Linux Permissions & Security: Hands-On Guide (Ubuntu)
Prerequisites
- Ubuntu system (desktop or server)
- Terminal access
- Sudo privileges
1. Basic File Permissions
In Linux, each file grants permissions to three classes of users:
- User (u) – Owner of the file
- Group (g) – Users belonging to the file's group
- Others (o) – Everyone else
And three types of permissions:
- Read (r) – View the contents of a file; on a directory, list its entries
- Write (w) – Modify the contents of a file; on a directory, create, delete or rename entries (deleting a file needs write on the directory, not on the file itself)
- Execute (x) – Run the file as a program or script; on a directory, enter it and open entries by name
Only one class applies to a given access: if you own the file, the owner bits decide, even when the group or others bits are more permissive.
Step 1: Create a test file
mkdir ~/perms-test && cd ~/perms-test
touch file.txt
ls -l file.txt
This shows the default permissions. With the usual umask of 022 you'll see something like -rw-r--r--: the owner can read and write, the group and everyone else can only read.
Step 2: Change permissions using chmod
chmod 644 file.txt # rw-r--r-- (user can read/write, group/others can read)
chmod u+x file.txt # Add execute permission to user
chmod o-r file.txt # Remove read from others
Step 3: Change ownership using chown
sudo chown $USER:$USER file.txt
chown changes the owner and (after the colon) the group of a file. Only root may change the owner, which is why it runs under sudo; an unprivileged user can only change the group of files they own, and only to a group they are a member of (chgrp does the same). The command above is a no-op because you already own file.txt; to see a change, run sudo chown root:root file.txt, look at ls -l, then give it back with the line above.
2. Umask (Default Permission Mask)
umask controls which permission bits are removed from files and directories a process creates.
- Default umask is usually 0022
- The bits set in the umask are cleared from the base mode: Final = Base AND NOT Umask. It is a bitwise operation, not arithmetic subtraction; the two only agree for simple masks such as 022 (666 with umask 027 gives 640, not 637).
- Base is 666 for files and 777 for directories (the mode the creating program asks for; a umask can only remove bits, so a new file never gains execute from the umask alone)
Step 1: Check current umask
umask
Step 2: Create new file to test
touch test.txt
ls -l test.txt
Step 3: Set a different umask temporarily
umask 027
umask
Now new files get 640 (rw-r-----) and new directories 750 (rwxr-x---): the group keeps read access, everyone else gets nothing. The setting only affects this shell and the processes it starts.
Step 4: Make it permanent (optional)
Add to ~/.bashrc or ~/.profile:
umask 027
This covers your own shell sessions; the system-wide login default is the UMASK setting in /etc/login.defs, and services take their umask from their own unit or configuration, not from your shell.
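The following script is an added example, not part of the original guide: it computes the mode a new file or directory receives under a given umask with the real rule (Base AND NOT Umask), shows where the naive "Base - Umask" shortcut goes wrong, and then checks the computed value against what the kernel actually does in a scratch directory. The function names and the scratch directory are the example's own choices.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): computes the mode a new file or
# directory receives under a given umask with the real rule (Base AND NOT
# Umask), shows where the naive "Base - Umask" shortcut goes wrong, and checks
# the result against what the kernel actually does in a scratch directory.
set -eu

# effective_mode BASE UMASK -> resulting octal mode (arguments are octal;
# BASE is 666 for files and 777 for directories).
effective_mode() {
    printf '%o\n' $(( 0$1 & ~0$2 ))
}

# subtract_mode BASE UMASK -> the naive arithmetic version, for comparison.
subtract_mode() {
    printf '%o\n' $(( 0$1 - 0$2 ))
}

# observed_modes UMASK -> creates a file and a directory under UMASK and prints
# "<file mode> <dir mode>" as reported by stat, e.g. "640 750".
observed_modes() {
    local scratch
    scratch=$(mktemp -d)
    ( umask "$1"; touch "$scratch/f"; mkdir "$scratch/d" )
    printf '%s %s\n' "$(stat -c %a "$scratch/f")" "$(stat -c %a "$scratch/d")"
    rm -rf "$scratch"
}

for m in 022 027 077; do
    printf 'umask %s: file %s, dir %s (subtraction would claim file %s)\n' \
        "$m" "$(effective_mode 666 "$m")" "$(effective_mode 777 "$m")" \
        "$(subtract_mode 666 "$m")"
done
printf 'kernel says, with umask 027: %s\n' "$(observed_modes 027)"
```

For 022 the two formulas agree (644), which is why the subtraction shortcut survives in so many tutorials; for 027 subtraction produces 637, a mode with a nonsensical others field, while the kernel produces 640.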
3. Special Permission Bits
3.1 SUID (Set User ID)
- Makes an executable run with the effective user ID of the file's owner instead of the user who started it. The kernel honours the bit only on native executables; it is ignored on interpreted scripts (files starting with #!), so a SUID shell script grants nothing.
sudo cp /bin/ping ./ping_test
sudo chmod u+s ping_test
ls -l ping_test # Look for 's' in the user exec position: -rwsr-xr-x
Because cp ran as root, ping_test is owned by root, so you have just created a real SUID-root binary; delete it when you are done (the cleanup step does). A capital S in that position means the bit is set on a file that is not executable, which is pointless but worth noticing in an audit. Current Ubuntu releases ship ping without SUID (it carries a file capability instead, and cp does not copy capabilities), so this copy only demonstrates the bit, not how the installed ping is normally privileged. To list every SUID or SGID file on a filesystem:
sudo find / -xdev -type f -perm /6000 -ls
3.2 SGID (Set Group ID)
- On an executable: the program runs with the effective group ID of the file's group.
- On a directory: new files inherit the directory's group instead of the creator's primary group, and new subdirectories also inherit the SGID bit. This is what keeps a shared project directory readable by the whole group; pair it with a group-friendly umask such as 002 or 007.
mkdir sgid_dir
chmod g+s sgid_dir
ls -ld sgid_dir # Look for 's' in the group exec position: drwxr-sr-x
3.3 Sticky Bit
- Commonly used on world-writable shared directories like /tmp. Everyone can create files there, but a file can only be deleted or renamed by the file's owner, the directory's owner, or root. Without the sticky bit, write permission on the directory would let any user remove or replace other users' files.
mkdir sticky_dir
chmod 1777 sticky_dir
or, equivalently:
chmod +t sticky_dir
ls -ld sticky_dir # Look for 't' at the end: drwxrwxrwt
A world-writable directory that lacks the sticky bit is a finding; list them with:
sudo find / -xdev -type d -perm -0002 ! -perm -1000 -ls
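As an added example (not part of the original guide), here is the audit a practitioner would run over a tree for all three special bits at once: SUID files, SGID files, and world-writable directories that lack the sticky bit, compared against an allowlist so only the unexpected entries are reported. The scratch tree, the file names and the allowlist are constructed for the demonstration; point special_bits at / on a real host.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): an audit of a directory tree for
# the three special bits, built from the find(1) tests you would run against /
# on a real host. The scratch tree and the allowlist are constructed for the
# demonstration; nothing here is a real system path.
set -eu

# special_bits ROOT -> one tab-separated line per hit: kind, octal mode, owner, path
#   suid     : regular file with the set-user-ID bit
#   sgid     : regular file with the set-group-ID bit
#   nosticky : world-writable directory WITHOUT the sticky bit, where any user
#              can delete or rename other users' files
# -xdev stays on one filesystem; the output is sorted so it can be diffed
# against a saved baseline on the next run.
special_bits() {
    local root=$1
    {
        find "$root" -xdev -type f -perm -4000 -printf 'suid\t%m\t%u\t%p\n'
        find "$root" -xdev -type f -perm -2000 -printf 'sgid\t%m\t%u\t%p\n'
        find "$root" -xdev -type d -perm -0002 ! -perm -1000 -printf 'nosticky\t%m\t%u\t%p\n'
    } | sort
}

# unexpected ROOT ALLOWLIST -> the special_bits lines whose path is not listed in
# ALLOWLIST (one absolute path per line). Returns 1 when anything is printed.
unexpected() {
    special_bits "$1" | awk -F'\t' -v allow="$2" '
        BEGIN { while ((getline line < allow) > 0) ok[line] = 1 }
        !($4 in ok) { print; found = 1 }
        END { exit found ? 1 : 0 }
    '
}

# --- constructed demonstration tree -------------------------------------
demo=$(mktemp -d)
mkdir -p "$demo/usr/bin" "$demo/srv/shared" "$demo/srv/dropbox"
: > "$demo/usr/bin/passwd_copy"; chmod 4755 "$demo/usr/bin/passwd_copy" # expected SUID
: > "$demo/usr/bin/backdoor";    chmod 4755 "$demo/usr/bin/backdoor"    # not on the allowlist
: > "$demo/usr/bin/wall_copy";   chmod 2755 "$demo/usr/bin/wall_copy"   # expected SGID
chmod 1777 "$demo/srv/shared"   # world-writable with sticky bit: fine
chmod 0777 "$demo/srv/dropbox"  # world-writable without sticky bit: flagged
printf '%s\n' "$demo/usr/bin/passwd_copy" "$demo/usr/bin/wall_copy" > "$demo/allow.txt"

echo "all special bits under $demo:"
special_bits "$demo"
echo "not on the allowlist:"
unexpected "$demo" "$demo/allow.txt" || echo "(audit found unexpected entries)"
rm -rf "$demo"
```

On a real host, save the first run's special_bits output as the baseline and feed it back as the allowlist; a new SUID binary or a directory that lost its sticky bit then shows up as a diff rather than as one line among hundreds.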
4. File Attributes (using chattr and lsattr)
Attributes provide extra protection beyond chmod. They are enforced by the filesystem itself (ext4, XFS and Btrfs support them; tmpfs does not), regardless of who the caller is.
Step 1: Set immutable attribute
touch immutable.txt
sudo chattr +i immutable.txt
lsattr immutable.txt
Immutable files can't be modified, renamed, hard-linked or deleted, even by root, until the attribute is cleared; clearing it needs CAP_LINUX_IMMUTABLE, which normally means root. It is a guard against accidents and against non-root tampering, not a defence against an attacker who already has root (they can run chattr -i too). The related +a attribute allows only appending, which suits log files.
Step 2: Try editing or deleting it
echo "test" > immutable.txt # Fails: Operation not permitted
rm immutable.txt # Fails: Operation not permitted, even with sudo
Step 3: Remove the attribute
sudo chattr -i immutable.txt
5. SELinux vs AppArmor (Ubuntu uses AppArmor)
- SELinux is more common on Red Hat-based systems.
- Ubuntu uses AppArmor by default for Mandatory Access Control (MAC): per-program profiles in /etc/apparmor.d/ that limit what a confined program may access, on top of the permission bits above.
Step 1: Check if SELinux is installed
sestatus # On a stock Ubuntu this returns "command not found": the SELinux userland is not installed
Step 2: Check AppArmor status
sudo aa-status
Shows the loaded profiles, which are in enforce mode (violations blocked and logged) and which are in complain mode (violations only logged), and the processes confined by each. aa-enforce and aa-complain from the apparmor-utils package switch a profile between the two modes.
6. Mount Options: nosuid, nodev, noexec
These options restrict what the kernel honours on a whole filesystem, independently of the permission bits stored on it:
- nosuid: SUID and SGID bits on files in this filesystem are ignored on exec (the bits stay visible in ls -l)
- nodev: device nodes in this filesystem cannot be used as devices
- noexec: files in this filesystem cannot be executed directly
Step 1: Create a virtual disk and mount it
mkdir ~/mnt-test
dd if=/dev/zero of=loopback.img bs=1M count=50
mkfs.ext4 -F loopback.img # -F: don't stop to ask because the target is a regular file
sudo mount -o loop loopback.img ~/mnt-test
sudo chown $USER ~/mnt-test # the root directory of a fresh ext4 filesystem belongs to root
findmnt -no OPTIONS ~/mnt-test # shows the options actually in effect
Step 2: Test with nosuid
sudo mount -o remount,nosuid ~/mnt-test
findmnt -no OPTIONS ~/mnt-test # now includes nosuid
nosuid disables SUID/SGID execution on this filesystem: a SUID-root binary copied here still shows the s bit but runs with the caller's own privileges.
Step 3: Test with noexec
sudo mount -o remount,nosuid,noexec ~/mnt-test # Step 2 only set nosuid; list every option you want on the remount and confirm with findmnt
printf '#!/bin/bash\necho Hello\n' > ~/mnt-test/test.sh
chmod +x ~/mnt-test/test.sh
~/mnt-test/test.sh # Fails with "Permission denied" even though the x bit is set
bash ~/mnt-test/test.sh # Still prints Hello
noexec prevents direct execution of binaries and scripts on the mounted filesystem, but nothing stops an interpreter from reading the file (bash script.sh, python3 script.py), so treat it as a speed bump, not a boundary.
Step 4: Unmount
sudo umount ~/mnt-test
To make these options permanent, add them to the options column of the filesystem's line in /etc/fstab. Before putting noexec on /tmp, check that nothing you rely on (some installers and build tools) runs helpers from there.
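As an added example (not part of the original guide), the script below does the check you would run after hardening: it reads a mount table in the /proc/self/mounts format and reports which of nosuid, nodev and noexec are missing from mount points that should carry them. The mount table embedded in it is constructed sample data, and the policy in wanted_opts is an assumption for the demonstration that you would adapt to the host.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): reports which of nosuid, nodev
# and noexec are missing from mount points that should carry them. It reads
# the /proc/self/mounts format; the mount table below is constructed sample
# data and the policy in wanted_opts is an assumption to adapt per host.
set -eu

# wanted_opts MOUNTPOINT -> the options that mount point should have, or
# nothing if the policy does not cover it.
wanted_opts() {
    case "$1" in
        /tmp|/dev/shm|/var/log|/var/tmp) echo "nosuid nodev noexec" ;;
        /home)                           echo "nosuid nodev" ;;
        *)                               echo "" ;;
    esac
}

# missing_opts OPTIONS WANTED -> the WANTED options (space-separated) that are
# absent from the comma-separated OPTIONS field; empty when nothing is missing.
missing_opts() {
    opts=",$1," out=""
    for o in $2; do
        case "$opts" in
            *",$o,"*) ;;
            *) out="$out $o" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# audit_mounts < mount-table -> one "<mountpoint> missing: <opts>" line per
# covered mount point that lacks something; exit status 1 if any were found.
audit_mounts() {
    found=0
    while read -r dev mnt fstype opts rest; do
        want=$(wanted_opts "$mnt")
        [ -n "$want" ] || continue
        miss=$(missing_opts "$opts" "$want")
        if [ -n "$miss" ]; then
            printf '%s missing: %s\n' "$mnt" "$miss"
            found=1
        fi
    done
    return $found
}

# Constructed sample in /proc/self/mounts format:
# device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime,size=4194304k 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /home ext4 rw,relatime 0 0
/dev/sda4 /var/log ext4 rw,nosuid,nodev,noexec,relatime 0 0'

printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts || echo "(some mounts need hardening)"
# On a live host, run the same check against the real table:
#   audit_mounts < /proc/self/mounts
```

The options field is matched with commas on both sides so that "nodev" does not accidentally satisfy a check for "dev" or vice versa; the same function works on the output of findmnt -no OPTIONS when the policy is checked one mount point at a time.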
7. Additional Topics for Advanced Security
7.1 Access Control Lists (ACLs)
ACLs add per-user and per-group entries on top of the owner/group/other bits, so a file can be shared with named users without changing its group or opening it to everyone. The setfacl and getfacl tools come from the acl package; ext4 on Ubuntu has ACL support enabled by default.
Commands:
setfacl -m u:username:r file.txt # Give read access to a specific user
getfacl file.txt # View ACLs
setfacl -x u:username file.txt # Remove the entry for that user
Useful when more than one user needs a different level of access to the same file. Two things to check when an ACL does not behave as expected: ls -l shows a + after the mode of any file that carries an ACL, and the mask entry printed by getfacl caps every named user and group entry (a chmod on the group bits rewrites that mask and can silently cut named users back). Default entries (setfacl -d -m ...) on a directory are copied to files created inside it.
7.2 Sudo Configuration (/etc/sudoers)
Allows restricting and auditing root access per user or group.
Safely edit the sudoers file (visudo checks the syntax before saving, so a typo cannot lock everybody out of sudo):
sudo visudo
Example entry:
jane ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart apache2
Allows jane to run exactly that command, with exactly those arguments, as any user without a password. Keep the path absolute and the arguments fixed: a rule that allows /usr/bin/systemctl with any arguments also allows subcommands that open a pager or editor from which a shell can be started, which is a full root escalation. Check what a rule actually grants with sudo -l -U jane, and prefer drop-in files under /etc/sudoers.d/ (sudo visudo -f /etc/sudoers.d/jane) over editing the main file.
7.3 Systemd Service Permissions
Used to harden services with the sandboxing directives systemd applies per unit.
Example: Restrict access
In the [Service] section of the unit file (or of a drop-in created with sudo systemctl edit name.service):
[Service]
ProtectSystem=full
ReadOnlyPaths=/etc
PrivateTmp=true
ProtectSystem=full mounts /usr, /boot, /efi and /etc read-only for the service, so ReadOnlyPaths=/etc is redundant with it; ProtectSystem=strict goes further and makes the whole tree except /dev, /proc and /sys read-only, with ReadWritePaths= re-opening only what the service really writes. PrivateTmp=true gives the service a private /tmp and /var/tmp. Add NoNewPrivileges=true so the service and anything it spawns cannot gain privileges through SUID binaries or file capabilities, and run systemd-analyze security name.service to see which directives are still missing and how exposed the unit is.
7.4 Auditd and Logging
To track who accessed or modified files, or ran sensitive commands.
Install and start auditd:
sudo apt install auditd
sudo systemctl enable --now auditd
Add a watch rule (the command is auditctl, and it needs root; -p wa means write and attribute changes):
sudo auditctl -w /etc/passwd -p wa -k passwd_watch
Rules loaded with auditctl are lost at reboot. To keep them, put the same line without the auditctl prefix in a file under /etc/audit/rules.d/ (for example /etc/audit/rules.d/passwd.rules) and reload with sudo augenrules --load.
View logs:
sudo ausearch -k passwd_watch # Every event matching the rule's key, with uid, auid, exe and the path touched
sudo aureport -f # File access reports
sudo aureport -au # Authentication reports
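As an added example (not part of the original guide), the script below does the triage step that follows a passwd_watch hit: it summarises raw SYSCALL records for one rule key by login uid, effective uid, program and outcome. The audit records embedded in it are constructed for the demonstration in the standard auditd record format, with fields that the summary does not use shortened; on a live host pipe in /var/log/audit/audit.log or the output of ausearch --raw instead.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): summarises raw audit records for
# one rule key the way you would when triaging a passwd_watch hit. The records
# below are constructed for the demo in the standard auditd format; on a real
# host feed it /var/log/audit/audit.log or "ausearch --raw" output instead.
set -eu

# summarize_key KEY < audit.log
# Prints one line per distinct (login uid, effective uid, program, outcome):
#   "<count> auid=<auid> uid=<uid> exe=<exe> success=<yes|no>"
# auid is the uid the session logged in with; it survives sudo and su, so it
# answers "who", while uid answers "as whom". auid=4294967295 (-1) marks
# processes that never logged in, such as daemons and boot-time jobs.
summarize_key() {
    awk -v want="$1" '
        $1 == "type=SYSCALL" {
            split("", f)
            for (i = 2; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue
                k = substr($i, 1, n - 1); v = substr($i, n + 1)
                gsub(/^"|"$/, "", v)          # strip quotes around exe/comm/key
                f[k] = v
            }
            if (f["key"] != want) next
            line = "auid=" f["auid"] " uid=" f["uid"] " exe=" f["exe"] " success=" f["success"]
            count[line]++
        }
        END { for (l in count) print count[l], l }
    ' | sort
}

# Constructed sample records (unused fields abbreviated).
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="vipw" exe="/usr/sbin/vipw" key="passwd_watch"
type=PATH msg=audit(1700000000.101:201): item=1 name="/etc/passwd" inode=1234 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=1200 pid=1240 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="vipw" exe="/usr/sbin/vipw" key="passwd_watch"
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=1500 pid=1510 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 ses=4 comm="vim" exe="/usr/bin/vim" key="passwd_watch"
type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=257 success=yes exit=4 items=2 ppid=900 pid=905 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="useradd" exe="/usr/sbin/useradd" key="passwd_watch"
type=SYSCALL msg=audit(1700000000.105:205): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=1200 pid=1250 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="shadow_watch"'

printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_key passwd_watch
# On a live host (the log is root-readable only):
#   sudo cat /var/log/audit/audit.log | summarize_key passwd_watch
```

In the sample, the two vipw edits show uid=0 but auid=1000: root did the write, but the session belongs to uid 1000, which is the attribution a ticket needs. The vim record with success=no is a denied attempt by uid 1001 that the watch still captured, and the useradd record with auid=4294967295 came from a process with no login session, which on a real host should be matched against a scheduled job or provisioning run.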
8. Summary & Cleanup
Summary Table
| Feature | Description | Command Example |
|---|---|---|
| chmod | Change file permissions | chmod 755 file.sh |
| chown | Change file ownership | sudo chown user:group file |
| umask | Default permission mask for new files | umask 027 |
| SUID | Run program with the file owner's privileges | sudo chmod u+s ./ping_test |
| SGID | New files inherit the directory's group | chmod g+s dir |
| Sticky Bit | Only the owner can delete their files in the dir | chmod +t sticky_dir |
| Immutable | Prevent modification or deletion | sudo chattr +i file |
| AppArmor | MAC system used on Ubuntu | sudo aa-status |
| Mount Options | Restrict exec, SUID and device use per filesystem | mount -o nosuid,nodev,noexec … |
| ACLs | Extra per-user and per-group entries | setfacl -m u:user:rw file |
| Sudoers | Control admin rights | sudo visudo |
| Systemd Sec | Service-level isolation and hardening | ProtectSystem=full etc. |
| Auditd | File access and auth logging | sudo auditctl, aureport |
Cleanup
sudo umount ~/mnt-test 2>/dev/null # unmount before deleting the image file behind the loop device
rmdir ~/mnt-test
sudo chattr -i ~/perms-test/immutable.txt 2>/dev/null # rm cannot remove a file that is still immutable
cd ~
rm -rf ~/perms-test # also removes loopback.img and the SUID-root ping_test copy created there
If you added umask 027 to ~/.bashrc or ~/.profile in section 2 and do not want to keep it, remove that line as well.