The Physics of Permissions: Inodes, Capabilities & ACLs
Why 'chmod 777' is amateur. The physics of Inode Bitmasks, Capability Sets (CAP_NET_ADMIN), and Access Control Lists.
🎯 What You'll Learn
- Decode the 12-bit Inode Mode Struct (Permission Physics)
- Replace `sudo` with granular Capabilities (`setcap`)
- Implement Extended Attributes (ACLs) with `setfacl`
- Analyze the Security Physics of `setuid` binaries
- Audit effective permissions using `namei`
Introduction
“Permission Denied”.
Every developer sees it. Most solve it with chmod 777 (The Nuclear Option).
This is dangerous and lazy.
The Linux Kernel has a sophisticated permission physics engine embedded in the Virtual File System (VFS). It checks Capabilities first, then Owner, then Group, then Others. This lesson explores the bit-level mechanisms that decide if your write syscall succeeds or fails.
The Physics: Inode Mode Bits
In the kernel, every file is an inode.
The i_mode field is a 16-bit integer.
- Top 4 bits: File Type (File, Directory, Socket, etc).
- Bottom 12 bits: The Permissions Physics.
The 12-Bit Mask
Each bit is a switch in the kernel logic gate.
| Bit Range | Function | Physics Meaning |
|---|---|---|
| 11 | SetUID | "Run as Owner ID, not Caller ID" |
| 10 | SetGID | "Run as Group ID / Inherit Group" |
| 9 | Sticky | "Only Owner Can Delete" |
| 8-6 | User | Read (4) + Write (2) + Exec (1) |
| 5-3 | Group | Read (4) + Write (2) + Exec (1) |
| 2-0 | Other | Read (4) + Write (2) + Exec (1) |
Octal Physics: This is why chmod 755 works.
7 = 111 (RWX). 5 = 101 (R-X).
Capabilities: Breaking Root
Root (UID 0) is god. It ignores permission bits. But giving a web server Root just to bind Port 80 is insane. Capabilities break Root into ~40 discrete privileges (the exact count grows with kernel versions — currently around 41 as of Linux 5.x).
Common Capabilities
- CAP_NET_BIND_SERVICE: Bind ports < 1024.
- CAP_NET_ADMIN: Modify firewalls/routes.
- CAP_SYS_ADMIN: The "New Root" (Mount, Swap, etc).
- CAP_DAC_OVERRIDE: Bypass file read/write checks.
Code: granting a binary port 80 access without sudo
```bash
# 1. Check current caps
getcap /usr/bin/python3.11
# 2. Grant Bind capability
sudo setcap 'cap_net_bind_service=+ep' /usr/bin/python3.11
# 3. Verify
getcap /usr/bin/python3.11
# Now this python binary can bind port 80 as a normal user!
# Caveat: the capability follows the binary, so every script this interpreter runs now gets it.
```
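To audit what a running process actually holds, you read the CapEff/CapPrm hex masks from /proc/<pid>/status. The following C decoder is an added example, not code from the lesson: the bit numbers are the kernel's indices from linux/capability.h, the name table is partial by design, and the status excerpt is constructed.

```c
/* Added example, not code from the lesson: decode the hex capability
 * mask that /proc/<pid>/status reports (CapEff, CapPrm, ...) into names
 * and flag the broad ones. Bit numbers are the kernel's indices from
 * linux/capability.h; the table is deliberately partial. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

struct cap { int bit; const char *name; int broad; };
static const struct cap caps[] = {
    { 1,  "cap_dac_override",     1 },   /* bypasses the 12-bit mask  */
    { 7,  "cap_setuid",           1 },
    { 10, "cap_net_bind_service", 0 },   /* what the lesson grants    */
    { 12, "cap_net_admin",        0 },
    { 13, "cap_net_raw",          0 },
    { 21, "cap_sys_admin",        1 },   /* the "new root"            */
};
#define NCAPS (sizeof caps / sizeof caps[0])

/* Value after key (e.g. "CapEff:") in a status buffer; 0 if absent. */
uint64_t cap_mask_from_status(const char *status, const char *key) {
    const char *p = strstr(status, key);
    return p ? strtoull(p + strlen(key), NULL, 16) : 0;
}

/* Print known names; returns how many "broad" (root-equivalent) caps
 * are set and, via known_out, how many table entries matched. */
int audit_caps(uint64_t mask, int *known_out) {
    int broad = 0, known = 0;
    for (size_t i = 0; i < NCAPS; i++) {
        if (!(mask & (1ULL << caps[i].bit))) continue;
        known++; broad += caps[i].broad;
        printf("%-22s%s\n", caps[i].name,
               caps[i].broad ? "<- effectively root" : "");
    }
    if (known_out) *known_out = known;
    return broad;
}

/* Constructed status excerpt: a process holding only
 * cap_net_bind_service (bit 10 -> 0x400), which is what a process
 * exec'd from the binary above would show. */
static const char sample_status[] =
    "Name:\tpython3\nCapPrm:\t0000000000000400\nCapEff:\t0000000000000400\n";
```

A full-root process shows 000001ffffffffff on a 41-capability kernel; a service that should only bind port 80 should show a single bit.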
## Access Control Lists (ACLs)
The standard UGO (User/Group/Other) model is rigid.
What if you want to give **Alice** R/W access, **Bob** Read access, and everyone else nothing?
UGO fails here. **ACLs** succeed.
ACLs work by attaching **Extended Attributes (xattr)** to the inode.
```bash
# 1. View default
getfacl myfile.txt
# 2. Add specific user permission (The Physics of Specificity)
setfacl -m u:bob:r myfile.txt
setfacl -m u:alice:rw myfile.txt
# 3. View result
getfacl myfile.txt
ls -l myfile.txt
# The `ls -l` output will now show a `+` sign (e.g., -rw-r-----+), indicating extended attributes exist.
```
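What setfacl actually writes is a small binary blob in the system.posix_acl_access xattr. The parser below is an added example, not code from the lesson; the layout follows linux/posix_acl_xattr.h, the sample blob is constructed for the alice/bob scenario above (uids 1001 and 1002 are assumed), and it also shows the mask entry capping a named user's rights.

```c
/* Added example, not code from the lesson: parse the blob setfacl stores
 * in "system.posix_acl_access". Layout (linux/posix_acl_xattr.h): 4-byte
 * LE version (2), then 8-byte entries { u16 tag, u16 perm, u32 id }.
 * The ACL_MASK entry caps what every named user/group entry grants. */
#include <stdint.h>
#include <stddef.h>

#define ACL_USER 0x02 /* other tags: USER_OBJ 1, GROUP_OBJ 4, GROUP 8, OTHER 0x20 */
#define ACL_MASK 0x10
struct acl_entry { uint16_t tag, perm; uint32_t id; };

static uint16_t le16(const uint8_t *p) { return p[0] | (p[1] << 8); }
static uint32_t le32(const uint8_t *p) { return le16(p) | ((uint32_t)le16(p + 2) << 16); }

/* Decode up to max entries; returns the count, or -1 on a bad header/size. */
int parse_posix_acl(const uint8_t *buf, size_t len,
                    struct acl_entry *out, int max) {
    if (len < 4 || le32(buf) != 2 || (len - 4) % 8) return -1;
    int n = (int)((len - 4) / 8);
    if (n > max) return -1;
    for (int i = 0; i < n; i++) {
        const uint8_t *e = buf + 4 + 8 * i;
        out[i].tag = le16(e); out[i].perm = le16(e + 2); out[i].id = le32(e + 4);
    }
    return n;
}

/* Effective rights for a named uid: its ACL_USER perm ANDed with the
 * mask (7 if no mask entry). Returns -1 if the uid has no named entry. */
int effective_user_perm(const struct acl_entry *e, int n, uint32_t uid) {
    int perm = -1, mask = 7;
    for (int i = 0; i < n; i++) {
        if (e[i].tag == ACL_USER && e[i].id == uid) perm = e[i].perm;
        if (e[i].tag == ACL_MASK) mask = e[i].perm;
    }
    return perm < 0 ? -1 : (perm & mask);
}

/* Constructed blob for the lesson's scenario (alice=uid 1001 rw, bob=uid
 * 1002 r, others nothing); mask set to r-- to show it capping alice. */
static const uint8_t sample_acl[] = { 2,0,0,0,     /* version 2          */
    0x01,0, 6,0, 0xff,0xff,0xff,0xff,  /* user::rw-             */
    0x02,0, 6,0, 0xe9,0x03,0,0,        /* user:alice:rw- (1001) */
    0x02,0, 4,0, 0xea,0x03,0,0,        /* user:bob:r--   (1002) */
    0x04,0, 0,0, 0xff,0xff,0xff,0xff,  /* group::---            */
    0x10,0, 4,0, 0xff,0xff,0xff,0xff,  /* mask::r--             */
    0x20,0, 0,0, 0xff,0xff,0xff,0xff };/* other::---            */
```

This is why getfacl prints "#effective:r--" next to alice's rw- entry whenever something (a chmod on the group bits, for instance) has tightened the mask.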
The Danger of SetUID (s-bit)
If bit 11 is set (chmod u+s), the kernel ignores who launched the process and sets the Effective UID (EUID) to the file owner.
- Classic Example: passwd. Owned by root. Needs to write to /etc/shadow (Root only).
- Physics: You run it -> Kernel sees SetUID -> Promotes process to Root -> Writes file -> Exits.
- Risk: If passwd has a bug (Buffer Overflow), the attacker gets a generic Root Shell.
Practice Exercises
Exercise 1: The Sticker (Beginner)
Task: Create a directory /tmp/shared. chmod 1777 it.
Action: Create a file as User A. Try to delete it as User B.
Observation: “Operation not permitted”. The Sticky Bit logic gate prevents deletion unless you are Owner or Root.
Exercise 2: Capabilities (Intermediate)
Task: cp /bin/ping ./myping.
Action: Run ./myping google.com. It fails (needs Raw Socket).
Fix: sudo setcap cap_net_raw+p ./myping. Now it works without sudo.
Exercise 3: ACL Auditing (Advanced)
Task: Create a complex ACL scenario.
Tool: Use namei -l /path/to/file to walk the directory tree and see permissions at every single node level.
Knowledge Check
- What does the Sticky Bit do on a directory?
- Which capability allows binding to port 80?
- How do you spot a file with ACLs in ls -l?
- What is the numeric value of SetUID?
- Why is CAP_SYS_ADMIN considered dangerous?
Answers
- Prevents non-owners from deleting files. Use case: /tmp.
- CAP_NET_BIND_SERVICE.
- A plus sign (+). e.g., -rw-r--r--+.
- 4000 (Octal).
- It contains too many powers. It’s effectively Root for many kernel subsystems.
Summary
- Inode Mode: 12 bits define the law.
- Capabilities: Granular permission tokens.
- ACLs: Extended lists for complex auth.
- SetUID: Identity shifting (use with caution).