BASH – file permissions
File permissions in Linux are one of those things that you either spend some time getting to grips with (and then never forget) or you end up having to double check against Google every time you need to change a file permission. Hopefully, this article will assist you in the former and help you avoid the latter.
The permissions matrix
If we look at the above matrix, note the octal numbers for x (1), w (2), and r (4). By adding the relevant numbers, we get the permission combination. If we want Read and Write, we add 4+2=6. Read and Execute is 4+1=5, and so on.
Who gets these permissions?
From the above table, we can see that these permissions are applied for User, Group and Other (Everyone). So you may select to give the user who owns the file full access – that would translate to a 700 permission. If the file is called test.txt we could use the chmod (CHange MODe) command as follows:
chmod 700 test.txt or chmod u+rwx test.txt (add rwx to User)
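As an added example (not part of the original article), the following POSIX shell functions convert between the rwx string that ls -l prints and the octal number chmod takes, and then exercise both chmod forms above on a scratch file created with mktemp (the file name and mktemp usage are this example's own). The last function makes the practical difference visible: chmod 700 sets the whole mode absolutely, while chmod u+rwx only adds bits for the owner and leaves group and other as they were, so the two agree only when group and other already had nothing.

```shell
#!/bin/sh
# Added example: octal <-> rwx conversion and an absolute vs. symbolic chmod demo.

# rwx_to_octal rwxr-x---  -> 750
# Each group of three characters maps to r=4, w=2, x=1 and the digits are summed.
# A lower-case s or t in the execute slot (setuid/setgid/sticky plus execute)
# still counts as 1; a capital S or T means the special bit is set without execute.
rwx_to_octal() {
  s=$1; out=""; i=0
  while [ $i -lt 9 ]; do
    triple=$(printf '%s' "$s" | cut -c$((i + 1))-$((i + 3)))
    n=0
    case $triple in r??) n=$((n + 4)) ;; esac
    case $triple in ?w?) n=$((n + 2)) ;; esac
    case $triple in ??[xst]) n=$((n + 1)) ;; esac
    out="$out$n"
    i=$((i + 3))
  done
  printf '%s\n' "$out"
}

# bit VALUE MASK LETTER -> LETTER if the bit is set, "-" otherwise
bit() { if [ $(($1 & $2)) -ne 0 ]; then printf '%s' "$3"; else printf '%s' '-'; fi; }

# octal_to_rwx 750 -> rwxr-x---
# Only the low nine bits are rendered, so "0750", "750" and "1750" all give the same string.
octal_to_rwx() {
  bits=$((0$1 & 0777))   # the leading 0 forces octal parsing in shell arithmetic
  out=""; shift_by=6
  while [ $shift_by -ge 0 ]; do
    d=$(( (bits >> shift_by) & 7 ))
    out="$out$(bit "$d" 4 r)$(bit "$d" 2 w)$(bit "$d" 1 x)"
    shift_by=$((shift_by - 3))
  done
  printf '%s\n' "$out"
}

# mode_of FILE -> octal mode, read back from `ls -ld` (works without GNU stat)
mode_of() {
  rwx_to_octal "$(ls -ld "$1" | cut -c2-10)"
}

# chmod_demo -> "700 744"
# First value: mode after `chmod 700`. Second value: mode after `chmod 644`
# followed by `chmod u+rwx`. The symbolic form adds owner bits but never removes
# anything from group or other, which is why the result is 744 and not 700.
chmod_demo() {
  f=$(mktemp) || return 1            # scratch file, constructed for this example
  chmod 700 "$f"; a=$(mode_of "$f")
  chmod 644 "$f"; chmod u+rwx "$f"; b=$(mode_of "$f")
  rm -f "$f"
  printf '%s %s\n' "$a" "$b"
}
```

Use the absolute (octal) form when the goal is "nobody but the owner", and the symbolic form when the goal is to adjust one class without disturbing the others.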
The ‘STICKY’ bit
The sticky bit is set on a DIRECTORY and allows the creator of a file to keep their permissions even though the directory permissions may seem to override individual permissions. In this way, we can open a directory for multiple users to use and still allow individual users to keep control over the files they create. The sticky bit is set with a “1” as a prefix to the permissions. Conversely, a “0” will cancel the sticky bit. Example:
chmod 1744 /home/shares – this will allow users full access to their own files and all other users and groups read-only access.
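The sequence below is an added example, not from the original article: it creates a scratch directory with mktemp -d (the directory is this example's own, standing in for /home/shares), sets the sticky bit with the 1 prefix, and reads the flag back from the tenth character of ls -ld. That character is the check a practitioner uses: a lower-case t means the sticky bit is set and others have execute (search) permission on the directory; a capital T means the sticky bit is set but others cannot traverse the directory at all; x or - means no sticky bit. The 0 prefix clears it again.

```shell
#!/bin/sh
# Added example: set, inspect and clear the sticky bit on a directory.

# special_bit DIR -> tenth character of `ls -ld DIR`:
#   t  sticky bit set, others have execute (search) permission
#   T  sticky bit set, others lack execute permission
#   x  no sticky bit, others have execute
#   -  no sticky bit, others lack execute
special_bit() {
  ls -ld "$1" | cut -c10
}

# sticky_demo -> "t T -"
# Mode 1777: world-writable shared directory, deletions limited to file owners.
# Mode 1744: sticky bit still set, but the missing execute bit for group/other
#            means they cannot even enter the directory (shown as T).
# Mode 0744: the 0 prefix drops the sticky bit (shown as -).
sticky_demo() {
  d=$(mktemp -d) || return 1        # scratch directory, constructed for this example
  chmod 1777 "$d"; a=$(special_bit "$d")
  chmod 1744 "$d"; b=$(special_bit "$d")
  chmod 0744 "$d"; c=$(special_bit "$d")
  rmdir "$d"
  printf '%s %s %s\n' "$a" "$b" "$c"
}
```

When auditing a shared directory, look for the t rather than the T: a T means the sticky bit is present but the directory is not actually usable by the users it was meant to serve.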
Permission Flexibility
Linux is not very flexible here: a file may only be owned by one user and one group at a time. Allowing multiple users access to a file or directory is not too hard: add all the users to the group that already has the correct access, or create a new group, add the users to it, and then change the group ownership of the file or directory to the new group. Ninety percent of the time the normal user and group permissions work out fine, and users may belong to multiple groups. The problem comes on the few occasions when you would like several different groups to have access to one file or directory. Here we have to start using Linux file access control lists (FACLs) and the setfacl / getfacl commands.
The setfacl command is used to set access to a file or directory and the getfacl to see who has which level of access. Usually, only root may use these commands. See the guide below:
setfacl syntax
setfacl [-bkndRLPvh] [{-m|-x} acl_spec] [{-M|-X} acl_file] file ...
setfacl --restore=file
Options
-b, --remove-all [ Remove all extended ACL entries. The base ACL entries of the owner, group and others are retained. ]
-k, --remove-default [ Remove the Default ACL. If no Default ACL exists, no warnings are issued. ]
-n, --no-mask [ Do not recalculate the effective rights mask. ]
--mask [ Do recalculate the effective rights mask, even if an ACL mask entry was explicitly given. ]
-d, --default [ All operations apply to the Default ACL. Regular ACL entries in the input set are promoted to Default ACL entries. ]
--restore=file [ Restore a permission backup created by "getfacl -R" or similar. ]
--test [ Test mode. Instead of changing the ACLs of any files, the resulting ACLs are listed. ]
-R, --recursive [ Apply operations to all files and directories recursively. This option cannot be mixed with "--restore". ]
-L, --logical [ "Logical walk": follow symbolic links to directories. ]
-P, --physical [ "Physical walk": do not follow symbolic links to directories. ]
-v, --version [ Print the version of setfacl, and exit. ]
-h, --help [ Print a help message explaining the command line options. ]
-- [ A double dash marks the end of command line options; all remaining parameters are interpreted as file names. ]
- [ If the file name parameter is a single dash, setfacl reads a list of files from standard input. ]
ACL Entries
setfacl recognizes the following ACL entry formats (spaces in the following formats are optional, but have been included for legibility):
[d[efault]:] [u[ser]:]uid [:perms]
    Permissions of the user with user ID uid, or permissions of the file's owner if uid is empty.
[d[efault]:] g[roup]:gid [:perms]
    Permissions of the group with group ID gid, or permissions of the owning group if gid is empty.
[d[efault]:] m[ask][:] [:perms]
    Effective rights mask.
[d[efault]:] o[ther][:] [:perms]
    Permissions of others.
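To tie the setfacl options and ACL entry formats together, here is an added example (not from the original article) that parses the text getfacl prints and works out what a named user or group actually gets. The getfacl output, the file name shared/report.txt and the users alice, bob and the group auditors are all constructed for this example. The point it demonstrates is the one behind the -n / --mask options above: for named users, named groups and the owning group, the kernel grants the entry's permissions AND the mask entry, so an entry of rwx under a mask of r-- is read-only in practice (getfacl flags this with "#effective:"). The owner (user::) and other entries are not masked.

```shell
#!/bin/sh
# Added example: parse getfacl output and compute effective rights under the mask.
#
# The commands this parser is built around, for reference (not run here):
#   setfacl -m u:bob:rw- shared/report.txt       # grant bob read/write
#   setfacl -m m::r-- shared/report.txt          # cap everyone but the owner at read
#   setfacl -x u:bob shared/report.txt           # remove bob's entry again
#   setfacl -d -m g:auditors:r-x shared/         # default ACL inherited by new files
#   getfacl shared/report.txt                    # show the result

# Constructed sample of what `getfacl shared/report.txt` would print after the
# commands above (names and file are made up for this example).
SAMPLE_GETFACL='# file: shared/report.txt
# owner: alice
# group: staff
user::rw-
user:bob:rw-
group::r--
group:auditors:rwx    #effective:r--
mask::r--
other::---'

# acl_perms TAG:QUALIFIER -> the rwx string of that entry, read from getfacl text on stdin
# Examples of TAG:QUALIFIER: "user:bob", "group:auditors", "user:" (owner), "mask:".
# Prints nothing if the entry is absent.
acl_perms() {
  awk -F: -v want="$1" '
    /^#/ { next }                          # skip the "# file:", "# owner:", "# group:" header
    {
      sub(/[ \t]+#.*/, "", $3)             # drop a trailing "#effective:..." annotation
      key = $1 ":" $2
      if (key == want) { print $3; exit }
    }'
}

# perm_and A B -> bitwise AND of two rwx strings, e.g. perm_and rw- r-- -> r--
perm_and() {
  i=1; out=""
  while [ $i -le 3 ]; do
    a=$(printf '%s' "$1" | cut -c$i); b=$(printf '%s' "$2" | cut -c$i)
    if [ "$a" = "$b" ]; then out="$out$a"; else out="$out-"; fi
    i=$((i + 1))
  done
  printf '%s\n' "$out"
}

# effective_perms TAG:QUALIFIER -> what the kernel actually grants, from getfacl text on stdin
# The owner (user:) and other (other:) entries are never masked; everything else is
# limited by the mask entry, which is exactly what setfacl -n / --mask control.
effective_perms() {
  text=$(cat)
  entry=$(printf '%s\n' "$text" | acl_perms "$1")
  case $1 in
    user:|other:) printf '%s\n' "$entry"; return ;;
  esac
  mask=$(printf '%s\n' "$text" | acl_perms "mask:")
  perm_and "$entry" "$mask"
}
```

A common surprise after chmod on a file that carries an ACL is that chmod rewrites the mask entry, not the named entries, so the named users silently lose rights; running the text through effective_perms rather than reading the entry line alone shows the real outcome.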
Linux permissions may seem involved, but getting them right can go a long way to securing your Linux server and making your Linux server a far healthier environment overall.
Happy Hosting!