A Guide to Linux Permissions and Advanced ACL

Sahil Mhatre

Understanding File Permissions:

Creating and Viewing File Details

  1. Create a Simple File:

    • Use touch filename to create a file.
  2. View File Details:

    • Run ls -l to see detailed information about files, including permissions.

File Permission Categories

File permissions are divided into three categories, each with three types of permissions: read (r), write (w), and execute (x).

  1. Owner:

    • The user who owns the file.

    • To change ownership, use chown username filename.

  2. Group:

    • The group that owns the file.

    • To change the group ownership, use chgrp groupname filename.

  3. Others:

    • All other users with access to the system.

    • To change permissions for others, use chmod with the appropriate permission set.

To view permissions, run ls -l; the output looks something like this:

-rwxr-xr-- 1 owner group 7 Jul 14 12:34 file.txt

-rwxr-xr-- indicates the permissions.

  • rwx for the owner (read, write, execute)

  • r-x for the group (read, execute)

  • r-- for others (read)

Access Control Lists (ACL):

  • getfacl

    The getfacl command is used to display the Access Control Lists (ACLs) of files and directories in Unix/Linux systems. ACLs provide a more granular permission mechanism than traditional file permissions, allowing specific permissions for individual users or groups.

    Basic Usage: getfacl filename

  • setfacl

    The setfacl command is used to set or modify the ACLs of files and directories. This allows administrators to define specific permissions for multiple users or groups beyond the standard owner/group/others model.

    Usage:

    • Add or Modify ACL: setfacl -m u:username:permission filename

Example of getfacl and setfacl:

Understanding Sticky Bit, SUID, and SGID:

The setuid (Set User ID) bit is a special permission in Linux systems that allows users to run an executable file with the permissions of the file's owner, rather than with the permissions of the user who is running the file. This mechanism is often used to allow users to execute programs with elevated privileges.

Setting the setuid bit: chmod u+s filename

Example:

The setgid (Set Group ID) bit is a special permission in Linux systems that, when set on a directory, allows files created within the directory to inherit the group ownership of the directory. When set on an executable file, it allows the file to be executed with the permissions of the file's group, rather than the user's group.

Setting the setgid bit: chmod g+s filename

The sticky bit is a special permission in Linux systems that can be set on directories to control file deletion within that directory. When the sticky bit is set on a directory, only the file's owner, the directory's owner, or the root user can delete or rename files within that directory. This is particularly useful for directories where many users have write permissions, such as /tmp.

Setting the sticky bit: chmod o+t filename
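The three special bits above are also what an administrator audits when hardening a host: every setuid or setgid executable is a privilege boundary, and a world-writable directory without the sticky bit lets any user delete other users' files. The following script is an added example, not part of the original post; it uses find's -perm tests to report those cases for a directory tree, and the function and file names are ones chosen here.

```shell
#!/bin/bash
# Added example (not from the original post): audit a directory tree for the
# special permission bits (setuid, setgid, sticky) from a hardening viewpoint.

# Files carrying the setuid bit (octal 4000): they run as the file's owner.
find_setuid() {
  find "$1" -xdev -type f -perm -4000 -print 2>/dev/null | sort
}

# Files carrying the setgid bit (octal 2000): they run with the file's group.
find_setgid() {
  find "$1" -xdev -type f -perm -2000 -print 2>/dev/null | sort
}

# World-writable directories (o+w) that lack the sticky bit (octal 1000):
# any user can delete or rename other users' files there. Fix: chmod o+t DIR
find_ww_dirs_without_sticky() {
  find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null | sort
}

# Print a short report for the given directory.
audit_special_bits() {
  local dir="$1"
  echo "== setuid files under $dir =="
  find_setuid "$dir"
  echo "== setgid files under $dir =="
  find_setgid "$dir"
  echo "== world-writable directories without the sticky bit under $dir =="
  find_ww_dirs_without_sticky "$dir"
}

# Run the audit only when a directory is given, e.g. ./audit_bits.sh /usr/local
if [ $# -gt 0 ]; then
  audit_special_bits "$1"
fi
```

Compare the setuid list against a known-good baseline (for example a fresh install of the same distribution) so that newly appearing entries stand out.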

Creating a script that backs up the current permissions of files in a directory to a file:

#!/bin/bash

# Check if the directory path is provided
if [ -z "$1" ]; then
  echo "Usage: $0 directory_path"
  exit 1
fi

# Assign the directory path to a variable
DIRECTORY=$1

# Check if the provided path is a directory
if [ ! -d "$DIRECTORY" ]; then
  echo "Error: $DIRECTORY is not a directory"
  exit 1
fi

# Create a backup filename with the current date and time
BACKUP_FILE="permissions_backup_$(date +'%Y%m%d_%H%M%S').txt"

# Use getfacl to record the owner, group, mode and ACL entries of the directory
# and everything below it. -p keeps absolute path names in the "# file:" lines,
# so the backup can be restored from any working directory.
# The exit status of getfacl is checked directly: testing only whether the
# backup file exists would succeed even when getfacl failed part-way.
if getfacl -pR "$DIRECTORY" > "$BACKUP_FILE"; then
  echo "Permissions backup saved to $BACKUP_FILE"
else
  echo "Error: Failed to create the backup file"
  rm -f "$BACKUP_FILE"
  exit 1
fi

Creating another script that restores the permissions from the backup file:

#!/bin/bash

# Check if the backup file is provided
if [ -z "$1" ]; then
  echo "Usage: $0 backup_file"
  exit 1
fi

# Assign the backup file path to a variable
BACKUP_FILE=$1

# Check if the provided path is a file
if [ ! -f "$BACKUP_FILE" ]; then
  echo "Error: $BACKUP_FILE is not a file"
  exit 1
fi

# Restore the permissions using setfacl. Relative path names in the backup's
# "# file:" lines are resolved against the current working directory, so run
# this from the same directory the backup was taken in unless getfacl -p was
# used. Owner and group are only restored when running as root.
if setfacl --restore="$BACKUP_FILE"; then
  echo "Permissions successfully restored from $BACKUP_FILE"
else
  echo "Error: Failed to restore permissions"
  exit 1
fi