umask, stat, ls -l: View and Set Default Permissions
What You Will Learn
- How to check file and directory permissions with `ls -l`.
- How to use `stat` to view detailed metadata, including octal permissions.
- How default permissions are determined when creating files/folders.
- How to configure and test `umask` to control default permissions.
- Real-world use cases for managing WordPress folder security.
- How to apply secure defaults so new files and directories don't expose vulnerabilities.
- How to interpret permission outputs line by line.
- Best practices for auditing and enforcing default permission policies.
Prerequisites
- **Access Level:** Normal user for viewing; `sudo` required for enforcing security on `/var/www`.
- **Software:** SSH client (Terminal, PuTTY).
- **Knowledge:** Basic commands (`cd`, `ls`, `chmod`, `chown`).
5W + 1H Framework
| Question | Answer |
|---|---|
| What | Tools (umask, stat, ls -l) to check and control file permission defaults. |
| Why | Ensures newly created files/folders follow secure patterns and are not world-writable. |
| When | During WordPress setup, new user creation, or when securing critical files like wp-config.php. |
| Where | WordPress directory: /var/www/html/. |
| Who | System administrators, DevOps, WordPress site owners. |
| How | By running permission checks and applying restrictive umask values. |
Core Commands with Expected Outputs
View permissions of WordPress root
ls -l /var/www/html/
Output:
drwxr-xr-x 5 www-data www-data 4096 Sep 23 12:10 wp-content
-rw-r--r-- 1 www-data www-data 405 Sep 23 12:10 wp-config.php
**Explanation:** Lists files and directories with permissions, owner, group, size, and timestamps.
**Use Case:** Audit your WordPress installation for insecure folders like 777.
View permissions of a single file
ls -l wp-config.php
Output:
-rw-r--r-- 1 www-data www-data 4201 Sep 23 12:11 wp-config.php
**Explanation:** Displays owner (www-data) and permissions (644) for a single file.
**Use Case:** Ensure wp-config.php isn't world-writable.
Long listing with hidden files
ls -la
Output:
-rw-r--r-- 1 www-data www-data 220 Sep 23 12:12 .bash_logout
-rw-r--r-- 1 www-data www-data 3526 Sep 23 12:12 .bashrc
-rw-r--r-- 1 www-data www-data 807 Sep 23 12:12 .profile
**Explanation:** Adds hidden files (like .htaccess) to the listing.
**Use Case:** Detect hidden .htaccess rules in WordPress.
Human-readable sizes
ls -lh
Output:
-rw-r--r-- 1 www-data www-data 4.1K Sep 23 12:13 index.php
-rw-r--r-- 1 www-data www-data 1.2M Sep 23 12:13 error_log
**Explanation:** Shows file sizes in KB/MB/GB instead of bytes.
**Use Case:** Quickly identify large log or backup files.
Sort by modification time
ls -lt
Output:
-rw-r--r-- 1 www-data www-data 405 Sep 23 12:15 latest.log
-rw-r--r-- 1 www-data www-data 4201 Sep 23 12:11 wp-config.php
**Explanation:** Lists files in order of most recent modification.
**Use Case:** Detect recently modified suspicious files after a hack.
Detailed metadata of config
stat wp-config.php
Output:
File: wp-config.php
Size: 4201 Blocks: 8 IO Block: 4096 regular file
Access: (0640/-rw-r-----) Uid: ( 33/www-data) Gid: ( 33/www-data)
Access: 2025-09-23 12:15:00
Modify: 2025-09-22 14:00:00
Change: 2025-09-22 14:05:00
**Explanation:** Shows octal permissions, ownership, and timestamps.
**Use Case:** Verify whether wp-config.php was altered.
Metadata of directory
stat wp-content
Output:
File: wp-content
Size: 4096 Blocks: 8 IO Block: 4096 directory
Access: (0755/drwxr-xr-x) Uid: ( 33/www-data) Gid: ( 33/www-data)
**Explanation:** Confirms directory permissions in octal and symbolic forms.
**Use Case:** Ensure wp-content/ is 755, not writable by others.
Show only permission bits
stat -c "%a %n" wp-config.php
Output:
640 wp-config.php
**Explanation:** Extracts octal mode only.
**Use Case:** Script automation for auditing permissions.
Show owner and group
stat -c "%U %G %n" wp-config.php
Output:
www-data www-data wp-config.php
**Explanation:** Displays only user and group ownership.
**Use Case:** Ensure files are owned by the web server user.
Show access time only
stat -c "%x %n" wp-config.php
Output:
2025-09-23 12:15:55.000000000 +0700 wp-config.php
**Explanation:** Shows when the file was last read. On filesystems mounted with relatime or noatime, this timestamp is not updated on every read.
**Use Case:** Detect if unauthorized processes accessed critical files.
Show modification time only
stat -c "%y %n" wp-config.php
Output:
2025-09-22 14:00:00.000000000 +0700 wp-config.php
**Explanation:** Last time content was changed.
**Use Case:** Identify recent edits to WordPress configuration.
Show change (metadata) time
stat -c "%z %n" wp-config.php
Output:
2025-09-22 14:05:00.000000000 +0700 wp-config.php
**Explanation:** Last time metadata (permissions/ownership) changed.
**Use Case:** Detect chmod or chown changes during attacks.
Check default umask
umask
Output:
0022
**Explanation:** Shows default permission mask.
**Use Case:** Confirms that new files default to 644 and dirs to 755.
Create test file with current umask
touch test.txt
ls -l test.txt
Output:
-rw-r--r-- 1 ubuntu ubuntu 0 Sep 23 12:20 test.txt
**Explanation:** File created with mask-applied permissions.
**Use Case:** Test effective defaults on new files.
Create test dir with current umask
mkdir testdir
ls -ld testdir
Output:
drwxr-xr-x 2 ubuntu ubuntu 4096 Sep 23 12:21 testdir
**Explanation:** Directory inherits defaults.
**Use Case:** Ensure dirs aren't world-writable by default.
Temporary restrictive umask
umask 0027
touch private.txt
ls -l private.txt
Output:
-rw-r----- 1 ubuntu ubuntu 0 Sep 23 12:22 private.txt
**Explanation:** Owner gets read/write, group gets read-only, others get no access.
**Use Case:** Restrict sensitive files created during the session.
Revert umask to default
umask 0022
touch normal.txt
ls -l normal.txt
Output:
-rw-r--r-- 1 ubuntu ubuntu 0 Sep 23 12:23 normal.txt
**Explanation:** Back to open defaults.
**Use Case:** Resume normal WordPress file operations.
Apply umask permanently (bash profile)
echo "umask 0027" >> ~/.bashrc
source ~/.bashrc
umask
Output:
0027
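**Explanation:** Updates shell profile with new defaults. The setting applies to that user's interactive bash sessions; services such as the web server do not read ~/.bashrc.
**Use Case:** Enforce stricter file creation policies permanently.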
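The umask sections above give results for 0022 and 0027 only. The following added example (not part of the original page; the function names are illustrative and GNU `stat` is assumed) shows the general rule, that the mask clears bits rather than subtracting digits, and checks the prediction against a file or directory actually created under that mask:

```shell
# Added example, not from the original page; function names are illustrative.
# Assumes GNU stat (-c), as used elsewhere on this page.

# predicted_mode BASE UMASK
#   Every bit set in the mask is cleared from the requested mode: BASE & ~UMASK.
#   BASE is 666 for new files (touch) and 777 for new directories (mkdir).
#   Example: umask 0033 on a file gives 644, not 633, because the execute
#   bits the mask names were never requested in the first place.
predicted_mode() {
    printf '%o\n' $(( 0$1 & ~0$2 ))
}

# created_mode KIND UMASK   (KIND is "file" or "dir")
#   Creates a probe under the given umask and prints the mode it really got.
#   The umask change happens inside a subshell, so the caller's session
#   keeps its own mask.
created_mode() {
    tmp=$(mktemp -d) || return 1
    rc=0
    (
        umask "$2"
        case $1 in
            file) touch "$tmp/probe" ;;
            dir)  mkdir "$tmp/probe" ;;
            *)    exit 2 ;;
        esac
        stat -c '%a' "$tmp/probe"
    ) || rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```

Running a command as `(umask 0027; command)` uses the same subshell pattern to restrict one operation without changing the rest of the session.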
Verify if any file is world-writable
find /var/www/html -perm -002 -type f -ls
Output:
131085 4 -rw-rw-rw- 1 www-data www-data 405 Sep 23 12:25 /var/www/html/insecure.php
**Explanation:** Finds files writable by others.
**Use Case:** Detect insecure scripts left with 777.
Verify if any directory is world-writable
find /var/www/html -perm -002 -type d -ls
Output:
131090 4 drwxrwxrwx 2 www-data www-data 4096 Sep 23 12:26 /var/www/html/uploads
**Explanation:** Finds directories where everyone can write.
**Use Case:** Identify dangerous uploads/ folder settings.
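The two `find` checks above catch world-writable entries only. The following added example (not part of the original page) extends them into one audit against the modes this page recommends: directories 755, files 644, wp-config.php 640, all owned by the web server user. The function name, the report labels and the default owner `www-data` are assumptions, and GNU `find` is required for `-perm /MODE` and `-printf`.

```shell
# Added example, not from the original page. Assumes GNU find.
# audit_wp_perms ROOT [OWNER]
#   Prints one line per violation and returns 1; prints nothing and returns 0
#   when the tree is clean.
#   "-perm /BITS" matches when ANY of BITS is set, so each BITS value below is
#   the complement of the highest mode allowed for that kind of entry.
audit_wp_perms() {
    root=$1
    owner=${2:-www-data}   # assumed web server account, as in the listings above
    report=$(
        # Directories: nothing beyond 755 (no group/other write, no special bits).
        find "$root" -type d -perm /7022 -printf 'DIR_OVER_755 %m %p\n'
        # Regular files: nothing beyond 644 (no execute bits, no group/other write).
        find "$root" -type f ! -name wp-config.php -perm /7133 \
            -printf 'FILE_OVER_644 %m %p\n'
        # wp-config.php: nothing beyond 640, so "others" get no access at all.
        find "$root" -type f -name wp-config.php -perm /7137 \
            -printf 'CONFIG_OVER_640 %m %p\n'
        # Anything not owned by the expected account.
        find "$root" ! -user "$owner" -printf 'WRONG_OWNER %u %p\n'
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Typical call (needs read access to the tree):
#   audit_wp_perms /var/www/html www-data
```

Because it returns non-zero on any finding, the function can gate a deployment script or run from cron with the output mailed to an administrator.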
Combined Practical Scenarios
| Scenario | Action | Outcome |
|---|---|---|
| Secure wp-config.php | chmod 640 wp-config.php | Owner can edit; web server group can read; others denied. |
| Audit WordPress directories | ls -l /var/www/html/ | Quickly check if any file is 777. |
| Apply strict umask | umask 0027 | Ensures new files/dirs are private by default. |
| Investigate file tampering | stat wp-config.php | Check last modification/change timestamps. |
WordPress-Specific Benefits
| Command | Benefit |
|---|---|
| ls -l | Quickly spot insecure files (777) in WordPress. |
| stat | Detect tampering in wp-config.php or theme files. |
| umask | Enforce safe defaults for new uploads or scripts. |
Implementation Steps
- Check permissions on WordPress root: `ls -l /var/www/html/`
- Audit detailed file metadata: `stat wp-config.php`
- Check default mask: `umask`
- Set stricter defaults (for session): `umask 0027`
- Test new file creation: `touch newfile.php`, `mkdir newdir`, `ls -l`
Best Practices
- Always audit permissions with `ls -l` before and after major updates.
- Use `stat` to verify octal codes and detect tampering.
- Keep default `umask` secure (e.g., `0027` instead of `0002`).
- For WordPress:
  - Files `644`
  - Directories `755`
  - `wp-config.php` `640` or `600`.
- Never leave uploads or themes as `777`.
Quick Lab
cd /var/www/html
umask
umask 0027
touch secure.txt
mkdir secure_dir
ls -l secure.txt
ls -ld secure_dir
stat secure.txt
Expected Results:
- Default umask displayed (e.g., `0022`).
- After changing, new file `640`, new directory `750`.
- `stat` confirms octal mode and timestamps.
Cheat Sheet
| Command | Purpose |
|---|---|
| ls -l | View file permissions & ownership |
| stat file | Detailed metadata (octal + timestamps) |
| umask | Show current default mask |
| umask 0027 | Set stricter defaults (files 640, dirs 750) |
| chmod 640 file | Lock down WordPress config |
| chmod 755 dir | Secure directories |
Mini Quiz
- What does `umask 0022` mean for new files?
- How does `stat` differ from `ls -l`?
- Why should `wp-config.php` have `640` instead of `644`?
- What command checks if any WordPress file is world-writable?
- How do you temporarily enforce stricter defaults so new files are private?