SEC401 - Containers, Linux and Mac Security | Printable command sheet

Lab 6.1 - Linux Permissions

Linux Security | SEC401 | Apr 2026

Spun up a Docker permissions lab, tested default umask 0022 (producing 644/755), tightened to umask 0027 to strip world access (640/750), and demonstrated the /tmp sticky bit (drwxrwxrwt) preventing non-owner delete on a shared directory.

Tools: Linux, bash, Docker, umask, ls, chmod

Commands

1. Start the Docker lab container

Ran start_6.1.sh to bring up the lab-61-permissions-1 container on the lab-61_default network. The 'docker stop/rm requires at least 1 argument' lines are the script safely reporting that no prior container existed to clean up. End state: container Running 2/2.

cd /sec401/labs/6.1
./start_6.1.sh

2. Connect into the container as annika

Ran connect.sh to drop into a shell inside the container as user annika. Every subsequent command runs inside this disposable container, so nothing touches the host.

./connect.sh

3. Create a file with the default umask

Wrote a line to test_perms.txt with echo, read it back with cat to confirm the content, then ran ls -l to read the mode. Output: -rw-r--r-- 1 annika annika 7. Owner rw, group r, other r: the canonical 644 you get with umask 0022.

echo annika > test_perms.txt
cat test_perms.txt
ls -l test_perms.txt

4. Read the current umask

umask prints 0022. The mask clears bits from the base mode (666 for files, 777 for directories); for masks like these, plain octal subtraction gives the same result: 666 - 022 = 644 for files, 777 - 022 = 755 for directories. That's why the file above landed on 644 without any chmod.

umask

5. Tighten umask to 0027 and retest

Set umask to 0027 (strips write from group and everything from other), created a new file and directory, and listed them. Output: -rw-r----- for secure.txt and drwxr-x--- for secure_dir. That's 640/750, the hardening baseline used by most CIS benchmarks because it cuts world access entirely while keeping same-group collaboration working.

umask 0027
echo annika > secure.txt
mkdir secure_dir
ls -ld secure*
Note: umask 0027 = mask bits user 0, group 2 (write), other 7 (read, write, execute). Effect: new files default to 640, new directories to 750.

6. Sticky bit on /tmp

Listed /tmp with ls -ld: drwxrwxrwt. The trailing t is the sticky bit: the directory is world-writable, but only a file's owner (or root) can rename or delete that file inside it. Created /tmp/sticky_bit_test.txt to demonstrate: any user can write to /tmp, but annika's file is protected from deletion by other users in the same container.

ls -ld /tmp
echo "only annika may rename or delete this file" > /tmp/sticky_bit_test.txt
ls -l /tmp/sticky_bit_test.txt
Note: drwxrwxrwt breaks down as d = directory, rwx (user), rwx (group), rwt (other, with the sticky bit shown in the execute slot). A sticky bit without other-execute would display as T instead of t.
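Added here as a worked example, not part of the lab's own command sheet: a small POSIX shell script that computes what a given umask should yield for new files and directories (steps 4 and 5), checks that prediction against the mode the kernel actually assigns, and reads the sticky-bit column of ls -ld the way step 6 did. The function names expected_mode, actual_mode and sticky_flag are mine; it assumes GNU stat (with a BSD/macOS fallback) and a scratch filesystem that honours POSIX modes.

```shell
#!/bin/sh
# Added example, not part of the lab sheet: reproduce the umask arithmetic from
# steps 4 and 5 (base 666/777 with the mask cleared bit-wise) and confirm it
# against what the kernel really assigns, then read the sticky-bit column that
# step 6 observed on /tmp. Function names are my own; assumes GNU stat (with a
# BSD/macOS fallback) and a scratch filesystem that honours POSIX modes.

# expected_mode BASE MASK -> octal mode the umask rule predicts: base & ~mask.
# Plain subtraction (666 - 022) only happens to agree; the kernel clears bits.
expected_mode() {
    printf '%o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# actual_mode file|dir MASK -> octal mode the kernel gives a new entry created
# under that umask. Runs in a throw-away directory and in a subshell, so the
# caller's umask is untouched.
actual_mode() {
    kind=$1 mask=$2
    scratch=$(mktemp -d) || return 1
    (
        umask "$mask"
        if [ "$kind" = dir ]; then mkdir "$scratch/probe"; else : > "$scratch/probe"; fi
    )
    mode=$(stat -c '%a' "$scratch/probe" 2>/dev/null || stat -f '%Lp' "$scratch/probe")
    rm -rf "$scratch"
    printf '%s\n' "$mode"
}

# sticky_flag DIR -> the tenth character of ls -ld, exactly as the lab read it:
# t = sticky bit plus other-execute, T = sticky bit without other-execute,
# anything else = no sticky bit.
sticky_flag() {
    ls -ld "$1" | cut -c10
}

# Stand-alone run: the two masks from the lab and the /tmp sticky column.
for mask in 022 027; do
    printf 'umask %s: files %s (kernel %s), dirs %s (kernel %s)\n' "$mask" \
        "$(expected_mode 666 "$mask")" "$(actual_mode file "$mask")" \
        "$(expected_mode 777 "$mask")" "$(actual_mode dir "$mask")"
done
printf '/tmp sticky column: %s\n' "$(sticky_flag /tmp)"
```

Running it inside the lab container should print 644/755 for 022 and 640/750 for 027 in both the predicted and kernel columns, and t for /tmp.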

Key Findings

  • Default umask in the lab container is 0022, producing 644 files and 755 dirs
  • umask 0027 produces 640 files and 750 dirs — world access eliminated
  • /tmp has drwxrwxrwt — world-writable but protected by the sticky bit
  • Group-readable mode (640) preserves same-group collaboration

Security Controls

  • CIS Linux benchmark: default umask 027
  • File permission auditing (find -perm)
  • Sticky bit on world-writable directories
  • Service-account systemd UMask= hardening
  • Group-based collaboration without world access