Introduction

“Permission Denied”. Every developer sees it. Most solve it with chmod 777 (The Nuclear Option). This is dangerous and lazy.

The Linux Kernel has a sophisticated permission physics engine embedded in the Virtual File System (VFS). It checks Capabilities first, then Owner, then Group, then Others. This lesson explores the bit-level mechanisms that decide if your write syscall succeeds or fails.

---

The Physics: Inode Mode Bits

In the kernel, every file is an inode. The i_mode field is a 16-bit integer.

• Top 4 bits: File Type (File, Directory, Socket, etc).
• Bottom 12 bits: The Permissions Physics.

The 12-Bit Mask

Each bit is a switch in the kernel logic gate.

Bit Range	Function	Physics Meaning
11	SetUID	”Run as Owner ID, not Caller ID”
10	SetGID	”Run as Group ID / Inherit Group”
9	Sticky	”Only Owner Can Delete”
8-6	User	Read (4) + Write (2) + Exec (1)
5-3	Group	Read (4) + Write (2) + Exec (1)
2-0	Other	Read (4) + Write (2) + Exec (1)

Octal Physics: This is why chmod 755 works. 7 = 111 (RWX). 5 = 101 (R-X).

---

Capabilities: Breaking Root

Root (UID 0) is god. It ignores permission bits. But giving a web server Root just to bind Port 80 is insane. Capabilities break Root into ~40 specific distinct superpowers.

Common Capabilities

• CAP_NET_BIND_SERVICE: Bind ports < 1024.
• CAP_NET_ADMIN: Modify firewalls/routes.
• CAP_SYS_ADMIN: The “New Root” (Mount, Swap, etc).
• CAP_DAC_OVERRIDE: Bypass file read/write checks.

Code: granting a binary port 80 access without sudo

# 1. Check current caps
getcap /usr/bin/python3.11

# 2. Grant Bind capability
sudo setcap 'cap_net_bind_service=+ep' /usr/bin/python3.11

# 3. Verify
# Now this python binary can bind port 80 as a normal user!

---

Access Control Lists (ACLs)

The standard UGO (User/Group/Other) model is rigid. What if you want to give Alice R/W access, Bob Read access, and everyone else nothing? UGO fails here. ACLs succeed.

ACLs work by attaching Extended Attributes (xattr) to the inode.

# 1. View default
getfacl myfile.txt

# 2. Add specific user permission (The Physics of Specificity)
setfacl -m u:bob:r myfile.txt
setfacl -m u:alice:rw myfile.txt

# 3. View result
# The `ls -l` output will now show a `+` sign (e.g., -rw-r-----+), indicating extended attributes exist.

---

The Danger of SetUID (s-bit)

If bit 11 is set (chmod u+s), the kernel ignores who launched the process. It sets the Effective UID (EUID) to the file owner.

• Classic Example: passwd. Owned by root. Needs to write to /etc/shadow (Root only).
• Physics: You run it -> Kernel sees SetUID -> Promotes process to Root -> Writes file -> Exits.
• Risk: If passwd has a bug (Buffer Overflow), the attacker gets a generic Root Shell.

---

Practice Exercises

Exercise 1: The Sticker (Beginner)

Task: Create a directory /tmp/shared. chmod 1777 it. Action: Create a file as User A. Try to delete it as User B. Observation: “Operation not permitted”. The Sticky Bit logic gate prevents deletion unless you are Owner or Root.

Exercise 2: Capabilities (Intermediate)

Task: cp /bin/ping ./myping. Action: Run ./myping google.com. It fails (needs Raw Socket). Fix: sudo setcap cap_net_raw+p ./myping. Now it works without sudo.

Exercise 3: ACL Auditing (Advanced)

Task: Create a complex ACL scenario. Tool: Use namei -l /path/to/file to walk the directory tree and see permissions at every single node level.

---

Knowledge Check

1. What does the Sticky Bit do on a directory?
2. Which capability allows binding to port 80?
3. How do you spot a file with ACLs in ls -l?
4. What is the numeric value of SetUID?
5. Why is CAP_SYS_ADMIN considered dangerous?

Answers

1. Prevents non-owners from deleting files. Use case: /tmp.
2. CAP_NET_BIND_SERVICE.
3. A plus sign (+). e.g., -rw-r--r--+.
4. 4000. (Octal).
5. It contains too many powers. It’s effectively Root for many kernel subsystems.

---

Summary

• Inode Mode: 12 bits define the law.
• Capabilities: Granular permission tokens.
• ACLs: Extended lists for complex auth.
• SetUID: Identity shifting (use with caution).

---