Manage Default Permissions and File Access

Objectives

  • Control the default permissions of user-created files, explain the effect of special permissions, and use special and default permissions to set the group owner of files that are created in a directory.

Special Permissions

Special permissions are a fourth permission type in addition to the user, group, and other types. As the name implies, special permissions provide additional access-related features beyond what the basic permission types allow. This section describes the impact of special permissions, which are summarized in the following table.

Table 4.1. Effects of Special Permissions on Files and Directories

u+s (suid)
  Effect on files: File executes as the user that owns the file, not as the user that ran the file.
  Effect on directories: No effect.

g+s (sgid)
  Effect on files: File executes as the group that owns the file.
  Effect on directories: Files that are created in the directory have a group owner to match the group owner of the directory.

o+t (sticky)
  Effect on files: No effect.
  Effect on directories: Users with write access to the directory can remove only files that they own; they cannot remove or force saves to files that other users own.

The setuid permission on an executable file means that commands run as the user that owns that file, rather than as the user that ran the command. One example is the passwd command:

[user@host ~]$ ls -l /usr/bin/passwd
-rwsr-xr-x. 1 root root 35504 Jul 16  2010 /usr/bin/passwd

In a long listing, you can identify the setuid permissions by a lowercase s character in the place where you would normally expect the x character (owner execute permissions). If the owner does not have execute permissions, then this character is replaced by an uppercase S character.

The setgid special permission on a directory means that created files in the directory inherit their group ownership from the directory, rather than inheriting group ownership from the creating user. This feature is commonly used on group collaborative directories to automatically change a file from the default private group to the shared group, or if a specific group should always own files in a directory. An example of this behavior is the /run/log/journal directory:

[user@host ~]$ ls -ld /run/log/journal
drwxr-sr-x. 3 root systemd-journal 60 May 18 09:15 /run/log/journal

If setgid is set on an executable file, then commands run as the group that owns that file, rather than as the primary group of the user that ran the command. This condition is similar to the way that setuid works. One example is the locate command:

[user@host ~]$ ls -ld /usr/bin/locate
-rwx--s--x. 1 root slocate 47128 Aug 12 17:17 /usr/bin/locate

In a long listing, you can identify the setgid permissions by a lowercase s character in the place where you would normally expect the x character (group execute permissions). If the group does not have execute permissions, then this character is replaced by an uppercase S character.

Finally, the sticky bit for a directory sets a special restriction on deletion of files. Only the owner of the file (and the root user) can delete files within the directory. An example is the /tmp directory:

[user@host ~]$ ls -ld /tmp
drwxrwxrwt. 39 root root 4096 Feb  8 20:52 /tmp

In a long listing, you can identify the sticky permissions by a lowercase t character in the place where you would normally expect the x character (other execute permissions). If other does not have execute permissions, then this character is replaced by an uppercase T character.

Setting Special Permissions

  • Symbolic: setuid = u+s; setgid = g+s; sticky = o+t

  • Octal: a fourth digit placed before the usual three; setuid = 4; setgid = 2; sticky = 1

Examples of Special Permissions

Add the setgid bit on the example directory by using the symbolic method:

[user@host ~]# chmod g+s example

Remove the setuid bit on the example directory by using the symbolic method:

[user@host ~]# chmod u-s example

Set the setgid bit and add read, write, and execute permissions for user and group, with no access for others, on the example directory by using the octal method:

[user@host ~]# chmod 2770 example

Remove the setgid bit and add read, write, and execute permissions for user and group, with no access for others, on the example directory by using the octal method. Note that you need to add an extra 0 at the beginning of the permissions value when removing special permissions by using the octal method:

[user@host ~]# chmod 00770 example

Default File Permissions

On creation, a file is assigned initial permissions. Two factors affect these initial permissions. The first is whether you are creating a regular file or a directory. The second is the current umask, which stands for user file-creation mask.

If you create a directory, then its initial octal permissions are 0777 (drwxrwxrwx). If you create a regular file, then its initial octal permissions are 0666 (-rw-rw-rw-). You must always explicitly add execute permission to a regular file. This step makes it harder for an attacker to compromise a system, create a malicious file, and run it.

Additionally, the shell session sets a umask to further restrict the initial permissions of a file. The umask is an octal bitmask that clears the permissions of new files and directories that a process creates. If a bit is set in the umask, then the corresponding permission is cleared on new files. For example, the umask 0002 clears the write bit for other users. The leading zeros indicate that the special, user, and group permissions are not cleared. A umask of 0077 clears all the group and other permissions of newly created files.

The umask command without arguments displays the current value of the shell's umask:

[user@host ~]$ umask
0022

Use the umask command with a single octal argument to change the umask of the current shell. The argument should be an octal value that corresponds to the new umask value. You can omit any leading zeros in the umask. For example, umask 077 is the same as umask 0077.

The system's default umask values for Bash shell users are defined in the /etc/login.defs file, and in the /etc/bashrc file. Users can override the system defaults in the .bash_profile or .bashrc files in their home directories.

Important

In Red Hat Enterprise Linux 8 and earlier, if a user account has a UID of 200 or greater and the username and the account's primary group name are the same, then its default umask is 0002. Otherwise, its default umask is 0022.

Red Hat Enterprise Linux 9 is in the process of changing the default umask so that all accounts have a umask of 0022. In RHEL 9.0 and 9.1, when you start a login shell, your umask is 0022. However, when you start an interactive non-login shell (such as when you start gnome-terminal in the graphical UI), your umask is 0002 if your account's UID is 200 or greater and your primary group has the same name as your user account. This default umask is expected to change in future versions of Red Hat Enterprise Linux 9 so that the umask defaults to 0022 in all circumstances.

Bugzilla issue https://bugzilla.redhat.com/show_bug.cgi?id=2062601 is tracking this change in the behavior of RHEL 9.

Effect of umask Utility on Permissions

The following example explains how the umask affects the permissions of files and directories. Look at the default umask permissions for both files and directories in the current shell.

Important

The following examples assume that the umask of the shell is set to 0022.

If you create a regular file, then its initial octal permissions are 0666 (000 110 110 110, in binary representation). Then, the 0022 umask (000 000 010 010) disables the write permission bit for group and others. Thus, the owner has both read and write permission on files, and both group and other are set to read (000 110 100 100).

Figure 4.2: Example of umask calculation on a file
[user@host ~]$ umask
0022
[user@host ~]$ touch default.txt
[user@host ~]$ ls -l default.txt
-rw-r--r--. 1 user user 0 May  9 01:54 default.txt

If you create a directory, then its initial octal permissions are 0777 (000 111 111 111). Then, the 0022 umask (000 000 010 010) disables the write permission bit for group and other. Thus, the owner has read, write, and execute permissions on directories, and both group and other are set for read and execution (000 111 101 101).

Figure 4.3: Example of umask calculation on a directory
[user@host ~]$ umask
0022
[user@host ~]$ mkdir default
[user@host ~]$ ls -ld default
drwxr-xr-x. 2 user user 0 May  9 01:54 default

By setting the umask value to 0, the file permissions for other change from read to read and write. The directory permissions for other change from read and execute to read, write, and execute.

[user@host ~]$ umask 0
[user@host ~]$ touch zero.txt
[user@host ~]$ ls -l zero.txt
-rw-rw-rw-. 1 user user 0 May  9 01:54 zero.txt
[user@host ~]$ mkdir zero
[user@host ~]$ ls -ld zero
drwxrwxrwx. 2 user user 0 May  9 01:54 zero

To mask all file and directory permissions for other, set the umask value to 007.

[user@host ~]$ umask 007
[user@host ~]$ touch seven.txt
[user@host ~]$ ls -l seven.txt
-rw-rw----. 1 user user 0 May  9 01:55 seven.txt
[user@host ~]$ mkdir seven
[user@host ~]$ ls -ld seven
drwxrwx---. 2 user user 0 May  9 01:54 seven

A umask of 027 ensures that new files have read and write permissions for user and read permission for group. New directories have read and execute permissions for group and no permissions for other.

[user@host ~]$ umask 027
[user@host ~]$ touch two-seven.txt
[user@host ~]$ ls -l two-seven.txt
-rw-r-----. 1 user user 0 May  9 01:55 two-seven.txt
[user@host ~]$ mkdir two-seven
[user@host ~]$ ls -ld two-seven
drwxr-x---. 2 user user 0 May  9 01:54 two-seven
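The umask arithmetic walked through above, together with the s/S and t/T rule for reading special bits in a long listing, reproduced as an added example that is not part of the course text; the function names effective_mode and mode_to_symbolic are chosen here:

```shell
#!/bin/sh
# Added example, not from the course text: the umask arithmetic and the
# ls -l rendering described above, as two shell functions.

# effective_mode BASE UMASK
# BASE is 0666 for a regular file or 0777 for a directory; special bits in
# BASE survive (e.g. 2777), because umask only clears bits set in the mask.
effective_mode() {
    # the leading 0 makes the arithmetic parser read both values as octal
    printf '%04o\n' $(( 0$1 & ~0$2 ))
}

# mode_to_symbolic MODE
# Prints the nine permission characters ls -l shows for an octal mode,
# e.g. 4755 -> rwsr-xr-x. The third column of a class becomes s (user,
# group) or t (other) when that class's special bit is set, and is upper
# case when the special bit is set without the execute bit.
mode_to_symbolic() {
    local mode out who pos bits special lower upper
    mode=$(( 0$1 ))
    out=""
    for who in 0 1 2; do
        pos=$(( 6 - who * 3 ))
        bits=$(( (mode >> pos) & 7 ))
        case $who in
            0) special=4; lower=s; upper=S ;;   # setuid
            1) special=2; lower=s; upper=S ;;   # setgid
            2) special=1; lower=t; upper=T ;;   # sticky
        esac
        if [ $(( bits & 4 )) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $(( bits & 2 )) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $(( (mode >> 9) & special )) -ne 0 ]; then
            if [ $(( bits & 1 )) -ne 0 ]; then out="${out}${lower}"; else out="${out}${upper}"; fi
        elif [ $(( bits & 1 )) -ne 0 ]; then
            out="${out}x"
        else
            out="${out}-"
        fi
    done
    printf '%s\n' "$out"
}

# Stand-alone demo: the umask values walked through above, for files and directories
for u in 0022 0 007 027; do
    f=$(effective_mode 0666 "$u"); d=$(effective_mode 0777 "$u")
    printf 'umask %-4s  file %s %s  dir %s %s\n' "$u" \
        "$f" "$(mode_to_symbolic "$f")" "$d" "$(mode_to_symbolic "$d")"
done
```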

Changing Default Permissions

In Red Hat Enterprise Linux 9, the /etc/login.defs file sets the default umask for users. By default, its UMASK line specifies that the default umask is 0022.

In Red Hat Enterprise Linux 9.0 and 9.1, this file affects only login shells. If you start a new terminal window or start an interactive non-login shell in some other way, then settings in /etc/bashrc still apply. For these shells, if the account's UID is 200 or greater and the username and primary group name are the same, then the account is assigned a umask of 0002. Otherwise, the umask is 0022.

The root user can change the default umask for interactive non-login shells by adding a local-umask.sh shell startup script in the /etc/profile.d/ directory. The following example shows a local-umask.sh file:

[root@host ~]# cat /etc/profile.d/local-umask.sh
# Overrides the default umask configuration from /etc/bashrc
if [ "$UID" -gt 199 ] && [ "$(id -gn)" = "$(id -un)" ]; then
    umask 007
else
    umask 022
fi

The preceding example sets the umask to 0007 for users with a UID greater than 199 and with a username and primary group name that match, and to 0022 for everyone else. (Leading zeros can be omitted.) To set the umask to 0022 for everyone, create the file with the following content instead:

# Overrides default umask configuration
umask 022

The current umask of a shell applies until you log out of the shell and log back in, or until you change it manually with the umask command.

References

bash(1), ls(1), chmod(1), and umask(1) man pages

Revision: rh199-9.3-8dd73db