Linux: Advanced permissions settings
While the default permissions in Linux may not be as fine-grained as those in Windows, they are certainly easier to set up (and arguably to get correct).[2]
However, there may be situations where we want the more fine-grained, Windows-style permissions: for example, allowing specific users to execute a file in a given way. This can get complex with the traditional User, Group, World permission levels, as we need to start managing large numbers of groups.[1]
While you might not see ACLs that often, it's worth being aware of them.
Access Control Lists
You should be familiar with ACLs (access control lists) from networking. They give us another way to control a user's (or group's) access to resources, outside of the usual User, Group, World (UGW) context.
If there is an ACL applied to a file or directory, the output of ls -l will have a plus symbol (+) at the end of the permissions string:
dang@a152285ced23:~$ ls -l
total 4
drwxr-x---+ 2 dang students 4096 Feb 7 10:34 ACL_Demo
We can view the current ACL permissions using the getfacl command:
dang@a152285ced23:~$ getfacl ACL_Demo/
# file: ACL_Demo/
# owner: dang
# group: students
user::rwx
group::r-x
other::---
default:user::rwx
default:user:adam:rwx
default:group::r-x
default:mask::rwx
default:other::---
We can set permissions using the setfacl command. (See the Arch Wiki for a description of the flags.)
ACLs can be interesting to us, as they mean we might be able to access files outside of our normal User or Group limitations.
While find can show us files we have access to, on a large system the signal-to-noise ratio is going to be poor.
Instead we can use the getfacl command with the recursive option (-R), together with -s to skip files that only have the base UGW entries:
$ getfacl -Rs / 2>/dev/null
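The output of such a recursive getfacl run is easier to audit with a small parser. The following is an added example, not code from the article: it splits getfacl output into per-file blocks, applies the mask:: entry (which caps named users, named groups and the owning group, so an entry of rwx can still be effectively read-only) and lists where a named user or group effectively has write access. The sample output is constructed, modelled on the ACL_Demo listing.

```python
# Constructed sample modelled on the article's ACL_Demo listing; the second file
# has a mask tighter than its named entry, so adam's rwx is effectively read-only.
SAMPLE = """\
# file: home/dang/ACL_Demo
# owner: dang
# group: students
user::rwx
user:adam:rwx
group::r-x
mask::rwx
other::---
default:user:adam:rwx

# file: home/dang/ACL_Demo/bleh.txt
# owner: adam
# group: adam
user::rw-
user:adam:rwx
group::r-x
mask::r--
other::---
"""

def parse_getfacl(text):
    """Return [(path, [(tag, qualifier, perms, is_default), ...]), ...]."""
    blocks = []
    for block in text.strip().split("\n\n"):  # getfacl separates files by a blank line
        lines = block.splitlines()
        path = lines[0][len("# file: "):]
        entries = []
        for line in lines:
            if line and not line.startswith("#"):
                # "default:user:adam:rwx" and "user::rwx" both end in tag:qualifier:perms
                tag, qualifier, perms = line.split(":")[-3:]
                entries.append((tag, qualifier, perms, line.startswith("default:")))
        blocks.append((path, entries))
    return blocks

def effective_rights(entries):
    """Effective perms of entries subject to the mask (owner and other are not masked)."""
    mask = next((p for t, _, p, d in entries if t == "mask" and not d), "rwx")
    return {(t, q): "".join(c if c != "-" and c == m else "-" for c, m in zip(p, mask))
            for t, q, p, d in entries
            if not d and (t == "group" or (t == "user" and q))}

def entries_with_write(text):
    """Paths where a named user or group can effectively write."""
    return [(path, t, q, perms)
            for path, entries in parse_getfacl(text)
            for (t, q), perms in effective_rights(entries).items()
            if q and "w" in perms]
```

Feed it the saved output of getfacl -Rs / 2>/dev/null to get a short list of files where someone outside the owner/group gets write access through an ACL.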
ACL Demo
Let's take a quick look at how an ACL might work:
- We have a user dang who is the owner of a folder
- We have a group students who are able to view the contents of the folder
- No one else should be able to access the folder.
This part is pretty simple to set up:
- Give the dang user RWX permissions
- Give the students group RX permissions[3]
- Set no world permissions
dang@a152285ced23:~$ ls -l
total 4
drwxr-x--- 2 dang students 4096 Feb 7 10:19 ACL_Demo
We could also take a look at the current ACL for the folder:
dang@a152285ced23:~$ getfacl ACL_Demo/
# file: ACL_Demo/
# owner: dang
# group: students
user::rwx
group::r-x
other::---
Now let's complicate things. Imagine we have a new user adam who also needs to be able to both read and write files.
Under the regular permissions system this becomes impossible, as we would need to allocate roles to more than one user and group at the same time.
With our current settings we get a permission denied when we try to access the folder:
adam@a152285ced23:/home/dang$ ls -l ACL_Demo/
ls: cannot open directory 'ACL_Demo/': Permission denied
So let's now use an ACL to give adam RWX permissions and check that they worked.
Note: here we set the permissions twice. The first call applies the ACL to the folder itself. The second call, setfacl -d, sets the "default" permissions, which means the ACL entries will be inherited by newly created files and folders.
#Set current permissions
dang@a152285ced23:~$ setfacl -m adam:rwx ACL_Demo/
#Set permissions to inherit.
dang@a152285ced23:~$ setfacl -d -m adam:rwx ACL_Demo/
# Then List the new permissions
dang@a152285ced23:~$ getfacl ACL_Demo/
# file: ACL_Demo/
# owner: dang
# group: students
user:adam:rwx
group::r-x
mask::rwx
other::---
default:user::rwx
default:user:adam:rwx
default:group::r-x
default:mask::rwx
default:other::---
We can see that even though the adam user has none of the "traditional" permissions assigned, they can still access and write to the folder.
adam@a152285ced23:/home/dang$ ls -l
total 4
drwxrwx---+ 2 dang students 4096 Feb 7 10:34 ACL_Demo
adam@a152285ced23:/home/dang$ echo Bleh > ACL_Demo/bleh.txt
adam@a152285ced23:/home/dang$ ls -l ACL_Demo/
total 16
-rw-r--r-- 1 dang dang 8 Feb 7 10:35 bar
-rw-r--r-- 1 dang dang 8 Feb 7 10:35 baz
-rw-rw----+ 1 adam adam 5 Feb 7 12:20 bleh.txt
-rw-r--r-- 1 dang dang 9 Feb 7 10:35 foo
adam@a152285ced23:/home/dang$
Summary
In this article we have looked at some of the advanced options for setting permissions in Linux.
ACLs give us the ability to assign permissions to users that are not part of the usual Owner and Group set. While they are not that common, it can be worth checking for any ACLs to catch corner cases in permissions.
[1] You could argue that this is a corner case; most situations won't need this kind of complex permission setting.
[2] You might also argue that while Windows gives you the option to do this by default, it's not actually "easier" to do. The trade-off between security, simplicity and usability comes into play here.
[3] Remember we need eXecute permissions to view the contents of the folder.