Linux File Permissions and Access Control Lists

File permissions in Linux control the access level that users have to files and directories. They are critical for system security and functionality. Each file and directory has a set of permissions associated with it.

  1. Understanding File Permissions

     linux$ touch demoFile
     linux$ ls -ltr
     total 0
     -rw-r--r-- 1 shuhari shuhari 0 Jul  4 12:52 demoFile
    

    In the command above, ls -ltr:

    ls : Lists the files and directories.

    -l : Long listing, with detailed information about each entry (permissions, number of links, owner, group, size, and timestamp).

    -t : Sorts by modification time, newest first.

    -r : Reverses the sort order, so the oldest entries are listed first.

Each permission (read, write, execute) is granted separately to three categories of users:

  • Owner: The user who owns the file.

  • Group: Users who are members of the file's group (other than the owner).

  • Others: Everyone else, i.e. users who are neither the owner nor in the file's group.

Consider the permission string -rwxr-xr--.

  1. Breakdown of Permissions

The string is divided into four parts:

  1. File Type: The first character indicates the type of the file:

    • - : Regular file

    • d : Directory

    • l : Symbolic link

    • c : Character device

    • b : Block device

  2. Owner Permissions: The next three characters indicate the permissions for the file's owner:

    • r : Read permission

    • w : Write permission

    • x : Execute permission

  3. Group Permissions: The following three characters indicate the permissions for the group:

    • r : Read permission

    • w : Write permission

    • x : Execute permission

  4. Others Permissions: The final three characters indicate the permissions for others:

    • r : Read permission

    • w : Write permission

    • x : Execute permission

Examples

For the string -rwxr-xr--:

  • - : Regular file

  • rwx : The owner has read, write, and execute permissions.

  • r-x : The group has read and execute permissions.

  • r-- : Others have read permission only.

  1. Changing Permissions

Permissions can be changed using the chmod command. There are two methods to do this: symbolic and numeric.

Symbolic Method

Using chmod with letters:

  • r : Read

  • w : Write

  • x : Execute

  • u : User (owner)

  • g : Group

  • o : Others

  • a : All (user, group, and others)

Examples:

  • Add execute permission for the owner: chmod u+x filename

  • Remove write permission for the group: chmod g-w filename

  • Set exactly read and write for everyone (clearing any execute bit): chmod a=rw filename

Numeric Method

Using numbers:

  • 4 : Read

  • 2 : Write

  • 1 : Execute

The permissions are written as a three-digit octal number: the first digit is the sum of the owner's permissions, the second the group's, and the third everyone else's. An optional fourth leading digit sets the special bits (4 = SUID, 2 = SGID, 1 = sticky), which is why modes such as 1777 and 2775 appear later on this page.

Examples:

  • chmod 755 filename sets permissions to rwxr-xr-x

  • chmod 644 filename sets permissions to rw-r--r--
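As an added example (not code from the original page), the following bash functions convert an ls -l mode string to its octal form and back. They go beyond the two examples above by handling the fourth, special-bit digit (s/S for SUID and SGID, t/T for the sticky bit) and by rejecting malformed input. The check_file helper assumes GNU stat (the -c format) and is only there to confirm the conversion against the kernel's own view of a real file.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): convert between ls -l style
# mode strings and octal modes, including the leading special digit
# (SUID = 4, SGID = 2, sticky = 1) that chmod accepts, e.g. 4755 or 1777.

# mode_to_octal 'rwxr-xr--'  -> 754
# mode_to_octal '-rwsr-xr-x' -> 4755  (a leading file-type character is ignored)
mode_to_octal() {
    local s="$1" special=0 out="" i c digit
    [ "${#s}" -eq 10 ] && s="${s:1}"   # strip the file-type column
    if [ "${#s}" -ne 9 ]; then
        echo "mode_to_octal: expected 9 permission characters, got '$1'" >&2
        return 1
    fi
    for i in 0 3 6; do                 # owner, group, others triplets
        digit=0
        [ "${s:i:1}" = "r" ] && digit=$((digit + 4))
        [ "${s:i+1:1}" = "w" ] && digit=$((digit + 2))
        c="${s:i+2:1}"
        # The third column carries execute plus a special bit: s/S in the
        # owner or group triplet (SUID/SGID), t/T in the others triplet
        # (sticky). Lowercase means execute is also set, uppercase means not.
        case "$i$c" in
            *x) digit=$((digit + 1)) ;;
            0s) digit=$((digit + 1)); special=$((special + 4)) ;;
            0S) special=$((special + 4)) ;;
            3s) digit=$((digit + 1)); special=$((special + 2)) ;;
            3S) special=$((special + 2)) ;;
            6t) digit=$((digit + 1)); special=$((special + 1)) ;;
            6T) special=$((special + 1)) ;;
            *-) ;;
            *) echo "mode_to_octal: bad character '$c' in '$1'" >&2; return 1 ;;
        esac
        out="$out$digit"
    done
    if [ "$special" -ne 0 ]; then
        printf '%s%s\n' "$special" "$out"
    else
        printf '%s\n' "$out"
    fi
}

# octal_to_mode 4755 -> rwsr-xr-x ; octal_to_mode 644 -> rw-r--r--
octal_to_mode() {
    local m="$1" special=0 out="" i d bit sp
    case "$m" in
        ''|*[!0-7]*) echo "octal_to_mode: bad octal mode '$1'" >&2; return 1 ;;
    esac
    [ "${#m}" -eq 4 ] && { special="${m:0:1}"; m="${m:1}"; }
    if [ "${#m}" -ne 3 ]; then
        echo "octal_to_mode: need 3 or 4 octal digits, got '$1'" >&2
        return 1
    fi
    for i in 0 1 2; do
        d="${m:i:1}"
        bit=$((4 >> i))   # 4 = SUID (owner), 2 = SGID (group), 1 = sticky (others)
        if [ $((d & 4)) -ne 0 ]; then out+="r"; else out+="-"; fi
        if [ $((d & 2)) -ne 0 ]; then out+="w"; else out+="-"; fi
        if [ $((special & bit)) -ne 0 ]; then
            if [ "$i" -eq 2 ]; then sp="t"; else sp="s"; fi
            if [ $((d & 1)) -ne 0 ]; then out+="$sp"; else out+="${sp^}"; fi
        else
            if [ $((d & 1)) -ne 0 ]; then out+="x"; else out+="-"; fi
        fi
    done
    printf '%s\n' "$out"
}

# Sanity check against a real file: our conversion of stat's symbolic
# output must equal stat's octal output (GNU stat assumed).
check_file() {
    local f="$1"
    [ "$(mode_to_octal "$(stat -c %A "$f")")" = "$(stat -c %a "$f")" ]
}
```

Running check_file on /usr/bin/passwd or /bin/su is a quick way to see the 4 appear in front of a mode when the SUID bit is set.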


Command chown

Used to change the ownership of files and directories. It can change the owner, the group, or both at once (owner:group). On Linux only root (or a process with CAP_CHOWN) may change a file's owner, so giving a file away requires sudo.

linux$ ls -ltr
total 0
-rw-r--r-- 1 shuhari shuhari 0 Jul  4 12:52 demoFile
# Owner and group are both shuhari
linux$ sudo chown root:root demoFile
# Owner and group both changed to root (user:group sets both in one step)
linux$ ls -ltr
total 0
-rw-r--r-- 1 root root 0 Jul  4 12:52 demoFile

Command chgrp

Used to change the group ownership of files and directories. A non-root user may only assign a group they are a member of; root may assign any group.

linux$ touch File1.txt
linux$ ls -l
total 0
-rw-r--r-- 1 shuhari shuhari 0 Jul  4 13:10 File1.txt

The file File1.txt was created with group shuhari (the creating user's primary group).

linux$ chgrp root File1.txt
linux$ ls -l
total 0
-rw-r--r-- 1 shuhari root 0 Jul  4 13:10 File1.txt

The group of File1.txt is now root. The group of an entire tree can be changed recursively:

linux$ chgrp -R root /path/to/directory
# every file and subdirectory under /path/to/directory now has group root

Command chmod

Used to change the file mode (permissions) of a file or directory. This command allows you to define who can read, write, or execute a file.

linux$ ls -l
total 0
-rw-r--r-- 1 shuhari root 0 Jul  4 13:10 File1.txt

New regular files are created with mode 666 minus the umask, and new directories with 777 minus the umask. With the usual default umask of 022 that gives 644 for files (as here) and 755 for directories; run umask to see the current value.

linux$ chmod u+x File1.txt
shuhari@debian:~/linux$ ls -l
total 0
-rwxr--r-- 1 shuhari root 0 Jul  4 13:10 File1.txt

The command above added execute permission for the owner: u+x means add (+) execute (x) for the user/owner (u).


  1. Access Control Lists (ACL)

Standard permissions allow exactly one owner, one group and "everyone else". POSIX ACLs extend this with additional named-user and named-group entries on a file or directory. When a file carries such extended entries, ls -l shows a + after the permission string. The exercise here: create a directory, set specific ACL permissions for different users and groups, and verify them with getfacl.

# Install the acl user-space tools (getfacl and setfacl)
$ sudo apt install acl

Command getfacl

The getfacl command is used to display the ACLs of a file or directory.

linux$ getfacl demoDir
# file: demoDir
# owner: shuhari
# group: shuhari
user::rwx
group::r-x
other::r-x

The getfacl output above lists the ACL of directory demoDir. With no extended entries it simply mirrors the owner/group/other bits of the standard mode (user::, group:: and other:: are the base entries every file has).

Command setfacl

The setfacl command is used to set, modify, or remove ACLs for a file or directory.

Options
  • -m: Modify the ACL (add or change entries).

  • -x: Remove specific ACL entries.

  • -b: Remove all extended ACL entries, leaving only the base owner/group/other entries.

  • -k: Remove the default ACL.

  • -R: Apply recursively to all files and directories within the specified directory.

  • -d: Operate on the default ACL of a directory, which is inherited by files and subdirectories created inside it.

linux$ setfacl -m u:shuhari:rw demoDir/
linux$ getfacl demoDir/
# file: demoDir/
# owner: shuhari
# group: shuhari
user::rwx
user:shuhari:rw-
group::r-x
mask::rwx
other::r-x

This adds a named-user entry granting shuhari read and write. Two points are worth noting. First, a mask:: entry appeared: it caps the effective rights of every named user, named group and the owning group (the owner and other entries are not masked), and setfacl recalculates it whenever entries are modified. A later chmod on a file that has extended entries changes the mask rather than the group entry, so rights granted through ACLs can silently shrink. Second, shuhari already owns demoDir, so access for shuhari is decided by the owner entry (user::rwx) and the named entry has no effect; a named-user entry matters for a user other than the owner, as in the script exercise below where the entry is created for root.


Q. Create a script that changes the permissions of multiple files in a directory based on user input.

linux$ cat changerPer.sh
#!/bin/bash

# Prompt the user for the directory
read -r -p "Enter your directory: " dir

# Prompt the user for the octal mode (3 or 4 digits)
read -r -p "Enter permissions you want to set (e.g. 744, 700): " permissions

# Reject anything that is not an octal mode before handing it to chmod
if ! [[ "$permissions" =~ ^[0-7]{3,4}$ ]]; then
        echo "Invalid mode: $permissions (use 3 or 4 octal digits)"
        exit 1
fi

# Prompt the user for file/directory names
read -r -p "Enter the file/directory name(s) (space-separated): " -a files

# Change to the specified directory
cd "$dir" || { echo "Directory not found: $dir"; exit 1; }

# Change permissions for each file, reporting failures instead of assuming success
for file in "${files[@]}"; do
        if [ -e "$file" ]; then
                if chmod "$permissions" "$file"; then
                        echo "Changed permissions of $file to $permissions"
                else
                        echo "Failed to change permissions of $file"
                fi
        else
                echo "File not found: $file"
        fi
done

echo "Permission changes completed."

Output:

linux$ ls -l
total 8
-rw-r--r-- 1 shuhari shuhari  674 Jul  4 14:03 changerPer.sh
drwxr-xr-x 2 shuhari shuhari 4096 Jul  4 13:42 ojas

linux$ bash changerPer.sh
Enter your directory:/home/shuhari/linux
Enter permissions you want to change(e.g 744, 700):400
Enter the file/directory name(if multiple then space-separated):ojas
Changed permissions of ojas to 400
Permission changes completed.

linux$ ls -l
total 8
-rw-r--r-- 1 shuhari shuhari  674 Jul  4 14:03 changerPer.sh
dr-------- 2 shuhari shuhari 4096 Jul  4 13:42 ojas

Note that on a directory the execute bit means "search": with mode 400 nobody, including the owner, can cd into ojas or read the metadata of the files inside it (a plain ls ojas still lists the names, but ls -l ojas fails) until a mode such as 700 is restored.

Q. Write a script that sets ACL permissions for a user on a given file, based on user input.

# ACL before running the script

linux$ getfacl demoDir/
# file: demoDir/
# owner: shuhari
# group: shuhari
user::rwx
group::r-x
other::r-x
linux$ bash aclPer.sh
Enter file path: /home/shuhari/linux/demoDir
Enter the username: root
Enter the permissions (e.g. read, write, execute): rw
ACL permissions for user root set successfully on file /home/shuhari/linux/demoDir

linux$ getfacl demoDir/
# file: demoDir/
# owner: shuhari
# group: shuhari
user::rwx
user:root:rw-
group::r-x
mask::rwx
other::r-x
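The page shows the output of aclPer.sh but not the script itself. The following is an added example of how such a script can be written (it is not the page's aclPer.sh): it validates the user name and the permission string before calling setfacl, and it parses getfacl output to print the rights that actually apply once the mask is taken into account, which is the part of an ACL that is easiest to misread. It assumes the acl tools are installed; the effective_rights function itself only needs awk and can be fed saved getfacl output offline.

```bash
#!/usr/bin/env bash
# Added example (not the page's aclPer.sh): grant a named user rights on a
# file or directory via setfacl after validating the input, then show the
# rights that apply *after* the mask. Assumes setfacl/getfacl are installed.
set -euo pipefail

# Accept only rwx-style permission strings such as rw, r-x, rwx.
validate_perms() {
    case "$1" in
        ''|*[!rwx-]*) return 1 ;;
    esac
    [ "${#1}" -le 3 ]
}

# Confirm the account exists before handing it to setfacl.
validate_user() {
    getent passwd "$1" >/dev/null 2>&1 || id -u "$1" >/dev/null 2>&1
}

# Build the setfacl entry specification, e.g. u:alice:rw
acl_spec() {
    printf 'u:%s:%s\n' "$1" "$2"
}

# Read getfacl output on stdin and print each access entry with the rights
# that actually apply. Named users, named groups and the owning group are
# limited by the mask entry; the owner and "other" entries are not.
# Default (inherited) entries are skipped since they do not grant access.
effective_rights() {
    awk -F: '
        /^#/ || NF == 0 || $1 == "default" { next }
        $1 == "mask" { mask = $3; next }
        { entries[++n] = $0 }
        END {
            for (i = 1; i <= n; i++) {
                split(entries[i], f, ":")
                type = f[1]; name = f[2]; perm = f[3]; eff = perm
                if (mask != "" && (name != "" || type == "group")) {
                    eff = ""
                    for (j = 1; j <= 3; j++) {
                        c = substr(perm, j, 1); m = substr(mask, j, 1)
                        if (c != "-" && m != "-") eff = eff c; else eff = eff "-"
                    }
                }
                printf "%s:%s:%s effective=%s\n", type, name, perm, eff
            }
        }'
}

apply_acl() {
    local path="$1" user="$2" perms="$3"
    [ -e "$path" ] || { echo "No such file: $path" >&2; return 1; }
    validate_user "$user" || { echo "Unknown user: $user" >&2; return 1; }
    validate_perms "$perms" || { echo "Bad permission string: $perms (use r, w, x, -)" >&2; return 1; }
    setfacl -m "$(acl_spec "$user" "$perms")" "$path"
    echo "ACL entry $(acl_spec "$user" "$perms") set on $path"
    getfacl "$path" | effective_rights
}

interactive() {
    local path user perms
    read -r -p "Enter file path: " path
    read -r -p "Enter the username: " user
    read -r -p "Enter the permissions (e.g. rw, r-x, rwx): " perms
    apply_acl "$path" "$user" "$perms"
}

# Usage: aclPer.sh PATH USER PERMS, or run with no arguments on a terminal to be prompted.
if [ "$#" -eq 3 ]; then
    apply_acl "$@"
elif [ -t 0 ]; then
    interactive
fi
```

getfacl -e prints the same effective rights as comments; the parser above is written out so the masking rule is visible. If the mask is narrower than a named entry (for example mask::r-x after someone ran chmod 755 on the file), the entry's w is shown but never takes effect.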

  1. Understanding Sticky Bit, SUID, and SGID

Sticky Bit

The sticky bit on a directory (here stickyDir) ensures that a file inside it can be deleted or renamed only by the file's owner, the directory's owner, or root, even when other users have write permission on the directory. This is why /tmp is mode 1777. ls -l shows the bit as t in the others' execute position (T if the others' execute bit is not set).

# Create directory
linux$ mkdir stickyDir
linux$ ls -l
total 4
drwxr-xr-x 2 shuhari shuhari 4096 Jul  4 14:27 stickyDir
# Set sticky bit on directory stickyDir
linux$ chmod +t stickyDir/
linux$ ls -l
total 4
drwxr-xr-t 2 shuhari shuhari 4096 Jul  4 14:27 stickyDir
# Create files inside stickyDir
linux$ touch stickyDir/file{1..3}.txt
linux$ ls -l stickyDir/
total 0
-rw-r--r-- 1 shuhari shuhari 0 Jul  4 14:29 file1.txt
-rw-r--r-- 1 shuhari shuhari 0 Jul  4 14:29 file2.txt
-rw-r--r-- 1 shuhari shuhari 0 Jul  4 14:29 file3.txt
# Make the directory writable by everyone while keeping the sticky bit (1777 = sticky + rwxrwxrwx)

linux$ chmod 1777 stickyDir/
linux$ ls -l
total 4
drwxrwxrwt 2 shuhari shuhari 4096 Jul  4 14:29 stickyDir
# Attempt to delete a file as a different user

linux$ sudo -u ojas rm /stickyDir/file1.txt
rm: cannot remove '/stickyDir/file1.txt': No such file or directory

The attempt above used the absolute path /stickyDir, but the directory was created in the current working directory, so rm only reports that the file does not exist and the sticky bit is never exercised. With the correct path (stickyDir/file1.txt) the removal is refused with an "Operation not permitted" error, because ojas owns neither the file nor the directory.

SUID (Set User ID)

When the SUID bit is set on an executable, the process runs with the effective user ID of the file's owner rather than that of the user who launched it. For a root-owned binary such as /bin/su this is how an unprivileged user can run a program that needs root, and it is also why writable or exploitable SUID binaries are a classic privilege-escalation target (find / -perm -4000 lists them). On a standard Debian install su is already shipped setuid root, so the chmod below is redundant and only illustrates the u+s syntax. The kernel ignores the SUID bit on interpreted scripts and on filesystems mounted with nosuid.

# Check current permissions (an s in the owner's execute position means SUID is set)
linux$ ls -l /bin/su

# Set SUID bit (numeric equivalent: chmod 4755)
linux$ sudo chmod u+s /bin/su

# Verify SUID is set
linux$ ls -l /bin/su

# Run it as a regular user; the process runs with root's effective UID
linux$ /bin/su

SGID (Set Group ID)

On an executable the SGID bit makes the process run with the file's group as its effective group. On a directory (here demoDir) it makes files and subdirectories created inside inherit the directory's group instead of the creating user's primary group, which is how shared project directories are normally set up. ls -l shows the bit as s in the group's execute position (S if the group execute bit is not set).

# Create a directory and set the SGID bit together with group write access
# (2775 = SGID + rwxrwxr-x; chmod g+s alone sets only the bit)
mkdir /demoDir
chmod 2775 /demoDir

# Create files within the directory
touch /demoDir/file1.txt
touch /demoDir/file2.txt

# Check the group ownership of the newly created files
ls -l /demoDir

The same steps in the working directory:

linux$ mkdir demoDir

linux$ ls -l
total 4
drwxr-xr-x 2 shuhari shuhari 4096 Jul  4 14:43 demoDir

linux$ chmod g+s demoDir/

linux$ ls -l
total 4
drwxr-sr-x 2 shuhari shuhari 4096 Jul  4 14:43 demoDir
linux$ touch demoDir/file{1..3}.txt

linux$ ls -l demoDir/
total 0
-rw-r--r-- 1 shuhari shuhari 0 Jul  4 14:44 file1.txt
-rw-r--r-- 1 shuhari shuhari 0 Jul  4 14:44 file2.txt
-rw-r--r-- 1 shuhari shuhari 0 Jul  4 14:44 file3.txt

The inheritance is not visible here because the directory's group and shuhari's primary group are both shuhari. To observe it, first change the directory's group (chgrp to another group that shuhari belongs to) and then create a file: the new file carries the directory's group rather than shuhari.
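Putting the three special bits together, the following added example (not from the original page) is the audit a practitioner runs after reading the sections above: it lists SUID/SGID files, flags the dangerous subset that group or others can also write, and finds world-writable directories that lack the sticky bit. It uses only find and ls; the tree to scan is passed as an argument (defaults to /).

```bash
#!/usr/bin/env bash
# Added example (not from the original page): audit a directory tree for
# the special bits discussed above. Reports SUID/SGID files, SUID/SGID
# files that are also writable by group or others (anyone who can write
# the file can replace the privileged code), and world-writable directories
# that lack the sticky bit (anyone can delete or rename anyone else's files).
set -eu

# SUID (4000) or SGID (2000) regular files under $1, one path per line.
find_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# SUID/SGID files that group or others can also write: the worst case.
find_writable_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
         \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null
}

# World-writable directories under $1 without the sticky bit.
find_unsticky_world_writable() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null
}

audit() {
    local root="${1:-/}" p
    echo "== SUID/SGID files under $root =="
    find_suid_sgid "$root" | while IFS= read -r p; do ls -ld -- "$p"; done
    echo "== SUID/SGID files writable by group or others (fix these first) =="
    find_writable_suid_sgid "$root" | while IFS= read -r p; do ls -ld -- "$p"; done
    echo "== world-writable directories without the sticky bit =="
    find_unsticky_world_writable "$root" | while IFS= read -r p; do ls -ld -- "$p"; done
}

# Usage: audit.sh [ROOT]   (defaults to /; run as root to traverse everything)
if [ "$#" -ge 1 ]; then
    audit "$1"
fi
```

The -xdev flag keeps the scan on one filesystem, so run it once per mounted filesystem of interest; network mounts and nosuid mounts are usually excluded deliberately. A baseline copy of the SUID/SGID list is worth keeping, since a new entry appearing between two runs is one of the simplest persistence indicators to check for.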