File Permissions and Access Control Lists

1. Create a simple file and run ls -ltr to see its details. As a task, change the user permissions of the file and note the changes in the next ls -ltr.

ubuntu@ip-172-31-13-215:~/file_permissions$ vi new_file.txt
ubuntu@ip-172-31-13-215:~/file_permissions$ ls
new_file.txt
ubuntu@ip-172-31-13-215:~/file_permissions$ ls -ltr
total 0
-rw-rw-r-- 1 ubuntu ubuntu 14 Apr  5 17:32 new_file.txt
ubuntu@ip-172-31-13-215:~/file_permissions$ chmod 774 new_file.txt 
ubuntu@ip-172-31-13-215:~/file_permissions$ ls -ltr
total 0
-rwxrwxr-- 1 ubuntu ubuntu 14 Apr  5 17:32 new_file.txt
ubuntu@ip-172-31-13-215:~/file_permissions$

2. File Permissions in Linux

In Linux, every file and directory is owned by a user and a group. Each user can have different levels of access to these files and directories, which is determined by a set of permissions.
To view the permissions of a file or directory in Linux, we can use the ls -ltr command. This will display a detailed list of files and directories, including their ownership and permissions.

The ls -l command displays the permission-related information of each file as follows:

$ ls -l /home/amrood
-rwxr-xr--  1 amrood   users 1024  Nov 2 00:10  myfile
drwxr-xr--  1 amrood   users 1024  Nov 2 00:10  mydir

All three classes (user owner, group and others) have the same three types of permission defined, so nine characters in total denote the permissions of a file.

  1. Read (r): The read permission allows you to open and read the content of a file, but not to edit or modify it.

  2. Write (w): The write permission allows you to edit, remove or rename a file. Removing and renaming are operations on the directory entry, so if write permission is set on the file but not on the directory, you can edit the content of the file but cannot remove or rename it.

  3. Execute (x): On a Unix-type system you cannot run a program unless its execute permission is set. Windows has no such permission bit.

user – The user permissions apply only to the owner of the file or directory; they do not affect the actions of other users.
group – The group permissions apply only to the group assigned to the file or directory; they do not affect the actions of other users.
others – The others permissions apply to every other user on the system; this is the permission class you want to watch most closely.

Changing security permissions

The command used to change the security permissions on files is chmod, which stands for “change mode”, because the nine permission characters are collectively called the “mode” of the file.

  1. The first argument you give to chmod is u, g or o. We use:
    u for user
    g for group
    o for others
    (a stands for all three at once), and you can also use a combination of them (u, g, o).
    This specifies which of the three classes you want to modify.

  2. After this, use
    a ‘+’ to add,
    a ‘-’ to remove,
    and an ‘=’ to assign a permission exactly.

  3. Then specify the permission r, w or x you want to change.
    Here too you can use a combination of r, w and x.
    This specifies which of the three permissions (rwx) you want to modify.

  4. You can use commas to modify more than one class in a single command.

  5. Finally, give the name of the file whose permissions you are changing.

There are two modes of chmod command that we can use.

1- Symbolic mode: The permissions for a file or directory can be set separately for the owner, for the group the file belongs to, and for all other users. The three permissions in Linux are read, write and execute, applied to the three categories Owner/User, Group and Others.

 chmod g+w filename   # give write permission to the group
 chmod o-r filename   # remove read permission from other users
 chmod a-rwx filename # remove read, write and execute permission from all three categories

The letters u, g, and o represent the file owner, group, and others, respectively. The + and - symbols indicate whether to add or remove permissions. The letters r, w, and x indicate which permissions to add or remove.

2- Numeric Method: To specify permissions using numbers, we can use a three-digit code that represents the permissions for the file owner, group, and others. Each digit represents a combination of read(4), write(2), and execute(1) permissions.

 chmod [permissions] [file or directory]
 chmod 700 [file or directory] #represents all permissions for the file owner and no permissions for the group and others
 chmod 760 [file or directory] #represents all permissions for the file owner and read,write for the group and no permissions for the others

You can also read the digits off the octal table (each digit is the sum of read = 4, write = 2 and execute = 1):

Octal  Binary  Permissions
0      000     ---
1      001     --x
2      010     -w-
3      011     -wx
4      100     r--
5      101     r-x
6      110     rw-
7      111     rwx

So, each of the following pairs does the same thing:

chmod ugo+rwx [file_name]
chmod 777 [file_name]

chmod ug+rwx,o=rx [file_name]
chmod 775 [file_name]

chmod u=r,g=wx,o=rx [file_name]
chmod 435 [file_name]
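The conversion between the two notations, written out in plain sh as an added example (not code from the original post): rwx_to_octal and octal_to_rwx go in each direction, and world_writable uses the same parsing to flag the "others" triplet that the text above says to watch most closely. The ls -l lines at the bottom are constructed sample data; the function names are chosen for this example.

```shell
# Added example: convert between the 9-character rwx string printed by
# ls -l and the three-digit octal mode used by chmod, then use that to
# flag entries whose "others" triplet grants write access.

# rwx_to_octal "rwxrwxr--" -> 774 (special bits such as setuid are not handled)
rwx_to_octal() {
  rest=$1 out=""
  while [ -n "$rest" ]; do
    triplet=${rest%"${rest#???}"}          # next three characters
    rest=${rest#???}
    n=0
    case $triplet in r??) n=$((n + 4)) ;; esac
    case $triplet in ?w?) n=$((n + 2)) ;; esac
    case $triplet in ??x) n=$((n + 1)) ;; esac
    out="$out$n"
  done
  printf '%s\n' "$out"
}

# octal_to_rwx 435 -> "r---wxr-x"
octal_to_rwx() {
  rest=$1 out=""
  while [ -n "$rest" ]; do
    d=${rest%"${rest#?}"}; rest=${rest#?}   # next digit
    r=- w=- x=-
    case $d in [4567]) r=r ;; esac
    case $d in [2367]) w=w ;; esac
    case $d in [1357]) x=x ;; esac
    out="$out$r$w$x"
  done
  printf '%s\n' "$out"
}

# world_writable "<ls -l line>" succeeds when the others triplet contains w
world_writable() {
  perms=${1%% *}; perms=${perms#?}         # first field minus the type char
  case $perms in ???????w?) return 0 ;; esac
  return 1
}

# Constructed ls -l output (sample data, not from the original post)
SAMPLE_LS='-rwxrwxr-- 1 ubuntu ubuntu 14 Apr  5 17:32 new_file.txt
-rw-rw-rw- 1 ubuntu ubuntu 30 Apr  5 17:40 notes.txt'

printf '%s\n' "$SAMPLE_LS" | while IFS= read -r line; do
  perms=${line%% *}; perms=${perms#?}
  if world_writable "$line"; then
    printf 'WARNING: %s is world-writable (mode %s)\n' "${line##* }" "$(rwx_to_octal "$perms")"
  fi
done
```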

3. Access Control List in Linux

An access control list (ACL) provides an additional, more flexible permission mechanism for file systems. It is designed to supplement the standard UNIX file permissions: an ACL lets you grant permissions to any user or group on any file system object.

Use of ACL:
Think of a scenario where a particular user is not a member of the group you created, but you still want to give them some read or write access. How can you do that without adding the user to the group? This is exactly what an ACL lets you do.

setfacl and getfacl are used for setting up ACL and showing ACL respectively.

For example:

1) To view the ACL of a file: getfacl /path/to/file

ubuntu@ip-172-31-13-215:~$ mkdir test
ubuntu@ip-172-31-13-215:~$ vi test/my_file.txt
ubuntu@ip-172-31-13-215:~$ getfacl test/my_file.txt
# file: test/my_file.txt
# owner: ubuntu
# group: ubuntu
user::rw-
group::rw-
other::r--

2) To add an entry for a user: setfacl -m "u:user:permissions" /path/to/file

ubuntu@ip-172-31-13-215:~$ setfacl -m u:priya:rwx test/my_file.txt
ubuntu@ip-172-31-13-215:~$ getfacl test/my_file.txt
# file: test/my_file.txt
# owner: ubuntu
# group: ubuntu
user::rw-
user:priya:rwx
group::rw-
mask::rwx
other::r--

3) To add an entry for a group: setfacl -m "g:group:permissions" /path/to/file

ubuntu@ip-172-31-13-215:~$ setfacl -m g:devops:rwx test/my_file.txt
ubuntu@ip-172-31-13-215:~$ getfacl test/my_file.txt
# file: test/my_file.txt
# owner: ubuntu
# group: ubuntu
user::rw-
user:priya:rwx
group::rw-
group:devops:rwx
mask::rwx
other::r--

4) To remove a specific user entry: setfacl -x u:user: /path/to/file

ubuntu@ip-172-31-13-215:~$ setfacl -x u:priya: test/my_file.txt
ubuntu@ip-172-31-13-215:~$ getfacl test/my_file.txt
# file: test/my_file.txt
# owner: ubuntu
# group: ubuntu
user::rw-
group::rw-
group:devops:rwx
mask::rwx
other::r--

5) To remove a specific group entry: setfacl -x g:group: /path/to/file

ubuntu@ip-172-31-13-215:~$ setfacl -x g:devops: test/my_file.txt
ubuntu@ip-172-31-13-215:~$ getfacl test/my_file.txt
# file: test/my_file.txt
# owner: ubuntu
# group: ubuntu
user::rw-
group::rw-
mask::rw-
other::r--

6) To remove all extended entries: setfacl -b /path/to/file
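The mask:: entry that appeared in the getfacl output above caps every named user, named group and owning-group entry, so a user granted rwx can still end up with less. The script below applies that AND in plain sh to constructed getfacl output; it is an added example, not code from the original post, and and_perms and acl_effective are names chosen here.

```shell
# Added example: the mask:: entry seen in the getfacl output above caps
# every named user, named group and owning-group entry; the owner (user::)
# and other:: entries are never masked. This applies that AND in plain sh.

# and_perms "rwx" "r-x" -> "r-x"   (position-wise AND of two rwx triplets)
and_perms() {
  a=$1 b=$2 out=""
  while [ -n "$a" ]; do
    ca=${a%"${a#?}"}; cb=${b%"${b#?}"}      # first char of each
    a=${a#?}; b=${b#?}
    if [ "$ca" = "$cb" ]; then out="$out$ca"; else out="$out-"; fi
  done
  printf '%s\n' "$out"
}

# acl_effective reads getfacl output on stdin and prints
# "<entry> -> <effective perms>" for every entry the mask applies to
acl_effective() {
  input=$(cat)
  mask=$(printf '%s\n' "$input" | sed -n 's/^mask::\([rwx-]*\).*/\1/p')
  printf '%s\n' "$input" | while IFS= read -r e; do
    e=${e%%[[:space:]]*}                    # drop a trailing #effective: comment
    case $e in
      user:?*:*|group:*) ;;                 # named user, named group, owning group
      *) continue ;;                        # owner, other, mask, comments, blanks
    esac
    perms=${e##*:}
    if [ -n "$mask" ]; then eff=$(and_perms "$perms" "$mask"); else eff=$perms; fi
    printf '%s -> %s\n' "$e" "$eff"
  done
}

# Constructed getfacl output (sample data, not from the original post): the
# mask has been tightened to r-x, so the rwx granted to priya and devops is
# not what they actually get.
SAMPLE_ACL='# file: test/my_file.txt
# owner: ubuntu
# group: ubuntu
user::rw-
user:priya:rwx
group::rw-
group:devops:rwx
mask::r-x
other::r--'

printf '%s\n' "$SAMPLE_ACL" | acl_effective
# user:priya:rwx -> r-x
# group::rw- -> r--
# group:devops:rwx -> r-x
```

Real getfacl marks such capped entries itself with a trailing #effective: comment, and once a file carries an ACL, ls -l prints a + after the mode and shows the mask in the group triplet rather than the owning group's permissions.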

Thank you all for giving your valuable time to read this.

Stay in touch!! Many more blogs are in the queue!! Happy Learning