Traditional access permissions for files and folders in Linux distributions enables us control of granting access to files/folders and what users can do with them. Not complicated, easy to understand and crucial to working with a file system.
There are 3 types of users that can access a files: the owner of the file (OWNER), a member of a group that file is asssociated with (GROUP), and everyone else (OTHER). A user can access the file in 3 ways: READ, WRITE and EXECUTE.
If you input command “ls -l” you will get the output
Let’s break it down starting from the left column
1. Type of file “-” for files, “d” for folders, “s” socket file
2. File acess permissions for owner, group and other. Permissions are represented
by “r” read, “w” write, “x” execute. If there is a “-” that means there is no permission.
3. Flag for ACL if the file has an ACL
4. Number of links to the file
5. the name of the owner
6. the name of the group the file is associated with
7. the size of the file
8. the date and time of creation or modification
9. the name of the file
chmod : changing acess permissions
Permisions can be modified by symbolic (relative) or numeric (absolute) arguments. The person with root previleges has access to all files, regardles the owner of the file. The owner has right to modified the permissions.
“Chmod” removes (-) or adds (+) read(r), write(w) and execute(e) permissions for the users. The owner and group permissions are not affected.
The syntax of command:
chmod ugo+rwx file
UGO – User Group Other – we have to remember the “O” stands for Other not for Owner !
If we want to change permissions of “file123.txt”. Firstly I added WRITE permission
for Group and Other and secondly I removed WRITE permission for User.
The numeric argument consists of 3 octal digits 0-7. The first digit specifies permissions for the owner, the second for the group anf the third for the users.
1 – gives the specified Users EXECUTE permissions
2 – gives WRITE permissions
4 – gives READ permissions
By adding those 3 values we can modify permissions, for example 1+4=5 and 5 gives
us EXECUTE and READ permissions for a given users.
Let’s check on the example :
Examples of numeric permissions:
777 – The owner, group and other has full access Read, Write and Execute
755 – the owner RWE, the group and other RE
640 – the owner RW, the group R, the other no access to the file
chown: changing the owner of the file/folder
The syntax of command:
chown user file
chown user.group file
.group is optional if we are not going to modify the group, only user.
I can also change recursively “-R” the owner for all files in the given folder
chgrp: changing the group of the file/folder
The syntax of use:
chgrp group file
In this case I changed recursively group for all files in the MyFoler folder
There are 3 special permissions SetUID (set user ID), SetGID (set group ID) and Sticky Bits. Before I go over explanation what they do, let me explain how to manipulate them. Unfortunately “s” or “t” will not appear next to “execute” rights but instead of its. Execute flag will be covered.
If the underlying executable bit is not set, the “s” or “t” are capital “S” and “T”.
How do we modify SUID, SGID and Sticky Bits ?
We modify those parameters with “chmod”. When we type :
chmod 777 file.txt means the same as chmod 0777 file.txt
At the beginning of the permissions our “0” we set up SUID SGID and Sticky Bit.
For “4” we have SUID, for “2” we have SGID, for “1” we have Sticky Bit
Take a look at the examples :
as we see 4 activates SUID, 2 activates SGID and 1 activates Sticky Bit, 5 activates SUID and Sticky Bit, 6 activates SUID and SGID and 7 activates SUID, SGID and Sticky Bit
What SUID, SGID and Sticky Bits do for us ?
Below table clarifies everything
let’s add some SUID, SGID and Sticky Bits
ACLs are supported by default in CentOS, if not, you have to add info about that to fstab file. ACL overrules default permissions, makes permissions more granular, we may specify a particular user or a particular group and give them permissions. In other words with ACL, despite we’ve set up “no read” permission for the ‘other’, we may still allow given users grant access to the resources.
getfacl – Get File Access List
syntax of command
getfacl file – whole ACL info
getfacl u::rwx – standard permission info
u:marcin:rwx – acl for specific user
g:users:rwx – acl for specific group
setfacl – Set File Access List
syntax of command
setfacl -m u:user:rwx file
-m – modify
-b – erease ACL info
-d – set default acl info
-k – erease default acl info
Let’s see on the example how it works
We have a “file1.txt” file and only the “root” from group “users” has access to its, we have changed this with setfacl command and gave an access for user “marcin” that belongs to the same group “users”. As you see ls -l will not show entire information, only shows that now entire group “users” have rights to Read and Write, what is not true, because only user “marcin” and “root” from group “users” got this rights. But you may only get to know about that by “getfacl file1.txt” command.