File Permissions and Access Control Lists

Anirban BanerjeeAnirban Banerjee
10 min read

Table of contents

Understanding Linux File Permissions

Linux file permissions are an essential aspect of system security and file management, dictating who can read, write, or execute files and directories. These permissions ensure that only authorized users can access, modify, or execute certain files, making them critical in multi-user environments.

The Three Permission Types

In Linux, there are three primary types of permissions for each file and directory:

  1. Read (r): Allows viewing the contents of a file or listing the contents of a directory.

  2. Write (w): Grants permission to modify the contents of a file or add/delete files in a directory.

  3. Execute (x): For files, this permission enables execution as a program. For directories, it allows access to the directory’s contents.

Permission Categories

Each of these permissions is assigned to three categories of users:

  • Owner: The creator or owner of the file, who generally has full control.

  • Group: A set of users who may share specific access needs.

  • Others: All other users on the system who are not the owner or part of the group.

Viewing and Modifying Permissions

Use the ls -l command to view permissions in the format of drwxr-xr-x, where:

  • The first character indicates the type (d for directory, - for file).

  • The next three characters (e.g., rwx) are for the owner.

  • The following three are for the group.

  • The last three are for others.

Each permission is represented by either a letter (r, w, x) or a dash (-) indicating the absence of a permission.

Changing Permissions

To modify permissions, Linux provides the chmod command:

  • Symbolic Mode: chmod u+w file.txt adds write permission to the user (owner).

  • Numeric Mode: chmod 755 file.txt sets the permissions using numbers (7 for owner, 5 for group, 5 for others). Here’s a breakdown of the values:

    • 4 = Read

    • 2 = Write

    • 1 = Execute

The combination of these values defines specific permissions. For example, 7 (4+2+1) grants full access (read, write, execute).

Changing Ownership

Linux also allows changing the ownership of files and directories:

  • chown: Changes the file owner, e.g., chown user file.txt.

  • chgrp: Changes the group ownership, e.g., chgrp group file.txt.

Practical Example

For a file with -rwxr-xr-- permissions:

  • The owner has read, write, and execute permissions.

  • The group has read and execute permissions.

  • Others have read-only access.

Access Control Lists (ACLs) in Linux provide a more flexible way to assign permissions to files and directories, allowing you to specify access rights for individual users and groups beyond the standard owner-group-others model. Here's a guide to creating a directory, setting ACLs for specific users and groups, and verifying those permissions using getfacl and setfacl.

Step 1: Create a Directory

mkdir acl_example

Step 2: Set ACL Permissions

  1. Granting Permissions to a User: Use the setfacl command to specify permissions for an individual user on the directory.

     setfacl -m u:username:rwx acl_example

    Here:

    • -m specifies a modification.

    • u:username:rwx assigns read, write, and execute permissions to the user username on the acl_example directory.

  2. Granting Permissions to a Group: Similarly, you can assign permissions to a group.

     setfacl -m g:groupname:rx acl_example

    This command gives the group groupname read and execute permissions on the directory.

  3. Setting Default ACLs: If you want all new files and subdirectories within acl_example to inherit specific ACLs, use the -d flag.

     setfacl -dm u:username:rwx acl_example

    This sets default permissions for the user on new files and directories created within acl_example.

  4. Removing an ACL: If you need to remove ACL permissions, use the -x option.

     setfacl -x u:username acl_example

Step 3: Verify Permissions

Use getfacl to check the current ACL permissions on the directory:

getfacl acl_example

This command displays ACL entries for the directory, including any user-specific and group-specific permissions you've set.

Example Walkthrough

  1. Create a directory and verify its initial permissions:

     mkdir acl_example
 ls -ld acl_example

  2. Grant read, write, and execute permissions to user alice and read and execute permissions to group developers:

     setfacl -m u:alice:rwx acl_example
 setfacl -m g:developers:rx acl_example

  3. Set default ACLs to allow bob read-only access to any new files within the directory:

     setfacl -dm u:bob:r acl_example

  4. Verify all ACL entries:

     getfacl acl_example

This will display a list of permissions for alice, developers, and the default ACLs for bob.

Explanation of ACL Commands

  • setfacl: Modifies ACL entries for a file or directory.

    • -m for adding or modifying permissions.

    • -x for removing permissions.

    • -d for setting default ACLs.

  • getfacl: Displays the ACLs for a file or directory, showing all the defined permissions for specific users and groups.

ACLs provide enhanced control over permissions in Linux, especially useful in multi-user environments where permissions need to be finely tuned for specific users or groups.

Sure! Below are two scripts: one for changing file permissions in a directory based on user input, and another for setting ACL (Access Control List) permissions for a user on a specified file.

Script 1: Change Permissions for Multiple Files in a Directory

This script will change the permissions of all files in a specified directory based on user input.

#!/bin/bash

# Ask for the directory and permission mode
read -p "Enter the directory path: " directory
read -p "Enter the permission mode (e.g., 755, 644): " mode

# Check if the directory exists
if [ ! -d "$directory" ]; then
  echo "Directory does not exist."
  exit 1
fi

# Change permissions for all files in the directory
chmod -R "$mode" "$directory"

echo "Permissions changed to $mode for all files in $directory."

Script 2: Set ACL Permissions for a User on a Given File

This script will set ACL permissions for a specified user on a given file.

#!/bin/bash

# Ask for the file, user, and permissions
read -p "Enter the file path: " file
read -p "Enter the username: " username
read -p "Enter the permission type (e.g., read, write, execute): " permission

# Check if the file exists
if [ ! -f "$file" ]; then
  echo "File does not exist."
  exit 1
fi

# Set the ACL permission for the user
setfacl -m u:"$username":"$permission" "$file"

echo "ACL permission '$permission' granted to user '$username' on file '$file'."

Usage Instructions

  1. Save each script in a file (e.g., change_permissions.sh and set_acl.sh).

  2. Make the scripts executable:

     chmod +x change_permissions.sh
 chmod +x set_acl.sh

  3. Run the scripts:

     ./change_permissions.sh
 ./set_acl.sh

Notes

  • The first script uses chmod to change file permissions.

  • The second script uses setfacl, which requires ACL support in the filesystem.

  • Ensure you have the necessary permissions to change file modes or set ACLs.

  • You might need to run these scripts with sudo for certain operations, depending on your system configuration.

In Linux, sticky bit, SUID (Set User ID), and SGID (Set Group ID) are special permissions that provide additional control over file and directory access. Here’s an overview of each, along with example scenarios to demonstrate their usage.

1. Sticky Bit

The sticky bit is a permission setting primarily used on directories. When set on a directory, it ensures that only the owner of a file within that directory (or the root user) can delete or modify the file, regardless of the directory’s write permissions.

Example of Sticky Bit

  1. Create a directory and make it writable for everyone:

     mkdir /tmp/sticky_dir
 chmod 777 /tmp/sticky_dir

  2. Apply the sticky bit using the chmod command:

     chmod +t /tmp/sticky_dir

  3. Verify the sticky bit:

     ls -ld /tmp/sticky_dir

    The directory permissions will display as drwxrwxrwt, where t at the end signifies the sticky bit.

Significance

With the sticky bit set, only the file owner can delete or rename their files within sticky_dir, even though all users have write access. This is commonly used in shared directories like /tmp to prevent users from deleting or renaming each other's files.

2. SUID (Set User ID)

SUID is a special permission set on executables that allows users to run the executable with the file owner's permissions (often root) rather than with the user's own permissions. This is useful for programs that require elevated privileges to perform specific tasks, like passwd, which needs root access to modify password files.

Example of SUID

  1. Create an executable script:

     sudo bash -c 'echo -e "#!/bin/bash\necho Hello, I am running as root!" > /usr/local/bin/suid_script'
 sudo chmod 755 /usr/local/bin/suid_script

  2. Set the SUID bit:

     sudo chmod u+s /usr/local/bin/suid_script

  3. Verify SUID permissions:

     ls -l /usr/local/bin/suid_script

    The permissions should show -rwsr-xr-x, where s in the user section indicates the SUID bit.

  4. Run the script as a normal user:

     /usr/local/bin/suid_script

    The script will run with root privileges, demonstrating the effect of SUID.

Significance

SUID allows specific programs to be run with elevated permissions, which is crucial for system utilities that require root privileges to perform essential functions. However, it should be used carefully, as it can be a security risk if applied to non-essential executables.

3. SGID (Set Group ID)

SGID is a permission setting that affects both files and directories. When set on a directory, it ensures that any new files or subdirectories created within inherit the group ownership of the parent directory, rather than the primary group of the user who created the file. When set on an executable file, it allows users to run the file with the group privileges of the file’s group owner.

Example of SGID on a Directory

  1. Create a directory and set group ownership:

     sudo mkdir /opt/sgid_dir
 sudo chown :developers /opt/sgid_dir
 sudo chmod 770 /opt/sgid_dir

  2. Apply the SGID bit:

     sudo chmod g+s /opt/sgid_dir

  3. Verify SGID permissions:

     ls -ld /opt/sgid_dir

    The permissions should show drwxrws---, where s in the group section indicates the SGID bit.

  4. Test group inheritance:

    • Switch to a user who is a member of the developers group.

    • Create a file in /opt/sgid_dir and check its group ownership. It should inherit the group developers.

Significance

SGID is useful in collaborative environments where files need to retain consistent group ownership. By setting SGID on a shared directory, all files created within will have the same group, simplifying permission management.

Summary Table

PermissionUsageExample CommandExplanation
Sticky BitControls file deletion in shared directorieschmod +t <directory>Only file owners can delete their files in the directory, often used for /tmp.
SUIDRun executables with file owner’s permissionschmod u+s <file>Allows users to execute files with the file owner's privileges, typically for system tasks.
SGIDConsistent group ownership in directorieschmod g+s <directory>Ensures files created in the directory inherit the parent directory’s group ownership.

Here’s how you can create two scripts: one to back up file permissions and another to restore them. These scripts use getfacl to capture the permissions, which includes standard permissions and ACL (Access Control List) information.

Script 1: Backup Permissions

This script backs up the current permissions of files in a specified directory and saves them to a backup file.

#!/bin/bash

# Usage: ./backup_permissions.sh <directory> <backup_file>
directory=$1
backup_file=$2

if [ -z "$directory" ] || [ -z "$backup_file" ]; then
    echo "Usage: ./backup_permissions.sh <directory> <backup_file>"
    exit 1
fi

# Check if directory exists
if [ ! -d "$directory" ]; then
    echo "Error: Directory $directory does not exist."
    exit 1
fi

# Backup permissions using getfacl
getfacl -R "$directory" > "$backup_file"
echo "Permissions for files in $directory have been backed up to $backup_file"

Explanation:

  • getfacl -R <directory> recursively captures the ACL permissions for all files in the directory.

  • The output is redirected to backup_file, which serves as the permissions backup file.

Script 2: Restore Permissions

This script restores permissions from the backup file to the files in the specified directory.

#!/bin/bash

# Usage: ./restore_permissions.sh <backup_file>
backup_file=$1

if [ -z "$backup_file" ]; then
    echo "Usage: ./restore_permissions.sh <backup_file>"
    exit 1
fi

# Check if backup file exists
if [ ! -f "$backup_file" ]; then
    echo "Error: Backup file $backup_file does not exist."
    exit 1
fi

# Restore permissions using setfacl
setfacl --restore="$backup_file"
echo "Permissions have been restored from $backup_file"

Explanation:

  • setfacl --restore=<backup_file> applies the permissions stored in the backup file to the files and directories.

  • This command will recreate the original permissions for each file and directory listed in the backup file.

Usage

  1. Backup: Run the first script to back up permissions.

     ./backup_permissions.sh /path/to/directory /path/to/backup_file.acl

  2. Restore: Run the second script to restore permissions.

     ./restore_permissions.sh /path/to/backup_file.acl
0
Subscribe to my newsletter

Read articles from Anirban Banerjee directly inside your inbox. Subscribe to the newsletter, and don't miss out.

linux-active-control-listsLinuxlinux file permissions

Written by

Anirban Banerjee
Anirban Banerjee