UNIX is by default a multiuser and multitasking operating system. Several users can be logged in at the same time on a single machine, so UNIX needs rules to manage users. One of these rules is permission, which constrains what a user can do: a user can only do the things they are privileged for.
The Read, Write, & Execute Access Permission
In the UNIX world, everything is a file. Whether you access a real file such as a text document, a web page, an image, a song or a video, or something such as a socket or a device: everything is a file.
UNIX then grants privileges that decide who can access which resource (file) on the system. Access is divided into three types: read (r), write (w), and execute (x).
As the names suggest, each permission limits what a user can do. If a user has read access to a certain file, they can read the file. To write to a file, a user must have write permission. Execute permission allows a user to run a file as an executable; files such as scripts and applications are treated this way.
The permission given to a user is a set of the three access types mentioned before. Thus a user can have any combination of the three, such as read & write, read & execute, read only, write only, etc. To denote which privileges a user has, there is a common method: using octal numbers.
In the octal representation,
- read access (r) is represented by 4
- write access (w) is represented by 2
- execute access (x) is represented by 1
Thus, the general formula for a user's privileges is read + write + execute. For example,
- a user with no read access, with write access, and with execute access = 0 + 2 + 1 = 3
- a user with read, write, and execute access = 4 + 2 + 1 = 7
On UNIX, there is also a common method of denoting privileges using a combination of characters. UNIX uses three fields filled with r, w, and x for read, write, and execute access respectively. If the user does not have the corresponding access, it is denoted by a '-' character. Thus for the examples above we have:
- a user with no read access, with write access, and with execute access = -wx
- a user with read, write, and execute access = rwx
User, Group, and Other
Furthermore, a user of a UNIX machine belongs to certain groups of users. A group is a class of users sharing the same interest, and membership can only be decided by the root account. UNIX then divides permissions into three categories: user (the one who owns the file, not always the one who created it), group (users who share the same group), and other (users who are not in the owner's group).
Thus, in UNIX every file has an ownership. The ownership is identified by two values: the user owner and the group owner. The user owner determines which permission set applies to the user, while the group owner determines which permission set applies to the group. Access is denoted by the same method mentioned above.
For example: a file “System Blueprint.odt” is created by user xathrya. The ownership of this file is xathrya (user), engineer (group). The file can be read and written by xathrya (as owner); each user in group engineer can read it but cannot write to it; a user who is not in the engineer group cannot read, write, or execute this file. Thus user alice, who is in the engineer group, can read it, while user bob, who is not in the engineer group, is denied access.
Let’s invoke this:
You will then see a list of files and directories in the current path. In the first segment of each entry there is a string consisting of d, r, w, and x. This denotes the permissions according to the user, group, and other classification we discussed above (except for d, which denotes whether the entry is a directory).
The 2nd to 4th characters denote the permissions for the user, the 5th to 7th for the group, and the 8th to 10th for other. In short, if an entry has a permission string like drw-rw-r--, then the directory (d) can be read and written by its user and group, while other users can only read (see) it.
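As an added example (not part of the original article), here is the two-way conversion between the octal mode and the symbolic field that ls -l prints, written in POSIX sh. It goes a little beyond the text: it also handles the setuid/setgid (s) and sticky (t) characters that appear later in the article, and the capital S/T that ls prints when such a bit is set on a class without execute permission. The function names are my own.

```shell
#!/bin/sh
# Constructed example: convert between an ls -l permission field and an octal mode.
# sym_to_octal 'drw-rw-r--' -> 0664 ; sym_to_octal 'rwsr-xr-x' -> 4755
# A leading type character (d, -, l, ...) is accepted and dropped.
sym_to_octal() {
    s=$1
    case ${#s} in 10) s=${s#?} ;; esac
    special=0 digits=""
    for pos in 1 4 7; do                         # user, group, other triplets
        r=$(printf '%s' "$s" | cut -c"$pos")
        w=$(printf '%s' "$s" | cut -c"$((pos + 1))")
        x=$(printf '%s' "$s" | cut -c"$((pos + 2))")
        d=0
        case $r in r) d=$((d + 4)) ;; esac
        case $w in w) d=$((d + 2)) ;; esac
        case $x in x|s|t) d=$((d + 1)) ;; esac   # s/t imply execute; S/T do not
        case $pos$x in                           # special digit: 4 setuid, 2 setgid, 1 sticky
            1s|1S) special=$((special + 4)) ;;
            4s|4S) special=$((special + 2)) ;;
            7t|7T) special=$((special + 1)) ;;
        esac
        digits=$digits$d
    done
    printf '%s%s\n' "$special" "$digits"
}
# octal_to_sym 755 -> rwxr-xr-x ; octal_to_sym 4655 -> rwSr-xr-x
octal_to_sym() {
    m=$1
    case ${#m} in 3) m=0$m ;; esac               # allow the 3-digit form
    sp=$(printf '%s' "$m" | cut -c1)
    out=""
    for i in 2 3 4; do                           # user, group, other digits
        d=$(printf '%s' "$m" | cut -c"$i")
        r=- w=- x=-
        case $d in 4|5|6|7) r=r ;; esac
        case $d in 2|3|6|7) w=w ;; esac
        case $d in 1|3|5|7) x=x ;; esac
        bit=0
        case $i in 2) bit=4 ;; 3) bit=2 ;; 4) bit=1 ;; esac
        if [ $((sp & bit)) -ne 0 ]; then         # bit set: x becomes s/t, or S/T without execute
            case $i$x in 2x|3x) x=s ;; 2-|3-) x=S ;; 4x) x=t ;; 4-) x=T ;; esac
        fi
        out=$out$r$w$x
    done
    printf '%s\n' "$out"
}
sym_to_octal 'drw-rw-r--'   # prints 0664
octal_to_sym 4755            # prints rwsr-xr-x
```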
Changing the Permission
As discussed above, a file has access permissions. These privileges can be changed at any time using chmod. Here is an example:
chmod 444 foo
The 444 means user, group, and other can only read foo (remember how we denote access using octal numbers).
Besides the numerical method above, we can use chmod with symbols such as r, w, and x. First see this table:
| Category | Symbol | Meaning |
| who | u | user (owner) |
| who | g | group |
| who | o | other |
| who | a | all (u, g, and o) |
| operator | + | add the permission |
| operator | - | remove the permission |
| permissions | r | read |
| permissions | w | write |
| permissions | x | execute |
| permissions | s | set UID or GID |
Now, let's see some examples:
chmod a+rwx foo
That example assigns permissions to foo. The symbol a means all users are affected, and the permissions set are read, write, and execute. Thus any user has total access to foo.
If you target a, you can also omit it from the command:
chmod +rwx foo
chmod g-x foobar
This command removes execute permission from users who share the group of the group owner. Thus this command only affects the group owner's permission set.
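An added example (not from the original article) that applies the numeric and symbolic chmod forms above to a scratch file in POSIX sh and reads the result back from the first field of ls -l. It also shows a detail the examples gloss over: when the who letter is omitted, chmod applies the umask to the added bits, so `chmod +rwx` and `chmod a+rwx` can differ. The helper names and the scratch file foo are my own.

```shell
#!/bin/sh
# Constructed example: chmod a scratch file and read the result back from ls -l.

# perm FILE -> the 10-character type+permission field of ls -l, e.g. -rw-r--r--
# (cut to 10 characters: some systems append '.' or '+' when an ACL or label is present)
perm() { ls -ld "$1" | cut -c1-10; }

# mode_after START CHMOD_ARG -> permission field of a fresh file with mode START
# after running `chmod CHMOD_ARG` on it.
mode_after() {
    dir=$(mktemp -d)
    f=$dir/foo
    : > "$f"
    chmod "$1" "$f"          # known starting point
    chmod "$2" "$f"          # the operation under test, numeric or symbolic
    perm "$f"
    rm -r "$dir"
}

# mode_after_umask UMASK START CHMOD_ARG -> same, with the umask set first
mode_after_umask() { ( umask "$1"; mode_after "$2" "$3" ); }

mode_after 600 444             # -r--r--r--  (everyone read-only)
mode_after 600 a+rwx           # -rwxrwxrwx  (a = all classes)
mode_after 755 g-x             # -rwxr--r-x  (only the group class loses x)
# Without a who letter the umask masks the added bits: with umask 022,
# +rwx grants w to the owner only, while a+rwx ignores the umask.
mode_after_umask 022 600 +rwx  # -rwxr-xr-x
mode_after_umask 022 600 a+rwx # -rwxrwxrwx
```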
FreeBSD File Flags
Exclusive to FreeBSD, there are additional “file flags”. These flags add control and security for files. With them, even root can be prevented from changing or removing files.
The flags can be assigned with:
Some flags are described here:
- arch: archived flag
- nodump: nodump flag
- sappnd: system append-only flag
- schg: system immutable flag
- sunlnk: system undeletable flag
- uappnd: user append-only flag
- uchg: user immutable flag
- uunlnk: user undeletable flag
For example, if we want to create a file and ensure it cannot be written, we use the immutable flag, such as:
chflags schg foo
To check flags status, we can use:
Now try removing a file with the immutable flag using root privileges 😀
setuid, setgid, and sticky
Along with the permission system discussed before, another permission system is introduced: setuid, setgid, and sticky. These settings are important for some systems as they provide functionality which is not given to a normal user.
Setuid sets the user ID upon execution. Setgid sets the group ID upon execution. These
Before we proceed, let’s discuss the real user ID and the effective user ID.
The real user ID is the UID which owns or started a process.
The effective user ID is the UID which is used at the process’ runtime.
For example: a user who runs passwd has passwd run under their UID, but to update the password database, passwd takes root as its effective UID. This prevents the user from getting an error message such as “Permission Denied”.
The setuid permission can be set by prefixing the permission set with 4, as described here:
chmod 4755 foo
Then list the files in the current directory. You will see an s symbol in the file permissions: the permission will be rwsr-xr-x instead of rwxr-xr-x.
The setgid is similar to setuid, except it changes the group. To set the effective group ID, add 2 instead of 4 in the previous example, such as:
chmod 2755 foo
Of course, using setuid and setgid creates a threat. If an attacker can exploit a setuid- or setgid-enabled binary, they can gain root-level access. To prevent this, make sure a normal user does not have access to setuid binaries, especially ones owned by users other than themselves.
For example: if a text editor like vi has setuid active, it can open any file which can otherwise be opened only by a certain user, because the system assumes vi is run by root even when the one who ran it is a normal user. Then, what if the user accesses sensitive files such as initialization scripts, or the password files?
Last, the sticky permission. If this permission is set, then only the file owner can remove the file. To add the sticky permission, we add 1 when setting the permission with chmod, such as:
chmod 1755 foo
The permission set will appear as the character t in the permission flags, such as rwxr-xr-t instead of rwxr-xr-x.
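An added example (not from the original article) that sets the 4/2/1 prefixes from this section on scratch files in POSIX sh, reads back the s and t characters ls -l prints, and finishes with the audit step the setuid warning above calls for: finding the files in a tree that carry the setuid bit. It also covers 4655, where ls prints a capital S because the bit is set on a class without execute permission. Function names and scratch file names are my own.

```shell
#!/bin/sh
# Constructed example: setuid/setgid/sticky bits on scratch files, plus a setuid audit.

perm() { ls -ld "$1" | cut -c1-10; }   # 10-char ls -l field (ACL/label suffix cut off)

# special_mode MODE KIND -> ls -l field of a scratch file (KIND=f) or directory (KIND=d)
# after `chmod MODE`. Sticky is shown on a directory, its usual home (cf. /tmp).
special_mode() {
    dir=$(mktemp -d)
    t=$dir/foo
    if [ "$2" = d ]; then mkdir "$t"; else : > "$t"; fi
    chmod "$1" "$t"
    perm "$t"
    rm -r "$dir"
}

# list_setuid DIR -> regular files under DIR with the setuid bit set.
# `-perm -4000` matches when all bits of 4000 are set (POSIX find).
list_setuid() { find "$1" -type f -perm -4000; }

# setuid_count -> number of setuid files in a scratch tree holding one 4755 and one 755 file
setuid_count() {
    dir=$(mktemp -d)
    : > "$dir/suid";  chmod 4755 "$dir/suid"
    : > "$dir/plain"; chmod 755 "$dir/plain"
    list_setuid "$dir" | wc -l | tr -d ' '
    rm -r "$dir"
}

special_mode 4755 f   # -rwsr-xr-x  setuid: s replaces the owner's x
special_mode 2755 f   # -rwxr-sr-x  setgid: s replaces the group's x
special_mode 1755 d   # drwxr-xr-t  sticky: t replaces other's x
special_mode 4655 f   # -rwSr-xr-x  capital S: setuid set, but no execute bit
setuid_count          # 1
```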