# Permission control

The primary security practice is to control every user’s permissions on files. On Linux there are three main permission bits to configure: **Read**, **Write** and **Execute**.

Knowing how to check and change permissions on files and directories (on Linux, everything is treated as a file) is crucial. Let’s dive into how to do it!

## Main Permissions

### r - read

“r” is read: it only allows opening and viewing the file.

### w - write

“w” is write: it allows viewing and editing the file.

### x - execute

“x” is execute: it allows the user to run the file, but not necessarily to view or edit it.

## Ownership to user

Here we use `chown` to change the owner of a file:

```bash
$ chown vix /tmp/torxfile
```

## Ownership to group

To assign ownership to a certain group, use the `chgrp` command, so that members of that group get the group permissions on the file:

```bash
$ chgrp mygroup C2
```

## Checking permissions

We all use `ls -la`, and I think that’s enough to get a solid idea of what a file or directory allows:

```bash
$ ls -la
1|2       |3 |4          |5   |6           |7
drwxrwxrwt 10 root root   4096 Jun 10 15:38 .
drwxr-xr-x 18 root root   4096 Jun 13 14:58 ..
drwx------  2 vix  vix    4096 Jun 10 15:38 burp18397847435395519291.tmp
srwxrwxrwx  1 vix  vix       0 Jul 17  2024 dbus-1RTN0d7hsH
drwxr-xr-x  2 root root   4096 Jul 11  2024 hsperfdata_root
drwxr-xr-x  2 vix  vix    4096 Jun 10 15:38 hsperfdata_vix
drwxrwxrwx  2 root root     60 Jun 13 14:58 .X11-unix
-r--r--r--  1 vix  vix      11 Jul 17  2024 .X1-lock
-|rw-|---|---  1 vix  vix     434 Jul 17  2024 .xfsm-ICE-5M8BR2
F|own|grp|non
```

1. This column is the file type: a “d” at the front means it’s a directory and a dash (-) means it’s a regular file
2. This column is the permissions on the file for the owner, the group, and other users
   1. `-|rw-|r--|r-- root root` is a file whose owner (root) can **read** and **write**. The permission string has three sections of three characters each: the first is for the owner, the second for the group, and the last for other users. Here the group and other users can only read, not write or execute. If a section is left as dashes, as in `-|rw-|---|---`, only the owner can read and write; the group and others cannot do anything
3. The number of links
4. The owner (and the group) of the file
5. Size of the file in bytes
6. When the file was created or last modified
7. Name of the file

## Changing permissions

Use `chmod` to change file permissions. There are two ways to do it: the first uses numeric (octal) notation and the second uses symbolic notation.

### Numeric (Octal) Notation

Often you will see commands like the ones below. How do 777 and the other numbers work, and why? I recommend using a permission calculator: <https://wintelguy.com/permissions-calc.pl>

```bash
$ chmod 777 file.sh
$ ls -l file.sh
 -rwxrwxrwx  2 root root 60 Jun 20 11:01 file.sh
$ chmod 774 file.sh
$ ls -l file.sh
 -rwxrwxr--  2 root root 60 Jun 20 11:09 file.sh
```

But here’s the reason. It’s simple: each digit is a base-8 (octal) number made of three bits, one each for r, w and x:

| Binary | Octal | r w x |
| ------ | ----- | ----- |
| 000    | 0     | - - - |
| 001    | 1     | - - x |
| 010    | 2     | - w - |
| 011    | 3     | - w x |
| 100    | 4     | r - - |
| 101    | 5     | r - x |
| 110    | 6     | r w - |
| 111    | 7     | r w x |

The same encoding applies to the remaining sections, group and others. That’s why you see three digits: each digit is one permission section.

### Symbolic (UGO)

Another way to change permissions is to use UGO, which stands for **User (Owner), Group and Others**.

Here are the operators you should know (`-`, `+`, `=`):

* `-` removes a permission
* `+` adds a permission
* `=` sets a permission exactly

```bash
$ ls -l file.sh
 -rwxrwxrwx  2 root root 60 Jun 20 11:09 file.sh
$ chmod o-x file.sh
$ ls -l file.sh
 -rwxrwxrw-  2 root root 60 Jun 20 11:30 file.sh
$ chmod o+x,g-w,o-w file.sh
$ ls -l file.sh
 -rwxr-xr-x  2 root root 60 Jun 20 11:39 file.sh
```

## Default Permission with umask

<https://ss64.com/bash/umask.html>

Usually a new or downloaded file is set to 777 or 666, which may not be that secure. This is where the useful `umask` tool comes in: you set the digits, and they are subtracted from the default permission.

An example:

| New files | New directories |                  |
| --------- | --------------- | ---------------- |
| 6 6 6     | 7 7 7           | Default settings |
| -0 2 2    | -0 2 2          | umask            |
| 6 4 4     | 7 5 5           | Results          |

```bash
$ umask 002
```
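To check the octal table, the symbolic `u`/`g`/`o` operators and the umask rule without touching real files, here is an added example in POSIX shell (this is not code from the original page). It models each permission section as a 3-bit group; the function names (`mode_to_rwx`, `rwx_to_mode`, `apply_symbolic`, `apply_umask`, `umask_report`) are this example’s own. It goes slightly beyond the text in one place: umask is applied as a bit mask rather than a digit-by-digit subtraction, which is why 666 under umask 027 gives 640 and never a negative digit.

```shell
#!/bin/sh
# Added example (not from the original page): model chmod's octal digits, the
# symbolic u/g/o operators and umask with shell arithmetic only, so the rules
# can be checked without modifying real files. A leading 0 makes the shell
# read a number as octal: $((0755)) is 493.

# One octal digit -> its rwx triplet, exactly as in the table above.
digit_to_rwx() {
  case "$1" in
    0) printf '%s' '---' ;; 1) printf '%s' '--x' ;;
    2) printf '%s' '-w-' ;; 3) printf '%s' '-wx' ;;
    4) printf '%s' 'r--' ;; 5) printf '%s' 'r-x' ;;
    6) printf '%s' 'rw-' ;; 7) printf '%s' 'rwx' ;;
    *) return 1 ;;
  esac
}

# Three octal digits (754) -> nine-character string (rwxr-xr--):
# owner, group and others are 3 bits each, read from the top down.
mode_to_rwx() {
  m=$((0$1)); out=''
  for s in 6 3 0; do
    out="$out$(digit_to_rwx $(( (m >> s) & 7 )))"
  done
  printf '%s' "$out"
}

# The reverse: rwxr-xr-- -> 754. Every character that is not a dash is a set bit.
rwx_to_mode() {
  str=$1; m=0
  while [ -n "$str" ]; do
    c=${str%"${str#?}"}; str=${str#?}
    m=$((m << 1))
    case "$c" in -) ;; *) m=$((m | 1)) ;; esac
  done
  printf '%o' "$m"
}

# Apply one symbolic clause (u+x, g-w, o=rx, a+r, ug+rw, ...) to an integer mode.
apply_clause() {
  cur=$1; clause=$2
  who=${clause%%[-+=]*}          # letters before the operator; empty means a
  rest=${clause#"$who"}
  op=${rest%"${rest#?}"}         # the operator itself: -, + or =
  perms=${rest#?}
  : "${who:=a}"
  case "$who" in *a*) who=ugo ;; esac
  bits=0
  case "$perms" in *r*) bits=$((bits | 4)) ;; esac
  case "$perms" in *w*) bits=$((bits | 2)) ;; esac
  case "$perms" in *x*) bits=$((bits | 1)) ;; esac
  mask=0; val=0                  # mask: the section(s) this clause covers
  case "$who" in *u*) mask=$((mask | 0700)); val=$((val | (bits << 6))) ;; esac
  case "$who" in *g*) mask=$((mask | 070));  val=$((val | (bits << 3))) ;; esac
  case "$who" in *o*) mask=$((mask | 07));   val=$((val | bits)) ;; esac
  case "$op" in
    +) cur=$((cur | val)) ;;                  # add the bits
    -) cur=$((cur & ~val)) ;;                 # remove the bits
    =) cur=$(( (cur & ~mask) | val )) ;;      # replace the whole section
  esac
  printf '%d' "$cur"
}

# Apply a comma-separated list such as "o+x,g-w,o-w" to an octal mode: 776 -> 755.
apply_symbolic() {
  cur=$((0$1)); list=$2
  while [ -n "$list" ]; do
    clause=${list%%,*}
    cur=$(apply_clause "$cur" "$clause")
    if [ "$clause" = "$list" ]; then break; fi
    list=${list#*,}
  done
  printf '%o' "$cur"
}

# umask clears bits (base AND NOT mask); it is not a digit subtraction.
# 666 under umask 022 gives 644; 666 under umask 027 gives 640, not 6 4 "-1".
apply_umask() {
  printf '%o' $(( 0$1 & ~0$2 ))
}

# Report what a new file (666) and a new directory (777) get under a umask.
umask_report() {
  f=$(apply_umask 666 "$1"); d=$(apply_umask 777 "$1")
  printf 'umask %s: files %s (%s), directories %s (%s)\n' \
    "$1" "$f" "$(mode_to_rwx "$f")" "$d" "$(mode_to_rwx "$d")"
}

umask_report 022
umask_report 027
```

Running the script prints the file and directory results for umask 022 (644 and 755, matching the table) and for 027, where the group loses write and others lose everything. The same helpers reproduce the `chmod o-x` and `chmod o+x,g-w,o-w` steps from the symbolic section purely in arithmetic.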

## Special Permissions

### SUID

Sometimes you may be able to execute certain files without having permissions on them. That is where **SUID** comes in, and why it is often relevant to privilege escalation.

It basically grants the owner’s privileges temporarily to whoever executes the file, by setting the **SUID** bit on the program.

To set the SUID bit you only need to add a “4” in front of the regular permission digits. That is why, when looking for files with the **SUID** bit set, we use `-perm -04000` (`-perm` matches on permission bits): `find / -type f -perm -04000`

```bash
$ chmod 4755 file.sh   # 4 + 755: SUID bit on top of rwxr-xr-x
$ ls -l file.sh
 -rwsr-xr-x  2 root root 60 Jun 20 11:39 file.sh
```

Notice that the owner’s execute flag `x` is shown as `s` once the SUID bit is set.
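As an added example (not code from the original page), the following POSIX shell script decodes a ten-character `ls -l` permission field, including `s`, `S`, `t` and `T`, into its four-digit octal mode, and uses that to flag set-uid and set-gid entries in a listing. The listing lines are constructed for this example, and the function names (`perm_to_octal`, `find_setid`) are this example’s own. A capital `S` means the SUID (or SGID) bit is set while the matching execute bit is not, which is what a mode such as 4644 produces.

```shell
#!/bin/sh
# Added example (not from the original page): decode special bits from an
# ls -l permission string and flag set-uid / set-gid entries in a listing.

# Ten-character permission field (type + 9) -> four-digit octal mode, e.g.
#   -rwsr-xr-x -> 4755   (s: set-uid and owner execute)
#   -rwSr--r-- -> 4644   (S: set-uid without owner execute)
#   drwxrwxrwt -> 1777   (t: sticky bit on a directory)
#   -rw-r--r-- -> 0644   (no special bits)
perm_to_octal() {
  str=${1#?}               # drop the file-type character
  special=0; m=0; i=0
  while [ -n "$str" ]; do
    c=${str%"${str#?}"}; str=${str#?}
    m=$((m << 1))
    case "$c" in
      r|w|x|s|t) m=$((m | 1)) ;;     # lowercase s/t still carry an execute bit
    esac
    case $i in
      2) case "$c" in s|S) special=$((special | 4)) ;; esac ;;   # set-uid
      5) case "$c" in s|S) special=$((special | 2)) ;; esac ;;   # set-gid
      8) case "$c" in t|T) special=$((special | 1)) ;; esac ;;   # sticky
    esac
    i=$((i + 1))
  done
  printf '%o%03o' "$special" "$m"
}

# Constructed sample listing for this example; not output from a real system.
SAMPLE_LISTING='-rwsr-xr-x 1 root root 59976 Jan  1 10:00 passwd
-rwxr-xr-x 1 root root 12345 Jan  1 10:00 ordinary
-rwSr--r-- 1 vix  vix    434 Jan  1 10:00 odd-suid-no-exec
-rwxr-sr-x 1 root mail  1200 Jan  1 10:00 mail-helper
drwxrwxrwt 2 root root  4096 Jan  1 10:00 shared'

# Print "<octal mode> <owner> <name>" for every entry whose set-uid (4) or
# set-gid (2) bit is on; the sticky bit alone (1) is not reported.
find_setid() {
  printf '%s\n' "$1" | while read -r perm links owner group size mon day time name; do
    oct=$(perm_to_octal "$perm")
    sp=${oct%???}                # the leading special digit
    if [ $((sp & 6)) -ne 0 ]; then
      printf '%s %s %s\n' "$oct" "$owner" "$name"
    fi
  done
}

find_setid "$SAMPLE_LISTING"
```

When auditing a real system, the `find / -type f -perm -04000` command from the text produces the candidate list, and a decoder like this makes it easy to spot entries whose set-id bit is set on a file the owner cannot even execute, which is usually a mistake worth correcting.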

### SGID

Similar to **SUID**, **SGID** applies to the file owner’s group, which means that users in that group can execute files in that directory.

To set it, add a “2” in front of the regular permission digits:

```bash
$ chmod 2644 file.sh
```
