Linux File Permissions and Access Control Lists


#90DaysofDevOps Challenge - Day 6


File permissions are core to the security model used by Linux systems. They determine who can access files and directories on a system and how.

This article provides an overview of Linux file permissions, how they work, and how to change them.

Linux File Ownership

Every file and directory on a Linux system has 3 types of owner, given below.

  1. User

    A user is the owner of the file. By default, the person who created a file becomes its owner. Hence, a user is also sometimes called an owner.

  2. Group

    A user group can contain multiple users. All users belonging to a group have the same group permissions on the file. You could add all users to a group and assign group permissions to files such that only members of this group, and no one else, can read or modify the files.

  3. Other

    Any other user who has access to a file. This person has neither created the file nor belongs to a user group that could own the file. Practically, it means everybody else. Hence, when you set the permission for others, it is also referred to as set permissions for the world.

Linux File Permissions

Every file and directory in the Linux system has the following 3 permissions defined for all the 3 owners discussed above.

  1. Read (r): The read permission allows you to open and read the content of a file. But you can't do any editing or modification in the file.

  2. Write (w): The write permission allows you to edit, remove or rename a file. For instance, if a file is present in a directory, and write permission is set on the file but not on the directory, then you can edit the content of the file but can't remove, or rename it.

  3. Execute (x): In a Linux-type system, you can't run or execute a program unless execute permission is set.

To check the file permissions in Linux (with examples):

[user@vm-test2 devops-zero-hero]$ ls -la

Take -rw-rw-r-- as an example: this string is what tells us the Linux permissions given to the owner, user group and others.

The first character, -, indicates a regular file; for a directory, d would be shown instead. The remaining nine characters come in three groups of three (user, group, others) and are easy to remember:

r = read permission
w = write permission
x = execute permission
- = no permission

By design, many Linux distributions like Fedora, CentOS, Ubuntu, etc. add each user to a group with the same name as the user name. Thus, a user 'user' is added to a group named 'user'.

Changing file/directory permissions in Linux Using the ‘chmod’ command

We can use the chmod command, which stands for 'change mode'. With it we can set permissions (read, write, execute) on a file or directory for the owner, group and others.

There are 2 ways to use the chmod command:

  1. Absolute mode

  2. Symbolic mode

Absolute(Numeric) Mode in Linux

In this mode, file permissions are represented not as characters but as a three-digit octal number, one digit each for the user, group and others. Each digit is the sum of the permissions granted: read = 4, write = 2, execute = 1 (so rw- is 6, r-- is 4 and rwx is 7).

Let’s see the chmod permissions command in action.

[user@vm-test2 devops-zero-hero]$ ls -la file2.txt

The current permission of the file above is 664, so there is no permission to execute it, only to read and write.

Below, we change the permissions of this file to 764:

[user@vm-test2 devops-zero-hero]$ chmod 764 file2.txt

Now the owner of this file has permission to execute this file.

This is how you can change permissions on a file in Linux by assigning an absolute number.
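As an added example (my own script, not code from the original article), here is a small POSIX sh helper that converts between the nine-character rwx string shown by ls -l and the three-digit octal mode used by chmod in absolute mode. It handles every combination, not just the 664 and 764 used above; the function names rwx_to_octal and octal_to_rwx are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article): convert between the 9-character
# rwx string shown by ls -l and the 3-digit octal mode used by chmod.
# Per owner class: r = 4, w = 2, x = 1, summed. The setuid, setgid and
# sticky bits (shown as s/t by ls) are outside the scope of this helper.

# rwx_to_octal rw-rw-r--  ->  664
rwx_to_octal() {
    s=$1
    [ "${#s}" -eq 9 ] || { echo "expected 9 characters, got '$s'" >&2; return 1; }
    result=""
    for start in 1 4 7; do                         # user, group, other triads
        triad=$(printf '%s' "$s" | cut -c"$start"-"$((start + 2))")
        n=0
        case $triad in r??) n=$((n + 4)) ;; esac   # read bit
        case $triad in ?w?) n=$((n + 2)) ;; esac   # write bit
        case $triad in ??x) n=$((n + 1)) ;; esac   # execute bit
        result="$result$n"
    done
    printf '%s\n' "$result"
}

# octal_to_rwx 764  ->  rwxrw-r--
octal_to_rwx() {
    m=$1
    case $m in
        [0-7][0-7][0-7]) ;;
        *) echo "expected 3 octal digits, got '$m'" >&2; return 1 ;;
    esac
    out=""
    # split "764" into "7 6 4" and decode each digit into its r, w, x characters
    for d in $(printf '%s' "$m" | sed 's/./& /g'); do
        case $d in [4-7])       out="${out}r" ;; *) out="${out}-" ;; esac
        case $d in 2|3|6|7)     out="${out}w" ;; *) out="${out}-" ;; esac
        case $d in 1|3|5|7)     out="${out}x" ;; *) out="${out}-" ;; esac
    done
    printf '%s\n' "$out"
}

# Demonstration with the article's two modes.
rwx_to_octal rw-rw-r--
octal_to_rwx 764
```

Paste the functions into a shell and call them directly; because they only do string processing, they also work when you are reading a mode out of an audit log rather than off a live file.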

Symbolic Mode in Linux

In absolute mode, you set the permissions for all 3 owners at once. In symbolic mode, you can modify the permissions of a specific owner, using the operators + (add a permission), - (remove a permission) and = (set exactly these permissions).

Understanding Linux Permissions and chmod Usage

Changing the permission using symbolic mode:

Setting the permissions of 'other' to read, write and execute:

[user@vm-test2 devops-zero-hero]$ chmod o=rwx file2.txt

Adding execute permission for the group and removing read permission for the user:

[user@vm-test2 devops-zero-hero]$ chmod g+x file2.txt 
[user@vm-test2 devops-zero-hero]$ chmod u-r file2.txt
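Putting the absolute and symbolic steps of this section together, the following added example (my own script, not the article's) runs each chmod from above on a scratch copy of file2.txt in a temporary directory and prints the mode after each step, so the difference between = and +/- is visible. It also flags a mode that leaves the file world-writable, which o=rwx does; the function names perm_string, is_world_writable and chmod_walkthrough are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article): walk through the article's chmod
# steps on a scratch file and show the mode after each one. Assumes a POSIX
# sh with ls, cut and mktemp; the name file2.txt mirrors the article.

# Print the 10-character mode field of a path, e.g. -rw-rw-r--
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Report whether a 10-character mode string grants write to 'other'.
# A world-writable file can be modified by every account on the system.
is_world_writable() {
    case $1 in
        ????????w?) echo yes ;;
        *)          echo no ;;
    esac
}

# Apply each chmod from the article in turn and print the resulting mode,
# one per line, in the order applied.
chmod_walkthrough() {
    dir=$(mktemp -d) || return 1
    f="$dir/file2.txt"
    : > "$f"
    chmod 664 "$f";   perm_string "$f"   # starting point: rw for user and group, r for other
    chmod 764 "$f";   perm_string "$f"   # absolute mode: user gains x (7 = 4+2+1)
    chmod o=rwx "$f"; perm_string "$f"   # symbolic '=': other set to exactly rwx (now world-writable)
    chmod g+x "$f";   perm_string "$f"   # symbolic '+': group gains x, nothing else changes
    chmod u-r "$f";   perm_string "$f"   # symbolic '-': user loses r, keeps w and x
    rm -rf "$dir"
}

# Demonstration: print each mode and whether it is world-writable.
chmod_walkthrough | while read -r mode; do
    printf '%s  world-writable: %s\n' "$mode" "$(is_world_writable "$mode")"
done
```

Note that after chmod u-r the owner can no longer read the file even though 'other' still can; symbolic mode changes only the class you name, which is why it is the safer choice when you want to adjust one owner without touching the rest.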

Changing Ownership and Group in Linux

For changing the ownership of a file/directory, you can use the following command:

chown user <filename>

In case you want to change the user as well as the group for a file or directory use the command:

chown user:group <filename>

To change the file owner to 'devops2':

chown devops2 <filename>

To keep the 'devops2' user and change the group to 'root':

chown devops2:root <filename>

In case you want to change the group owner only, use the command:

chgrp group_name <filename>

chgrp stands for change group.

Some Tips

  • The file /etc/group contains all the groups defined in the system.

  • You can use the command groups to find all the groups you are a member of.

  • You can use the command newgrp to work as a member of a group other than your default group.

  • You cannot have 2 groups owning the same file.

  • You do not have nested groups in Linux. One group cannot be a sub-group of another.

  • Execute (x) on a directory means being allowed to "enter" the directory and gain possible access to its sub-directories.

Summary:

  • Linux, being a multi-user system, uses permissions and ownership for security.

  • There are three user types on a Linux system viz. User, Group and Other.

  • Linux divides the file permissions into read, write and execute denoted by r,w, and x.

  • The permissions on a file can be changed with the chmod command, which can be used in absolute or symbolic mode.

  • The chown command can change the ownership of a file/directory.

  • The chgrp command can change group ownership.

What is ACL?

An Access Control List (ACL) is designed to assist with Linux file permissions. ACLs allow you to give permissions to any user or group on any disk resource.

ACLs provide a more flexible permission mechanism in Linux.

From the Linux man pages: ACLs are used to define more fine-grained discretionary access rights for files and directories.

setfacl and getfacl are used for setting and showing ACLs respectively.

To check ACL permission:

getfacl <filename>

[root@vm-test2 devops-zero-hero]# getfacl test-dir_1/testfile1.txt

To add an ACL permission:

setfacl -m "u:user:permissions" /path/to/file

[root@vm-test2 devops-zero-hero]# setfacl -m u:devops1:rwx test-dir_1/testfile1.txt

The two commands above check the ACL of a file and then add a new rwx entry for the 'devops1' user on the same file.

Using Default ACLs:

A default ACL is a special kind of ACL assigned to a directory. It does not change the permissions of the directory itself; instead, the specified ACL entries are applied by default to all files created inside it.

Let's demonstrate it: first, we create a directory and assign a default ACL to it using the -d option:

[root@vm-test2 devops-zero-hero]# mkdir newfolder2 && setfacl -d -m u:devops2:rw newfolder2
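To verify that a default ACL is actually inherited, here is an added shell example (not part of the original post). It sets a default ACL on a temporary directory, creates a file inside it and reads the inherited entry back with getfacl. It uses a numeric uid (65534, a constructed value) instead of the devops2 account so it runs on any machine, and reports unsupported when the acl tools or filesystem support are missing; the function name default_acl_inheritance is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the article): show that a default ACL on a
# directory is inherited by files created inside it. Uses a numeric uid
# (65534 by default, a constructed value) so no named account is required.

# Print the inherited ACL entry for UID on a fresh child file, e.g.
# "user:65534:rw-", or "unsupported" when ACLs cannot be exercised here.
default_acl_inheritance() {
    uid=${1:-65534}
    if ! command -v setfacl >/dev/null 2>&1 || ! command -v getfacl >/dev/null 2>&1; then
        echo unsupported
        return 0
    fi
    dir=$(mktemp -d) || return 1
    # Default ACL (-d) on the directory, mirroring the article's
    # setfacl -d -m u:devops2:rw newfolder2. Fails if the filesystem has no ACL support.
    if ! setfacl -d -m "u:$uid:rw" "$dir" 2>/dev/null; then
        rm -rf "$dir"
        echo unsupported
        return 0
    fi
    : > "$dir/child.txt"                  # new file: inherits the default ACL
    # -n prints numeric ids so the output is the same whether or not the uid has a name;
    # the entry for our uid is the proof that inheritance happened.
    getfacl -n "$dir/child.txt" 2>/dev/null | grep "^user:$uid:"
    rm -rf "$dir"
}

# Demonstration with the default uid.
default_acl_inheritance
```

When the entry is printed, check getfacl's full output too: if a mask entry is narrower than rw-, the line carries an #effective comment and the user gets less than the default ACL promised. That mask is why a default ACL should always be checked on a created file rather than assumed from the directory.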

Understanding Linux file permissions (how to find them, read them, and change them) is an important part of maintaining and securing your systems.