Linux File Permission Cheat Sheet
- Necessary and sufficient knowledge on Linux file and directory permissions
- With practical examples
- Sourced from GitHub
User permission triads
- There are three permission triads (
rwx rwx rwx) corresponding to particular group of users
- The
1-st one (rwx --- ---) is for owner user
- The
2-nd one (--- rwx ---) is for group users
- The
3-rd one (--- --- rwx) is for other users
- Each permission triad (
rwx) corresponds to particular set of operations defined on files and directories
-
r is for read operation
-
w is for write operation
-
x is for execute operation
File permissions
-
read file permission
- Allows the corresponding user (
owner, group, other) to read the file
-
write file permission
- Allows the corresponding user to modify (create, move, rename, change attributes, delete) the file
-
execute file permission
- Allows the corresponding user to execute the file
- All the above permissions have effect only if
execute permission for the corresponding user is set on the directory and all its parent directories
File permission examples
Effects of read file permission
user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user1@ubuntu20lts:~/tmp$ echo test > file
user1@ubuntu20lts:~/tmp$ ls -l file
-rw-rw-r-- 1 user1 user1 5 Jul 26 21:59 file
user1@ubuntu20lts:~/tmp$ cat file
test
user1@ubuntu20lts:~/tmp$ chmod a-r file
user1@ubuntu20lts:~/tmp$ ls -l file
--w--w---- 1 user1 user1 5 Jul 26 21:59 file
user1@ubuntu20lts:~/tmp$ cat file
cat: file: Permission denied
Effects of write file permission
user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user1@ubuntu20lts:~/tmp$ echo test > file
user1@ubuntu20lts:~/tmp$ ls -l file
-rw-rw-r-- 1 user1 user1 5 Jul 26 22:00 file
user1@ubuntu20lts:~/tmp$ chmod a-w file
user1@ubuntu20lts:~/tmp$ ls -l file
-r--r--r-- 1 user1 user1 5 Jul 26 22:00 file
user1@ubuntu20lts:~/tmp$ echo test > file
-bash: file: Permission denied
Effects of execute file permission
user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user1@ubuntu20lts:~/tmp$ echo "#/usr/bin/env bash" > file
user1@ubuntu20lts:~/tmp$ echo "date" >> file
user1@ubuntu20lts:~/tmp$ chmod a+x file
user1@ubuntu20lts:~/tmp$ ls -l file
-rwxrwxr-x 1 user1 user1 24 Jul 26 22:02 file
user1@ubuntu20lts:~/tmp$ ./file
Sun 26 Jul 2020 10:02:35 PM UTC
user1@ubuntu20lts:~/tmp$ chmod a-x file
user1@ubuntu20lts:~/tmp$ ls -l file
-rw-rw-r-- 1 user1 user1 24 Jul 26 22:02 file
user1@ubuntu20lts:~/tmp$ ./file
-bash: ./file: Permission denied
Effects of unset execute directory permission on file permissions
read file permission
user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user1@ubuntu20lts:~/tmp$ echo test > file
user1@ubuntu20lts:~/tmp$ cd ..
user1@ubuntu20lts:~$ find ./tmp/ -ls
259893 4 drwxrwxr-x 2 user1 user1 4096 Jul 26 22:03 ./tmp/
259894 4 -rw-rw-r-- 1 user1 user1 5 Jul 26 22:03 ./tmp/file
user1@ubuntu20lts:~$ cat ./tmp/file
test
user1@ubuntu20lts:~$ chmod a-x tmp/
user1@ubuntu20lts:~$ find ./tmp/ -ls
259893 4 drw-rw-r-- 2 user1 user1 4096 Jul 26 22:03 ./tmp/
find: ‘./tmp/file’: Permission denied
user1@ubuntu20lts:~$ cat ./tmp/file
cat: ./tmp/file: Permission denied
write file permission
user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user1@ubuntu20lts:~/tmp$ cd ..
user1@ubuntu20lts:~$ echo test > tmp/file
user1@ubuntu20lts:~$ find ./tmp/ -ls
258932 4 drwxrwxr-x 2 user1 user1 4096 Jul 26 22:53 ./tmp/
258941 4 -rw-rw-r-- 1 user1 user1 5 Jul 26 22:53 ./tmp/file
user1@ubuntu20lts:~$ chmod a-x tmp/
user1@ubuntu20lts:~$ find ./tmp/ -ls
258932 4 drw-rw-r-- 2 user1 user1 4096 Jul 26 22:53 ./tmp/
find: ‘./tmp/file’: Permission denied
user1@ubuntu20lts:~$ echo test > tmp/file
-bash: tmp/file: Permission denied
execute file permission
user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user1@ubuntu20lts:~/tmp$ echo "#/usr/bin/env bash" > file
user1@ubuntu20lts:~/tmp$ echo "date" >> file
user1@ubuntu20lts:~/tmp$ chmod a+x file
user1@ubuntu20lts:~/tmp$ cd ..
user1@ubuntu20lts:~$ find ./tmp/ -ls
258932 4 drwxrwxr-x 2 user1 user1 4096 Jul 26 23:01 ./tmp/
258941 4 -rwxrwxr-x 1 user1 user1 24 Jul 26 23:01 ./tmp/file
user1@ubuntu20lts:~$ ./tmp/file
Sun 26 Jul 2020 11:01:41 PM UTC
user1@ubuntu20lts:~$ chmod a-x tmp/
user1@ubuntu20lts:~$ find ./tmp/ -ls
258932 4 drw-rw-r-- 2 user1 user1 4096 Jul 26 23:01 ./tmp/
find: ‘./tmp/file’: Permission denied
user1@ubuntu20lts:~$ ./tmp/file
-bash: ./tmp/file: Permission denied
Directory permissions
-
read directory permission
- Allows the corresponding user (
owner, group, other) to display directory’s files and subdirectories
- Has effect only on the files and subdirectories which are directly beneath the subject directory
- Has effect only if
execute permission for the corresponding user is also set on the directory and all its parent directories
-
write directory permission
- Allows the corresponding user to modify (create, move, rename, change attributes, delete) files and subdirectories within the directory
- Has effect only on the files and subdirectories which are directly beneath the subject directory
- Has effect on files and subdirectories of the subject directory independent of the permissions of these files and subdirectories
- Has effect only if
execute permission for the corresponding user is also set on the directory and all its parent directories
-
execute directory permission
- Allows the corresponding user to change their current working directory to this directory (via the
cd command)
- Has effect as long as this
execute permission is set on all parent directories as well
- Affects
read and write directory permissions
rwx-
Full access to a directory is provided by combining
execute permission with read and write permissions
r-x-
Read only access to a directory is provided by combining
execute permission with read permission
-wx- Combining
execute and write directory permissions (without read permission) leads to weird access mode, where full access to the directory is enabled, but standard way of displaying names of files and directories is not possible
-
rw-, r--
- Disabling
execute permission for a directory with set read permission leads to weird access mode, where only reading names of files and directories directly beneath the subject directory is possible
-
-w-, ---
- Disabling
execute permission for a directory with unset read permission is the same as providing no access to the directory
--x- Setting
execute permission on a directory where read and write permissions are unset leads to weird access mode, where it is possible to change current working directory to subdirectories of the subject directory (if the names of those subdirectories are known preliminarily) and to do any operations except ones related to reading or modifying directory structures themselves (reading names from the directory; creating, moving, renaming, deleting files or subdirectories)
- Directory permissions short summary
| permission triad |
access mode |
comments |
--- |
no access |
|
r-- |
weird mode |
only reading file and subdirectory names is possible |
-w- |
no access |
the same as ---
|
--x |
weird mode |
only changing to subdirectories are possible if their names are known |
rw- |
weird mode |
the same as r--
|
r-x |
read only |
|
-wx |
weird mode |
any operations on files and subdirectories are possible if their names are known |
rwx |
full |
|
Directory permission examples
Effects of read directory permission
user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB
user1@ubuntu20lts:~/tmp$ touch dirA/dirB/file
user1@ubuntu20lts:~/tmp$ find . -ls
258126 4 drwxrwxr-x 3 user1 user1 4096 Jul 24 20:59 .
258308 4 drwxrwxr-x 3 user1 user1 4096 Jul 24 20:59 ./dirA
258915 4 drwxrwxr-x 2 user1 user1 4096 Jul 24 20:59 ./dirA/dirB
258916 0 -rw-rw-r-- 1 user1 user1 0 Jul 24 20:59 ./dirA/dirB/file
user1@ubuntu20lts:~/tmp$ chmod a-r ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
258126 4 drwxrwxr-x 3 user1 user1 4096 Jul 24 20:59 .
258308 4 drwxrwxr-x 3 user1 user1 4096 Jul 24 20:59 ./dirA
258915 4 d-wx-wx--x 2 user1 user1 4096 Jul 24 20:59 ./dirA/dirB
find: ‘./dirA/dirB’: Permission denied
user1@ubuntu20lts:~/tmp$ chmod a+r ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
258126 4 drwxrwxr-x 3 user1 user1 4096 Jul 24 21:02 .
258308 4 drwxrwxr-x 3 user1 user1 4096 Jul 24 21:02 ./dirA
258915 4 drwxrwxr-x 2 user1 user1 4096 Jul 24 21:02 ./dirA/dirB
258916 0 -rw-rw-r-- 1 user1 user1 0 Jul 24 21:02 ./dirA/dirB/file
user1@ubuntu20lts:~/tmp$ chmod a-r ./dirA
user1@ubuntu20lts:~/tmp$ find . -ls
258126 4 drwxrwxr-x 3 user1 user1 4096 Jul 24 21:02 .
258308 4 d-wx-wx--x 3 user1 user1 4096 Jul 24 21:02 ./dirA
find: ‘./dirA’: Permission denied
user1@ubuntu20lts:~/tmp$ chmod a+r ./dirA
user1@ubuntu20lts:~/tmp$ find . -ls
258126 4 drwxrwxr-x 3 user1 user1 4096 Jul 24 21:02 .
258308 4 drwxrwxr-x 3 user1 user1 4096 Jul 24 21:02 ./dirA
258915 4 drwxrwxr-x 2 user1 user1 4096 Jul 24 21:02 ./dirA/dirB
258916 0 -rw-rw-r-- 1 user1 user1 0 Jul 24 21:02 ./dirA/dirB/file
Effects of read directory permission propagate only on files and subdirectories which are directly beneath the subject directory
- Directory
read permission doesn't propagate to the directory hieracy further than the directory directly beneath the subject directory
user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ echo test > dirA/dirB/dirC/file
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 11:50 .
258916 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 11:50 ./dirA
258920 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 11:50 ./dirA/dirB
258924 4 drwxrwxr-x 2 user1 user1 4096 Jul 31 11:50 ./dirA/dirB/dirC
258942 4 -rw-rw-r-- 1 user1 user1 5 Jul 31 11:50 ./dirA/dirB/dirC/file
user1@ubuntu20lts:~/tmp$ chmod a-r ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 11:50 .
258916 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 11:50 ./dirA
258920 4 d-wx-wx--x 3 user1 user1 4096 Jul 31 11:50 ./dirA/dirB
find: ‘./dirA/dirB’: Permission denied
user1@ubuntu20lts:~/tmp$ ls -la ./dirA/dirB
ls: cannot open directory './dirA/dirB': Permission denied
user1@ubuntu20lts:~/tmp$ ls -la ./dirA/dirB/dirC
total 12
drwxrwxr-x 2 user1 user1 4096 Jul 31 11:50 .
d-wx-wx--x 3 user1 user1 4096 Jul 31 11:50 ..
-rw-rw-r-- 1 user1 user1 5 Jul 31 11:50 file
user1@ubuntu20lts:~/tmp$ cd ./dirA/dirB/dirC
user1@ubuntu20lts:~/tmp/dirA/dirB/dirC$ ls -la
total 12
drwxrwxr-x 2 user1 user1 4096 Jul 31 11:50 .
d-wx-wx--x 3 user1 user1 4096 Jul 31 11:50 ..
-rw-rw-r-- 1 user1 user1 5 Jul 31 11:50 file
user1@ubuntu20lts:~/tmp/dirA/dirB/dirC$ cat file
test
Effects of write directory permission
- We cannot create, move, rename, and delete files and subdirectories in the directory which have no
write directory permissions
user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ touch dirA/dirB/file
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:35 .
258943 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:35 ./dirA
258973 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:36 ./dirA/dirB
259894 0 -rw-rw-r-- 1 user1 user1 0 Jul 27 11:36 ./dirA/dirB/file
259889 4 drwxrwxr-x 2 user1 user1 4096 Jul 27 11:35 ./dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ chmod a-w ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:35 .
258943 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:35 ./dirA
258973 4 dr-xr-xr-x 3 user1 user1 4096 Jul 27 11:36 ./dirA/dirB
259894 0 -rw-rw-r-- 1 user1 user1 0 Jul 27 11:36 ./dirA/dirB/file
259889 4 drwxrwxr-x 2 user1 user1 4096 Jul 27 11:35 ./dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ rm -fr ./dirA/dirB
rm: cannot remove './dirA/dirB/file': Permission denied
rm: cannot remove './dirA/dirB/dirC': Permission denied
user1@ubuntu20lts:~/tmp$ rm -fr ./dirA/dirB/file
rm: cannot remove './dirA/dirB/file': Permission denied
user1@ubuntu20lts:~/tmp$ rm -fr ./dirA/dirB/dirC
rm: cannot remove './dirA/dirB/dirC': Permission denied
user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/file ./dirA/dirB/file1
mv: cannot move './dirA/dirB/file' to './dirA/dirB/file1': Permission denied
user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/dirC ./dirA/dirB/dirD
mv: cannot move './dirA/dirB/dirC' to './dirA/dirB/dirD': Permission denied
user1@ubuntu20lts:~/tmp$ touch ./dirA/dirB/file1
touch: cannot touch './dirA/dirB/file1': Permission denied
user1@ubuntu20lts:~/tmp$ mkdir ./dirA/dirB/dirD
mkdir: cannot create directory ‘./dirA/dirB/dirD’: Permission denied
user1@ubuntu20lts:~/tmp$ chmod a+w ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:35 .
258943 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:35 ./dirA
258973 4 drwxrwxrwx 3 user1 user1 4096 Jul 27 11:36 ./dirA/dirB
259894 0 -rw-rw-r-- 1 user1 user1 0 Jul 27 11:36 ./dirA/dirB/file
259889 4 drwxrwxr-x 2 user1 user1 4096 Jul 27 11:35 ./dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ rm -fr ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:35 .
258943 4 drwxrwxr-x 2 user1 user1 4096 Jul 27 11:37 ./dirA
- But we can write to files (if file's permission allows this) and change attributes of files and subdirectories in the directory which has no
write directory permissions
user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ touch dirA/dirB/file
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:40 .
258943 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:40 ./dirA
258973 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:40 ./dirA/dirB
259894 0 -rw-rw-r-- 1 user1 user1 0 Jul 27 11:40 ./dirA/dirB/file
259889 4 drwxrwxr-x 2 user1 user1 4096 Jul 27 11:40 ./dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ chmod a-w ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:40 .
258943 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:40 ./dirA
258973 4 dr-xr-xr-x 3 user1 user1 4096 Jul 27 11:40 ./dirA/dirB
259894 0 -rw-rw-r-- 1 user1 user1 0 Jul 27 11:40 ./dirA/dirB/file
259889 4 drwxrwxr-x 2 user1 user1 4096 Jul 27 11:40 ./dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ chmod a-rw ./dirA/dirB/file
user1@ubuntu20lts:~/tmp$ chmod a-rwx ./dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:40 .
258943 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:40 ./dirA
258973 4 dr-xr-xr-x 3 user1 user1 4096 Jul 27 11:40 ./dirA/dirB
259894 0 ---------- 1 user1 user1 0 Jul 27 11:40 ./dirA/dirB/file
259889 4 d--------- 2 user1 user1 4096 Jul 27 11:40 ./dirA/dirB/dirC
find: ‘./dirA/dirB/dirC’: Permission denied
user1@ubuntu20lts:~/tmp$ chmod a+rw ./dirA/dirB/file
user1@ubuntu20lts:~/tmp$ echo "test" > ./dirA/dirB/file
user1@ubuntu20lts:~/tmp$ cat ./dirA/dirB/file
test
Effects of write directory permission propagate only on files and subdirectories which are directly beneath the subject directory
- Directory
write permission doesn't propagate to the directory hieracy further than the directory directly beneath the subject directory
user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ touch dirA/dirB/dirC/file
user1@ubuntu20lts:~/tmp$ chmod a-w dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 13:13 .
258943 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 13:13 ./dirA
258973 4 dr-xr-xr-x 3 user1 user1 4096 Jul 27 13:13 ./dirA/dirB
259889 4 drwxrwxr-x 2 user1 user1 4096 Jul 27 13:13 ./dirA/dirB/dirC
259894 0 -rw-rw-r-- 1 user1 user1 0 Jul 27 13:13 ./dirA/dirB/dirC/file
user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/dirC/file ./dirA/dirB/dirC/file1
user1@ubuntu20lts:~/tmp$ chmod o+w ./dirA/dirB/dirC/file1
user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/dirC/file1 ./
user1@ubuntu20lts:~/tmp$ mv file1 ./dirA/dirB/dirC/file2
user1@ubuntu20lts:~/tmp$ touch ./dirA/dirB/dirC/file3
user1@ubuntu20lts:~/tmp$ rm ./dirA/dirB/dirC/file3
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 13:14 .
258943 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 13:13 ./dirA
258973 4 dr-xr-xr-x 3 user1 user1 4096 Jul 27 13:13 ./dirA/dirB
259889 4 drwxrwxr-x 2 user1 user1 4096 Jul 27 13:14 ./dirA/dirB/dirC
259894 0 -rw-rw-rw- 1 user1 user1 0 Jul 27 13:13 ./dirA/dirB/dirC/file2
Effects of write directory permission do not depend on permissions of files and subdirectories beneath the subject directory
- Within the directory with
write permission we can modify (rename, change attributes, delete) files and subdirectories which have no write permission
user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB
user1@ubuntu20lts:~/tmp$ touch dirA/file
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:05 .
258943 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:05 ./dirA
259889 0 -rw-rw-r-- 1 user1 user1 0 Jul 27 11:05 ./dirA/file
258973 4 drwxrwxr-x 2 user1 user1 4096 Jul 27 11:05 ./dirA/dirB
user1@ubuntu20lts:~/tmp$ chmod a-w dirA/file dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:05 .
258943 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:05 ./dirA
259889 0 -r--r--r-- 1 user1 user1 0 Jul 27 11:05 ./dirA/file
258973 4 dr-xr-xr-x 2 user1 user1 4096 Jul 27 11:05 ./dirA/dirB
user1@ubuntu20lts:~/tmp$ mv dirA/file dirA/file1
user1@ubuntu20lts:~/tmp$ mv dirA/dirB dirA/dirC
user1@ubuntu20lts:~/tmp$ chmod a-r ./dirA/file1
user1@ubuntu20lts:~/tmp$ chmod a-rx ./dirA/dirC
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:05 .
258943 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:06 ./dirA
259889 0 ---------- 1 user1 user1 0 Jul 27 11:05 ./dirA/file1
258973 4 d--------- 2 user1 user1 4096 Jul 27 11:05 ./dirA/dirC
find: ‘./dirA/dirC’: Permission denied
user1@ubuntu20lts:~/tmp$ rm -fr dirA/file1 dirA/dirC
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 11:05 .
258943 4 drwxrwxr-x 2 user1 user1 4096 Jul 27 11:06 ./dirA
- But within the directory with
write permission we can only move files but not subdirectories which have no write permission, ⁉️ which looks strange ⁉️
user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB
user1@ubuntu20lts:~/tmp$ touch dirA/file
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 12:34 .
258943 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 12:34 ./dirA
259889 0 -rw-rw-r-- 1 user1 user1 0 Jul 27 12:34 ./dirA/file
258973 4 drwxrwxr-x 2 user1 user1 4096 Jul 27 12:34 ./dirA/dirB
user1@ubuntu20lts:~/tmp$ chmod a-w dirA/file dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 12:34 .
258943 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 12:34 ./dirA
259889 0 -r--r--r-- 1 user1 user1 0 Jul 27 12:34 ./dirA/file
258973 4 dr-xr-xr-x 2 user1 user1 4096 Jul 27 12:34 ./dirA/dirB
user1@ubuntu20lts:~/tmp$ mv ./dirA/file ./
user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB ./
mv: cannot move './dirA/dirB' to './dirB': Permission denied
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 12:35 .
259889 0 -r--r--r-- 1 user1 user1 0 Jul 27 12:34 ./file
258943 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 12:35 ./dirA
258973 4 dr-xr-xr-x 2 user1 user1 4096 Jul 27 12:34 ./dirA/dirB
user1@ubuntu20lts:~/tmp$ chmod a+w dirA/dirB
user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB ./
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 4 user1 user1 4096 Jul 27 12:36 .
259889 0 -r--r--r-- 1 user1 user1 0 Jul 27 12:34 ./file
258943 4 drwxrwxr-x 2 user1 user1 4096 Jul 27 12:36 ./dirA
258973 4 drwxrwxrwx 2 user1 user1 4096 Jul 27 12:34 ./dirB
- Also within the directory with
write permission we cannot delete subdirectories which have no write permission and are not empty, but can rename them and change their attributes
user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB
user1@ubuntu20lts:~/tmp$ touch dirA/dirB/file
user1@ubuntu20lts:~/tmp$ chmod a-w dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 12:51 .
258943 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 12:51 ./dirA
258973 4 dr-xr-xr-x 2 user1 user1 4096 Jul 27 12:51 ./dirA/dirB
259889 0 -rw-rw-r-- 1 user1 user1 0 Jul 27 12:51 ./dirA/dirB/file
user1@ubuntu20lts:~/tmp$ rm -fr dirA/dirB
rm: cannot remove 'dirA/dirB/file': Permission denied
user1@ubuntu20lts:~/tmp$ rm -fr dirA/dirB/file
rm: cannot remove 'dirA/dirB/file': Permission denied
user1@ubuntu20lts:~/tmp$ mv dirA/dirB dirA/dirC
user1@ubuntu20lts:~/tmp$ chmod o+t ./dirA/dirC
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 12:51 .
258943 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 12:52 ./dirA
258973 4 dr-xr-xr-t 2 user1 user1 4096 Jul 27 12:51 ./dirA/dirC
259889 0 -rw-rw-r-- 1 user1 user1 0 Jul 27 12:51 ./dirA/dirC/file
user1@ubuntu20lts:~/tmp$ chmod a+w dirA/dirC
user1@ubuntu20lts:~/tmp$ rm -fr dirA/dirC/file
user1@ubuntu20lts:~/tmp$ chmod a-w dirA/dirC/
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 12:51 .
258943 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 12:52 ./dirA
258973 4 dr-xr-xr-t 2 user1 user1 4096 Jul 27 12:55 ./dirA/dirC
user1@ubuntu20lts:~/tmp$ rm -fr dirA/dirC/
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 27 12:51 .
258943 4 drwxrwxr-x 2 user1 user1 4096 Jul 27 12:55 ./dirA
Effects of execute directory permission
user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 28 15:19 .
258916 4 drwxrwxr-x 3 user1 user1 4096 Jul 28 15:19 ./dirA
258921 4 drwxrwxr-x 3 user1 user1 4096 Jul 28 15:19 ./dirA/dirB
258924 4 drwxrwxr-x 2 user1 user1 4096 Jul 28 15:19 ./dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ cd ./dirA/dirB
user1@ubuntu20lts:~/tmp/dirA/dirB$ cd dirC/
user1@ubuntu20lts:~/tmp/dirA/dirB/dirC$ cd ~/tmp
user1@ubuntu20lts:~/tmp$ chmod a-x ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 28 15:19 .
258916 4 drwxrwxr-x 3 user1 user1 4096 Jul 28 15:19 ./dirA
258921 4 drw-rw-r-- 3 user1 user1 4096 Jul 28 15:19 ./dirA/dirB
find: ‘./dirA/dirB/dirC’: Permission denied
user1@ubuntu20lts:~/tmp$ cd ./dirA/dirB
-bash: cd: ./dirA/dirB: Permission denied
user1@ubuntu20lts:~/tmp$ cd ./dirA/dirB/dirC
-bash: cd: ./dirA/dirB/dirC: Permission denied
Effects of execute directory permission propagate on all subdirectories of the subject directory
user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 12:34 .
258916 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 12:34 ./dirA
258920 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 12:34 ./dirA/dirB
258924 4 drwxrwxr-x 2 user1 user1 4096 Jul 31 12:34 ./dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ cd dirA/dirB
user1@ubuntu20lts:~/tmp/dirA/dirB$ cd dirC/
user1@ubuntu20lts:~/tmp/dirA/dirB/dirC$ cd ~/tmp
user1@ubuntu20lts:~/tmp$ chmod a-x dirA/dirB
user1@ubuntu20lts:~/tmp$ ls -la dirA/dirB
ls: cannot access 'dirA/dirB/.': Permission denied
ls: cannot access 'dirA/dirB/dirC': Permission denied
ls: cannot access 'dirA/dirB/..': Permission denied
total 0
d????????? ? ? ? ? ? .
d????????? ? ? ? ? ? ..
d????????? ? ? ? ? ? dirC
user1@ubuntu20lts:~/tmp$ ls -la dirA/dirB/dirC
ls: cannot access 'dirA/dirB/dirC': Permission denied
user1@ubuntu20lts:~/tmp$ cd dirA/dirB
-bash: cd: dirA/dirB: Permission denied
user1@ubuntu20lts:~/tmp$ cd dirA/dirB/dirC
-bash: cd: dirA/dirB/dirC: Permission denied
Effects of unset execute directory permission on read directory permission
user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ touch dirA/dirB/file dirA/dirB/dirC/file
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 28 15:59 .
258916 4 drwxrwxr-x 3 user1 user1 4096 Jul 28 15:59 ./dirA
258921 4 drwxrwxr-x 3 user1 user1 4096 Jul 28 16:00 ./dirA/dirB
258942 0 -rw-rw-r-- 1 user1 user1 0 Jul 28 16:00 ./dirA/dirB/file
258924 4 drwxrwxr-x 2 user1 user1 4096 Jul 28 16:00 ./dirA/dirB/dirC
258943 0 -rw-rw-r-- 1 user1 user1 0 Jul 28 16:00 ./dirA/dirB/dirC/file
user1@ubuntu20lts:~/tmp$ chmod a-x ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 28 15:59 .
258916 4 drwxrwxr-x 3 user1 user1 4096 Jul 28 15:59 ./dirA
258921 4 drw-rw-r-- 3 user1 user1 4096 Jul 28 16:00 ./dirA/dirB
find: ‘./dirA/dirB/file’: Permission denied
find: ‘./dirA/dirB/dirC’: Permission denied
user1@ubuntu20lts:~/tmp$ ls -l ./dirA/dirB
ls: cannot access './dirA/dirB/file': Permission denied
ls: cannot access './dirA/dirB/dirC': Permission denied
total 0
d????????? ? ? ? ? ? dirC
-????????? ? ? ? ? ? file
user1@ubuntu20lts:~/tmp$ ls -l ./dirA/dirB/dirC
ls: cannot access './dirA/dirB/dirC': Permission denied
user1@ubuntu20lts:~/tmp$ ls -l ./dirA/dirB/file
ls: cannot access './dirA/dirB/file': Permission denied
user1@ubuntu20lts:~/tmp$ cat ./dirA/dirB/file
cat: ./dirA/dirB/file: Permission denied
Effects of unset execute directory permission on write directory permission
user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ touch dirA/dirB/file dirA/dirB/dirC/file
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 06:11 .
258916 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 06:11 ./dirA
258920 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 06:11 ./dirA/dirB
258922 0 -rw-rw-r-- 1 user1 user1 0 Jul 31 06:11 ./dirA/dirB/file
258921 4 drwxrwxr-x 2 user1 user1 4096 Jul 31 06:11 ./dirA/dirB/dirC
258924 0 -rw-rw-r-- 1 user1 user1 0 Jul 31 06:11 ./dirA/dirB/dirC/file
user1@ubuntu20lts:~/tmp$ chmod a-x ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 06:11 .
258916 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 06:11 ./dirA
258920 4 drw-rw-r-- 3 user1 user1 4096 Jul 31 06:11 ./dirA/dirB
find: ‘./dirA/dirB/file’: Permission denied
find: ‘./dirA/dirB/dirC’: Permission denied
user1@ubuntu20lts:~/tmp$ rm -fr ./dirA/dirB/file
rm: cannot remove './dirA/dirB/file': Permission denied
user1@ubuntu20lts:~/tmp$ rm -fr ./dirA/dirB/dirC
rm: cannot remove './dirA/dirB/dirC': Permission denied
user1@ubuntu20lts:~/tmp$ touch ./dirA/dirB/file1
touch: cannot touch './dirA/dirB/file1': Permission denied
user1@ubuntu20lts:~/tmp$ mkdir ./dirA/dirB/dirD
mkdir: cannot create directory ‘./dirA/dirB/dirD’: Permission denied
user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/file ./dirA/dirB/file1
mv: failed to access './dirA/dirB/file1': Permission denied
user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/dirC ./dirA/dirB/dirD
mv: failed to access './dirA/dirB/dirD': Permission denied
user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/file ./
mv: cannot stat './dirA/dirB/file': Permission denied
user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/dirC ./
mv: cannot stat './dirA/dirB/dirC': Permission denied
user1@ubuntu20lts:~/tmp$ chmod a+x ./dirA/dirB/file
chmod: cannot access './dirA/dirB/file': Permission denied
Combining execute and write directory permissions with unset read directory permission
user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ touch dirA/dirB/dirC/file
user1@ubuntu20lts:~/tmp$ echo test > dirA/dirB/file
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 11:39 .
258916 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 11:39 ./dirA
258920 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 11:39 ./dirA/dirB
258943 4 -rw-rw-r-- 1 user1 user1 5 Jul 31 11:39 ./dirA/dirB/file
258924 4 drwxrwxr-x 2 user1 user1 4096 Jul 31 11:39 ./dirA/dirB/dirC
258942 0 -rw-rw-r-- 1 user1 user1 0 Jul 31 11:39 ./dirA/dirB/dirC/file
user1@ubuntu20lts:~/tmp$ chmod a-r ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 11:39 .
258916 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 11:39 ./dirA
258920 4 d-wx-wx--x 3 user1 user1 4096 Jul 31 11:39 ./dirA/dirB
find: ‘./dirA/dirB’: Permission denied
user1@ubuntu20lts:~/tmp$ ls -la ./dirA/dirB/file
-rw-rw-r-- 1 user1 user1 5 Jul 31 11:39 ./dirA/dirB/file
user1@ubuntu20lts:~/tmp$ cat ./dirA/dirB/file
test
user1@ubuntu20lts:~/tmp$ ls -la ./dirA/dirB/dirC
total 8
drwxrwxr-x 2 user1 user1 4096 Jul 31 11:39 .
d-wx-wx--x 3 user1 user1 4096 Jul 31 11:39 ..
-rw-rw-r-- 1 user1 user1 0 Jul 31 11:39 file
user1@ubuntu20lts:~/tmp$ cd ./dirA/dirB
user1@ubuntu20lts:~/tmp/dirA/dirB$ find . -ls
258920 4 d-wx-wx--x 3 user1 user1 4096 Jul 31 11:39 .
find: ‘.’: Permission denied
user1@ubuntu20lts:~/tmp/dirA/dirB$ ls -la .
ls: cannot open directory '.': Permission denied
user1@ubuntu20lts:~/tmp/dirA/dirB$ mkdir dirD
user1@ubuntu20lts:~/tmp/dirA/dirB$ mv dirD dirE
user1@ubuntu20lts:~/tmp/dirA/dirB$ rm -fr dirE
user1@ubuntu20lts:~/tmp/dirA/dirB$ touch file1
user1@ubuntu20lts:~/tmp/dirA/dirB$ mv file1 file2
user1@ubuntu20lts:~/tmp/dirA/dirB$ rm -fr file2
user1@ubuntu20lts:~/tmp/dirA/dirB$ mv dirC ../
user1@ubuntu20lts:~/tmp/dirA/dirB$ chmod a+x file
user1@ubuntu20lts:~/tmp/dirA/dirB$ ls -la file
-rwxrwxr-x 1 user1 user1 5 Jul 31 11:39 file
Effects of setting only execute directory permission
user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ echo test > dirA/dirB/file
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 13:48 .
258916 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 13:48 ./dirA
258920 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 13:48 ./dirA/dirB
258942 4 -rw-rw-r-- 1 user1 user1 5 Jul 31 13:48 ./dirA/dirB/file
258924 4 drwxrwxr-x 2 user1 user1 4096 Jul 31 13:48 ./dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ chmod a-wr ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
258312 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 13:48 .
258916 4 drwxrwxr-x 3 user1 user1 4096 Jul 31 13:48 ./dirA
258920 4 d--x--x--x 3 user1 user1 4096 Jul 31 13:48 ./dirA/dirB
find: ‘./dirA/dirB’: Permission denied
user1@ubuntu20lts:~/tmp$ ls -la ./dirA/dirB
ls: cannot open directory './dirA/dirB': Permission denied
user1@ubuntu20lts:~/tmp$ ls -l ./dirA/dirB/file
-rw-rw-r-- 1 user1 user1 5 Jul 31 13:48 ./dirA/dirB/file
user1@ubuntu20lts:~/tmp$ ls -l ./dirA/dirB/dirC
total 0
user1@ubuntu20lts:~/tmp$ cd dirA/dirB/
user1@ubuntu20lts:~/tmp/dirA/dirB$ ls -la
ls: cannot open directory '.': Permission denied
user1@ubuntu20lts:~/tmp/dirA/dirB$ find . -ls
258920 4 d--x--x--x 3 user1 user1 4096 Jul 31 13:48 .
find: ‘.’: Permission denied
user1@ubuntu20lts:~/tmp/dirA/dirB$ cd dirC
user1@ubuntu20lts:~/tmp/dirA/dirB/dirC$ cd ~/tmp
user1@ubuntu20lts:~/tmp$ cat ./dirA/dirB/file
test
user1@ubuntu20lts:~/tmp$ echo "date" > ./dirA/dirB/file
user1@ubuntu20lts:~/tmp$ chmod a+x ./dirA/dirB/file
user1@ubuntu20lts:~/tmp$ ls -l ./dirA/dirB/file
-rwxrwxr-x 1 user1 user1 5 Jul 31 13:49 ./dirA/dirB/file
user1@ubuntu20lts:~/tmp$ ./dirA/dirB/file
Fri 31 Jul 2020 01:49:55 PM UTC
user1@ubuntu20lts:~/tmp$ touch ./dirA/dirB/file1
touch: cannot touch './dirA/dirB/file1': Permission denied
user1@ubuntu20lts:~/tmp$ mkdir ./dirA/dirB/dirD
mkdir: cannot create directory ‘./dirA/dirB/dirD’: Permission denied
user1@ubuntu20lts:~/tmp$ rm -fr ./dirA/dirB/file
rm: cannot remove './dirA/dirB/file': Permission denied
user1@ubuntu20lts:~/tmp$ rm -fr ./dirA/dirB/dirC
rm: cannot remove './dirA/dirB/dirC': Permission denied
user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/file ./dirA/dirB/file1
mv: cannot move './dirA/dirB/file' to './dirA/dirB/file1': Permission denied
user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/dirC ./dirA/dirB/dirD
mv: cannot move './dirA/dirB/dirC' to './dirA/dirB/dirD': Permission denied
user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/file ./
mv: cannot move './dirA/dirB/file' to './file': Permission denied
user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/dirC ./
mv: cannot move './dirA/dirB/dirC' to './dirC': Permission denied
Additional flags: SUID, SGID, Sticky bit
-
SUID (Set User ID) flag — works only on files
-
On fies
- A process executing a file keeps its effective
UID (User ID) the same as UID of the user running the executable
- If the executable file has the
SUID flag set, the process sets its effective UID equals to the file's owner
- Due to security reason
SUID flag only works on Linux ELF executables, meaning it does nothing on a Bash or Python scripts files
- Examples of well-known Linux system executables with
SUID flag set
-
/usr/bin/passwd
-
SUID flag set because the passwords are stored in the /etc/shadow file, which has no permission on group or other user level
-
/usr/bin/mount
-
SUID flag set because only the root can mount filesystems, but when /etc/fstab contains the user option, anybody can mount the corresponding filesystem
-
SGID (Set Group ID) flag — works both on files and directories
-
On files
- A process executing a file keeps its effective
GID (Group ID) the same as GID of the user running the executable
- If the executable file has the
SGID flag set, the process sets its effective GID equals to the file's group
- Due to security reason
SGID flag works only on Linux ELF executables, meaning it does nothing on a Bash or Python scripts files
- Examples of well-known Linux system executables with
SGID flag set
-
/usr/bin/ssh-agent
-
SGID flag set to prevent ptrace(2) attacks retrieving private key material
-
/usr/bin/crontab
-
SGID flag set to provide the following restrictions (together with crontab binary owned by crontab group, and crontab spool directory owned by crontab group and Sticky bit set on it)
- limiting access to
crontab spool directory (/var/spool/cron/crontabs)
- limiting edit or read access to users'
crontab files (/var/spool/cron/crontabs/<username>) only via crontab binary
-
On directories
- When a file is created by a process, its
GID (Group ID) can be either the GID of the creator process or the GID of the parent directory, depending on the value of the SGID flag of the parent directory
- This behavior is applied only to
SGID flag, but not to SUID flag, SUID flag doesn't have such a behavior
-
SGID on directories is used for creating collaborative directories where some users work together on some project and belong to the same group and should be able to see each other's files providing read file permission on that group level
-
Sticky bit — currently works only on directories (using it on files is deprecated)
-
On files
- This approach has become obsolete and is deprecated now, sharing of code pages is used
Running an executable file with the Sticky bit set requests the kernel to keep the program in memory after its execution terminates
-
On directories
- With the
Sticky bit set on a directory, only the file's owner, the directory's owner, or root user can modify (for example delete or rename) the files and subdirectories in the directory
- Without the
Sticky bit set on a directory, any user with write and execute permissions for the directory can modify contained files and subdirectories in the directory, regardless of the their owners
- If a user wants to create files and subdirectories in some directory, he/she needs
write and exectute permissions on that directory
- These
write and exectute permissions on the directory gives the user the privilege to create files and subdirectories as well as the privilege to modify them
- At the same time the user can modify any files or subdirectories in this directory, the permissions of those files and subdirectories do not have any effect on modification
- With
Sticky bit set on a directory, anyone can create files in the directory, but can modify his/her own files only - files owned by other users cannot be modified
- Examples of well-known Linux system directories with
SGID flag set
-
/tmp
- The
Sticky bit is used for /tmp directory because it has to have all the rights on all the user's permission triads allowing all the users to create/delete their temporary files there
-
/var/spool/cron/crontabs
- For details why the
Sticky bit is used here, see the explanation of SGID flag set on /usr/bin/crontab above
SUID, SGID, and Sticky bit examples
Effects of SUID flag
user3@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user3@ubuntu20lts:~/tmp$ cp $(which id) ./
user3@ubuntu20lts:~/tmp$ sudo chown user1 ./id
user3@ubuntu20lts:~/tmp$ sudo chmod u+s ./id
user3@ubuntu20lts:~/tmp$ ls -l ./id
-rwsr-xr-x 1 user1 user3 47480 Jul 26 11:07 ./id
user3@ubuntu20lts:~/tmp$ id
uid=2003(user3) gid=2003(user3) groups=2003(user3)
user3@ubuntu20lts:~/tmp$ ./id
uid=2003(user3) gid=2003(user3) euid=2001(user1) groups=2003(user3)
Effects of SGID flag on files
user3@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user3@ubuntu20lts:~/tmp$ cp $(which id) ./
user3@ubuntu20lts:~/tmp$ sudo chgrp user2 ./id
user3@ubuntu20lts:~/tmp$ sudo chmod g+s ./id
user3@ubuntu20lts:~/tmp$ ls -l ./id
-rwxr-sr-x 1 user3 user2 47480 Jul 26 11:13 ./id
user3@ubuntu20lts:~/tmp$ id
uid=2003(user3) gid=2003(user3) groups=2003(user3)
user3@ubuntu20lts:~/tmp$ ./id
uid=2003(user3) gid=2003(user3) egid=2002(user2) groups=2002(user2),2003(user3)
Effects of SGID flag on directories
- If
SGID flag is not set the created file get its GID from the creator process
user3@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user3@ubuntu20lts:~/tmp$ echo "#/usr/bin/env bash" > file
user3@ubuntu20lts:~/tmp$ echo "touch test" >> file
user3@ubuntu20lts:~/tmp$ chmod a+x file
user3@ubuntu20lts:~/tmp$ sudo chgrp user1 ./
user3@ubuntu20lts:~/tmp$ find . -ls
258932 4 drwxrwxr-x 2 user3 user1 4096 Jul 27 06:25 .
258938 4 -rwxrwxr-x 1 user3 user3 30 Jul 27 06:25 ./file
user3@ubuntu20lts:~/tmp$ ./file
user3@ubuntu20lts:~/tmp$ find . -ls
258932 4 drwxrwxr-x 2 user3 user1 4096 Jul 27 06:26 .
258938 4 -rwxrwxr-x 1 user3 user3 30 Jul 27 06:25 ./file
258941 0 -rw-rw-r-- 1 user3 user3 0 Jul 27 06:26 ./test
- If
SGID flag is set the created file get its GID from the parent directory
user3@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user3@ubuntu20lts:~/tmp$ echo "#/usr/bin/env bash" > file
user3@ubuntu20lts:~/tmp$ echo "touch test" >> file
user3@ubuntu20lts:~/tmp$ chmod a+x file
user3@ubuntu20lts:~/tmp$ chmod g+s ./
user3@ubuntu20lts:~/tmp$ sudo chgrp user1 ./
user3@ubuntu20lts:~/tmp$ find . -ls
258932 4 drwxrwsr-x 2 user3 user1 4096 Jul 27 06:27 .
258938 4 -rwxrwxr-x 1 user3 user3 30 Jul 27 06:27 ./file
user3@ubuntu20lts:~/tmp$ ./file
user3@ubuntu20lts:~/tmp$ find . -ls
258932 4 drwxrwsr-x 2 user3 user1 4096 Jul 27 06:27 .
258938 4 -rwxrwxr-x 1 user3 user3 30 Jul 27 06:27 ./file
258941 0 -rw-rw-r-- 1 user3 user1 0 Jul 27 06:27 ./test
No effects of SUID flag on directories
- Even if
SUID flag is set, it has no effect on a directory
user3@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user3@ubuntu20lts:~/tmp$ echo "#/usr/bin/env bash" > file
user3@ubuntu20lts:~/tmp$ echo "touch test" >> file
user3@ubuntu20lts:~/tmp$ chmod a+x file
user3@ubuntu20lts:~/tmp$ chmod u+s ./
user3@ubuntu20lts:~/tmp$ sudo chown user2 ./
user3@ubuntu20lts:~/tmp$ find . -ls
258932 4 drwsrwxr-x 2 user2 user3 4096 Jul 27 06:29 .
258938 4 -rwxrwxr-x 1 user3 user3 30 Jul 27 06:30 ./file
user3@ubuntu20lts:~/tmp$ ./file
user3@ubuntu20lts:~/tmp$ find . -ls
258932 4 drwsrwxr-x 2 user2 user3 4096 Jul 27 06:30 .
258938 4 -rwxrwxr-x 1 user3 user3 30 Jul 27 06:30 ./file
258941 0 -rw-rw-r-- 1 user3 user3 0 Jul 27 06:30 ./test
Effects of Sticky bit
- If the
Sticky bit is not set it allows user1 to delete files of user3
user3@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user3@ubuntu20lts:~/tmp$ chmod a+rwx ./
user3@ubuntu20lts:~/tmp$ touch user3-file
user3@ubuntu20lts:~/tmp$ mkdir user3-dir
user3@ubuntu20lts:~/tmp$ find . -ls
258932 4 drwxrwxrwx 3 user3 user3 4096 Jul 27 07:08 .
258941 4 drwxrwxr-x 2 user3 user3 4096 Jul 27 07:08 ./user3-dir
258938 0 -rw-rw-r-- 1 user3 user3 0 Jul 27 07:07 ./user3-file
user3@ubuntu20lts:~/tmp$ pwd
/home/user3/tmp
user3@ubuntu20lts:~/tmp$ sudo -i -u user1
user1@ubuntu20lts:~$ cd /home/user3/tmp
user1@ubuntu20lts:/home/user3/tmp$ find . -ls
258932 4 drwxrwxrwx 3 user3 user3 4096 Jul 27 07:08 .
258941 4 drwxrwxr-x 2 user3 user3 4096 Jul 27 07:08 ./user3-dir
258938 0 -rw-rw-r-- 1 user3 user3 0 Jul 27 07:07 ./user3-file
user1@ubuntu20lts:/home/user3/tmp$ rm -fr user3*
user1@ubuntu20lts:/home/user3/tmp$ find . -ls
258932 4 drwxrwxrwx 2 user3 user3 4096 Jul 27 07:09 .
user1@ubuntu20lts:/home/user3/tmp$ logout
user3@ubuntu20lts:~/tmp$ find . -ls
258932 4 drwxrwxrwx 2 user3 user3 4096 Jul 27 07:09 .
- If the
Sticky bit is set it doesn't allow user1 to delete files of user3
user3@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp
user3@ubuntu20lts:~/tmp$ chmod a+rwx ./
user3@ubuntu20lts:~/tmp$ chmod o+t ./
user3@ubuntu20lts:~/tmp$ touch user3-file
user3@ubuntu20lts:~/tmp$ mkdir user3-dir
user3@ubuntu20lts:~/tmp$ find . -ls
258917 4 drwxrwxrwt 3 user3 user3 4096 Jul 27 07:42 .
258932 4 drwxrwxr-x 2 user3 user3 4096 Jul 27 07:42 ./user3-dir
258918 0 -rw-rw-r-- 1 user3 user3 0 Jul 27 07:42 ./user3-file
user3@ubuntu20lts:~/tmp$ pwd
/home/user3/tmp
user3@ubuntu20lts:~/tmp$ sudo -i -u user1
user1@ubuntu20lts:~$ cd /home/user3/tmp
user1@ubuntu20lts:/home/user3/tmp$ find . -ls
258917 4 drwxrwxrwt 3 user3 user3 4096 Jul 27 07:42 .
258932 4 drwxrwxr-x 2 user3 user3 4096 Jul 27 07:42 ./user3-dir
258918 0 -rw-rw-r-- 1 user3 user3 0 Jul 27 07:42 ./user3-file
user1@ubuntu20lts:/home/user3/tmp$ rm -fr ./user3-file
rm: cannot remove './user3-file': Operation not permitted
user1@ubuntu20lts:/home/user3/tmp$ rm -fr ./user3-dir
rm: cannot remove './user3-dir': Operation not permitted
Top comments (0)