File permissions

POSIX file permissions are the basis of most Linux access control mechanisms. Over time they've been extended to make it possible to represent more complex business logic.

Traditional POSIX file permissions

POSIX file permissions give us three levels of access control:

  • Users allow the file's owning user specific rights;
  • Groups allow the file's owning group specific rights; and
  • Other users have fallback permissions.

Each of these can have any combination of the following permissions:

  • Read file contents or see the existence of a directory;
  • Write file contents or create files within a directory; and
  • eXecute on files, or list the contents of directories.

In an applied example:

$ ls -hal file
-rw-r--r-- 1 lukecarrier lukecarrier 0 Sep 26 15:02 file

  • lukecarrier is the file's owner (user) and has read and write permissions
  • lukecarrier is the file's group and has read permissions
  • Everyone else has read permissions

We could represent these permissions as follows:

sudo chown lukecarrier file
sudo chgrp lukecarrier file
sudo chmod u=rw,go=r file

Or more concisely:

sudo chown lukecarrier:lukecarrier file
sudo chmod 644 file

How ACLs extend POSIX permissions

ACLs are an extension of POSIX permissions; they don't replace them. The same permissions we set above can be viewed in the ACL tools:

$ touch file
$ getfacl file
# file: file
# owner: lukecarrier
# group: lukecarrier
user::rw-
group::r--
other::r--

Now we might want to grant another user read access to our file:

$ setfacl -m user:www-data:r file
$ getfacl file
# file: file
# owner: lukecarrier
# group: lukecarrier
user::rw-
user:www-data:r--
group::r--
other::r--

Directories have one additional type of ACL -- default. These set the default ACLs of files created within them. We can use these to avoid having to constantly reapply ACLs to catch newly created files:

$ mkdir dir
$ setfacl -m default:user:www-data:r dir
$ touch dir/file
$ getfacl dir/file
# file: dir/file
# owner: lukecarrier
# group: lukecarrier
user::rw-
user:www-data:r--
group::r-x          #effective:r--
mask::r--
other::r--

It's usually good practice to keep a directory's default ACLs in line with the access ACLs you want on the files inside it, so that newly created files don't end up with different rights from existing ones.
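The `#effective:r--` annotation above is the mask at work: it caps the owning group and any named user or group entries, but never `user::` or `other::`. As an added example that is not part of these notes, this Python script parses getfacl output (the constructed sample reproduces the dir/file listing) and recomputes which rights each entry really grants once the mask is applied:

```python
import re

# Constructed sample: the dir/file listing shown above, as getfacl prints it.
SAMPLE = """\
# file: dir/file
# owner: lukecarrier
# group: lukecarrier
user::rw-
user:www-data:r--
group::r-x          #effective:r--
mask::r--
other::r--
"""

# Optional default: prefix, tag, optional qualifier (named user/group), rwx triplet.
ENTRY_RE = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([rwx-]{3})")

def parse_acl(text):
    """Return (scope, tag, qualifier, perms) tuples; scope is access or default.

    Comment lines and getfacl's own #effective hints are ignored: we recompute them.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(("default" if m.group(1) else "access",) + m.groups()[1:])
    return entries

def apply_mask(perms, mask):
    """Intersect two rwx strings column by column (r-x & r-- -> r--)."""
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))

def effective_rights(text, scope="access"):
    """Rights each entry really grants: the mask caps named users, named groups
    and the owning group, but never the owner (user::) or other::."""
    entries = [e for e in parse_acl(text) if e[0] == scope]
    mask = next((p for _, tag, _, p in entries if tag == "mask"), None)
    result = {}
    for _, tag, qualifier, perms in entries:
        if tag == "mask":
            continue
        capped = mask and (tag == "group" or (tag == "user" and qualifier))
        result[f"{tag}:{qualifier}:"] = apply_mask(perms, mask) if capped else perms
    return result

if __name__ == "__main__":
    for who, rights in effective_rights(SAMPLE).items():
        print(f"{who:<16} {rights}")  # group:: prints r--, not r-x
```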
