Linux Permissions Model

Linux permissions control everything
Every file and directory carries permissions that determine who can read, write, or execute it. Get this wrong and you either lock yourself out or grant attackers access.

Three Permission Classes

  • Owner (u) - The user who owns the file
  • Group (g) - Users in the file's group
  • Others (o) - Everyone else

Three Permission Types

  • Read (r) - Value 4
  • Write (w) - Value 2
  • Execute (x) - Value 1

Reading Permission Strings

-rwxr-xr-- 1 root root 4096 Jan 01 12:00 exploit.sh

Breaking down: - = regular file, rwx = owner full access, r-x = group read+execute, r-- = others read only

Octal Notation

rwx = 7  rw- = 6  r-x = 5  r-- = 4
-wx = 3  -w- = 2  --x = 1  --- = 0

Common patterns: 755 (executables), 644 (text files), 600 (SSH keys), 700 (private dirs)

chmod

chmod 755 script.sh              # rwxr-xr-x
chmod 600 ~/.ssh/id_rsa          # rw-------
chmod u+x script.sh              # Add execute for owner
chmod -R 755 directory/          # Recursive
chmod u+s program                # Add SUID bit (DANGER ZONE)

SUID - The Danger Zone

When set on an executable, the program runs with the permissions of the file owner instead of those of the user who executes it.

chmod u+s /usr/bin/program       # Add SUID
chmod 4755 /usr/bin/program      # Octal (4 = SUID bit)

Finding SUID binaries is a primary privilege escalation enumeration step:

find / -perm -4000 -type f 2>/dev/null
find / -user root -perm -4000 -type f 2>/dev/null
find / -perm -4000 -type f 2>/dev/null | grep -v "/usr/bin\|/bin\|/usr/sbin"

Check GTFOBins for exploitation methods for binaries like nmap, vim, find, cp, and less.
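The permission-string breakdown, the octal table and the SUID checks above can be tied together in a small parser. This is an added example, not code from the original page: it converts an ls -l mode string (including s/S and t/T special-bit letters) to the four-digit octal that chmod takes, converts back with the standard library's stat.filemode, and audits a constructed listing for the risky cases this page calls out (SUID root, world-writable without sticky, SSH keys looser than 600). The sample listing, file names and owners are constructed for the example.

```python
import stat
# Index (0-8 within the rwx block) at which each special bit shows up in ls -l output.
SPECIAL = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}

def mode_from_string(perm: str) -> int:
    """Parse an ls -l mode string like '-rwsr-xr-x' into numeric permission bits."""
    if len(perm) != 10:
        raise ValueError(f"expected a 10-character mode string, got {perm!r}")
    mode = 0
    for i, ch in enumerate(perm[1:]):          # skip the file-type character
        bit = 1 << (8 - i)                      # 0o400 for owner r, down to 0o001
        if ch == "rwx"[i % 3]:
            mode |= bit
        elif i in SPECIAL and ch.lower() == ("t" if i == 8 else "s"):
            mode |= SPECIAL[i]                  # lowercase s/t means x is also set
            if ch.islower():
                mode |= bit
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} at position {i + 2} of {perm!r}")
    return mode

def octal_of(perm: str) -> str:
    """'-rwsr-xr-x' -> '4755', i.e. the chmod argument that reproduces it."""
    return f"{mode_from_string(perm):04o}"

def string_from_mode(mode: int, directory: bool = False) -> str:
    return stat.filemode(mode | (stat.S_IFDIR if directory else stat.S_IFREG))  # reverse

def audit_listing(listing: str) -> list[str]:
    """Flag SUID root, world-writable without sticky, and private keys looser than 600."""
    findings = []
    for line in listing.splitlines():
        perm, _, owner, _, _, _, _, _, name = line.split(None, 8)
        mode = mode_from_string(perm)
        if mode & stat.S_ISUID and owner == "root":
            findings.append(f"{name}: SUID root, confirm it is on the known baseline")
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            findings.append(f"{name}: world-writable without sticky bit")
        if name.endswith("id_rsa") and mode & 0o077:
            findings.append(f"{name}: private key should be 600")
    return findings

# Constructed sample listing for this example, not output from a real system.
SAMPLE_LS = """\
-rwxr-xr-- 1 root root 4096 Jan 01 12:00 exploit.sh
-rwsr-xr-x 1 root root 71912 Jan 01 12:00 passwd
-rw-rw-rw- 1 bob  bob  128 Jan 01 12:00 notes.txt
drwxrwxrwt 2 root root 4096 Jan 01 12:00 tmp
-rw-r--r-- 1 bob  bob  1679 Jan 01 12:00 id_rsa
"""
```

Feeding it real `ls -l` output lets you diff the SUID set against a known-good baseline instead of eyeballing find output.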

chown

chown user:group file.txt        # Change owner and group
chown -R www-data:www-data /var/www/html

Special Bits

  • SUID (4): Program runs as owner
  • SGID (2): Program runs as group; new files in directory inherit group
  • Sticky (1): Only a file's owner can delete it in shared directories such as /tmp

File Attributes

chattr +i important.conf         # Make immutable (even root can't modify)
chattr +a logfile.log            # Append-only
lsattr file.txt                  # View attributes

Immutable files cannot be modified or deleted, even by root, until the attribute is cleared again with chattr -i. Attackers set the immutable bit on backdoors to hinder removal, so lsattr output is worth checking during incident response.