Access Rights

Viewing the access rights for a file or directory

At a console prompt type "ls -al <file-name>".  The access rights appear in the form "d rwx rwx rwx", which represents the following information:

  • The presence of a "d" means the file in question is a directory.
  • For each file or directory, the access rights are listed for the owner, group, and others (from left to right):
      • First "rwx": Owner of the file
      • Second "rwx": Other users in the file's group
      • Third "rwx": Other users not in the file's group
  • The following letters are used to display the access rights of the files and directories:
      • r: Read-access enabled
      • w: Write-access enabled
      • x: Execute-access enabled
      • s: SUID enabled (for owner) or SGID enabled (for group); execute-access enabled
      • S: SUID enabled (for owner) or SGID enabled (for group); execute-access disabled
      • t: Sticky bit enabled (for other); execute-access enabled
      • T: Sticky bit enabled (for other); execute-access disabled

Access rights for directories
  • r: The user can view the contents of the directory
  • w: The user can add or delete files or subdirectories in the directory (the directory entries themselves, not necessarily the files, are writeable).
  • x: The user can enter the directory
  • There are effectively only three levels of access rights for directories (each of which separately applies to the owner, the group, and others):
      • Write-access (read-write): rwx   (rw, exec) (mode 7) (umask 0)
      • Read-access  (read-only):  r-x   (ro, exec) (mode 5) (umask 2)
      • No-access:                 ---   ( )        (mode 0) (umask 7)
  • Read-access is disabled for a directory by turning off both the r and x bits.  There is seldom a need to have only one of r or x enabled; they're generally either both on or both off.
  • If read-access is disabled for a directory, the w bit should be disabled as well, even though disabling read-access prevents a user from making use of write-access anyway.
  • A directory can only be viewed if both r and x are enabled.
  • Directory entries can only be added or deleted if both w and x are enabled.
  • A directory that doesn't allow read-access for others (with r and x disabled) is like a locked gate; it doesn't let others in.
      • Other users are unable to view or alter the recursive contents of the directory.
      • Symbolic links pointing to a less-secure child directory don't allow access to the child directory and its contents unless the user has read-access to all of the parent directories.

Access rights for files
  • r: The user can view the file
  • w: The user can write to the file (but cannot necessarily delete it)
  • x: The user can execute the file
  • If the w bit is enabled but the r bit is disabled, the file can still be overwritten.
  • A file can only be executed if both the r and x bits are enabled.
  • Access rights for files differ from those for directories because the x bit is sometimes disabled even though r or w are enabled (to prevent the file from being executed while still allowing read or write access).
  • When new text files are created, the x bit is turned off by default, even if the user's umask allows the x bit for new files; so if a bash script is created in a new text file, the x bit has to be turned on manually for the owner and, if needed, for group and others.

Precedence of access rights
  • If the user is the owner of the file or directory, then the "owner" rights apply ("group" and "other" don't apply).
  • If the user is a member of the group that the file or directory belongs to, but is not the owner of the file or directory, then the "group" rights apply ("owner" and "other" don't apply).
  • If the user is neither the owner nor a member of the group that the file or directory belongs to, then the "other" rights apply ("owner" and "group" don't apply).
  • To view or enter a directory, all parent directories must allow read access.
  • The contents of a directory are not affected by the access rights of the parent directories (assuming the user has sufficient rights to view and enter the directory).
  • If write access is disabled for a directory but is allowed for files in the directory, the files can still be written to; they simply can't be deleted, nor can new files be created.
  • If the rights for a file don't allow write access, a user can still (sometimes) write to the file if the directory allows write access (in this case, the directory settings override the file settings).
  • If the rights for a file don't allow read access, the directory rights won't allow it either (they won't override the file rights).

User private groups (UPG)
  • A group that only one user will have membership in, and which is the primary group for that user (typically the group has the same name as the user).
  • So long as no additional users are granted membership in the other user's UPG:
      • The access rights for UPGs will never be applied, because either the current user is the owner AND a group member, or they're neither.
      • Assigning a file to a UPG essentially says that no group has special access to that file, since the group rights will never be applied.
  • When UPGs are used, it's safe (and preferable) to allow the same access rights for the group and owner for new files and directories (via the user's umask value), and for existing files if the corresponding UPG is assigned along with the owner.
  • One advantage of UPGs is that, when needed, the administrator can grant access to a certain user's files to others on a user-by-user basis, by adding them to the user's UPG.  In this way, the set of users authorized to access the files can be carefully controlled, without requiring them to log in as the owner.
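The precedence rules and the UPG argument above, as an added Python example (not part of the original notes): exactly one of the owner/group/other triplets is consulted for a given user, and reading a file needs x on every parent directory plus r on the file itself. The uids, gids and modes below are constructed stand-ins for what os.stat() would report; root is not modelled.

```python
from typing import Iterable, Sequence, Tuple

R, W, X = 0o4, 0o2, 0o1

# (mode, uid, gid) of a file or directory; a constructed stand-in for os.stat()
Entry = Tuple[int, int, int]

def applicable_bits(entry: Entry, uid: int, groups: Iterable[int]) -> int:
    """Return the one rwx triplet (0-7) that applies to this user.

    Exactly one class is consulted: owner if the uid matches, otherwise group
    if the file's gid is among the user's groups, otherwise other. The classes
    are never merged, so a permissive group or other triplet does not rescue an
    owner who is denied. Root (uid 0) bypasses these checks and is not modelled.
    """
    mode, file_uid, file_gid = entry
    if uid == file_uid:
        return (mode >> 6) & 0o7
    if file_gid in groups:
        return (mode >> 3) & 0o7
    return mode & 0o7

def can_read_file(parents: Sequence[Entry], target: Entry,
                  uid: int, groups: Iterable[int]) -> bool:
    """Reading a file needs x on every parent directory (to enter it) plus r on
    the file itself; no directory permission substitutes for the file's r bit."""
    groups = set(groups)
    if not all(applicable_bits(d, uid, groups) & X for d in parents):
        return False
    return bool(applicable_bits(target, uid, groups) & R)

if __name__ == "__main__":
    # Constructed scenario: alice (uid 1000) has a UPG "alice" (gid 1000);
    # bob (uid 1001, primary gid 1001) is not a member of it.
    root_dirs = [(0o755, 0, 0), (0o755, 0, 0)]   # "/" and "/home"
    alice_home = (0o750, 1000, 1000)
    notes = (0o660, 1000, 1000)                  # umask-007 style: owner and UPG only
    print(can_read_file(root_dirs + [alice_home], notes, 1001, {1001}))        # False
    # The administrator adds bob to alice's UPG: the group triplet now applies to bob.
    print(can_read_file(root_dirs + [alice_home], notes, 1001, {1001, 1000}))  # True
    # Owner rights apply even when they are the most restrictive class.
    print(applicable_bits((0o077, 1000, 1000), 1000, {1000}))                  # 0
```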

Umask
  • The umask value sets the default level of owner, group, and other rights for newly-created files and directories, on a per-user basis.
  • Subtract the umask value from 777 to obtain the access rights that the umask allows.
  • The umask value is set in one or more of the user login scripts:
      • /home/<user>/.profile
      • /home/<user>/.bashrc
      • /etc/profile
      • /etc/bashrc
  • For users, a default umask of 022 is recommended; if user private groups (UPGs) are used, a default umask of 002 is reasonable (and preferable).
  • If there's a compelling reason to deny others read-access to a user's files and directories by default, then a umask of 027 (or 007 if UPGs are used) is reasonable.
  • For root, a umask of 022 or 077 is recommended.
      • Using 077 for root can be a hassle, as there are many root-owned files that need to be accessed or run at times by users.
      • If 022 is used for root, chmod can be used to further restrict access to sensitive files, such as password files (e.g. chmod 700 or chmod 600).
      • If 077 is used for root, chmod can be used to increase access to non-sensitive files or directories, such as the mount points for mounted partitions (e.g. chmod 755).
  • As a default guideline, use a umask that doesn't allow others write-access to newly-created files (i.e. disable the w bit for others).
  • Unless there's a reason to do otherwise, use a umask that doesn't allow the group write-access to newly-created files, unless UPGs are used (i.e. disable the w bit for group, unless UPGs are used).
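An added Python example (not part of the original notes) tying the umask rules above to the "d rwx rwx rwx" display described at the top of the page: it applies a umask to the 777 (directory) and 666 (text file, x already off) bases and renders the result the way "ls -al" does, including the s/S and t/T letters for the special bits. The umask values used are the ones recommended above.

```python
import stat

def _triplet(bits: int, special: bool, special_char: str) -> str:
    """Render one rwx group. A special bit (SUID, SGID or sticky) takes the x
    position: lowercase when execute is also set, uppercase when it is not."""
    r = "r" if bits & 0o4 else "-"
    w = "w" if bits & 0o2 else "-"
    if special:
        x = special_char if bits & 0o1 else special_char.upper()
    else:
        x = "x" if bits & 0o1 else "-"
    return r + w + x

def mode_string(mode: int, is_dir: bool = False) -> str:
    """Render a numeric mode the way "ls -al" shows it, e.g. 0o4755 -> "-rwsr-xr-x"."""
    owner = _triplet((mode >> 6) & 0o7, bool(mode & stat.S_ISUID), "s")
    group = _triplet((mode >> 3) & 0o7, bool(mode & stat.S_ISGID), "s")
    other = _triplet(mode & 0o7, bool(mode & stat.S_ISVTX), "t")
    return ("d" if is_dir else "-") + owner + group + other

def apply_umask(umask: int, is_dir: bool) -> int:
    """Default mode of a new directory (base 0o777) or text file (base 0o666,
    i.e. x already off) after the umask is applied. For directories this is the
    "subtract from 777" rule above; for files the base is 666, so the bitwise
    form is used, which is also what the kernel does."""
    base = 0o777 if is_dir else 0o666
    return base & ~umask & 0o777

def default_modes(umask: int) -> dict:
    """ls-style strings for a new text file and a new directory under this umask."""
    return {
        "file": mode_string(apply_umask(umask, False)),
        "dir": mode_string(apply_umask(umask, True), is_dir=True),
    }

if __name__ == "__main__":
    # The umask values recommended in the notes above
    for u in (0o022, 0o002, 0o027, 0o007, 0o077):
        print(f"umask {u:03o}: {default_modes(u)}")
    # Special bits: SUID with and without x, SGID directory, sticky /tmp-style directory
    for m, d in ((0o4755, False), (0o4655, False), (0o2750, True), (0o1777, True)):
        print(f"{m:05o}: {mode_string(m, d)}")
```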

Special attributes
  • Sticky bit
      • For files, there is no effect.
      • For directories, if write access is enabled (which allows file deletion), a user can only delete files in the directory if they're the owner of the file, or if they have write access to the file.
      • By default, for non-sticky directories in which write access is enabled, a user can delete files without having ownership of the file and without having write access to the file.
      • Useful for world-writeable directories where users should not be able to delete all of the files (e.g. shared public directories, like /tmp).
  • SGID (set group ID) bit
      • For files, if the file is executable and the partition was mounted with the suid and exec options (explicitly or implicitly), the file will execute with GID = file group rather than GID = primary group of the current user.
      • For directories, if the partition was mounted with the suid option (explicitly or implicitly), new files or subdirectories created in that directory will have their group attribute set to the directory's group.
  • SUID (set user ID) bit
      • For files, if the file is executable and the partition was mounted with the suid and exec options (explicitly or implicitly), the file will execute with UID = file owner rather than UID = current user.
          • This is a common source of security vulnerabilities: a bug such as a "buffer overflow" in a SUID program runs with the file owner's privileges rather than the user's.
      • Mounting a partition with the suid and exec options (explicitly or implicitly) creates security problems, because a user can run files which will execute with a greater level of access than the user possesses.
      • Usage of the suid mount option with the exec option (explicitly or implicitly) should be avoided whenever possible, due to security concerns.
      • For partitions where SGID is desired for directories, and where files do not need to be executed, it may be reasonable to use the suid mount option as long as the noexec option is used as well, since files have to be executable for the SUID security hole to be exploited.
      • For directories, there is no effect.

Default attributes
  • The user ownership of a new file or directory is the user who created it.
  • By default, group membership of a new file or directory is the primary group of the user who created it.
  • If suid is enabled for the partition and the SGID bit is set for the current directory, new files or subdirectories created will have their group attribute set to the directory's group.
  • The access rights for new files and directories are determined by the user's umask value, with "x" bits turned off for text files.

Changing attributes
  • The owner of a file or directory is the only non-root user that can change the access rights.
  • The owner of a file or directory can always change the access rights, regardless of what their current access rights are for the file or directory (i.e. if they disable all access rights to the file or directory, they can still re-enable them).
  • Non-root users cannot change the ownership and group membership of a file or directory, even if they're the owner of the file or directory.
  • Root can change the access rights, ownership, and group membership for all files and directories.

Setting the default access rights for new files and directories

Use the "umask" command in the appropriate user login script.