Linux Security Context and Permission Model
In the Linux security framework, processes operate as agents for the user who initiated them. Consequently, these processes execute with the identity and privileges of that user. The system evaluates file access through a sequential matching model:
- The system checks if the process owner matches the file's owner. If true, owner permissions are applied.
- If there is no match, the system checks if the process owner belongs to the file's group. If true, group permissions are applied.
- If neither condition is met, the permissions designated for "others" are applied.
Special Permission Bits
Beyond standard read, write, and execute flags, Linux supports special permissions: SUID, SGID, and the Sticky Bit.
Set User ID (SUID)
By default, a process inherits the identity of the user executing it. When the SUID bit is set on an executable file, the process assumes the identity of the file's owner rather than the user who launched it.
# Grant SUID permission
chmod u+s /usr/local/bin/admin-tool
# Revoke SUID permission
chmod u-s /usr/local/bin/admin-tool
This flag appears in the owner's execute position. It displays as a lowercase s if the execute bit is present, or an uppercase S if execute permission is absent.
Set Group ID (SGID)
When applied to a directory that has group write permissions, SGID forces new files and subdirectories created within it to inherit the directory's group ownership, rather than the primary group of the user who created them.
# Grant SGID permission
chmod g+s /srv/shared-repo
# Revoke SGID permission
chmod g-s /srv/shared-repo
This flag occupies the group's execute position. It displays as s or S depending on the presence of the underlying execute permission.
Sticky Bit
In a directory that is writable by a group or by all users, any user with write permission on the directory can normally delete any file inside it, regardless of who owns that file. Setting the Sticky Bit restricts deletion so that users can only remove files they own, even though they still have write access to the directory.
# Grant Sticky Bit permission
chmod o+t /var/public-uploads
# Revoke Sticky Bit permission
chmod o-t /var/public-uploads
This flag appears in the others' execute position. It shows as t if execute is enabled, or T if not. Common examples include /tmp and /var/tmp.
Octal Representation of Special Permissions
Special bits can also be managed using a fourth octal digit prepended to the standard mode:
- 4: SUID
- 2: SGID
- 1: Sticky Bit
For example, to set the Sticky Bit on top of the standard permissions rwxrwxrwx (the leading 1 is the Sticky Bit; 4 would add SUID and 2 SGID):
chmod 1777 /tmp/dropbox
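The following POSIX sh functions are an added example, not part of the original page: they model the sequential owner/group/other matching rule from the start of the page and the s/S and t/T display rules for the special bits, so an administrator can check what a given octal mode looks like in ls -l and which triplet a given process actually receives. The user and group names in the comments are constructed sample values.

```shell
#!/bin/sh
# Render one rwx triplet. $1: octal digit, $2: letter shown in the execute
# slot when its special bit is set (s or t), $3: 1 if that special bit is set.
triplet() {
    d=$1 out=""
    if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
    if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
    if [ "$3" -eq 1 ]; then
        # special bit set: lowercase if execute is present, uppercase if absent
        case $2 in s) up=S ;; t) up=T ;; esac
        if [ $((d & 1)) -ne 0 ]; then out="${out}$2"; else out="${out}$up"; fi
    elif [ $((d & 1)) -ne 0 ]; then out="${out}x"
    else out="${out}-"
    fi
    printf '%s' "$out"
}

# Decode a 3- or 4-digit octal mode into the symbolic form ls -l displays.
mode_to_symbolic() {
    mode=$1
    if [ ${#mode} -eq 3 ]; then mode="0$mode"; fi
    rest=${mode#?}; special=${mode%"$rest"}
    u=${rest%??}; go=${rest#?}; g=${go%?}; o=${go#?}
    printf '%s%s%s\n' \
        "$(triplet "$u" s $(( (special & 4) != 0 )))" \
        "$(triplet "$g" s $(( (special & 2) != 0 )))" \
        "$(triplet "$o" t $(( (special & 1) != 0 )))"
}

# Sequential matching: owner first, then group membership, then others.
# $1 file owner, $2 file group, $3 process user, $4 process groups (space-separated)
permission_class() {
    if [ "$1" = "$3" ]; then echo owner; return; fi
    for grp in $4; do
        if [ "$grp" = "$2" ]; then echo group; return; fi
    done
    echo other
}

# The rwx triplet a process gets for a file with octal mode $1 (args as above).
effective_perms() {
    sym=$(mode_to_symbolic "$1")
    case $(permission_class "$2" "$3" "$4" "$5") in
        owner) printf '%s\n' "${sym%??????}" ;;
        group) t=${sym#???}; printf '%s\n' "${t%???}" ;;
        other) printf '%s\n' "${sym#??????}" ;;
    esac
}

# Example (constructed): a 4644 file shows rwSr--r-- because SUID is set
# without execute; user alice in groups "alice users" gets rwt on a 1777 dir.
```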
File Access Control Lists (FACL)
Access Control Lists provide an additional layer of authorization beyond the standard user, group, and other model. They allow for granting specific permissions to distinct users or groups.
Viewing ACLs
The getfacl command displays the current access control list.
getfacl /srv/project-data
Modifying ACLs
Use setfacl to modify entries. The -m flag adds or modifies a rule.
# Grant read/write access to a specific user
setfacl -m u:dev_user:rw /srv/project-data
# Grant read/write access to a specific group
setfacl -m g:auditors:rw /srv/project-data
Removing ACLs
The -x flag removes specific entries from the ACL.
# Remove permissions for a user
setfacl -x u:dev_user /srv/project-data
# Remove permissions for a group
setfacl -x g:auditors /srv/project-data