Introduction to File Permissions and Access Control Lists (ACL) in Linux
Managing file and directory access is a crucial aspect of Linux system administration. At the heart of this management lie file permissions and Access Control Lists (ACLs), two essential mechanisms that define who can read, write, or execute files and directories.
Linux's traditional file permissions model offers three types of permissions (read, write, and execute) for three classes of users (owner, group, and others). While this model is effective, it may not provide enough flexibility in complex environments where multiple users and groups need varying levels of access to specific files.
This is where Access Control Lists (ACLs) come in. ACLs extend the basic permissions model, allowing administrators to assign more granular permissions to individual users or groups, going beyond the default owner-group-other paradigm. By using ACLs, you can tailor file and directory permissions more precisely to meet security and operational needs.
In this blog, we'll explore the basics of file permissions, dive into the extended capabilities of ACLs, and guide you on how to effectively manage access control in Linux systems. Whether you’re a beginner or an experienced sysadmin, understanding these concepts will help you better control and secure your Linux environment.
Task 1: Change the user permissions of the file and note the changes after running ls -ltr.
- Understanding File Permissions:
Create a simple file and run ls -ltr to see the details of the files.
Each of the three permissions are assigned to three defined categories of users. The categories are:
Owner: The owner of the file or application.
Use chown to change the ownership permission of a file or directory.
Group: The group that owns the file or application.
Use chgrp to change the group permission of a file or directory.
Others: All users with access to the system (outside the users in a group).
Use chmod to change the other users' permissions of a file or directory.
Task 2 :Witing an Article:
- Write an article about file permissions based on your understanding from the notes.
Answer
Understanding File Permissions in Linux
- File permissions in Linux are critical for maintaining security and proper access control. They define who can read, write, and execute a file or directory. Here, we explore the concepts and commands related to file permissions.
Basic Permissions
Permissions in Linux are represented by a three-digit number, where each digit represents a different set of users: owner, group, and others.
Highest Permission:
7
(4+2+1)Maximum Permission:
777
, but effectively666
for files due to security reasons, meaning no user gets execute permission.Effective Permission for Directories:
755
Lowest Permission:
000
(not recommended)Minimum Effective Permission for Files:
644
(default umask value of022
)Default Directory Permission: Includes execute permission for navigation
Categories of Users
Each of the three permissions are assigned to three defined categories of users:
Owner: The owner of the file or application.
- Command:
chown
is used to change the ownership of a file or directory.
- Command:
Group: The group that owns the file or application.
- Command:
chgrp
is used to change the group permission of a file or directory.
- Command:
Others: All users with access to the system.
- Command:
chmod
is used to change the permissions for other users.
- Command:
Special Permissions
SUID (Set User ID): If SUID is set on an executable file and a normal user executes it, the process will have the same rights as the owner of the file being executed instead of the normal user (e.g.,
passwd
command).SGID (Set Group ID): If SGID is set on any directory, all subdirectories and files created inside will inherit the group ownership of the main directory, regardless of who creates them.
Sticky Bit: Used on folders to avoid deletion of a folder and its contents by other users though they have write permissions. Only the owner and root user can delete other users' data in the folder where the sticky bit is set.
/Task 3: Acess Control Lists (ACL):
Read about ACL and try out the commands
getfacl
andsetfacl
.Task: Create a directory and set specific ACL permissions for different users and groups. Verify the permissions using
getfacl
.
Task 4: Create a script that changes the permissions of multiple files in a directory based on user input.
Task 5 : Understanding Sticky Bit, SUID, and SGID:
Task: Create examples demonstrating the use of sticky bit, SUID, and SGID, and explain their significance.
Read about sticky bit, SUID, and SGID.
Sticky bit: Used on directories to prevent users from deleting files they do not own.
SUID (Set User ID): Allows users to run an executable with the permissions of the executable's owner.
SGID (Set Group ID): Allows users to run an executable with the permissions of the executable's group.
-
SUID :
SGID:
Task 6 : Backup and Restore Permissions
Restore in Scripting
Restoring permissions in scripting typically involves saving the current state of file or directory permissions before making changes, and then being able to restore them later if needed. This is often done to ensure that changes can be reverted, especially in scenarios where scripts temporarily modify permissions to perform certain tasks.
Steps to Restore Permissions in a Script:
Backup the current permissions using the
getfacl
orstat
command.Modify the permissions as needed during the script execution.
Restore the original permissions using
setfacl
orchmod
to revert the changes.