File Permissions & Ownership


File permissions and ownership are crucial for system security. The commands chmod, chown, and chgrp are used to manage these aspects.
chmod (change mode)
Purpose: It is used to change the permissions of a file or directory. These permissions determine who can read, write, or execute the file.
Permissions:
Permissions are divided into three categories:
User (u): The owner of the file.
Group (g): Members of the group that owns the file.
Others (o): Everyone else.
Each category can have three types of permissions:
Read (r): Allows viewing the file's contents or listing a directory's contents.
Write (w): Allows modifying the file or adding/removing files in a directory.
Execute (x): Allows running the file as a program or entering a directory.
Notation:
chmod can use two types of notation:
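Numeric Mode: You can use a numeric mode to set permissions. Each permission (read, write, execute) is assigned a value: read (4), write (2), and execute (1). The values are added up for each category, giving one digit each for user, group, and others; for example, 7 = rwx, 6 = rw-, and 5 = r-x.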
Symbolic Mode: You can use symbolic notations to change permissions. The symbolic mode includes:
- "+" to add permissions
- "-" to remove permissions
- "=" to set permissions explicitly
- "r" for read, "w" for write, and "x" for execute
- "u" for the owner, "g" for the group, "o" for others, and "a" for all (owner, group, and others)
Commands
To list the permissions: ls -l
How to change permissions?
Symbolic Examples:
chmod u+r <file_name>     # add read permission for the owner
chmod ugo+r <file_name>   # add read permission for owner, group, and others
chmod a+rwx <file_name>   # add all permissions for all
chmod ugo-r <file_name>   # remove read permission from owner, group, and others
Numeric Examples:
sudo chmod 600 <file-name> # very restrictive (owner read/write only); used for very sensitive files
sudo chmod 777 <file-name> # grants full permissions to everyone
Note: A user can't change the permissions of files owned by other users; only the file's owner or root can.
Changing Permissions Recursively: To change permissions recursively for a directory and its contents, you can use the -R option with chmod.
chmod -R 755 directory_name
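As an added example (not part of the original article), the script below shows what a recursive 755 does to regular files: every file becomes executable, whereas the symbolic mode u=rwX,go=rX sets execute only on directories and on files that already had it. The tree and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article. File names are constructed.

# Build a small sample tree: one directory, one data file, one script.
make_tree() {
    mkdir -p "$1/docs"
    printf 'meeting notes\n' > "$1/docs/notes.txt"
    printf '#!/bin/sh\necho hello\n' > "$1/run.sh"
    chmod 700 "$1" "$1/docs" "$1/run.sh"
    chmod 600 "$1/docs/notes.txt"
}

# Print the ten-character type/permission string that ls -l shows.
perm_of() {
    ls -ld "$1" | cut -c1-10
}

# Apply a recursive mode ($1) to a fresh tree and report the resulting permissions.
demo() {
    tree=$(mktemp -d) || return 1
    make_tree "$tree"
    chmod -R "$1" "$tree"
    for p in docs docs/notes.txt run.sh; do
        printf '%-16s %s\n' "$p" "$(perm_of "$tree/$p")"
    done
    rm -rf "$tree"
}

echo "chmod -R 755:"
demo 755                 # notes.txt ends up executable
echo "chmod -R u=rwX,go=rX:"
demo u=rwX,go=rX         # notes.txt stays a plain data file
```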
chown (change owner)
Purpose: chown is used to change the ownership of a file or directory. This means changing the user and/or group that owns the file.
Usage: You can change both the user and group ownership at the same time, or just one of them.
Example 1:
sudo chown sumati playingXI
Output
Changes the owner to "sumati".
Example 2:
chown sumati:friends bowlers
Output
Changes the owner to "sumati" and the group to "friends".
chgrp (change group)
Purpose: chgrp is used to change the group ownership of a file or directory.
Usage: It specifically targets the group association of a file.
Example:
sudo chgrp rishita bowlers
Output:
Changes the group ownership to "rishita".
Relationship to chown: While chown can also change the group, chgrp provides a dedicated command for this specific task.
Access Control List - ACL
What is ACL?
ACLs are a set of permissions that can be applied to files and directories, allowing for more fine-grained control over who can access and manipulate these resources.
It allows you to give a more specific set of permissions to a file or directory without changing the base ownership and permissions.
Commands - setfacl & getfacl
Viewing ACLs: You can use the getfacl command to display the ACL for a file or directory
To modify ACLs, you can use the setfacl command.
- For adding permission for user
setfacl -m u:username:permissions /path/to/file
The -m option tells setfacl to modify the ACL of the file
In the ls -l output, a + sign after the permission bits indicates that an ACL is set on the file.
For adding permission for group
setfacl -m g:group:rwx <target_file>
To change the Primary Group Permission
setfacl -m g::rwx <file-name>
To remove a specific entry
setfacl -x u:user <target_file>
The -x option tells setfacl to remove the ACL entry for the user. The entry is named without a permission field.
setfacl -x g:swati_verma batters
- To remove all entries : setfacl -b <target_file>
- For adding permission for user in all the files inside a folder
setfacl -Rm "entry" <target_file/folder>
setfacl -Rm u:swati_verma:rw practice/
Use Case: ACL vs. chmod in a Real-World Scenario
Scenario:
Imagine you are working on a project directory (/project) that multiple users need access to, but with different levels of permissions.
The owner (you) should have full access (rwx).
The developer group should have read and write access (rw-).
A tester user (tester1) should have read-only access (r--).
Using chmod alone, you cannot grant different permissions to individual users; you can only set permissions for owner, group, and others. ACL solves this by allowing finer control.
Solution 1: Using chmod (Limited Control)
mkdir /project
chown swati:developers /project # Set owner to 'swati' and group to 'developers'
chmod 770 /project # Owner and group get full access, others get no access
Issue:
This works for the developers group, but tester1 (who is not in the developers group) cannot access the directory.
You cannot assign different permissions to individual users without changing the group structure.
Solution 2: Using ACL (Fine-Grained Control)
Step 1: Set basic permissions
chmod 770 /project # Owner and group have full access, others have no access
Step 2: Give read-only access to tester1 using ACL
setfacl -m u:tester1:r /project # Give tester1 read-only access
Step 3: Verify ACL settings : getfacl /project
Output:
# file: /project
# owner: swati
# group: developers
user::rwx
user:tester1:r-- # Custom ACL entry
group::rwx
mask::rwx
other::---
Result:
Owner (swati) → Full access (rwx)
Developers group → Full access (rwx)
Tester1 → Read-only (r--). On a directory, read allows listing its contents; entering it also requires execute (x).
✅ ACL allows you to give individual users permissions without modifying group settings.
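The getfacl output above includes a mask entry, which caps the rights of named users, named groups and the owning group. The added example below (not from the original article) goes one step beyond the scenario and computes effective permissions from getfacl text. Its sample input is constructed: the /project ACL as it would read after a later chmod 750 /project, which rewrites the mask to r-x.

```shell
#!/bin/sh
# Added example, not from the original article: effective rights under the ACL mask.

# Read getfacl text on stdin; print "entry effective-permissions" per line.
# The mask caps named users, named groups and the owning group (group::).
# It does not cap the owner (user::) or other::.
effective_acl() {
    awk -F: '
        function cap(p, m,    i, out) {      # keep a bit only if the mask has it
            for (i = 1; i <= 3; i++)
                out = out ((substr(m, i, 1) == "-") ? "-" : substr(p, i, 1))
            return out
        }
        BEGIN { n = 0 }
        /^#/ || NF < 3 { next }              # skip header comments and blank lines
        {
            sub(/[ \t]*#.*$/, "", $3)        # drop trailing "# ..." annotations
            if ($1 == "mask") { mask = $3; next }
            tag[n] = $1; who[n] = $2; perm[n] = $3; n++
        }
        END {
            for (i = 0; i < n; i++) {
                masked = (tag[i] == "group" || (tag[i] == "user" && who[i] != ""))
                eff = (masked && mask != "") ? cap(perm[i], mask) : perm[i]
                print tag[i] ":" who[i] " " eff
            }
        }'
}

# Constructed input: the /project ACL after a later "chmod 750 /project".
sample_after_chmod_750() {
    cat <<'EOF'
# file: /project
# owner: swati
# group: developers
user::rwx
user:tester1:r--
group::rwx
mask::r-x
other::---
EOF
}

sample_after_chmod_750 | effective_acl
```

On a real system, pipe getfacl /project into effective_acl to audit what each entry can actually do after any chmod on an ACL-bearing path.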
Written by Swati Verma