@diegoquintanav
Last active March 31, 2018 19:50
About UNIX permissions

The command ls -l, for example, returns a listing of this form:

total 24
drwxrwxr-x 2 diego diego 4096 feb  2 11:16 logs
drwxrwxr-x 2 diego diego 4096 feb  5 13:42 __pycache__
-rw-rw-r-- 1 diego diego  185 feb  5 13:40 app.py
drwxrwxr-x 2 diego diego 4096 feb  5 13:34 templates
drwxrwxr-x 6 diego diego 4096 feb  2 10:55 venv
-rw-rw-r-- 1 diego diego   64 feb  5 13:41 wsgi.py

A good way to understand the first column (the permissions) is to give each letter an integer value:

r = 4 # read permission
w = 2 # write permission
x = 1 # execute permission (on a directory: permission to enter and traverse it)

So a mode string such as drwxrwxr-x 2 can be read as three groups of permissions for three classes of users (User, Group, Everyone Else):

d|rwx|rwx|r-x|2 = d|(4+2+1)|(4+2+1)|(4+1)|2

Here,

  • d means that the file is a directory; - means that it is a regular file
  • rwx (7) is the value for the User permissions: the user can read, write, and list files in this directory
  • The same holds for the Group permissions
  • Everyone else, however, has no write permission, since the w is missing (the sum is 5)
  • 2 is the number of hard links this file has. An explanation of hard links can be read here; see the differences from soft links here
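The r/w/x-to-octal mapping and the ls -l columns described above, worked through in code. This is an added Python example, not part of the gist: it parses a listing constructed here (the names uploads, config.ini and run.sh are made up), converts each mode string to its octal value and back, and lists the entries whose "everyone else" group carries the write bit, which is exactly the 777/666 situation warned about further down.

```python
"""Parse `ls -l` output into numeric permissions and flag world-writable entries."""
from typing import List, NamedTuple

# Constructed sample listing for this example (not the gist's own listing).
SAMPLE_LISTING = """\
total 24
drwxrwxr-x 2 diego diego 4096 feb  2 11:16 logs
-rw-rw-r-- 1 diego diego  185 feb  5 13:40 app.py
drwxrwxrwx 2 diego diego 4096 feb  5 13:34 uploads
-rw-rw-rw- 1 diego diego   64 feb  5 13:41 config.ini
-rwxr-xr-x 1 diego diego  512 feb  5 13:41 run.sh
"""

# r = 4, w = 2, x = 1.  A lowercase 's' (setuid/setgid) or 't' (sticky) in the
# execute slot means execute is also set; uppercase 'S'/'T' means it is not.
BIT_VALUES = {"r": 4, "w": 2, "x": 1, "s": 1, "t": 1}


class Entry(NamedTuple):
    kind: str   # 'd' directory, '-' regular file, 'l' symlink, ...
    mode: int   # numeric permission, e.g. 0o775 for rwxrwxr-x
    links: int  # hard-link count (second column of ls -l)
    name: str


def triplet_value(triplet: str) -> int:
    """Sum the letter values of one three-character group, e.g. 'r-x' -> 5."""
    return sum(BIT_VALUES.get(c, 0) for c in triplet)


def mode_string_to_octal(mode_str: str) -> int:
    """'rwxrwxr-x' -> 0o775.  Only the three rwx groups are encoded; the
    setuid/setgid/sticky bits themselves are not part of the returned value."""
    if len(mode_str) != 9:
        raise ValueError(f"expected 9 permission characters, got {mode_str!r}")
    value = 0
    for triplet in (mode_str[0:3], mode_str[3:6], mode_str[6:9]):
        value = value * 8 + triplet_value(triplet)  # shift in one octal digit
    return value


def octal_to_mode_string(mode: int) -> str:
    """0o755 -> 'rwxr-xr-x' (the inverse mapping, user/group/other order)."""
    out = []
    for shift in (6, 3, 0):
        digit = (mode >> shift) & 0o7
        out.append("r" if digit & 4 else "-")
        out.append("w" if digit & 2 else "-")
        out.append("x" if digit & 1 else "-")
    return "".join(out)


def parse_listing(text: str) -> List[Entry]:
    """Turn `ls -l` output into Entry records, skipping the 'total N' header."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("total "):
            continue
        # mode, links, owner, group, size, month, day, time, name (name may contain spaces)
        parts = line.split(None, 8)
        if len(parts) != 9:
            raise ValueError(f"unrecognised ls -l line: {line!r}")
        first = parts[0]
        kind, perms = first[0], first[1:10]  # [1:10] drops a trailing '+' or '.' ACL marker
        entries.append(Entry(kind, mode_string_to_octal(perms), int(parts[1]), parts[8]))
    return entries


def world_writable(entries: List[Entry]) -> List[str]:
    """Names whose 'everyone else' group has the write bit (modes like 777 or 666)."""
    return [e.name for e in entries if e.mode & 0o002]


if __name__ == "__main__":
    for entry in parse_listing(SAMPLE_LISTING):
        print(f"{entry.kind}{octal_to_mode_string(entry.mode)} "
              f"{entry.mode:o} links={entry.links} {entry.name}")
    print("world-writable:", world_writable(parse_listing(SAMPLE_LISTING)))
```

The check in world_writable tests a single bit (0o002) rather than comparing against a list of "bad" modes, so it also catches less obvious cases such as 757 or 646.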

An example of a common permission granted with chmod is 755 or rwxr-xr-x. Here,

  • The user has complete control of the file
  • The group can read and execute, but not modify
  • Everyone else can read and execute, but not modify.

Note that in production environments chmod should be as restrictive as possible. As per this SO post:

777 is a bad permission in general and I'll show you why.

Despite how it may look in a Casino or Las Vegas, 777 doesn't mean jackpot for you. Rather, jackpot for anyone who wishes to modify your files. 777 (and its ugly cousin 666) allow Read and Write permissions (and in the case of 777, Execute) to other. You can learn more about how file permissions work, but in short there are three groups of permissions: owner, group, and other. By setting the permission to 6 or 7 (rw- or rwx) for other you give any user the ability to edit and manipulate those files and folders. Typically, as you can imagine, this is bad for security.

Here's my example:

marco@desktop:~/Projects/AskUbuntu/20105$ cd ..
marco@desktop:~/Projects/AskUbuntu$ chmod 0777 20105
marco@desktop:~/Projects/AskUbuntu$ cd 20105/
marco@desktop:~/Projects/AskUbuntu/20105$ ls -lah
total 8.0K
drwxrwxrwx 2 marco marco 4.0K 2011-01-04 20:32 .
drwxr-xr-x 3 marco marco 4.0K 2011-01-04 20:32 ..
marco@desktop:~/Projects/AskUbuntu/20105$ touch test
marco@desktop:~/Projects/AskUbuntu/20105$ chmod 0666 test 

So far I have created a folder and made a file with "bad" permissions (777 and 666). Now I'll switch to another user and try to manipulate those files.

marco@desktop:~/Projects/AskUbuntu/20105$ sudo su - malicious
malicious@desktop:~$ cd /home/marco/Projects/AskUbuntu/20105
malicious@desktop:/home/marco/Projects/AskUbuntu/20105$ ls
test
malicious@desktop:/home/marco/Projects/AskUbuntu/20105$ ls -lah
total 8.0K
drwxrwxrwx 2 marco marco 4.0K 2011-01-04 20:33 .
drwxr-xr-x 3 marco marco 4.0K 2011-01-04 20:32 ..
-rw-rw-rw- 1 marco marco    0 2011-01-04 20:33 test
malicious@desktop:/home/marco/Projects/AskUbuntu/20105$ touch bad
malicious@desktop:/home/marco/Projects/AskUbuntu/20105$ echo "OVERWRITE" > test 
malicious@desktop:/home/marco/Projects/AskUbuntu/20105$ cat test 
OVERWRITE

As this "malicious" user I was able to place files into the directory and inject text into already existing files. Whereas below, in a directory with 755 and files with 644, I am able to see inside files and directories but I cannot edit the files nor create new ones:

malicious@desktop:/home/marco/Projects/AskUbuntu/20105$ cd /home/marco/Projects
malicious@desktop:/home/marco/Projects$ touch hey
touch: cannot touch `hey': Permission denied

For Apache permissions, you're going to want to stick to 0755 and 0644 (AKA umask 022) for folders and files respectively. This allows you, as the owner of the files, to edit and manipulate them while giving Apache the bare minimum levels of access needed to operate.
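The quoted post ends by recommending 0755/0644, "AKA umask 022". The following added Python example (mine, not part of the gist or the quoted answer) shows where those numbers come from: new directories start from 777 and new files from 666, and the umask clears bits from them. It also turns the umask into an audit rule: any mode that still carries a bit the umask would have cleared (under 022, any group- or world-write bit) is looser than the baseline. The entries it audits are constructed for the example.

```python
"""Derive default modes from a umask and flag modes that are looser than it."""
from typing import List, Tuple

# Constructed example entries as (name, is_directory, mode); not taken from the gist.
SAMPLE_ENTRIES = [
    ("htdocs", True, 0o755),
    ("index.html", False, 0o644),
    ("uploads", True, 0o777),
    ("settings.php", False, 0o666),
]


def default_modes(umask: int) -> Tuple[int, int]:
    """Return (directory_mode, file_mode) created by a process with this umask.

    The kernel starts from 0o777 for directories and 0o666 for files and
    clears every bit that is set in the umask, so umask 022 gives 755 / 644.
    """
    return 0o777 & ~umask, 0o666 & ~umask


def bits_beyond_umask(mode: int, umask: int) -> int:
    """Bits in `mode` that the umask would have stripped; 0 means compliant."""
    return mode & umask


def audit(entries, umask: int = 0o022) -> List[str]:
    """Names whose mode grants bits the umask forbids (group/world write under 022)."""
    return [name for name, _is_dir, mode in entries if bits_beyond_umask(mode, umask)]


if __name__ == "__main__":
    dir_mode, file_mode = default_modes(0o022)
    print(f"umask 022 -> directories {dir_mode:o}, files {file_mode:o}")
    for name, _is_dir, mode in SAMPLE_ENTRIES:
        extra = bits_beyond_umask(mode, 0o022)
        status = f"too loose (extra bits {extra:03o})" if extra else "ok"
        print(f"{mode:03o} {name}: {status}")
```

The same arithmetic explains why a stricter umask such as 077 yields 700/600: every group and other bit is cleared, so only the owner retains access.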
