Working Code
Example 1: Reading file permissions
ls -la
Example output:
drwxr-xr-x 5 dale staff 160 Jan 15 10:30 Documents
-rw-r--r-- 1 dale staff 1.2K Jan 14 09:00 README.md
-rwxr-xr-x 1 dale staff 245 Jan 13 08:00 script.sh
lrwxr-xr-x 1 dale staff 35 Jan 12 09:00 link -> /path/to/target
The first column shows permission info. It consists of 10 characters:
d rwx r-x r-x
^  ^   ^   ^
|  |   |   └── others permissions
|  |   └────── group permissions
|  └────────── user/owner permissions
└───────────── file type (d=directory, -=file, l=link)
Example 2: Understanding permission characters
Each set of 3 characters represents rwx:
| Character | Meaning | For Files | For Directories |
| --------- | ------- | --------------- | ------------------- |
| r | read | Read contents | List files |
| w | write | Modify contents | Create/delete files |
| x | execute | Run as program | Enter with cd |
| - | none | No permission | No permission |
Example 3: Reading actual permissions
-rw-r--r--
- File (-)
- Owner: rw- (read yes, write yes, execute no)
- Group: r-- (read yes, write no, execute no)
- Others: r-- (read yes, write no, execute no)
-rwxr-xr-x
- File (-)
- Owner: rwx (all permissions)
- Group: r-x (read + execute)
- Others: r-x (read + execute)
Try It Yourself
chmod: Changing Permissions (Symbolic Notation)
# Add execute permission for the owner
chmod u+x script.sh
# Remove write permission for group and others
chmod go-w secret.txt
# Add read permission for everyone
chmod a+r document.txt
# Set multiple permissions at once
chmod u+rwx,go-w config.sh
Symbolic notation:
- u — user (owner)
- g — group
- o — others
- a — all
- + — add permission
- - — remove permission
- = — set exactly (removes everything else)
chmod: Numeric Notation
Each permission is represented as a number:
| Permission | Binary | Decimal |
| ---------- | ------ | ------- |
| --- | 000 | 0 |
| --x | 001 | 1 |
| -w- | 010 | 2 |
| -wx | 011 | 3 |
| r-- | 100 | 4 |
| r-x | 101 | 5 |
| rw- | 110 | 6 |
| rwx | 111 | 7 |
Common numeric patterns:
chmod 755 script.sh # rwxr-xr-x (executable file)
chmod 644 file.txt # rw-r--r-- (regular text file)
chmod 600 secret.txt # rw------- (private file)
chmod 700 private/ # rwx------ (private directory)
# Verify
ls -la script.sh
# -rwxr-xr-x 1 dale staff ...
sudo: Running as Administrator
# Edit a system file (requires admin privileges)
sudo nano /etc/hosts
# Install system packages
sudo apt install package-name
# Open an admin shell
sudo -s
sudo runs a command with root (administrator) privileges. You'll need to enter your password.
Important precautions with sudo:
# Dangerous: sudo rm -rf can delete system files
sudo rm -rf /
# Safe approach: test with normal permissions first
rm testfile # test without sudo
sudo rm systemfile # use sudo only when needed
"Why?" — Why the Permission System Matters
The Unix permission model is the foundation of security in multi-user environments.
Real-world scenarios:
# Web server files (world-readable)
chmod 644 /var/www/html/index.html
# Private SSH key (owner-only read)
chmod 600 ~/.ssh/id_rsa
# SSH refuses to use the key without this permission!
# Executable script
chmod 755 deploy.sh
# Config file with API keys (owner-only)
chmod 600 .env
Why scripts need execute permission:
./script.sh
# zsh: permission denied: ./script.sh
ls -la script.sh
# -rw-r--r-- (no execute permission)
chmod +x script.sh
./script.sh # now it works
Common Mistakes
Mistake 1: Permissions too wide open
# Bad habit: allow everything
chmod 777 myfile.sh # anyone can modify
# Good habit: minimum necessary permissions
chmod 755 myfile.sh # only owner can modify, others can read+execute
Mistake 2: SSH key permission errors
# SSH refuses keys with permissions too open
ls -la ~/.ssh/
# -rw-r--r-- id_rsa (too open!)
# SSH warning:
# WARNING: UNPROTECTED PRIVATE KEY FILE!
# Fix
chmod 600 ~/.ssh/id_rsa
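Mistakes 1 and 2 can be caught by an audit before SSH or an attacker finds them. The script below is an added example, not part of the original page; it assumes GNU find (for `-perm /MODE`), and the function names and sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a tree for world-writable files and exposed secrets.
# Assumption: GNU find. Function names are illustrative, not a standard tool.

# Mistake 1: files that any user can modify (other-write bit set).
find_world_writable() {
    find "$1" -type f -perm -002 | sort
}

# Mistake 2: private keys and .env files with ANY group/other bit set.
# -perm /077 matches when at least one of those six bits is present.
find_exposed_keys() {
    find "$1" -type f \( -name 'id_*' -o -name '.env' \) \
        ! -name '*.pub' -perm /077 | sort
}

# Tighten every exposed secret to owner-only (600); print how many were fixed.
fix_exposed_keys() {
    find_exposed_keys "$1" | while IFS= read -r f; do
        chmod 600 "$f" && echo "$f"
    done | wc -l | tr -d ' '
}

# Constructed sample tree so the audit can be exercised offline.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/.ssh"
    touch "$d/.ssh/id_rsa" "$d/.ssh/id_rsa.pub" "$d/.ssh/id_ed25519" \
          "$d/myfile.sh" "$d/.env"
    chmod 644 "$d/.ssh/id_rsa"       # too open: SSH would refuse this key
    chmod 644 "$d/.ssh/id_rsa.pub"   # public key, readable is fine
    chmod 600 "$d/.ssh/id_ed25519"   # correct
    chmod 777 "$d/myfile.sh"         # anyone can modify
    chmod 640 "$d/.env"              # secrets readable by group
    echo "$d"
}
```

On a real system, point `find_world_writable` and `find_exposed_keys` at a home or project directory and review the list before running `fix_exposed_keys`.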
Mistake 3: Missing x permission on directories
# Read without execute means cd fails
chmod 644 mydir/
cd mydir/
# zsh: permission denied: mydir
# Correct
chmod 755 mydir/
The x permission on a directory means "can enter this directory."
Mistake 4: Overusing sudo
# Unnecessary sudo (your own home directory)
sudo mkdir ~/projects # wrong, ownership becomes root
mkdir ~/projects # correct
# Necessary sudo (system directory)
sudo mkdir /opt/myapp # correct
Deep Dive
chown: Changing file ownership
# Change file owner
sudo chown newuser file.txt
# Change owner and group at once
sudo chown newuser:newgroup file.txt
# Recursively change an entire directory
sudo chown -R newuser:newgroup directory/
chown requires administrator privileges.
umask: Default permission settings
Controls the default permissions for new files/directories:
# Check current umask
umask
# 0022
# New files get 644 (666 with the 022 bits cleared)
# New directories get 755 (777 with the 022 bits cleared)
# More restrictive defaults
umask 077 # files: 600, directories: 700
Security-sensitive servers set umask to 027 or stricter, such as 077.
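The umask is a bit mask, not a number to subtract: each bit set in the umask is cleared from the base mode (666 for files, 777 for directories). The following added example, not from the original page, computes the result and then confirms it by creating a file or directory under that umask; the function names are illustrative.

```shell
#!/bin/sh
# Added example: how umask determines the mode of newly created files.

# Resulting mode = base AND NOT umask (both arguments are octal digits).
# Subtraction gives the same answer for 022 or 077, but not for a mask
# like 033: 666 "minus" 033 suggests 633, while the real result is 644.
apply_umask() {   # $1 = base mode (666 or 777), $2 = umask
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# Create a real file or directory under the given umask and report the
# first 10 characters of its ls mode string. Runs in a subshell so the
# caller's umask is left unchanged.
observed_mode() {   # $1 = umask, $2 = "file" or "dir"
    (
        tmp=$(mktemp -d) || exit 1
        umask "$1"
        if [ "$2" = dir ]; then
            mkdir "$tmp/new"
        else
            : > "$tmp/new"
        fi
        ls -ld "$tmp/new" | cut -c1-10
        rm -rf "$tmp"
    )
}
```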
Special permissions: setuid, setgid, sticky bit
# setuid: run with owner's permissions
chmod u+s program
ls -la program
# -rwsr-xr-x (s indicates setuid)
# sticky bit: only delete your own files in a directory
chmod +t /tmp
ls -la /
# drwxrwxrwt (t indicates sticky bit)
Why /tmp has the sticky bit: everyone can write to it, but you can only delete files you created.
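The special bits occupy a fourth, leading octal digit (setuid 4, setgid 2, sticky 1) and share the execute column in ls output. This added example, not from the original page, converts an ls mode string to four-digit octal, which ties the numeric notation table to the s and t flags shown above; an uppercase S or T means the special bit is set while the execute bit underneath is not. The function name is illustrative.

```shell
#!/bin/sh
# Added example: convert a 10-character ls mode string to 4-digit octal.

mode_to_octal() {   # $1 = mode string such as -rwsr-xr-x
    perms=${1#?}    # drop the file-type character
    special=0
    result=""
    # The three triads (owner, group, others) carry setuid=4, setgid=2,
    # sticky=1 respectively in their execute position.
    for weight in 4 2 1; do
        triad=$(printf '%s' "$perms" | cut -c1-3)
        perms=${perms#???}
        digit=0
        case $triad in r??) digit=$((digit + 4)) ;; esac
        case $triad in ?w?) digit=$((digit + 2)) ;; esac
        case $triad in
            ??x)    digit=$((digit + 1)) ;;
            ??[st]) digit=$((digit + 1)); special=$((special + weight)) ;;
            ??[ST]) special=$((special + weight)) ;;  # special bit, no execute
        esac
        result="$result$digit"
    done
    echo "$special$result"
}
```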
- Create a file and check its default permissions with ls -la.
- Change permissions with chmod 755 filename and verify.
- Remove owner write permission with chmod u-w filename, then try to modify the file and see what happens.
- Compare whether chmod a+x filename and chmod 755 filename produce the same result.
- If ~/.ssh/ exists, check SSH key permissions with ls -la ~/.ssh/.
Q1. With permissions -rw-r--r--, what can group users do?
- A) Read, write, and execute
- B) Read and write
- C) Read only
- D) Nothing