{"id":2833,"date":"2025-05-25T15:18:07","date_gmt":"2025-05-25T15:18:07","guid":{"rendered":"https:\/\/codeinsightacademy.com\/blog\/?p=2833"},"modified":"2025-05-25T16:18:22","modified_gmt":"2025-05-25T16:18:22","slug":"linux-permissions","status":"publish","type":"post","link":"https:\/\/codeinsightacademy.com\/blog\/linux\/linux-permissions\/","title":{"rendered":"Linux Permissions"},"content":{"rendered":"\n<h1>Linux Permissions &amp; Security: Hands-On Guide (Ubuntu)<\/h1>\n\n\n\n<h2>Prerequisites<\/h2>\n\n\n\n<ul><li>Ubuntu system (desktop or server)<\/li><li>Terminal access<\/li><li>Sudo privileges<\/li><\/ul>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h2>1. Basic File Permissions<\/h2>\n\n\n\n<p>In Linux, every file and directory carries permissions for three classes of user:<\/p>\n\n\n\n<ul><li><strong>User (u)<\/strong> \u2013 The owner of the file<\/li><li><strong>Group (g)<\/strong> \u2013 Members of the file\u2019s group<\/li><li><strong>Others (o)<\/strong> \u2013 Everyone else<\/li><\/ul>\n\n\n\n<p>And three permissions, whose meaning differs between files and directories:<\/p>\n\n\n\n<ul><li><strong>Read (r)<\/strong> \u2013 View the contents of a file; for a directory, list its entries<\/li><li><strong>Write (w)<\/strong> \u2013 Modify the contents of a file; for a directory, create, delete or rename entries in it (deleting a file needs write on the directory, not on the file itself)<\/li><li><strong>Execute (x)<\/strong> \u2013 Run the file as a program or script; for a directory, enter it and access entries by name<\/li><\/ul>\n\n\n\n<h3>Step 1: Create a test file<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>mkdir ~\/perms-test &amp;&amp; cd ~\/perms-test\ntouch file.txt\nls -l file.txt\n<\/code><\/pre>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>This will show the default permissions. 
You\u2019ll see something like <code>-rw-r--r--<\/code>: the first character is the file type (<code>-<\/code> regular file, <code>d<\/code> directory), followed by the user, group and others triplets.<\/p><\/blockquote>\n\n\n\n<h3>Step 2: Change permissions using <code>chmod<\/code><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>chmod 644 file.txt  # rw-r--r-- (user can read\/write, group\/others can read)\nchmod u+x file.txt  # Add execute permission for the user: rwxr--r--\nchmod o-r file.txt  # Remove read from others: rwxr-----\n<\/code><\/pre>\n\n\n\n<h3>Step 3: Change ownership using <code>chown<\/code><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo chown $USER:$USER file.txt\n<\/code><\/pre>\n\n\n\n<blockquote class=\"wp-block-quote\"><p><code>chown<\/code> changes the owner and group of a file (<code>owner:group<\/code>). Only root can give a file to another user; an unprivileged user can only change the group, and only to a group they belong to.<\/p><\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h2>2. Umask (Default Permission Mask)<\/h2>\n\n\n\n<p><code>umask<\/code> controls the permissions that new files and directories get.<\/p>\n\n\n\n<ul><li>The default umask is usually <code>0022<\/code><\/li><li>Every bit set in the umask is cleared from the base mode: <code>Final = Base AND NOT Umask<\/code>. For the common masks this looks like subtraction (666 - 022 = 644), but it is not: with umask <code>0133<\/code> a new file gets <code>644<\/code>, not <code>533<\/code>.<ul><li>Base is 666 for files, 777 for directories (which is why new files are never executable by default)<\/li><\/ul><\/li><\/ul>\n\n\n\n<h3>Step 1: Check current umask<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>umask\n<\/code><\/pre>\n\n\n\n<h3>Step 2: Create new file to test<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>touch test.txt\nls -l test.txt  # -rw-r--r-- with umask 0022\n<\/code><\/pre>\n\n\n\n<h3>Step 3: Set a different umask temporarily<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>umask 027\numask\n<\/code><\/pre>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>Now new files will have permissions 640 (<code>rw-r-----<\/code>) and new directories 750 (<code>rwxr-x---<\/code>). The change lasts only for this shell and the processes it starts.<\/p><\/blockquote>\n\n\n\n<h3>Step 4: Make it permanent (optional)<\/h3>\n\n\n\n<p>Add to <code>~\/.bashrc<\/code> or <code>~\/.profile<\/code>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>umask 027\n<\/code><\/pre>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>This only covers your own interactive shells. Cron jobs, system services and other login paths take their umask from their own configuration (for example <code>UMASK<\/code> in <code>\/etc\/login.defs<\/code> or <code>UMask=<\/code> in a systemd unit).<\/p><\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h2>3. Special Permission Bits<\/h2>\n\n\n\n<h3>3.1 SUID (Set User ID)<\/h3>\n\n\n\n<ul><li>Makes an executable run with the effective user ID of the file\u2019s owner rather than of the user who starts it. 
Linux ignores the bit on interpreted scripts, so it only takes effect on compiled binaries.<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo cp \/bin\/ping .\/ping_test\nsudo chmod u+s ping_test\nls -l ping_test  # Look for 's' in the user execute slot: -rwsr-xr-x (a capital 'S' means the bit is set but execute is not)\n<\/code><\/pre>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>The copy was made with <code>sudo<\/code>, so it is owned by root and you have just created a setuid-root binary in your home directory. Setuid-root files are the classic target for local privilege escalation, so treat this one as a lab artefact: the cleanup at the end removes it, and on a real system every setuid file should be accounted for.<\/p><\/blockquote>\n\n\n\n<h3>3.2 SGID (Set Group ID)<\/h3>\n\n\n\n<ul><li>For executables: the program runs with the effective group ID of the file\u2019s group.<\/li><li>For directories: new files and subdirectories inherit the directory\u2019s group (and subdirectories inherit the SGID bit), which is what makes shared project directories work.<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>mkdir sgid_dir\nchmod g+s sgid_dir\nls -ld sgid_dir  # Look for 's' in the group execute slot: drwxr-sr-x\n<\/code><\/pre>\n\n\n\n<h3>3.3 Sticky Bit<\/h3>\n\n\n\n<ul><li>Commonly used in world-writable shared directories like <code>\/tmp<\/code>.<\/li><li>Files in the directory can only be deleted or renamed by their owner, the directory owner, or root, even though everyone can create files there.<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>mkdir sticky_dir\nchmod 1777 sticky_dir  # world-writable with the sticky bit\nchmod +t sticky_dir    # equivalent way to set just the sticky bit\nls -ld sticky_dir      # Look for 't' at the end: drwxrwxrwt\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h2>4. File Attributes (using <code>chattr<\/code> and <code>lsattr<\/code>)<\/h2>\n\n\n\n<p>Attributes are a filesystem feature (ext4, XFS and others) that adds protection beyond the permission bits set with <code>chmod<\/code>.<\/p>\n\n\n\n<h3>Step 1: Set immutable attribute<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>touch immutable.txt\nsudo chattr +i immutable.txt\nlsattr immutable.txt  # the 'i' flag appears in the attribute list\n<\/code><\/pre>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>Immutable files can\u2019t be modified, renamed, hard-linked or deleted, even by root, until the attribute is cleared. Setting or clearing it requires the <code>CAP_LINUX_IMMUTABLE<\/code> capability, which root has by default, so it protects against accidents and unprivileged tampering rather than against an attacker who already has root.<\/p><\/blockquote>\n\n\n\n<h3>Step 2: Try editing or deleting it<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>echo \"test\" &gt; immutable.txt  # Fails with \"Operation not permitted\"\nrm immutable.txt             # Fails too, even with sudo\n<\/code><\/pre>\n\n\n\n<h3>Step 3: Remove the attribute<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo chattr -i immutable.txt\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h2>5. 
SELinux vs AppArmor (Ubuntu uses AppArmor)<\/h2>\n\n\n\n<ul><li>SELinux is the default on Red Hat-based systems (RHEL, Fedora and their derivatives).<\/li><li>Ubuntu uses AppArmor by default for Mandatory Access Control (MAC): per-program profiles restrict what a confined process may access, regardless of the file permissions its user has.<\/li><\/ul>\n\n\n\n<h3>Step 1: Check if SELinux is installed<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>sestatus  # On a default Ubuntu install this returns \"command not found\"\n<\/code><\/pre>\n\n\n\n<h3>Step 2: Check AppArmor status<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo aa-status\n<\/code><\/pre>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>Shows which profiles are loaded, whether each is in enforce mode (violations are blocked) or complain mode (violations are only logged), and which running processes are confined.<\/p><\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h2>6. Mount Options: <code>nosuid<\/code>, <code>nodev<\/code>, <code>noexec<\/code><\/h2>\n\n\n\n<p>These options restrict what the kernel will do with files on a filesystem, whatever their permission bits say: <code>nosuid<\/code> ignores SUID\/SGID bits, <code>nodev<\/code> ignores device nodes, and <code>noexec<\/code> refuses to execute files directly. They are the standard hardening for <code>\/tmp<\/code>, <code>\/dev\/shm<\/code>, removable media and other places untrusted users can write to.<\/p>\n\n\n\n<h3>Step 1: Create a virtual disk and mount it<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>mkdir ~\/mnt-test\ndd if=\/dev\/zero of=loopback.img bs=1M count=50\nmkfs.ext4 loopback.img\nsudo mount -o loop loopback.img ~\/mnt-test\nsudo chown $USER:$USER ~\/mnt-test  # the root of a fresh ext4 filesystem is owned by root; take ownership so the steps below can write to it\n<\/code><\/pre>\n\n\n\n<h3>Step 2: Test with <code>nosuid<\/code><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo mount -o remount,nosuid ~\/mnt-test\n<\/code><\/pre>\n\n\n\n<blockquote class=\"wp-block-quote\"><p><code>nosuid<\/code> makes the kernel ignore the SUID\/SGID bits on this filesystem: a setuid binary copied here (such as the <code>ping_test<\/code> from section 3) still shows the <code>s<\/code> in <code>ls -l<\/code>, but runs with the caller\u2019s own privileges.<\/p><\/blockquote>\n\n\n\n<h3>Step 3: Test with <code>noexec<\/code><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo mount -o remount,nosuid,noexec ~\/mnt-test  # repeat every option you want to keep; a remount may reset options you do not name\necho -e '#!\/bin\/bash\\necho Hello' &gt; ~\/mnt-test\/test.sh\nchmod +x ~\/mnt-test\/test.sh\n~\/mnt-test\/test.sh  # Fails with \"Permission denied\" because of noexec\n<\/code><\/pre>\n\n\n\n<blockquote class=\"wp-block-quote\"><p><code>noexec<\/code> prevents the kernel from executing binaries and scripts from the mounted directory directly. It is not a complete barrier for scripts: <code>bash ~\/mnt-test\/test.sh<\/code> still works, because the interpreter only reads the file. Treat <code>noexec<\/code> as one layer, not as the control that stops untrusted code from running.<\/p><\/blockquote>\n\n\n\n<h3>Step 4: Unmount<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo umount ~\/mnt-test\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h2>7. 
Additional Topics for Advanced Security<\/h2>\n\n\n\n<h3>7.1 Access Control Lists (ACLs)<\/h3>\n\n\n\n<p>ACLs add per-user and per-group entries on top of the owner\/group\/others bits, for the case where more than one user or group needs a different level of access to the same file.<\/p>\n\n\n\n<h4>Commands:<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>setfacl -m u:username:r file.txt  # Give read access to a specific user\ngetfacl file.txt                  # View ACLs (ls -l shows a '+' after the mode when a file has them)\nsetfacl -x u:username file.txt    # Remove the ACL entry for that user\n<\/code><\/pre>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>Named entries are limited by the ACL mask, which <code>chmod<\/code> on the group bits also changes, so check <code>getfacl<\/code> after a <code>chmod<\/code> if access stops working.<\/p><\/blockquote>\n\n\n\n<h3>7.2 Sudo Configuration (<code>\/etc\/sudoers<\/code>)<\/h3>\n\n\n\n<p>Allows restricting and auditing root access per user or group.<\/p>\n\n\n\n<h4>Safely edit sudoers file:<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo visudo\n<\/code><\/pre>\n\n\n\n<blockquote class=\"wp-block-quote\"><p><code>visudo<\/code> checks the syntax before saving; a broken <code>\/etc\/sudoers<\/code> can lock everyone out of <code>sudo<\/code>.<\/p><\/blockquote>\n\n\n\n<h4>Example entry:<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>jane ALL=(ALL) NOPASSWD: \/usr\/bin\/systemctl restart apache2\n<\/code><\/pre>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>Allows <code>jane<\/code> to run exactly that command as root without a password. Keep rules this narrow: the full path and the exact arguments. A rule for <code>\/usr\/bin\/systemctl<\/code> alone would let her start, stop or edit any unit. Every <code>sudo<\/code> invocation is logged to the auth log either way.<\/p><\/blockquote>\n\n\n\n<h3>7.3 Systemd Service Permissions<\/h3>\n\n\n\n<p>Service units can sandbox the process they start, so a compromised service cannot reach parts of the system it never needed.<\/p>\n\n\n\n<h4>Example: Restrict access<\/h4>\n\n\n\n<p>In the <code>[Service]<\/code> section of a systemd unit file:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>[Service]\nProtectSystem=full\nReadOnlyPaths=\/etc\nPrivateTmp=true\n<\/code><\/pre>\n\n\n\n<blockquote class=\"wp-block-quote\"><p><code>ProtectSystem=full<\/code> mounts <code>\/usr<\/code>, <code>\/boot<\/code> and <code>\/etc<\/code> read-only for the service (<code>strict<\/code> makes the whole file system read-only apart from <code>\/dev<\/code>, <code>\/proc<\/code> and <code>\/sys<\/code>); <code>ReadOnlyPaths=<\/code> adds further paths, so the <code>\/etc<\/code> entry here is redundant with <code>full<\/code> and only matters if you drop to a weaker level; <code>PrivateTmp=true<\/code> gives the service its own <code>\/tmp<\/code> and <code>\/var\/tmp<\/code>. <code>systemd-analyze security &lt;unit&gt;<\/code> scores a unit and lists the protections it is missing.<\/p><\/blockquote>\n\n\n\n<h3>7.4 Auditd and Logging<\/h3>\n\n\n\n<p>Records who accessed or modified files and who ran sensitive commands, in a log that unprivileged users cannot alter.<\/p>\n\n\n\n<h4>Install and start Auditd:<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo apt install auditd\nsudo systemctl enable --now auditd\n<\/code><\/pre>\n\n\n\n<h4>Add a watch rule:<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo auditctl -w \/etc\/passwd -p wa -k 
passwd_watch\nsudo auditctl -l  # list the active rules; they do not survive a reboot unless saved under \/etc\/audit\/rules.d\/\n<\/code><\/pre>\n\n\n\n<h4>View logs:<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo ausearch -k passwd_watch  # Events tagged with the key set above\nsudo aureport -f               # File access reports\nsudo aureport -au              # Authentication reports\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h2>8. Summary &amp; Cleanup<\/h2>\n\n\n\n<h3>Summary Table<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Feature<\/th><th>Description<\/th><th>Command Example<\/th><\/tr><\/thead><tbody><tr><td>chmod<\/td><td>Change file permissions<\/td><td>chmod 755 file.sh<\/td><\/tr><tr><td>chown<\/td><td>Change file ownership<\/td><td>sudo chown user:group file<\/td><\/tr><tr><td>umask<\/td><td>Default permission for new files<\/td><td>umask 027<\/td><\/tr><tr><td>SUID<\/td><td>Run program with file owner&#8217;s privileges<\/td><td>chmod u+s \/bin\/file<\/td><\/tr><tr><td>SGID<\/td><td>New files inherit directory&#8217;s group<\/td><td>chmod g+s dir<\/td><\/tr><tr><td>Sticky Bit<\/td><td>Only owner (or root) can delete files in dir<\/td><td>chmod +t \/tmp<\/td><\/tr><tr><td>Immutable<\/td><td>Prevent modification\/deletion<\/td><td>sudo chattr +i file<\/td><\/tr><tr><td>AppArmor<\/td><td>MAC system used on Ubuntu<\/td><td>sudo aa-status<\/td><\/tr><tr><td>Mount Options<\/td><td>Restrict capabilities like exec\/suid\/device<\/td><td>mount -o nosuid,nodev,noexec &#8230;<\/td><\/tr><tr><td>ACLs<\/td><td>Extra user-specific permissions<\/td><td>setfacl -m u:user:rw file<\/td><\/tr><tr><td>Sudoers<\/td><td>Control admin rights<\/td><td>sudo visudo<\/td><\/tr><tr><td>Systemd sandboxing<\/td><td>Service-level isolation and hardening<\/td><td>ProtectSystem=full etc.<\/td><\/tr><tr><td>Auditd<\/td><td>File access and auth logging<\/td><td>auditctl, ausearch, aureport<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3>Cleanup<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>cd ~\nsudo umount ~\/mnt-test 2&gt;\/dev\/null   # unmount before deleting the image behind it\nrmdir ~\/mnt-test\nsudo chattr -i ~\/perms-test\/immutable.txt 2&gt;\/dev\/null   # rm -rf cannot remove an immutable file\nrm -rf ~\/perms-test   # also removes the setuid ping_test copy and loopback.img if it was created there\nrm -f ~\/loopback.img  # in case the image was created in your home directory instead<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Linux Permissions &amp; 
Security: Hands-On Guide (Ubuntu) Prerequisites Ubuntu system (desktop or server) Terminal access Sudo privileges 1. Basic File Permissions In Linux, each file has three types of permission groups: User (u) \u2013 Owner of the file Group (g) \u2013 Users belonging to the same group Others (o) \u2013 Everyone else And three types [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[31],"tags":[],"_links":{"self":[{"href":"https:\/\/codeinsightacademy.com\/blog\/wp-json\/wp\/v2\/posts\/2833"}],"collection":[{"href":"https:\/\/codeinsightacademy.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/codeinsightacademy.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/codeinsightacademy.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/codeinsightacademy.com\/blog\/wp-json\/wp\/v2\/comments?post=2833"}],"version-history":[{"count":4,"href":"https:\/\/codeinsightacademy.com\/blog\/wp-json\/wp\/v2\/posts\/2833\/revisions"}],"predecessor-version":[{"id":2837,"href":"https:\/\/codeinsightacademy.com\/blog\/wp-json\/wp\/v2\/posts\/2833\/revisions\/2837"}],"wp:attachment":[{"href":"https:\/\/codeinsightacademy.com\/blog\/wp-json\/wp\/v2\/media?parent=2833"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/codeinsightacademy.com\/blog\/wp-json\/wp\/v2\/categories?post=2833"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/codeinsightacademy.com\/blog\/wp-json\/wp\/v2\/tags?post=2833"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
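Added example for section 2 (Umask) of the guide above; this script is not part of the original post. It demonstrates the point the umask section rests on: the kernel clears every bit set in the umask from the base mode (base AND NOT umask), which only coincidentally looks like octal subtraction for masks such as 022 or 027. The script computes both rules for a range of masks and checks the bitwise one against files and directories actually created under each umask. It assumes a Linux host with GNU coreutils (`stat -c`, `mktemp -d`), as on Ubuntu.

```sh
#!/bin/sh
# Added example for the Umask section; not from the original post.
# Compares the subtraction rule "Final = Base - Umask" with the real rule
# (base & ~umask) and verifies the real rule against the filesystem.
set -eu

# oct2dec OCTAL: turn an octal string such as 027 or 0644 into a decimal number.
oct2dec() { printf '%d' "0$1"; }

# bitwise_mode BASE UMASK: the mode the kernel produces, as three octal digits.
bitwise_mode() {
    bm_base=$(oct2dec "$1"); bm_mask=$(oct2dec "$2")
    printf '%03o\n' $(( bm_base & ~bm_mask ))
}

# naive_mode BASE UMASK: what plain octal subtraction predicts (wrong in general).
naive_mode() {
    nm_base=$(oct2dec "$1"); nm_mask=$(oct2dec "$2")
    printf '%03o\n' $(( nm_base - nm_mask ))
}

# actual_mode UMASK KIND: create a file (KIND=file) or directory (KIND=dir)
# under a scratch directory with that umask and report the mode the
# filesystem assigned, using GNU stat as shipped on Ubuntu.
actual_mode() {
    am_tmp=$(mktemp -d)
    if [ "$2" = dir ]; then
        ( umask "$1"; mkdir "$am_tmp/d" )
        stat -c '%a' "$am_tmp/d"
    else
        ( umask "$1"; : > "$am_tmp/f" )
        stat -c '%a' "$am_tmp/f"
    fi
    rm -rf "$am_tmp"
}

# umask_table: compare the rules for several masks on a base of 666 (files).
# The 077, 133 and 177 rows are where subtraction gives the wrong answer.
umask_table() {
    printf '%-6s %-6s %-8s %-6s\n' umask naive bitwise actual
    for m in 022 027 077 133 177; do
        printf '%-6s %-6s %-8s %-6s\n' "$m" "$(naive_mode 666 "$m")" \
            "$(bitwise_mode 666 "$m")" "$(actual_mode "$m" file)"
    done
}

umask_table
```

Run it as `sh umask_check.sh`; the `actual` column always matches `bitwise`, never `naive`, once the mask has a bit that the base mode does not.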
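Added example for sections 3.1 (SUID) and 6 (mount options) of the guide above; this script is not part of the original post. It turns the two checks a practitioner wants after reading those sections into a small local audit: setuid or setgid files under a tree that are not on an allowlist (every setuid-root binary is a potential local privilege-escalation path, so each one should be accounted for), and user-writable mount points in `/proc/self/mounts` that lack `nosuid`, `nodev` or `noexec`. The `ALLOWLIST` contents are an assumption for the example, not a vetted list for any distribution, and the script assumes a Linux host with GNU `find`.

```sh
#!/bin/sh
# Added example for the SUID and mount-option sections; not from the original post.
# 1. report setuid/setgid files that are not on an allowlist;
# 2. report user-writable mounts missing nosuid/nodev/noexec.
set -eu

# Setuid binaries expected on the host. Assumed for the example; build your own
# from a known-good install and review every addition.
ALLOWLIST="/usr/bin/sudo /usr/bin/passwd /usr/bin/su /usr/bin/mount /usr/bin/umount"

# find_unexpected_suid ROOT: print setuid or setgid regular files under ROOT
# (same filesystem only) that are not in ALLOWLIST.
find_unexpected_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        case " $ALLOWLIST " in
            *" $f "*) ;;                    # expected, stay quiet
            *) printf '%s\n' "$f" ;;        # not on the list: report it
        esac
    done
}

# mount_has_opt OPTIONS OPT: succeed if comma-separated OPTIONS contains OPT exactly.
mount_has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_mount_line RECORD: RECORD is one /proc/self/mounts line
# ("device mountpoint fstype options dump pass"). Prints the mount point and
# the hardening options it is missing; prints nothing if all three are set.
check_mount_line() {
    set -- $1                               # split the record into its fields
    cm_mp=$2; cm_fstype=$3; cm_opts=$4
    cm_missing=""
    for cm_opt in nosuid nodev noexec; do
        mount_has_opt "$cm_opts" "$cm_opt" || cm_missing="$cm_missing $cm_opt"
    done
    if [ -n "$cm_missing" ]; then
        printf '%s (%s): missing%s\n' "$cm_mp" "$cm_fstype" "$cm_missing"
    fi
}

# audit_mounts: apply check_mount_line to the live mount table, limited to the
# places unprivileged users normally write to.
audit_mounts() {
    while IFS= read -r line; do
        case "$line" in
            *" /tmp "*|*" /var/tmp "*|*" /dev/shm "*|*" /home "*) check_mount_line "$line" ;;
        esac
    done < /proc/self/mounts
}

# Usage: sh audit.sh run   (scans /usr and the live mount table of this host)
if [ "${1:-}" = run ]; then
    echo "setuid/setgid files under /usr not on the allowlist:"
    find_unexpected_suid /usr
    echo "user-writable mounts missing nosuid/nodev/noexec:"
    audit_mounts
fi
```

Both checks are deliberately pure reads: the script changes nothing, so it can run from cron or a configuration-management check and its output diffed against the previous run to catch a new setuid file or a remount that silently dropped an option.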