Day 6: File Permissions and Access Control Lists
Day6 of #90DaysofDevops challenge
In Linux, file permissions are a crucial aspect of ensuring that your files are secure and can only be accessed or modified by authorized users.
In this blog, we will explain what file permissions are, how they work, and provide some examples to illustrate how they can be used.
Linux file ownership
In Linux, there are three types of file owners: the user owner, the group owner, and the other (or world) owner.
User owner
The user owner is the person who created the file or directory and has complete control over the file. The user owner can read, write, and execute the file, as well as change the permissions and ownership of the file.
Group owner
The group owner is a collection of users who have similar permissions for accessing the file or directory. The group owner can be changed by the user owner, but only members of the group can be assigned as group owners.
Other
The other owner, also known as the world owner, refers to all other users who are not the user owner or group owner.
Linux File Permissions
File permissions are represented using a 10-character string, where the first character represents the file type (file, directory, or link), and the next nine characters represent the file permissions.
The nine characters are divided into three groups, with each group representing the permissions for the owner, group, and other users, respectively. Within each group, the three characters represent read, write, and execute permissions, in that order.
The letters used to represent these permissions are as follows:
r: read permission
w: write permission
x: execute permission
-: no permission
We can view the permissions of files and folders using a long listing (ls -l) or by other options on a Linux terminal.
In the output above, d represents a directory and - represents a regular file.
Chmod
The chmod command is used to change the permissions of a file or directory. It can be used in various ways, depending on whether you want to add or remove permissions, and whether you want to change the permissions for the owner, group, or other users.
Syntax of chmod:
chmod permissions filename
We can change permissions using two modes:
Symbolic mode: this method uses symbols like u, g, o to represent users, groups, and others. Permissions are represented as r, w, x for read, write and execute, respectively. You can modify permissions using +, - and =.
Absolute mode: this method represents permissions as 3-digit octal numbers, with each digit ranging from 0 to 7.
How to Change Permissions using Symbolic Mode
The table below summarizes the user representation:
USER REPRESENTATION | DESCRIPTION |
u | user/owner |
g | group |
o | other |
We can use mathematical operators to add, remove, and assign permissions. The table below shows the summary:
OPERATOR | DESCRIPTION |
+ | Adds permission to a file or directory |
- | Removes the permission |
= | Sets permission if not present before. Also overrides the permissions if set earlier. |
Example:
Suppose I have a script and I want to make it executable for the owner of the file.
Current file permissions are as follows:
Let's give execute (x) permission to the user:
chmod u+x mymotd.sh
Output:
How to Change Permissions using Absolute Mode
The absolute mode uses numbers to represent permissions and mathematical operators to modify them.
The below table shows how we can assign relevant permissions:
PERMISSION | PROVIDE PERMISSION |
read | add 4 |
write | add 2 |
execute | add 1 |
Permissions can be revoked using subtraction. The below table shows how you can remove relevant permissions.
PERMISSION | REVOKE PERMISSION |
read | subtract 4 |
write | subtract 2 |
execute | subtract 1 |
Example:
- Set read (add 4) for user, read (add 4) and execute (add 1) for group, and only execute (add 1) for others.
chmod 451 file-name
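The 10-character permission string and the add-4/2/1 arithmetic describe the same bits, and the shell functions below convert one into the other and confirm it against a real file after chmod 451 and chmod u+x. This is an added example, not part of the original post; the function names perm_to_octal, mode_of and demo are illustrative, and only the characters r, w, x and - are handled.

```shell
#!/bin/sh
# Added example (not from the original post): map an ls -l permission
# string to the octal value used by chmod's absolute mode.

perm_to_octal() {                 # perm_to_octal "-r--r-x--x" prints 451
    perms=$1
    [ "${#perms}" -eq 10 ] || { echo "expected 10 characters" >&2; return 1; }
    rest=${perms#?}               # drop the file-type character (d, -, l)
    octal=""
    for who in user group other; do
        triad=$(printf '%s' "$rest" | cut -c1-3)
        rest=$(printf '%s' "$rest" | cut -c4-)
        case $triad in            # only r, w, x and - are handled here
            [r-][w-][x-]) ;;
            *) echo "unsupported $who permissions: $triad" >&2; return 1 ;;
        esac
        digit=0
        case $triad in r??) digit=$((digit + 4)) ;; esac   # read    = 4
        case $triad in ?w?) digit=$((digit + 2)) ;; esac   # write   = 2
        case $triad in ??x) digit=$((digit + 1)) ;; esac   # execute = 1
        octal=$octal$digit
    done
    echo "$octal"
}

mode_of() {                       # octal mode of an existing file or directory
    perm_to_octal "$(ls -ld -- "$1" | cut -c1-10)"
}

demo() {                          # absolute mode, then symbolic mode, on a temp file
    dir=$(mktemp -d) || return 1
    f=$dir/mymotd.sh
    : > "$f"
    chmod 451 "$f"; before=$(mode_of "$f")
    chmod u+x "$f"; after=$(mode_of "$f")   # owner goes from r-- (4) to r-x (5)
    rm -rf "$dir"
    echo "$before $after"
}

demo
```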
Chown
The chown command is used to change the owner of a file or directory. You need to have root privileges to change the owner of a file that you don't own.
Syntax of chown:
chown user filename
Example:
Let's transfer the ownership from user KunalMaurya to user Maurya.
sudo chown Maurya backup.sh
Chgrp
The chgrp command is used to change the group ownership of a file or directory. You need to have root privileges to change the group ownership of a file that you don't own.
Example:
$ chgrp group example.txt
Output:
- The group ownership of example.txt is changed to group.
Access control lists
Access control lists (ACLs) in Linux are a set of permissions that can be applied to a file or directory to grant or restrict access to it for specific users or groups. While traditional Linux file permissions (user, group, and other) only allow for basic access control, ACLs provide more granular control over file access.
ACLs are implemented using a set of rules that are associated with each file or directory. These rules specify which users or groups have what level of access to the file or directory. There are two types of ACLs in Linux:
Basic ACLs: These are the traditional UNIX-style permissions (read, write, execute) that are associated with each file or directory.
Extended ACLs: These provide additional permissions beyond the basic permissions. These permissions include things like setting file attributes, setting file ownership, and setting the maximum size of a file.
getfacl
getfacl: This command is used to display the ACLs associated with a file or directory. Here's an example:
setfacl
setfacl: This command is used to modify or remove the ACLs associated with a file or directory.
-m: modify ACLs
-x: remove ACLs
-b: remove all ACLs
Example:
setfacl -m: This command is used to modify the ACLs associated with a file or directory. Here's an example:
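The -m, -x and -b options and getfacl can be exercised together on a temporary file, as in this added example (not from the original post). The names acl_demo and has_acl_entry and the numeric user ID 65534 are assumptions made for illustration, and the script exits with status 77 when the ACL tools or filesystem support are missing.

```shell
#!/bin/sh
# Added example (not from the original post): grant one extra user read
# access with an ACL entry, inspect it with getfacl, then remove it.
# ACL_UID is a constructed numeric user ID; use a real user name in practice.
ACL_UID=65534

has_acl_entry() {   # has_acl_entry FILE ENTRY -> 0 if getfacl lists ENTRY
    getfacl -n -c -- "$1" 2>/dev/null | grep -qx -- "$2"
}

acl_demo() {
    command -v setfacl >/dev/null 2>&1 && command -v getfacl >/dev/null 2>&1 || {
        echo "setfacl/getfacl not installed" >&2; return 77; }
    dir=$(mktemp -d) || return 1
    f=$dir/example.txt
    : > "$f"
    chmod 640 "$f"                      # owner rw, group r, others nothing

    # -m: add an entry for one specific user on top of the mode bits
    if ! setfacl -m "u:$ACL_UID:r" "$f" 2>/dev/null; then
        rm -rf "$dir"; echo "filesystem does not support ACLs" >&2; return 77
    fi
    has_acl_entry "$f" "user:$ACL_UID:r--" || { rm -rf "$dir"; return 1; }
    getfacl -n -c -- "$f" 2>/dev/null   # lists user::, user:UID:, group::, mask::, other::
    ls -l "$f"                          # a + after the mode string marks extra ACL entries

    # -x: remove that one entry; -b: remove all extended entries
    setfacl -x "u:$ACL_UID" "$f"
    setfacl -b "$f"
    if has_acl_entry "$f" "user:$ACL_UID:r--"; then rm -rf "$dir"; return 1; fi
    rm -rf "$dir"
}

acl_demo || echo "acl_demo exited with status $?" >&2
```

When reviewing access, a + after the mode string in ls -l output means getfacl should be consulted, because the nine permission characters alone no longer describe who can reach the file.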
Thank you for reading! Hope you find this article helpful.
~Kunal