rwx, chmod, chown — control who can read, write, and execute every file on the system. Misconfigurations here are one of the top privilege escalation vectors.
File permissions are the foundation of Linux security. They determine who can read, write, and execute every file on the system. A single misconfiguration — like making a private SSH key world-readable or a script writable by everyone — can lead to a complete system compromise.
In cybersecurity, permission misconfigurations are one of the top privilege escalation vectors. During a penetration test, one of the first things you check is: Are there any writable scripts that run as root? Are there SUID binaries that can be exploited? Are sensitive files readable by unauthorized users?
Linux uses a simple but powerful model: every file has an owner, belongs to a group, and has rules for everyone else. Each of these three categories can independently be granted or denied read, write, and execute permissions.
Every file and directory in Linux has three types of permission (read, write, execute) for three groups (owner, group, others). Importantly, permissions mean different things for files vs. directories:

| Permission | On a file | On a directory |
|---|---|---|
| r (read) | View the contents (cat) | List the entries (ls) |
| w (write) | Modify the contents | Create, rename, or delete entries |
| x (execute) | Run it as a program | Enter it (cd into it) and open entries by name |

A directory with r but no x lets you list filenames but not access the files inside. A directory with x but no r lets you access files if you know their name, but you can't list them. Both are needed for normal use.
When you run ls -la, the permission string shows 10 characters. The first is the file type, then three groups of three permissions each (owner, group, others). File type characters: - = regular file, d = directory, l = symbolic link, b = block device, c = character device.

The octal system represents permissions as numbers. Each permission has a value: r=4, w=2, x=1. You add them together for each group. Three digits = owner, group, others, so rwxr-xr-x is 755.
| Octal | Binary | Permission | Meaning |
|---|---|---|---|
| 7 | 111 | rwx | Read + Write + Execute (4+2+1) |
| 6 | 110 | rw- | Read + Write (4+2) |
| 5 | 101 | r-x | Read + Execute (4+1) |
| 4 | 100 | r-- | Read only (4) |
| 3 | 011 | -wx | Write + Execute (2+1) |
| 2 | 010 | -w- | Write only (2) |
| 1 | 001 | --x | Execute only (1) |
| 0 | 000 | --- | No permissions |
SSH is extremely strict about file permissions. If your private key (~/.ssh/id_rsa) is readable or writable by anyone other than you (any group or others bit set), SSH refuses to use it and displays: WARNING: UNPROTECTED PRIVATE KEY FILE!, followed by a line stating that the key's permissions (e.g., 0644) are too open. The fix is chmod 600 on the key file.
There are two ways to use chmod: octal (numeric) mode and symbolic mode. Both achieve the same result; use whichever feels more intuitive. In symbolic mode: u=owner, g=group, o=others, a=all; + adds a permission, - removes it, = sets it exactly. Use -R for recursive: chmod -R 755 directory/
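As an added example (this is not code from the original page), here is a POSIX shell re-implementation of what chmod's two notations mean: apply_symbolic applies a symbolic clause list to a three-digit octal mode, and mode_to_ls renders an octal mode as the rwx string ls prints. The renderer goes beyond the three-digit case in the table above and also accepts the fourth special-bit digit (SUID, SGID, sticky), showing it as s or t, or S or T when the underlying execute bit is missing. The function names are this example's own, and the example assumes a umask of 000 for clauses with no who letter, which real chmod would additionally mask.

```shell
#!/bin/sh
# Added example: re-implementation of chmod's octal and symbolic notations.
# Function names are this example's own, not a real chmod interface.

# perm_bits "rwx" -> 7 : sum r=4, w=2, x=1 for the letters present
perm_bits() {
    bits=0
    case "$1" in *r*) bits=$((bits + 4)) ;; esac
    case "$1" in *w*) bits=$((bits + 2)) ;; esac
    case "$1" in *x*) bits=$((bits + 1)) ;; esac
    echo "$bits"
}

# apply_op DIGIT OP BITS : one octal digit after +, - or =
apply_op() {
    case "$2" in
        +) echo $(( $1 | $3 )) ;;     # add the bits
        -) echo $(( $1 & ~$3 )) ;;    # clear the bits
        =) echo "$3" ;;               # set exactly these bits
        *) echo "bad operator: $2" >&2; return 1 ;;
    esac
}

# apply_symbolic MODE CLAUSES : MODE is three octal digits, CLAUSES is what you
# would pass to chmod, e.g. "u=rwx,g=rx,o=". Prints the resulting octal mode.
# Assumption: a clause with no who letter (e.g. "+x") means "a"; real chmod also
# masks such clauses with the umask, which this example ignores (umask 000).
apply_symbolic() {
    u=${1%??}; g=${1#?}; g=${g%?}; o=${1#??}
    old_ifs=$IFS; IFS=','
    for clause in $2; do
        IFS=$old_ifs
        who=${clause%%[-+=]*}            # who letters before the operator
        rest=${clause#"$who"}            # operator plus permission letters
        op=$(printf '%.1s' "$rest")
        perms=${rest#?}
        [ -n "$who" ] || who=a
        bits=$(perm_bits "$perms")
        case "$who" in *[ua]*) u=$(apply_op "$u" "$op" "$bits") ;; esac
        case "$who" in *[ga]*) g=$(apply_op "$g" "$op" "$bits") ;; esac
        case "$who" in *[oa]*) o=$(apply_op "$o" "$op" "$bits") ;; esac
    done
    IFS=$old_ifs
    printf '%s%s%s\n' "$u" "$g" "$o"
}

# triplet DIGIT FLAG LETTER : three characters for one class. FLAG non-zero means
# the matching special bit is set; it is shown as LETTER (s or t) in the execute
# slot, uppercased when the execute bit underneath is absent, exactly as ls does.
triplet() {
    r=-; w=-; x=-
    if [ $(($1 & 4)) -ne 0 ]; then r=r; fi
    if [ $(($1 & 2)) -ne 0 ]; then w=w; fi
    if [ $(($1 & 1)) -ne 0 ]; then x=x; fi
    if [ "$2" -ne 0 ]; then
        if [ "$x" = x ]; then x=$3; else x=$(printf '%s' "$3" | tr st ST); fi
    fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# mode_to_ls MODE : three- or four-digit octal mode -> nine-character rwx string
# (ls -l puts a tenth character for the file type in front, e.g. "-" or "d").
mode_to_ls() {
    case ${#1} in
        3) sp=0; m=$1 ;;
        4) sp=${1%???}; m=${1#?} ;;    # leading digit: 4=SUID, 2=SGID, 1=sticky
        *) echo "bad mode: $1" >&2; return 1 ;;
    esac
    printf '%s%s%s\n' \
        "$(triplet "${m%??}" $((sp & 4)) s)" \
        "$(triplet "$(printf '%.1s' "${m#?}")" $((sp & 2)) s)" \
        "$(triplet "${m#??}" $((sp & 1)) t)"
}

# check_against_real_chmod MODE CLAUSES : applies the same change with the real
# chmod on a scratch file and compares. Prints ok, MISMATCH, or skip when neither
# GNU nor BSD stat is available to read the mode back.
check_against_real_chmod() {
    f=$(mktemp) || return 1
    chmod "$1" "$f" && chmod "$2" "$f"
    actual=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%OLp' "$f" 2>/dev/null)
    rm -f "$f"
    if [ -z "$actual" ]; then echo skip; return 0; fi
    expected=$(apply_symbolic "$1" "$2")
    if [ "$(printf '%03d' "$actual")" = "$expected" ]; then echo ok; else echo "MISMATCH expected=$expected actual=$actual"; fi
}

for spec in "644 u+x" "755 go-rx" "600 u=rwx,g=rx,o="; do
    set -- $spec
    printf 'chmod %-16s on %s -> %s (%s)\n' "$2" "$1" "$(apply_symbolic "$1" "$2")" "$(mode_to_ls "$(apply_symbolic "$1" "$2")")"
done
for m in 4755 2755 1777 4644; do printf '%s -> %s\n' "$m" "$(mode_to_ls "$m")"; done
printf 'cross-check against real chmod: %s\n' "$(check_against_real_chmod 644 u+x)"
```

check_against_real_chmod is the sanity check worth keeping around: if your mental model of a symbolic clause and the real chmod ever disagree on a scratch file, trust chmod and fix the model before touching production permissions.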
Beyond the standard rwx permissions, Linux has three special permission bits that modify how files and directories
behave. These are represented by a fourth digit in octal notation (e.g., 4755).
When a file has SUID set, it executes with the
privileges of the file's owner, not the user who runs it. For example, /usr/bin/passwd is owned by root and has SUID — this lets
regular users change their own password (which requires writing to /etc/shadow, a root-only file).
chmod 4755 program → -rwsr-xr-x
⚠️ #1 privilege escalation vector! If an SUID binary has a vulnerability (like a buffer overflow or command injection), an attacker can exploit it to execute commands as root.
find / -perm -4000 2>/dev/null
^ This command finds all SUID binaries: -perm -4000 matches any file whose SUID bit is set regardless of its other bits, and 2>/dev/null hides the permission-denied errors from directories you cannot enter. It is the first thing to check during privilege escalation.
SGID (set-group-ID) behaves differently on files and directories. On files: the program runs with the group privileges of the file's group, not the user's group; it is used for programs that need to access group-owned resources. On directories: new files created inside inherit the directory's group instead of the user's default group. This is essential for shared project folders where multiple developers need access.
chmod 2755 shared_dir/ → drwxr-sr-x
The s in the group execute position indicates SGID.
The sticky bit: when set on a directory, only the file owner, directory owner, or root can delete/rename files inside, even if the directory is world-writable. The classic example is /tmp: everyone can create files there, but you can only delete your own files. Without the sticky bit, any user could delete any other user's temp files.
chmod 1777 /tmp → drwxrwxrwt
The t at the end indicates the sticky bit. If ls shows a capital T (or a capital S for SUID/SGID), the special bit is set but the execute bit underneath it is not, which is usually a sign of a mistyped chmod.
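As an added example (not from the page), here is a shell audit that generalizes the find command above into the checks a pentester or a hardening review would run together: SUID and SGID executables (-perm -4000 and -perm -2000), world-writable files, world-writable directories lacking the sticky bit, and SSH private keys readable by group or others. It runs against a small constructed directory tree built by build_demo_tree, so it needs no root; the function names, the tree layout and the finding tags are this example's own. On a real host you would call audit_tree / and compare the SETID list against what your package manager shipped, since /usr/bin/passwd and a handful of others are expected there.

```shell
#!/bin/sh
# Added example: a permission audit over a directory tree, run here against a
# constructed scratch tree so it works without root. Names are this example's own.

# audit_tree ROOT : prints one finding per line, tagged with the rule that fired
audit_tree() {
    root=$1
    # -perm -4000 / -perm -2000 mean "at least this bit set", whatever the rwx bits are.
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sed 's/^/SETID /'
    # Regular files anyone can modify (e.g. a script that a root cron job runs).
    find "$root" -type f -perm -0002 2>/dev/null | sed 's/^/WORLD_WRITABLE_FILE /'
    # World-writable directories without the sticky bit: anyone can delete or rename
    # anyone else's files in them. A 1777 directory like /tmp does not match.
    find "$root" -type d -perm -0002 ! -perm -1000 2>/dev/null | sed 's/^/WORLD_WRITABLE_DIR_NO_STICKY /'
    # SSH private keys readable by group or others (ssh itself refuses to load these).
    find "$root" -type f -path '*/.ssh/id_*' ! -name '*.pub' \
        \( -perm -g+r -o -perm -o+r \) 2>/dev/null | sed 's/^/EXPOSED_KEY /'
}

# build_demo_tree ROOT : constructed sample tree with one instance of each finding
# plus correctly configured neighbours that must not be reported.
build_demo_tree() {
    root=$1
    mkdir -p "$root/bin" "$root/shared" "$root/tmp" "$root/home/.ssh"
    printf '#!/bin/sh\nexit 0\n' > "$root/bin/helper"
    chmod 4755 "$root/bin/helper"            # SUID executable: must be reported
    printf '#!/bin/sh\nexit 0\n' > "$root/bin/report"
    chmod 2755 "$root/bin/report"            # SGID executable: reported if the bit sticks
    : > "$root/shared/notes"
    chmod 666 "$root/shared/notes"           # world-writable file
    chmod 777 "$root/shared"                 # world-writable dir, no sticky bit
    chmod 1777 "$root/tmp"                   # world-writable but sticky: fine, like /tmp
    : > "$root/home/.ssh/id_rsa"
    chmod 644 "$root/home/.ssh/id_rsa"       # leaked private key
    : > "$root/home/.ssh/id_ed25519"
    chmod 600 "$root/home/.ssh/id_ed25519"   # correctly protected key
    : > "$root/home/.ssh/id_rsa.pub"
    chmod 644 "$root/home/.ssh/id_rsa.pub"   # public half, allowed to be readable
}

demo=$(mktemp -d)
build_demo_tree "$demo"
audit_tree "$demo"
rm -rf "$demo"
```

Expect exactly four kinds of line from the demo tree: the SUID helper (and the SGID report, unless your filesystem dropped the bit), the 666 notes file, the 777 shared directory, and the 644 id_rsa; the sticky tmp directory, the 600 key and the .pub file stay silent. Running the SETID rule against / on a real box takes a while and will list legitimate binaries, so diff it against a known-good baseline rather than reading it raw.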
SUID exploitation is one of the most common Linux privilege escalation techniques. If a root-owned SUID binary can be tricked into running arbitrary commands, you get root access.
Suppose /usr/local/bin/backup is SUID root and runs tar without a full path. An attacker can create a malicious
tar in their PATH:
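As an added example (not from the page), the following shell script simulates that PATH hijack without any SUID bit: a fake tar that records when it ran, a vulnerable stand-in for the backup helper that calls tar by bare name, and a hardened version that resets PATH and calls the binary by absolute path. The scratch directory layout, the script names and the marker file are this example's own. A shell script stands in for the compiled helper; Linux ignores the SUID bit on interpreted scripts, so a real target would be a compiled program, and the fake tar would then run as root instead of as your own uid.

```shell
#!/bin/sh
# Added example: simulation of the relative-PATH hijack, with no SUID bit involved.
# Layout, script names and the marker file are this example's own.

# setup_lab LAB : creates the attacker's fake tar plus a vulnerable and a hardened
# stand-in for the "backup" helper under the scratch directory LAB.
setup_lab() {
    lab=$1
    mkdir -p "$lab/attacker" "$lab/victim/data"
    : > "$lab/victim/data/file.txt"

    # Attacker-controlled "tar": records that it ran and under which uid. Invoked
    # from a SUID-root helper that uid would be 0. $lab expands now, \$(id -u) at run time.
    cat > "$lab/attacker/tar" <<EOF
#!/bin/sh
echo "fake tar ran as uid \$(id -u)" > "$lab/attacker/marker"
EOF
    chmod 755 "$lab/attacker/tar"

    # Vulnerable helper: calls tar by bare name, so the caller's PATH decides which tar runs.
    cat > "$lab/victim/backup_vuln" <<'EOF'
#!/bin/sh
tar -cf /dev/null "$1"
EOF

    # Hardened helper: reset PATH to trusted directories, call the binary by absolute
    # path, and fail closed instead of searching PATH if it is missing.
    cat > "$lab/victim/backup_safe" <<'EOF'
#!/bin/sh
PATH=/usr/bin:/bin; export PATH
TAR=/bin/tar
[ -x "$TAR" ] || TAR=/usr/bin/tar
[ -x "$TAR" ] || { echo 'trusted tar not found, refusing to fall back to PATH' >&2; exit 1; }
"$TAR" -cf /dev/null "$1"
EOF
    chmod 755 "$lab/victim/backup_vuln" "$lab/victim/backup_safe"
}

# run_with_poisoned_path LAB SCRIPT : runs SCRIPT with the attacker's directory
# prepended to PATH (what an attacker does before invoking the helper) and
# reports "hijacked" if the fake tar executed, "safe" otherwise.
run_with_poisoned_path() {
    lab=$1
    rm -f "$lab/attacker/marker"
    PATH="$lab/attacker:$PATH" sh "$lab/victim/$2" "$lab/victim/data" >/dev/null 2>&1 || true
    if [ -f "$lab/attacker/marker" ]; then echo hijacked; else echo safe; fi
}

lab=$(mktemp -d)
setup_lab "$lab"
printf 'backup_vuln with poisoned PATH: %s\n' "$(run_with_poisoned_path "$lab" backup_vuln)"
printf 'backup_safe with poisoned PATH: %s\n' "$(run_with_poisoned_path "$lab" backup_safe)"
rm -rf "$lab"
```

The same defence applies to compiled SUID programs: clear or reset the environment (PATH, and also variables like IFS and LD_* that the loader and shells consult) before calling anything, and never rely on the caller's environment to find a binary.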
These standard Linux binaries, when SUID, can often be exploited for privilege escalation. Check GTFOBins for exploitation methods:
Permissions control what you can do; ownership controls who the permissions apply to. Only root can change file ownership (otherwise, any user could "give" their malicious files to root).
A typical web root setup is chown -R www-data:www-data /var/www/html with permissions 755 (directories) and 644 (files). Note that 644 still grants write to the owner, so if www-data owns the files a compromised web process can modify them. The server reads everything but cannot modify files only when root or a separate deploy user owns them and www-data gets access through the group or others bits (644 and 755 still do the job).
Standard Linux permissions only allow three categories (owner, group, others). Access Control Lists (ACLs) let you set permissions for specific individual users or groups, providing much finer-grained control.
When a file has ACLs, ls -la shows a + after the permission string: -rw-r--r--+. ACLs are essential in enterprise environments where simple owner/group/others isn't flexible enough.
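As an added example (not from the page), here is how one extra user is granted read access with setfacl, and how the entry is verified with getfacl and the + in ls -l. The scratch file and the use of uid 65534 (conventionally nobody) are this example's own; it reports skip when the acl tools or the filesystem do not support ACLs, which is common in minimal containers.

```shell
#!/bin/sh
# Added example: extending owner/group/others with a POSIX ACL entry for one user.
# The scratch file and the chosen uid are this example's own.

# acl_demo : creates a 640 scratch file, grants uid 65534 read access via an ACL,
# and verifies the entry. Prints "ok" when the ACL is in place, "skip" when the
# acl tools or filesystem support are missing, otherwise a diagnostic.
acl_demo() {
    if ! command -v setfacl >/dev/null 2>&1 || ! command -v getfacl >/dev/null 2>&1; then
        echo skip; return 0
    fi
    f=$(mktemp) || return 1
    chmod 640 "$f"                      # owner rw, group r, others nothing
    # -m u:UID:PERMS adds (or modifies) an entry for a single user without touching
    # the owner, group or others bits.
    if ! setfacl -m u:65534:r-- "$f" 2>/dev/null; then
        rm -f "$f"; echo skip; return 0
    fi
    # getfacl -n prints numeric ids, so the line does not depend on /etc/passwd.
    entry=$(getfacl -n "$f" 2>/dev/null | grep '^user:65534:' || true)
    # ls -l marks files carrying an ACL with a "+" right after the permission string.
    marker=$(ls -l "$f" | cut -c11)
    rm -f "$f"
    case "$entry" in
        user:65534:r--*) echo "ls -l marker column: '$marker'" >&2; echo ok ;;
        *) echo "unexpected getfacl entry: '$entry'" ;;
    esac
}

acl_demo
```

Keep in mind that the ACL mask (the group triplet in ls once an ACL exists) caps what named users can get: a later chmod g-r on the file also strips read from the user you just added, which is a classic source of "but I set the ACL" confusion.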
Practice: fix these file permissions using chmod.
- script.sh executable by everyone: chmod 755 script.sh
- id_rsa (owner read/write only): chmod 600 id_rsa
- config.cfg readable by all, writable by owner: chmod 644 config.cfg
- danger.sh (no access for anyone): chmod 000 danger.sh

All certification names are referenced for educational purposes only. This project is not affiliated with any certification body.