cyber revision

Linux security model

Users, permissions, SUID, and the hardening basics: the operating system you'll meet most in CTFs and on servers.

~4 min read

Why Linux first

Most servers, most cloud workloads, and nearly every CTF box run Linux. Its security model is also clean enough to teach the universal ideas (accounts, permissions, privilege boundaries) that reappear on every OS.

Users, groups and root

Every account has a numeric UID; root (UID 0) is the unrestricted superuser, exempt from permission checks. Regular users have their own UID and belong to one or more groups (GIDs). Accounts live in /etc/passwd (readable, no passwords); password hashes live in /etc/shadow (root-only). Seeing a user's shell set to /usr/sbin/nologin in /etc/passwd tells you it's a service account not meant for interactive login.

The security goal is to run as root as rarely as possible: least privilege at the OS level. Admins use sudo to run specific commands with elevated rights, logged and configured per-user in /etc/sudoers. A misconfigured sudoers file (letting a user run an overly permissive command as root) is a top privilege-escalation route, so sudo -l is the first thing an attacker runs.

File permissions

Every file and directory has an owner, a group, and a permission set for three classes (owner / group / others), each with read (r), write (w) and execute (x):

-rwxr-x---  1 alice devs  ...  script.sh
 │└┬┘└┬┘└┬┘
 │ │  │  └ others: none
 │ │  └── group (devs): read + execute
 │ └───── owner (alice): read + write + execute
 └─────── file type (- file, d directory, l link)

Permissions are often written in octal, summing r=4, w=2, x=1 per class:

  • 755 = rwxr-xr-x: owner full, others read+execute (typical for programs)
  • 644 = rw-r--r--: owner read/write, others read (typical for files)
  • 600 = rw-------: owner only (private keys, sensitive config)

On directories, the bits mean something slightly different: x is permission to enter the directory, and w lets you create/delete files within it (so write on a directory you don't own can let you delete others' files in it). chmod changes permissions, chown changes ownership.

SUID, SGID and the sticky bit

Three special bits sit above the normal nine, and they're disproportionately important for security:

  • SUID (set-user-ID, shows as s in the owner's execute slot): the program runs with the file owner's privileges, not the caller's. passwd is SUID-root so an ordinary user can update their hash in root-owned /etc/shadow. The danger: a SUID-root binary with a flaw, or one that calls out to other programs unsafely, hands an attacker root. Hunting SUID binaries (find / -perm -4000) is standard privilege-escalation enumeration.
  • SGID (set-group-ID): runs with the file's group, or on a directory, makes new files inherit that group.
  • Sticky bit (on a directory, shows as t): only a file's owner can delete it, even in a world-writable directory. /tmp uses this so users can't delete each other's temp files.

Hardening basics

A defensible Linux host follows a short, high-value checklist:

  • Patch promptly: apt/dnf updates; unpatched services are the most common way in.
  • Minimise attack surface: remove unused packages, disable unneeded services, close ports. Fewer things running, fewer things to exploit.
  • Least privilege: no routine root use; tightly scoped sudo; service accounts with nologin.
  • SSH hardening: disable password auth in favour of keys, disable root login (PermitRootLogin no), and consider moving off port 22 (obscurity, a minor extra).
  • Firewall: ufw/iptables/nftables with default-deny inbound.
  • Logging: ship logs off-box so an attacker can't simply erase them.
  • Mandatory Access Control: SELinux or AppArmor confine processes to only what they should do, containing a compromised service even if it's running as root. This is a stronger model than the discretionary owner-decides permissions above.

Discretionary vs mandatory access control: standard Unix permissions are DAC: the owner decides who gets access, and root can do anything. MAC (SELinux/AppArmor) enforces a system-wide policy the owner can't override, so even a compromised root-running web server is boxed in. Knowing the DAC/MAC distinction is a common exam point.

Quick recall

  • root = UID 0, unrestricted. Run as root as little as possible; sudo for scoped elevation (check /etc/sudoers).
  • Permissions: owner/group/others × rwx; octal 4/2/1. 755, 644, 600 are the common ones. Directory x = enter, w = add/remove files.
  • SUID runs as the file's owner; SUID-root binaries are prime privilege-escalation targets (find / -perm -4000). Sticky bit protects /tmp.
  • Harden: patch, reduce surface, least privilege, SSH keys, default-deny firewall, off-box logging.
  • DAC (owner decides, Unix permissions) vs MAC (system policy, SELinux/AppArmor); MAC contains even root-level compromise.
PreviousNext