DAY 6: Understanding Access Control Lists (ACLs) and Special File Permissions in Linux

Rakshita Belwal

What is ACL?

An access control list (ACL) provides an additional, more flexible permission mechanism for file systems. ACLs allow you to define different permissions for specific users or groups beyond the standard owner/group/others model.

Using getfacl and setfacl

getfacl displays the ACLs of a file or directory, and setfacl sets or modifies them.

  • getfacl

The getfacl command is used to display the ACLs of a file or directory. This command shows the effective permissions of users and groups, as well as the default ACLs if they are set.

To display the ACLs of a file named rakshita.txt, we would use:

getfacl rakshita.txt

The output is:

# file: rakshita.txt
# owner: ubuntu
# group: ubuntu
user::rw-
group::rw-
other::r--
  • # file: rakshita.txt: The file we're looking at is named rakshita.txt.

  • # owner: ubuntu: The user who owns this file is ubuntu.

  • # group: ubuntu: The group associated with this file is ubuntu.

  • user::rw-: The owner (ubuntu) has:

    • Read (r) permission: Can view the file.

    • Write (w) permission: Can modify the file.

    • No execute (-) permission: Cannot run the file as a program.

  • group::rw-: The group (ubuntu) has:

    • Read (r) permission: Can view the file.

    • Write (w) permission: Can modify the file.

    • No execute (-) permission: Cannot run the file as a program.

  • other::r--: All other users have:

    • Read (r) permission: Can view the file.

    • No write (-) permission: Cannot modify the file.

    • No execute (-) permission: Cannot run the file as a program.

  • setfacl

The setfacl command is used to set or modify the ACLs of a file or directory.

  • To add permissions for a user:

      setfacl -m "u:user:permissions" /path/to/file

  • To add permissions for a group:

      setfacl -m "g:group:permissions" /path/to/file

  • To remove a specific ACL entry:

      setfacl -x u:username /path/to/file

  • To remove all extended entries (only the base owner/group/other permissions remain):

      setfacl -b /path/to/file

Task: Create a directory and set specific ACL permissions for different users and groups. Verify the permissions using getfacl.

  1. Create a directory:

     mkdir control
    
  2. Grant read and write permissions to user1:

     setfacl -m u:user1:rw control
    
  3. Grant read-only permissions to user2:

     setfacl -m u:user2:r control
    
  4. Grant read and execute permissions to group1:

     setfacl -m g:group1:rx control
    

To verify the ACL permissions set on control, use the getfacl command:

getfacl control

Output:

# file: control
# owner: ubuntu
# group: ubuntu
user::rwx
user:user1:rw-
user:user2:r--
group::rwx
group:group1:r-x
mask::rwx
other::r-x
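The mask::rwx line in the output above is easy to overlook, but it caps what every named user, named group and the owning group (group::) can actually do; only user:: and other:: are exempt. setfacl recalculates the mask when you add entries with -m, and a later chmod on the directory's group bits rewrites it, so the listing is the only reliable way to see effective rights. The following script is an added example, not code from the original post: it parses a getfacl listing and computes the effective permission of each entry under the mask, which is what getfacl prints as "#effective:". The listing is constructed from the post's output for control with the mask lowered to r--, and the helper names mask_perms and effective_acl are my own.

```shell
#!/bin/sh
# Added example (not from the original post): parse a getfacl listing and work
# out the effective permission of each entry under the ACL mask, the same
# calculation getfacl shows as "#effective:". Function names are my own; the
# listing at the bottom is constructed from the post's output with a lower mask.

# A permission bit survives only if it is set in both the entry and the mask.
# The kernel applies the mask to named users, named groups and the owning
# group (group::); the owner (user::) and other:: are never masked.
mask_perms() {
    entry=$1
    mask=$2
    out=""
    for i in 1 2 3; do
        e=$(printf '%s\n' "$entry" | cut -c"$i")
        m=$(printf '%s\n' "$mask" | cut -c"$i")
        if [ "$e" = "$m" ] && [ "$e" != "-" ]; then
            out="$out$e"
        else
            out="$out-"
        fi
    done
    printf '%s\n' "$out"
}

# Print the entries again, appending "#effective:<perms>" to every entry the
# mask reduces. Comment lines (# file:, # owner:, # group:) are skipped.
effective_acl() {
    acl=$1
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\(...\).*/\1/p')
    if [ -z "$mask" ]; then          # minimal ACL: no mask entry, nothing to apply
        printf '%s\n' "$acl" | grep -v '^#'
        return
    fi
    printf '%s\n' "$acl" | while IFS= read -r line; do
        case $line in
            '#'*|'') ;;
            user::*|other::*|mask::*) printf '%s\n' "$line" ;;
            *)
                perms=${line##*:}
                eff=$(mask_perms "$perms" "$mask")
                if [ "$eff" = "$perms" ]; then
                    printf '%s\n' "$line"
                else
                    printf '%s\t#effective:%s\n' "$line" "$eff"
                fi ;;
        esac
    done
}

# Constructed listing: the post's entries for "control" as they would look
# after a `chmod g=r control`, which rewrites the mask (not group::) to r--.
sample_acl='# file: control
# owner: ubuntu
# group: ubuntu
user::rwx
user:user1:rw-
user:user2:r--
group::rwx
group:group1:r-x
mask::r--
other::r-x'

effective_acl "$sample_acl"
```

Running it shows user1, the owning group and group1 all reduced to r-- while user2 is unchanged, because r-- was already within the mask. On a real system, compare the script's output with what getfacl prints for the same directory: the two should agree line for line.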

ADDITIONAL TASK:

Task: Create a script that changes the permissions of multiple files in a directory based on user input.

Create a file:

vim permissions.sh

Enter the bash script in the file:

#!/bin/bash

echo "enter the directory path"
read -r directory_path

echo "enter permissions (for example 644 or u+x)"
read -r permissions

# Stop early if the path is not a directory
if [ ! -d "$directory_path" ]; then
    echo "error: $directory_path is not a directory" >&2
    exit 1
fi

# Apply the mode to every regular file in the directory. Quoting keeps paths
# with spaces intact, and -- stops a mode such as -w being parsed as an option.
for f in "$directory_path"/*; do
    [ -f "$f" ] && chmod -- "$permissions" "$f"
done
echo "permissions changed successfully"

Change the file permissions to make it executable:

chmod 700 permissions.sh

Run the file:

./permissions.sh

Understanding Sticky Bit, SUID, and SGID

  1. Sticky Bit: The sticky bit is a permission bit set on a file or a directory that allows only the owner of the file/directory or the root user to delete or rename the file.

  2. SUID: SUID (Set User ID) is a special permission in Linux that allows a program to run with the permissions of the file's owner.

  3. SGID: SGID (Set Group ID) is a special permission in Linux that affects both files and directories, but it works differently for each.

     When SGID is set on an executable file, the program runs with the permissions of the file's group, rather than the user's group.

     When SGID is set on a directory, any files created within that directory inherit the group ownership of the directory, rather than the primary group of the user who created the file.

Task: Create examples demonstrating the use of sticky bit, SUID, and SGID.

  1. To set the sticky bit permission on a directory, use the chmod command. The numeric value for the sticky bit is 1.

     If you want to set the sticky bit permission on a directory named public with permission bits 777, run:

     chmod 1777 public

  2. The numeric value for SUID is 4.

     If you want to set the SUID permission on a file named script.sh that currently has the permission bits 755, you would run:

     chmod 4755 script.sh

  3. The numeric value for SGID is 2.

     If you want to set the SGID permission on a directory named shared with permission bits 755, you would execute:

     chmod 2755 shared
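The three chmod commands above, run end to end in an added example that is not part of the original post: it creates public, script.sh and shared in a temporary directory, sets the bits with the same modes, decodes them from the mode string that ls -ld prints, and finishes with the find invocation an administrator uses to audit a tree for set-id files. The helper names special_bits and find_setid are my own, and the script assumes a POSIX sh with ls, cut, find and mktemp.

```shell
#!/bin/sh
# Added example (not part of the original post): set the sticky bit, SUID and
# SGID on throwaway objects in a temporary directory, read the bits back from
# the symbolic mode string, and audit a tree for set-id files.
# Assumes a POSIX sh with ls, cut, find and mktemp; the names are the post's.

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

mkdir "$work/public" "$work/shared"
printf '#!/bin/sh\necho hello\n' > "$work/script.sh"

chmod 1777 "$work/public"       # 1 = sticky bit, then rwxrwxrwx
chmod 4755 "$work/script.sh"    # 4 = SUID, then rwxr-xr-x
chmod 2755 "$work/shared"       # 2 = SGID, then rwxr-xr-x

# Report which special bits are set, from the 10-character mode that
# `ls -ld` prints: char 4 is owner-execute (s/S means SUID), char 7 is
# group-execute (s/S means SGID), char 10 is other-execute (t/T means sticky).
# Upper case means the special bit is set but the execute bit under it is not.
special_bits() {
    mode=$(ls -ld "$1" | cut -c1-10)
    out=""
    case $(printf '%s\n' "$mode" | cut -c4) in s|S) out="${out}suid " ;; esac
    case $(printf '%s\n' "$mode" | cut -c7) in s|S) out="${out}sgid " ;; esac
    case $(printf '%s\n' "$mode" | cut -c10) in t|T) out="${out}sticky " ;; esac
    printf '%s\n' "${out% }"
}

# Defender's check: list every regular file under a directory with SUID or
# SGID set. -perm -4000 matches when that bit is set whatever the other bits are.
find_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

for p in "$work/public" "$work/script.sh" "$work/shared"; do
    printf '%-8s %s\n' "$(special_bits "$p")" "$p"
done
echo "set-id files under $work:"
find_setid "$work"
```

In the ls -ld output the s and t letters replace the execute position, so an upper-case S or T means a special bit is set on top of a missing execute bit, which is almost always a mistake worth correcting. Running find_setid against / (rather than the temporary directory) gives the baseline list of set-id binaries that a periodic audit compares against.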
Written by

Rakshita Belwal

Hi there! I'm Rakshita Belwal, an enthusiastic and aspiring DevOps engineer and Cloud engineer with a passion for integrating development and operations to create seamless, efficient, and automated workflows. I'm driven by the challenges of modern software development and am dedicated to continuous learning and improvement in the DevOps field.