On Day 6 of the #90 Days of DevOps challenge, let's take a deep dive into file permissions and ACLs.
Create a simple file and run ls -ltr to see the details of the files.
File Permissions:
File permissions are core to the security model used by Linux systems. They determine who can access files and directories on a system and how.
To create a simple file and view the File Permissions:
Let's create a simple file "file1.txt" and check out its details using the "ls -ltr" command. This will help us understand more about File Permissions.
cat > file1.txt
this is simple text file
The ls command with its -l (long listing) option shows metadata about your Linux files, including the permissions set on each file.
[root@ip-172-31-6-64 ~]# ls -ltr
total 9056
-rw-r--r-- 1 root root 9258617 Jun 26 11:09 apache-maven-3.9.3-bin.tar.gz
drwxr-xr-x 7 root root 252 Jul 11 06:39 django-notes-app
drwxr-xr-x 77 root root 4096 Aug 3 17:26 newD
-rw-r--r-- 1 root root 25 Aug 8 18:54 test1
-rw-r--r-- 1 root root 20 Aug 8 19:20 file1.txt
File permissions are shown as a nine-character string made of three groups of three characters, giving the access rights of the owner, the group, and others, in that order. Each character can take one of the following values:
'r': Read permission (4)
'w': Write permission (2)
'x': Execute permission (1)
'-': No permission (0)
In the example below, the owner's permissions on file1.txt are rw-, which means the owner can read and modify the file but not execute it. The group's permissions are r--: read only, with no modify or execute permission. Similarly, others also have only read permission.
-rw-r--r-- 1 root root 20 Aug 8 19:20 file1.txt
To change the file or the directory permissions, you use the chmod (change mode) command. There are two ways to use chmod — Symbolic mode and Absolute mode.
Symbolic mode uses the following operators:
+ Adds the designated permission(s) to a file or directory.
- Removes the designated permission(s) from a file or directory.
= Sets the designated permission(s).
Here is an example of symbolic mode: we add write and execute permissions for the group to file1.txt, then remove write permission from the owner.
chmod g+wx file1.txt
ls -l file1.txt
-rw-rwxr-- 1 root root 20 Aug 8 19:20 file1.txt
chmod u-w file1.txt
ls -l file1.txt
-r--rwxr-- 1 root root 20 Aug 8 19:20 file1.txt
Using chmod with Absolute Permissions
The second way to modify permissions with the chmod command is to use a number to specify each set of permissions for the file.
Execute and write permission: 1 (execute) + 2 (write) = 3
Read and execute permission: 4 (read) + 1 (execute) = 5
Read and write permission: 4 (read) + 2 (write) = 6
All permissions: 4 (read) + 2 (write) + 1 (execute) = 7
Here is an example using octal permissions; the result can be seen using ls -l:
chmod 756 file1.txt
ls -l file1.txt
-rwxr-xrw- 1 root root 20 Aug 8 19:20 file1.txt
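As an added example (not part of the original post), the shell functions below convert the permission string shown by ls -l into its octal form using the 4/2/1 weights above, then list the files in a directory that the group or others can write to. The function names and the temporary files are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example, not from the original post. File names are constructed.

# Convert a 9-character permission string (e.g. "rwxr-xrw-") to octal
# using the post's weights: r=4, w=2, x=1, -=0.
sym_to_octal() (
    perms=$1
    [ "${#perms}" -eq 9 ] || exit 1
    out=""
    for range in 1-3 4-6 7-9; do
        triplet=$(printf '%s' "$perms" | cut -c"$range")
        digit=0
        case $triplet in r??) digit=$((digit + 4)) ;; esac
        case $triplet in ?w?) digit=$((digit + 2)) ;; esac
        # s and t mean "execute plus a special bit"; count the execute part
        case $triplet in ??[xst]) digit=$((digit + 1)) ;; esac
        out="$out$digit"
    done
    printf '%s\n' "$out"
)

# Permission string of a path, taken from the long listing: drops the
# leading type character and any trailing "+" (ACL) or "." marker.
mode_of() {
    ls -ld -- "$1" | cut -c2-10
}

# List regular files under a directory that group or others can write to.
audit_writable() {
    find "$1" -type f | sort | while IFS= read -r f; do
        m=$(mode_of "$f")
        case $m in
            ????w????|???????w?)
                printf '%s %s %s\n' "$(sym_to_octal "$m")" "$m" "$f" ;;
        esac
    done
}

# Demo on a throwaway directory (constructed data).
demo() {
    d=$(mktemp -d)
    printf 'this is simple text file\n' > "$d/file1.txt"
    printf 'notes\n' > "$d/notes.txt"
    chmod 756 "$d/file1.txt"    # rwxr-xrw-, the mode used in the post
    chmod 644 "$d/notes.txt"    # rw-r--r--, not group/other writable
    audit_writable "$d"         # reports only file1.txt
    rm -rf "$d"
}
demo
```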
Changing Ownership and Permissions:
To change the file owner and group, we use the chown command in the Linux operating system. Linux is a multiuser operating system, so every file or directory belongs to an owner and a group.
Syntax: chown owner_name file_name
To change the group of the file:
In this example, the group1 group is assigned as the group of file1.txt:
chown :group1 file1.txt
ACCESS CONTROL LISTS (ACL):
Access Control Lists (ACLs) provide access control to directories and files. ACLs can set read, write, and execute permissions for the owner, group, and all other system users.
An ACL consists of a set of rules that specify how a specific user or group can access ACL-enabled files and directories. A regular ACL entry specifies access information for a single file or directory. A default ACL entry is set on directories only and specifies the default access information for any file within the directory that does not have an access ACL.
Viewing the ACL
ACLs allow us to apply a more specific set of permissions to a file or directory without (necessarily) changing the base ownership and permissions. They let us "tack on" access for other users or groups.
We can view the current ACL using the
Setting an ACL
The syntax for setting an ACL is:
setfacl [option] [specification] filename
The option would be -m (modify) or -x (remove), and the specification would be the user or group followed by the permissions we want to set. To set a default ACL on a directory, we also use the -d (defaults) option. So, to set the default ACL for this directory, we would execute:
[root] # setfacl -d -m u:siri:rwx /directo1