Skip to content

Linux: Advanced permissions settings

While the default permissions in Linux may not be as fine grained as those in Windows, they are certainly easier to setup (and arguably to get correct)

However, there may be some situations where we might want to take the more fine-grained Window style permissions. For example allowing specific users to execute a file in a given way. This can get complex with the traditional User, Group, World permission levels, as we need to start managing large numbers of groups1

While you might not see ACL's that often, its worth being aware of them.

Access Control Lists

You should be familiar with ACL (access control lists) from networking. They give us another way to control users (or groups of users) access to resources, outside of the usual User, Group, World (UGW) context.

If there is an ACL applied to a file or directory, the output of ls -l will have a plus symbol as part of the permissions string+ 

dang@a152285ced23:~$ ls -l
total 4
drwxr-x---+ 2 dang students 4096 Feb  7 10:34 ACL_Demo

We can view the current ACL permissions using the getfacl command

dang@a152285ced23:~$ getfacl ACL_Demo/
# file: ACL_Demo/
# owner: dang
# group: students
user::rwx
group::r-x
other::---
default:user::rwx
default:user:adam:rwx
default:group::r-x
default:mask::rwx
default:other::---

We can set permissions using the setfacl command. (See the Arch Wiki for a description of the flags.

ACL's can be interesting to us, as it means we might be able to get access to files outside of our normal User or Group limitations.

While find will can show us files we have access to, in a large system the signal to noise ratio is going to be high.

Instead we could use the getfacl command with the recursive option

$ getfacl -Rs / 2>/dev/null

ACL Demo

Lets take a quick look at how an ACL might work:

  • We have a user dang who is the owner of a folder
  • We have a group student who are able to view the contents of the folder
  • No one else should be able to access the folder.

This part is pretty simple to setup.

  • Give the dang user RWX permissions
  • Give the student group RX permissions3
  • Set No world permissions 
dang@a152285ced23:~$ ls -l
total 4
drwxr-x--- 2 dang students 4096 Feb  7 10:19 ACL_Demo

We could also take a look at the current ACL for the folder

dang@a152285ced23:~$ getfacl ACL_Demo/
# file: ACL_Demo/
# owner: dang
# group: students
user::rwx
group::r-x
other::---

Now lets complicate things. Imagine we have a new user adam who also needs to be able to both read and write files.

Under the regular permissions system this becomes impossible, as we need to allocate roles to more than one user and group at the same time.

With our current settings we get a permission denied when we try to access the folder

adam@a152285ced23:/home/dang$ ls -l ACL_Demo/
ls: cannot open directory 'ACL_Demo/': Permission denied

So lets now use an ACL to give Adam RWX permissions and check they worked.

Note

Here we set the permissions twice. The first time applies the ACL to the folder.

The second call to setfacl -d sets the "default" permissions. This means that the ACL settings will be inherited by newly created files and folders.

#Set current permissions
dang@a152285ced23:~$ setfacl -m  adam:rwx ACL_Demo/

#Set permissions to inherit.
dang@a152285ced23:~$ setfacl -d -m  adam:rwx ACL_Demo/


# Then List the new permissions

dang@a152285ced23:~$ getfacl ACL_Demo/
# file: ACL_Demo/
# owner: dang
# group: students
user:adam:rwx
group::r-x
mask::rwx
other::---
default:user::rwx
default:user:adam:rwx
default:group::r-x
default:mask::rwx
default:other::---

We can see that now even though the Adam user has none of the "traditional" permissions assigned, they can still access and write to the folder.

adam@a152285ced23:/home/dang$ ls -l
total 4
drwxrwx---+ 2 dang students 4096 Feb  7 10:34 ACL_Demo

adam@a152285ced23:/home/dang$ echo Bleh > ACL_Demo/bleh.txt
adam@a152285ced23:/home/dang$ ls -l ACL_Demo/
total 16
-rw-r--r--  1 dang dang 8 Feb  7 10:35 bar
-rw-r--r--  1 dang dang 8 Feb  7 10:35 baz
-rw-rw----+ 1 adam adam 5 Feb  7 12:20 bleh.txt
-rw-r--r--  1 dang dang 9 Feb  7 10:35 foo
adam@a152285ced23:/home/dang$

Summary

In this article we have looked at some of the advanced options for setting permissions in Linux.

ACLs give us the ability to assign permissions to users that are not part of the usual Owner and Group set. While they are not that common, It can be worth checking for any ACL's to check for any corner cases in permissions.

  1. You could argue that this is a corner case, Most situations won't need this kind of complex permission settings. 

  2. You might also argue that while Windows gives you the option to do this by default, its not actually "Easier" to do. The trade-off between security, simplicity and usability comes into play here. 

  3. Remember we need eXecute permissions to view the contents of the folder 

Back to top