/log/app.logchattr +a /var/log/app.log
# Directorieschmod 755 /home/userchmod 700 /home/user/private8.3 chown - Changing Ownership
Section titled “8.3 chown - Changing Ownership”Basic Syntax
Section titled “Basic Syntax”# Change owner onlysudo chown username file.txtsudo chown john file.txt
# Change owner and groupsudo chown username:groupname file.txtsudo chown john:developers file.txt
# Change group onlysudo chown :groupname file.txtsudo chown :developers file.txt
# Same as abovesudo chgrp developers file.txt
# Change owner recursivelysudo chown -R username /path/to/dir
# Change owner and group recursivelysudo chown -R username:groupname /path/to/dirPreserving Ownership
Section titled “Preserving Ownership”# Copy ownership from another filechown --reference=original.txt new.txt
# Preserve ownership during copycp -a source destcp -p source dest
# Use rsync with ownershiprsync -aO source/ dest/User and Group IDs
Section titled “User and Group IDs”# Using numeric IDssudo chown 1000:1000 file.txtsudo chown :1000 file.txt
# Find UID/GID of userid usernameid -u usernameid -g username
# Change using IDsudo chown 1000:1000 file.txtSpecial Cases
Section titled “Special Cases”# Change owner of symbolic link (not target)chown -h user linkname
# Change owner recursively but not follow symlinkschown -HR user /path
# Only change if already owned by specified userchown --from=john mary file.txt
# Change files owned by one user to anotherfind /path -user olduser -exec chown newuser {} \;
# Change group for files owned by specific groupfind /path -group oldgroup -exec chgrp newgroup {} \;8.4 Special Permissions
Section titled “8.4 Special Permissions”SetUID (suid) - 4xxx
Section titled “SetUID (suid) - 4xxx”┌────────────────────────────────────────────────────────────────────────┐│ SETUID PERMISSION │├────────────────────────────────────────────────────────────────────────┤│ ││ What it does: ││ When a file with SetUID is executed, it runs with the permissions ││ of the file's OWNER, not the user running it. ││ ││ Security Implication: ││ - Very powerful, can lead to privilege escalation ││ - Only use when absolutely necessary ││ - Should never have SetUID on shell scripts ││ ││ Examples: ││ - /usr/bin/passwd (4,755) - runs as root to change passwords ││ - /usr/bin/su (4,755) - runs as root to switch users ││ - /usr/bin/mount (4,755) - runs as root to mount filesystems ││ - /usr/bin/umount (4,755) - runs as root to unmount ││ ││ How to identify: ││ ls -l /usr/bin/passwd ││ -rwsr-xr-x 1 root root 68000 Jan 15 10:30 /usr/bin/passwd ││ ^ ││ └── 's' instead of 'x' in owner execute ││ ││ Setting: ││ chmod 4755 program ││ chmod u+s program ││ ││ Removing: ││ chmod 0755 program ││ chmod u-s program ││ │└────────────────────────────────────────────────────────────────────────┘SetGID (sgid) - 2xxx
Section titled “SetGID (sgid) - 2xxx”┌────────────────────────────────────────────────────────────────────────┐│ SETGID PERMISSION │├────────────────────────────────────────────────────────────────────────┤│ ││ On Files: ││ - Runs with permissions of file's GROUP ││ - Similar to SetUID but for group ││ - Rarely used on files ││ ││ On Directories: ││ - New files/dirs inherit the group from the directory ││ - Essential for shared group directories ││ ││ Example: /var/www (web server group) ││ chmod 2775 /var/www ││ chown :www-data /var/www ││ ││ Any file created in /var/www will have www-data group ││ ││ How to identify: ││ ls -ld /var/www ││ drwxrwsr-x 2 root www-data 4096 Jan 15 10:30 /var/www ││ ^ ││ └── 's' instead of 'x' in group execute ││ ││ Setting: ││ chmod 2775 /shared ││ chmod g+s /shared ││ │└────────────────────────────────────────────────────────────────────────┘Sticky Bit - 1xxx
Section titled “Sticky Bit - 1xxx”┌────────────────────────────────────────────────────────────────────────┐│ STICKY BIT │├────────────────────────────────────────────────────────────────────────┤│ ││ What it does: ││ On directories, only the owner (or root) can delete or rename ││ files within that directory, even if others have write permission ││ ││ Use cases: ││ - /tmp (world-writable temp directory) ││ - Shared directories where users can create files ││ - Prevents users from deleting others' files ││ ││ How to identify: ││ ls -ld /tmp ││ drwxrwxrwt 10 root root 4096 Jan 15 10:30 /tmp ││ ^ ││ └── 't' instead of 'x' in others execute ││ ││ Setting: ││ chmod 1777 /tmp ││ chmod +t /tmp ││ ││ Removing: ││ chmod 777 /tmp ││ chmod -t /tmp ││ │└────────────────────────────────────────────────────────────────────────┘8.5 Viewing and Interpreting Permissions
Section titled “8.5 Viewing and Interpreting Permissions”ls -l Output
Section titled “ls -l Output”# Basic outputls -l file.txt-rw-r--r-- 1 john developers 1024 Jan 15 10:30 file.txt
# Breakdown:# - = file type (- = regular, d = directory, l = symlink)# rw- = owner permissions (rw-)# r-- = group permissions (r--)# r-- = other permissions (r--)# 1 = number of hard links# john = owner# developers = group# 1024 = size in bytes# Jan 15 10:30 = modification time# file.txt = filenameFile Type Indicators
Section titled “File Type Indicators”| Character | Type |
|---|---|
- | Regular file |
d | Directory |
l | Symbolic link |
c | Character device |
b | Block device |
p | Named pipe (FIFO) |
s | Socket |
Advanced Viewing
Section titled “Advanced Viewing”# Numeric formatstat -c "%a %n" file.txt# Output: 644 file.txt
# Detailed access control listsgetfacl file.txt
# Show permission in binarypython3 -c "print(f'{644:012b}')"# 110100100
# Show in human readablestat -c "%A (%a) %n" file.txt# -rw-r--r-- (644) file.txt
# Show owner and group numericallystat -c "%U:%G %a %n" file.txt# john:developers 644 file.txt8.6 Access Control Lists (ACL)
Section titled “8.6 Access Control Lists (ACL)”Basic ACL Operations
Section titled “Basic ACL Operations”# Install if neededsudo apt-get install acl
# View ACLgetfacl file.txt
# Set ACL for usersetfacl -m u:john:rw file.txt
# Set ACL for groupsetfacl -m g:developers:rw file.txt
# Set ACL for otherssetfacl -m o::r file.txt
# Remove specific ACLsetfacl -x u:john file.txt
# Remove all ACLssetfacl -b file.txtDefault ACLs
Section titled “Default ACLs”# Default ACL for directory (new files inherit)setfacl -R -m d:u:john:rw /path/to/dir
# Set default for groupssetfacl -R -m d:g:developers:rw /path/to/dir
# View default ACLsgetfacl /path/to/dir
# Remove default ACLsetfacl -k /path/to/dirACL Examples
Section titled “ACL Examples”# Give specific user read/writesetfacl -m u:bob:rw- /shared/file.txt
# Give group read accesssetfacl -m g:team:r-- /shared/file.txt
# Multiple ACLssetfacl -m u:alice:rwx,u:bob:rw-,g:team:r-- file.txt
# Copy ACL from another filegetfacl file1.txt | setfacl -b -f - file2.txt
# Backup and restore ACLsgetfacl -R /path > acl_backup.txtsetfacl -R --restore=acl_backup.txtACL Permission Mask
Section titled “ACL Permission Mask”# The effective permissions are determined by (owner permissions & mask)# Default mask is usually the group permissions
# Set masksetfacl -m m::r file.txt
# View maskgetfacl file.txt | grep mask8.7 umask
Section titled “8.7 umask”Understanding umask
Section titled “Understanding umask”┌────────────────────────────────────────────────────────────────────────┐│ UMASK EXPLAINED │├────────────────────────────────────────────────────────────────────────┤│ ││ umask subtracts from default permissions ││ ││ Default file permissions: 666 (rw-rw-rw-) ││ Default dir permissions: 777 (rwxrwxrwx) ││ ││ umask 022: ││ File: 666 - 022 = 644 (rw-r--r--) ││ Dir: 777 - 022 = 755 (rwxr-xr-x) ││ ││ Common umask values: ││ ┌─────────┬────────────┬────────────┐ ││ │ umask │ File │ Directory │ ││ ├─────────┼────────────┼────────────┤ ││ │ 000 │ 666 │ 777 │ ││ │ 022 │ 644 │ 755 │ (default) ││ │ 027 │ 640 │ 750 │ ││ │ 077 │ 600 │ 700 │ (restrictive) ││ │ 133 │ 644 │ 644 │ ││ └─────────┴────────────┴────────────┘ ││ │└────────────────────────────────────────────────────────────────────────┘Setting umask
Section titled “Setting umask”# View current umaskumask
# Set for current sessionumask 022
# Set in ~/.bashrc or ~/.profileecho "umask 022" >> ~/.bashrc
# Set for all users (system-wide)echo "umask 022" >> /etc/profileecho "umask 022" >> /etc/bash.bashrc
# Set for specific service# In /etc/pam.d/sshdsession optional pam_umask.so umask=00278.8 Secure Permissions Best Practices
Section titled “8.8 Secure Permissions Best Practices”Common Security Mistakes
Section titled “Common Security Mistakes”# DANGEROUS - Never do this!chmod 777 file # Anyone can modify!chmod -R 777 /directory # Huge security hole!chmod +s file # SetUID without understanding
# Safer alternativeschmod 755 /directory # Owner full, others read/executechmod 644 file # Owner rw, others readchmod 600 keyfile # Owner onlyHardening Scripts
Section titled “Hardening Scripts”#!/bin/bash# Web serverchown -R www-data:www-data /var/wwwfind /var/www -type f -exec chmod 644 {} \;find /var/www -type d -exec chmod 755 {} \;
# SSH keyschmod 700 ~/.sshchmod 600 ~/.ssh/*chmod 644 ~/.ssh/*.pub
# Configuration fileschmod 600 /etc/app/config.conf
# Log fileschown -R root:adm /var/log/appfind /var/log/app -type f -exec chmod 640 {} \;File Permission Checklist
Section titled “File Permission Checklist”┌────────────────────────────────────────────────────────────────────────┐│ PERMISSION SECURITY CHECKLIST │├────────────────────────────────────────────────────────────────────────┤│ ││ Files: ││ □ Private keys: 600 (owner only) ││ □ Config files: 640 or 600 ││ □ Scripts: 755 (if executable) or 644 ││ □ Data files: 644 or 600 ││ □ Sensitive data: 600 ││ ││ Directories: ││ □ Private: 700 (owner only) ││ □ Shared: 750 with appropriate group ││ □ Public writable with sticky bit: 1777 ││ ││ Special: ││ □ Avoid SetUID unless absolutely necessary ││ □ Use SetGID for shared group directories ││ □ Use sticky bit on /tmp-like directories ││ ││ Review: ││ □ Regular permission audits ││ □ Check for world-writable files ││ □ Monitor for new SetUID binaries ││ │└────────────────────────────────────────────────────────────────────────┘8.9 Troubleshooting
Section titled “8.9 Troubleshooting”Common Issues
Section titled “Common Issues”# Permission denied errorls -l /path/to/file# Check owner and permissions
# Cannot delete filels -ld /directory# Check directory permissions and sticky bit
# Cannot access directoryls -ld /path# Check execute permission on each parent
# "Operation not permitted" even as rootlsattr file# Check for immutable attribute
# Cannot change permissionsls -l file# Check if file is on NFS with nosuid
# "Too many levels of symbolic links"file link# Check circular linksDebugging Commands
Section titled “Debugging Commands”# Check who owns the filestat file.txt
# Check effective permissions for current usernamei -l /path/to/file
# Check ACLsgetfacl file.txt
# Check attributeslsattr file.txt
# Check process capabilitiesgetpcaps <pid>
# Monitor permission changesinotifywait -m -r -e mode /path &8.10 Interview Questions
Section titled “8.10 Interview Questions”Q1: What is the difference between chmod 755 and chmod 655?
Section titled “Q1: What is the difference between chmod 755 and chmod 655?”Answer:
-
chmod 755: rwxr-xr-x (owner: rwx, group: r-x, others: r-x)- Owner can read, write, execute
- Group and others can read and execute
-
chmod 655: rw-r-xr-x (owner: rw-, group: r-x, others: r-x)- Owner can read and write (not execute)
- Group and others can read and execute
The difference is that 755 allows execute for owner, while 655 does not.
Q2: What does the SetUID bit do and why is it dangerous?
Section titled “Q2: What does the SetUID bit do and why is it dangerous?”Answer: The SetUID (suid) bit makes a program run with the permissions of the file’s owner (usually root), regardless of who executes it.
Danger:
- If the program has vulnerabilities, any user can exploit them with root privileges
- Shell scripts with SetUID are especially dangerous (injection attacks)
- Many privilege escalation exploits target SetUID binaries
Safe examples:
/usr/bin/passwdneeds it to modify /etc/shadow/usr/bin/suneeds it to switch users
Best practice: Avoid SetUID on custom programs; use sudo instead.
Q3: How would you give a user read/write access to a specific file without affecting others?
Section titled “Q3: How would you give a user read/write access to a specific file without affecting others?”Answer:
# Using ACLsetfacl -m u:username:rw- /path/to/file
# Or change ownershipsudo chown username:groupname /path/to/filesudo chmod 640 /path/to/fileACL is more flexible as it doesn’t change the primary owner.
Q4: What is the sticky bit and where is it commonly used?
Section titled “Q4: What is the sticky bit and where is it commonly used?”Answer: The sticky bit on directories prevents users from deleting or renaming files they don’t own, even if they have write permission to the directory.
Common uses:
/tmp- allows anyone to create files but not delete others- Shared directories where users need to create files
Without sticky bit, any user with write access could delete any file in the directory.
Q5: What happens when you set execute permission on a directory?
Section titled “Q5: What happens when you set execute permission on a directory?”Answer: Execute permission on a directory allows:
- Entering (cd) into the directory
- Accessing files within (if you have permission to those files)
- Using the directory as part of a path
Without execute, you cannot access anything inside, even if you have read permission on the files.
Q6: What is the difference between chmod -R and chmod -R?
Section titled “Q6: What is the difference between chmod -R and chmod -R?”Answer:
chmod -R- Applies recursively to all files and directorieschmod -R(capital R) - Same as above but follows symbolic links
Be careful: chmod -R 777 / would be catastrophic!
Use -X (capital X) for safe recursion that only applies execute to directories.
Q7: How do you find all SetUID binaries on your system?
Section titled “Q7: How do you find all SetUID binaries on your system?”Answer:
# Find all SetUID filesfind / -perm /4000 2>/dev/null
# Find SetGID filesfind / -perm /2000 2>/dev/null
# Find bothfind / -perm /6000 2>/dev/null
# More readable outputfind / -perm /4000 -ls 2>/dev/nullQ8: What is the purpose of umask?
Section titled “Q8: What is the purpose of umask?”Answer: umask sets the default permissions for newly created files and directories by masking (subtracting) bits from the default permissions.
- Default file: 666
- Default directory: 777
- umask 022 removes write for group/others
This ensures files aren’t accidentally created with overly permissive access.
Quick Reference
Section titled “Quick Reference”Commands
Section titled “Commands”# Change modechmod 644 file # Numericchmod u+x file # Symbolicchmod -R 755 dir # Recursive
# Change ownerchown user:group file # Owner and groupchown user file # Owner onlychgrp group file # Group only
# Viewls -l file # Detailsstat file # Full infogetfacl file # ACLs
# Special bitschmod u+s file # SetUIDchmod g+s dir # SetGIDchmod +t dir # Sticky bitNumeric Permissions
Section titled “Numeric Permissions”| Octal | Binary | Permission |
|---|---|---|
| 0 | 000 | --- |
| 1 | 001 | —x |
| 2 | 010 | -w- |
| 3 | 011 | -wx |
| 4 | 100 | r— |
| 5 | 101 | r-x |
| 6 | 110 | rw- |
| 7 | 111 | rwx |
Common Values
Section titled “Common Values”| Value | Use Case |
|---|---|
| 600 | Private file |
| 644 | Public file |
| 700 | Private directory |
| 755 | Executable/public dir |
| 775 | Shared group dir |
| 777 | Public writable |
Common Mistakes & Anti-Patterns
Section titled “Common Mistakes & Anti-Patterns”1. Setting World-Writable Permissions
Section titled “1. Setting World-Writable Permissions”# ❌ WRONG: World-writable is a security riskchmod 777 /etc/myapp/config # Anyone can read/modify!chmod -R 777 /opt/myapp # HORRIBLE practice!
# ✅ CORRECT: Use minimum necessary permissionschmod 640 /etc/myapp/config # Owner rw, group r, others nonechmod 755 /opt/myapp/bin # Owner rwx, group r-x, others r-x2. Ignoring SetUID/SetGID Security
Section titled “2. Ignoring SetUID/SetGID Security”# ❌ WRONG: Leaving dangerous SetUID binaries# /usr/bin/passwd has SetUID (needed) - but others shouldn't!find / -perm -4000 2>/dev/null # Check for SetUID# Unknown SetUID binaries = potential privilege escalation
# ✅ CORRECT: Audit SetUID/SetGID regularlyfind / -perm -4000 -user root 2>/dev/null | grep -v "/usr/bin/passwd"# Remove SetUID if not needed: chmod u-s /path/to/binary3. Setting Incorrect umask
Section titled “3. Setting Incorrect umask”# ❌ WRONG: Too permissive umaskumask 000 # Files created with 777!
# ✅ CORRECT: Secure umaskumask 077 # Files: 700, directories: 777# Add to ~/.bashrc or /etc/profile4. Not Using ACLs When Needed
Section titled “4. Not Using ACLs When Needed”# ❌ WRONG: Trying to solve everything with basic permissions# Need 3+ groups with different access?# Basic permissions only support owner, group, other!
# ✅ CORRECT: Use ACLs for fine-grained accesssetfacl -m g:developers:rw /shared/filesetfacl -m g:qasales:r /shared/filegetfacl /shared/file # View all ACLsSummary
Section titled “Summary”In this chapter, you learned:
- ✅ Permission model (owner, group, others)
- ✅ chmod numeric and symbolic modes
- ✅ chown and chgrp for ownership
- ✅ Special permissions (SetUID, SetGID, sticky bit)
- ✅ Viewing and interpreting permissions
- ✅ Access Control Lists (ACLs)
- ✅ umask and default permissions
- ✅ Security best practices
- ✅ Troubleshooting common issues
- ✅ Interview questions and answers
Next Chapter
Section titled “Next Chapter”Chapter 9: sudo and Privilege Escalation
Last Updated: February 2026