
Linux User Permissions Explained

Author : Adrian October 22, 2025

Linux kernel

Shell and Kernel

Linux is an open-source, Unix-based operating system. It is widely used in servers, embedded systems, supercomputers, and desktops due to its flexibility, stability, and performance.

The Linux kernel is the core of the operating system. It interacts directly with hardware and provides resource management and system services to user space programs and services via an interface.

Main responsibilities of the Linux kernel

  • Hardware abstraction: Abstracts low-level hardware resources such as CPU, memory, and disks into more usable interfaces.
  • Resource management: Allocates and manages CPU time, memory space, file systems, and other resources.
  • System call interface: Provides an API set that user programs can access via system calls to use hardware or OS functions.
  • Device drivers: Manages various hardware devices such as keyboards, displays, and network cards.

Users do not interact with the kernel directly; they use a shell as an intermediary. The shell is a command interpreter that translates user commands into system calls the kernel can understand, thereby controlling the operating system behavior.

Shell functions

  • Command parsing: Interprets and executes user commands such as file operations and program execution.
  • Script support: Runs shell scripts to automate tasks.
  • User environment: Allows users to run programs, manage files, and configure the system.

By analogy to Windows, the Windows GUI corresponds to the shell in Linux. When using Windows you are not operating the kernel directly but interacting through a graphical interface.

User Privileges

Linux distinguishes two main privilege levels: the root user and normal users. They serve different roles for system administration and regular operations.

  • root user: The superuser with highest privileges, able to perform any operation on the system.
  • normal user: A user with limited privileges intended for everyday tasks.

The command prompt for root is "#" while a normal user's prompt is "$".

Switching users

  1. From a normal user to root: use the su command:

    su

    After entering the root password, the session switches to root. Note that this switch keeps the current working directory.

    • Or switch to a specific normal user:

    su username

    • From root back to a normal user, exit root:

    exit

  2. The su - command:
    • su - creates a login shell for the target user, so the current directory is not kept; the shell starts in that user's home directory.
    • Default root home directory: /root
    • Default normal user home directory: /home/username

sudo

Normal users have limited privileges and sometimes need to perform privileged operations. The sudo command allows a normal user to execute commands as root or another privileged user without logging in as that user. This reduces the risk of accidental system-wide changes and improves security.

To allow a normal user to use sudo, the user must be added to the whitelist configured in /etc/sudoers, which can be edited with an editor such as vim:

vim /etc/sudoers

Demonstration environment: Ubuntu 20.04.6

Example:

sudo apt update

The system will prompt for the current user's password, not the root password, and then execute the command with root privileges.
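A least-privilege sudoers entry for the sudo apt update case above, as an added example that is not from the original post. It assumes Ubuntu's default /etc/sudoers includes /etc/sudoers.d, uses a hypothetical user alice, and writes only to a scratch directory, never to /etc.

```shell
# Added example (not from the original post): write a least-privilege sudoers drop-in for
# "sudo apt update" and check its syntax. Assumes the Ubuntu default "#includedir /etc/sudoers.d"
# and a hypothetical user alice; everything is written to a scratch directory.

# write_sudoers_dropin <dir> <user> -> path of the fragment written
write_sudoers_dropin() {
    f="$1/50-$2-apt"                   # no dot in the name: sudo skips names containing "."
    # Broad form, what "add the user to sudoers" usually means:   alice ALL=(ALL:ALL) ALL
    # Narrow form used here: on any host, only as root, only "apt update"; anything else is refused.
    printf '%s ALL=(root) /usr/bin/apt update\n' "$2" > "$f"
    chmod 0440 "$f"                    # sudo expects sudoers files to be mode 0440, owned by root
    printf '%s\n' "$f"
}

# check_sudoers <file> -> 0 if visudo accepts it (without visudo, only the line shape is checked)
check_sudoers() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$1" >/dev/null
    else
        grep -Eq '^[^# ][^ ]* +[^ =]+=\([^)]*\) +/[^ ]+' "$1"   # user host=(runas) /abs/cmd ...
    fi
}

dir=$(mktemp -d)
frag=$(write_sudoers_dropin "$dir" alice)
cat "$frag"                        # alice ALL=(root) /usr/bin/apt update
check_sudoers "$frag" && echo "syntax OK"
rm -rf "$dir"
```

Check a fragment with visudo -cf before installing it under /etc/sudoers.d, since a syntax error in sudoers can lock every user out of sudo. On a scratch copy that is not owned by root, visudo may also report owner or mode problems.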

File and Directory Permissions

Access roles

Each file and directory on Linux has three categories of access entities:

  1. Owner: The owner of the file or directory.
  2. Group: A group of users that can share access to the file or directory.
  3. Others: Users other than the owner and members of the group.

Permission representation

Permissions are represented with the rwx model:

  1. r (read): Read permission.
  2. w (write): Write permission.
  3. x (execute): Execute permission.

Each file's permissions are shown as 10 characters, for example:

-rwxr-xr--

First character: file type

  • - indicates a regular file
  • d indicates a directory
  • l indicates a symbolic link
  • b indicates a block device file (for example, disk or optical drive)
  • p indicates a pipe
  • c indicates a character device file (for example, serial devices)
  • s indicates a socket

The next nine characters are divided into three groups (owner, group, others):

  • Owner: rwx means readable, writable, executable
  • Group: r-x means readable, not writable, executable
  • Others: r-- means readable, not writable, not executable

Permissions can also be expressed in octal and binary:

Permission  Octal  Binary
rwx         7      111
rw-         6      110
r-x         5      101
r--         4      100
-wx         3      011
-w-         2      010
--x         1      001
---         0      000

Use ls -l (or ll) to view file and directory permissions:

ls -l

Example output:

-rw-r--r-- 1 user group 1234 Dec 1 10:00 file.txt

  • -rw-r--r--: permission bits.
  • user: file owner.
  • group: file's group.
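The rwx/octal table and the ls -l output above, turned into a small POSIX sh helper (an added example, not from the original post): it converts both ways, also accepts the s/S and t/T letters that ls shows for setuid, setgid and the sticky bit, and extracts the owner and group from a constructed ls -l line.

```shell
# Added example (not from the original post): rwx <-> octal, plus ls -l field extraction.
# rwx_to_octal '-rwxr-xr--' -> 754  (10-character ls -l form or the bare 9 bits)
rwx_to_octal() {
    s=$1 octal=""
    [ ${#s} -eq 10 ] && s=${s#?}            # drop the file-type character
    [ ${#s} -eq 9 ] || { echo "bad permission string: $1" >&2; return 1; }
    while [ -n "$s" ]; do                   # one pass per owner/group/others triplet
        val=0
        for want in r w x; do
            c=${s%"${s#?}"}; s=${s#?}       # first character, then the rest
            case "$want$c" in
                rr) val=$((val + 4)) ;;
                ww) val=$((val + 2)) ;;
                xx|xs|xt) val=$((val + 1)) ;;   # s/t: setuid, setgid or sticky with x set
                r-|w-|x-|xS|xT) ;;              # S/T: special bit set but x clear
                *) echo "bad permission character: $c" >&2; return 1 ;;
            esac
        done
        octal="$octal$val"
    done
    printf '%s\n' "$octal"
}

# octal_to_rwx 754 -> rwxr-xr--  (a leading special-bits digit, as in 0754, is dropped)
octal_to_rwx() {
    n=$1 out=""
    [ ${#n} -eq 4 ] && n=${n#?}
    [ ${#n} -eq 3 ] || return 1
    while [ -n "$n" ]; do
        d=${n%"${n#?}"}; n=${n#?}
        case $d in [0-7]) ;; *) return 1 ;; esac
        for bit in 4:r 2:w 1:x; do          # 4=r, 2=w, 1=x, as in the table above
            if [ $((d & ${bit%:*})) -ne 0 ]; then out="$out${bit#*:}"; else out="$out-"; fi
        done
    done
    printf '%s\n' "$out"
}

# ls_field '<ls -l line>' mode|owner|group|octal|name  (name = everything after 8 fields)
ls_field() {
    want=$2; set -- $1                      # split the line on whitespace
    case $want in
        mode) printf '%s\n' "$1" ;;  owner) printf '%s\n' "$3" ;;  group) printf '%s\n' "$4" ;;
        octal) rwx_to_octal "$1" ;;  name) shift 8; printf '%s\n' "$*" ;;  *) return 1 ;;
    esac
}

SAMPLE='-rw-r--r-- 1 user group 1234 Dec 1 10:00 file.txt'   # constructed, same shape as above
printf '%s: mode %s = %s, owner %s:%s\n' "$(ls_field "$SAMPLE" name)" "$(ls_field "$SAMPLE" mode)" \
    "$(ls_field "$SAMPLE" octal)" "$(ls_field "$SAMPLE" owner)" "$(ls_field "$SAMPLE" group)"
```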

 

Changing permissions

  1. chmod: Modify file or directory permissions.
    • Symbolic mode:

    chmod u+x file.txt   # Add execute permission for the owner
    chmod g-w file.txt   # Remove write permission for the group
    chmod o+r file.txt   # Add read permission for others
    chmod o=r filename   # Set others' permission to read-only (replaces their existing bits)

    • Numeric mode (each permission corresponds to a number):

    chmod 754 file.txt   # Set permission to rwxr-xr--

    • Recursive change:

    chmod -R 755 /path/to/directory

  2. chown and chgrp: Change the owner and the group of a file.

    chown user file.txt        # Change file owner
    chgrp group file.txt       # Change file group
    chown user:group file.txt  # Change file owner and group

    Recursive change:

    chown -R user:group /path/to/directory

umask

umask (User File Creation Mode Mask) sets the default permission mask for newly created files and directories. It defines which permission bits are disabled by default.

1. Default permissions

In Linux, new files and directories start from these defaults:

  • Files: 666 (read and write, no execute by default).
  • Directories: 777 (read, write, execute).

The final permissions after creation are:

Final permissions = Default permissions - umask

2. umask representation

umask is usually shown as a 4-digit value where the leading 0 indicates special permissions and can be ignored. Treat it as a three-digit octal number where each digit masks permissions:

  • First digit: owner.
  • Second digit: group.
  • Third digit: others.

Mask rules:

  • 4: mask read permission (r).
  • 2: mask write permission (w).
  • 1: mask execute permission (x).
  • 0: mask nothing.

For example, umask 0002 masks the write permission for others, and umask 0033 masks write and execute for group and others.

3. View and set umask

View current umask:

umask

Set umask:

umask 0xxx   # Set the umask to 0xxx
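The umask formula above, evaluated the way the kernel does (an added example, not from the original post): the mask is applied bitwise, mode AND NOT umask, which gives the same digits as plain subtraction only while every masked bit is present in the default. It also creates a real file and directory under a given umask to check the result; POSIX sh, no root needed.

```shell
# Added example (not from the original post): apply a umask as the kernel does (mode & ~umask),
# compare it with the subtraction shorthand, and verify against a real file and directory.

# apply_umask <default> <umask> -> resulting mode, e.g. apply_umask 666 033 -> 644
apply_umask() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))     # the leading 0 makes the shell read both as octal
}

# subtract_octal <default> <umask> -> plain octal subtraction, e.g. subtract_octal 666 033 -> 633
subtract_octal() {
    printf '%03o\n' $(( 0$1 - 0$2 ))
}

# create_with_umask file|dir <umask> -> the nine rwx characters of an object actually created
create_with_umask() {
    tmp=$(mktemp -d) || return 1
    (
        umask "$2"                         # umask is per process; the subshell keeps it local
        if [ "$1" = dir ]; then mkdir "$tmp/obj"; else : > "$tmp/obj"; fi   # 777 / 666 default
    )
    ls -ld "$tmp/obj" | cut -c2-10
    rm -rf "$tmp"
}

# The two formulas agree while every masked bit is present in the default (022 on 666 or 777);
# 033 also clears an execute bit a file never had, so subtraction borrows and gives 633 instead of 644.
for m in 0002 0022 0033 0077; do
    printf 'umask %s: file %s, dir %s (subtraction would give file %s)\n' \
        "$m" "$(apply_umask 666 "$m")" "$(apply_umask 777 "$m")" "$(subtract_octal 666 "$m")"
done
printf 'created under umask 022: file %s, dir %s\n' \
    "$(create_with_umask file 022)" "$(create_with_umask dir 022)"
```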

Directory Permissions

Directory permissions determine what users can do with a directory. They are similar to file permissions but behave differently because directories organize files rather than storing content directly.

Read permission (r)

  • Allows listing files and subdirectories in the directory.
  • Without execute permission, you cannot enter the directory, so even with read permission you may not be able to access its contents.

Write permission (w)

  • Allows writing actions within the directory, including:
    • Creating new files or directories.
    • Deleting or renaming files/subdirectories.
  • Requires execute permission to take effect.

Execute permission (x)

  • Allows entering the directory.
  • Without read permission, you can enter but cannot list contents.

Sticky Bit

The sticky bit is a special permission used primarily on directories in Linux and Unix. It ensures that files within a directory can only be deleted or renamed by the file owner, the directory owner, or a privileged user, even when the directory is writable by others.

1. Purpose

Without the sticky bit, any user with write permission on a directory can delete or modify any files inside it, regardless of file ownership. The sticky bit restricts this behavior to provide finer-grained control:

  • Only the file owner, the directory owner, or the superuser can delete or rename files.
  • Other users with write permission on the directory cannot delete or modify files they do not own.

2. Typical use cases

  • Public directories:
    • For example, /tmp allows all users to create files but prevents them from deleting other users' files.
    • /tmp permissions are typically:

    drwxrwxrwt # Note the trailing t indicates the sticky bit is set

  • Collaboration environments:
    • In shared directories, different users can create their own files but cannot affect others' files.

3. View and set the sticky bit

Use ls -ld to view directory permission status:

ls -ld directory_name

Example output:

drwxrwxrwt # Note the trailing t indicates the sticky bit is set

The trailing t indicates the sticky bit is enabled. The base permission bits are the usual rwxrwxrwx for owner, group, and others; the t is displayed in place of the final x for others.

Use chmod to set or remove the sticky bit:

chmod +t directory      # Add sticky bit
chmod 1775 directory    # Same, in octal: the value for the sticky bit is 1000
chmod -t directory      # Remove sticky bit
chmod 0775 directory    # Same, in octal
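The sticky-bit commands above run on a scratch directory, as an added example that is not from the original post; it also shows the uppercase T that ls -ld prints when the sticky bit is set but others lack execute, and a find check that lists world-writable directories missing the bit. POSIX sh; mktemp and find are assumed to be available.

```shell
# Added example (not from the original post): set, inspect and clear the sticky bit on a
# scratch directory, plus a defender's check for world-writable directories that lack it.

# sticky_char <dir> -> tenth character of ls -ld: x (no sticky), t (sticky, others have x),
# T (sticky set but others lack x)
sticky_char() {
    ls -ld "$1" | cut -c10
}

# has_sticky <dir> -> 0 if the sticky bit is set, whether ls shows t or T
has_sticky() {
    case $(sticky_char "$1") in t|T) return 0 ;; *) return 1 ;; esac
}

# sticky_walkthrough -> the ls -ld character after each chmod, space separated
sticky_walkthrough() {
    d=$(mktemp -d) || return 1
    chmod 0775 "$d"; a=$(sticky_char "$d")   # rwxrwxr-x, no sticky bit
    chmod +t "$d";   b=$(sticky_char "$d")   # symbolic form: t replaces the others' x
    chmod 1774 "$d"; c=$(sticky_char "$d")   # 1000 set but others r--: ls shows uppercase T
    chmod -t "$d";   e=$(sticky_char "$d")   # cleared: the plain others bit shows again (-)
    rmdir "$d"
    printf '%s %s %s %s\n' "$a" "$b" "$c" "$e"
}

# world_writable_unsticky <root> -> directories under root that anyone can write to but that
# lack the sticky bit, so any user could delete or rename other users' files there
world_writable_unsticky() {
    find "$1" -type d -perm -0002 ! -perm -1000
}

sticky_walkthrough                                          # prints: x t T -
scratch=$(mktemp -d); mkdir "$scratch/open" "$scratch/safe"
chmod 0777 "$scratch/open"; chmod 1777 "$scratch/safe"      # "safe" is set up like /tmp
world_writable_unsticky "$scratch"                          # lists only .../open
rm -rf "$scratch"
```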