Linux security begins with a deceptively simple question:
Who is allowed to do what?
That question sits behind almost every serious Linux administration, security, DevOps, cloud, and incident response task. When a web server cannot read its configuration file, when a developer cannot write to a shared directory, when a container unexpectedly runs as root, when a vulnerable binary becomes a privilege escalation path, or when sudo gives too much access, the root cause usually comes back to the Linux user and permission model.
The Linux user and permission models are not just about memorizing chmod 755 or knowing that root is powerful. They define how the kernel separates people, processes, services, files, devices, sockets, and system resources. They also explain why Linux can safely run thousands of processes from many users on the same machine, why a service compromise does not always mean full system compromise, and why one wrong ownership or permission decision can turn a small bug into a serious security incident.
This guide starts from the simplest mental model and gradually moves into engineering-level depth: users, groups, ownership, permission bits, umask, special bits, access control lists, sudo, Linux capabilities, containers, namespaces, filesystems, and real deployment trade-offs.
The First Principle: Linux Protects Objects from Subjects
At the most basic level, Linux security is about controlling access between two things:
- Subject: the active entity trying to do something, usually a process.
- Object: the passive resource being accessed, such as a file, directory, socket, device, or memory region.
A user does not directly read a file. A process running with that user’s identity asks the kernel to read the file. The kernel then checks whether that process has permission.
This distinction matters.
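The check the kernel performs when a process asks for a file is small enough to write out. The following is an added example (not code from the original post): a Python model of the classic discretionary access control rule, applied to a constructed scenario in which a web-server process (uid 33) asks to read a configuration file owned by root and a hypothetical `app` group (gid 1001) with mode 0640. The uids, gids, and paths are invented for illustration; the rule itself (one permission class is selected, the effective uid/gid of the process decides which, and uid 0 only overrides read/write freely) follows the kernel's behaviour.

```python
import stat
from dataclasses import dataclass

# Permission bits within a single rwx class.
R, W, X = 4, 2, 1


@dataclass(frozen=True)
class Cred:
    """Credentials the kernel attaches to a process (the subject).

    Linux checks the filesystem uid/gid, which normally equal the
    effective uid/gid, plus the supplementary group list.
    """
    euid: int
    egid: int
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class Inode:
    """Ownership and full st_mode of the file (the object)."""
    uid: int
    gid: int
    mode: int  # includes file-type bits, e.g. stat.S_IFREG | 0o640


def dac_check(cred: Cred, inode: Inode, want: int) -> bool:
    """Return True if the process may perform the requested access.

    `want` is a bitmask of R, W, X.  Exactly one class of bits is
    consulted: owner if the uids match, otherwise group if the process
    belongs to the file's group, otherwise other.  The classes are not
    combined, so a group member never falls through to the other bits.
    """
    if cred.euid == inode.uid:
        bits = (inode.mode >> 6) & 7
    elif cred.egid == inode.gid or inode.gid in cred.groups:
        bits = (inode.mode >> 3) & 7
    else:
        bits = inode.mode & 7

    if bits & want == want:
        return True

    # uid 0 (CAP_DAC_OVERRIDE) bypasses read/write checks outright, but
    # may execute a regular file only if at least one x bit is set;
    # directories are always traversable for it.
    if cred.euid == 0:
        if not (want & X):
            return True
        if stat.S_ISDIR(inode.mode) or (inode.mode & 0o111):
            return True
    return False


def rights(cred: Cred, inode: Inode) -> str:
    """Summarise the effective rights as an rwx string, e.g. 'r--'."""
    return "".join(
        ch if dac_check(cred, inode, bit) else "-"
        for ch, bit in (("r", R), ("w", W), ("x", X))
    )


if __name__ == "__main__":
    # Constructed scenario: /etc/app/config.conf, root:app, mode 0640.
    config = Inode(uid=0, gid=1001, mode=stat.S_IFREG | 0o640)
    www = Cred(euid=33, egid=33)                         # not in group app
    www_in_app = Cred(euid=33, egid=33, groups=frozenset({1001}))
    root = Cred(euid=0, egid=0)

    print("www-data           :", rights(www, config))         # ---
    print("www-data (+app grp):", rights(www_in_app, config))  # r--
    print("root               :", rights(root, config))        # rw-

    # The group class is chosen even when it grants less than other:
    odd = Inode(uid=1000, gid=1001, mode=stat.S_IFREG | 0o604)
    print("group member on 0604:", rights(Cred(1001, 1001), odd))  # ---
    print("anyone else on 0604 :", rights(Cred(2000, 2000), odd))  # r--
```

The last two lines of the demo show why the "one class only" rule matters in practice: a file with mode 0604 is readable by everyone except members of its own group, which is a common source of confusing "permission denied" errors after a user is added to a group.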
The root cause sits inside algif_aead.c where the in-place optimization introduced in commit 72548b093ee3 causes the sg_init_table to point both the source and destination scatterlists at the same page-cache folio. When authencesn performs its internal scratch write during AEAD decryption, it lands 4 bytes past the output buffer end – which is now a live shared kernel page. The attacker controls those 4 bytes by crafting the associated data length field in the AEAD control message. Repeated 4 bytes at a time across the binary’s .text section, this overwrites the entry point with architecture-specific shellcode that calls setresuid(0,0,0) before execve of a shell. The full annotated Python exploit, the Falco detection rule, the auditd config, and exact patch commands for every major distribution are all inside the full post…
Master Linux Users, Groups & Permissions – The Complete Sysadmin Guide